The push to reform the outdated Computer Misuse Act (CMA) from 1990 has hit a snag again. Just a couple of months after the last attempt, Patrick Vallance, the former government chief scientific adviser and now the minister for science, research, and innovation, blocked two amendments aimed at protecting cyber security professionals and ethical hackers from prosecution. These amendments, proposed by Chris Holmes and Tim Clement-Jones as part of the Data (Access and Use) Bill, could have clarified when these professionals could demonstrate their actions were in the public interest or necessary for preventing crime.
Back in December 2024, a similar proposal faced resistance. The government claimed it was premature. Speaking recently, Holmes pointed out that the CMA is stuck in the past, designed at a time when technology was vastly different. He stressed that the act holds back the sector from enhancing our safety and limits business growth. “We have the solution in our hands,” he said, criticizing the outdated framework.
Earl of Erroll, who backed Holmes, recalled that concerns over the CMA were raised during its initial passage but were shrugged off by the government. He noted a glaring issue: the law doesn’t protect those acting for good. “This is a sensible amendment to fix a long-standing anomaly,” he said.
Vallance addressed these concerns by highlighting the complexity of any amendments. He mentioned that feedback from industry shows a split opinion—some argue the CMA hinders helpful public interest work, while others fear unintended consequences. Law enforcement is concerned that broadening access could be manipulated by cyber criminals. “Without proper oversight, this could complicate investigations,” Vallance warned.
He assured that the government will continue discussions with stakeholders, including law enforcement and the National Cyber Security Centre, promising an update later.
Andrew Jones, strategy director at the Cyber Scheme and a representative of the CyberUp Campaign, expressed disappointment over the missed opportunity. He called the CMA a relic, noting how it can unwittingly criminalize important research conducted by cyber security experts that aids national defense. As other regions fortify protections for ethical hacking, he argued that the UK risks falling behind.
Jones insisted on the urgency for reform, pushing for a statutory defense that aligns with industry insights and would safeguard legitimate practitioners. He expressed readiness to collaborate with the government whenever it’s set to move forward.