The Computer Misuse Act (CMA) turns 30 years old

The Computer Misuse Act (CMA) received royal assent in 1990 following the conviction of Robert Schifreen and Stephen Gold in 1986.

The duo were charged for remotely accessing BT’s Prestel service at a trade show using the credentials of a BT engineer and accessing the voicemail account of the Duke of Edinburgh, Prince Philip.

At the time, Schifreen and Gold were convicted under the Forgery and Counterfeiting Act 1981, but the case was later overturned. Despite this, the case did highlight the need for legislation that could keep up with the evolving technology landscape, while keeping information safe and secure.This led to the creation of what we know now as the CMA.

30 years on, our physical and cyber worlds have evolved drastically, but the Act has been left mostly unchanged. In response to this, the CyberUp campaign, which is made up of cyber security firms, academics, legal experts, industry groups, politicians and more, is calling for urgent reform of the outdated Act.

We sat down with the head of public affairs at NCC Group and core supporter of the CyberUp campaign, Katharina Sommer, to find out more about the CMA, how it impacts the industry as well as wider society, and why reform is needed.

The CMA was introduced over 30 years ago, but some people may have never heard of it – could you briefly explain its purpose and what it aims to prevent?

“The Computer Misuse Act effectively makes unauthorised access to computers – illegal hacking, if you want – a criminal offence. It also prohibits the making and supplying of hacking tools, and criminalises cyber attacks on critical national infrastructure. In very simple terms, its main purpose is to ensure computer data and systems can only be accessed by those who have permission to do so.”

The Act has been updated since then – why aren’t these changes enough?

“The changes to the Act over the years have always exclusively focused on keeping up with new ways of causing damage and disruption in cyberspace, such as making Distributed Denial of Service (DDoS) attacks an offence.

“It has always tried to keep up with the bad guys but nobody has really looked at the chilling effect the law has on the good guys – the security and threat intelligence researchers across the UK cyber industry who didn’t really exist in the way they do today when the Act was written.”

We know that the Act impacts the cyber security industry’s ability to deliver threat intel services, but why should consumers care about it?

“The Act currently limits the amount of threat intelligence that can be obtained by UK researchers to detect and prevent cyber crimes. It also deters security researchers from finding vulnerabilities that would ultimately make products safer and more secure.

“This means that consumers are missing out on a higher level of cyber resilience, and are stuck using more insecure devices that areputting themselves and their data at risk of cyber crime.

“Allowing the UK’s cyber defenders to do their job properly will ultimately mean that UK consumers are better protected in cyberspace. What’s more important than that?”

What proposals have been put forward by the CyberUp campaign?

“The CyberUp campaign wants to ensure that UK cyber defenders no longer have to act with one hand tied behind their backs when investigating the methods and tactics of cyber criminals to identify their past and future victims.

“The current Act does not even entertain the possibility that professionals could carry out some ‘illegal’ activities in good faith, or for a good or legitimately justifiable reason such as detecting or preventing crime.

“The campaign is suggesting changes to how ‘unauthorised access’ is defined in the Act, and the introduction of statutory defences so that cyber professionals’ motivations can be taken into account when it is decided if their actions were indeed illegal. This would free cyber defenders to undertake a greater range of defensive and investigative activities in the fight against cyber crime.”

How will these proposals change theway the cyber security industry operates?

“At its core, the implementation of our proposals will create greater legal certainty for industry professionals.

“The CMA at present leaves a whole array of grey areas that leave professionals very vulnerable to prosecution, and potential jail sentences – not a risk any ethical hacker wants to take in carrying out their work.

“Creating legal certainty – and acknowledging that cyber defensive and investigative activities are perfectly justifiable under the UK’s cyber crime laws – would support the UK cyber industry to use their world-class capabilities to help protect the UK in cyberspace.”

For people outside of the industry, what impact will the proposed changes have on their lives?

“There’s no denying that the proposed CMA reform would impact our day-to-day lives in a number of ways, but the main thing it will bring is confidence in the UK’s ability to defend itself against evolving cyber threats.

“Reform will bring knowledge that an outdated piece of criminal law has finally caught up with the realities of life in the 21st century, and that the risk of people going to jail for having done the right thing is significantly reduced.

“Ultimately though, it will also give society the reassurance it needs as threats preside – knowing that the cyber professionals whose job it is to keep us all safe and secure are able to do so, because the laws preventing their effectiveness have been changed to allow them to do that job.”

If you’d like to find out more about the CyberUp campaign and how you can support it, visit: https://www.cyberupcampaign.com