Saturday, January 18, 2025

Latest Effort to Revamp UK’s Obsolete Hacking Legislation Hits a Roadblock

Two amendments aimed at protecting security professionals and ethical hackers under the 1990 Computer Misuse Act (CMA) have been withdrawn after failing to advance in a House of Lords committee hearing. These proposed changes would have provided a legal defense, allowing these experts to argue that their actions were necessary for preventing or detecting crime or were in the public interest.

The CMA, now 34 years old and enacted during Margaret Thatcher’s time, broadly defines “unauthorized access to a computer.” Its vague nature puts security professionals at risk of prosecution, especially when they need to access systems during incident investigations. The resulting reluctance to act can hinder the UK’s competitiveness in cybersecurity, as professionals fear legal repercussions while companies in more permissive jurisdictions benefit.

Lord Chris Holmes and Lord Tim Clement-Jones introduced the amendments. Holmes pointed out how outdated the CMA is, noting it was crafted when only a small fraction of the population was online. The technology landscape has shifted dramatically since then. He highlighted that the act unintentionally criminalizes the very people tasked with safeguarding against cyber threats.

Holmes cited examples like vulnerability research and threat intelligence, which could lead to security professionals unwittingly violating the CMA. He referenced the National Cyber Security Centre’s 2024 report, which emphasizes the growing gap between cyber threats and the ability of specialists to address them. The proposed amendments aimed to offer legal protection for legitimate cybersecurity activities, which, according to Holmes, would positively impact public safety.

During the hearing, several parliamentarians voiced support for reform, but to no avail. Lord Timothy Kirkhope expressed his frustration over the slow pace of legislative change, particularly in an era where technology is advancing rapidly.

In response, Baroness Margaret Jones, the under-secretary of state at the Department for Science, Innovation and Technology, acknowledged the necessity for a revised legal framework in the face of evolving cyber threats. She emphasized that the government is committed to updating the CMA but deemed reform a “complex and ongoing” issue. The government is seeking input from various stakeholders but has yet to reach a consensus.

Katharina Sommer, head of government affairs at NCC Group, welcomed the discussion on reform, reiterating the need for a statutory defense that supports cybersecurity professionals in their critical work. She highlighted the urgency for the UK to compete globally and improve its cybersecurity measures.

Andrew Jones, strategy director at The Cyber Scheme, expressed disappointment over the missed opportunity for immediate reform. He urged action, noting the increasing hostile activity in UK cyberspace. He reiterated the importance of protecting cybersecurity professionals through a statutory defense to enhance the UK’s national resilience in cyber defense.

The debate surrounding the CMA emphasizes a clear need for legal clarity to empower cybersecurity professionals to perform their jobs without fear of prosecution.