The CyberUp Campaign, a group calling for urgent reform to the Computer Misuse Act (CMA) 1990, has launched a fresh consultation inviting security professionals and researchers to take part in a wide-ranging survey seeking views on the 34-year-old law’s impact on their work.
CyberUp argues that the CMA is risibly out of date – it was written only months after Tim Berners-Lee first proposed the concept of the worldwide web – and that the wording of key clauses relating to unauthorised access to computer systems risks criminalising legitimate security professionals and ethical hackers trying to defend organisations. To do so, they say, potentially risks prosecution.
The campaigners first came together in early 2020, on the eve of the Covid-19 pandemic, to call on Boris Johnson, as prime minister, to address their concerns, and by May 2021 their work had secured commitments from the then home secretary Priti Patel to begin a consultation on the issue.
However, this process stalled and became lost in the political melee, and by 2023, with Johnson and his successor Liz Truss consigned to history, the campaign had advanced no further in its aims. Another consultation did take place in 2023 and was widely welcomed, but little ultimately came of it.
The campaigners said that in opening a new study, they hoped the new Labour government would listen to clear, up-to-date and indisputable evidence to change the law.
“This is a pivotal moment for the cyber security industry. The new government has just introduced a very welcome Cyber Security and Resilience Bill in the King’s Speech – the first time ever that ‘cyber’ has been mentioned in any primary legislation – which presents an opportune moment for a legislative update to the CMA in the near future,” they said.
This is an excellent opportunity to capitalise on the legislative momentum the campaign and the wider sector have generated over several years to update the Computer Misuse Act CyberUp campaigners
“Launching the survey now enables the campaign to demonstrate the potentially restrictive impact of outdated cyber crime legislation on the growth and investment of the UK’s cyber security sector, as well as its effect on cyber defensive activities conducted domestically.”
The survey should take about 10 minutes to complete and the campaigners have said that due to the sensitive nature of responses they may receive, all information contained in the final cut will be fully anonymised.
“This is an excellent opportunity to capitalise on the legislative momentum the campaign and the wider sector have generated over several years to update the Computer Misuse Act,” they said.
What do cyber pros really think?
The CyberUp campaigners include representatives from leading cyber firms, including WithSecure, McAfee, NCC Group and Trend Micro, and the campaign is backed by security accreditation body Crest and trade association TechUK.
Previous studies conducted by the group have revealed broad consensus across the industry that reform is needed.
Last time such an exercise was conducted in 2023, security professionals spoke of the “chilling” effect of the CMA on Britain’s cyber defenders, with 60% believing it acted as a barrier to working effectively and 80% claiming it put the UK at a competitive disadvantage on the world stage.
CyberUp estimates that out of nearly 2,000 active cyber security firms in the UK, almost 600 have experienced an economic loss due to not being able to work effectively, which the campaign says risks £3bn of the £10.5bn annual sales made by the sector.
Additionally, it believes more than 16,800 security professionals have left the UK over the years to work in countries with more permissive laws.
With a fit-for-purpose regime that allows legitimate cyber security defensive and research work, while still ensuring malicious threat activity is appropriately sanctioned, the cyber resilience benefits delivered for the UK could be three times as great as they currently are, said the campaigners.