WWW.COMPUTERWEEKLY.COM
Computer Misuse Act reform gains traction in Parliament
Corgarashu - stock.adobe.comNewsComputer Misuse Act reform gains traction in ParliamentAn amendment to the proposed Data (Access and Use) Bill that will right a 35 year-old wrong and protect security professionals from criminalisation is to be debated at WestminsterByAlex Scroxton,Security EditorPublished: 13 Dec 2024 13:49 Cross-party parliamentarians will next week debate proposals that aim to fix a glaring flaw in the Computer Misuse Act of 1990 (CMA) as momentum gathers behind the need to reform the nearly 35 year-old law.An amendment to the proposed Data (Access and Use) Bill, led by Conservative peer Lord Holmes and Liberal Democrat peer Lord Clement-Jones, that will override outdated aspects of the CMA that inadvertently criminalise good faith, legitimate security activities, will now be debated in Committee on Wednesday 18 December.Created largely in response to a famous incident in which professional hackers and technology journalists broke into British Telecoms Prestel system in the mid-80s, the CMA received Royal Assent in June 1990, barely two months after Tim Berners-Lee and CERN made the world wide web publicly available for the first time.Although it has been frequently amended over the years to reflect the changing world of technology, the CMA still vaguely defines the offence of unauthorised access to a computer, which opponents have long argued inadvertently criminalises cyber security threat researchers and incident responders and forces ethical hackers to work with one hand tied behind their back out of fear of prosecution.According to the CyberUp campaign, which has been pushing for reform for years, the CMA could be costing the UK economy up to 3.5bn.The UKs outdated cyber laws are preventing our cyber security professionals from defending organisations effectively, Rob Dartnall, SecAlliance CEO, Crest UK chair, and CyberUp representative, told Computer Weekly.In no other sector do security professionals face risks of breaking the law for simply doing their jobs. Campaign research shows that nearly two-thirds of cyber professionals say the CMA hinders their ability to safeguard the UK an untenable situation as cyber threats grow.Holmes and Clement-Jones amendment proposes a statutory defence for researchers who can demonstrate either a reasonable belief that the IT system owner would have consented to their work, or that the activity was strictly necessary for the detection of cyber crime.This will give British cyber pros similar protections to those already in force in other European countries such as Belgium, Germany, France, Malta and the Netherlands, all of which have either recently updated their legal frameworks to address professional hacking, or already had more appropriate legal regimes.Dartnall said that change was vital to fostering a safe environment for researchers and allowing them to play a more effective role in safeguarding digital systems and data in the UK a need urgently highlighted by the National Cyber Security Centre (NCSC) in its recent Annual Review.We are delighted to see an amendment tabled that could bring the Computer Misuse Act into the 21st century by introducing a statutory defence. Updating this Act would represent a landmark moment for UK cyber security legislation, which is outdated when compared to the cyber threat landscape we face, he said.The last two years have seen unprecedented levels of critical vulnerabilities, ransomware breaches and third party system breaches, all of which have had a massive effect on peoples data privacy and the UKs economy.By introducing a statutory defence, the UK could protect legitimate cyber security professionals, strengthen its cyber defences, and reinforce its place as a cyber security leader. It is time we updated the law to fit with the digital age, added Dartnall. With support from across parliament, we believe this amendment could be a catalyst for a change that would better protect the country.Timeline: Computer Misuse Act reformJanuary 2020: Group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals andneeds reforming.June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reformthe UKs 30 year-old cyber crime laws.November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecutedjust for doing their jobs.May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updatedto reflect the changed online world.June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecutedin the course of their work.August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakersas they explore its reform.September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionalsfrom potential prosecution.January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign forreform to the Computer Misuse Act 1990.February 2023: Westminster has opened a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionalshave been left disappointed.March 2023: The deadline for submissions to the governments consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard,says Bugcrowds ethical hackers.November 2023: A group of activists who want to reform the UKs computer misuse laws to protect bona fide cyber professionals from prosecution have been left disappointed by a lack of legislative progress.July 2024: In the Cyber Security and Resilience Bill introduced in the Kings Speech, the UKs new government pledges to give regulators more teeth to ensure compliance with security best practiceand to mandate incident reporting.July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.In The Current Issue:CIO interview: Steve OConnor, Aston MartinNCSC boss calls for sustained vigilance in an aggressive worldDownload Current IssueData engineering - FlowX.ai: Orchestrating data pipelines for vertical AI agents CW Developer NetworkLooking ahead at long, mid and short term IT plans Cliff Saran's Enterprise blogView All Blogs
0 Comments 0 Shares 7 Views