Two amendments to the Data (Access and Use) Bill that would have established a statutory legal defence for security professionals and ethical hackers to protect them from prosecution under the 1990 Computer Misuse Act (CMA) have failed to make it beyond a House of Lords committee hearing after being withdrawn.
The 34-year-old CMA broadly defines the offence of “unauthorised access to a computer” that is frequently relied upon in the UK when prosecuting cyber criminals, but given it became law when Margaret Thatcher was prime minister, it has not been updated to reflect the emergence, and practices, of the legitimate cyber security profession.
Campaigners say this is putting the UK at a competitive disadvantage because security pros fear they may be prosecuted simply for doing their jobs – for example, by accessing a system during the course of an incident investigation – while their employers lose out to companies located in more permissive jurisdictions.
Introduced by Lord Chris Holmes and Lord Tim Clement-Jones, the changes would have introduced two amendments into the Data Bill to amend the CMA such that security professionals could prove their actions were “necessary for the detection or prevention of crime” or “justified as being in the public interest”.
Speaking in support of the amendment on 18 December 2024, Holmes spoke about how the CMA was introduced to defend telephony exchanges in an era when 0.5% of the population was online, and if that was the act’s sole purpose, that alone would indicate it needs updating given the profound advances in technology made in the past three-and-a-half decades.
“The Computer Misuse Act 1990 is not only out of date but inadvertently criminalising the cyber security professionals we charge with the job of keeping us all safe. They oftentimes work, understandably, under the radar, behind not just closed but locked doors, doing such important work. Yet, for want of these amendments, they are doing that work, all too often, with at least one hand tied behind their back,” said Holmes.
The Computer Misuse Act 1990 is not only out of date but inadvertently criminalising the cyber security professionals we charge with the job of keeping us all safe
Lord Chris Holmes
“Let us take just two examples: vulnerability research and threat intelligence assessment and analysis. Both could find that cyber security professional falling foul of the provisions of the CMA 1990. Do not take my word for it: look to the 2024 annual report of the National Cyber Security Centre, which rightly and understandably highlights the increasing gap between the threats we face and its ability, and the ability of the cyber security professionals community, to meet those threats.
“These amendments, in essence, perform one simple but critical task: to afford a legal defence for legitimate cyber security activities,” he said. “That is all, but it would have such a profound impact for those whom we have asked to keep us safe and for the safety they can thus deliver to every citizen in our society.
“It’s not time, it’s well over time that these amendments become part of our law. If not now, then when? If not these amendments, what amendment? And if not these amendments, what will the government say to all those people who will continue to be put in harm’s way for want of these protective provisions?” added Holmes.
Government responds
During the hearing in Westminster, other parliamentarians, including the amendment’s co-sponsor Lord Clement-Jones and Lord James Arbuthnot, better known for his campaigning work in the Post Office Horizon scandal, spoke in favour of reform, but to no avail.
Lord Timothy Kirkhope said: “This just demonstrates, yet again, that unless we pull ourselves together, with better smart legislation that moves faster, we will never ever catch up with developments in technology and AI [artificial intelligence]. This has been demonstrated dramatically by these amendments. I express concerns that the government move at a pace that government always moves at, but in this particular field it is not going to work.”
Responding to the meeting, under-secretary of state at the Department for Science, Innovation and Technology (DSIT) Baroness Margaret Jones said the government agreed the UK needed a revised legislative framework to enable the authorities to tackle the harms posed by cyber criminals, and that it was committed to ensuring the CMA remains up to date and is effective in this regard.
However, said Jones, reform is a “complex and ongoing” issue that is being considered as part of a Home Office review of the CMA itself.
“We are considering improved defences by engaging extensively with the cyber security industry, law enforcement agencies, prosecutors and system owners. However, engagement to date has not produced a consensus on the issue, even within the industry, and that is holding us back at this moment – but we are absolutely determined to move forward with this and to reach a consensus on the way forward,” she said.
“The specific amendments … are premature, because we need a stronger consensus on the way forward, notwithstanding all the good reasons … given for why it is important that we have updated legislation. With these concerns and reasons in mind, I hope that the noble Lord [Holmes] will feel able to withdraw his amendment,” said Jones.
Katharina Sommer, group head of government affairs at cyber firm NCC Group, said she was thrilled to see such passionate calls for reform, and that the session had rightly highlighted the outdated nature of the CMA and how it holds back cyber security professionals.
“We need a statutory defence, like that proposed by Lord Holmes’ welcome amendment, to allow this vital work to proceed unimpeded, at a time where the cyber threat is rising unabatedly. Reforming the CMA would unlock huge opportunities, strengthen our defences, and help the UK compete on the world stage,” she said.
“It is heartening to see the minister recognise the need to provide legal protections for legitimate cyber security activities, and hear about her determination to reach consensus on the way forward, particularly as this follows her colleague the security minister’s recent commitment to reviewing the CMA,” said Sommer.
“We do hope sincerely that all those involved in keeping the UK safe in cyberspace are prepared to work together, and find compromise rather than risk deadlock. We look forward to working with the government and all partners to ensure the UK’s cyber laws reflect 21st century threats.”
Disappointment
Andrew Jones, strategy director at The Cyber Scheme, a supporter of the CyberUp Campaign for legal reform, said: “Whilst we are slightly disappointed by the government’s decision not to seize this opportunity to bring the Computer Misuse Act into the 21st century, we are encouraged by their recent comments suggesting a review of the act is being considered. Until then, the CMA will remain an outdated piece of legislation, preventing our cyber security professionals from defending organisations effectively and leaving us lagging behind peer nations, as the US and EU move to safeguard ethical cyber security work as a cornerstone of national resilience.
“With the CEO of the National Cyber Security Centre recently acknowledging that hostile activity in UK cyberspace has increased in ‘frequency, sophistication and intensity’, it is vital that the UK takes measures to upgrade its cyber resilience.
He added: “The statutory defence we propose – drafted in consultation with industry and legal experts – would protect legitimate cyber security professionals, strengthen UK cyber defences, and reinforce its place as a cyber security leader. We are fully prepared to work with the government to help implement this necessary change in the future, as soon as it is ready to act.”