Computer Misuse Act 1990 Debate

Full Debate: Read Full Debate
Department: Home Office

Computer Misuse Act 1990

Steve Baker Excerpts
Tuesday 19th April 2022

(2 years, 8 months ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Steve Baker Portrait Mr Steve Baker (Wycombe) (Con)
- Hansard - -

I am absolutely delighted to speak in this extremely important debate—it is perhaps not pressingly urgent, but very important. I congratulate my hon. Friend the Member for Bridgend (Dr Wallis) on securing this debate and on his speech. I pay tribute to my hon. Friend the Member for Rushcliffe (Ruth Edwards), who wrote an excellent foreword in the report from CyberUp and techUK, “Time for Reform? Understanding the UK cyber security industry’s views of the Computer Misuse Act”. It is an excellent paper with sensible suggestions.

If I may say so, we are blessed to have this Security Minister here in his place. As far as I understand it, being Security Minister is not for someone who showboats or campaigns; it is for somebody who is extremely thoughtful and reliable and can really get to the heart of matters, so I am grateful that my right hon. Friend is the Minister replying today. He might not be able to respond to all the points today, but I know he will certainly think about them. I also pay tribute to my hon. Friend the Member for Boston and Skegness (Matt Warman), who showed his command of the subject.

I approach this debate with great humility, deeply aware of my own inadequacy at rising to the most difficult technical problems involved. I say that not because I do not know anything about the subject, but because I do. I have an MSc in computer science from Oxford, which I gained in 2000. I was once upon a time—at least, I think so—a reasonably competent Unix system administrator. I have done a network intrusion course as a software engineer, and I like to think that I might be considered as once being above average as a software engineer.

Having read books such as “The Art of Computer Programming” and Bruce Schneier’s book on cryp-tography—he is one of the world’s great experts—I am well aware that the subject of cyber-security is fabulously complex and difficult and not well understood. Without naming the organisation, I once went to a major public body to talk about cyber-security. It had put a large TV up on the wall and on it was a NORAD-style display of cyber-attacks going to and fro across the world, and there was a little software engineer’s rolling league table of which attacks were in progress. I asked what it all meant, and the public body did not know. It could not tell me what the attacks going to and fro meant, which put the meeting in context. So my first point is that no one following this debate or this subject should be under any illusion whatever about the complexity involved. It is a problem for the top 1% of software engineers—the sort of people who might be employed at GCHQ at the very cutting edge of understanding computers, how they work and how things can be dealt with.

Secondly, I think reform of the Computer Misuse Act would be a very good thing. My goodness!—what we have learned and how things have changed since that Act was put in place. Even since I joined Parliament in 2010, software engineering has changed tremendously. We all find that we go out of date very quickly, and the law has to keep pace with how things have changed.

The point was made earlier that some things that happen in the real world have parallels online. When I look at the range of things that software engineers have to do to counter network intrusion and cyber-attacks, at the moment we seem to be in a position akin to saying to a householder, “You may not defend against burglars,” or to someone attacked in the street, “You may not commit acts of self-defence.” That parallel might be flawed, but we have to look extremely carefully at whether software engineers and other professionals are adequately defended in law, so that they can do what is necessary to defend against criminal attack. That is what we are talking about.

The paper from CyberUp and techUK is excellent. I read it only over the weekend, but it all seems to be very sensible and well thought through, and I certainly commend it to the Minister and his officials. They should have a really good look at it to see whether the case has been made, in particular for a statutory defence for professionals in the field, making sure that we have taken into account everything we now know about cyber-security.

I am not actually in favour of an official register of professionals, which is recommended in the paper. There are two reasons for that. First, insert here all the arguments about the state running registers of professionals—the anti-competitive practice it can encourage and so on—which do not need rehearsing. It would also become something of a honeypot for criminals. If we were to create a privileged list of registered actors who are, in some sense, allowed or better facilitated to conduct cyber-security operations, for want of a better term, that would create an enormous incentive for criminals to get their people on that list, or to corrupt individuals on the list in order to get what they want from them. I remain opposed to having a state-sponsored list of professionals with some kind of privilege to conduct these operations, outside of employees of the state themselves—obviously, we employ people to do this sort of thing. I think that would be a mistake.

Those are the three points that I wanted to make. First, we need humility as we approach these things. This issue is not susceptible to loose pub chat; it needs real expertise. Secondly, reform of the CMA seems to me to be a jolly good idea. Thirdly, there should be no official register. Once again, thank you very much, Sir Mark. I am really looking forward to hearing the response of my right hon. Friend the Minister.

--- Later in debate ---
Stuart C McDonald Portrait Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)
- Hansard - - - Excerpts

It is a pleasure to see you in the Chair, Sir Mark. We do not always have such a knowledgeable Chair in relation to such technical matters.

