Pro-Innovation Regulation of Technologies Review and the Computer Misuse Act 1990 Debate
Jamie Wallis (Conservative - Bridgend)
(1 year, 7 months ago)
Commons Chamber
Before I begin, I draw Members’ attention to my entry in the Register of Members’ Financial Interests, and in particular to my stakeholding in a firm that has historically offered digital forensic services, but which I understand does not currently and does not plan to offer such services for the next five years.
I am grateful for having secured this debate in order to highlight the importance of the Government’s recent commitment to implementing the recommendations in Sir Patrick Vallance’s pro-innovation regulation of technologies review, which included the introduction of a statutory public interest defence to the Computer Misuse Act 1990. I also thank the CyberUp Campaign, which has worked closely with me and other colleagues to champion the reform to the outdated CMA.
I am certain that the Minister will be aware that I previously stressed the reasons as to why we urgently need to reform the CMA in a Westminster Hall debate almost a year ago. In that debate, I argued, alongside insightful contributions from other hon. Members, that the 33-year-old Act needs further reform to bring our cyber-security capabilities into the 21st century.
The primary issue with the CMA, as it is currently written, is that British cyber-security professionals are at risk of being taken to court for obtaining actionable intelligence. Such is the scale of this concern, that a report by the CyberUp Campaign and techUK found that four out of five cyber-security professionals worry about breaking the law when conducting essential research in good faith. Currently, the only protections in the Act, beyond a few cases where a warrant is obtained, are extendable only to actions undertaken with explicit authorisation. Consequently, reform should include a legal mechanism and clarify legal ambiguities in order to put professionals at ease.
In 2022, the methods used by cyber criminals and cyber-security professionals are often very similar—sometimes the same. Individuals who work in cyber-security are frequently required to perform actions for which explicit authorisation is difficult, if not impossible, to obtain. Legitimate instances of unauthorised access include gathering proportionate threat intelligence; responsible vulnerability research and disclosure; active scanning; enumeration; use of open directory listings; identification; and, of course, honeypots.
Currently, we find ourselves in a perverse situation where industry specialists who are acting in the public interest—often dealing with issues that are critical to our national security infrastructure—are at risk of being designated a criminal. ENISA, the European cyber-security agency, notes that the threat of prosecution can have a “chilling effect” on cyber researchers which “adversely affects security”. The upshot of this is that we are dissuading vital research from being conducted at a time when countries such as Russia and China are increasingly deploying hostile technologies against us and our allies.
I commend the hon. Gentleman for securing this debate. Does he not agree that the balance must be found to allow for new research and development while ensuring that there is protection in place, not simply in an individual setting, but in terms of security for our nation from cyber warfare? That is a delicate balance to find, as he has said. With the growing reputation of Belfast as a cyber-security hub, we should, with any legislation, be regulating and encouraging development in British-controlled companies in the safest way possible in the future.
Yes, I agree wholeheartedly with the hon. Gentleman. I think that I go on to elaborate exactly how we might be able to do that.
We are now almost two years on from when the former Home Secretary announced a review of the CMA. In those two years, the technological landscape has only further drastically altered with heightened cyber-security risks becoming endemic to an increasingly uncertain geopolitical world. Recent Government announcements surrounding TikTok only serve to prove this point.
In the case of TikTok, Government cyber-security experts have conducted a thorough review of evidence since November and have uncovered a potential risk in the way sensitive Government data is accessed. This conclusion has been corroborated by the United States, Canada and the European Union. The review highlights TikTok’s data collection methods, which include the collection of user contact lists, accessing of calendars, scanning of hard drives, including external ones, and hourly geolocation of devices.
With this in mind, to protect against the increasing cyber threats in the UK and to combat online fraud, it is imperative to safeguard vulnerability and threat intelligence research related to defensive measures. The Office for National Statistics reported a concerning 77% rise in cyber threats in 2022, while online fraud increased by a third over the past two years. According to the Department for Digital, Culture, Media and Sport, data breaches survey in July 2022, 39% of companies have experienced a cyber-attack or data breach in the prior 12 months. In order to address these concerns, researchers play a vital role in identifying product and service vulnerabilities, working with manufacturers and vendors to fix them, detecting cyber-attacks, and gaining insight into attackers and victims. By doing so, they can decrease the impact of incidents and use horizon scanning to prevent future ones. The UK Government’s National Cyber Strategy recognises the crucial nature of this work and is committed to building valuable and trusted relationships with security researchers to reduce vulnerabilities. Thus, reforming the CMA will be a significant step in developing co-operation with professionals.
