The new UK government has vowed to treat cybersecurity as a matter of national security and is “considering all options” to curb cybercrime, according to the Minister for Security, Dan Jarvis.
This includes a review of the 1990 Computer Misuse Act, the Minister said during the opening speech at Recorded Future’s Predict 2024 event in London on October 22.
Why the UK’s Computer Misuse Act Needs Reform
The UK's Computer Misuse Act (CMA) was introduced in 1990 in response to growing concerns about computer-related crime and hacking. It was one of the first laws of its kind, addressing the need to regulate unauthorized access to computer systems and the misuse of computer technology.
The law has been amended several times over the years, notably by the Police and Justice Act 2006, after the News International phone hacking scandal in 2011, and by the Serious Crime Act 2015.
However, it is recognized that the law in its current form risks criminalizing cybersecurity professionals that use hacking techniques as part of their roles, such as researchers and pen testers.
In 2023, following efforts by an industry coalition, the CyberUp Campaign, pushing for a reform of the CMA, the Labour Party, then the leading opposition party in the UK, proposed a legal amendment that would have allowed ethical hackers to use a public interest defense.
The previous Conservative government ran a public consultation, but the law was not passed.
At Predict 2024, Jarvis said that today, unauthorized computer access can “lead to a wide range of frauds, theft and extortion, and can also facilitate stalking, domestic abuse and harassment, destroying business and ruining lives.”
In 2023, the UK government saw one million CMA offenses reported, most of which sought out personal data.
“These crimes are estimated to cost the UK economy billions of pounds every year,” Jarvis continued.
Questioning Sanction Regimes of Cyber Legislations
Daniel Cuthbert, a co-chair of the British government’s cybersecurity advisory board and in attendance at Predict 2024, was himself prosecuted under the CMA in 2004 after he gained unauthorized access to a charity website.
Following the British Minister for Security’s speech, Cuthbert said on X that it was “great to hear” that the government was considering reforming the legislation “to reflect ever-growing attacks against the UK.”
Speaking to Infosecurity, Allan Liska, a threat intelligence analyst at Recorded Future, said the sanction regimes of cybersecurity laws adopted in the 1990s particularly need to be reviewed, not just in the UK.