Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform
Out-of-date law prevents Britain from fully developing its cybersecurity industry, say campaigners
British infosec businesses are celebrating the 30th birthday of the Computer Misuse Act 1990 by writing to Prime Minister Boris Johnson urging reform of the elderly cybercrime law.
The Computer Misuse Act (CMA) received Royal Assent on 29 June 1990, before "the concept of cyber security and threat intelligence research," the CyberUp campaign group said in its letter [PDF].
"Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges," it added. "This means that the CMA inadvertently criminalises a large proportion of modern cyber defence practices."
CyberUp was founded by a coalition of infosec firms including NCC Group, Orpheus Cyber, Context Information Security and Nettitude, as we reported last summer when the campaign wrote its first letter to the PM.
So far Boris hasn't got round to replying.
CyberUp's latest missive, which carries twenty signatories, warns: "With less threat intelligence research being carried out, the UK's critical national infrastructure is left at an increased risk of cyber attacks from criminals and state actors."
The main problem posed by the current CMA is that it criminalises any "unauthorised access", under section 1 of the act, to a computer. This means "defensive cyber activities" of the sort carried out by CyberUp's members are at best in a grey area – and at worst classified as downright illegal; as the campaign put it, "criminals are obviously very unlikely to explicitly authorise such access."
In January a group of academics published a detailed report echoing calls for the CMA to be reformed, including detailed legal proposals on exactly how to tweak the offences created by the act.
The CMA itself was passed into law after the legendary 1985 Prestel hack on Prince Philip's email inbox. Prosecutors tried and failed to convict journalists Steve Gold and Robert Schifreen of forgery after the duo spotted mainframe login credentials had been left publicly exposed and typed them in to see what would happen. The logic was that they had somehow forged the password, something that the Court of Appeal eventually threw out.
Around 40 CMA cases are brought to court every year with about 90 per cent of prosecutions resulting in a conviction, according to court data analysed by The Register last year.
The only corporate CMA prosecution to date took place in 2018. A firm called Smart Recruitment, a trading name of Workchain Ltd, hatched a plot to diddle junior workers out of company pension contributions. Company managers blagged workers' account ID numbers from pension provider NEST before logging onto its online system in the workers' names to click the necessary opt-out buttons. Directors were jailed and the company was fined more than £280,000.
Most recently a Manchester police gunman was jailed under the CMA after abusing his force computer login to find and contact prostitutes whose details had previously been hoovered up by police. ®