Reforming the Computer Misuse Act 1990, and Cyber-Up
The team at CLRNN worked with a number of stakeholders during the drafting of the Reforming the Computer Misuse Act 1990 (CMA) report, and its Westminster launch in January 2020.
While the in-depth review of the CMA’s shortcomings and the recommendations for its reform are the result of independent, evidence-based research and analysis, we are keen to ensure that CLRNN’s work reaches beyond academia to affect real world policy change.
This is why our discussions in relation to the CMA involved representatives from the UK’s cyber security industry, to understand their concerns and take into account the barriers they face in relation to the law as it currently stands. Foremost of these was the major UK-based cyber security company, NCC Group.
NCC Group and other industry partners subsequently launched the CyberUp campaign, specifically to push for reform of the CMA: to update and upgrade the UK’s cyber crime legislation to protect our national security and seize the economic opportunity presented by cyber professionals. The national security and commercial aspects of reform were highlighted in CLRNN’s report, and widely reported in the media, but the journey to see the recommendations implemented continues. As such, CLRNN is pleased to share the efforts of the CyberUp campaign to press for reform of the law.
The CyberUp campaign’s position is as follows:
The current legislative framework runs counter to the UK’s stated policy objective to promote public-private partnership to combat cyber crime. The UK’s cyber security industry is unable to deploy its full capabilities in the pursuit of national security. Reform is needed to:
1) Amend the law to allow cyber security and threat intelligence researchers acting in the public interest to explain and justify their actions and to allow the detection or prevention of crime.
2) Create clear legal definitions to ensure that cyber security and threat intelligence researchers who reasonably believe they have authorisation to act can legitimately do so.
The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.
But Section 1 of the CMA, prohibiting unauthorised access to computers, inadvertently criminalises a large proportion of cyber security and threat intelligence research and investigation by UK cyber security professionals. This is because the law punishes behaviour without any regard for the motivation of those carrying it out, which offers no protection whatsoever for professional researchers acting in good faith.
The cyber security industry works closely with law enforcement and intelligence agencies to defend the UK against cyber crime and geo-political threat actors. But the restrictions in gathering high quality actionable intelligence make it highly challenging to stay ahead of hostile threat actors and cyber criminals as governments alone cannot provide the required capacity.
It is essential that reform takes place in a way that addresses the risk of misuse or exploitation of any legal changes by individuals with dishonest or criminal motives.
The CyberUp campaign is exploring options to create a regime of approval and accreditation of eligible providers, signing of an individually applicable strict ethics code of conduct, a commitment to maintain and share auditable logs of all activities and an obligation to pass on all intelligence and information to the appropriate authorities.
CyberUp has been very clear that they do not support ‘hacking back’ – where a security researcher’s activities entail the disruption or degradation of the investigated systems and infrastructure. These ‘offensive’ cyber activities should remain the prerogative of the state. Nonetheless, reform of the CMA is overdue.
For more information on the CyberUp campaign, please visit https://www.cyberupcampaign.com/news/cma-report-launched-in-parliament
Dr Laura Noszlopy
Network Facilitator for the Criminal Law Reform Now Network
Computer Misuse Act an inhibitor to CyberSecurity?
I am looking forward to the launch of the CLRNN (@CLRNNetwork, http://www.clrnn.co.uk/) report Reforming the Computer Misuse Act 1990 on January 22. I am a major contributor.
The key to understanding the Act was that from the outset it was designed to fill in gaps in the existing legislation rather than to provide a comprehensive response to whatever you think "cybercrime" is. Most cybercrime can now be charged under existing legislation including the Fraud Act 2006, extortion/blackmail, Data Protection Act 2018 and the various Terrorism acts. Computer misuse is only invoked as a primary means of prosecution when none of these appear to be satisfactory. Indeed there are frequent occasions in which the Computer Misuse Act has clearly been breached but where prosecutors decide not to pursue charges with any vigour or indeed at all because success would be unlikely to alter the court's view of punishment in the event of conviction.
(This is one of the reasons why there appear to be so few prosecutions under the Computer Misuse Act and why it may be misleading to consider convictions under the act as reliable indicators of the extent of cybercrime).
The main offences - unauthorised access, unauthorised access in pursuit of a further criminal offence, and unauthorised system impairment - do not appear to require substantive modification.
