Now is the time to CyberUp – making the Computer Misuse Act fit for the 21st century

14 November 2023

By Kat Sommer

As proud Founding Members of the CyberUp Campaign, NCC Group initially embarked on the quest to reform the UK’s Computer Misuse Act 1990 in 2018. We were driven by the very real barriers, from legal uncertainty to the risk of jail time, that the Act’s provisions present to the work of cyber professionals undertaking legitimate cyber security research, including our own threat intelligence teams.

Since its formal launch in 2020, the CyberUp Campaign has brought together peers from across the cyber ecosystem alongside trade associations, academics and parliamentarians, all of whom believe that UK cybercrime laws should not inadvertently criminalise the very same people seeking to keep the nation safe and secure. Together, the Campaign is puzzled that a whole-of-society approach to cyber is hampered by an outdated legal framework that largely ignores the valuable role the cyber industry plays in safeguarding and promoting the UK’s security and prosperity alike. 

At NCC Group we are buoyed by recent signals that concerns are being listened to, following the UK Government’s launch of an official process to consider what solutions are available to better protect good faith cyber security researchers. This is progress. But we must not rest on our laurels. At this crucial crossroads, it is critical that we continue to make the case for reform, working closely with Government to explore all options and ensure reform of the Act remains a cyber policy priority.

 

What are we advocating for?

The Computer Misuse Act, which was written over three decades ago, imposes a blanket prohibition on all forms of unauthorised access to computer material, irrespective of intent or motive. As part of the CyberUp Campaign, NCC Group advocates for the inclusion of a statutory defence in the Act that would give individuals across the cyber industry legal protections to carry out crucial vulnerability research and threat intelligence so long as they meet certain criteria.

We believe that such reform, if done correctly, will greatly strengthen researchers’ ability to fight cybercrime, support national security and enable the UK to prosper in the digital age. 

 

How close to reform are we?

In February 2023 – responding to an initial Call for Information on the Act launched 21 months prior – the UK Government acknowledged for the first time that the UK needs “to ensure that the cyber security industry is not unnecessarily prohibited from conducting activities that would protect entities and individuals from hostile cyber actors”. As such, the Government said it would review what legitimate cyber activity “may conflict with the Computer Misuse Act” and consider what “legislative and non-legislative solutions” might be available to better protect good faith cyber security researchers – including legal defences.

A month later, in March 2023, former Chief Scientific Adviser Sir Patrick Vallance recommended “amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals.” We were pleased to see the Chancellor commit to implementing Sir Patrick’s recommendation in the 2023 Spring Budget. The Home Office has since launched a multi-stakeholder process to consider whether defences for legitimate cyber security activity should be embedded in the Act. We are expecting a Ministerial update on progress imminently. 

 

What’s next?

As we await the Government’s update on progress, NCC Group continues to work with our peers across the cyber ecosystem to make the case for 21st century legislation that reflects modern cyber security practices.

The continued ambiguity acts as a brake on the industry. It presents very real risks to the UK as cyber security professionals must operate with one hand tied behind their back against a fast-evolving threat landscape. We are therefore urging the UK Government to recognise the risk of inaction, and show its global cyber leadership by being ambitious in both its future plans and the timelines for their implementation, in the months ahead.