Blog

21 Jan 20

 

Computer Misuse Act an inhibitor to CyberSecurity?

 

I am looking forward to the launch of the CLRNN (@CLRNNetwork, http://www.clrnn.co.uk/) report Reforming the Computer Misuse Act 1990 on January 22.  I am a major contributor.

 

The key to understanding the Act was that from the outset it was designed to fill in gaps in the existing legislation rather than to provide a comprehensive response to whatever you think "cybercrime" is. Most cybercrime can now be charged under existing legislation including the Fraud Act 2006, extortion/blackmail, Data Protection Act 2018 and the various Terrorism acts. Computer misuse is only invoked as a primary means of prosecution when none of these appear to be satisfactory. Indeed there are frequent occasions in which the Computer Misuse Act has clearly been breached but where prosecutors decide not to pursue charges with any vigour or indeed at all because success would be unlikely to alter the court's view of punishment in the event of conviction.

 

(This is one of the reasons why there appear to be so few prosecutions under the Computer Misuse Act and why it may be misleading to consider convictions under the act as reliable indicators of the extent of cybercrime).

 

The main offences - unauthorised access, unauthorised access in pursuit of a further criminal offence, and unauthorised system impairment - do not appear to require substantive modification.

 

The main problem is that, although this was never the intention, the act is an inhibitor to cyber security investigations and research. The reason is that the whole framework of the three main offences is based around the concept of "unauthorised". It turns out that authority to access a computer for any purpose can only be given by the owner of that computer or someone clearly delegated on their behalf – s 17. So far so apparently sensible. But these days computer systems are not self-contained stand-alone devices but rely on a constant supply of external input such as material from the web and data streams from other sources. Employees, sub- contractors and others may be being granted remote access from their own devices. In addition much of the processing might take place on devices which are not owned by the company or organisation using them – as in use of cloud services,  outsourcing contracts and external archiving for email and other documents.  

 

Where then are the boundaries between what an organisation can "authorise" and the outside world? The answer may or may not be in complex contracts of service and supply. This creates a difficulty for those carrying out penetration testing (otherwise known as ethical hacking and designed to look for weaknesses in an organisations computer systems) and for those carrying out investigations and seeking to find causes and those responsible for them. There is also a problem for researchers and academics and also for organisations offering threat intelligence. Threat intelligence, at its best, offers not only advice on generic threats but on new specific sources of threats including hostile actors. Customers of threat intelligence use it to devise their own detailed security precautions.  

 

All of these activities require investigators to look beyond the boundaries of any one specific computer system. At the moment the only organisations entitled to carry out these activities are law enforcement and the intelligence agencies which have specific "savings" in section 10 of the Act.

 

The public policy issue, therefore, is that under current law only law enforcement and the National Cyber Security Centre (NCSC) which is part of GCHQ, appear to be the only UK bodies that can carry out threat intelligence beyond a corporate boundary. This places a significant limit on the resources available to identify threats and also on the range of threats investigated; law enforcement will concentrate on events likely to have criminal prosecution outcomes, NCSC’s central remit is state security. The current legal framework therefore runs in direct opposition to repeatedly stated national policy of partnership working across public and private sector, effectively preventing industry from deploying its technical capabilities in the pursuit of national cyber security objectives.

 

The answer appears to be some sort of “public interest” defence but this would need to be very tightly defined so as not to be abused by recreational hackers.

 

The report also looks at issues of international jurisdiction,  corporate liability (can organisations as opposed to individuals be charged under the Act?) and guidelines for the handling of young and  “neurologically diverse” defendants.

 

I am very interested in responses to the detailed analyses and recommendations.  

 

Peter Sommer

peter@pmsommer.com

10 Dec 19

 

 

 

Cybersecurity and the UK Election: How Current Cyber Laws are Making the UK Less Safe

 

J.J. Child, Birmingham Law School, Co-Director of the Criminal Law Reform Now Network

 

All major political parties recognise the growing threat posed by computer misuse and the corresponding need to ensure an effective and co-ordinated cybersecurity regime. Computers are everywhere, from the control and coordination of our national infrastructure to our smartphones and home devises; and yet the principal criminal legislation (the Computer Misuse Act 1990) is both out of date in its content and conspicuously underused as a tool for prosecution. This year’s party manifestos recognise something of this problem, and they promise action.


The Conservative manifesto champions a new ‘cyber-crime force’, a strengthened National Crime Agency (NCA), and modernisation and training for police. Similarly, Labour focuses on training and investment for ‘modern’ cyber policing and reforming the NCA, as well as going further to suggest a review of the National Cyber Security Centre and the creation of a new Minister for Cybersecurity. The Liberal Democrat position, though perhaps more focused on the ethical dimension of new technologies, also recognises the need for investment in cyber policing.


Investment into the policing and prosecution of cybercrime is sorely needed. However, the rush to promise funds for increased policing only engages with part of the problem. Missing from each manifesto is an explicit pledge to reform current offences within the Computer Misuse Act 1990, and yet such reform is vital if the parties are to achieve their desired ends in terms of added security and safety online. The current legislation was created for a different time, and it approaches cyber offences through the blanket criminalisation of all ‘unauthorised’ access, supplemented with even broader provisions criminalising preparatory acts and the trading of equipment used for unauthorised computer access.


Overly broad offences of this kind result in perverse effects. Rather than providing tough regulation, non-culpable journalistic and academic research can be inadvertently criminalised; it has the same impact on the private cybersecurity operators that so many of us (including public bodies) rely upon for effective defence. In this manner, whereas cybersecurity operators from other jurisdictions can work freely in the public interest to police network defences, and to report cyber attack details to the public authorities, such activities in the UK are severely blunted (or are carried out under a cloud of potential prosecution).


The Criminal Law Reform Now Network is a group of leading practitioners and academics specialising in legal reform projects. The Network’s first report – Reforming the Computer Misuse Act 1990 - will be launched in Westminster on the 22nd January 2020 and available open access from www.clrnn.co.uk. The recommended reforms are simple and targeted, creating new public interest defences in line with other modern statutes, as well as clarifying advice on prosecution and sentencing. If the UK political parties are serious about investing in cyber defence, and we hope that they are, modernising the legal framework provides essential missing pieces to the puzzle.