UK – “Serious Crimes” to Cybersecurity

The United Kingdom has recently passed the Serious Crimes Act, 2015.

Part 2 of the Act makes several amendments to the Computer Misuse Act 1990 (“CMA”), including:


– a new offence of unauthorised acts in relation to a computer that result either directly, or indirectly, in serious damage in any country to the economy, environment, national security or human welfare, or create a significant risk of such things. The offence will carry a maximum sentence of life imprisonment for some categories of cyberattack. A person is guilty of the offence if they, at the time of commission, are aware that it is unauthorised, and intends the act to cause serious damage of a material kind, or is reckless as to whether such damage is caused; and

– an offence for obtaining a tool for use to commit an offence under s1 (unauthorised access to computer material) and s3 (unauthorised acts with intent to impair, or with recklessness as to impairing operation of computer) of the CMA, regardless of an intention to supply that tool; and

– the extra-territorial provisions have been extended to provide for the ability to prosecute a UK national who commits any CMA offence outside of the UK where the conduct has no significant link to the UK (provided that the office is also an offence in the country where it took place).


Would these be appropriate for Canada, or does the ‘mischief to data’ provision of s. 430(1.1) of the Criminal Code cover it sufficiently? The Code provides a maximum penalty of ten years, unless the mischief causes ‘actual danger to life’, in which case the maximum sentence is imprisonment for life. Would increasing the sentence for damage to ‘the economy, environment, national security or human welfare’ likely deter anyone who would not be deterred by the prospect of up to ten years in jail?


  1. Surely the English provisions are set at a level of seriousness far above the “mischief to data” provisions in the Canadian Code which appear to have been used as additional charges when those charged with child pornography offences attempt to erase their tracks, and in one case where someone’s log-on information was changed to prevent access.

    But I am loathe to encourage the Feds to pile on even more provisions onto the national security / terrorism fear-agenda.

  2. The United States has just upped the stakes too. President Obama yesterday released an Executive Order authorizing the government to seize the property of people engaging in certain kinds of “malicious cyber-enabled activities” and to deny them the right to enter the US. The administration of the order is given to the Department of the Treasury, which has issued a FAQ about it.

    At least one cybersecurity expert has welcomed the initiative. He notes that the Order is an ’empty shell’ pending regulations.

    An interesting alternative to legislation.