Steve Baker Portrait Mr Steve Baker
- Hansard - -

He will answer questions later!

Stuart C McDonald Portrait Stuart C. McDonald
- Hansard - - - Excerpts

Indeed.

I thank the hon. Member for Bridgend (Dr Wallis) for securing the debate and for his expert introduction of the topic. He rightly highlighted events in Ukraine, and, indeed, today’s reports of attacks on No. 10 as providing a stark backdrop to this discussion. He and all hon. Members made a strong case for revisiting and revising the 1990 Act.

The point I agree with most fundamentally was made by the hon. Member for Wycombe (Mr Baker), who highlighted the complexity of these issues. I feel rather underqualified at the moment, particularly given the CVs on display today. Nevertheless, I approach this topic with an open mind and am open to persuasion by the experts. I welcome the Home Office’s call for information last year. The recent cyber strategy hints at this legislation being looked at again. If the Government proceed with reforms, the Minister will have our support and we will play as constructive a part as we can to ensure that they are the right ones.

As we heard, the 1990 Act was pretty much rushed into effect via a private Member’s Bill when it seemed to be established that hacking—shoulder surfing in one particular case—was not against the law. Obviously, that had to change, so the legislation put criminal offences on the statute book for unauthorised access, unauthorised access with intent to commit other crimes and unauthorised modification of computer material, but things have changed significantly since then. The hon. Member for Bridgend said he was a toddler back when the legislation was passed. I certainly was not; I would have been sitting, as a teenager, with my BBC Micro computer taking 20 minutes to load “Football Manager”. He is right to point out that, back then, a tiny percentage of the population had access to computers. The internet was something for the future. Technology has changed in unbelievable ways, with computer use now absolutely ubiquitous. People are also using a large number of smart internet-connected devices. That all radically alters the threat landscape from when the legislation came into force.

As the Act explicitly mentions computers and not other internet of things devices that can connect to the internet and be hacked, things such as smart fridges or nanny cams must be argued to be computers to fall under scope of the legislation. We had reference to the submission by the NCA to the House of Commons Russia inquiry, highlighting the widespread use of mobile phones as a reason for urgently updating and reforming the CMA. The legislation does not appear to be effective: one report I read recently suggested that less than 1% of reports of hacking led to prosecutions. There are issues about whether it even works in bringing criminals into the court system for justice.

It is right to acknowledge that it is not the case that the Act has not been updated at all. Changes have been made: punishments have increased and, significantly, the offences of impairing the use of a computer and provision of articles to facilitate misuse have been added. The Government have also started to address the problem of securing smart devices through the Product Security and Telecoms Infrastructure Bill 2022, but revisiting and broadening the scope of the CMA would improve on that and complete the move to address the internet of things security dilemma.

Perhaps a more pressing issue, which Members have rightly focused on, is that the Act does not attempt to differentiate between the motives of hackers: malign cyber criminals who intend to exploit or harm other users or their systems are treated the same as those identifying weaknesses and flagging them up for altruistic reasons. Often, ethical hackers test a company’s systems accurately by using the tools that hackers themselves would use. Those concerns have led to the CyberUp campaign and the idea of a statute of defence to protect cyber researchers identifying vulnerabilities in computer systems and company networks not to exploit them but to help fix them. I pay tribute to that campaign for helping me try to understand what this is about.

As the hon. Member for Barrow and Furness (Simon Fell) put it, all this is holding us back. While US IT security companies can offer whole-of-supply-chain vulnerability scanning to identify weaknesses that could compromise systems, UK companies cannot offer those services for fear of prosecution under the CMA. He pointed out that that has a knock-on effect on our ability to grow our expertise and talent base. If those working legitimately to uncover vulnerabilities or using hacking tools to simulate attacks are left at risk of prosecution for doing their jobs, that leaves companies, organisations and our key infrastructure more vulnerable to attack.

Adding a defence to the Act seems a sensible way to proceed. I accept that the scope of any such defence has to be judged carefully. This is not a straightforward. The hon. Member for Boston and Skegness (Matt Warman) was right to raise the difficulties. While a defence should protect those engaging in legitimate vulnerability scanning or ethical hacking, the defence must be defined in a way that does not encourage vigilante activity or any sort of free-for-all. He suggested as an alternative the idea of using guidance. I must say that, as a lawyer, I slightly shy away from using guidance when the alternative is to put something on the face of a Bill; from a rule of law perspective, that is always more desirable but, again, it is something that I am open to persuasion on.

All these concerns have been recognised by the CyberUp campaign through inclusion in its proposals for various tests, including a competency element, to ensure that only a person engaged in activities covered by the Act who is competent to do so and who has good intent is protected. While it is complicated, I believe that it can be done and should be done.

I finish by again welcoming the debate and the chance to put on record our support for reviewing, revising and updating the 1990 legislation. As I said, we will work constructively on any proposals to do that.

