Motion made, and Question proposed, That this House do now adjourn.—(Joy Morrissey.)
Before I begin, I draw Members’ attention to my entry in the Register of Members’ Financial Interests, and in particular to my stakeholding in a firm that has historically offered digital forensic services, but which I understand does not currently and does not plan to offer such services for the next five years.
I am grateful for having secured this debate in order to highlight the importance of the Government’s recent commitment to implementing the recommendations in Sir Patrick Vallance’s pro-innovation regulation of technologies review, which included the introduction of a statutory public interest defence to the Computer Misuse Act 1990. I also thank the CyberUp Campaign, which has worked closely with me and other colleagues to champion the reform to the outdated CMA.
I am certain that the Minister will be aware that I previously stressed the reasons as to why we urgently need to reform the CMA in a Westminster Hall debate almost a year ago. In that debate, I argued, alongside insightful contributions from other hon. Members, that the 33-year-old Act needs further reform to bring our cyber-security capabilities into the 21st century.
The primary issue with the CMA, as it is currently written, is that British cyber-security professionals are at risk of being taken to court for obtaining actionable intelligence. Such is the scale of this concern that a report by the CyberUp Campaign and techUK found that four out of five cyber-security professionals worry about breaking the law when conducting essential research in good faith. Currently, the only protections in the Act, beyond a few cases where a warrant is obtained, are extendable only to actions undertaken with explicit authorisation. Consequently, reform should include a legal mechanism and clarify legal ambiguities in order to put professionals at ease.
In 2022, the methods used by cyber criminals and cyber-security professionals are often very similar—sometimes the same. Individuals who work in cyber-security are frequently required to perform actions for which explicit authorisation is difficult, if not impossible, to obtain. Legitimate instances of unauthorised access include gathering proportionate threat intelligence; responsible vulnerability research and disclosure; active scanning; enumeration; use of open directory listings; identification; and, of course, honeypots.
Currently, we find ourselves in a perverse situation where industry specialists who are acting in the public interest—often dealing with issues that are critical to our national security infrastructure—are at risk of being designated a criminal. ENISA, the European cyber-security agency, notes that the threat of prosecution can have a “chilling effect” on cyber researchers which “adversely affects security”. The upshot of this is that we are dissuading vital research from being conducted at a time when countries such as Russia and China are increasingly deploying hostile technologies against us and our allies.
I commend the hon. Gentleman for securing this debate. Does he not agree that the balance must be found to allow for new research and development while ensuring that there is protection in place, not simply in an individual setting, but in terms of security for our nation from cyber warfare? That is a delicate balance to find, as he has said. With the growing reputation of Belfast as a cyber-security hub, we should, with any legislation, be regulating and encouraging development in British-controlled companies in the safest way possible in the future.
Yes, I agree wholeheartedly with the hon. Gentleman. I think that I go on to elaborate exactly how we might be able to do that.
We are now almost two years on from when the former Home Secretary announced a review of the CMA. In those two years, the technological landscape has only further drastically altered with heightened cyber-security risks becoming endemic to an increasingly uncertain geopolitical world. Recent Government announcements surrounding TikTok only serve to prove this point.
In the case of TikTok, Government cyber-security experts have conducted a thorough review of evidence since November and have uncovered a potential risk in the way sensitive Government data is accessed. This conclusion has been corroborated by the United States, Canada and the European Union. The review highlights TikTok’s data collection methods, which include the collection of user contact lists, accessing of calendars, scanning of hard drives, including external ones, and hourly geolocation of devices.
With this in mind, to protect against the increasing cyber threats in the UK and to combat online fraud, it is imperative to safeguard vulnerability and threat intelligence research related to defensive measures. The Office for National Statistics reported a concerning 77% rise in cyber threats in 2022, while online fraud increased by a third over the past two years. According to the Department for Digital, Culture, Media and Sport’s data breaches survey in July 2022, 39% of companies had experienced a cyber-attack or data breach in the prior 12 months. In order to address these concerns, researchers play a vital role in identifying product and service vulnerabilities, working with manufacturers and vendors to fix them, detecting cyber-attacks, and gaining insight into attackers and victims. By doing so, they can decrease the impact of incidents and use horizon scanning to prevent future ones. The UK Government’s National Cyber Strategy recognises the crucial nature of this work and is committed to building valuable and trusted relationships with security researchers to reduce vulnerabilities. Thus, reforming the CMA will be a significant step in developing co-operation with professionals.
The introduction of a statutory defence is not only essential for giving UK security professionals legal protections and peace of mind when responding to the increasing number of cyber threats, but will help to encourage innovation and influence the evolution of international regulatory frameworks to give us an economic advantage over our competitors. As the Chancellor clearly enunciated in his spring Budget statement, we must be on the front foot in shaping the evolution of regulation and standards in this key growth sector.
In his review, Sir Patrick agreed with me that
“amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals...would have a catalytic effect on innovation in a sector with considerable growth potential.”
Such a defence would allow our technology professionals to compete on a level playing field with their counterparts in Israel, France and the United States who are already protected in statute.
As things stand, our digital economy is being held back by a law that came into existence when less than half a per cent of the population used the internet. Cyber-security industries in the UK now employ more than 52,000 people across 1,800 firms and a survey of such firms representing more than half of the sector found that, on average, respondents expected a 20% increase in revenue as a result of reforming the CMA.
