2 Laws and computers
This section is part of the amber and green pathways.
Now that you have a broader understanding of the kind of things that can go wrong, you’ll look at some of the most important laws in the UK that help to protect us against these cyber security threats. These are the Data Protection Act 2018, the Regulation of Investigatory Powers Act 2016, the Computer Misuse Act 1990 and the Fraud Act 2006.
First though, we’ll start with a brief introduction to the UK legal system. If you live outside the UK (or work with a multinational organisation) you’ll also get a chance to find out what legal frameworks exist in your own country. It is still useful to learn about the UK laws so that you can look for the equivalent in your country.
Criminal and civil law
Law in Britain can be broadly divided into two categories:
- Criminal law is concerned with punishing behaviour that is considered unacceptable (murder, serious injury, fraud and so on). The majority of criminal cases are brought by the State against individuals and companies and require a high standard of proof to secure a conviction (‘beyond reasonable doubt’). Criminal cases can punish guilty parties with either fines or imprisonment, depending on the nature and severity of the offence.
- Civil law is concerned with disputes and these are usually brought before the court by individuals. Civil cases concern (among other things) property law, contracts and noise. There is a lower standard of proof (‘on the balance of probabilities’) than with criminal law and punishments are usually financial in nature.
Bills, Acts and Laws
An Act of Parliament is a law that has been approved by the British Parliament (Britain has a second type of law that has not been passed through Parliament known as Common Law).
An Act starts as a draft called a Bill which is debated in the elected House of Commons. If it is approved, the Bill is passed to a specialist committee made up from Parliamentarians for revision. Their changes are discussed further in the House of Commons and possibly revised further.
After a formal vote, the Bill passes from the House of Commons to the House of Lords for further scrutiny and possible amendments. The Lords will vote on the Bill before returning it to the House of Commons which considers their amendments. If the two houses agree (and sometimes they do not), the Bill is given Royal Assent and becomes an Act.
Some Acts take immediate effect, but often there is a delay between enactment and implementation as there may need to be processes put in place in order to achieve compliance.
So a Bill does not become law until it becomes an Act.
Keeping up with threats
It is worth remembering that cyber security is a fast moving area and therefore, legislation is constantly being revised based on new threats and court cases. In particular, the outcomes of trials can result in changes to the interpretation of existing laws as well as prompting creation of new laws. Additionally, because cyber threats are global, they can be affected by legislation from other jurisdictions.
Case study: Lauri Love
In 2016, a computer science graduate, Lauri Love, allegedly hacked into the systems of the FBI, NASA, and the American Missile Defence Agency, accessing personal information of about 104,000 employees of the Department of Energy. Three different states in the US issued indictments. He was to be extradited to the USA where he could face up to 99 years in jail, if convicted.
Love and his family fought extradition, although the initial ruling was to honour extradition treaty regulations and to try him in the USA. In 2017, he assisted the NHS in combating the WannaCry ransomware attack.
In February 2018, he won his appeal against extradition. His appeal was based on the fact that he was diagnosed with Asperger’s syndrome, and also suffers from severe eczema related to his anxiety and was at risk of committing suicide. The judgement mentioned that if the offences are proved, he will have a significantly different experience in a prison from what he would experience in the USA.