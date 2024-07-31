stokkete - stock.adobe.com
Campaigners call for evidence to reform UK's cyber laws
The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber pros to share their views on how the outdated law hinders legitimate work
The CyberUp Campaign, a group calling for urgent reform to the Computer Misuse Act of 1990, has launched a fresh consultation inviting security professionals and researchers to take part in a wide-ranging survey seeking views on the 34 year-old law’s impact on their work.
CyberUp argues that the CMA is risibly out of date – it was written only months after Sir Tim Berners-Lee first proposed the concept of the worldwide web – and that the wording of key clauses relating to unauthorised access to computer systems risks criminalising legitimate security pros and ethical hackers from being able to defend organisations. To do so, they say, potentially risks prosecution.
The campaigners first came together in early 2020 on the eve of the Covid-19 pandemic to call on Boris Johnson to address their concerns, and by May of 2021 their work had secured commitments from the then home secretary Priti Patel to begin a consultation on the issue.
However, this process stalled and became lost in the political melee, and by 2023, with Johnson and his successor Liz Truss consigned to history, the campaign had advanced no further in its aims. Another consultation did take place in 2023 and was widely welcomed, but little ultimately came of it.
The campaigners said that in opening a new study they hoped that the new Labour government would listen to clear, up-to-date and indisputable evidence to change the law.
“This is a pivotal moment for the cyber security industry: the new government has just introduced a very welcome Cyber Security and Resilience Bill in the King’s Speech – the first time ever that ‘cyber’ has been mentioned in any primary legislation – which presents an opportune moment for a legislative update to the CMA in the near future,” they said.
“Launching the survey now enables the campaign to demonstrate the potentially restrictive impact of outdated cyber crime legislation on the growth and investment of the UK’s cyber security sector, as well as its effect on cyber defensive activities conducted domestically.”
The survey should take about 10 minutes to complete and the campaigners have said that due to the sensitive nature of responses they may receive, all information contained in the final cut will be fully anonymised.
“This is an excellent opportunity to capitalise on the legislative momentum the campaign and the wider sector have generated over several years to update the Computer Misuse Act,” they said.
What do cyber pros really think?
The CyberUp campaigners include representatives from leading cyber firms including WithSecure, McAfee, NCC Group and Trend Micro, and is backed by security accreditation body Crest, and techUK as well.
Previous studies conducted by the group have revealed revealed broad consensus across the industry that reform is needed.
The last time such an exercise was conducted in 2023, security pros spoke of the “chilling” effect of the CMA on Britain’s cyber defenders, with 60% believing it acted as a barrier to working effectively, and 80% believing it put the UK at a competitive disadvantage on the world stage.
CyberUp estimates that out of nearly 2,000 active cyber security firms located in the UK, almost 600 have experienced an economic loss due to not being able to work effectively, which the campaign says risks £3bn of the £10.5bn annual sales made by the sector.
Additionally, it believes that over 16,800 security professionals have actually left the UK over the years to work in countries with more permissive laws.
With a fit-for-purpose regime that allows legitimate cyber security defensive and research work, whilst still ensuring malicious threat activity is appropriately sanctioned, the cyber resilience benefits delivered for the UK could be three times as great as they currently are, said the campaigners.
Computer Misuse Act reform: A lengthy process
- January 2020: Group of campaigners says the Computer Misuse Act of 1990 risks criminalising cyber security professionals and needs reforming.
- June 2020: The CyberUp coalition has written to Boris Johnson to urge him to reform the UK’s 30 year-old cyber crime laws.
- November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
- May 2021: Home secretary Priti Patel will explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
- June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
- August 2022: A study produced by the CyberUp campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
- September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber pros from potential prosecution.
- January 2023: Cyber accreditation association Crest International has lent its support to the CyberUp campaign for reform to the Computer Misuse Act of 1990.
- February 2023: Westminster has opened a new consultation on proposed reforms to the Computer Misuse Act of 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
- March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber pros need to make their voices heard, says Bugcrowd's ethical hackers.
- November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber pros from prosecution have been left disappointed by a lack of legislative progress
- July 2024: In the Cyber Security and Resilience Bill introduced in the King's Speech, the UK's new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.