UK cyber security legislation 'crying out for reform', new report finds

cyber-security-900px
Dr John Child says: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming."

A new report released today by the Criminal Law Reform Now Network (CLRNN) – a collaboration between academics, practitioners and other legal experts – finds the Computer Misuse Act 1990 (CMA) is “crying out for reform”.

The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.

But the CLRNN report, ‘Reforming the Computer Misuse Act’, details how the CMA is in fact compromising the UK’s cyber resilience by preventing cyber security professionals from carrying out threat intelligence research against cyber criminals and geo-political threat actors, leaving the UK’s critical national infrastructure at increased risk.

It also restricts journalists and academics from researching cyber threats in the public interest.

Barrister Simon McKay, a civil liberties and human rights law practitioner, member of CLRNN and project lead for the report, commented: “The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on. This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cybercrime.”

The reports’ recommendations include:

  • A range of measures to better tailor existing offences in line with the UK's international obligations and other modern legal systems, including new corporate offences.
  • New public interest defences to untie the hands of cyber threat intelligence professionals, academics and journalists to provide better protections against cyber-attacks and misuse, while ensuring consistency with overlapping offences within the Data Protection Act 2018.
  • A set of new targeted guidance for prosecutors, including the prosecution of young defendants, and calls for greater transparency regarding the use of PREVENT programmes by police.
  • The creation of new sentencing guidelines, and provides detail on their formation and function.

Dr John Child, Senior Lecturer in Criminal Law at the Birmingham Law School and co-director of CLRNN, says: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of  hackers and companies who benefit from their activities, whilst permitting responsible cyber security experts to do their job without fear of prosecution.”

Ollie Whitehouse, Global CTO at NCC Group and spokesperson for the CyberUp campaign, commented on the release of the report: “This report shines a welcome light on the UK’s outdated cyber security crime laws, which leave the cyber industry tackling one of the biggest threats facing our national security within a regime drawn up 30 years ago – when less than 0.5% of the world’s population had access to the internet.

“The government needs to take urgent action by updating and upgrading the Computer Misuse Act so our nation’s cyber defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs.

“In today’s uncertain international climate, the ability of cyber criminals and geo-political threat actors to disrupt our technology systems will only continue to grow. We must seize the opportunity to develop 21st century to allow the industry to flourish and make the country safer and more secure.”

Download the report

Notes to editors:

For more information or interviews, please contact: Hasan Salim Patel, Communications Manager (Arts, Law and Social Sciences), on +44 (0)121 415 8134 or contact the press office out of hours on +44 (0)7789 921 165.

About the University of Birmingham

  • The University of Birmingham is ranked amongst the world’s top 100 institutions, its work brings people from across the world to Birmingham, including researchers and teachers and more than 5,000 international students from over 150 countries.

Criminal Law Reform Now Network

  • Launched in 2017, the Criminal Law Reform Now Network (CLRNN) facilitates collaboration between academics and other legal experts to discuss, draft and disseminate comprehensible proposals for criminal law reform to the wider community. Our research contacts include members of the public and mainstream media as well as legal and industry professionals, police, policymakers, and politicians. The CLRNN is ready to consult with and make suggestions to anyone who has the power to bring about law reform. The CLRNN is supported by AHRC Network Grant funding. 

CyberUp

  • CyberUp is campaigning to reform the UK’s outdated Computer Misuse Act, to update and upgrade cyber crime legislation to protect our national security and promote international competitiveness. The campaign brings together a broad coalition of supporters across the UK cyber security sector and beyond.

NCC Group 

  • NCC Group exists to make the world safer and more secure. As global experts in cyber security and risk mitigation, NCC Group is trusted by over 15,000 clients worldwide to protect their most critical assets from the ever-changing threat landscape. With the company’s knowledge, experience and global footprint, it is best placed to help businesses identify, assess, mitigate and respond to the evolving cyber risks they face. To support its mission, NCC Group continually invests in research and innovation, and is passionate about developing the next generation of cyber scientists. With over 1,800 colleagues in 12 countries, NCC Group has a significant market presence in North America, continental Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia and Singapore. The report has been endorsed and launched with an industry-led campaign. Various stakeholders, including global cyber and risk mitigation experts, NCC Group, have contributed their views during the formation of the report, making a business (as well as legal) case for reform.