Latest attempt to override UK’s outdated hacking law stalls
Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee
Two amendments to the Data (Access and Use) Bill that would have established a statutory legal defence for security professionals and ethical hackers to protect them from prosecution under the 1990 Computer Misuse Act (CMA) have failed to make it beyond a House of Lords committee hearing after being withdrawn.
The 34-year-old CMA broadly defines the offence of “unauthorised access to a computer” that is frequently relied upon in the UK when prosecuting cyber criminals, but given it became law when Margaret Thatcher was prime minister, it has not been updated to reflect the emergence, and practices, of the legitimate cyber security profession.
Campaigners say this is putting the UK at a competitive disadvantage because security pros fear they may be prosecuted simply for doing their jobs – for example, by accessing a system during the course of an incident investigation – while their employers lose out to companies located in more permissive jurisdictions.
Introduced by Lord Chris Holmes and Lord Tim Clement-Jones, the changes would have introduced two amendments into the Data Bill to amend the CMA such that security professionals could prove their actions were “necessary for the detection or prevention of crime” or “justified as being in the public interest”.
Speaking in support of the amendment on 18 December 2024, Holmes spoke about how the CMA was introduced to defend telephony exchanges in an era when 0.5% of the population was online, and if that was the act’s sole purpose, that alone would indicate it needs updating given the profound advances in technology made in the past three-and-a-half decades.
“The Computer Misuse Act 1990 is not only out of date but inadvertently criminalising the cyber security professionals we charge with the job of keeping us all safe. They oftentimes work, understandably, under the radar, behind not just closed but locked doors, doing such important work. Yet, for want of these amendments, they are doing that work, all too often, with at least one hand tied behind their back,” said Holmes.
“Let us take just two examples: vulnerability research and threat intelligence assessment and analysis. Both could find that cyber security professional falling foul of the provisions of the CMA 1990. Do not take my word for it: look to the 2024 annual report of the National Cyber Security Centre, which rightly and understandably highlights the increasing gap between the threats we face and its ability, and the ability of the cyber security professionals community, to meet those threats.
“These amendments, in essence, perform one simple but critical task: to afford a legal defence for legitimate cyber security activities,” he said. “That is all, but it would have such a profound impact for those whom we have asked to keep us safe and for the safety they can thus deliver to every citizen in our society.
“It’s not time, it’s well over time that these amendments become part of our law. If not now, then when? If not these amendments, what amendment? And if not these amendments, what will the government say to all those people who will continue to be put in harm’s way for want of these protective provisions?” added Holmes.
Government responds
During the hearing in Westminster, other parliamentarians, including the amendment’s co-sponsor Lord Clement-Jones and Lord James Arbuthnot, better known for his campaigning work in the Post Office Horizon scandal, spoke in favour of reform, but to no avail.
Lord Timothy Kirkhope said: “This just demonstrates, yet again, that unless we pull ourselves together, with better smart legislation that moves faster, we will never ever catch up with developments in technology and AI [artificial intelligence]. This has been demonstrated dramatically by these amendments. I express concerns that the government move at a pace that government always moves at, but in this particular field it is not going to work.”
Responding to the meeting, under-secretary of state at the Department for Science, Innovation and Technology (DSIT) Baroness Margaret Jones said the government agreed the UK needed a revised legislative framework to enable the authorities to tackle the harms posed by cyber criminals, and that it was committed to ensuring the CMA remains up to date and is effective in this regard.
However, said Jones, reform is a “complex and ongoing” issue that is being considered as part of a Home Office review of the CMA itself.
“We are considering improved defences by engaging extensively with the cyber security industry, law enforcement agencies, prosecutors and system owners. However, engagement to date has not produced a consensus on the issue, even within the industry, and that is holding us back at this moment – but we are absolutely determined to move forward with this and to reach a consensus on the way forward,” she said.
“The specific amendments … are premature, because we need a stronger consensus on the way forward, notwithstanding all the good reasons … given for why it is important that we have updated legislation. With these concerns and reasons in mind, I hope that the noble Lord [Holmes] will feel able to withdraw his amendment,” said Jones.
Katharina Sommer, group head of government affairs at cyber firm NCC Group, said she was thrilled to see such passionate calls for reform, and that the session had rightly highlighted the outdated nature of the CMA and how it holds back cyber security professionals.
“We need a statutory defence, like that proposed by Lord Holmes’ welcome amendment, to allow this vital work to proceed unimpeded, at a time where the cyber threat is rising unabatedly. Reforming the CMA would unlock huge opportunities, strengthen our defences, and help the UK compete on the world stage,” she said.
“It is heartening to see the minister recognise the need to provide legal protections for legitimate cyber security activities, and hear about her determination to reach consensus on the way forward, particularly as this follows her colleague the security minister’s recent commitment to reviewing the CMA,” said Sommer.
“We do hope sincerely that all those involved in keeping the UK safe in cyberspace are prepared to work together, and find compromise rather than risk deadlock. We look forward to working with the government and all partners to ensure the UK’s cyber laws reflect 21st century threats.”
Timeline: Computer Misuse Act reform
- January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
- June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws.
- November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
- May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
- June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
- August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
- September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
- January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990.
- February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
- March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
- November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
- July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
- July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
- December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
Disappointment
Andrew Jones, strategy director at The Cyber Scheme, a supporter of the CyberUp Campaign for legal reform, said: “Whilst we are slightly disappointed by the government’s decision not to seize this opportunity to bring the Computer Misuse Act into the 21st century, we are encouraged by their recent comments suggesting a review of the act is being considered. Until then, the CMA will remain an outdated piece of legislation, preventing our cyber security professionals from defending organisations effectively and leaving us lagging behind peer nations, as the US and EU move to safeguard ethical cyber security work as a cornerstone of national resilience.
“With the CEO of the National Cyber Security Centre recently acknowledging that hostile activity in UK cyberspace has increased in ‘frequency, sophistication and intensity’, it is vital that the UK takes measures to upgrade its cyber resilience.
He added: “The statutory defence we propose – drafted in consultation with industry and legal experts – would protect legitimate cyber security professionals, strengthen UK cyber defences, and reinforce its place as a cyber security leader. We are fully prepared to work with the government to help implement this necessary change in the future, as soon as it is ready to act.”