What is the Computer Misuse Act?
If your computer systems are attacked, is the law effective enough to put those criminals behind bars?
With the use and distribution of personal computers exploding over the last few decades, legislators have been keen to establish laws that govern how digitally stored information is protected.
The Computer Misuse Act (CMA) was drafted in 1990, to provide a law to govern the way that individuals can lawfully access data on a computer system. First and foremost, it criminalised any unauthorised access to data and the practice of modifying stored information without the permission of the owner. These laws were informed by the 1978 case of Regina v Gold and Schifreen, which involved two hackers that had used the credentials of a BT engineer to remotely access BT’s Prestel service.
Through a technique called shoulder surfing, they stole the engineer’s login information and used it to access the service. As a show of their success, they subsequently used the service to locate the late Duke of Edinburgh’s email address. BT, which had been monitoring the account, passed details of this suspicious activity to the authorities, and the hackers were convicted under the Forgery and Counterfeiting Act 1981. However, this was overturned on appeal on the grounds that they hadn’t tried to make a profit from accessing the Prestel service.
This event demonstrated there were clear oversights in the law, driven by a total lack of legislation that governed acceptable and unacceptable use of computer systems. Businesses, in particular, craved legal backing given the rising amount of data that was being kept in the digital realm.
This ushered in the Computer Misuse Act 1990, which has since been updated several times to reflect continued changes in technology and cyber security. The most significant update came in 2015, although many now believe the law is out of date, and that in order to address the current threat landscape, new legislation is required.
Computer Misuse Act penalties
There are three penalty levels if you are prosecuted under the CMA, applied in proportion to the severity of the act.
It is illegal under the Computer Misuse Act to gain access to a computer without permission (officially known as "unauthorised access to a computer"). For this, you face a penalty of up to two years in prison and a £5,000 fine.
If you gain access to a computer without permission in order to steal data or take part in another crime, such as using that data to commit fraud, you will be tried under the second penalty level. For this, you face a sentence of up to 10 years in prison, and can receive an unlimited fine. The extent of the punishment depends on the severity of the individual case, and the prosecution has to prove you had intent to commit another crime with the illicit access, which can be difficult.
Thirdly, if you modify the content of a computer or provide the tools so others can do so, for example if you sell ransomware with the intent for others to alter or destroy the contents of a computer, you could face a prison sentence of up to ten years alongside an unlimited fine.
If this potential damage extends to causing harm to human welfare or puts national security at risk, the sentence could be up to life imprisonment.
Computer Misuse Act summary, expansion, and controversy
It goes without saying that in the decades since 1990, the digital landscape has changed beyond recognition. In stark contrast, the CMA has more or less stayed the same, except for the occasional provisions made to it.
This explains why the legislation has been heavily criticised for being outdated. Back in 1990, when the CMA was passed as legislation, access to computers was far from common. If you did have access to one, it was usually through work; websites did not yet exist.
In the modern day, most users juggle devices like smartphones, laptops, and tablets at work and also in their personal lives. Technology permeates the fabric of our lives in a way that was unimaginable to most people in 1990, and the wording of the CMA cannot account for the prevalence of these basic devices.
As technology has developed, so has the threat landscape. In 1990, the methods through which users could cause harm using computers were extremely narrow, and consequently the law had a fairly simplistic interpretation of what constitutes a malicious act. Since 1990, however, computer users have become far more digitally literate, and entire generations have grown up with computers.
Although the increase in new tech skills is a positive sign, it also means there are more hackers than ever before, and cyber crime can be committed in an ever-increasing number of ways. Legislators have been repeatedly forced to tweak the act to adapt to new online threats. For example, updates to the law added definitions for cyber attack methods that criminals could carry out, as well as considering the preparation required to launch an attack as a malicious action in and of itself.
However, these additions have been far from a cure-all, and in many cases have simply complicated the legal landscape that legitimate computer users must navigate. Section 37 of the Police and Justice Act 2006, which inserted section 3A into the CMA, is one example of a provision that has faced criticism for its poorly conceived scope. Section 3A states that making, supplying or obtaining any articles for use in a malicious act using a computer is categorised as criminal activity. Under this legislation, owning any hacking software or exploit tools is a crime, even if you are a ‘white hat’ hacker using them for ethical hacking, or for researching security threats.
In these scenarios, it is illegal to be in possession of the tools needed to do your job, and many in the industry have accused the act of restricting them unduly. If it came to it, a judge would likely be sympathetic to how these tools are being used. But who wants to go to court for doing nothing wrong?
The legislation was additionally amended in 2015, thanks to the Serious Crime Act, which included specific passages on computer misuse and introduced three alterations to the original law. Amendments in Section 3ZA defined unauthorised acts causing serious damage as offences, and brought the EU Directive on Attacks against Information Systems into law in the UK. It also sought to clarify the "savings" provision that protects law enforcement from prosecution for acts performed on computers under powers of inspection or examination.
In a fact sheet, the government stated that the new offence of unauthorised acts causing serious damage "addresses the most serious cyber attacks, for example, those on essential systems controlling power supply, communications, food or fuel distribution". Attacks of this nature are on the rise, with Russia’s invasion of Ukraine bringing an unprecedented level of cyber attacks to the besieged country’s critical national infrastructure (CNI).
Until this provision, the most serious crime covered by the act was the section 3 offence of unauthorised access to impair the operation of a computer, which as previously stated carries a maximum penalty of 10 years. The government argued that this "did not sufficiently reflect the level of personal and economic harm that a major cyber attack on critical systems could cause". Therefore, conviction under the new offence can result in a more severe prison sentence, of up to 14 years.
