UK cybersecurity industry calls for an overhaul of Computer Misuse Act

News by Rene Millman

The 30-year-old legislation is out of date, a coalition of cybersecurity experts and industry leaders tells the UK's Prime Minister Boris Johnson.

Several businesses, trade bodies, lawyers and think tanks from the UK cybersecurity industry have written to the Prime Minister to urge reform of the UK's cybercrime laws, claiming that the 30-year-old legislation is now ‘unfit for purpose’.

The alliance, which includes large cybersecurity consultancies such as NCC Group and F-Secure, industry trade body techUK, cybersecurity software developers McAfee and Trend Micro, international accreditation body CREST, the think tank Demos, and a number of prominent lawyers in the field, has written to the Prime Minister urging him to bring forward reforms to the Computer Misuse Act (CMA) exactly thirty years after the law gained Royal Assent.

The Computer Misuse Act (1990) was brought in after one of SC's founders, Steve Gold, and a colleague hacked into Prince Philip's Prestel account. The judge said they were guilty but had broken no law, so a law was advisable to deter hackers. Now, the group says, the law affects a large proportion of the research that cybersecurity professionals can carry out to assess and defend against emerging threats posed by organised criminals and geopolitical actors.

The letter said: “In particular, section 1 of the Act prohibits the unauthorised access to any program or data held in any computer and has not kept pace with advances in technology.

“With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access.”

The letter said that, because the law means less threat intelligence research is carried out, the UK’s critical national infrastructure is left at an increased risk of cyber-attack.

The signatories to the letter stress the urgency of the issue, highlighting the nation’s heightened reliance on secure and resilient digital technologies, particularly in light of the coronavirus crisis.

The letter points to other countries with more permissive regimes, such as France and the US, and warns of the extent to which Britain has fallen behind internationally.

“This creates an advantage for competing cybersecurity sectors, which could see the UK lose out on as many as 4,000 additional high-skilled jobs by 2023 without reform,” said the letter.

The letter closes by calling on the government to make establishing a new cybercrime regime part of this commitment.

“This will give our cyber defenders the tools they need to keep Britain safe,” the letter finishes.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that reform to the UK cybercrime law is long overdue.

“There are many aspects of the law that are currently inadequate and can put even well-intentioned researchers in harm's way,” he said. “However, care needs to be taken in how updates are made so as to not cause issues down the road, or to introduce loopholes. The digital world is still evolving, and care needs to be taken that any amendments are not only appropriate for today, but for the future.”

Ed Parsons, MD at F-Secure Consulting and spokesperson for the CyberUp campaign, told SC Media UK that the CMA in its current form doesn’t provide effective defences for cybersecurity professionals acting in good faith, whether involved in technical research, incident response or threat intelligence.

“It limits what the UK computing industry can do compared with foreign competitors, including our ability to provide support to national security and law enforcement authorities through proportionate investigation of attacker infrastructure,” he said.

Ollie Whitehouse, Global CTO, NCC Group, told SC Media UK that section 1 of the Computer Misuse Act criminalises any access to a computer system without the permission of the system owner.

“Threat intelligence and security researchers, by the very nature of the work they are undertaking, are often unable to obtain that permission: a threat intelligence researcher investigating a cyber criminal's attack infrastructure will be hard-pressed to obtain that criminal's consent to try and catch them,” he said.

He added that the failing of the current law is that it completely ignores the fact that there are ethical researchers undertaking research activities in good faith.

The law needs to be changed to allow for actors' motivations to be taken into account when judging their actions.

“The way to do this, we believe, is to include statutory defences in a reformed Computer Misuse Act that legitimise activities otherwise illegal under section 1 where they happen in order to detect and prevent (cyber) crime. There are legal precedents, including in the Data Protection Act 2018, so this isn't a novel concept. But it would extend legal certainties and protections guaranteed to others to the UK's cyber defenders.”
