Ruslan Grumble - Fotolia
The Data Bill: It’s time to cyber up
The Computer Misuse Act is outdated and needs reform - so it's disappointing to see the government decline an opportunity to update the legislation, says the peer who proposed amendments
In the latest deliberations on the Data Use and Access Bill in the House of Lords, I set out two amendments to offer well overdue updating to the Computer Misuse Act (CMA) of 1990. In preparing for committee stage of the bill I remain incredibly grateful to everyone involved with the CyberUp campaign, their analysis and commentary always so perfectly on point.
I hardly think I need to rehearse the backdrop to the CMA, many people will be well aware of the act and its shortcomings. Curiously, in the intervening thirty-four and a half years, despite seismic changes in our society and technologies - crucially, including the rise of cyber security threats - the act remains unamended.
Having said that though, I’ve tempted myself a little as it is the case that the act was originally drafted to protect telephone exchanges in 1990, when only 0.5% of the population had access to the internet.
The CMA was the UK’s first computer crime law and came about following an attack on Prestel in the mid-1980s. Anyone under the age of 40 is probably wondering what Prestel was - a forerunner of internet-based online services launched by the Post Office in 1979 - which only serves to make the point.
Significant change
My amendments to the new Data Bill seek to achieve a very clear and materially significant change, to enable cyber security professionals to do what we have asked of them without the legislation tying at least one hand behind their back.
Thirty-four years on, the CMA still governs how we tackle cyber criminals. As it is currently written, the act inadvertently criminalises legitimate cyber security research. This includes a large proportion of vulnerability research and threat intelligence activities which are critical in protecting the UK from increasingly sophisticated cyber attacks.
Fundamentally, it restricts cyber security researchers from conducting essential work to protect the UK, including critical national infrastructure. While improving data access is a positive move, it is equally crucial to modernise cyber security laws to protect not just the data but also the systems that underpin it.
The wording of my amendments in full is:
Data use: definition of unauthorised access to computer programs or data
In section 17 of the Computer Misuse Act 1990, at the end of subsection (5) insert—
“c) they do not reasonably believe that the person entitled to control access of the kind in question to the program or data would have consented to that access if they had known about the access and the circumstances of it, including the reasons for seeking it, and
(d) they are not empowered by an enactment, by a rule of law, or by order of a court or tribunal to access of the kind in question to the program or data.
Data use: defences to charges under the Computer Misuse Act 1990
(1) The Computer Misuse Act 1990 is amended as follows.
(2) In section 1, after subsection (3) insert—
(4) It is a defence to a charge under subsection (1) to prove that—
(a) the person’s actions were necessary for the detection or prevention of crime, or
(b) the person’s actions were justified as being in the public interest.
(3) In section 3, after subsection (6) insert—
(7) It is a defence to a charge under subsection (1) in relation to an act carried out for the intention in subsection (2)(b) or (c) to prove that—
(a) the person’s actions were necessary for the detection or prevention
of crime, or
(b) the person’s actions were justified as being in the public interest.
As I said in the debate, don’t take my word for it, the National Cyber Security Centre acknowledged the widening gap between the risks facing the UK and its ability to mitigate them in its 2024 annual review, clearly stating that “updating this out-of-date legislation is a crucial step in closing this gap”.
Statutory defence
Introducing a statutory defence would provide legal clarity and protection for ethical cyber security professionals undertaking legitimate vulnerability research and threat intelligence activities. Such a defence would align the UK with best practices internationally, ensuring that we keep pace with nations like the US and EU, which are moving to safeguard ethical cyber security work.
To put some numbers to this, there have been nine million instances of cyber crime against UK businesses and charities since May 2021, according to the Department for Science, Innovation and Technology’s 2024 cyber breaches survey, published April 2024. Half of businesses and 32% of charities suffered a cyber breach or attack last year, with £2.4bn estimated increased revenue potential post-update for the sector.
Analysis based on CyberUp’s recent industry report suggests that 60% of respondents said the CMA is a barrier to their work in threat intelligence and vulnerability research, and 80% believed the UK was at a competitive disadvantage due to the CMA.
Concluding my remarks, I asked whether the minister would be able to provide an update on the work to reform the Computer Misuse Act? I also asked her whether she believed that my amendments as drafted would provide the legal protection that we seek and, if so, why the government would not bring them into force via the means of the Data Bill.
The minister’s answers to both questions were largely the same - we must wait, the amendments are “premature”, there was not consensus among those who responded to last year’s consultation on the matter so the path forward must continue with no timeline or sense of when this most pressing of issues will be resolved.
If the government needs some public support to increase its pace on this project, how about the fact that two-thirds of UK adults are inclined to support a change in the law to allow cyber security professionals to carry out research to prevent cyber attacks?
There is also support for such a statutory change from the excellent report of the then chief scientific advisor, Patrick Vallance, earlier this year which concluded that, “Amending the CMA to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals”.
Other nations have already led in this area, not least France and the Netherlands. Belgium, Germany and Malta are currently amending their legal frameworks to this end. As I stated in the debate, it’s time to pass these amendments, it’s time to afford our cyber security professionals the safety they need to do the self-same thing for us, all of us. As has been the case for far too long - it’s time to CyberUp.
Timeline: Computer Misuse Act reform
- January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
- June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30 year-old cyber crime laws.
- November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
- May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
- June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
- August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
- September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
- January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990.
- February 2023: Westminster has opened a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
- March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
- November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
- July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
- July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
- December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
