Gajus - stock.adobe.com

King’s Speech misses the mark on cyber law reform, says campaign

A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber pros from prosecution have been left disappointed by a lack of legislative progress

British businesses continue to fall victim to rampant cyber criminality as the government blows hot and cold on much-needed reforms to 33-year-old legislation that is hindering the ability of the cyber security profession to respond effectively, according to campaigners who have lamented a “missed opportunity” in this week’s King’s Speech.

The CyberUp campaign, which has been trying to get the outdated Computer Misuse Act (CMA) of 1990 reformed for years – on the basis that clauses in the legislation could be used to prosecute security professionals simply for doing their jobs – says that almost eight million instances of cyber crime, six every minute, have been recorded across the country since the government first committed to reviewing the law in May 2021.

The campaign said the King’s Speech – the first since George VI opened Parliament in 1950 – had failed to grasp the nettle of reform and, as such, UK organisations will remain at risk. It called for the government to act swiftly to conclude a consultation on the matter, and bring the CMA into the 21st century.

Rob Dartnall, CEO of SecAlliance, chair of CREST UK and representative of the CyberUp Campaign, said: “The reality is that in the war against cyber crime, our professionals’ hands are tied by out-of-date laws. Surely now, with nearly eight million cyber attacks taking place since the government’s original commitment to reforming cyber security legislation, the urgency should be there to make this a political priority and give us the tools to protect the country from online threats.

“It is almost certain that more timely reform could have helped prevent a good proportion of these threats which have had huge consequences for our businesses and charities. Every day that passes without reform leaves people exposed to even more rapidly growing threats.”

What does the CyberUp campaign want?

At the centre of the campaigner’s demands is a clause in the CMA that prevents unauthorised access to computer material, which came into force at a time when just 0.5% of the population had access to the infant internet.

Section One of the CMA reads thus: A person is guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; (b)the access he intends to secure, or to enable to be secured, is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case.

The CyberUp campaign says that this has a “chilling effect” on the industry because it puts cyber security incident responders and researchers acting ethically at risk of prosecution.

In the UK, the public sector, in the form of the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and other bodies work hand-in-hand with private sector cyber experts to defend the country, but the provisions of the CMA mean much of their work is unintentionally criminalised.

A freedom of information (FoI) request made by the campaign in 2021 found that two-thirds of respondents to a preliminary consultation on reform were concerned over being criminalised, which ultimately means less threat intelligence and vulnerability research work is done in the UK.

This would seem to run contrary to the government’s oft-quoted goal of making the UK “the safest place in the world to live and work online”, and may also be putting the UK at a competitive disadvantage.

Earlier this year, government chief scientific advisor Patrick Vallance, in a review published at the same time as the chancellor pledged to reform the CMA in the 2023 Spring Statement, said that other countries such as France and the US have already updated their regulations, and that Westminster needed to do the same.

“A reformed act will unleash the full potential of the UK cyber security industry, who are frustrated by current legislation, which leaves our country dangerously exposed,” said Dartnall.

“We urge government to lay out a clear timetable for the next steps for reform, which positively reflect industry’s support for professional safeguards. As the future of our security landscape grows increasingly uncertain, we must ensure our cyber professionals are equipped with the necessary tools to stay ahead of hostile threat actors and cyber criminals.”

The campaign already counts multiple parliamentarians among its supporters, including peers such as former national cyber security advisor Pauline Neville-Jones, internet entrepreneur Martha Lane-Fox, and James Arbuthnot, who has been a vocal supporter of the subpostmasters victimised in the Post Office Horizon scandal. It plans to host a drop-in event in Parliament to highlight to MPs and Peers why the laws need to be updated to secure the UK’s future growth, productivity and success, and expand its support base.

Cyber agenda progresses

In other areas pertaining to cyber security, the King’s Speech did advance the agenda some distance, as the updated Data Protection and Digital Information (DPDI) Bill – which is set to amend how the UK goes about implementing the European Union (EU) General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED), both transposed into UK law post-Brexit.

The DPDI Bill has attracted the ire of privacy campaigners and cyber experts who fear it will turn the UK into a “leaky valve” that undermines the data rights of EU citizens, and may put the UK’s data adequacy arrangement at risk.

“The fact the Data Protection and Digital Information (No. 2) Bill has been carried forward to the next parliamentary session and mentioned in the King's Speech, signals that data protection reform remains a legislative priority for the current government,” said Rhiannon Webster, partner and head of UK data privacy and cyber security at Ashurst, a law firm.

“As the bill is already mid-way through parliamentary approval process, organisations should prepare for the law to be on the statute book before the next general election and can expect to see changes aimed at cutting red-tape and compliance burdens,” she said.

Dan Morgan, senior government affairs director at risk management specialist SecurityScorecard, said there was an “imperative need” for the UK to fortify its cyber framework.

“With seven pivotal bills, including the Digital Markets, Competition and Consumers Bill and the Data Protection and Digital Information Bill, poised for passage in this session, the UK aims to refresh regulations to spur growth and intensify competition. This is a positive and progressive agenda but lacks a legislative plan for cyber security,” he said.

Morgan said that in contrast with a more proactive stance taken in the EU through such directives as NIS2 and the Cyber Resilience Act (CRA), the UK lacked a cohesive legislative counterpart, despite the best efforts of the NCSC, and ongoing projects such as the Science and Technology Select Committee inquiry into the cyber resilience of the UK’s critical national infrastructure (CNI).

“SecurityScorecard takes this opportunity to urge the committee to advocate for comprehensive legislative action. For SecurityScorecard, the absence of standardised cyber risk measurements has perpetuated a security trust deficit, with regulations and standards varying significantly across different sectors and nations,” said Morgan.

“This inconsistency has led to a patchwork of security measures, leaving critical infrastructures exposed to cyber threats. The company also notes that point-in-time assessments of cyber risk are insufficient in the face of ever-evolving threats. They argue for the adoption of cyber risk ratings to enhance visibility across the critical infrastructure sector and government agencies.”

Read more about security policy

Read more on Regulatory compliance and standard requirements