New research: Public attitudes to Cyber Security laws
Two thirds of public favour changes to cybersecurity laws
New polling released today shows that two thirds of UK adults (66%) are inclined to support a change in the law to allow cyber security professionals to carry out research to prevent cyber attacks, such as scanning the computers of cyber criminals to gain insight into their techniques or victims – provided the professionals are acting in the public interest / good faith. These adults either supported the law change or felt it sounded like a good idea based on their current knowledge.
The polling was carried out by Savanta ComRes and commissioned by the CyberUp Campaign, which has been calling for reform of the Computer Misuse Act, the main piece of legislation governing cyber crime and cyber security activity in the UK.
The results follow a Government review into the effectiveness of the Computer Misuse Act, which closed in June, and will add to the pressure on the Government to take action.
The CyberUp Campaign – which is backed by industry body techUK and the Confederation of British Industry (CBI) – has been lobbying for a change to the 31-year old law, arguing that is has failed to keep pace with technology and industry practice. They claim that much of the threat intelligence and vulnerability research that cyber security professionals are able to carry out to protect the country is criminalised, because the Act blanketly prohibits all unauthorised access to computer material, irrespective of intent or motive. This leaves the UKs’ cyber defenders having to act with one hand tied behind their back because much of their defensive work requires the interaction with compromised victims’ and criminals’ computer systems where owners have not, or are unlikely to, explicitly permit or authorise such activities.
The CyberUp Campaign has been pushing for the inclusion of a ‘statutory defence’ in the Act, so that cyber security researchers who are acting in the public interest can defend themselves from prosecution by the state.
The survey – of a nationally representative sample of 2,093 adults, carried out between the 24th-26th September 2021 – put this scenario and proposed fix to respondents, and found that 66% of them supported the law change or felt it was a good idea based on their current knowledge, with only 6% opposing it outright. The supportive sentiment rose to 74% among those who would vote Conservative if a General Election was held tomorrow.
The survey also put two further questions to respondents, such as whether a cyber security professional should be able to scan organisations’ computer systems to find and report a flaw in a system to the system owner (vulnerability research) and whether an Internet Service Provider (ISP) should be allowed to resolve flaws in its networks by accessing its customers’ systems without their permission, but letting them know afterward. Changing the law for these reasons both yielded a majority that supported this or felt it was a good idea based on their current knowledge – 63% and 53% respectively.
Kat Sommer, Head of Public Affairs at NCC Group, a cyber security company supporting the CyberUp Campaign, commented:
“These results show the resounding backing of the British public for our proposed changes to the Computer Misuse Act, and mean that ministers really have no excuse not to bring forward proposals for reform as soon as possible following the Government’s review of the legislation.”
“The Act– written in 1990 – didn’t foresee the birth of the cyber security profession, and therefore leaves ethical cyber security researchers in the lurch as to whether or not they will be prosecuted simply for doing their jobs. The result is a chilling effect on the cyber security industry, leaving the UK less safe from cyber criminals. It’s good to see that the public’s instincts confirm what we believe to be indisputable: the time has come for an update to our cyber laws.”