UK cyber security legislation ‘crying out for reform’, new report finds

A new report released by the Criminal Law Reform Now Network (CLRNN) – a collaboration between academics, practitioners and other legal experts – finds the Computer Misuse Act 1990 (CMA) is “crying out for reform”.

The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.

But the CLRNN report, ‘Reforming the Computer Misuse Act’, details how the CMA is in fact compromising the UK’s cyber resilience by preventing cyber security professionals from carrying out threat intelligence research against cyber criminals and geo-political threat actors, leaving the UK’s critical national infrastructure at increased risk.

It also restricts journalists and academics from researching cyber threats in the public interest.

Barrister Simon McKay, a civil liberties and human rights law practitioner, member of CLRNN and project lead for the report, commented: “The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on. This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cybercrime.”

The report’s recommendations include:

  • A range of measures to better tailor existing offences in line with the UK’s international obligations and other modern legal systems, including new corporate offences.
  • New public interest defences to untie the hands of cyber threat intelligence professionals, academics and journalists to provide better protections against cyber-attacks and misuse, while ensuring consistency with overlapping offences within the Data Protection Act 2018.
  • New targeted guidance for prosecutors, including on the prosecution of young defendants, and calls for greater transparency regarding the use of PREVENT programmes by police.
  • The creation of new sentencing guidelines, with detail on their formation and function.

Dr John Child, Senior Lecturer in Criminal Law at the Birmingham Law School and co-director of CLRNN, says: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies who benefit from their activities, whilst permitting responsible cyber security experts to do their job without fear of prosecution.”

Ollie Whitehouse, Global CTO at NCC Group and spokesperson for the CyberUp campaign, commented on the release of the report: “This report shines a welcome light on the UK’s outdated cyber security crime laws, which leave the cyber industry tackling one of the biggest threats facing our national security within a regime drawn up 30 years ago – when less than 0.5% of the world’s population had access to the internet.

“The government needs to take urgent action by updating and upgrading the Computer Misuse Act so our nation’s cyber defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs.

“In today’s uncertain international climate, the ability of cyber criminals and geo-political threat actors to disrupt our technology systems will only continue to grow. We must seize the opportunity to develop 21st century to allow the industry to flourish and make the country safer and more secure.”

The report, Reforming the Computer Misuse Act 1990, is also available online.