Matt Warman – 2022 Speech on the Computer Misuse Act 1990

The speech made by Matt Warman, the Conservative MP for Boston and Skegness, in Westminster Hall on 19 April 2022.

I congratulate my hon. Friend the Member for Bridgend (Dr Wallis) on securing this debate. I myself put in for a debate on this issue a while ago, but the gods obviously smile more on Bridgend than they do on Boston. Nevertheless, I welcome this opportunity to debate the issue.

I thank the Minister and his officials for several meetings that he and I have had about this issue relatively recently. All were prompted, as my hon. Friend the Member for Bridgend said, by CyberUp and by Kat Sommer, who deserves to be cited in Hansard for her persistence, among many other things.

This is an important but technical issue. I will be honest and say that I am not completely certain that the Computer Misuse Act 1990 is broken, but I am certain that it can be improved, by one means or another. That is because, as my hon. Friend the Member for Bridgend said, the structure of the cyber-security industry has changed since the Act came into force, and is different from almost any other part of the national security set-up. If we were to ask whether academics have a right to interrogate systems for the purposes of research, we would definitely say yes. If we were to ask whether businesses have the right to interrogate those same systems, we would assume that it was for commercial purposes and that it was important to have different rules.

It is also a sector where a lot of very small-scale research is done by individuals—some of them literally in their bedrooms. There is a very diverse set of people looking for loopholes and vulnerabilities. Uncovering those vulnerabilities—be they in banks, businesses or any other area where we all rely on the internet—is categorically in the public interest, even if it may also be in the interests of businesses, researchers or people looking for bounties given by large businesses to uncover those vulnerabilities. Those businesses realise that it is in their interests to provide the maximum security to their customers or users.

That gets to the heart of why the Computer Misuse Act matters. On the one hand, it seeks to prevent hacking and other things that we do not want to see done by people with malign intent; but on the other hand, it risks fettering the ability of people with the public interest at heart to solve issues that we would all like to see solved. Admiring the problem is the easy bit; the hard bit is trying to work out what we should do about it.

There are a couple of things that we should not do. We should not introduce a blanket public interest defence for anyone who goes looking for things that might subsequently be perceived as a loophole or bug in a system. To do that would potentially give carte blanche to anyone who got caught, allowing them to claim that they were going to fess up about it, rather than benefit from it themselves. A public interest defence that goes too far should be avoided. I find it hard to imagine how a public interest defence might be constructed that does not, inadvertently or otherwise, go too far.

The other thing that we should not do—notwithstanding the figures that my hon. Friend the Member for Bridgend quoted—is assume that cyber firms of any sort should not be mindful of legislation such as the Computer Misuse Act. Of course, if someone is doing research they should consider what is legal. It is a good thing, not a bad thing, that it is a factor for consideration for those who are engaged in the cyber-security industry. We should be mindful of how we can fix the Act, rather than just sweep it away altogether. I come to a point that was made a moment ago; those issues can probably be addressed through enhanced guidance that provides a degree of legal comfort to the unsurprisingly risk-averse lawyers who work for cyber firms and others. Such guidance would not provide carte blanche to people who might have malevolent intent.

Criminals will not be looking at the CMA and wondering whether what they are doing is legal; by definition criminals are not bothered about whether they are breaking the law. However, there is an important grey area, and we should not create an unintended opportunity for people to defend themselves in court. I implore the Minister to continue his work on the review of the Act, which is really important, but with some minor legislative tweaking we could provide the comfort that the industry rightly asks for and could continue to secure the excellent reputation that Britain has and, as the hon. Member for Strangford said, that Belfast has, for being a world-leading cyber power. We can build on that success because the CMA is an example of a bit of legislation that, although very old, has largely stood the test of time for a lot longer than many might think.

I will close by simply saying that the principles embedded in the CMA are not bad ones. Whenever it comes to legislating for the internet, we should realise that the internet has not necessarily reinvented every single wheel, and principles that apply offline can be applied online. In this case, they need a little bit of updating, but I do not think we should throw the baby out with the bathwater, as the hon. Member for Strangford said.