Security legislation, ransomware, and supply chain attacks top the agenda at this year’s CyberUK
UK Home Secretary Priti Patel has announced plans to review the country’s aging computer crime laws this year.
The review, announced during a ministerial address to the NCSC-organised CyberUK 2021 conference today (May 11), follows a long-running security industry campaign, spearheaded by the CyberUp initiative, to persuade the government to revisit the law.
“The Computer Misuse Act has proved to be an effective piece of legislation to tackle unauthorized access to computer systems, and it has been updated a number of times,” Patel said in a pre-recorded statement to CyberUK delegates.
“Alongside the Act there is also separate legislation that provides the powers for law enforcement agencies to investigate both cyber-dependent and cyber-enabled crimes.
“As part of ensuring that we have the right tools and mechanisms to detect, disrupt, and deter our adversaries, I believe now is the right time to undertake a formal review of the Computer Misuse Act.”
Patel said that the government would hold a consultation on the Computer Misuse Act this year, but gave no firm date or timescale.
Long overdue
The CyberUp Campaign, which is backed by the Confederation of British Industry (CBI) and tech industry trade body techUK, nonetheless described the planned consultation as a "long overdue step".
The Government’s review will ask academia, business, law enforcement agencies, the cybersecurity industry, and other interested parties about the Act, including whether current “protections in the CMA for legitimate cybersecurity activity provide adequate cover”.
Research conducted by the CyberUp Campaign and techUK has found that the vast majority of cybersecurity professionals (80%) worry about breaking the current law in the process of defending against cyber-attacks.
Ollie Whitehouse, CTO of NCC Group and spokesperson for the CyberUp Campaign, commented: “We welcome the Home Secretary’s announcement that the government has heeded our calls for a review into the Computer Misuse Act – this is a long overdue step for a piece of legislation that simply hasn’t kept pace with changes in technology."
During her speech, Patel warned of the threats posed by state-sponsored attackers, such as those behind the SolarWinds supply chain attack, and ransomware, among other threats.
The UK Home Secretary condemned the payment of ransoms to cybercriminals, arguing that paying does little to guarantee a successful outcome, does not protect networks against future attacks, and does not prevent data leaks.
“Paying a ransom is likely to encourage criminality [sic] to continue to use this approach,” Patel warned.
The Home Secretary urged organizations to be prepared and to liaise with law enforcement and government organizations such as the UK’s National Cyber Security Centre (NCSC).
Protecting the software supply chain
Earlier during CyberUK 2021, which took place online this year because of the Covid-19 pandemic, Sudhakar Ramakrishna, CEO of SolarWinds, spoke to Paul Chichester, NCSC director of operations, about lessons learned from the recent high-impact supply chain attack.
SolarWinds has adopted a secure-by-design approach in response to the incident, Ramakrishna said. This involves implementing measures such as least-privilege access and improved technical controls.
Chichester praised the move but asked what the incentive might be for more organizations to adopt worthwhile but costly secure-by-design programmes. Ramakrishna admitted this was still a work in progress.
Reflecting on this aspect of a larger discussion between Chichester and Ramakrishna, Dr Ian Levy, the NCSC’s technical director, noted that supply chain attacks have been known about since the Sendmail attack of 2002.
The danger posed by such incidents was illustrated by the NotPetya ransomware assault of 2017, which relied on a compromised update to a Ukrainian tax accounting package called ‘MeDoc’.
Adopting best practices in areas such as secure development can guard against such attacks, but the market provides no economic incentives for such measures, according to Dr Levy.
“We don’t buy software because someone has secured their CI/CD [continuous integration/continuous delivery] pipeline,” Dr Levy quipped.
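The MeDoc and SolarWinds incidents both turned a vendor's own update channel against its customers, which is why "securing the CI/CD pipeline" matters to the people who never see it. The example below is added here to illustrate the control that sits at the end of such a pipeline; it is not code from SolarWinds, the NCSC, or any product named in this article. It assumes a hypothetical release format in which the build pipeline signs a JSON manifest of artifact SHA-256 digests with an Ed25519 key, and the update client verifies that signature against a public key pinned at install time before trusting any downloaded file. Artifact names and contents are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest lists every artifact in a release with its SHA-256 digest. The
// build pipeline signs the JSON encoding of this structure; the update client
// verifies the signature against a pinned public key, so a file swapped out
// after the build (the NotPetya-style scenario) cannot pass as genuine.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // file name -> hex SHA-256 digest
}

// Release is what an update client downloads: the signed manifest plus the
// artifact bytes it describes.
type Release struct {
	ManifestJSON []byte
	Signature    []byte
	Artifacts    map[string][]byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NewSigningKey stands in for the vendor's release-signing key (hypothetical;
// in practice it would live in an HSM or signing service, not on a build host).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildRelease is the pipeline side: hash every artifact, write the manifest,
// and sign it. encoding/json emits map keys in sorted order, so the signed
// bytes are deterministic for a given set of artifacts.
func BuildRelease(priv ed25519.PrivateKey, version string, artifacts map[string][]byte) (Release, error) {
	m := Manifest{Version: version, Files: map[string]string{}}
	for name, data := range artifacts {
		m.Files[name] = sha256Hex(data)
	}
	mj, err := json.Marshal(m)
	if err != nil {
		return Release{}, err
	}
	return Release{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Artifacts: artifacts}, nil
}

// VerifyRelease is the client side. The signature is checked before the
// manifest is parsed or any artifact is trusted, so someone who can replace
// files on a download server but lacks the signing key gets nothing installed.
func VerifyRelease(pinned ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pinned, r.ManifestJSON, r.Signature) {
		return fmt.Errorf("manifest signature does not verify against pinned key")
	}
	var m Manifest
	if err := json.Unmarshal(r.ManifestJSON, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	for name, want := range m.Files {
		data, ok := r.Artifacts[name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest but missing from release", name)
		}
		if got := sha256Hex(data); got != want {
			return fmt.Errorf("artifact %q digest mismatch: manifest %s, downloaded %s", name, want, got)
		}
	}
	// Anything not covered by the signed manifest is unvetted and must not be installed.
	for name := range r.Artifacts {
		if _, ok := m.Files[name]; !ok {
			return fmt.Errorf("artifact %q present but not covered by the signed manifest", name)
		}
	}
	return nil
}

// Tamper returns a copy of the release in which one artifact was altered after
// signing (constructed sample of a compromised update file).
func Tamper(r Release, name string) Release {
	t := r
	t.Artifacts = map[string][]byte{}
	for n, d := range r.Artifacts {
		t.Artifacts[n] = append([]byte(nil), d...)
	}
	t.Artifacts[name] = append(t.Artifacts[name], []byte(" (modified)")...)
	return t
}

func main() {
	pub, priv := NewSigningKey()
	// Constructed sample artifacts; the names are placeholders, not real files.
	rel, err := BuildRelease(priv, "1.2.3", map[string][]byte{
		"updater.bin": []byte("genuine updater bytes"),
		"core.lib":    []byte("genuine core bytes"),
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine release:", VerifyRelease(pub, rel))
	fmt.Println("tampered release:", VerifyRelease(pub, Tamper(rel, "core.lib")))
}
```

The two checks are deliberately separate: the signature proves the manifest came from whoever holds the key, and the digests tie each file to that manifest. Neither alone is enough, and the order (signature first, then digests, then a sweep for unlisted files) is what keeps an attacker who controls only the distribution server from getting anything installed. What it cannot do is detect a build that was compromised before signing, which is the SolarWinds case and the reason pipeline hardening is needed in addition to release signing.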