Dave Robertson

- Hansard -

Copy Link

-

Q Thank you, Professor, for coming along. You said that when the Computer Misuse Act was written in 1990, not many people were doing cyber-security work. You attested that the criminalisation element was negative for a number of reasons. Obviously, since then, a private sector has grown up in this area. I am struggling to marry those two pieces of information together. Can you give us an impression of other jurisdictions and of international comparators where things may be different, and whether they have been able to get ahead of us in building a more thriving sector? Are we particularly lagging behind in the OECD? Are other countries ahead of us because they do not have the measures we do?

Professor John Child: That is a good question. It is certainly fair to say that all jurisdictions are somewhat in flux about how to deal with cyber threats, which are mushrooming in ways people would not have expected—certainly not in 1990, but even many years after.

The various international conventions—the OECD, the Budapest convention and so on—require regulation and criminalisation, but those are not nearly as wide as the blanket approach that was taken in this country. Some comparative civil law jurisdictions in the rest of Europe start from a slightly different place, in that they did not necessarily take the maximalist approach to criminalisation we did.

In a number of jurisdictions, you do not have direct criminalisation of all activities, regardless of the intention of the actor, in the same way that we do. So we are starting from a slightly different position. Having said that, we do see a number of jurisdictions making positive strides in this direction, because they need to; indeed, we see that at European Union level as well, where directives are being created to target this area of concern.

There are a few examples. We wrote a comparative report, incidentally, which is openly available. In terms of some highlights from that, there is a provision in French law, for example, where, despite mandatory prosecution being the general model within French criminal law, there is a carve-out relating to cyber-security and legitimate actors, where there is not the same requirement to prosecute. In the Netherlands, there was a scandal around hacking of keycards for public transport. That was done for responsible reasons, and there was a backlash in relation to prosecution there. There were measures taken in terms of prosecutorial discretion. Most recently, in Portugal, we saw a specific cyber-security defence created within the criminal law just last year.

In the US, it varies between states. In a lot of states, you have quite an unhelpful debate between minimalist and maximalist positions, where they either want to have complete hack-back on the one hand or no action at all on the other, but you have a slightly more tolerant regime in terms of prosecution.

So there are varying degrees, but certainly that is the direction of travel. For sensible, criminal law reasons that I would speak to, as well as the commercial benefits that come with a sector that is allowed to do its work properly, and the security benefits, that is certainly the direction of travel.