Professionals need protection from the Computer Misuse Act

Over the past few months, the government has shown it understands that we need urgent action to make the online world safer. In this year’s Queen’s Speech, the government announced its plan to introduce an Online Safety Bill, a new frontier for cyber legislation that promises to protect online users from criminal exploitation like never before.

But when it comes to cyber security, protecting online users is only half the battle. Throughout the global Covid-19 pandemic, businesses have come under a barrage of cyber attacks, with criminals and hostile nation states seeking to exploit our weaknesses when we have been at our most vulnerable.

Many CISOs have alerted their employers of the immense stress of their roles over the past year. It isn’t just sensitive customer data at risk – cyber criminals are increasingly targeting national infrastructure, with attacks last year on local authorities, health services and schools.

As cyber professionals come under pressure to combat the threat, you would hope that our current legislation would have their backs. Unfortunately, our security teams have been hamstrung by the very laws designed to protect them.

The Computer Misuse Act (CMA) 1990 was brought in back when we were all still faxing each other from offices with screeching modems. While the Act is admittedly flexible for its age, cyber security professionals can no longer guarantee that it can protect them in their line of work. A study produced by the CyberUp campaign found that 80% of cyber security professionals operating in the UK feared accidentally running foul of the law.

The principal problem with the CMA 1990 is authorisation. Authorisation – or lack thereof – is at the heart of the Act, criminalising unauthorised access to computer systems. This often involves cyber attacks such as malware or ransomware attacks, which seek to disrupt services, obtain information illegally or extort individuals or businesses.

According to the CMA 1990, an act done in relation to a computer is unauthorised if the person doing the act (or causing it to be done):

• Is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done.
• Does not have consent to the act from any such person.

However, with the digital world evolving at breakneck speed, our legislators have focused on how criminals have been adapting without sparing a thought to how the cyber security industry has adapted also. The CMA offers no means to consider individuals’ motives, or recognise circumstances where such access might be deemed legitimate, such as penetration testing with permission.

This can leave those who believe that their computer-related investigations and activities improve cyber security and are ethical, at the mercy of decisions made by the Crown Prosecution Service.

The law is compromising the UK’s cyber resilience by preventing cyber security professionals from carrying out threat intelligence research against cyber criminals and geopolitical threat actors without fear of prosecution.

This leaves the UK’s critical national infrastructure at increased risk, unable to stay ahead of the threats posed by hostile cyber actors. It is time to seize the opportunity to develop 21st century laws, making the country – our public bodies and infrastructure – safer and more secure.

Earlier in 2021, the government announced that it is planning to review the CMA 1990. Its focus is on how we might develop new criminal penalties for cyber criminals. However, the importance of supporting and enabling a new protection regime for cyber security does not seem to have registered as yet.

At SASIG, we have encouraged our members in the cyber security industry to engage as fully as possible with the review. It is our hope that, if the government is serious about national cyber security, that it will also consider supporting those on the cyber front line.