--- Later in debate ---
Damian Hinds Portrait The Minister for Security and Borders (Damian Hinds)
- Hansard - - - Excerpts

It is a pleasure to serve under your expert chairmanship, Sir Mark. I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing today’s debate and bringing this important issue to Westminster Hall. I am also grateful to all colleagues who have taken part. It strikes me that this is a good example of bringing to bear on Parliament not just opinions or political points but real depths of expertise from the outside world. I think it has been a very good debate.

I thank the SNP spokesman, the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald), and the Opposition spokesperson, the hon. Member for Halifax (Holly Lynch), for the constructive way that they engaged with the important discussion. I reassure everybody that it will feed into the review, which I will come back to later. I confirm to my hon. Friend the Member for Bridgend that I would be pleased to meet with him and a group of colleagues to discuss the issue further—I look forward to it.

As the Minister for Security and Borders, I am keenly aware of the scale of the cyber-crime threat facing our citizens and businesses. Keeping them safe is a key priority for the Government and our operational agencies and I take this opportunity to thank all those who work tirelessly to protect the public.

The threat from cyber-crime has intensified over the last couple of years. As the hon. Member for Halifax said, the pandemic meant that even more of our lives were spent online, and, inevitably, criminals have sought to exploit that shift. The statistics bear out the scale of the threat, with computer misuse now accounting for an estimated 15% of all crime. That opportunism is despicable and underlines how crucial it is that we have a robust and effective response. The Computer Misuse Act is primarily about hacking into someone else’s computer, but clearly there are more crimes that involve misusing computers for criminal means—most fraud, for example. Later today we have the Second Reading of the Online Safety Bill, which is an ambitious and forward-looking piece of legislation that will tackle online harms around fraud and fraudulent advertising.

I turn to some of the points made by the hon. Member for Strangford (Jim Shannon) about protecting individuals and small businesses. I reassure him that comprehensive advice is available from Cyber Aware. We encourage everybody to act on that, starting with three key things: protecting email security with a password made up of three random words; using two-factor authentication where that is available; and keeping operating systems up to date—often when an update comes around it is to see off some weakness that has been found.

I want to note important steps taken by industry that can make what hacking yields of less utility—things such as the banking sector’s deployment of the confirmation of payee system. We have sector charters in place with key industries, including retail banking. While Northern Ireland has a different policing arrangement, in this part of the UK we have the regional and national cyber-resilience centres, supported by policing, to help give extra support and guidance to small businesses that may have less wherewithal to invest in cyber-security expertise.

I also want to respond to my hon. Friend the Member for Barrow and Furness (Simon Fell) about skills; he is absolutely right that although the issue is about machines, it is ultimately about people. It is people who improve our defences. There are key pathways and standards in the Institute for Apprenticeships and Technical Education system, including under the cyber-security technologist umbrella and more broadly with the introduction of T-levels. Indeed, the critical T-level is digital business services, which includes a minimum of nine weeks of industry placement. I strongly encourage firms operating in the area—in cyber-security and in-house digital technology—to support that to make sure we all work together to bring on that next generation of experts who will help keep us all safer.

Steve Baker Portrait Mr Steve Baker
- Hansard - -

The Minister has prompted me to recommend a book called “Peopleware”. It is a classic in software engineering and is all about people and how they develop software. One of its points is the orders of magnitude difference between different categories of competence in software engineering. It raises some interesting issues that I am sure he and his officials would find helpful.

Damian Hinds Portrait Damian Hinds
- Hansard - - - Excerpts

I am grateful to my hon. Friend. I shall add that to my bedtime reading list, which is not uncrowded at present. I will look forward to getting to that.

In the last year, we saw a number of high-profile ransomware attacks around the world, including attacks on local authorities and schools in the UK. The National Cyber Security Centre has reported that in just the first four months of 2021, it handled the same number of ransomware incidents as for the whole of 2020. The National Cyber Security Centre has improved our understanding of the threat and provides a unified source of advice and support to Government and business.

I am afraid that the threat posed by cyber-attacks continues to grow in scale and complexity. That is why the national cyber strategy, mentioned by a number of colleagues and published in December, sets out how the Government will invest £2.6 billion over the next three years to develop a whole-of-society approach to increasing national cyber-security and resilience, including reducing the risk and opportunity for cyber-crimes and disrupting cyber-criminals. As part of that funding, we will continue to invest in the law enforcement cyber-crime network at national, regional and local level. In the face of such a broad and complex threat picture, law enforcement agencies must have the powers they need to investigate online criminality. It is also essential that we have robust legislation in place to enable action to be taken against the perpetrators.

