In the recent discussions on the Data Use and Access Bill in the House of Lords, I proposed two amendments aimed at updating the Computer Misuse Act (CMA) from 1990. I want to thank everyone involved with the CyberUp campaign for their invaluable insights and support.
We all know the CMA has its flaws. Despite the dramatic shifts in technology and society over the past thirty-four years—especially with the rise in cyber threats—the CMA hasn’t changed at all. It was crafted when only a fraction of the population used the internet, primarily to protect telephone exchanges. This was at a time when most people had never even heard of Prestel, an early online service that launched in 1979.
What I aim for with my amendments is straightforward: we need to empower cyber security professionals to effectively combat cyber criminals. Under current law, many legitimate activities in cyber security, such as vulnerability research, can border on illegal due to the way the CMA is written. This hampers essential initiatives to protect our national infrastructure from evolving cyber threats. While improving how we access data is a step forward, we equally need to modernize our cyber laws to safeguard both the data itself and the systems that support it.
Here’s how the amendments are laid out:
1. In section 17 of the Computer Misuse Act, we add safeguards so that if a person believes access would be consented to, it’s not criminalized.
2. In section 1, we establish that if actions are necessary for preventing crime or justified in the public interest, they can serve as a defense against charges.
The National Cyber Security Centre has pointed out the growing divide between the risks we face and our capacity to counter them. They stress that updating this old legislation is critical for bridging that gap.
Creating a legal defense will give ethical cyber security pros clarity and protection while they work on vulnerability research. This brings the UK in line with global best practices, especially compared to the efforts being made in the US and EU to protect ethical cyber work.
The scale of the issue is staggering: since May 2021, there have been nine million cyber crime incidents involving UK businesses and charities. Last year alone, half of all businesses and 32% of charities faced a cyber breach, with a projected £2.4 billion in revenue potential lost. CyberUp’s recent report shows that a significant proportion of industry professionals see the CMA as a barrier to their work; 60% indicated it hinders threat intelligence and vulnerability research, while 80% believe it puts the UK at a competitive disadvantage.
During my recent remarks, I asked the minister for an update on reforming the Computer Misuse Act and whether my amendments would ensure legal protection for researchers. The response? We have to wait. The government considers these amendments “premature” due to insufficient consensus from last year’s consultation, and there’s no timeline in sight for when this urgent issue will get addressed.
Public support is strong; two-thirds of UK adults are in favor of changing the law to allow cyber security professionals to conduct research aimed at preventing cyber attacks. Additionally, earlier this year, former chief scientific advisor Patrick Vallance endorsed amending the CMA to include a public interest defense for cyber security professionals.
Countries like France and the Netherlands are ahead of us on this front. Belgium, Germany, and Malta are also moving to amend their laws. It’s high time we pass these amendments and provide our cyber security professionals with the protection they need to safeguard all of us. It’s time to CyberUp.