Cross-sector report demands changes to outdated cybercrime law

A cross-sector lobbying group is calling on the UK to reform its computer crime laws, legislation that its members say has failed to keep up with present demands of increasing connectivity.

In a report released today (January 22) by the Criminal Law Reform network (CLRNN), lobbyists said the UK’s Computer Misuse Act (CMA) was “crying out for reform” and failing to provide prosecutors with the tools needed to hold cybercrime activity to account.

The private cybersecurity sector also has its hands tied by counterproductive restrictions found in the CMA, which leave some white hat hackers fearing prosecution for simply doing their jobs.

“The role of the CMA 1990, like any criminal statute, is to accurately target and criminalise wrongful conduct; ensuring that legitimate and beneficial conduct (including research, enforcement and reasonable expression) is protected in the public interest,” the report states.

“We do not believe that the current law achieves this aim. Rather, overbroad offences (and a lack of defences) serve to criminalise or supress conduct in a manner that few if any would defend.”

‘Let the experts do their job’

Enacted in 1990, the CMA criminalizes ‘harmful’ activity conducted with a computer, inclusive of the very broad offenses of unauthorized access to computer material and unauthorized modification of that material.

The law has undergone some amendments over the years, such as adding denial-of-service (DoS) attacks as a clear offense and increasing the maximum sentencing.

But despite these modifications, the law has remained inadequate due to its purported inability to protect legitimate security research through its loose definition of “unauthorized access”, along with the potential criminalization of certain security testing tools.

“The legal case for reform of the Computer Misuse Act 1990 is overwhelming,” said Dr John Child, senior lecturer in criminal law at the University of Birmingham and co-director of CLRRN.

“Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies who benefit from their activities, whilst permitting responsible cybersecurity experts to do their job without fear of prosecution.”

Keeping up with the times

The CLRNN report builds a case for reforming the UK’s cybercrime legislation predominately by pointing to its slow take to the modern digital age, where the legislative definition of ‘computer’ has not kept pace with advancements in mobile or IoT sectors, nor indeed the ever-changing cybercrime world of fileless malware, ransomware, and phishing attacks.

The 30-year-old Computer Misuse Act is failing to keep up with the fast-paced world of cybercrime

“Nearly thirty years after its enactment, the CMA contains no definition section that seeks to explain what ‘computer’, ‘data’ and ‘program’ mean,” the report said.

Concerns of ‘over-criminalization’ and the potential criminal liability carried by legitimate security researchers is counteracted with the report’s suggestion of narrowing offenses to require demonstrable malicious intent.

This would include “removing the potential for recklessness”, the report said.

Strengthening defences in the CMA is another proposal outlined in the report, particularly as blue teams, penetration testers, and other security professionals often utilize the same digital tools as criminals in order to protect against illegitimate actions.

“We consider that the CMA should be amended to provide for a defence where it was necessary for a person to act in order to detect and/or prevent crime,” the report said.

Read more of the latest cybercrime news

Ollie Whitehouse, chief technology officer at NCC Group and non-executive director at The Daily Swig’s parent company, PortSwigger Web Security, has lobbied for change to the CMA alongside other infosec companies. He was a contributor to the CLRNN report.

“I think that [Shodan] is a good example of one of the bigger discrepancies between the UK and the US [laws] but similarly they [both] very clearly criminalize illegal hacking and the provide a way for legislators and law enforcement officials to prosecute under those,” said Whitehouse, speaking to The Daily Swig in September.

“The challenge for any reform is that everyone is anxious about are [if] you going to give the bad person a defense which they could use. They [criminals] are trained professionals, and they try to use the statuary defences of a way of getting out [of trouble].”

The report additionally provides tentative guidance for prosecutors and law enforcement in dealing with cybercrime suspects, who may very well be young offenders, or those on the autistic spectrum.

“Currently there seems to be reason to suppose such a link in the case of children between immaturity and computer offending, whether or not they are autistic or display autistic like traits,” the report said.

Fresh guidance needed

A clarification of responsibilities pertaining to police, the National Crime Agency, and Crown Prosecution Service, should also be made to enable better response to cybercrime and any proportionate repercussions.

The report adds: “New guidance should be issued for sentencers addressing how to draft preventative orders that effectively tackle CMA offending, providing examples of effective and proportionate prohibitions and requirements to courts who are unlikely to have significant expertise in this complex area.”

Civil financial penalties are also proposed to act alongside the CMA in convicting computer misuse offenses.

According to the UK’s Office for National Statistics (ONS), an approximate 4.5 million cybercrimes were committed in England and Wales in 2018 – 3.2 million of which were reported as fraud, and an approximate 1.2 million related to computer misuse.

There were a total of 169 convictions under the CMA between 2010 and 2015, as highlighted in Freedom of Information requests obtained by The Daily Swig.

The CLRNN report, ‘Reforming the Computer Misuse Act 1990’, was produced in collaboration with the NCC Group and CLRNN’s network of legal experts, policymakers, and law enforcement.

It was funded, in part, by the Arts and Humanities Research Council and can be read in full via the CLRNN website (non-HTTPS link).

YOU MIGHT ALSO LIKE Is it time to reform the Computer Misuse Act?