UK's cybersecurity laws 'crying out for reform'
The United Kingdom’s Computer Misuse Act 1990 is crying out for a new reform, according to a new report from the Criminal Law Reform Now Network (CLRNN).
The current Computer Misuse Act (CMA) states that it is illegal for people to access or modify data on a computer without authorisation. This kind of criminal activity is most prevalent in cyber attacks.
However, the CLRNN states that the Act is holding cybersecurity professionals back, because they legally cannot conduct threat intelligence research against cybercriminals and geopolitical threat actors.
“The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on. This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cybercrime,” says CLRNN member and barrister Simon McKay.
That position is backed by academics and cyber advocates from the likes of Birmingham Law School, and NCC Group.
NCC Group global CTO Ollie Whitehouse says that the report exposes the UK’s outdated cybersecurity crime laws, which leave the cyber industry tackling one of the biggest threats facing our national security.
“[The laws are] within a regime drawn up 30 years ago – when less than 0.5% of the world’s population had access to the internet.”
“The government needs to take urgent action by updating and upgrading the Computer Misuse Act so our nation’s cyber defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs.”
“In today’s uncertain international climate, the ability of cyber criminals and geo-political threat actors to disrupt our technology systems will only continue to grow. We must seize the opportunity to develop 21st century to allow the industry to flourish and make the country safer and more secure.”
The reports’ recommendations include:
- A range of measures to better tailor existing offences in line with the UK's international obligations and other modern legal systems, including new corporate offences.
- New public interest defences to untie the hands of cyber threat intelligence professionals, academics and journalists to provide better protections against cyber-attacks and misuse, while ensuring consistency with overlapping offences within the Data Protection Act 2018.
- A set of new targeted guidance for prosecutors, including the prosecution of young defendants, and calls for greater transparency regarding the use of PREVENT programmes by police.
- The creation of new sentencing guidelines, and provides detail on their formation and function.