Security experts have penned an open letter to UK Prime Minister Boris Johnson urging that the Computer Misuse Act be modernised.
Enacted into law in 1990, the Computer Misuse Act (CMA) made it a criminal offence to access, modify or destroy data on a computer without permission. But experts claim that the law is “unfit for purpose” and is in need of major reforms to take into account modern cybersecurity threats and practices.
- Best antivirus: stay safer online with watertight virus protection
- VPN: add a layer of extra protection thanks to a virtual private network
- Latest: Nvidia patches 12 serious security flaws
The letter, published by the CyberUp Campaign (opens in new tab) and written by a coalition of businesses, organizations, academics, lawyers and think tanks, calls on the government to update the legislation 30 years after it entered the law books.
“In 1990, when the CMA became law, only 0.5 per cent of the UK population used the internet, and the concept of cybersecurity and threat-intelligence research did not yet exist,” they wrote.
“Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalises a large proportion of modern cyber defence practices.”
Bolstering national security
The experts warn that the current law “prevents thousands of UK threat-intelligence researchers from carrying out research to detect malicious cyber activity and prevent harm and disruption to organisations and citizens alike”.
They point out that Section 1 of the Act “prohibits the unauthorised access to any program or data held in any computer and has not kept pace with advances in technology”, making it harder for cybersecurity professionals to do their jobs and, as a result, putting the UK’s national security at risk.
“With the advent of modern threat-intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access,” they said.
“With less threat-intelligence research being carried out, the UK’s critical national infrastructure is left at an increased risk of cyberattacks from criminals and state actors.”
Urgent changes needed
As cyberattacks have continued to increase and become more complex, the signatories of the open letter believe that the UK Government needs to develop a new cyber regime.
They said: “Other countries -- like the U.S. and France -- have in place far more permissive regimes, which provide well-intentioned cybersecurity researchers with legal certainty while retaining the ability to prosecute those seeking to abuse the system.
“In addition, this creates an advantage for competing cybersecurity sectors, which could see the UK lose out on as many as 4,000 additional high-skilled jobs by 2023 without reform.
The letter concludes: “The government has committed to investing in the UK’s digital and technology credentials and, as we move beyond the pandemic, we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyberdefenders the tools they need to keep Britain safe.”