Government peer tells The Daily Swig that legislators should aim to future-proof UK cybercrime laws
The UK’s legislative framework for prosecuting cybercriminals dates back to a time when just 0.5% of the UK population had internet access.
Enacted in 1990, the Computer Misuse Act (CMA) criminalized “unauthorised access” to computers following the acquittal of a hacker duo charged after finding and reporting a security vulnerability in a text-based computer system.
Thirty-one years later and today’s security researchers and threat intelligence experts are still uncertain about the legality of their crucial work.
‘Chilling effect’
Four in five UK cybersecurity professionals said they were worried about breaking the law because the CMA lacked ‘public interest’ provisions, according to a 2020 survey by a campaign group that is lobbying for reform.
Led by NCC Group, the CyberUp campaign is supported by UK technology association techUK, the Confederation of Business Industry (CBI), and infosec firms including Nettitude, F-Secure, and Digital Shadows.
BACKGROUND Most UK cybersecurity pros fear breaking the law by simply doing their jobs
CyberUp gained another prominent supporter last month when Lord Chris Holmes of Richmond CBE, a member of the UK’s upper legislative chamber, the House of Lords, called for an overhaul of the “archaic” legislation on his blog.
“There’s a chilling effect right now,” the Conservative peer tells The Daily Swig. “Imagine [being a cybersecurity professional], knowing that individuals, our critical national infrastructure, our economy, our society could be far better protected, but for want of updating an old piece of legislation.”
‘Significantly out of date’
Lord Holmes, Britain’s most successful Paralympic swimmer with nine gold medals, is abreast of the dizzying pace of technological change through his role on House of Lords Select Committees and All-Party Parliamentary Groups on blockchain, AI, digital skills, and the fourth industrial revolution, among other tech topics.
“The Computer Misuse Act was constructed in such a very different time” and “is now significantly out of date”, Lord Holmes says. The legislation needs updating to ensure “our statute book is fit for the world in which we are currently living, transacting and working”.
And the urgency of change has never been greater, he adds, given “probably at no other time in our history have we faced such significant threat”.
Catch up on the latest UK cybersecurity news
To illustrate his point, the pandemic has seen a surge in online fraud and ransomware attacks, and a series of supply chain attacks that impact numerous organizations and applications via single, vulnerable software components.
To make matters worse, cybercrime gangs are often backed by the resources of nation states.
Within this fraught context, cybersecurity professionals are operating “with one hand tied behind their backs”, according to Ollie Whitehouse, CTO of NCC Group, which leads the CyberUp campaign.
‘Clear, effective solutions’
Lord Holmes said he believes the CyberUp campaign is an effective vehicle for change because it has “clearly identified very clear, effective, and easy to bring about solutions” that would empower infosec professionals to “do their vital work”.
These include public interest provisions that would free cybersecurity professionals from the risk of prosecution when probing hardware, applications, and networks for security vulnerabilities.
Currently, “you’re either authorized or you’re not”, Whitehouse has previously told The Daily Swig.
However, Whitehouse also warned that legislators must beware of giving cybercriminals wriggle room to “use the statuary defences as a way of getting out [of trouble]”.
Future-proofing
Lord Holmes highlights another challenge: future-proofing the legislation to the degree that it is feasible.
“There’s a need to have legislation which not only reflects the modern world, but has the ability – as much as it’s possible – to look forward, and, provide in a rightly understood, rightly permissive structuring” – legislation that enables professionals to “operate in the world, not just as it is, but also as it will be, as technology races on at an exponential pace”.
CyberUp also proposes the creation of an accreditation scheme for cybersecurity providers, “individually applicable” ethical codes of conduct, “a commitment to maintain and share auditable logs of all activities, and an obligation to pass on all intelligence and information to the appropriate authorities”.
READ MORE The UK’s Computer Misuse Act is ‘crying out for reform’
In January 2020, another CyberUp supporter, the cross-sector lobbying group Criminal Law Reform network (CLRNN), published a report calling for more nuanced sentencing guidelines and noting that the CMA lacked definitions for terms such as ‘computer’, ‘data’, and ‘program’.
The CyberUp campaign also estimates that fit-for-purpose legislation could create 6,400 jobs and £1.6 billion in additional revenue.
Its 2020 survey also found that 91% of UK infosec professionals felt they were at a competitive disadvantage compared to counterparts in countries with superior legal regimes – the CMA, for example, somewhat restricts UK firms from developing hacking tools like the US-built IoT search engine Shodan.
However for its part, the US Computer Fraud and Abuse Act (CFAA), which was passed in 1986, is nevertheless under fire for similar reasons, while 13% of 154 countries have no cybercrime legislation at all, according to figures from the United Nations Conference on Trade and Development (UNCTAD).
‘Push for legislative change’
The UK government has been more active on other fronts, putting cybersecurity at the heart of a recently unveiled defense, security, and foreign policy review, and creating a unified command – the ‘National Cyber Force’ – for its cybersecurity defenses.
Lord Holmes believes the UK government has “done a good job with cyber” and hails the contribution of the private infosec sector and “the brilliant work done at GCHQ”.
However, he thinks “there needs to be a greater understanding of this specific issue and the pressing need” for change.
In lobbying for this change, the CyberUp campaign has “effectively stated what needs to be done” and built a broad base of support, he says.
The next stage, he suggests, should be about raising awareness “beyond cyber professionals and the technology sector”, across society and parliament, “to get that weight of support to push for legislative change”.
Lord Holmes says that he believes CyberUp should benefit “every single citizen in this country”, adding: “We all need to be become ‘cyber-uppers’.”
READ MORE Explainer: What does the UK’s Integrated Review mean for cybersecurity?