Why the UK's "outdated" cybersecurity legislation needs an urgent refresh

Parliamentarians from both sides of the aisle have called on the government to modernize the UK’s “outdated” cybersecurity laws to secure the country from growing digital threats.

The coalition, led by Lord Holmes of Richmond, said it wants to fix areas of the 1990 Computer Misuse Act (CMA), stating the legislation is not fit to govern the modern internet.

The CMA was drawn up to control dangerous or malicious misuse of computer systems and data. As the bill was created before the modern internet, the coalition argued that it fails to account for the challenges UK security practitioners are currently facing.

In particular, the bipartisan group said the CMA inadvertently criminalizes a very wide range of legitimate digital activities that it argues are crucial for safeguarding the country’s critical national infrastructure, businesses, and citizens.

The cross-party group has proposed a statutory defense for security practitioners who can demonstrate either a reasonable belief that the organization in charge of the system would have consented to their work, or that work was necessary to catch malicious activity.

The push will seek to make “key amendments” to the Data (Access and Use) Bill which are expected to be debated in the House of Lords Grand Committee on 18 December.

The CyberUp Campaign, a UK initiative pushing for refreshing the UK’s cyber laws, argued that the changes proposed by Lord Holmes et al are vital to enable security researchers to play a more central role in protecting digital systems and sensitive data in the UK.

Rob Dartnall, CEO at UK-based threat intelligence provider SecAlliance and representative of the CyberUp Campaign, said the campaign welcomed the recent developments, stating legitimate cybersecurity researchers face unique challenges in the UK as a result of the “outdated” legislation.

“We are delighted to see an amendment tabled that could bring the Computer Misuse Act into the 21st century by introducing a statutory defence. Updating this Act would represent a landmark moment for UK cyber security legislation, which is outdated when compared to the cyber threat landscape we face,” he said.

“The UK’s outdated cyber laws are preventing our cyber security professionals from defending organisations effectively. In no other sector do security professionals face risks of breaking the law for simply doing their jobs. Campaign research shows that nearly two-thirds of cyber professionals say the CMA hinders their ability to safeguard the UK—an untenable situation as cyber threats grow.”

Dartnall added that this action has been sorely needed in light of the growing cyber threats facing the country, arguing that giving security practitioners the freedom to do more to help protect the country is essential.

“ The last two years have seen unprecedented levels of critical vulnerabilities, ransomware breaches and third party system breaches, all of which have had a massive effect on people’s data privacy and the UK’s economy,” he explained.

“By introducing a statutory defence, the UK could protect legitimate cybersecurity professionals, strengthen its cyber defences, and reinforce its place as a cybersecurity leader.

"It is time we updated the law to fit with the digital age. With support from across parliament, we believe this amendment could be a catalyst for a change that would better protect the country.”