The law governing cybercrime in the UK, which came into effect 30 years ago, is now ‘unfit for purpose’, it’s claimed. Cyber security consultancies such as NCC Group and F-Secure, the trade body techUK, cyber security software developers McAfee and Trend Micro, international accreditation body CREST, the think-tank Demos, and lawyers and academics in the field, have written to Prime Minister Boris Johnson, urging him to bring forward reforms to the Computer Misuse Act (CMA) exactly thirty years after the law gained Royal Assent.
The Computer Misuse Act 1990 was written to prevent computer hacking before there was such a thing as cyber security, and when use of the internet was limited to less than one per cent of the UK population. As the letter points out, the 1990 Act now deters a large proportion of the research that cyber security professionals can carry out to assess and defend against emerging threats posed by organised criminals and geo-political actors.
In the UK, the public and private sectors work together to defend the country in cyberspace. But, with less threat intelligence research being carried out, the UK’s critical national infrastructure is left at an increased risk of cyber attack. The signatories to the letter stress the urgency of the issue, highlighting the nation’s heightened reliance on secure and resilient digital technologies, particularly in light of the coronavirus lockdown. The letter points to other countries which have more permissive regimes – like France and the US – and warns of the extent to which Britain has fallen behind internationally.
The letter was co-ordinated by the CyberUp Campaign, a group of cyber bodies pushing for an update of the Computer Misuse Act to make it fit for the digital age. The campaigners are calling for reforms to the Act which would, amongst other things, allow the law to take account of the motivations of ethical cyber security people, enabling them to operate free from the fear of prosecution that restrains them.
Tarik Saleh, senior security engineer at DomainTools, said: “As technology evolves, it is only natural to expect the legislation around it to be updated as well. Digital transformation in the past 30 years has made the world almost unrecognisable, has changed the way in which organisations conduct their business and has revolutionised our way of life. But cybercriminals’ tools and techniques have evolved, too, so it is important for governments to modify their regulations to facilitate the job of defenders. If the UK decides to review the Computer Misuse Act, the best way to go about doing that without introducing loopholes will be to consult with the cybersecurity and threat intelligence community. This will also ensure that any changes to the legislation will account for the transformations that the digital landscape will undergo in the coming years.”
And Keith Glancey, Systems Engineering Manager, Western Europe at the network security company Infoblox, said: “Security companies use threat feeds to analyse potential threats, but with current restrictions we are flying partially blind. In today’s current work from home environment, it is imperative that we push security out to the edge of the network and protect end-user devices. If the current restrictions were to be lifted on analysing threats from ‘controlled’ devices, then this would almost certainly increase the quality and richness of the threat feeds and help in the fight against cyber-criminals.”