
                         ----------------------------

                         *  F  E  A  T  U  R  E  S  *

                         ----------------------------

              British Computer Society pushes for hacking reforms

    Unauthorised attempts to access  and  damage  information held on  computer
systems are not covered adequately  by  the  law,  according   to  a  group  of
senior  BCS members  and  experts  in  computer  security.
    They  are particularly concerned about  the  consequences of the  House  of
Lords' judgement (Regina  v  Gold,   Regina   v   Schifreen,   April   21 1988)
concerning two hackers who broke  into  the  Duke of  Edinburgh's   mailbox  on
British  Telecom's  Prestel   viewdata  service.
    Stephen Gold and Robert Schifreen had been accused under the Forgery and
Counterfeiting Act, but the Lords' judgement revolved around the recording
and storage of electronically held information.  Because no data was
actually copied, the hackers' appeal was upheld.
    The security specialists, led by Frank Taylor, have asked the Home
Office and the Department of Trade and Industry to put new legislation before
Parliament as soon as possible.
    In a letter to the Home Office, the DTI, the Lord Chancellor's Department
and the EEC, the BCS members state that "anyone intending to break in, or
succeeding in breaking into computerised systems, which affect the lives of
every citizen in the country, needs to know he or she faces the full rigours
of the law."
    Jim Brookes, chief executive of the BCS, says, "This is no laughing
matter - it is deadly serious".
    "It  is a professional ethical matter.   All kinds of data are  stored   on
computers  - everything  from   medical   records   to  financial  information,
from  scientific  research   to   company   commercial  material.   All of them
could be accessed illegally."
    "The  hackers' action and  the  Lords'  subsequent  decision  have  brought
the  whole  question  of  computer   hacking    and   its  implications  to the
attention of those in power and everyone  in  the IT industry," says Taylor.
    In this way the hackers  have  had  a  positive effect,  but their  actions
have  also  shown the way for those of a  more  criminal  nature.
    "We  are worried that the decision  of  the  Lords  won't  be  any  type of
deterrent."
    "It  could  also  set  a  dangerous  precedent  for  future   cases,"  says
Taylor.
    Taylor and the society are calling for stricter laws to deal with the
problem.  The BCS believes that unauthorised access should be covered by
statute, as a criminal act.  It also wants information and data to be
treated as intellectual property which can be lost or damaged by chance,
delay, or corruption, and by improper or incorrect exposure resulting from
unauthorised access.
    The  society has  drawn  attention  to  the  report  of  the  Scottish  Law
Commission in 1987 (See LAW file  in  this area),  which  says  hacking  should
be made a criminal offence with penalties   up  to  five years in prison.   The
discrepancy between Scottish law  and  the judgement of the Law Lords calls for
immediate attention.
    "We  support the Scottish Law Commission's  report",  says  the  BCS group.
"We agree that it should be  an  offence for any person  without  authorisation
to inspect such data or program or add  to,  alter or corrupt any such program.
We think the Scottish report should be the basis of a new law applying to the
whole UK."
    New legislation is needed to deal with the entire process of computer
hacking, and not just whether data was copied.  According to Taylor, the act
of overcoming security measures without authority, often the prelude to
hacking, should be treated as a crime itself.
    The security specialists also  discussed  the  serious matter  of  computer
viruses, recently highlighted by the popular press.
    The BCS Security committee is worried that the media hype has exacerbated
the situation, because it offers an intellectual challenge to programmers
similar to the challenge of breaking into computer systems.
    BCS technical co-ordinator Tony Sale says,  "The effect of such  activities
is  to damage  the  image  of  computing.    It   wastes   a   large  amount of
professional time in hunting for  viruses  which  may or may not exist."
    The security committee suggests two lines of defence against viruses.
The first is simply to run software of proven pedigree.  The second should
be to hash total all program and data files.  This process devises a simple
number code for programs or data files on the system.  If you have the
original copies of your software locked away in a safe, take them out, copy
them to newly formatted discs and obtain the hash total.
    This total will  provide  a  check  for  the  same  files  already  on  the
computer  system.   Any difference in  hash  total  could  mean  that some code
has been altered.
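    The hash-total check described above, as an added example that is not
part of the original article: totals are taken from trusted master copies and
then compared with the files in use, reporting altered, missing and unexpected
files.  It assumes SHA-256 in place of the "simple number code" the committee
mentions; the directory and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_total(path, chunk_size=65536):
    """Return the SHA-256 digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map each file's path (relative to root) to its hash total."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_total(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, baseline):
    """Compare the files under root with a baseline from trusted copies."""
    current = build_baseline(root)
    return {
        "altered": sorted(n for n in baseline
                          if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }

def demo():
    """Constructed sample: trusted masters versus a modified working copy."""
    with tempfile.TemporaryDirectory() as tmp:
        masters, live = Path(tmp, "masters"), Path(tmp, "live")
        files = {"editor.com": b"\x90" * 512, "ledger.dat": b"1988,April,21\n"}
        for base in (masters, live):
            base.mkdir()
            for name, data in files.items():
                (base / name).write_bytes(data)
        baseline = build_baseline(masters)   # taken from the clean copies
        clean = verify(live, baseline)
        # Simulate appended code, a deleted file and an extra file.
        with open(live / "editor.com", "ab") as fh:
            fh.write(b"extra code")
        (live / "ledger.dat").unlink()
        (live / "helper.com").write_bytes(b"not in the masters")
        return clean, verify(live, baseline)

if __name__ == "__main__":
    print(demo())
```

    The baseline is only as trustworthy as its storage: keep it with the
master copies, off the system being checked, so that altered code cannot
rewrite its own total.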
    Other methods suggested by the committee include timing measurements and
decoy programs, but these are not foolproof and require a lot of time and
energy.  Sale suggests that "the only long term solution to the problem of
viruses is to change the climate of opinion so that production of one is
deemed socially unacceptable.  This can be assisted by more awareness of the
BCS code of ethics and professional responsibility."
    Some legal remedies  are  possible  in  dealing  with  viruses.    As  with
hacking, if electronic representations  of  information  can be  established as
real objects, then damages might be obtained.


          -----------------------------------------------------------


   <See the "OPINIONS" section for an alternative view to those of the BCS.>

