Campaigners call for evidence to reform UK cyber laws
The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work
The CyberUp Campaign, a group calling for urgent reform to the Computer Misuse Act (CMA) 1990, has launched a fresh consultation inviting security professionals and researchers to take part in a wide-ranging survey seeking views on the 34-year-old law’s impact on their work.
CyberUp argues that the CMA is risibly out of date – it was written only months after Tim Berners-Lee first proposed the concept of the worldwide web – and that the wording of key clauses relating to unauthorised access to computer systems risks criminalising legitimate security professionals and ethical hackers trying to defend organisations. To do so, they say, potentially risks prosecution.
The campaigners first came together in early 2020, on the eve of the Covid-19 pandemic, to call on Boris Johnson, as prime minister, to address their concerns, and by May 2021 their work had secured commitments from the then home secretary Priti Patel to begin a consultation on the issue.
However, this process stalled and became lost in the political melee, and by 2023, with Johnson and his successor Liz Truss consigned to history, the campaign had advanced no further in its aims. Another consultation did take place in 2023 and was widely welcomed, but little ultimately came of it.
The campaigners said that in opening a new study, they hoped the new Labour government would listen to clear, up-to-date and indisputable evidence to change the law.
“This is a pivotal moment for the cyber security industry. The new government has just introduced a very welcome Cyber Security and Resilience Bill in the King’s Speech – the first time ever that ‘cyber’ has been mentioned in any primary legislation – which presents an opportune moment for a legislative update to the CMA in the near future,” they said.
This is an excellent opportunity to capitalise on the legislative momentum the campaign and the wider sector have generated over several years to update the Computer Misuse Act
CyberUp campaigners
“Launching the survey now enables the campaign to demonstrate the potentially restrictive impact of outdated cyber crime legislation on the growth and investment of the UK’s cyber security sector, as well as its effect on cyber defensive activities conducted domestically.”
The survey should take about 10 minutes to complete and the campaigners have said that due to the sensitive nature of responses they may receive, all information contained in the final cut will be fully anonymised.
“This is an excellent opportunity to capitalise on the legislative momentum the campaign and the wider sector have generated over several years to update the Computer Misuse Act,” they said.
What do cyber pros really think?
The CyberUp campaigners include representatives from leading cyber firms, including WithSecure, McAfee, NCC Group and Trend Micro, and the campaign is backed by security accreditation body Crest and trade association TechUK.
Previous studies conducted by the group have revealed broad consensus across the industry that reform is needed.
Last time such an exercise was conducted in 2023, security professionals spoke of the “chilling” effect of the CMA on Britain’s cyber defenders, with 60% believing it acted as a barrier to working effectively and 80% claiming it put the UK at a competitive disadvantage on the world stage.
CyberUp estimates that out of nearly 2,000 active cyber security firms in the UK, almost 600 have experienced an economic loss due to not being able to work effectively, which the campaign says risks £3bn of the £10.5bn annual sales made by the sector.
Additionally, it believes more than 16,800 security professionals have left the UK over the years to work in countries with more permissive laws.
With a fit-for-purpose regime that allows legitimate cyber security defensive and research work, while still ensuring malicious threat activity is appropriately sanctioned, the cyber resilience benefits delivered for the UK could be three times as great as they currently are, said the campaigners.
Computer Misuse Act reform: A lengthy process
January 2020: Group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
February 2023: Westminster has opened a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, says Bugcrowd’s ethical hackers.
November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left disappointed by a lack of legislative progress.
July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
