Security pros fear prosecution under outdated UK laws

An overwhelming 80% majority of cyber security professionals currently active in the UK fear they may be breaking the law simply by going about their work in defending against cyber attacks thanks to the UK’s outdated laws, according to a new report produced by the CyberUp campaign and techUK.

CyberUp – a group consisting of a number of industry associations and cyber security suppliers – wants the Computer Misuse Act (CMA) of 1990 to be reformed because it has inadvertently criminalised common defensive techniques used by security professionals and is no longer fit for purpose.

For example, section one of the CMA forbids unauthorised access to any program or data held in any computer. Because defensive security activities often involve the scanning and interrogation of compromised systems – and one cannot seek consent from a cyber criminal to authorise access – a prosecutor could successfully argue that the defenders broke the law.

MP Ruth Edwards, who previously led on cyber security policy for techUK, said: “The Computer Misuse Act, though world-leading at the time of its introduction, was put on the statute book when 0.5% of the population used the internet. The digital world has changed beyond recognition, and this survey clearly shows that it is time for the Computer Misuse Act to adapt.

“This year has been dominated by a public health emergency – the coronavirus pandemic, but it has also brought our reliance on cyber security into stark relief. We have seen attempts to hack vaccine trials, misinformation campaigns linking 5G to coronavirus, a huge array of coronavirus-related scams, an increase in remote working and more services move online.

“Our reliance on safe and resilient digital technologies has never been greater. If ever there was going to be a time to prioritise the rapid modernisation of our cyber legislation, and review the Computer Misuse Act, it is now,” she said.

The study is the first piece of work to quantify and analyse the views of the wider security community in the UK on this issue, and the campaigners say they have found substantial concerns and confusion about the CMA that are hampering the UK’s cyber defences. They found evidence that at the height of Covid-19 pandemic related cyber attacks in the spring of 2020, some researchers were stopped from preventing harm to businesses and citizens because of a lack of certainty about their legal position.

More widely, it found that 91% of businesses felt the CMA left them at a competitive disadvantage relative to countries with better – or more permissive – legal regimes around cyber security. A similar number believed a change to the law would increase growth and productivity. The campaign estimated that if averaged across the latest figures for revenue and employment in the security sector, changing the law could benefit UK businesses to the tune of £1.6bn, and even create new jobs.

Ed Parsons, managing director at F-Secure Consulting and spokesperson for the CyberUp campaign, said: “The survey findings highlight that many cyber security professionals, at present, are having to carry out their jobs with one hand tied behind their back in order to stay within the law. Reform of the CMA will make the UK cyber security industry more competitive and more attractive to work in at a time when cyber skills are in short supply and in high demand.

“Meanwhile, the current pandemic has not only underlined our dependence on digital technology, but also accelerated shifts in enterprise architecture, increasing the complexity of the environments we need to protect. Now more than ever, we need clear legal definitions to ensure that cyber security professionals who reasonably believe they have authorisation to act can legitimately do so.”

Julian David, techUK CEO, said the study’s findings corroborated what his members were telling him – that it is holding business back.

“As government develops its next National Cyber Security Strategy and continues to strongly invest in the sector, ensuring we develop the right legal framework for cyber security companies is an essential component of our future success,” he said.