The Computer Misuse Act in 2020

On 29 June 2020, the Computer Misuse Act (CMA) turned 30. When the Act was given royal assent back in 1990, only 0.5% of the UK population used the Internet. Now, pro-reform academics call the legislation “confused,” “ambiguous” and “outdated”.

For years, academics and MPs alike have highlighted the need for serious reform. In 2004, the All Party Internet Group released its inquiry report into the legislation, which recommended just that.

However, with little change made, in January of this year, the Criminal Law Reform Now Network (CLRNN) published its report, “Reforming the Computer Misuse Act 1990”. It outlined that the legislation is overdue for reform, and claimed it has not kept pace “with rapid technological change”. The report also stated that the Act places significant barriers in front of genuine threat intelligence research.

Now, an alliance, the CyberUp Campaign, made up of businesses, trade bodies, think tanks and lawyers from the cybersecurity industry in the UK, has written a letter to the Prime Minister, stressing the urgent need for reforms.

30 years of the Act

The computer crime law was first brought in back in 1990, after the Regina v Gold and Schifreen case of 1987. In this case, one of the founders of SC Magazine and a colleague acquired the credentials of a BT engineer, and used them to hack into Prince Philip’s Prestel account.

While it was apparent that a crime had been committed, at the time, there was no legislation directly outlining cybercrimes. After reviewing the case, the English Law Commission determined that new legislation was required to deal with such data breaches, and thus the CMA was formed.

Intending to deter hackers, the Act essentially criminalises the act of accessing or modifying data stored on a computer system without appropriate permission. Comprised of three sections, the legislation states that it is illegal to:

  • Access data stored on a computer without permission
  • Gain unauthorised access to data on a computer, with the intention of using that data to commit illegal activity
  • Make changes to any data stored on a computer without permission (e.g. installing a virus/malware)

There have been amendments made to the Act over the years, the most significant being made in 2015. This saw the Act increase the penalty for committing cybercrimes, bringing it in line with the Serious Crime Act 2015. After this update, the maximum penalty for computer misuse was changed to a prison sentence of up to 14 years, and the possibility of a fine.

Criminalisation prohibits development and advancement

The CMA has repeatedly been criticised for impeding the evolution of the cybersecurity industry by criminalising the use of certain tools and software.

Yanna Papadodimitraki, Law Researcher at the University of Leeds, argues that in essence, the legislation promotes the suppression of “knowledge exchange”. Instead, she suggests that: “Building inclusive initiatives around mentoring and peer learning,” would help the cybersecurity industry to: “Avoid criminalization of its own talent and practices, promote ethical hacking, reduce the skills gap and work towards a safer web”.

This sentiment is held by the CLRNN too. In 2019, the group released its report, reviewing the legislation’s effectiveness. It stated that instead of safeguarding Britain’s cybersecurity, the legislation provides a “confused legal framework,” that prevents cyber threat intelligence professionals from taking on threat intelligence research through the most effective means.

As a result, the report made a number of recommendations. These included:

  • A range of measures to better tailor existing offences in line with the UK’s international obligations and modern legal systems
  • The creation of new public interest defences to “untie the hands” of cyber threat intelligence professionals, academics and journalists, with enhanced protection against cyber attacks and misuse, while maintaining consistency with overlapping offences in the Data Protection Act 2018
  • The introduction of new targeted guidance for prosecutors, including the prosecution of autistic and other vulnerable defendants
  • The formation of new sentencing guidelines, with detail on their formation and function

Reflecting on the need for urgent reform, Barrister Simon McKay, a Civil Liberties and Human Rights Law Practitioner, and Project Lead for the report, said: “The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on. This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cybercrime”.

CLRNN Co-Director John Child added: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies who benefit from their activities, whilst permitting responsible cyber security experts to do their job without fear of prosecution”.

A letter urging the need for reform

Months on from the release of CLRNN’s report, no amendments or reforms have been made. Now, coordinated by industry group CyberUp, cybersecurity consultancies NCC Group and F-Secure, think-tank Demos and cybersecurity software developers McAfee and Trend Micro, amongst others, have written an open letter to PM Boris Johnson.

In it, they argue that in light of COVID-19, the need to reform the Act has never been more urgent. The letter states that the Coronavirus pandemic has highlighted “how reliant modern society is on secure and effective digital technologies”.

Further to this, the letter argues: “In particular, section 1 of the Act prohibits the unauthorised access to any program or data held in any computer and has not kept pace with advances in technology. With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access”.

The letter ultimately concludes that the legislation is “no longer fit for purpose”. Closing, it asserts: “The government has committed to investing in the UK’s digital and technology credentials and, as we move beyond the pandemic, we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber defenders the tools they need to keep Britain safe”.

It is clear that there are fundamental deficiencies in the legislation that need to be amended. Now, it’s up to the government to provide a comprehensive response, and bring the legislation into the 21st Century, to reflect the rapidly evolving technological landscape.

Article Created By Madaline Dunn