About the Campaign

“When reforms are made to the CMA, it will be due in no small part to the advocacy that CyberUp and industry have put behind this.”

Simon Fell MP, Chair of the APPG for Cyber Security

“The Computer Misuse Act must be reformed as a priority to acknowledge the changes in our technological landscape.”

Holly Lynch MP, Shadow Security Minister

The CyberUp Campaign is leading the push for cyber security legislation that is fit for the challenges and threats of the 21st century through our efforts to reform the Computer Misuse Act (CMA).

Changing primary legislation is no small undertaking, but the Campaign has successfully built up a strong coalition of supporters which has placed CMA reform firmly onto the political agenda, securing parliamentary questions, debates and national media coverage.

In May 2021, the Home Secretary announced that the Government would be conducting a formal review into the effectiveness of the CMA - a landmark moment and a testament to the Campaign’s efforts. In February 2023, more than 21 months on, the Government published its response to this review, which lacked any concrete action or a clear timeline of the next steps needed to ensure reform. The Campaign will continue to work closely with our parliamentary and industry supporters to call on the Government to take action and create a world-leading cyber crime regime. 

The case for a statutory defence

The CyberUp Campaign is calling for the inclusion of a statutory defence in a reformed Computer Misuse Act, so that cyber security professionals who are acting in the public interest can defend themselves from prosecution by the state and from unjust civil litigation. This will provide much-needed legal clarity and unlock the world-leading UK cyber industry’s full potential as well as improve the general cyber resilience of UK systems, technology and infrastructure.

We were delighted to see the recent commitment made by the Chancellor during the Spring Budget to implement all of the recommendations in Sir Patrick Vallance’s Digital Technology Regulation Review, which includes the introduction of a statutory public interest defence in a reformed CMA. We strongly support the comments in the review that the potential benefits of reform include catalysing growth of the cyber security industry within the UK and ensuring the sector is able to compete on a level playing field internationally.

We have developed a ‘Defence Framework’ that would guide the application of a statutory defence under a reformed Computer Misuse Act.

It is essential that reform takes place in a way that addresses the risk of misuse or exploitation of any legal changes by individuals with dishonest or criminal motives.

The CyberUp Campaign does not support ‘hacking back’ – where a security researcher’s activities entail the disruption or degradation of the investigated systems and infrastructure. These ‘offensive’ cyber activities should remain the prerogative of the state.

We have set out the current expert consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act, demonstrating that a statutory defence would not open up a ‘wild west’ of cyber vigilantism but instead improve the cyber resilience of the UK and its allies and accelerate the growth of the UK’s domestic cyber sector.

The CMA’s current shortcomings

The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.

But the CMA was designed over 32 years ago, before widespread use of the internet, and with the aim of protecting telephone exchanges. Cyber security is one of the most advanced and rapidly developing sectors in the world, yet the UK is still allowing cyber crime to be governed by laws passed when less than 0.5% of the population used the internet.

As a consequence, Section 1 of the CMA, prohibiting unauthorised access to computers, inadvertently criminalises a large proportion of vulnerability security and threat intelligence research and investigation by UK cyber security professionals. This is because the law punishes behaviour without any regard for the motivation of those carrying it out, which offers no protection whatsoever for professional researchers acting in good faith.

The crucial role of cyber professionals

Vulnerability research constitutes investigative activities undertaken by a cyber security researcher to attempt to find a vulnerability in a product or an IT system, with the intent to report the vulnerability to the system owner, and thereby prevent harm or costs.

Threat intelligence is undertaken for defensive purposes, to detect cyber-attacks, gain insight into attackers and victims, lessen the impact of incidents, and prevent future ones. Activities can require the scanning and interrogation of, and (limited) interaction with, compromised victims’ and criminals’ systems where owners have not explicitly permitted or authorised such access, or are unlikely to do so.

The cyber security industry works closely with law enforcement and intelligence agencies to defend the UK against rising cyber crime and geo-political threat actors. That collaboration, hampered by the CMA’s current shortcomings, is fundamental to staying ahead of hostile threat actors and cyber criminals as Governments alone cannot provide the required capacity to tackle growing and increasingly complex threats.

The benefits of CMA reform

This year 39% of businesses reported a cyber security breach or attack. Extrapolating those figures to the UK’s business population as a whole, last year, 2.3 million businesses were a victim of a computer misuse offence. The Government’s 2022 National Cyber Strategy called for a ‘whole of society’ approach to tackling cyber threats – but this can’t be possible while the private sector still have one hand tied behind their back. It’s time to let the cyber professionals assist the national effort to defend against these threats.

A reformed CMA will strengthen the essential building blocks needed to be a leading democratic and responsible global cyber power – an ambition the UK Government set out in the Integrated Review and reiterated in the National Cyber Strategy 2022.

Reform would put the UK on a level footing with global competitors and drive growth, creating an estimated £2 billion additional annual sector revenue, and 8,000 new jobs. The restrictions put in place by the CMA put the brakes on what has the potential to be one of the biggest growth areas in the UK’s burgeoning tech sector.
