The speech made by Jamie Wallis, the Conservative MP for Bridgend, in Westminster Hall on 19 April 2022.
I beg to move,
That this House has considered the Computer Misuse Act 1990.
Before I begin, I draw Members’ attention to my entry in the Register of Members’ Financial Interests, and in particular to my stakeholding in a firm that has offered digital forensic services in the past, but which I understand does not plan to offer such services at least for the next three to five years.
It is a pleasure to serve with you in the Chair, Sir Mark. I am grateful to have secured this important debate of national security significance, especially considering this morning’s headlines about the potential spyware attack on No. 10. The need for this debate has become more urgent of late, especially considering the barbaric and unprovoked invasion of Ukraine, which has placed a spotlight on the pressing requirement to strengthen the UK’s cyber-security.
The UK Government have achieved a great deal in developing our cyber-capabilities, spearheading the creation of the National Cyber Force and putting aside a total of £2.6 billion for cyber and IT, which is a significant funding increase on previous years. I strongly welcome the Department for Digital, Culture, Media and Sport working more closely with cyber-security firms, through £850,000 of funding to support the establishment and activities of the UK Cyber Cluster Collaboration.
Given this Government’s strong record developing our cyber-capabilities, it is surprising that 32 years after its introduction as a private Member’s Bill, the Computer Misuse Act 1990 remains the primary piece of legislation covering cyber-crime in the UK. I am sure we all agree that the technological landscape has altered drastically over the last 30 years. Our existing legislation must urgently be updated to reflect those monumental changes. When the 1990 Act came into law, Margaret Thatcher was Prime Minister, the first website was yet to be published and I was just a toddler.
The CMA was brought into law to criminalise unauthorised access to computers. In other words, hacking without permission became illegal, irrespective of motive or intent. However, the CMA came into force before the modern cyber-security industry, which now employs more than 52,000 people across 1,800 firms. In 2022, the methods used by cyber criminals and cyber-security professionals are often very similar—sometimes the same. Individuals who work in cyber-security are frequently required to perform actions for which explicit authorisation is difficult, if not impossible, to obtain.
Contemporary defensive cyber research into computer system vulnerabilities and threat intelligence often involves the scanning and examination of compromised victims and criminal systems to lessen the impact of future attacks—pre-empting what such a hack might resemble to prevent its success. It strikes me as woefully naive to think that criminals will explicitly authorise access to their systems. To do so would be akin to a policeman asking permission to arrest an individual.
British cyber-security professionals are at risk of being taken to court for obtaining actionable intelligence, which means that as a country we are dissuading vital research from being conducted at a time when countries such as Russia and China are increasingly deploying hostile technologies against us and our allies. Consequently, even though the CMA has been amended several times since 1990, its major flaw is that it fails to allay fear of arrest and/or prosecution among cyber-security professionals as they carry out essential threat intelligence research against cyber criminals and agents of rogue states.
We find ourselves in a perverse situation where industry specialists who are acting in the public interest—often dealing with issues that are critical to our national security infrastructure—are at risk of being designated a criminal. Even with responsible policing, the CMA can still be used by non-state bodies to pursue individuals through the civil courts, causing considerable financial and emotional injury to well-intentioned professionals. If situations such as these remain possible, future generations of cyber professionals could be deterred from pursuing a highly rewarding career, precisely at a time when we should aspire for Britain to continue its reputation as a global cyber leader.
In urging for reform of the CMA, I have worked closely with the CyberUp campaign, which argues for updating the law and makes the case that failure to reform is holding back our cyber defences and preventing the upskilling of our workforce. In the “Time for reform?” report published by the CyberUp campaign and techUK in November 2020, analysis of a survey showed that the industry overwhelmingly suggested that the CMA was not fit for purpose. More than nine in 10 respondents said that they
“did not believe that the Computer Misuse Act represented a world leading example of 21st century cyber crime legislation.”
With Russia frequently targeting infrastructure through cyber-attacks, it is becoming increasingly urgent that we resolve the contradictions in the CMA. We need only look at the 2017 Russian state-sponsored NotPetya virus, which caused billions of pounds-worth of damage, to appreciate how devastating such attacks can be. At the epicentre of this digital hydrogen bomb in Ukraine, national transport infrastructure ground to a halt, people were unable to withdraw money from ATMs and even the radiation monitoring system at Chernobyl went offline. The current situation is an immense security risk.
