The government is to begin work on reforming the 31-year-old Computer Misuse Act (CMA) of 1990, and has set out plans to launch a consultation to gather input and guidance from stakeholders later in 2021.
Speaking at the National Cyber Security Centre’s (NCSC’s) ongoing CyberUK 2021 virtual event, home secretary Priti Patel said that the CMA had proven an effective piece of legislation to tackle unauthorised access to computer systems, and had been updated a number of times to take account of technological changes, such as the growth in cyber and cyber-enabled crime.
“As part of ensuring that we have the right tools and mechanisms to detect, disrupt and deter our adversaries, I believe now is the right time to undertake a formal review of the Computer Misuse Act,” said Patel.
“Today, I’m announcing we will be launching a call for information on the Act this year. I urge you all to provide your open and honest views on ensuring that our legislation and powers, continue to meet the challenges posed by threats in cyber space.”
For some time, campaigners have been clamouring for CMA reforms to be introduced, saying that as the law currently stands it technically risks criminalising legitimate cyber security professionals going about their day-to-day jobs. This is because it makes it an offence to access or modify data on a computer without authorisation.
A January 2020 report from the Criminal Law Reform Now Network (CLRNN) called on the government to change the law. The report urged the government to bring in measures to tailor existing offences in line with the UK’s international obligations and modern legal systems, including corporate offences; new public interest defences and protections for ethical hackers and journalists that remain consistent with overlapping offences covered by the Data Protection Act of 2018; new guidance for prosecutors, including the prosecution of young defendants, and more transparency around the use of the Prevent programme; and new sentencing guidelines.
Speaking at the time, CLRNN co-director John Child, a senior lecturer in criminal law, said: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies that benefit from their activities, while permitting responsible cyber security experts to do their job without fear of prosecution.”
A further study produced by the CyberUp campaign, which also wants the CMA rewritten for the 2020s, found that 80% of cyber security pros operating in the UK feared accidentally running afoul of the law.
MP Ruth Edwards, a former cyber security lead at techUK, said: “The Computer Misuse Act, though world-leading at the time of its introduction, was put on the statute book when 0.5% of the population used the internet. The digital world has changed beyond recognition, and this survey clearly shows that it is time for the Computer Misuse Act to adapt.
“Our reliance on safe and resilient digital technologies has never been greater. If ever there was going to be a time to prioritise the rapid modernisation of our cyber legislation, and review the Computer Misuse Act, it is now,” she said.
In her speech, the home secretary had high praise for the work of the UK’s cyber security professionals, stating: “The efforts of the NCSC and the work that you all do to protect our country in the cyber space are simply outstanding.
“These efforts may not always be front page news, but in my role, I know what you do here is at the forefront of defending our nation and keeping our people safe.”