The introduction of a statutory defence is not only essential for giving UK security professionals legal protections and peace of mind when responding to the increasing number of cyber threats, but will help to encourage innovation and influence the evolution of international regulatory frameworks to give us an economic advantage over our competitors. As the Chancellor clearly enunciated in his spring Budget statement, we must be on the front foot in shaping the evolution of regulation and standards in this key growth sector.
In his review, Sir Patrick agreed with me that
“amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals...would have a catalytic effect on innovation in a sector with considerable growth potential.”
Such a defence would allow our technology professionals to compete on a level playing field with their counterparts in Israel, France and the United States who are already protected in statute.
As things stand, our digital economy is being held back by a law that came into existence when less than half a per cent of the population used the internet. Cyber-security industries in the UK now employ more than 52,000 people across 1,800 firms and a survey of such firms representing more than half of the sector found that, on average, respondents expected a 20% increase in revenue as a result of reforming the CMA.
CMA reform is expected to bring benefits to the entire digital sector and wider economy. According to a recent report by the Audiovisual Anti-Piracy Alliance, copyright-infringing internet protocol television providers in Europe generated more than £1.4 billion of unlawful revenue in 2021, causing significant damage to the UK film and television industry. CMA reform would allow cyber-security professionals to efficiently take down such illegal streaming platforms, providing yet another example of the economic advantages of this initiative. MakeUK also found that half of manufacturing businesses in the country had experienced cybercrime in the year to May 2021, with 63% saying they had lost at least £5,000 and 6% that they had lost over £100,000.
Recognising the importance of modernising cyber-security laws to foster growth, system owners such as internet service providers understand the need to support such regulations. Zen Internet, for instance, acknowledges its responsibility for maintaining cyber-security functions as an ISP. However, the current legislation poses limitations for security service providers that aim to ensure the safety of their staff, customers, and suppliers.
During the Westminster Hall debate that I secured on the CMA, the former Minister for Security and Borders, my right hon. Friend the Member for East Hampshire (Damian Hinds), suggested that,
“we cannot put in place measures that would act as a mechanism for criminals and state actors to hide behind”. —[Official Report, 19 April 2022; Vol. 712, c. 19WH.]
I completely agree with that sentiment. However, having liaised with industry experts, I know that it is possible to give the reassurances that professionals want without necessarily legalising what is obviously criminal activity. In order to ensure that there are appropriate safeguards so that any new legislation does not inadvertently create a legal loophole to be abused by bad actors, I recommend engaging with stakeholders such as CyberUp to implement a relevant defence framework.
Legal safeguards for good faith cyber-security activities could be established through a defence framework that would provide a set of principles for the courts to assess the validity of actions. Those principles would cover factors such as the harm-benefit balance, proportionality, intent and competence of the actor. The Belgian approach offers examples of such safeguards, which apply to activities meeting specific criteria, while identifying unacceptable activities such as distributed denial of service attacks, password thefts, or hack backs that disrupt or damage the targeted systems.
From Charles Babbage and Ada Lovelace to Alan Turing and Tim Berners-Lee, as a nation we have a proud history of innovation in this area. With the Chancellor confirming in the Budget that all nine of Sir Patrick Vallance’s digital technology pro-growth recommendations will be implemented, I know that this Conservative Government share my ambition to ensure that the UK cyber-security and digital sectors remain world leading.
To that end I am keen, along with cyber-security researchers up and down the country, to understand the timeline and process for the Home Office, working with His Majesty’s Treasury, to introduce a statutory defence to the CMA. The sooner a well-considered defence is added to the CMA, the sooner we can unlock the great potential that such changes would entail for the economy. I hope the Minister will be able to provide some clarity on that point today.