Campaigners call for evidence to reform UK’s cyber laws

The CyberUp Campaign, a group calling for urgent reform to the Computer Misuse Act of 1990, has launched a fresh consultation inviting security professionals and researchers to take part in a wide-ranging survey seeking views on the 34 year-old law’s impact on their work.

CyberUp argues that the CMA is risibly out of date – it was written only months after Sir Tim Berners-Lee first proposed the concept of the worldwide web – and that the wording of key clauses relating to unauthorised access to computer systems risks criminalising legitimate security pros and ethical hackers from being able to defend organisations. To do so, they say, potentially risks prosecution.

The campaigners first came together in early 2020 on the eve of the Covid-19 pandemic to call on Boris Johnson to address their concerns, and by May of 2021 their work had secured commitments from the then home secretary Priti Patel to begin a consultation on the issue.

However, this process stalled and became lost in the political melee, and by 2023, with Johnson and his successor Liz Truss consigned to history, the campaign had advanced no further in its aims. Another consultation did take place in 2023 and was widely welcomed, but little ultimately came of it.

The campaigners said that in opening a new study they hoped that the new Labour government would listen to clear, up-to-date and indisputable evidence to change the law.

“This is a pivotal moment for the cyber security industry: the new government has just introduced a very welcome Cyber Security and Resilience Bill in the King’s Speech – the first time ever that ‘cyber’ has been mentioned in any primary legislation – which presents an opportune moment for a legislative update to the CMA in the near future,” they said.

“Launching the survey now enables the campaign to demonstrate the potentially restrictive impact of outdated cyber crime legislation on the growth and investment of the UK’s cyber security sector, as well as its effect on cyber defensive activities conducted domestically.”

The survey should take about 10 minutes to complete and the campaigners have said that due to the sensitive nature of responses they may receive, all information contained in the final cut will be fully anonymised.

“This is an excellent opportunity to capitalise on the legislative momentum the campaign and the wider sector have generated over several years to update the Computer Misuse Act,” they said.

What do cyber pros really think?

The CyberUp campaigners include representatives from leading cyber firms including WithSecure, McAfee, NCC Group and Trend Micro, and is backed by security accreditation body Crest, and techUK as well.

Previous studies conducted by the group have revealed revealed broad consensus across the industry that reform is needed.

The last time such an exercise was conducted in 2023, security pros spoke of the “chilling” effect of the CMA on Britain’s cyber defenders, with 60% believing it acted as a barrier to working effectively, and 80% believing it put the UK at a competitive disadvantage on the world stage.

CyberUp estimates that out of nearly 2,000 active cyber security firms located in the UK, almost 600 have experienced an economic loss due to not being able to work effectively, which the campaign says risks £3bn of the £10.5bn annual sales made by the sector.

Additionally, it believes that over 16,800 security professionals have actually left the UK over the years to work in countries with more permissive laws.

With a fit-for-purpose regime that allows legitimate cyber security defensive and research work, whilst still ensuring malicious threat activity is appropriately sanctioned, the cyber resilience benefits delivered for the UK could be three times as great as they currently are, said the campaigners.