The national cyber strategy, which was published in December 2021, sets out a commitment to improving our resilience to cyber-threats, but currently the strategy is clearly hamstrung because of the CMA. I have spoken to threat intelligence researchers from leading UK cyber-security companies, who have stated that they come up against CMA-related barriers three times a week on average. In those situations, researchers must seek guidance on whether they can investigate without breaching the provisions of the Act. In 80% of such cases, investigations cannot be undertaken. Where investigations can go forward, there is a significant benefit, with the average number of victims who can be identified, and thus warned and supported, varying between a handful and often up to hundreds per investigation.
We can extrapolate the figures to try to develop a national picture of what is going on. Using data obtained in the DCMS sectoral analysis 2022, the list of CREST threat intelligence providers and statistics from the DCMS cyber breaches survey 2021, we can surmise that the CMA is an active consideration in relation to at least a hundred, but potentially up to 3,000 investigations, each week across the UK in cyber-threat intelligence firms; that is, of course, assuming that all the other firms are similarly conscientious about staying on the right side of the law. That means that up to 2,400 investigations could be abandoned due to sensitivities around the CMA, which in turn could mean that up to 1 million victims remain unidentified and thus under threat from cyber criminals. Financially, it is estimated that the outdated CMA is costing our economy at least £30 million a week.
Our digital economy is being held back by a law that came into existence when less than half a percent of the population used the internet. We need to make the case that Britain, with its impressive track record in computing, networking and cyber, is a fantastic place to invest, create jobs and upskill our workforce. As it stands, we risk losing out to global competitors with more liberal legislative regulations, such as France, Israel and the United States.
What practical changes need to be made to the CMA for it to be well placed to rise to the challenges of 2022 and beyond? Industry representatives have directly conveyed to me a strong desire to see the inclusion of a statutory defence for cyber-security professionals who are acting in the public interest. Although I understand the need to ensure an effective balance between protecting legitimate cyber-activity and being able to prosecute genuine criminals effectively, one thing that struck me in my meetings with industry representatives was that even among those who felt relatively at ease about the prospect of prosecution, there remained a strong and genuine fear of arrest, which would involve the seizure of their work devices—the tools of their trade—and cause significant stress to individuals who are proud of their contributions to keeping Britain safe.
Currently, the only protections in the Act, beyond a few cases where a warrant is obtained, are extendable only to actions undertaken with explicit authorisation. Consequently, for the law to work for 21st-century Britain and its need to defend itself from cyber-attacks, reform should include a legal mechanism and clarify legal ambiguities in order to put professionals at ease.
Sir Paul Beresford (Mole Valley) (Con)
I apologise for not being here at the very beginning. My hon. Friend is absolutely correct about a statutory defence, but I understand that that could be achieved without changing the current legislation, particularly if it were done in co-ordination with the Crown Prosecution Service.
It is important that we respond directly to the concerns of the cyber-security professionals; this is what they have asked for. Meaningful engagement with them will lead to a potential compromise. There is also a need to balance how we act against genuine cyber criminals, and I think that meaningful engagement and working with them will be the way to find that suitable compromise.
Updating the CMA has widespread cross-party support, with the all-party parliamentary internet group first calling for reform of the CMA in 2004—18 years ago. Since then, the Intelligence and Security Committee’s Russia report has recommended that the CMA should be updated in response to the heightened risk of malignant Russian cyber-activities.
Although cyber professionals across the country and I greatly appreciate the announcement by the Home Secretary last year of a review looking at the CMA, progress has seemingly been slow. Some 66% of respondents to the Government’s call for information had concerns over the existing legal protections of the CMA, so I hope that the Minister will update us as to whether the review is being expedited, especially considering that there has been an increase in hostile cyber-actions undertaken by rogue states and given this morning’s headlines on potential spyware attacks on No. 10. I would also be grateful if the Minister would meet myself and others from the campaign to discuss the matter further. I look forward to hearing contributions from hon. and right hon. Members.