Computer Misuse Act 1990 Debate

Full Debate: Read Full Debate
Department: Home Office

Computer Misuse Act 1990

Jamie Wallis Excerpts
Tuesday 19th April 2022

(2 years, 6 months ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Jamie Wallis Portrait Dr Jamie Wallis (Bridgend) (Con)
- Hansard - -

I beg to move,

That this House has considered the Computer Misuse Act 1990.

Before I begin, I draw Members’ attention to my entry in the Register of Members’ Financial Interests, and in particular to my stakeholding in a firm that has offered digital forensic services in the past, but which I understand does not plan to offer such services at least for the next three to five years.

It is a pleasure to serve with you in the Chair, Sir Mark. I am grateful to have secured this important debate of national security significance, especially considering this morning’s headlines about the potential spyware attack on No. 10. The need for this debate has become more urgent of late, especially considering the barbaric and unprovoked invasion of Ukraine, which has placed a spotlight on the pressing requirement to strengthen the UK’s cyber-security.

The UK Government have achieved a great deal in developing our cyber-capabilities, spearheading the creation of the National Cyber Force and putting aside a total of £2.6 billion for cyber and IT, which is a significant funding increase on previous years. I strongly welcome the Department for Digital, Culture, Media and Sport working more closely with cyber-security firms, through £850,000 of funding to support the establishment and activities of the UK Cyber Cluster Collaboration.

Given this Government’s strong record developing our cyber-capabilities, it is surprising that 32 years after its introduction as a private Member’s Bill, the Computer Misuse Act 1990 remains the primary piece of legislation covering cyber-crime in the UK. I am sure we all agree that the technological landscape has altered drastically over the last 30 years. Our existing legislation must urgently be updated to reflect those monumental changes. When the 1990 Act came into law, Margaret Thatcher was Prime Minister, the first website was yet to be published and I was just a toddler.

The CMA was brought into law to criminalise unauthorised access to computers. In other words, hacking without permission became illegal, irrespective of motive or intent. However, the CMA came into force before the modern cyber-security industry, which now employs more than 52,000 people across 1,800 firms. In 2022, the methods used by cyber criminals and cyber-security professionals are often very similar—sometimes the same. Individuals who work in cyber-security are frequently required to perform actions for which explicit authorisation is difficult, if not impossible, to obtain.

Contemporary defensive cyber research into computer system vulnerabilities and threat intelligence often involves the scanning and examination of compromised victims and criminal systems to lessen the impact of future attacks—pre-empting what such a hack might resemble to prevent its success. It strikes me as woefully naive to think that criminals will explicitly authorise access to their systems. To do so would be akin to a policeman asking permission to arrest an individual.

British cyber-security professionals are at risk of being taken to court for obtaining actionable intelligence, which means that as a country we are dissuading vital research from being conducted at a time when countries such as Russia and China are increasingly deploying hostile technologies against us and our allies. Consequently, even though the CMA has been amended several times since 1990, its major flaw is that it fails to allay fear of arrest and/or prosecution among cyber-security professionals as they carry out essential threat intelligence research against cyber criminals and agents of rogue states.

We find ourselves in a perverse situation where industry specialists who are acting in the public interest—often dealing with issues that are critical to our national security infrastructure—are at risk of being designated a criminal. Even with responsible policing, the CMA can still be used by non-state bodies to pursue individuals through the civil courts, causing considerable financial and emotional injury to well-intentioned professionals. If situations such as these remain possible, future generations of cyber professionals could be deterred from pursuing a highly rewarding career, precisely at a time when we should aspire for Britain to continue its reputation as a global cyber leader.

In urging for reform of the CMA, I have worked closely with the CyberUp campaign, which argues for updating the law and makes the case that failure to reform is holding back our cyber defences and preventing the upskilling of our workforce. In the “Time for reform?” report published by the CyberUp campaign and techUK in November 2020, analysis of a survey showed that the industry overwhelmingly suggested that the CMA was not fit for purpose. More than nine in 10 respondents said that they

“did not believe that the Computer Misuse Act represented a world leading example of 21st century cyber crime legislation.”

With Russia frequently targeting infrastructure through cyber-attacks, it is becoming increasingly urgent that we resolve the contradictions in the CMA. We need only look at the 2017 Russian state-sponsored NotPetya virus, which caused billions of pounds-worth of damage, to appreciate how devastating such attacks can be. At the epicentre of this digital hydrogen bomb in Ukraine, national transport infrastructure ground to a halt, people were unable to withdraw money from ATMs and even the radiation monitoring system at Chernobyl went offline. The current situation is an immense security risk.

The national cyber strategy, which was published in December 2021, sets out a commitment to improving our resilience to cyber-threats, but currently the strategy is clearly hamstrung because of the CMA. I have spoken to threat intelligence researchers from leading UK cyber-security companies, who have stated that they come up against CMA-related barriers three times a week on average. In those situations, researchers must seek guidance on whether they can investigate without breaching the provisions of the Act. In 80% of such cases, investigations cannot be undertaken. Where investigations can go forward, there is a significant benefit, with the average number of victims who can be identified, and thus warned and supported, varying between a handful and often up to hundreds per investigation.

