BLOG: “Nobody is arguing against reform” – a summary of recent debates on reforming the UK’s Computer Misuse Act

The start of 2021 has seen the CyberUp Campaign pick up where we left off in 2020. Building on the momentum of having released the results of our survey on the views of cyber security professionals and businesses towards the Computer Misuse Act, the Campaign started this year by participating in two policy discussions about the future of the legislation: beyond being heartened by the quality of the debate and the insights we’ve gained, we also believe that it’s very promising indeed that panellists and participants agreed unanimously that reform is needed.  

The CyberUp Campaign was represented by Ollie Whitehouse, CTO of NCC Group. We provide a brief summary of the discussions for those who missed them:

SASIG webinar

Following, in their own words, the “huge demand to address this issue”, on 12th January, the Security Awareness Special Interest Group (SASIG) hosted a webinar titled ‘How do you solve a problem like the Computer Misuse Act?’.  Chaired by  Peter Yapp (Partner, Schillings), Ollie Whitehouse (Group CTO, NCC Group), Andrew Murray (Professor of Law, London School of Economics), and Stewart Room (Global Technology Sector Leader, DWP Law) shared their thoughts and proposed solutions.

Peter used his time to give a background of the origins of the Computer Misuse Act and its evolution (or lack thereof) since becoming law, and touched on some of the arguments as to why there are increasing calls for reform, including: the growing variety of threats over the last 30 years, the Act’s failure to allow for recent innovations, and the lack of clear definitions and broad-brushed offences, making their application an exercise in subjective interpretation across a large grey area.

Andrew spoke to the history of the Computer Misuse Act as it relates to the issue of insider threats presented by an organisation’s employees, and the need to consider these scenarios in any reforms, and highlighted that, under the current Act, action, not intent matters, warning that the old laws were not suited to a modern context, and that the lack of defences risked a chilling effect.

Ollie gave a full-throated articulation of the CyberUp Campaign’s arguments for reform, including the commercial and national security cases for reform, using the example of honeypot techniques currently hampered by the Act to highlight that gaining explicit authorisation in 2021 is often not practicable.  Ollie was clear that we are campaigning to put statutory defences into the Act and  update the definition of some of the Act’s key provisions, to give  greater clarity to researchers.

In his remarks, Stewart made reference to an “inequality in arms” (a sense of impunity for the bad guys, limited ability for the good guys to respond), but offered some gentle push back, warning that reform would have to safeguard against the risk of bounty hunters who might exploit defences or exemptions to extort organisations on the security vulnerabilities they identified. He argued, too, that while the CPS is not, at present, prosecuting any cyber researchers, reliance on the good faith of prosecutors, was not a long-term solution.

Ultimately, despite justified notes of caution, the discussions did reveal a broad consensus for reform of the Computer Misuse Act, to make it a targeted and effective computer crime law fit for the modern age.

APPG on Cyber Security event

The SASIG discussions were echoed in the All-Party Parliamentary Group on Cyber Security event on Computer Misuse Act reform on 18 January.

The panel included Ollie Whitehouse, Daniel Cuthbert, who was previously prosecuted under the CMA, and now works as Head of Security for Santander, and Dr Robert Carolina, Lecturer in Cyber and Information Security at Royal Holloway University.

Ollie again made the CyberUp Case for reform, and was followed by Daniel who offered his own unique perspective on the Act. He highlighted that change was needed because the Act currently stopped people with good intent, with the lack of any legal safeguards resulting in UK cyber defenders “not doing as much as we could”, which, as Ollie added, also meant UK companies “buying in” information from outside the UK in defence of their systems and networks.

They were followed by Dr Carolina, who spoke on prosecution theory and history, including the CPS’s lack of appetite to try technical cases involving the Internet, and raised some challenges for reform, including how to distinguish legitimate cyber security and threat intelligence research, and illegitimate hacking, raising questions of licensing cyber security researchers with a “good person badge”.  Dr John Child, of the Criminal Law Reform Now Network, who the Campaign have worked closely with in the past, then offered some thoughts on how reform would need to be designed to achieve its aims.

As one of the attendees noted, while questions remained over how best to future proof the UK’s cyber laws beyond 2021, there was consensus over the ineffectiveness of the Computer Misuse Act in its current form, to the point that “nobody was arguing against reform”.

As a Campaign, we have been heartened by the engagement and understanding of the issues demonstrated across these policy discussions we were delighted to be part of. It bodes well for any government consultation on proposed reform, as and when that does finally see the light of day.