Reforming the UK’s Computer Misuse Act has economic, security benefits for the nation
I welcome the Criminal Law Reform Now Network’s report on reforming the Computer Misuse Act 1990 (CMA). It’s time to bring this twentieth century legislation into the modern information age; to level the playing field for UK cyber security companies, address the industry skills shortage, and help us continue to protect people and organizations.
The CMA came into effect in 1990, a year after the creation of the World Wide Web, when just one in twenty UK households had internet access. Now we enjoy ubiquitous connectivity. According to some predictions, there will be 1000 connected devices per person within the next twenty years. This increased connectivity and the widespread adoption of cloud-based services have undermined traditional approaches to information security, forcing the industry to adapt.
One significant innovation is the use of offensive security research to uncover new threats and help organizations build resilience towards modern attack techniques. It’s integral to our operations here at F-Secure. This research helps to secure the technology and systems we all rely on – everything from mobile phones to critical national infrastructure. Nowadays much of our research (some recent examples here and here) concerns ‘internet based’ threats, exploiting complexity within our technology ecosystem to launch remote attacks at scale. To get ahead of malicious actors, our offensive security professionals and incident responders need the right framework to operate responsibly and effectively within this environment.
Like all good legislation, the CMA needs to keep up with these developments. In its present form it provides no protection for security researchers acting in good faith in an increasingly complex field, where the risk of unauthorised access is arguably greater than ever. Amendments to protect researchers acting in the public interest, or for the detection and prevention of crime, are therefore something we support. We need clear legal definitions to ensure that researchers who reasonably believe they have authorisation to act can legitimately do so.
Tipping the cyber security scales in the UK’s favour
Cyber security is often presented as an asymmetric threat. Malicious actors can conduct attacks remotely, beyond the reach of law enforcement. However, their victims and defenders are bound by laws that govern their physical jurisdiction. For F-Secure and other UK cyber security companies supporting this campaign, the CMA not only impacts our ability to defend victims, but also our competitiveness in a global market. Writ large, this threatens the UK’s national security and its ability to grow its share of a global cyber security services market – a market currently dominated by North America.
The proposed reforms will also help the UK address the skills shortage affecting our industry. The UK Parliament’s Joint Committee on the National Security Strategy once reported that the shortage of “deep technical expertise” was one of the “greatest challenges faced by the UK…in relation to cyber security.” We need a diverse range of bright minds to push the boundaries of our industry. High-profile prosecutions and long sentences reinforce negative stereotypes that may deter some from cyber security as a profession. The proposed addition of ‘required harms’ for offences and guidance on sentencing are therefore welcome. We must stop criminalizing the activity and, ultimately, the talent we need to promote our industry, defend the UK and address the #cybersecurity skills shortage.