A second attempt in as many months to reform the outdated Computer Misuse Act (CMA) of 1990 to provide legal protections for cyber security professionals and ethical hackers who fear prosecution under the vague offence of “unauthorised access to a computer” has been knocked back in the House of Lords by former government chief scientific adviser turned minister for science, research and innovation Patrick Vallance.
Two amendments proposed by Chris Holmes and Tim Clement-Jones to the Data (Access and Use) Bill would address this by amending the CMA in such a way that legitimate cyber pros can prove their actions were “necessary for the detection or prevention of crime” or “justified as being in the public interest”.
Despite strong support from other members of the House of Lords, a previous attempt to introduce these amendments in December 2024 stalled, with the government arguing they were premature.
Speaking on Tuesday 28 January, Holmes said: “It [the CMA] was put into statute at a time when technology looked nothing like it did 10 or 20 years ago, never mind today.
“The Computer Misuse Act constrains the sector from keeping us as safe as it might and constrains businesses in terms of their growth and what they could be adding today to our economy… There is no reason for us to continue with the Computer Misuse Act when we have the solution in our hands.”
No defence for the ‘good guys’
Speaking in support of Holmes’ amendments, Merlin Hay, Earl of Erroll, said that during the CMA’s passage in 1990, similar concerns had been expressed but that the government had dismissed them.
“We were always deeply unhappy about it but had to go along with it because we had to have something; otherwise, we could not do anything about hacking tools being freely available,” said Hay.
“We ended up with a rather odd situation where there is no defence against being a good guy. This is a very sensible amendment to clean up an anomaly that has been sitting in our law for a long time and should probably have been cleaned up a long time ago.”
In his assessment, Vallance – who as chief scientific adviser made similar recommendations in a review on pro-innovation tech regulation, which were accepted at the time – said that his recommendations were still in play as part of an ongoing review of the CMA, but that the issues around reform were highly complex.
“Our engagement with stakeholders has revealed differing views, even among industry. While some industry partners highlight… that the Computer Misuse Act may prevent legitimate public interest activity, others have concerns about the unintended consequences. Law enforcement has considerable concerns that allowing unauthorised access to systems under the pretext of identifying vulnerabilities could be exploited by cyber criminals,” said Vallance.
“Without robust safeguards and oversight, this amendment could significantly hinder investigations and place a burden on law enforcement partners to establish whether a person’s actions were in the public interest.
“The introduction of these specific amendments could unintentionally pose more risk to the UK’s cyber security, not least by inadvertently creating a loophole for cyber criminals to exploit to defend themselves against a prosecution.”
Vallance said that the government would continue to work with industry, law enforcement and the National Cyber Security Centre (NCSC), and that an update would be provided “in due course”.
Andrew Jones, strategy director at the Cyber Scheme and spokesperson for the CyberUp Campaign – which has been arguing for reform for years – said: “While we appreciate the government’s efforts to ensure it handles updating the Computer Misuse Act correctly, we are somewhat disappointed that another opportunity to protect our cyber security professionals and strengthen the UK’s defences has been missed.
“The Computer Misuse Act is a relic of the 20th century, inadvertently criminalising critical research conducted by UK cyber security professionals to support national cyber defence operations, law enforcement, intelligence agencies and critical national infrastructure operators. This leaves the UK increasingly vulnerable to sophisticated and disruptive cyber threats. As the US and EU move to safeguard ethical cyber security work as a cornerstone of national resilience, the UK cannot afford to lag behind.
“Urgent action is needed. The statutory defence proposed – drafted in consultation with industry and legal experts – offers a practical, proportionate and robust solution that would protect legitimate cyber security professionals, support HMG intent on a responsible future for AI, strengthen UK cyber defences and reinforce its place as a cyber security leader.
“We remain fully prepared to work with the government to help implement this necessary change in the future, as soon as it is ready to act.”