About the Campaign
The CyberUp Campaign is the UK’s leading cyber coalition calling for an update to the UK’s outdated Computer Misuse Act 1990 (CMA). It brings together a broad base of supporters from across the UK cybersecurity sector and beyond. Together, we advocate for updating and upgrading cybercrime laws to protect our national security, enhance our resilience to digital crime, and promote the UK’s international competitiveness in the rapidly evolving global technology sector.
What is the Computer Misuse Act 1990 (CMA)?
The CMA was created to criminalise unauthorised access to computer systems, or illegal hacking. However, it was written in 1990, and given current advances in technology, the threats we face, our unique geopolitical situation and the evolution of the domestic cybersecurity industry, it is unfit for purpose in the context of the 21st century. Despite this, the legislation still governs how we tackle cyber criminals today. Moreover, as it is currently written, the Act inadvertently criminalises research that UK cyber security professionals can carry out to protect the UK’s critical national infrastructure, its citizens and businesses. In practice, this means that the UK’s cyber defence capabilities are weakened.
What do cyber security professionals do and why is it important?
Vulnerability and threat intelligence research is undertaken for defensive purposes. Researchers identify vulnerabilities in products and services and work with manufacturers and vendors to fix them. They also detect cyber attacks, gain insight into attackers and victims, lessen the impact of incidents, and prevent future ones. The UK National Cyber Security Centre recognises the value of this important work, committing to build valuable and trusted relationships with the security researcher community to deliver a reduction in vulnerabilities.
How does the CMA impact cyber security professionals?
The CMA blanketly prohibits all unauthorised access to computer material, irrespective of intent or motive. This leaves the UK’s cyber defenders having to act with one hand tied behind their back, because much of their defensive work requires interaction with compromised victims’ and criminals’ computer systems whose owners have not explicitly permitted or authorised such activities, or are unlikely to do so.
The current UK cyber industry landscape
Source: Department for Science, Innovation and Technology, Cyber security sectoral analysis 2024
The CyberUp Campaign does not support ‘hacking back’ – where a security researcher’s activities entail the disruption or degradation of the investigated systems and infrastructure. These ‘offensive’ cyber activities should remain the prerogative of the state.
We have set out the current expert consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act, demonstrating that a statutory defence would not open up a ‘wild west’ of cyber vigilantism but instead improve the cyber resilience of the UK and its allies and accelerate the growth of the UK’s domestic cyber sector.
Other advocates of a statutory defence
What are we calling for?
The CyberUp Campaign wants to see the inclusion of a ‘statutory defence’ in the CMA, so that cyber security professionals who are acting in the public interest can defend themselves from prosecution by the state and from unjust civil litigation. This will provide much-needed legal clarity and unlock the world-leading UK cyber industry’s full potential.
What does this look like in practice?
In response to understandable questions about how a reformed CMA would work in practice – striking the right balance between protecting the cyber security ecosystem, safeguarding system owners and prosecuting criminals effectively – the CyberUp Campaign has developed a set of principles, in consultation with industry and legal experts, that could guide the application of a ‘statutory defence’. That means that when judging a cyber security professional’s actions to see if a cyber crime was committed, the following would be taken into account:
Why does the Computer Misuse Act need updating?
It will make the UK safer and more secure by allowing cyber security professionals to improve cyber security and detect and prevent crime in the public interest without the threat of prosecution. The longer we wait to update the CMA, the longer the UK’s private sector cyber defenders must operate with one hand tied behind their back. An updated Act is key to delivering effective actions against such threats and several other Government priorities, including growing the economy, developing secure technology, and driving a modern and digital government.
It will bring UK cyber crime laws into the 21st century. The CMA was put on the statute book when 0.5% of the population used the internet. The digital world has since changed beyond recognition and the Act must be updated to reflect that.
It will put the UK on a level footing with global competitors and drive growth. The restrictions put in place by the CMA put the brakes on what has the potential to be one of the biggest growth areas in the UK’s burgeoning tech sector. This is because companies headquartered in jurisdictions that offer more permissive legislative regimes, such as France, the US and Israel, are able to provide the market with a rich supply of threat intelligence gathered abroad, putting UK businesses at a competitive disadvantage. Each year we don’t update the CMA, the UK cyber industry is at risk of falling behind its international competitors, losing out on up to 20 per cent additional revenue.
It will help to tackle the cyber skills shortage (estimated at 10,000 per year) by lifting a significant disincentive for aspiring cyber security researchers to join the profession.
The CyberUp Campaign’s Industry Survey 2023