Reforming the Computer Misuse Act 1990, and Cyber-Up

Dr Laura Noszlopy (CLRN Network Facilitator) 

The team at CLRNN worked with a number of stakeholders during the drafting of the Reforming the Computer Misuse Act 1990 (CMA) report, and its Westminster launch in January 2020.

While the in-depth review of the CMA’s shortcomings and the recommendations for its reform are the result of independent, evidence-based research and analysis, we are keen to ensure that CLRNN’s work reaches beyond academia to affect real world policy change.

This is why our discussions in relation to the CMA involved representatives from the UK’s cyber security industry, to understand their concerns and take into account the barriers they face in relation to the law as it currently stands. Foremost of these was the major UK-based cyber security company, NCC Group.

NCC Group and other industry partners subsequently launched the CyberUp campaign, specifically to push for reform of the CMA: to update and upgrade the UK’s cyber crime legislation to protect our national security and seize the economic opportunity presented by cyber professionals. The national security and commercial aspects of reform were highlighted in CLRNN’s report, and widely reported in the media, but the journey to see the recommendations implemented continues. As such, CLRNN is pleased to share the efforts of the CyberUp campaign to press for reform of the law.

The CyberUp campaign’s position is as follows:

The current legislative framework runs counter to the UK’s stated policy objective to promote public-private partnership to combat cyber crime. The UK’s cyber security industry is unable to deploy its full capabilities in the pursuit of national security. Reform is needed to:

1) Amend the law to allow cyber security and threat intelligence researchers acting in the public interest to explain and justify their actions and to allow the detection or prevention of crime.

Create clear legal definitions to ensure that cyber security and threat intelligence researchers who reasonably believe they have authorisation to act can legitimately do so.

2) The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.

But Section 1 of the CMA, prohibiting unauthorised access to computers, inadvertently criminalises a large proportion of cyber security and threat intelligence research and investigation by UK cyber security professionals. This is because the law punishes behaviour without any regard for the motivation of those carrying it out which offers no protection whatsoever for professional researchers acting in good faith.

The cyber security industry works closely with law enforcement and intelligence agencies to defend the UK against cyber crime and geo-political threat actors. But the restrictions in gathering high quality actionable intelligence make it highly challenging to stay ahead of hostile threat actors and cyber criminals as governments alone cannot provide the required capacity.

It is essential that reform takes place in a way that addresses the risk of misuse or exploitation of any legal changes by individuals with dishonest or criminal motives.

The CyberUp campaign is exploring options to create a regime of approval and accreditation of eligible providers, signing of an individually applicable strict ethics code of conduct, a commitment to maintain and share auditable logs of all activities and an obligation to pass on all intelligence and information to the appropriate authorities.

CyberUp has been very clear that they do not support ‘hacking back’ – where a security researchers’ activities entail the disruption or degradation of the investigated systems and infrastructure. These ‘offensive’ cyber activities should remain the prerogative of the state. Nonetheless, reform of the CMA is overdue.

For more information on the CyberUp campaign, please visit https://www.cyberupcampaign.com/news/cma-report-launched-in-parliament