The 30-year-old Computer Misuse Act legislation is ‘out of date’, a coalition of cybersecurity experts & industry leaders recently told UK Prime Minister Boris Johnson.
Businesses, trade bodies, lawyers & think tanks from the UK cybersecurity industry have now written to the PM to urge reform of cybercrime legislation, claiming that the 30-year-old laws have become ‘unfit for purpose’.
This alliance, which includes large cybersecurity consultancies such as NCC Group & F-Secure, the industry trade body Tech UK, the cybersecurity software developers McAfee & Trend Micro, the international accreditation body CREST, the think tank Demos, & a number of leading lawyers in the field, has written to the PM asking him to advance reforms to the Computer Misuse Act (CMA) 30 years after the law received Royal Assent.
The Computer Misuse Act (1990) was introduced in 1990 after Steve Gold & a colleague hacked into Prince Philip’s Prestel account. The judge suggested that they were guilty, but they had broken no law, so new legislation was recommended to deter hackers. The group commented that the Act now restricts a large amount of the research that cybersecurity professionals can carry out to assess & defend against threats posed by organised criminals & geopolitical players.
The letter further outlined: “In particular, s1 of the Act prohibits unauthorised access to any program or data held in any computer & has not kept pace with advances in technology.
“With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning & interrogation of compromised victims’ & criminals’ systems to lessen the impact of attacks & prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access.”
The letter said this has also led to less threat intelligence research being carried out, & to the UK’s ‘critical national infrastructure’ being left at an increased risk of cyber-attack.
The signatories to the letter stressed the urgency of this matter, highlighting the nation’s heightened reliance on secure & resilient digital technologies, especially because of the coronavirus crisis.
The letter explains that other countries have more flexible rules – e.g. France & the US – & warns of the extent to which the UK has now ‘fallen behind’ internationally.
“This creates an advantage for competing cybersecurity sectors, which could see the UK lose out on as many as 4,000 additional high-skilled jobs by 2023 without reform,” it goes on to say.
It concluded by calling on the government to make putting in place a new cybercrime regime part of this commitment.
“This will give our cyber defenders the tools they need to keep Britain safe,” the letter ended.
Javvad Malik, Security Awareness Advocate at KnowBe4, observed that reform of UK cybercrime law is ‘vastly overdue’.
“There are many aspects of the law that are currently inadequate & can put even well-intentioned researchers in harm’s way,” he observed. “However, care needs to be taken in how updates are made so as to not cause issues down the road, or to introduce loopholes. The digital world is still evolving, & care needs to be taken that any amendments are not only appropriate for today, but for the future.”
Ed Parsons, MD at F-Secure Consulting & spokesperson for the Cyber Up campaign, explained that the CMA currently doesn’t provide ‘effective defences’ for cybersecurity professionals acting in ‘good faith’, whether involved in technical research, incident response or threat intelligence.
“It limits what the UK computing industry can do compared with foreign competitors, including our ability to provide support to national security & law enforcement authorities through proportionate investigation of attacker infrastructure,” he suggested.
Ollie Whitehouse, Global CTO, NCC Group, explained that s1 of the Computer Misuse Act criminalises any access to a computer system without the permission of the system owner.
“Threat intelligence & security researchers, by the very nature of the work they are undertaking, are often unable to obtain that permission: a threat intelligence researcher investigating a cyber criminal’s attack infrastructure will be hard-pressed to obtain that criminal’s consent to try & catch them,” he further explained.
He added that the failing of the current law is that it completely ignores the fact that there are ethical researchers undertaking research activities in good faith.
The law, he said, needs to be amended so that researchers’ motivations can be considered when judging their actions.
“The way to do this, we believe, is to include statutory defences in a reformed Computer Misuse Act that legitimise activities otherwise illegal under s1 where they happen in order to detect & prevent cyber-crime. There are legal precedents, including in the Data Protection Act 2018, so this is not a novel concept. But it would extend the legal certainties & protections guaranteed to others to the UK’s cyber defenders.”