The Police and Justice Act passed into law on yesterday, creating a penalty for denial-of-service attacks of up to 10 years in prison.
The law is an update of 1990's Computer Misuse Act, and seeks to close a loophole some perceived in the older law in that it didn't specifically address denial-of-service (DoS) attacks. The older legislation criminalised doing anything "which causes an unauthorised modification of the contents of any computer", as long as this was carried out with criminal intent.
It wasn't clear whether this covered DoS attacks; for instance, in November 2005 a court cleared teenager David Lennon, who had sent five million emails to a former employer, because the act didn't seem to be addressed by existing law. The ruling was later overturned, and Lennon was sentenced to two months' electronically tagged curfew.
The new law contains much broader and more specific language, covering anyone who carries out an act with the intent to impair the operation of a computer, prevent or hinder access to any program or data or impair the operation of any program.
The wording would cover anyone who pays someone else to launch an attack, according to an analysis from IT lawyers Pinsent Masons.
The law brings other measures into force as well, including establishing a National Policing Improvement Agency and expanding police powers to capture passenger and crew data on journeys within the UK and to stop and search people and vehicles at airports.