
Vallance rejects latest charge to reform UK hacking laws

Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit

A second attempt in as many months to reform the outdated Computer Misuse Act (CMA) of 1990 to provide legal protections for cyber security professionals and ethical hackers who fear prosecution under the vague offence of “unauthorised access to a computer” has been knocked back in the House of Lords by former government chief scientific adviser turned minister for science, research and innovation Patrick Vallance.

Two amendments proposed by Chris Holmes and Tim Clement-Jones to the Data (Access and Use) Bill would address this by amending the CMA in such a way that legitimate cyber pros can prove their actions were “necessary for the detection or prevention of crime” or “justified as being in the public interest”.

Despite strong support from other members of the House of Lords, a previous attempt to introduce these amendments in December 2024 stalled with the government arguing they were premature.

Speaking on Tuesday 28 January, Holmes said: “It [the CMA] was put into statute at a time when technology looked nothing like it did 10 or 20 years ago, never mind today.

“The Computer Misuse Act constrains the sector from keeping us as safe as it might and constrains businesses in terms of their growth and what they could be adding today to our economy…There is no reason for us to continue with the Computer Misuse Act when we have the solution in our hands.”

No defence for the ‘good guys’

Speaking in support of Holmes’ amendments, Merlin Hey, Earl of Erroll, said that during the CMA’s passage in 1990, similar concerns had been expressed but that the government had dismissed them.

“We were always deeply unhappy about it but had to go along with it because we had to have something; otherwise, we could not do anything about hacking tools being freely available,” said Hey.

“We ended up with a rather odd situation where there is no defence against being a good guy. This is a very sensible amendment to clean up an anomaly that has been sitting in our law for a long time and should probably have been cleaned up a long time ago.”

In his assessment, Vallance – who as chief scientific adviser made similar recommendations in a review on pro-innovation tech regulation, which were accepted at the time – said that his recommendations were still in play as part of an ongoing review of the CMA, but that the issues around reform were highly complex.

“Our engagement with stakeholders has revealed differing views, even among industry. While some industry partners highlight…that the Computer Misuse Act may prevent legitimate public interest activity, others have concerns about the unintended consequences. Law enforcement has considerable concerns that allowing unauthorised access to systems under the pretext of identifying vulnerabilities could be exploited by cyber criminals,” said Vallance.

“Without robust safeguards and oversight, this amendment could significantly hinder investigations and place a burden on law enforcement partners to establish whether a person’s actions were in the public interest.

“The introduction of these specific amendments could unintentionally pose more risk to the UK’s cyber security, not least by inadvertently creating a loophole for cyber criminals to exploit to defend themselves against a prosecution.”

Vallance said that the government would continue to work with industry, law enforcement and the National Cyber Security Centre (NCSC), and that an update would be provided “in due course”.

Andrew Jones, strategy director at the Cyber Scheme and spokesperson for the CyberUp Campaign – which has been arguing for reform for years – said: “While we appreciate the government’s efforts to ensure it handles updating the Computer Misuse Act correctly, we are somewhat disappointed that another opportunity to protect our cyber security professionals and strengthen the UK’s defences has been missed.

“The Computer Misuse Act is a relic of the 20th century, inadvertently criminalising critical research conducted by UK cyber security professionals to support national cyber defence operations, law enforcement, intelligence agencies and critical national infrastructure operators. This leaves the UK increasingly vulnerable to sophisticated and disruptive cyber threats. As the US and EU move to safeguard ethical cyber security work as a cornerstone of national resilience, the UK cannot afford to lag behind.

“Urgent action is needed. The statutory defence proposed – drafted in consultation with industry and legal experts – offers a practical, proportionate and robust solution that would protect legitimate cyber security professionals, support HMG intent on a responsible future for AI, strengthen UK cyber defences and reinforce its place as a cyber security leader.

“We remain fully prepared to work with the government to help implement this necessary change in the future, as soon as it is ready to act.”

Timeline: Computer Misuse Act reform

  • January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
  • June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws.
  • November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
  • May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
  • June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
  • August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
  • September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
  • January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990.
  • February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
  • March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
  • November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
  • July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
  • July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
  • December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
  • December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee.
