The CyberUp coalition, a group of businesses, trade associations, non-governmental organisations (NGOs) and lawyers drawn from across the cyber security community have called on the incoming prime minister Liz Truss to quickly push through long-awaited reforms to the Computer Misuse Act (CMA) of 1990.
The campaigners argue that the CMA is out of date and, as its wording currently stands, prevents cyber security professionals and hackers from being able to defend UK organisations from cyber attacks without risking prosecution for unauthorised access to a computer.
In a letter to Truss, who won the race to become Conservative leader and therefore prime minister on Monday, the campaigners said the CMA is stifling the security industry and called on her to reform it posthaste, “so that the UK’s ethical cyber security professionals can contribute to defending the UK from cyber threats, free from the fear of prosecution.”
The government promised reform in 2021, but this process has stalled in the Home Office, which has yet to provide any response to the views it received during an information-gathering exercise, although the campaigners say that through a freedom of information (FoI) request they have been able to establish that 66% of respondents to the review were concerned that the existing CMA does not sufficiently protect legitimate cyber activity.
The campaigners are further making the case for reform based on the ongoing cyber threat posed by Russia. They told Truss: “You will, of course, be all too aware of the increased cyber threat posed by our adversaries, not least following Russia’s invasion of Ukraine. We believe this strengthens the case for prioritising efforts to reform the Computer Misuse Act to include a statutory defence.”
They added: “You lead a government that is already investing millions of pounds to foster a constructive business environment for technology companies. Given this, it would seem remiss not to take the opportunity of this revenue-neutral step towards doing just that. A statutory defence in the Computer Misuse Act would mark the UK out in having a world-leading cyber crime regime and foster investment in what is already a high-growth sector.”
Former National Cyber Security Centre (NCSC) CEO Ciaran Martin, who is among a number of prominent community names to have put their signatures to the letter, said: “I do think the [Computer Misuse] Act is having a chilling effect on the community of researchers. Hacking is not a bad word and there are highly ethical ways to develop expertise in this area, and you certainly don’t want people trembling with fear that they might be violating the criminal law.”
NCC Group CTO Ollie Whitehouse added: “With the cyber threats facing the UK ever increasing, now is the time for the government to reform our pre-internet era law to include a statutory defence. Doing so will unleash the full reservoir of talent in the UK cyber security industry in service of our collective national cyber defence.
“The government reviewed the legislation last May, [and] beyond holding statements no material updates have been provided since. With a new administration soon to assume office, I would strongly encourage ministers to push forward with the reforms and make us all safer.”