Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)

- Hansard -

Copy Link

-

It is a pleasure to see you in the Chair, Sir Mark. We do not always have such a knowledgeable Chair in relation to such technical matters.

Stuart C. McDonald

- Hansard -

Copy Link

-

Indeed.

I thank the hon. Member for Bridgend (Dr Wallis) for securing the debate and for his expert introduction of the topic. He rightly highlighted events in Ukraine, and, indeed, today’s reports of attacks on No. 10 as providing a stark backdrop to this discussion. He and all hon. Members made a strong case for revisiting and revising the 1990 Act.

The point I agree with most fundamentally was made by the hon. Member for Wycombe (Mr Baker), who highlighted the complexity of these issues. I feel rather underqualified at the moment, particularly given the CVs on display today. Nevertheless, I approach this topic with an open mind and am open to persuasion by the experts. I welcome the Home Office’s call for information last year. The recent cyber strategy hints at this legislation being looked at again. If the Government proceed with reforms, the Minister will have our support and we will play as constructive a part as we can to ensure that they are the right ones.

As we heard, the 1990 Act was pretty much rushed into effect via a private Member’s Bill when it seemed to be established that hacking—shoulder surfing in one particular case—was not against the law. Obviously, that had to change, so the legislation put criminal offences on the statute book for unauthorised access, unauthorised access with intent to commit other crimes and unauthorised modification of computer material, but things have changed significantly since then. The hon. Member for Bridgend said he was a toddler back when the legislation was passed. I certainly was not; I would have been sitting, as a teenager, with my BBC Micro computer taking 20 minutes to load “Football Manager”. He is right to point out that, back then, a tiny percentage of the population had access to computers. The internet was something for the future. Technology has changed in unbelievable ways, with computer use now absolutely ubiquitous. People are also using a large number of smart internet-connected devices. That all radically alters the threat landscape from when the legislation came into force.

As the Act explicitly mentions computers and not other internet of things devices that can connect to the internet and be hacked, things such as smart fridges or nanny cams must be argued to be computers to fall under scope of the legislation. We had reference to the submission by the NCA to the House of Commons Russia inquiry, highlighting the widespread use of mobile phones as a reason for urgently updating and reforming the CMA. The legislation does not appear to be effective: one report I read recently suggested that less than 1% of reports of hacking led to prosecutions. There are issues about whether it even works in bringing criminals into the court system for justice.

It is right to acknowledge that it is not the case that the Act has not been updated at all. Changes have been made: punishments have increased and, significantly, the offences of impairing the use of a computer and provision of articles to facilitate misuse have been added. The Government have also started to address the problem of securing smart devices through the Product Security and Telecoms Infrastructure Bill 2022, but revisiting and broadening the scope of the CMA would improve on that and complete the move to address the internet of things security dilemma.

Perhaps a more pressing issue, which Members have rightly focused on, is that the Act does not attempt to differentiate between the motives of hackers: malign cyber criminals who intend to exploit or harm other users or their systems are treated the same as those identifying weaknesses and flagging them up for altruistic reasons. Often, ethical hackers test a company’s systems accurately by using the tools that hackers themselves would use. Those concerns have led to the CyberUp campaign and the idea of a statute of defence to protect cyber researchers identifying vulnerabilities in computer systems and company networks not to exploit them but to help fix them. I pay tribute to that campaign for helping me try to understand what this is about.

As the hon. Member for Barrow and Furness (Simon Fell) put it, all this is holding us back. While US IT security companies can offer whole-of-supply-chain vulnerability scanning to identify weaknesses that could compromise systems, UK companies cannot offer those services for fear of prosecution under the CMA. He pointed out that that has a knock-on effect on our ability to grow our expertise and talent base. If those working legitimately to uncover vulnerabilities or using hacking tools to simulate attacks are left at risk of prosecution for doing their jobs, that leaves companies, organisations and our key infrastructure more vulnerable to attack.

Adding a defence to the Act seems a sensible way to proceed. I accept that the scope of any such defence has to be judged carefully. This is not a straightforward. The hon. Member for Boston and Skegness (Matt Warman) was right to raise the difficulties. While a defence should protect those engaging in legitimate vulnerability scanning or ethical hacking, the defence must be defined in a way that does not encourage vigilante activity or any sort of free-for-all. He suggested as an alternative the idea of using guidance. I must say that, as a lawyer, I slightly shy away from using guidance when the alternative is to put something on the face of a Bill; from a rule of law perspective, that is always more desirable but, again, it is something that I am open to persuasion on.

All these concerns have been recognised by the CyberUp campaign through inclusion in its proposals for various tests, including a competency element, to ensure that only a person engaged in activities covered by the Act who is competent to do so and who has good intent is protected. While it is complicated, I believe that it can be done and should be done.

I finish by again welcoming the debate and the chance to put on record our support for reviewing, revising and updating the 1990 legislation. As I said, we will work constructively on any proposals to do that.