My hon. Friend the Member for Wycombe (Mr Baker) was right about how much has changed since 1990, and my hon. Friend the Member for Barrow and Furness pointed out that the world is more interconnected than ever. Next year, it will be even more interconnected again. All that is correct and we must make sure we are up to date and up to pace. However, as my hon. Friend the Member for Boston and Skegness (Matt Warman) pointed out, it is also the case that over the last 30 years, the Computer Misuse Act has generally proven to be a far-sighted piece of legislation for tackling unauthorised access to systems. As the threat has changed, so too has the Act, which has been updated a number of times—most recently in 2015, where the offence of unauthorised acts causing, or creating risk of, serious damage was introduced.

We are firmly and fully committed to ensuring the legislative framework that underpins our efforts to address cyber-crime remains relevant and effective. That is why last May the Home Secretary announced a review of the Computer Misuse Act. The Home Office subsequently launched a call for information, which marked the first step in that process. The purpose of the call for information was to seek views of interested stakeholders across the piece, including in industry, academia and the agencies, on the Act and the associated investigative powers available to law enforcement. The Home Office has received responses covering a range of interesting and complex issues and we are grateful to those who have sent in their views. We are considering the feedback submitted and continue to engage with partners to determine whether changes are needed. We will provide an update on the initial findings of the review shortly.

I want to touch on a couple of key points directly relating to the Act that will influence the approach we take on defences. First, the Act is based on the principle that the owner of the computer and computer data has the right to say who can access it. I want to stress that point, which was made repeatedly during the development of the Act. Authorisation to access a system is the prerogative of the owner. It is that person who is responsible for the operation of the system and bears the cost of securing it.

Equally, the Government are rightly seeking to ensure that system owners take more responsibility for the security of their systems and the content held on them. Therefore it is right that the system owner has the protection of the law from those who obtain or attempt to obtain unauthorised access to computers and their data. We encourage firms to agree to having their systems tested for vulnerabilities by third parties but the fundamental point is that it is the choice of the legal property owner to determine that.

Secondly, we need to ensure that the Act continues to criminalise those who take unauthorised action against computer systems and provides the legal basis for relevant legal authorities to act.

In launching the review, we have been clear that we are open to changes to the Act that enhance our approach to that threat. However, I must also emphasise that any such changes should be well-considered and well-evidenced. We must guard against taking any action that would undermine the ability of law enforcement agencies and prosecutors to investigate criminals and prosecute them.

I have heard the views of Members on defences. My hon. Friend the Member for Boston and Skegness identified the nuance very well, as my hon. Friend the Member for Wycombe did the nuance of the registration of industry professionals. We are still considering the question of defences, but I am sure that Members would agree with me that we cannot put in place measures that would act as a mechanism for criminals and state actors to hide behind. That is why we need to tread cautiously. An ill-conceived defence could leave prosecutors with the burden of trying to prove a negative, for example, in needing to prove that cyber-attacker X was not, in fact, intending to protect a computer system when they attempted to access it without permission.

It is also worth pointing out that there are already defences in the Act that apply to cyber-security activity. If a person has the authorisation of the system owner to access the system, no offence is committed. In addition, any decision on prosecution is a matter for independent law enforcement and prosecuting agencies who take into account all relevant facts of the case. We must also ensure that any changes to the Act do not permit or encourage retaliatory cyber-activity, sometimes known as “hack back”. There is a danger that such a defence could embolden so-called hacktivists, or commercial entities who wish to offer such services, if they believe their actions could be protected under the law. The UK does not condone unlawful cyber-attacks of any kind.

Some responses to the call for information set out proposals for a review of sentences, and we have also had suggestions for new powers for law enforcement agencies to take action against criminals online. We are considering them as part of the review, including whether sentencing guidelines are needed to ensure that the harms caused by those committing Computer Misuse Act offences are appropriately considered during sentencing.

The hon. Member for Halifax asked a direct question and yes, state threats in this area are absolutely a prevalent and growing issue. I know she would not expect me to give a commentary on a specific security matter, but I want to reassure her and the House that the Government take extremely seriously the question about state capability in this area.

There is absolutely no doubt that the UK needs a Computer Misuse Act that is fit for purpose and can rise to the challenges of the present day. As colleagues know, the Home Office is engaged in a review that is charged specifically with ensuring exactly that.

The context of the war in Ukraine makes that work more important than ever, as the shadow Minister said quite rightly. I am acutely conscious of that, but we cannot rush this. That would only serve to help our adversaries. We are, therefore, approaching the exercise with the careful consideration that the public would expect and which these sometimes complex issues demand. Through the review, and as part of business as usual, we are listening attentively to law enforcement agencies and National Cyber Security Centre experts on what is most likely to enhance our national cybersecurity. Of course, we are also studying the approaches of other countries.

I thank my hon. Friend the Member for Bridgend for securing the debate, which has been interesting and insightful. I am grateful to have had the opportunity to outline our activity in the space and, as I said at the start of my remarks, I look forward to meeting my hon. Friend and colleagues to discuss it further.