The CyberUp coalition, a group of stakeholders from across the cyber security sector, has joined growing calls for the government to reform the UK’s 30 year-old cyber crime legislation, saying it is unfit for purpose, and putting organisations in the UK at increased risk during the Covid-19 coronavirus pandemic.
The Computer Misuse Act (CMA) gained Royal Assent on 29 June 1990, 30 years ago to the day, but was written only months after Tim Berners-Lee first proposed the concept of the world wide web, and long before the concept of cyber security as it exists today was known.
The group, which includes industry association techUK, accreditation body Crest, the think tank Demos, a number of prominent legal experts, and security companies including F-Secure, McAfee, NCC Group and Trend Micro, say that the legislation is deterring a large proportion of the research that cyber security professionals can conduct to assess and defend against cyber crime and other threats.
In a letter to prime minister Boris Johnson, the group said: “The CMA is the central regime governing cyber crime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalises a large proportion of modern cyber defence practices.
“The CMA prevents thousands of UK threat intelligence researchers from carrying out research to detect malicious cyber activity and prevent harm and disruption to organisations and citizens alike. In particular, section 1 of the Act prohibits the unauthorised access to any program or data held in any computer and has not kept pace with advances in technology.
“With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access.
“With less threat intelligence research being carried out, the UK’s critical national infrastructure is left at an increased risk of cyber attacks from criminals and state actors,” said the campaigners.
CyberUp wants the government to adopt more permissive regimes – such as exist in France and the US, for example – which allow well-intentioned security pros to conduct their work without having to fear prosecution. They added that without this certainty, the UK could lose out by up to 4,000 high-skilled jobs in the next three years.
The group said that the UK’s lockdown had made it clear how reliant the country is on secure digital technology to deliver essential services such as banking, entertainment, food deliveries, healthcare, utilities and so on. It said given the government has committed to investing in the UK’s digital credentials, it naturally flowed that a new cyber crime regime should form part of this commitment.
At the beginning of 2020, the Criminal Law Reform Now Network (CLRNN) published a report titled Reforming the Computer Misuse Act 1990 – with input from CyberUp – that set out how updated legislation might look.
Among the reforms proposed are new measures that tailor existing offences in line with Britain’s international duties and present-day legal systems; new public interest defences and protections to let legitimate researchers work freely but consistently under the Data Protection Act 2018; improved guidance for prosecutors; and new sentencing guidelines.
