
Computer Misuse Act reform is overdue - not all anniversaries should be celebrated

Let's not have any further anniversaries for the UK's outdated cyber security laws - the government has dragged its heels for too long and reform is urgently needed

Morrissey once famously sang, “I’ve come to wish you an unhappy birthday,” in the opening lyrics to The Smiths’ 1987 album track of that name.

It’s largely how I felt about the Computer Misuse Act (CMA) last August when it reached its 35th birthday - a law well past due an overhaul, not just out of date but downright dangerous.

It is why I have been working with colleagues for well over a decade to try to persuade successive governments to make the necessary changes our nation desperately needs.

Anyone working in cyber security will certainly not be new to this issue - even the government has been “reviewing” it since 2021. So, nothing new and yet still no change.

We are told that so-called smart glasses will really arrive in 2026 - we’ll see. Platforms proliferate, millions of devices have been connected, the iPhone arrived in 2007 - and yet the impact of all of this and more is still governed by a 1990 statute.

Protecting telephone exchanges

The CMA was originally drafted to protect telephone exchanges - even that sentence sounds quaint. At that time, only 0.5% of the UK had access to the internet. In the intervening period, has that 0.5% doubled, increased tenfold? Well, as we know, 98.7% of us are now online in the UK and yet the law remains unchanged.

This “out of dateness” should be reason enough for urgent change. More than this though, the CMA is not just dusty - it is doing real damage on a daily basis: damage to the cyber professionals who do so much to keep us safe, damage to our economy through cyber attacks, and, at the same time, it holds our cyber industry back.

Thus, no change is far worse than neutral - it does security, society and economy wide damage.

The UK is falling behind while global competitors are updating their cyber security frameworks to introduce clearer protections for good-faith cyber activity
Chris Holmes

Some stats to bring this to life - 37.66 million instances of cyber crime against UK businesses and charities since the government review into the CMA began in May 2021 (based on the government’s Cyber Security Breaches Survey 2025, published April 2025).

That self-same survey showed 43% of businesses and 30% of charities suffered a cyber breach or attack last year, with the total cost of cyber crime to the UK economy estimated to be £27bn per year. That’s £27bn each and every year since the government review began some five years ago.

Massive credit must be given to all those involved with the CyberUp campaign who have worked tirelessly for so many years on this matter.

Legal defence

It is for these reasons and more, that colleagues and I put down amendments to the Crime and Policing Bill, currently in the House of Lords. The clear intent of our work, as ever, is to provide a legal defence to legitimate cyber activities.

The CMA still governs UK cyber crime while inadvertently criminalising legitimate cyber security research, including critical vulnerability research and threat intelligence activities.

The purpose of seeking to introduce a statutory defence is to provide legal clarity and protection for ethical cyber security professionals undertaking legitimate vulnerability research and threat intelligence activities.

Provisions within the current draft of the Crime and Policing Bill introduce new powers to suspend domains and IP addresses used for criminal purposes. This is no bad thing, although it seems clear that these changes must also include a legal defence for legitimate cyber security researchers.

Without it, researchers risk legal action simply for responsibly reporting vulnerabilities. This foundational issue must be addressed as it continues to hold back the UK’s cyber security sector and weakens our national resilience.

The UK is falling behind while global competitors, such as the US, Germany and Belgium are updating their cyber security frameworks to introduce clearer protections for good-faith cyber activity.

This is not only a question of security, or of resilience - it goes to the very heart of the growth agenda.

Thriving sector

Our cyber industry represents a thriving frontier sector generating over £13bn in annual revenue and supporting more than 58,000 skilled jobs. If the UK is to succeed in any of its technology ambitions, our cyber professionals and industry are absolutely essential. Also, this change alone could add around £3bn to our country’s coffers.

In response to our amendments and debate, the minister confirmed that the Home Office is working with industry to refine its proposed approach to updating the CMA. This is positive and it is clear that work is going on. To seek some further clarity, I asked the minister whether the government is still undertaking the review or, is indeed reviewing the review? Answer came there none on that, though.


It is clear that the bill offers a real, right-now opportunity to make these proportionate, positive changes.

The bill’s provisions build on earlier measures carried over from the previous government’s Criminal Justice Bill 2023–24. During its passage in the Commons, then shadow minister for policing, Alex Norris, tabled amendments seeking to introduce a statutory defence to the CMA. The proposal was further supported by then shadow security minister, Dan Jarvis, who highlighted the broad consensus on the need for an urgent update to the CMA and urged action to modernise the legislation.

Encouragingly, since then, the government has taken positive steps. The Home Office is now actively engaging with industry on a clear plan for reform, including scoping concrete proposals to ensure legitimate cyber security researchers can operate within a transparent and supportive legal framework, while maintaining strong safeguards against misuse.

Similarly, at the Financial Times Cyber Resilience Summit last month, Dan Jarvis, now the security minister, announced that individuals who responsibly identify and disclose vulnerabilities will be protected from legal repercussions.

Willingness to modernise

The Crime and Policing Bill itself further demonstrates the government’s willingness to modernise the law in a balanced way. It introduces several new public interest defences for proposed offences covering the possession and provision of certain objects (such as child sexual abuse image generators, SIM farms and other specified articles) and particular kinds of conduct in particular contexts, which shows a thoughtful approach to proportionality and fairness.

Similarly, the decision to codify defences, rather than rely solely on prosecutorial discretion, provides greater legal certainty. The bill’s use of flexible “good reason” defences reflects an understanding that legitimate activities can occur in complex or rapidly evolving environments. Finally, the inclusion of evidential or reverse burdens of proof establishes a pragmatic mechanism to ensure accountability while allowing space for lawful and responsible conduct.

The development of clear public interest defences in this bill offers a valuable model for other areas of law, including the CMA. Extending a similar statutory defence to legitimate cyber security professionals would provide clarity, consistency, and confidence, ensuring their vital work in identifying and responsibly reporting vulnerabilities is fully supported.

We still await anything like “white smoke” on this issue and will continue to push the government when the bill comes back at report stage later this spring.

It’s more than time to act on this harmfully out-of-date law. Let’s not reach the point, in late August this year, where, at 36, we would have to wish it, once again, a very unhappy birthday.
