Cross-party parliamentarians will next week debate proposals that aim to fix a “glaring flaw” in the Computer Misuse Act of 1990 (CMA) as momentum gathers behind the need to reform the nearly 35-year-old law.
Led by Conservative peer Lord Holmes and Liberal Democrat peer Lord Clement-Jones, an amendment to the proposed Data (Access and Use) Bill that will override outdated aspects of the CMA, which inadvertently criminalise good-faith, legitimate security activities, will now be debated in Committee on Wednesday 18 December.
Created largely in response to a famous incident in which professional hackers and technology journalists broke into British Telecom’s Prestel system in the mid-80s, the CMA received Royal Assent in June 1990, barely two months after Tim Berners-Lee and CERN made the world wide web publicly available for the first time.
Although it has been frequently amended over the years to reflect the changing world of technology, the CMA still vaguely defines the offence of “unauthorised access to a computer”, which opponents have long argued inadvertently criminalises cyber security threat researchers and incident responders and forces ethical hackers to work with one hand tied behind their back out of fear of prosecution.
According to the CyberUp campaign, which has been pushing for reform for years, the CMA could be costing the UK economy up to £3.5bn.
“The UK’s outdated cyber laws are preventing our cyber security professionals from defending organisations effectively,” Rob Dartnall, SecAlliance CEO, Crest UK chair, and CyberUp representative, told Computer Weekly.
“In no other sector do security professionals face risks of breaking the law for simply doing their jobs. Campaign research shows that nearly two-thirds of cyber professionals say the CMA hinders their ability to safeguard the UK – an untenable situation as cyber threats grow.”
Holmes and Clement-Jones’ amendment proposes a statutory defence for researchers who can demonstrate either a reasonable belief that the IT system owner would have consented to their work, or that the activity was strictly necessary for the detection of cyber crime.
This will give British cyber pros similar protections to those already in force in other European countries such as Belgium, Germany, France, Malta and the Netherlands, all of which have either recently updated their legal frameworks to address professional hacking, or already had more appropriate legal regimes.
Dartnall said that change was vital to fostering a safe environment for researchers and allowing them to play a more effective role in safeguarding digital systems and data in the UK – a need urgently highlighted by the National Cyber Security Centre (NCSC) in its recent Annual Review.
“We are delighted to see an amendment tabled that could bring the Computer Misuse Act into the 21st century by introducing a statutory defence. Updating this Act would represent a landmark moment for UK cyber security legislation, which is outdated when compared to the cyber threat landscape we face,” he said.
“The last two years have seen unprecedented levels of critical vulnerabilities, ransomware breaches and third-party system breaches, all of which have had a massive effect on people’s data privacy and the UK’s economy.
“By introducing a statutory defence, the UK could protect legitimate cyber security professionals, strengthen its cyber defences, and reinforce its place as a cyber security leader. It is time we updated the law to fit with the digital age,” added Dartnall. “With support from across parliament, we believe this amendment could be a catalyst for a change that would better protect the country.”