UK's Computer Misuse Act to be reviewed, says Home Secretary as she condemns ransomware payoffs
Priti Patel doesn't say a word about encryption, though
CyberUK 21 Priti Patel has promised a government review of the UK's 30-year-old Computer Misuse Act "this year" as well as condemning companies that buy off ransomware criminals.
The Home Secretary pledged the legal review in a speech at the CyberUK conference this afternoon, organised by the National Cyber Security Centre (NCSC).
"As part of ensuring that we have the right tools and mechanisms to detect, disrupt and deter our adversaries, I believe now is the right time to undertake a formal review of the Computer Misuse Act," said Patel.
Passed in 1990, the Computer Misuse Act (CMA) was last substantially amended in 2008, lengthening the prison sentences available and explicitly criminalising DDoS attacks, something the government felt the original act left unclear.
"Today I am announcing we are launching a call for information on the Act this year," continued Patel. "I urge you all to provide your open and honest views on ensuring that our legislation and powers continue to meet the challenges posed by threats to cyberspace."
Patel's promise represents victory for the CyberUp campaign, which has leaned on government over the past couple of years to amend the CMA and bring it up to date for the modern era. Originally passed as a not-quite-kneejerk response to the Prince Philip Prestel hack in the late 1980s, the act is not a popular option for police or prosecutors, despite, on the face of it, criminalising most modern computer-enabled mischief.
Ed Parsons, exec veep of consulting at F-Secure, which supports the CyberUp campaign to reform the CMA, told The Register: "I would welcome an official review of the Computer Misuse Act and encourage the Home Secretary to consider the proposed reforms set out in the Criminal Law Reform Now Network's report last year.
"The review should consider broadly how to combat cybercrime including helping UK cyber security companies to defend people and organisations and address the industry skills shortage."
Everyone's afraid of breaching it when doing their jobs - even the police
The Law Commission, a government law reform body, published a report on search warrants in October 2020 that highlighted police fears about breaching the CMA while investigating online crimes. That report [PDF] recommended reform of the act for three reasons:
The first reason accords with the observation made by the Law Society and which we have endorsed elsewhere: it would be beneficial to both the individual subject to a warrant and investigators, to have clarity on the powers available and the extent of them.
The second reason is that the limits on the use of the power could then be made explicit in its statutory formulation.
A third and more specific reason is that without lawful authority, an investigator may be committing an offence under the Computer Misuse Act 1990 by searching an electronic device.
Patel also pledged to tackle "online child sexual abuse", revealing that 800 arrests had taken place in the last year for this despicable crime alone. Notably, however, she did not repeat her previous attacks on end-to-end encryption, something that was widely expected given the British government's hostility to the technology.
Ransomware is bad and you shouldn't pay off criminals
The Home Secretary also delivered a direct attack on companies that pay off ransomware criminals in the hope of decrypting their data and preventing publication of trade secrets, staffers' personal data and more.
"Government has a strong position against paying ransoms to criminals, including when targeted by ransomware," said Patel today.
Paying a ransom in response to ransomware does not guarantee a successful outcome. It will not protect networks from future attacks, nor will it prevent the possibility of future data loss. In fact, paying a ransom is likely to encourage further criminality.
Patel's condemnation comes shortly after the multinational Ransomware Taskforce, a public-private offshoot of the US-based Institute for Security and Technology, pointed out in a report [PDF] that ransom funds "may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity". Yet the taskforce notably stopped short of recommending a global ban on ransom payments.
The topic is a hot one: many businesses, fearful of regulatory action and negative publicity, quietly pay up and hope nobody notices – as well as praying that the crims don't come back for a second bite of the cherry.
Former NCSC chief Ciaran Martin praised Patel's condemnation of ransomware payments as "significant and welcome".
A Russian ransomware gang caused the operators of a major US oil pipeline to shut it down last week as a precautionary measure. Infosec firm Secureworks told The Register it had tracked 81 so-called "name and shame" attacks by the Russia-based criminal gang, which has made some waves in the wider infosec world for publishing a public relations website. Among other things, the group that calls itself DarkSide used the site to say today that its aim was "to make money, and not creat[e] problems for society."
"If threat actors realize that pure extortion based on stolen data is as profitable as encrypted ransomware is today – then that is a game changer. The flash to bang between initial compromise and operational success (for the threat actor) collapses from days to hours or even minutes," mused a gloomy Barry Hensley, chief threat intel officer of Secureworks.