Computer Misuse Act ‘crying out for reform’

The Computer Misuse Act of 1990, which criminalises people who attempt to access or modify data on a computer without authorisation, is well past being due for an overhaul and may even be putting the UK’s cyber security resilience at risk, according to the Criminal Law Reform Now Network (CLRNN).

In a new report, Reforming the Computer Misuse Act, the group, which comprises academics, legal experts and practitioners, says the 30-year-old law is “crying out for reform”.

The CLRNN warned that the law could prevent security professionals from carrying out threat intelligence research against cyber criminals and state-backed threat actors, putting UK organisations and infrastructure at greater risk of compromise. It could also prevent journalists and academics from researching security threats in the legitimate public interest.

Simon McKay, project leader for the CLRNN, and in his day job a barrister specialising in civil liberties and human rights law, said: “The Computer Misuse Act needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on.

“This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cyber crime.”

CLRNN co-director John Child, senior lecturer in criminal law at the Birmingham Law School, added: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies that benefit from their activities, while permitting responsible cyber security experts to do their job without fear of prosecution.”

To this end, the report calls for: new measures to tailor existing offences in line with the UK’s international obligations and modern legal systems, including corporate offences; new public interest defences and protections to help white hats, journalists and others work freely, while ensuring consistency with overlapping offences covered by the Data Protection Act of 2018; new guidance for prosecutors, including the prosecution of young defendants, and more transparency around the use of the Prevent programme; and new sentencing guidelines.

Ollie Whitehouse, global CTO at NCC Group and a spokesperson for the CyberUp campaign, said the UK is leaving security professionals to tackle national security threats in the context of a legal regime drawn up 30 year ago, when less than 0.5% of the world’s population was online.

“The government needs to take urgent action by updating and upgrading the Computer Misuse Act so that our nation’s cyber defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs,” he said.

“In today’s uncertain international climate, the ability of cyber criminals and geopolitical threat actors to disrupt our technology systems will only continue to grow. We must seize the opportunity to develop 21st century legislation to allow the industry to flourish and make the country safer and more secure.”