Hacking prosecutions in the UK fell by 12% to 57 in 2019 compared with the previous year, according to an analysis by the law firm RPC. This meant that just 0.33% of the 17,600 hacking offences reported in the UK in 2019 resulted in a prosecution under the Computer Misuse Act.
RPC believes that a lack of resources provided to the police to investigate such cases is the biggest factor behind the low number of prosecutions. It added that the UK government typically focuses its resources on targeting cyber-criminals involved in attempts to compromise national security.
In addition, it is often very difficult to identify and pursue attackers, as the majority of offences reported in the UK are likely to be carried out from abroad. The primary reason for this, according to RPC, is that attackers are more likely to route attacks through countries which do not necessarily have a co-operative law enforcement relationship with UK authorities.
Worryingly, there has been a significant growth in phishing attacks and scams this year as a result of COVID-19. For example, in April Google revealed it was blocking over 240 million COVID-themed spam messages each day in addition to 18 million malware and phishing emails. Many emails intercepted by Google contained malware designed to allow hackers access to the recipient’s system.
Examples of phishing attacks include messages impersonating government agencies or charities asking for donations or attempting to scam small businesses.
Richard Breavington, partner at RPC, commented: “Tracking down cyber-criminals is a very resource-intensive task. Hackers know how to cover their tracks, and doing so is relatively straightforward. Cyber-criminals view hacking as a low-risk activity, with virtually zero risk of prosecution.”
Commenting on the findings, Ollie Whitehouse, global CTO at the NCC Group, outlined the need to reform the current legislation: “As the global threat landscape evolves and broadens and technology becomes ever more complex, the fact that fewer true hackers are being prosecuted successfully in the UK demonstrates the urgent need for new legislation. The Computer Misuse Act – which is now 30 years old – was originally introduced to avoid unauthorized access to computer data and systems, but it is no longer fit for purpose in the interconnected digital world of the 21st century.”
He added: “We want modern legislation to acknowledge the important role cybersecurity professionals play in keeping citizens and businesses safe and secure. We want to transform what constitutes unauthorized access in the act and introduce statutory defenses, so that security professionals can identify and investigate threats without fear of legal action, ensure cyber-criminals do get punished appropriately, and ultimately prevent real-world cyber-attacks in the future.”