CyberUp: full Queen’s Speech reaction

Today, the Government released its legislative programme for the next parliamentary session via the Queen’s Speech in Parliament. Disappointingly for us as the CyberUp Campaign, it didn’t include any commitment to reform the Computer Misuse Act.

We are, of course, frustrated at this lack of commitment, but feel nevertheless encouraged that many of the plans for laws that did make it into the Speech show the UK Government is thinking seriously about what is needed to succeed in an increasingly digital future.

 This is particularly relevant in the context of the National Cyber Strategy, published in December 2021, that sets out a whole-of-society approach to improving the cyber resilience of the systems, infrastructure and services underpinning that digital future, through building an enduring and balanced partnership across the public, private and third sectors, with each playing an important role in the national effort. Russia’s invasion of Ukraine, moreover, has further emphasised the importance of shoring up the UK’s domestic cyber resilience against potential impacts arising from the conflict.  

 Looking at the legislative proposals, we are ever more convinced that reform of the Computer Misuse Act remains the missing piece of the puzzle. As we eagerly, and increasingly impatiently, await the outcome of the Home Office’s Call for Information, we outline why:

 The Online Safety Bill

The long-delayed legislation to tackle online harms is currently at Committee Stage in the Commons and will be carried over to the new session. It therefore wasn’t mentioned during the Queen’s Speech, but still forms part of the Government’s legislative agenda. Following significant discussion over its scope to cover social as well as economic harms, the Government agreed to include fraudulent advertising alongside user-generated content that meets certain definitions of fraud. MPs who have been vocal advocates for online fraud to be addressed in the Online Safety Bill – including Ruth Edwards MP and Simon Fell MP – are also key supporters of the CyberUp Campaign. We will continue to maximise opportunities to raise the need for reform of the Computer Misuse Act as part of the discussions surrounding the legislation.

The Product Security and Telecommunications Infrastructure (PSTI) Bill

This is another piece of legislation carried over from the previous parliamentary session. Part 1 of the proposed legislation will require manufacturers to make sure their ‘network-connected’ products (all consumer connected products, from smart TVs to smart phones) meet minimum cyber security requirements before they are placed on the UK market (including via online marketplaces), and to publish a declaration of conformity (which should be verified by retailers), so as to minimise harm.

In particular, recognising the crucially important role that cyber vulnerability research plays in making IoT devices better, the law requires manufacturers to implement vulnerability disclosure policies, including a public point of contact to report vulnerabilities to. The Bill is currently at Report Stage in the Commons and is also being carried over to the new session. The CyberUp Campaign were fortunate to be able to submit evidence to the Bill Committee earlier in the process. Our submission focussed on the threats of legal action that still face researchers who report vulnerabilities, and the fact that the aims of the Bill would be complemented by CMA reform. Though the legislation is absolutely a step in the right direction, unfortunately there has been no greater commitment on the part of Government to understand the potential impact of existing legislation, like the Computer Misuse Act, on the policy objectives of the Bill. If encouraging greater vulnerability reporting is part of the solution, as this Bill suggests, then all obstacles to this – such as the outdated CMA – need to be removed.

The National Security Bill

The Home Office consultation on a proposed Bill concluded in July last year. The purpose of the Bill, which was also included in earlier Queen’s Speeches as the Counter State Threats Bill, mirrors closely what our objectives for the Computer Misuse Act are – “to modernise existing [] laws to reflect the modern threat and modern legislative standards”.

The Bill would also go some way towards implementing the recommendations of the Intelligence and Security Committee’s Russia Report (which also advocated for reform of the Computer Misuse Act). Moreover, it will include updates to the Official Secrets Act, and even though the Home Office is not minded to follow the Law Commission’s recommendations on those matters, it is worth highlighting that those did include the introduction of a public interest defence, which is the exact change we want to see in an updated Computer Misuse Act, too.

 The Economic Crime and Corporate Transparency Bill

 Part 2 of the legislation that was rushed through in response to Russia’s invasion of Ukraine will predominantly focus on increasing law enforcement powers to seize crypto-assets to tackle money laundering risks more effectively. It is also argued that these measures will support wider action against the growing national threat of ransomware attacks. Unsurprisingly, while we support in full any and all measures effectively to tackle the harmful activities of international cyber criminals, we do argue strongly that increased law enforcement powers should go hand in hand with improved protections for cyber defensive work in the cyber industry so that the whole-of-society effort between public and private sector really can work to maximum effect.

 The Data Reform Bill

 The Data Reform Bill will implement many of the Government’s proposals for reform of the data protection regime outside the European Union. This includes the introduction of new legislative safeguards for academic and commercial research which would more meaningfully reflect modern research practices and support greater data and information sharing between public and private sectors. These are the principles we also emphasise as key arguments for and benefits of a reformed Computer Misuse Act, and we believe that their inclusion in one area of digitally relevant legislation should also be reflected in another to truly pay heed to the Government’s ambition for innovation-friendly and technology-supporting regulation and legislation.

 In conclusion, as outlined before, we believe that the proposed laws in this year’s Queen’s Speech reflect a clear desire to prepare the UK for the digital future, and include many of the principles and concepts that would underpin a reformed Computer Misuse Act. As we urge for progress on this matter, we will also want to see consistency in how these principles and concepts are applied so that UK cyber security researchers – so vital for the UK’s digital future – will be able to benefit from the same legal protections and safeguards that will be afforded to those working in other industries.
