The Data Bill: It’s time to cyber up

The Computer Misuse Act is outdated and needs reform – so it’s disappointing to see the government decline an opportunity to update the legislation, says the peer who proposed amendments

Lord Chris Holmes,
House of Lords

Published: 19 Dec 2024

In the latest deliberations on the Data Use and Access Bill in the House of Lords, I set out two amendments to offer well overdue updating to the Computer Misuse Act (CMA) of 1990. In preparing for committee stage of the bill I remain incredibly grateful to everyone involved with the CyberUp campaign, their analysis and commentary always so perfectly on point.

I hardly think I need to rehearse the backdrop to the CMA, many people will be well aware of the act and its shortcomings. Curiously, in the intervening thirty-four and a half years, despite seismic changes in our society and technologies – crucially, including the rise of cyber security threats – the act remains unamended.

Having said that though, I’ve tempted myself a little as it is the case that the act was originally drafted to protect telephone exchanges in 1990, when only 0.5% of the population had access to the internet.

The CMA was the UK’s first computer crime law and came about following an attack on Prestel in the mid-1980s. Anyone under the age of 40 is probably wondering what Prestel was – a forerunner of internet-based online services launched by the Post Office in 1979 – which only serves to make the point.

Significant change
My amendments to the new Data Bill seek to achieve a very clear and materially significant change, to enable cyber security professionals to do what we have asked of them without the legislation tying at least one hand behind their back.

Thirty-four years on, the CMA still governs how we tackle cyber criminals. As it is currently written, the act inadvertently criminalises legitimate cyber security research. This includes a large proportion of vulnerability research and threat intelligence activities which are critical in protecting the UK from increasingly sophisticated cyber attacks.

Fundamentally, it restricts cyber security researchers from conducting essential work to protect the UK, including critical national infrastructure. While improving data access is a positive move, it is equally crucial to modernise cyber security laws to protect not just the data but also the systems that underpin it.

The wording of my amendments in full is:

Data use: definition of unauthorised access to computer programs or data

In section 17 of the Computer Misuse Act 1990, at the end of subsection (5) insert—

“c) they do not reasonably believe that the person entitled to control access of the kind in question to the program or data would have consented to that access if they had known about the access and the circumstances of it, including the reasons for seeking it, and

(d) they are not empowered by an enactment, by a rule of law, or by order of a court or tribunal to access of the kind in question to the program or data.

Data use: defences to charges under the Computer Misuse Act 1990

(1) The Computer Misuse Act 1990 is amended as follows.

(2) In section 1, after subsection (3) insert—

(4) It is a defence to a charge under subsection (1) to prove that—

(a) the person’s actions were necessary for the detection or prevention of crime, or

(b) the person’s actions were justified as being in the public interest.

(3) In section 3, after subsection (6) insert—

(7) It is a defence to a charge under subsection (1) in relation to an act carried out for the intention in subsection (2)(b) or (c) to prove that—

(a) the person’s actions were necessary for the detection or prevention

of crime, or

(b) the person’s actions were justified as being in the public interest.

As I said in the debate, don’t take my word for it, the National Cyber Security Centre acknowledged the widening gap between the risks facing the UK and its ability to mitigate them in its 2024 annual review, clearly stating that “updating this out-of-date legislation is a crucial step in closing this gap”.

Statutory defence
Introducing a statutory defence would provide legal clarity and protection for ethical cyber security professionals undertaking legitimate vulnerability research and threat intelligence activities. Such a defence would align the UK with best practices internationally, ensuring that we keep pace with nations like the US and EU, which are moving to safeguard ethical cyber security work.

To put some numbers to this, there have been nine million instances of cyber crime against UK businesses and charities since May 2021, according to the Department for Science, Innovation and Technology’s 2024 cyber breaches survey, published April 2024. Half of businesses and 32% of charities suffered a cyber breach or attack last year, with £2.4bn estimated increased revenue potential post-update for the sector.

Analysis based on CyberUp’s recent industry report suggests that 60% of respondents said the CMA is a barrier to their work in threat intelligence and vulnerability research, and 80% believed the UK was at a competitive disadvantage due to the CMA.

Concluding my remarks, I asked whether the minister would be able to provide an update on the work to reform the Computer Misuse Act? I also asked her whether she believed that my amendments as drafted would provide the legal protection that we seek and, if so, why the government would not bring them into force via the means of the Data Bill.

The minister’s answers to both questions were largely the same – we must wait, the amendments are “premature”, there was not consensus among those who responded to last year’s consultation on the matter so the path forward must continue with no timeline or sense of when this most pressing of issues will be resolved.

If the government needs some public support to increase its pace on this project, how about the fact that two-thirds of UK adults are inclined to support a change in the law to allow cyber security professionals to carry out research to prevent cyber attacks?

There is also support for such a statutory change from the excellent report of the then chief scientific advisor, Patrick Vallance, earlier this year which concluded that, “Amending the CMA to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals”.

Other nations have already led in this area, not least France and the Netherlands. Belgium, Germany and Malta are currently amending their legal frameworks to this end. As I stated in the debate, it’s time to pass these amendments, it’s time to afford our cyber security professionals the safety they need to do the self-same thing for us, all of us. As has been the case for far too long – it’s time to CyberUp.

Read more on IT legislation and regulation