4 out of 5 cyber security professionals worry about breaking the law when defending UK, report finds


A new report released today by the CyberUp Campaign and techUK has found that the overwhelming majority of cyber security professionals (80 per cent) worry about breaking the law in the process of defending against cyber attacks. It is the first piece of work to quantify and analyse the views of the cyber security industry on this issue.

The Computer Misuse Act (1990) is the law that governs the activities of cyber security professionals in the UK. The Act was written in 1990 before the advent of modern cyber security. This report, based on a survey of businesses in the sector and individual cyber security researchers, finds concerns and confusion about the law are hampering the nation’s cyber defences by preventing cyber security professionals from doing their jobs.

The survey found a near-unanimous (93 per cent) belief that the Computer Misuse Act is not a piece of legislation fit for this century.

In the UK, the public and private sectors work closely together to defend the country in cyberspace. The National Cyber Security Centre (NCSC), the government agency for protecting against cyber crime and cyber threats, recently claimed in a disclosure about their efforts to thwart cyber threat actors during the pandemic that private sector firms they worked with had “made an indispensable contribution to [NCSC's] efforts to understand cyber threats and respond to incidents.”

Cyber crime is a widespread problem in the UK. In the last year for which data was available, there were 3,648,000 incidents of online fraud and 976,000 incidents of computer misuse. This is a total of 4,624,000 incidents of online crime. A different data set reveals 32 per cent of businesses reported cyber breaches or attacks in the last 12 months, and that £4,180 is the average annual cost for businesses that lost data or assets after breaches.

However, the CyberUp Campaign and techUK survey revealed that, in some cases, cyber security researchers were being stopped from preventing harm to businesses and citizens by the Computer Misuse Act. This arose out of both fear of breaking the law and a lack of certainty about what exactly constituted a breach.

Ruth Edwards MP, a former cyber security professional who contributed a foreword to the report, urged the government to immediately review the legislation. The report suggests a series of proposals for reform that would allow the law to take account of the motivations of ethical cyber security professionals, enabling them to operate with legal certainty and free from the fear of prosecution.

Unsurprisingly, the survey also found that the Computer Misuse Act is having a stifling effect on the UK cyber security industry, with 91 per cent of businesses feeling they had been put at a competitive disadvantage relative to other countries with better legal regimes. In addition, a similar number (90 per cent) indicated that a change in the law would lead to growth and productivity benefits for their organisation. When averaged across the latest figures for revenue and employment in the sector, a change in legislation would lead to an increase in revenue of £1.6 billion and 6,200 jobs.

Ruth Edwards MP commented: “The Computer Misuse Act, though world-leading at the time of its introduction, was put on the statute book when 0.5% of the population used the internet.

“The digital world has changed beyond recognition, and this survey clearly shows that it is time for the Computer Misuse Act to adapt.

“This year has been dominated by a public health emergency - the coronavirus pandemic, but it has also brought our reliance on cyber security into stark relief. We have seen attempts to hack vaccine trials, misinformation campaigns linking 5G to coronavirus, a huge array of coronavirus-related scams, an increase in remote working and more services move online.

“Our reliance on safe and resilient digital technologies has never been greater.

“If ever there was going to be a time to prioritise the rapid modernisation of our cyber legislation, and review the Computer Misuse Act, it is now.”

Ollie Whitehouse, CTO of NCC Group and spokesperson for the CyberUp Campaign, commented:

“This research and the resultant report significantly adds to the body of evidence suggesting that we must reform this outdated legislation to ensure the cyber resilience of the United Kingdom and its allies. Defending against cyber-attacks has shown the cyber industry-government partnership at its finest, but the Computer Misuse Act limits this kind of collaboration and constrains its full potential whilst undermining the economic opportunities for UK companies.”

Julian David, Chief Executive Officer, techUK, commented:

“These results correspond with what we hear from our cyber security members about the Computer Misuse Act – that it is holding their businesses back. As Government develops its next National Cyber Security Strategy and continues to strongly invest in the sector, ensuring we develop the right legal framework for cyber security companies is an essential component of our future success.”

Roxanne Morison, Head of Digital Policy, Confederation of British Industry, commented:

“The UK must remain at the cutting-edge of cyber resilience. The CBI is glad to support the CyberUp Campaign and backs carefully updating the legislation to reflect today’s threat ecosystem. These proposals will not only strengthen the UK’s dynamic cyber security sector, but would also ensure British business as a whole is more secure.”
