All major political parties recognise the growing threat posed by computer misuse and the corresponding need to ensure an effective and co-ordinated cybersecurity regime. Computers are everywhere, from the control and coordination of our national infrastructure to our smartphones and home devises; and yet the principal criminal legislation (the Computer Misuse Act 1990) is both out of date in its content and conspicuously underused as a tool for prosecution. This year’s party manifestos recognise something of this problem, and they promise action.
The Conservative manifesto champions a new ‘cyber-crime force’, a strengthened National Crime Agency (NCA), and modernisation and training for police. Similarly, Labour focuses on training and investment for ‘modern’ cyber policing and reforming the NCA, as well as going further to suggest a review of the National Cyber Security Centre and the creation of a new Minister for Cybersecurity. The Liberal Democrat position, though perhaps more focused on the ethical dimension of new technologies, also recognises the need for investment in cyber policing.
Investment into the policing and prosecution of cybercrime is sorely needed. However, the rush to promise funds for increased policing only engages with part of the problem. Missing from each manifesto is an explicit pledge to reform current offences within the Computer Misuse Act 1990, and yet such reform is vital if the parties are to achieve their desired ends in terms of added security and safety online. The current legislation was created for a different time, and it approaches cyber offences through the blanket criminalisation of all ‘unauthorised’ access, supplemented with even broader provisions criminalising preparatory acts and the trading of equipment used for unauthorised computer access.
Overly broad offences of this kind result in perverse effects. Rather than providing tough regulation, non-culpable journalistic and academic research can be inadvertently criminalised; it has the same impact on the private cybersecurity operators that so many of us (including public bodies) rely upon for effective defence. In this manner, whereas cybersecurity operators from other jurisdictions can work freely in the public interest to police network defences, and to report cyber attack details to the public authorities, such activities in the UK are severely blunted (or are carried out under a cloud of potential prosecution).
The Criminal Law Reform Now Network is a group of leading practitioners and academics specialising in legal reform projects. The Network’s first report – Reforming the Computer Misuse Act 1990 - will be launched in Westminster on the 22nd January 2020 and available from the Criminal Law Reform Now Network website. The recommended reforms are simple and targeted, creating new public interest defences in line with other modern statutes, as well as clarifying advice on prosecution and sentencing. If the UK political parties are serious about investing in cyber defence, and we hope that they are, modernising the legal framework provides essential missing pieces to the puzzle.