(9 months, 2 weeks ago)
Lords ChamberRegrettably, the noble Lord is wrong. We set up a multistakeholder group of systems owners, law enforcement, cybersecurity companies and prosecutors—a systems access group—to specifically consider the proposal of statutory defences. Six meetings were held between May 2023 and October 2023. Unfortunately, there is a lack of consensus among those participants and the cybersecurity industry, and with law enforcement and prosecutors, on whether there is a need for statutory defences and on what is considered to be legitimate activity. That lack of consensus proves the point that careful thought is needed in this area.
My Lords, I declare my technology interests as set out in the register. Does my noble friend agree that it is time that a statute which is 34 years old, was introduced when only 0.5% of us were online and which 91% of cyber professionals say is damaging to the UK cyber industry, was updated to enable our fantastic cyber professionals and to increase growth and productivity in the UK?
My noble friend raises some good points and, as I said, the Government are considering the right way to do that. If I talk about some of the difficulties, it might illustrate this point to the House. Amending legislation to enable cybersecurity activities involves accessing computer systems, and the data is complex. This needs a lot of thought. We would need to establish what constitutes legitimate cybersecurity activity and the boundaries of such activity. We would need to consider who should be allowed to undertake such activity, where the professional standards would need to be complied with and what reporting or oversight would be needed. We cannot make changes that would prevent law enforcement agencies and prosecutors investigating and prosecuting those who commit cybercrimes. It is right to consider this carefully and that is what we are doing.