Crime Doesn’t Pay – Or Does It?

Does crime pay? The easy answer is: yes it does.

According to a recent report by the online IT site The Register, almost ninety percent of hacking prosecutions in the UK last year resulted in convictions. Good news right?  Well, not quite.

Analysing the data provided by the UK Government from the last eleven years shows that the conviction rate is actually quite low.  A total of 422 prosecutions were conducted, with an average prosecution rate of just 38 per year.

One of the key issues, of course, is that the CMA was created in 1990.

CMA? Is that the ‘Country Music Awards?’

No, this has nothing to do with Dolly Parton or Johny Cash… although Cash does come into it, a little. But CMA refers to the Computer Misuse Act.

If you’ve never heard of the CMA, it doesn’t surprise me, but it’s been around since 1990. In 2018, as everyone prepared for the General Data Protection Regulation (GDPR), the fact that there was already a Data Protection Act seemed to come as a surprise to many, let alone that it had been around since 1998!

The Computer Misuse Act (1990) is the law which is used to prosecute hackers, and those carrying out other data-related crimes such as gaining unlawful access to computers and their contents.

Interestingly the analysis goes on to state that between 2008 and 2018, 79 people were found not guilty at court or otherwise had their cases halted. Of the guilty, sixteen per cent were given immediate custodial sentences.

Dirty Rotten Scoundrels

These custodial sentences, however, are still relatively short, with sentences typically falling between six and 24 months. With current UK sentencing laws automatically halving prison sentences in favour of release on licence, it makes the sentencing seem even more unlikely.

What does this tell us?

Well, quite a lot. The Registry did a great piece of work in this analysis, and I think it highlights a number of issues. The first is that the CMA is woefully out of date and like the Data Protection Act needs to be updated, and soon.

In the 2018 ‘Cyber Security Breaches Survey’ it was suggested that 43 per cent of UK businesses and two in ten charities (19 per cent) experienced a cybersecurity incident or attack in the past twelve months. But we are not catching those responsible. This is because it’s not a UK issue or a European one. It’s an international issue, and the criminals know that law enforcement (in cyber years) is around 100 years behind!

In the past, the bad guys knew that all they had to do was ‘pass state lines’ or go to a different area, and the police couldn’t touch them. Or else they didn’t have the communication tools to join the dots. To put it simply: the police need more resources and they need them fast.

In addition, the legal system needs to catch up. I’m not talking about a ‘snoopers charter’ here, I’m talking about updating laws (like the CMA) and also breaking down barriers surrounding jurisdictions, and being able to gain access to systems and servers where there is good evidence that wrongdoing is taking place.

Conclusion

I have admiration for the police and what they do. They do a difficult job in difficult circumstances with little to no credit. I wouldn’t want to do what they do.  Each of us needs to take more responsibility for our own cybersecurity and data protection. We need to recognise that if the police can catch someone, and if they can get them to court, the likelihood is that the perpetrator will either walk free immediately or after a short space of time.

Crime may not pay… but it appears that cybercrime does… eventually.