Computer Misuse Act 1990 Debate

Full Debate: Read Full Debate
Department: Home Office

Computer Misuse Act 1990

Holly Lynch Excerpts
Tuesday 19th April 2022

(2 years, 8 months ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Holly Lynch Portrait Holly Lynch (Halifax) (Lab)
- Hansard - -

As always, it is a pleasure to serve under your chairmanship, Sir Mark. As others have done, I will start by paying tribute to and thanking the hon. Member for Bridgend (Dr Wallis) for securing today’s important debate and for his ongoing and important role in highlighting some of the issues in this policy space.

Like others, I will start with some humility about the limits of my technical capabilities in this space, while very much recognising that the comments of those who have some background in it have been particularly insightful —I include your comments in that, Sir Mark.

We often describe debates in Westminster Hall as timely, but as the UK faces a threat unlike any other in recent history, and just one day after reports broke that Downing Street itself may have been may have been targeted using Pegasus hacking software, which can turn smartphones into remote listening devices, a renewed focus on the Computer Misuse Act could not be more urgent.

As others have mentioned, the 1990 Act was the first major legislative attempt to tackle cyber-crime and criminalise hacking. The Act strengthened the protection of personal data held by organisations by making it a crime for individuals to gain unauthorised access to that data or to modify it without the necessary permission. Undoubtedly, it was a significant landmark, but given the rate and complexity of technological advance, the Act is long overdue for reform. While it has been amended by more recent legislation, at 30 years old, its contemporary relevance continues to wane.

This policy area moves at such a pace that legislation could be rendered out of date in the time between a new law being drafted and securing Royal Assent, so laws governing this space would require almost constant consideration and review. That is where the statutory guidance plays an important role, as some areas of this must be particularly dynamic. However, with the Act at 30-plus, and without a significant overhaul, we are now woefully ill-equipped as a country to ensure that we are meeting as robustly as is required the cyber challenges that we face.

In 2020, an estimated 99.99% of total cyber-crime and roughly 99% of reported computer misuse offences went unpunished. That is despite the fact that we know that cyber-crime is significantly under-reported. Coupled with that, there were only 45 prosecutions in 2020 for computer misuse offences. In total, there were 43 convictions, with the average custodial sentence being 15.7 months, and the average fine just £1,203. While there are several reasons for low prosecution rates for cyber-crime—such as jurisdiction, with a great deal of this type of crime being committed abroad—the CMA, with its confusing framework and ambiguous, outdated terminology, presents a further challenge.

I recently met the CyberUp organisation—others have already paid tribute to its work—which was set up in 2020 to campaign for reform of the CMA. It is a broad coalition of supportive bodies from within the cyber-security industry, including the larger cyber consultancies and the cyber industry trade body, techUK, and has the backing of the Confederation of British Industry. Others have cited similar arguments, such as the Criminal Law Reform Now Network, which was launched in 2007 and comprises leading academics, practitioners and legal experts in the field. In its 2020 report, it concluded that the CMA is “crying out for reform”.

Speaking last year at the National Cyber Security Centre, the Home Secretary announced a welcome formal review of the CMA. The result of the call for information was clear, with 66% of respondents saying that they had concerns over the current protections in the Act for legitimate cyber-activity. I understand that the outcome of the review is expected to be published early this summer, so as with others who have spoken today my first question is, can the Minister confirm when we can expect the next step of that review? I would be grateful if he could update Members about that. Given that there is no reference to reform of the CMA in the Government’s new national cyber strategy, which was published late last year, many people hope that the review will comprehensively address the areas discussed today and provide a clear position on how we move forward.

As the hon. Member for Bridgend has mentioned, reviewing the CMA in the light of Russia’s abhorrent invasion of Ukraine is of even greater importance in order to ensure that our cyber-defence is fit for purpose. As outlined in the 2020 Russia report conducted by the Intelligence and Security Committee,

“Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security.”

During evidence provided to the Committee, the NCA explained:

“The Computer Misuse Act…is very outdated legislation. It was designed for a time when we all didn’t carry six phones and computers and let alone have criminals who do the same.”

It would therefore seem more than sensible for the Government to accept the report’s recommendation that the CMA

“should be updated to reflect modern use of personal electronic devices”,

alongside the report’s other recommendations.

A Government report published just last month and conducted by the UK, the US and other allies exposed the historic malign cyber-activity of Russia’s Federal Security Service, including a long list of cyber-operations targeting the UK energy sector, US aviation and a Russian dissident in the UK, who was targeted using sophisticated hacking and spear phishing. Given the historic and increased cyber-threat level, we must consider the concerns of cyber-security professionals who make a strong case that the CMA, in its current form, prevents them from being able to robustly test security systems using some of the most effective methods available to them.

Last month, the former chief executive officer of the UK National Cyber Security Centre warned that our current system

“lacks nuance in protecting people who inevitably have to look into bad things to protect against them.”

That argument is further supported by the recent findings of a survey conducted by CyberUp and techUK, which found that 93% of cyber-security professionals believe that

“the Computer Misuse Act did not represent a piece of legislation that was fit for this century”

and 91% of cyber-security businesses felt that

“they had been put at a competitive disadvantage relative to other countries with better legal regimes.”

If we do not have a system that our security professionals have confidence in, we do not allow them to robustly defend our security to the best of their abilities.

Having discussed the necessary reasons for reform, it is important to consider what legislative reform would look like and the possible alternatives available to us. One reform, advocated by CyberUp and the Criminal Law Reform Now Network, would introduce a statutory defence to the CMA, using a principles-based framework that would allow cyber-security professionals to defend activities performed in the public interest. I recognise the diverse purposes for interrogating cyber-security, which were raised by the hon. Member for Boston and Skegness (Matt Warman), and the requirement to ensure that we find the balance in introducing a defence. When an individual is able to demonstrate clearly that they acted to prevent crime or to protect a system or that no personal profit or gains were made, it would seem reasonable and appropriate for that to be recognised in new legislation.

If I have understood the French approach correctly, article 40 of the criminal procedure code allows for a person who is acting in good faith and who acts solely in the national interest by notifying the appropriate body about an existing vulnerability related to the relevant system. That may be a comparison we can look at in order to see how we can best update our legislation.

If we are to ensure that we can protect ourselves from evolving cyber-threats, such as those revealed at the very heart of Government today, the Computer Misuse Act must be reformed as a priority to acknowledge the changes in our technological landscape. When the CMA was drafted, the majority of people did not even have access to a computer, but now we all carry that capacity with us in our pockets. Times have changed, and so must the legislation.

I would be grateful for an outline of the Government’s response to the revelations of spyware in Downing Street, and for confirmation that a comprehensive and urgent investigation is under way, as well as for an update on whether any upcoming legislation on countering hostile state actors will operate in this online space and when we might see more detail about those proposals.

Being able to combat threats from hostile cyber-actors in the current geopolitical environment is an essential requirement, and it is our role as legislators to ensure that that is possible. We need the very brightest and best working in the UK cyber-security space; those professionals must have the ability to do their jobs as well as they can if they are to deliver the protections that our country urgently needs.