UK cyber laws ‘out of date’, former cyber chief warns
Ciaran Martin, the former CEO of the UK National Cyber Security Centre (NCSC), yesterday warned that the UK’s Computer Misuse Act is hampering the nation’s ability to tackle evolving cyber threats, including from hostile states such as Russia.
In an appearance before the All Party Parliamentary Group on Cyber Security, Mr Martin said:
“I do try not to always say the answer is new legislation, but obviously in this case a 32 year old piece of legislation is unlikely to have envisaged everything.
“On the deterrent side, something with a two year maximum penalty is not going to be much of a deterrent [to potential cyber criminals].
“On the enabling side, I do think the Act is having a chilling effect on the community of researchers. Hacking is not a bad word and there are highly ethical ways to develop expertise in this area, and you certainly don’t want people trembling with fear that they might be violating the criminal law. The current framework lacks nuance in protecting people who inevitably have to look into bad things to protect against them.”
His comments follow a review of the legislation carried out by the Home Office last May. The Home Office are yet to provide the Government response to the views gathered. The CyberUp Campaign has established through Freedom of Information requests that 66% of respondents to the review stated that they had concerns over the current protections in the Act for legitimate cyber activity.
The Computer Misuse Act (1990) is the law that governs the activities of cyber security professionals in the UK. The Act was written in 1990 before the advent of modern cyber security. Mr Martin highlighted concerns that the law is now hampering the nation’s cyber defences by preventing cyber security professionals from doing their jobs effectively.
In the UK, the public and private sectors work closely together to defend the country in cyberspace. The National Cyber Security Centre (NCSC), the government agency for protecting against cyber crime and cyber threats, has disclosed that its efforts to thwart cyber threat actors during the pandemic involved private sector firms that had “made an indispensable contribution to [NCSC’s] efforts to understand cyber threats and respond to incidents.”
Mr Martin’s successor as NCSC CEO, Lindy Cameron, has also tied the effectiveness of the private sector to the Computer Misuse Act, saying “the protection [the private cyber security sector] provide is crucial to the digital transformation of the economy, and every organisation, large and small, has a role to play. We have come a long way, but there is room for improvement, and for even deeper collaboration. I hope the review of the Computer Misuse Act announced by the Home Secretary will help with this.”
Mr Martin’s comments reflect the findings of research by the CyberUp Campaign and techUK, who have published a joint survey that shows cyber security researchers were being stopped from preventing harm to businesses and citizens by the Computer Misuse Act. The survey found:
93 per cent of cyber security professionals believe that the Computer Misuse Act did not represent a piece of legislation that was fit for this century.
80 per cent of cyber security professionals worry about breaking the law when defending against cyber threats.
91 per cent of cyber security businesses felt they had been put at a competitive disadvantage relative to other countries with better legal regimes.
90 per cent of cyber security businesses thought a change to the law would lead to growth and productivity benefits for their organisation. When averaged across the latest figures for revenue and employment in the sector, a change in legislation would lead to an increase in revenue of £1.8 billion and 7,000 high-skilled jobs.
Ollie Whitehouse, CTO of NCC Group and spokesperson for the CyberUp Campaign, commented on the development:
“As CEO of the National Cyber Security Centre, Ciaran Martin was the most senior government official responsible for defending the people and institutions of the UK from cyber threats. The fact that he is now raising concerns about the Computer Misuse Act reflects the growing feeling that this legislation isn’t fit for purpose - it should be a clarion call to policy makers that reform is needed urgently.”