We can extrapolate the figures to try to develop a national picture of what is going on. Using data obtained in the DCMS sectoral analysis 2022, the list of CREST threat intelligence providers and statistics from the DCMS cyber breaches survey 2021, we can surmise that the CMA is an active consideration in relation to at least a hundred, but potentially up to 3,000 investigations, each week across the UK in cyber-threat intelligence firms; that is, of course, assuming that all the other firms are similarly conscientious about staying on the right side of the law. That means that up to 2,400 investigations could be abandoned due to sensitivities around the CMA, which in turn could mean that up to 1 million victims remain unidentified and thus under threat from cyber criminals. Financially, it is estimated that the outdated CMA is costing our economy at least £30 million a week.

Our digital economy is being held back by a law that came into existence when less than half a percent of the population used the internet. We need to make the case that Britain, with its impressive track record in computing, networking and cyber, is a fantastic place to invest, create jobs and upskill our workforce. As it stands, we risk losing out to global competitors with more liberal legislative regulations, such as France, Israel and the United States.

What practical changes need to be made to the CMA for it to be well placed to rise to the challenges of 2022 and beyond? Industry representatives have directly conveyed to me a strong desire to see the inclusion of a statutory defence for cyber-security professionals who are acting in the public interest. Although I understand the need to ensure an effective balance between protecting legitimate cyber-activity and being able to prosecute genuine criminals effectively, one thing that struck me in my meetings with industry representatives was that even among those who felt relatively at ease about the prospect of prosecution, there remained a strong and genuine fear of arrest, which would involve the seizure of their work devices—the tools of their trade—and cause significant stress to individuals who are proud of their contributions to keeping Britain safe.

Currently, the only protections in the Act, beyond a few cases where a warrant is obtained, are extendable only to actions undertaken with explicit authorisation. Consequently, for the law to work for 21st-century Britain and its need to defend itself from cyber-attacks, reform should include a legal mechanism and clarify legal ambiguities in order to put professionals at ease.

Paul Beresford Portrait Sir Paul Beresford (Mole Valley) (Con)
- Hansard - - - Excerpts

I apologise for not being here at the very beginning. My hon. Friend is absolutely correct about a statutory defence, but I understand that that could be achieved without changing the current legislation, particularly if it were done in co-ordination with the Crown Prosecution Service.

Jamie Wallis Portrait Dr Wallis
- Hansard - -

It is important that we respond directly to the concerns of the cyber-security professionals; this is what they have asked for. Meaningful engagement with them will lead to a potential compromise. There is also a need to balance how we act against genuine cyber criminals, and I think that meaningful engagement and working with them will be the way to find that suitable compromise.

Updating the CMA has widespread cross-party support, with the all-party parliamentary internet group first calling for reform of the CMA in 2004—18 years ago. Since then, the Intelligence and Security Committee’s Russia report has recommended that the CMA should be updated in response to the heightened risk of malignant Russian cyber-activities.

Although cyber professionals across the country and I greatly appreciate the announcement by the Home Secretary last year of a review looking at the CMA, progress has seemingly been slow. Some 66% of respondents to the Government’s call for information had concerns over the existing legal protections of the CMA, so I hope that the Minister will update us as to whether the review is being expedited, especially considering that there has been an increase in hostile cyber-actions undertaken by rogue states and given this morning’s headlines on potential spyware attacks on No. 10. I would also be grateful if the Minister would meet myself and others from the campaign to discuss the matter further. I look forward to hearing contributions from hon. and right hon. Members.

--- Later in debate ---
Jamie Wallis Portrait Dr Wallis
- Hansard - -

I begin my closing remarks by extending my thanks to you, Sir Mark, for being in the Chair, and to all right hon. and hon. Members for their insightful contributions to this timely debate. It is wonderful to see such cross-party engagement on this issue of significance for our national security, and I am pleased about how Members have contributed to a very good debate.

I thank my hon. Friend the Member for Wycombe (Mr Baker) for raising an important point about humility. He and I both know that expertise a few short years ago probably means a lack of it today—I can certainly attest to that. His comments about the register of professionals were certainly also cause for thought.

I thank my hon. Friend the Member for Boston and Skegness (Matt Warman) for raising points about statutory defence. I think we can get the best of both worlds: it is possible, on our side, to give the reassurances that security professionals want without necessarily legalising what is obviously criminal activity.

I thank the SNP spokesperson, the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald). When he spoke about smart fridges, he touched on something that I forgot to mention in my speech: however much we think the technological landscape has changed, even more is coming. It was not that long ago that the internet of things was just an idea, and now it is on its way. Everything will have a SIM card and everything will be connected to the internet. Driverless cars, drone deliveries and all those things are coming—they are not pipe dreams; they are currently being developed by someone, somewhere.

I also thank the chair of the all-party parliamentary group on cyber security, my hon. Friend the Member for Barrow and Furness (Simon Fell), for his concise and eloquent summary of the case for reform, and the shadow Minister, the hon. Member for Halifax (Holly Lynch), for introducing comparisons with how other countries have done—she mentioned France—which was very useful.

I thank my right hon. Friend the Minister for his attendance and for his carefully considered response to the points that were raised. I am grateful for his offer to make time available to meet us so that we can begin the important work of well-considered and careful reform.

Question put and agreed to.

Resolved,

That this House has considered the Computer Misuse Act 1990.