The main problem is that, although this was never the intention, the act is an inhibitor to cyber security investigations and research. The reason is that the whole framework of the three main offences is based around the concept of "unauthorised". It turns out that authority to access a computer for any purpose can only be given by the owner of that computer or someone clearly delegated on their behalf – s 17. So far so apparently sensible. But these days computer systems are not self-contained stand-alone devices but rely on a constant supply of external input such as material from the web and data streams from other sources. Employees, sub-contractors and others may be granted remote access from their own devices. In addition much of the processing might take place on devices which are not owned by the company or organisation using them – as in use of cloud services, outsourcing contracts and external archiving for email and other documents.
Where then are the boundaries between what an organisation can "authorise" and the outside world? The answer may or may not be in complex contracts of service and supply. This creates a difficulty for those carrying out penetration testing (otherwise known as ethical hacking and designed to look for weaknesses in an organisation's computer systems) and for those carrying out investigations and seeking to find causes and those responsible for them. There is also a problem for researchers and academics and also for organisations offering threat intelligence. Threat intelligence, at its best, offers not only advice on generic threats but on new specific sources of threats including hostile actors. Customers of threat intelligence use it to devise their own detailed security precautions.
All of these activities require investigators to look beyond the boundaries of any one specific computer system. At the moment the only organisations entitled to carry out these activities are law enforcement and the intelligence agencies which have specific "savings" in section 10 of the Act.
The public policy issue, therefore, is that under current law, law enforcement and the National Cyber Security Centre (NCSC), which is part of GCHQ, appear to be the only UK bodies that can carry out threat intelligence beyond a corporate boundary. This places a significant limit on the resources available to identify threats and also on the range of threats investigated; law enforcement will concentrate on events likely to have criminal prosecution outcomes, while NCSC’s central remit is state security. The current legal framework therefore runs in direct opposition to the repeatedly stated national policy of partnership working across the public and private sector, effectively preventing industry from deploying its technical capabilities in the pursuit of national cyber security objectives.
The answer appears to be some sort of “public interest” defence but this would need to be very tightly defined so as not to be abused by recreational hackers.
The report also looks at issues of international jurisdiction, corporate liability (can organisations as opposed to individuals be charged under the Act?) and guidelines for the handling of young and “neurologically diverse” defendants.
I am very interested in responses to the detailed analyses and recommendations.
Cybersecurity and the UK Election: How Current Cyber Laws are Making the UK Less Safe
J.J. Child, Birmingham Law School, Co-Director of the Criminal Law Reform Now Network
All major political parties recognise the growing threat posed by computer misuse and the corresponding need to ensure an effective and co-ordinated cybersecurity regime. Computers are everywhere, from the control and coordination of our national infrastructure to our smartphones and home devices; and yet the principal criminal legislation (the Computer Misuse Act 1990) is both out of date in its content and conspicuously underused as a tool for prosecution. This year’s party manifestos recognise something of this problem, and they promise action.
The Conservative manifesto champions a new ‘cyber-crime force’, a strengthened National Crime Agency (NCA), and modernisation and training for police. Similarly, Labour focuses on training and investment for ‘modern’ cyber policing and reforming the NCA, as well as going further to suggest a review of the National Cyber Security Centre and the creation of a new Minister for Cybersecurity. The Liberal Democrat position, though perhaps more focused on the ethical dimension of new technologies, also recognises the need for investment in cyber policing.
Investment into the policing and prosecution of cybercrime is sorely needed. However, the rush to promise funds for increased policing only engages with part of the problem. Missing from each manifesto is an explicit pledge to reform current offences within the Computer Misuse Act 1990, and yet such reform is vital if the parties are to achieve their desired ends in terms of added security and safety online. The current legislation was created for a different time, and it approaches cyber offences through the blanket criminalisation of all ‘unauthorised’ access, supplemented with even broader provisions criminalising preparatory acts and the trading of equipment used for unauthorised computer access.
Overly broad offences of this kind result in perverse effects. Rather than providing tough regulation, non-culpable journalistic and academic research can be inadvertently criminalised; it has the same impact on the private cybersecurity operators that so many of us (including public bodies) rely upon for effective defence. In this manner, whereas cybersecurity operators from other jurisdictions can work freely in the public interest to police network defences, and to report cyber attack details to the public authorities, such activities in the UK are severely blunted (or are carried out under a cloud of potential prosecution).
The Criminal Law Reform Now Network is a group of leading practitioners and academics specialising in legal reform projects. The Network’s first report – Reforming the Computer Misuse Act 1990 - will be launched in Westminster on the 22nd January 2020 and available open access from www.clrnn.co.uk. The recommended reforms are simple and targeted, creating new public interest defences in line with other modern statutes, as well as clarifying advice on prosecution and sentencing. If the UK political parties are serious about investing in cyber defence, and we hope that they are, modernising the legal framework provides essential missing pieces to the puzzle.