Next week, lawmakers from various parties will come together to discuss important changes to the Computer Misuse Act of 1990. This law, nearly 35 years old, is in dire need of an update.
A proposed amendment to the Data (Access and Use) Bill, led by Conservative Lord Holmes and Liberal Democrat Lord Clement-Jones, aims to address outdated rules in the CMA that unintentionally criminalize ethical security work. The two peers will take the issue to Committee on Wednesday, December 18.
The CMA was created after hackers accessed British Telecom’s Prestel system in the mid-80s, and it was signed into law just two months after the web became public. While the CMA has seen changes over the years, its definition of “unauthorized access to a computer” remains vague. Many argue this loophole puts cybersecurity researchers and ethical hackers at risk of prosecution simply for doing their jobs.
The CyberUp campaign estimates the CMA is costing the UK economy about £3.5 billion. Rob Dartnall, the CEO of SecAlliance and a representative for CyberUp, expressed frustration. He noted that security pros in no other field face legal risks while performing their duties. Almost two-thirds of cybersecurity professionals say the CMA hampers their ability to protect the UK against rising cyber threats.
The amendment by Holmes and Clement-Jones would establish a legal defense for researchers who can show they believed the IT system owner would have consented to their work or that their actions were essential for identifying cybercrime. This would align UK protections with those in countries like Belgium, Germany, and France, where laws already support ethical hacking.
Dartnall emphasized that change is crucial for encouraging researchers to effectively safeguard digital systems in the UK, especially as the National Cyber Security Centre underscored the urgency of this need in its recent review.
He stated, “This amendment could modernize the Computer Misuse Act and introduce a legal defense for security professionals, addressing the challenges posed by today’s cyber threats.” Dartnall highlighted the surge in critical vulnerabilities and ransomware incidents in recent years, stressing the need to protect both privacy and the economy.
Introducing this legal defense could not only bolster the UK’s cybersecurity framework but also enhance its standing as a leader in the field. Dartnall concluded that with backing from across the political spectrum, this amendment could be a turning point for better protecting the nation.