Computer Misuse Act reform to move forward in National Security Bill
Reform of the Computer Misuse Act is to be folded into a wider National Security Bill that will grant more powers for law enforcement and the security services to better protect the UK against a wider spectrum of threats.
The long-awaited reform of Britain's outdated Computer Misuse Act of 1990 – which has hamstrung the work of Britain’s cyber security professionals and researchers for years – is to be included in a new National Security Bill.
Announced today by King Charles III in his speech at the State Opening of Parliament, the National Security Bill is chiefly designed to make the UK a harder target for hostile foreign states and other dangerous groups to attack.
It comes partly in response to the 2024 Southport terror attack and more recent incidents targeting Britain’s Jewish community. It will create new offences around creating and disseminating harmful material online and, according to Westminster, will close gaps within the nation’s state threats legislation and align it more closely with anti-terror laws.
Ultimately, the stated goal is to enhance the UK’s ability to counter the full spectrum of threats ranged against the UK by enhancing the powers available to law enforcement and the security services.
The government said that by reforming the legal cyber landscape as part of this, cyber cops will gain updated powers and capabilities to “remain effective in the digital age”.
It intends to create a Cyber Crime Risk Order that can be applied to control the behaviour of cyber criminals, and new abilities to search people believed to be concealing evidence on behalf of suspected offenders.
“It will also unlock the power of cyber security professionals to better enable them to secure computer systems. It will also seek to tackle the pervasive threat to the UK economy and businesses, posed by ruthless cyber criminals,” said the government.
Bona fide professionals
The CMA was passed thirty-five years ago in response to a high-profile hacking incident involving no less than the King’s father, the late Duke of Edinburgh.
It defined the offence of unauthorised access to a computer – which has been used successfully in countless cyber crime prosecutions over the years.
However, as the cyber security landscape has developed into its current form, this language has become increasingly vague. For some years now, a growing number of bona fide security professionals have been arguing that it potentially criminalises their work because, from time to time, they may need to gain covert access to IT systems in the course of legitimate research.
Speaking to Computer Weekly in 2025, Belfast-based security consultant Simon Whittaker described how the police showed up at his front door after his research was erroneously implicated in the infamous WannaCry incident of 2017.
At the time, Whittaker said: “It [CMA reform] would allow us to be more secure in our research. I’d love to be able to just look at things in more detail and help people secure themselves. It would allow us to focus on our jobs instead of being worried that we’re going to breach something or that something else is going to go wrong.”
Besides making life easier for security teams, the CyberUp Campaign, which has been pushing for reform for years, estimates that merely by reforming the CMA to give legitimate security professionals a statutory defence in law, Britain’s cyber sector – which employs almost 70,000 people generating £11.9bn in revenues – could unlock up to 20% growth right off the bat.
A campaign spokesperson said: “Today marks a genuine turning point for cyber security in the UK. For years, the CMA has left legitimate cyber security professionals and researchers operating under unnecessary legal risk, while hostile actors move faster and with fewer constraints.
“By including CMA reform in the National Security Bill, the Government has recognised a basic reality: cyber professionals cannot be expected to defend the country with one hand tied behind their backs.
“The test now is whether the legislation delivers a clear, workable statutory defence for good-faith cyber security activity, including vulnerability research and threat intelligence. We stand ready to work with ministers and Parliament to turn this commitment into a lasting upgrade to the UK’s cyber resilience,” they said.
AI adds urgency to reform chatter
Sabeen Malik, vice president for global government affairs and public policy at Rapid7, added: “As AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed – activities the 1990 Computer Misuse Act’s broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing.
“Hostile actors are already weaponising AI to find and exploit zero-days faster than human teams can triage them, so any legal regime that chills good-faith use of the same capabilities by UK defenders directly widens the offence-defence gap the National Cyber Strategy is meant to close.
“A statutory public-interest defence – the test the CyberUp Campaign has now set for the bill – is the minimum needed to give industry, CERTs, and threat-intel teams the legal certainty to deploy AI-enabled defensive tooling at the scale the threat environment now demands,” said Malik.
Timeline: Computer Misuse Act reform
- January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
- June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws.
- November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
- May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
- June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
- August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
- September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
- January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990.
- February 2023: Westminster opens a consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
- March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
- November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
- July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
- July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
- December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
- December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee.
- January 2025: Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit.
- May 2025: Britain’s outdated hacking laws are leaving the UK’s cyber practitioners hamstrung and afraid. Security professional Simon Whittaker reveals how he nearly ran afoul of the Computer Misuse Act, and why he’s speaking out for reform.
- December 2025: Campaigners celebrate as security minister Dan Jarvis commits to amending the outdated Computer Misuse Act to protect security professionals from prosecution.
- April 2026: Ahead of the NCSC's CyberUK conference, the CyberUp Campaign for reform of the UK’s hacking laws urges the government to keep focus and proposes a four-pillar framework that would protect cyber professionals from prosecution.
