To ask His Majesty’s Government what action they are taking to reform the Computer Misuse Act 1990 to enable legitimate independent testing of computer systems.
My Lords, the Government support people undertaking legitimate cybersecurity work to do so without fear of criminalisation. We are actively considering options to strengthen the legislative framework as part of the review of the Computer Misuse Act, which is ongoing. This work is complex and needs a lot of thought, not least to ensure that we do not inadvertently create a loophole that can be exploited by cybercriminals or hostile state actors.
My Lords, the need to be able to carry out independent research into computer systems has been put into the spotlight by the Horizon scandal. We last discussed this issue at Oral Questions last July. Since then, the Government have had the conclusions of a stakeholder working group for several months but have done absolutely nothing to include a public interest defence in the Criminal Justice Bill that is now in the Commons. I described the Government’s progress last year as “glacial”. Was I being unkind to glaciers?
Regrettably, the noble Lord is wrong. We set up a multistakeholder group of systems owners, law enforcement, cybersecurity companies and prosecutors—a systems access group—to specifically consider the proposal of statutory defences. Six meetings were held between May 2023 and October 2023. Unfortunately, there is a lack of consensus among those participants and the cybersecurity industry, and with law enforcement and prosecutors, on whether there is a need for statutory defences and on what is considered to be legitimate activity. That lack of consensus proves the point that careful thought is needed in this area.
My Lords, I declare my technology interests as set out in the register. Does my noble friend agree that it is time that a statute which is 34 years old, was introduced when only 0.5% of us were online and which 91% of cyber professionals say is damaging to the UK cyber industry, was updated to enable our fantastic cyber professionals and to increase growth and productivity in the UK?
My noble friend raises some good points and, as I said, the Government are considering the right way to do that. If I talk about some of the difficulties, it might illustrate this point to the House. Amending legislation to enable cybersecurity activities involves accessing computer systems, and the data is complex. This needs a lot of thought. We would need to establish what constitutes legitimate cybersecurity activity and the boundaries of such activity. We would need to consider who should be allowed to undertake such activity, where the professional standards would need to be complied with and what reporting or oversight would be needed. We cannot make changes that would prevent law enforcement agencies and prosecutors investigating and prosecuting those who commit cybercrimes. It is right to consider this carefully and that is what we are doing.
My Lords, the Minister set out a long list of things that need considering. I understand his point, so could he perhaps tell us the timetable for this process, when we might hear the verdict on all these considerations and perhaps see some legislation before your Lordships’ House?
My Lords, the public consultation on this process concluded only in November 2023, so we have not had a huge amount of time to consider all the responses. As I have explained, we will be reviewing how to take forward the recommendations and will update Parliament in due course.
My Lords, why would a public interest defence help cybercriminals?
My Lords, that is clearly among the things that are being considered.
My Lords, does the Minister agree that there is a related issue of computer-based evidence? The Police and Criminal Evidence Act 1984 stated that computer-based evidence should be subject to proof that the computer system was operating properly. That changed, in 1999, to a presumption that a computer system has operated correctly unless there is explicit evidence to the contrary. That change was supported by the Post Office and coincided with the introduction of the Horizon IT system. Does my noble friend agree that this area needs to be looked at?
My noble friend raises a very good point. If I may, I will look into the specifics of her question and write to her.
My Lords, Article 40 of the French criminal procedure code provides for cybersecurity specialists who are acting in good faith and solely in the national interest to be protected from prosecution. Does the Minister believe that a similar provision would be suitable here?
My Lords, we are always interested in learning from the approaches taken by other countries and jurisdictions. We speak with our international counterparts, including all our major allies, to understand how they approach the issue of whether there should be defences to these types of offences. But the majority of our like-minded partners do not have statutory defences and are instead in favour of prosecutorial guidance. For example, the US Department of Justice introduced guidance for prosecutors on when to prosecute instances of potential breaches of its Computer Fraud and Abuse Act.
My Lords, does the Minister agree that the Criminal Justice Bill is a good opportunity for the Government to bring forward a public interest amendment, perhaps with the bells and whistles that the Minister is talking about, or is he firmly of the view that this will occur only in the future?
My Lords, I am not quite sure where the bells and whistles come from. As I said, we are just considering all the potential implications. However, part of the Criminal Justice Bill introduces a new power for law enforcement and other investigative agencies to suspend IP addresses and domain names where they are being used to facilitate serious crime. So the answer is partially yes, but the other situation that the noble Lord described is very complicated.
My Lords, the prosecutorial guidance referred to just now by my noble friend leaves computer professionals in a position of uncertainty. Do they not need certainty as to the shape of the law?
Well, yes, and as I said, the working group that was set up to look into this, which included the cybersecurity industry, law enforcement, prosecutors and others, could not reach consensus on this subject. Certain cybersecurity professionals are in favour of defences but other industry experts are not—so we have to continue to consider these responses.