The government has finally published its long-awaited response to its review of the Computer Misuse Act (CMA) of 1990 and opened a new consultation on proposed legislative changes, but has disappointed campaigners who want to see the law reformed to protect cyber security professionals from potential prosecution.
The CMA was introduced before the development of the cyber security industry, and, as it stands, criminalises the act of unauthorised access to a computer, which cyber professionals fear puts them at risk of falling foul of the law simply for doing their jobs.
In its response, the government said this problem was one of the main issues raised during the review of the CMA, and that while it had “carefully considered” proposals to introduce statutory defences for various hacking practices, further work is required to consider options, and the risks and benefits associated with doing so.
CyberUp campaign spokesman Ollie Whitehouse said: “More than 21 months since the government announced its review of the Computer Misuse Act, this is a response that is light on delivery. Cyber crime is endemic across the UK. We need urgency and pace – not for these issues to be kicked into the long grass.
“We welcome that the government has acknowledged that there is a problem with legitimate cyber security activity being constrained by the UK’s outdated cyber laws; 66% of respondents to its consultation agreed on this point. And yet [the] announcement lacks concrete action, leaving the UK way behind other nations.”
Whitehouse said the campaigners understood the complexity of the issue and agreed that reforms need careful consideration, but lamented the lack of progress since the government put the issue on the table nearly two years ago.
“We simply cannot wait another two years for reform – it is too important for the UK’s enhanced protection in cyber space, not to mention its future prosperity,” he said.
“It is essential that the government lay out a clear timetable and plan for the next steps, to ensure there are no more delays. CyberUp – with our coalition of parliamentary and industry supporters – has been an important part of the debate over the last four years, and we will continue to work with the government to get this right.”
Issues the government wants to consider further before introducing reforms to the law include safeguarding the UK’s ability to act against cyber criminals and other threat actors, and ensuring that any defences do not provide cover for offensive actions.
It also wants more time to consider the benefits that introducing defences could provide, acknowledging that a strong cyber security ecosystem is important to the overall resilience of the UK.
The government now wants to consider whether and what defences – including potentially non-legislative solutions – should be introduced in the context of how cyber pros can be supported and developed, considering what activity that may conflict with the CMA is legitimate for cyber pros to undertake, and what standards and training may need to be in place to guarantee they are qualified to do so. This work will be taken forward as part of Westminster’s wider work to improve the UK’s national cyber security posture.
Wider consultation
The wider consultation – which will run until April 2023 – will seek views on a number of proposed legislative changes to the CMA that the government believes it may be appropriate to make.
The first of these changes would see UK law enforcement agencies receive powers to take down and seize domain names and IP addresses being used by cyber criminals and threat actors – something that is done on a voluntary basis today by groups such as Action Fraud and the National Cyber Security Centre (NCSC).
The government believes formalising these arrangements would put UK agencies on a more equal footing with international partners, and enable better cooperation with foreign agencies such as the FBI in the US.
The second proposed change is to give the UK’s law enforcement agencies, as well as His Majesty’s Revenue and Customs (HMRC), the power to require the preservation of existing data by a data owner to prevent it from being deleted.
Currently, UK agencies can only request data to be preserved on a voluntary basis, an arrangement that works well enough in most circumstances, but the government says it sees benefits in formalising this, particularly given the growing number of legal cases that require electronic evidence.
The new powers would not give law enforcement the ability to seize data, rather to allow it to assess if the data is relevant to an investigation. They would also cover requests from overseas agencies.
The third and final proposed change is to create a new offence of possessing or using illegally obtained data. The CMA covers unauthorised access to data, but not its removal or copying, and creating a new offence would seal off a loophole which makes it difficult to take action against someone possessing or using data obtained through a CMA offence, for example where the person who now possesses the data did not actually commit the CMA offence.
The government is concerned it is not possible to charge that person with theft or handling stolen property because theft is defined as “permanently depriving” the original owner of their property, whereas most instances of data theft involve copying it.
The consultation will also consider two other areas where the CMA may usefully be reformed. The first of these areas is the consideration of firming up extra-territorial provisions in the CMA to establish clearer jurisdiction when offences don’t necessarily take place in England and Wales.
The government hopes this could eliminate some grey areas, as well as potentially giving the justice system the ability to prosecute for all aspects of cyber criminal activity in the UK rather than restricting prosecution to activity where a “significant link” can be proved. This could be important where an individual is located in a jurisdiction, such as Russia, that won’t investigate or prosecute.
The other area under consideration is the possibility of revising sentencing guidelines for cyber criminal activity as some stakeholders had suggested that the maximum existing penalties – up to 12 months in prison on a summary conviction, two years on indictment, or a fine or both – under the CMA were not necessarily much of a deterrent, and the courts are not currently issuing maximum sentences.
The government also wants to address issues such as distinguishing genuine criminality from script kiddies messing around, and the frequent occurrence of neurodiverse offenders, which introduces questions of vulnerability and safeguarding, and proportionate sentencing.
“Cyber crime threatens our citizens, businesses and government. State actors and criminals, at all levels of complexity and with varying intent are targeting homes and businesses across the UK,” wrote security minister Tom Tugendhat in a foreword to the consultation announcement.
“These are complex issues, and therefore the Home Office will lead a programme to bring stakeholders together to identify how these issues should be addressed to ensure that the UK’s cyber security can counter the risks posed by state threats and criminals.”