Changes made regarding the EU Directive on Attacks against Information Systems extended extraterritorial jurisdiction, increasing the ease with which cyber criminals using the UK as a base of operations can be prosecuted. It applies even if they are not physically located within the UK, and also allows the police and Crown Prosecution Service (CPS) to pursue and prosecute UK residents for cyber crimes committed overseas.
The provision relating to protection for law enforcement accessing computers in the act of investigation caused much controversy. The government argued that the changes were made "to remove any ambiguity for the lawful use of powers to investigate crime (for example under Part 3 of the Police Act 1997) and the interaction of those powers with the offences in the 1990 Act".
"The changes do not extend law enforcement agencies' powers but merely clarify the use of existing powers (derived from other enactments, wherever exercised) in the context of the offences in the 1990 Act," it added.
However, civil rights groups including Privacy International have argued that the changes are far too broad, and that complete legal exemption for police and spy agencies such as MI5 is excessive and unwarranted. Privacy International raised these concerns in a case brought before the European Court of Human Rights along with five other complainants.
Is the Computer Misuse Act fit for purpose?
Recent years have seen repeated calls to reform or scrap the CMA, with many security researchers and law enforcement professionals citing its inability to cope with the complexities of modern-day computing.
Many will emphasise the act’s poor record for supporting criminal investigations, with less than 1% of computer hacking offences investigated in the UK in 2019 resulting in prosecution. However, much of the criticism falls on the limitations imposed by the act’s definitions, and its inability to distinguish between criminal and ethical hacking.
The definition of ‘computer’ is outdated
Perhaps the most obvious criticism is that the act reflects a time when “computer” mainly meant a desktop PC. In this regard, it fails to account for much of the innovation of the 21st century, putting it well out of step with the state of the modern world.
“The Computer Misuse Act 1990 contains several issues that apply subjectivity when objectivity should be the test,” argues Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre. “The term “computer” isn’t defined and the contemporary definition of “computer” has likely shifted in the intervening thirty years.”
This lack of clear definition creates a “grey area”, adds Mackey, where prosecutors are forced to apply the act based on subjective interpretation, rather than objective information.
“This can lead to interesting scenarios which would question whether a smartphone, nanny-cam, WiFi-connected dishwasher or CCTV system are in fact computers – despite the reality that each of these devices often runs a general-purpose operating system, is connected to a network, and runs software at the behest of its user.”
The understanding of cyber crime is outdated
Another area that most seem to agree on is that the cyber crime landscape has evolved beyond the scope of the CMA.
“The types of crime the Act was originally designed to fight are actually decreasing – but new threats are emerging seemingly every month,” says Peter Yapp, Partner at law firm Schillings and former deputy director of the UK’s National Cyber Security Centre (NCSC). “For example, hacking for extortion has nearly doubled over the past year while virus/malware reports have dropped. This underlines one of the main shortfalls of the Act – the evolution of using computers to commit fraud to the computer becoming the main conduit for fraud.”
The subjective interpretation of the act ultimately drives a wedge between the legal system and security researchers, and some have argued that judges often appear to misunderstand the wider issues facing the industry.
“In essence, the Act isn’t working for cyber security practitioners, law enforcement officers, the Crown Prosecution Office and the Courts,” adds Yapp. “Even more worryingly, judges don’t seem to understand the issues. For example, Southwark Crown Court is supposedly a specialist fraud centre that deals with the majority of the serious and major fraud cases in England and Wales, but its level of understanding around computer crime isn’t sufficient to facilitate any significant number of successful prosecutions. The police have dedicated many more resources to this area over the past five years, but until every police officer understands cybercrime, we will be playing catch up.”
Richard Millett, training development manager at Firebrand Training and regular cyber security advisor for police forces across the UK, explains that many cyber crime cases are instead tried under other legislation, such as fraud and theft, not only because of a lack of definitions but also because it allows stricter penalties to be issued.
“If you look at the tariffs for the various sections under the [Computer Misuse] act you see that the penalties defined do not match the severity of some of the offences that have been committed,” says Millett. “It is only when you look at section 3za which covers “causing or creating risk of serious damage” do you see tariffs of “imprisonment for life”. The financial and economic damage that has been inflicted by some individuals is not reflected in the penalties that have been applied, running into millions in many cases.”
Ethical hacking is technically illegal under the act
The greatest challenge facing cyber security researchers trying to operate within the scope of the act is its failure to distinguish between criminal and ethical hacking.
As Rob Shooter, managing partner of law firm Fieldfisher explained to IT Pro, many in the industry assert that the hacking offences under the CMA are too “broad brush”, leaving cyber security researchers with little legal room to perform ethical hacking against cyber criminals.
The act defines non-consensual access to a computer system as a crime, regardless of the intent behind the action or the benefits that may result from it. Technically, this means that activities researchers perform to analyse potential threats, such as scanning, file interrogation, or probing compromised systems, are illegal unless consent has been given by both the victim and the perpetrator of the crime.
“As an example, there are a multitude of US-based companies offering vulnerability scanning services of the extended supply chain, whereas there are few, if any, UK companies offering the same service,” explains Yapp.
Although this technicality may limit the actions of ethical hacking or may leave some wary about potential prosecution, Yapp adds that he is unaware of any cases involving UK researchers being sanctioned by law enforcement as a direct result of their work.