CMA reform is expected to bring benefits to the entire digital sector and wider economy. According to a recent report by the Audiovisual Anti-Piracy Alliance, copyright-infringing internet protocol television providers in Europe generated more than £1.4 billion of unlawful revenue in 2021, causing significant damage to the UK film and television industry. CMA reform would allow cyber-security professionals to efficiently take down such illegal streaming platforms, providing yet another example of the economic advantages of this initiative. MakeUK also found that half of manufacturing businesses in the country had experienced cybercrime in the year to May 2021, with 63% saying they had lost at least £5,000 and 6% that they had lost over £100,000.
Recognising the importance of modernising cyber-security laws to foster growth, system owners such as internet service providers understand the need to support such regulations. Zen Internet, for instance, acknowledges its responsibility for maintaining cyber-security functions as an ISP. However, the current legislation poses limitations for security service providers that aim to ensure the safety of their staff, customers, and suppliers.
During the Westminster Hall debate that I secured on the CMA, the former Minister for Security and Borders, my right hon. Friend the Member for East Hampshire (Damian Hinds), suggested that,
“we cannot put in place measures that would act as a mechanism for criminals and state actors to hide behind”. —[Official Report, 19 April 2022; Vol. 712, c. 19WH.]
I completely agree with that sentiment. However, having liaised with industry experts, I know that it is possible to give the reassurances that professionals want without necessarily legalising what is obviously criminal activity. In order to ensure that there are appropriate safeguards so that any new legislation does not inadvertently create a legal loophole to be abused by bad actors, I recommend engaging with stakeholders such as CyberUp to implement a relevant defence framework.
Legal safeguards for good faith cyber-security activities could be established through a defence framework that would provide a set of principles for the courts to assess the validity of actions. Those principles would cover factors such as the harm-benefit balance, proportionality, intent and competence of the actor. The Belgian approach offers examples of such safeguards, which apply to activities meeting specific criteria, while identifying unacceptable activities such as distributed denial of service attacks, password thefts, or hack backs that disrupt or damage the targeted systems.
From Charles Babbage and Ada Lovelace to Alan Turing and Tim Berners-Lee, as a nation we have a proud history of innovation in this area. With the Chancellor confirming in the Budget that all nine of Sir Patrick Vallance’s digital technology pro-growth recommendations will be implemented, I know that this Conservative Government share my ambition to ensure that the UK cyber-security and digital sectors remain world leading.
To that end I am keen, along with cyber-security researchers up and down the country, to understand the timeline and process for the Home Office, working with His Majesty’s Treasury, to introduce a statutory defence to the CMA. The sooner a well-considered defence is added to the CMA, the sooner we can unlock the great potential that such changes would entail for the economy. I hope the Minister will be able to provide some clarity on that point today.
I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing this debate and for his continued interest in this issue. This is not the first time he has raised it with me—in fact, the first time he raised it with me was many years ago—but it is perhaps the first time that I may be able to assist.
In my role as Security Minister, I see evidence every day of the scale of the threat from cyber-crime that affects our citizens, businesses and Government services. There were an estimated 690,000 incidents of computer misuse in England and Wales in the year to September 2022, of which 577,000 were related to unauthorised access to personal information. I have seen the effects of criminals targeting businesses and individuals online—the businesses that suffer financial losses because of ransomware attack and their inability to carry on their businesses, and the individuals who lose personal information, including highly personal information, and can suffer harassment and blackmail because of it.
It is because of such criminal activity that protecting the country in cyber-space is such a key priority for the Government. It is essential that we ensure the UK has the powers and legislation to allow our law enforcement agencies to take action to tackle this threat. The Computer Misuse Act dates from 1990, before almost anybody had an email address—certainly before I did. Today, we could not only research the law online, but one of the large language model artificial intelligences we now see frequently used online could actually draft large parts of it too.
That is why this Government have launched a call for information, asking for different views on whether the 1990 Act and the powers used by law enforcement agencies to investigate the offences in that Act need to be enhanced.
In February, we launched a consultation in which we set out proposals for new powers for law enforcement agencies to improve their ability to take action to tackle crime online. Those proposals include a power to allow law enforcement agencies to take control of domains and internet protocol addresses to help tackle a wide range of offences, including fraud; a power to require the preservation of computer data; and a power to take action against a person possessing or using data obtained by another person through a CMA offence. In the consultation, we committed to further considering the question raised by my hon. Friend of whether the Act needs to be amended to provide defences to CMA offences.
As the Government set out in our response to the pro-innovation regulation of technologies review by Sir Patrick Vallance, the Home Office is taking forward work to consider the merits and risks of introducing changes to the Act in relation to the defences. That is a complex issue that requires significant further discussion with a wide range of stakeholders. The Computer Misuse Act is based fundamentally on the principle that the owner of the system is responsible for the operation of the system and its data, and bears the cost in securing it. It is right that they have the protection of the law from those who obtain or attempt to obtain unauthorised access to computers and their data.
It is important that we consult those who actually own the systems for their views on that. In particular, we need to ensure that any changes that we make to the Act support the continued improvement to the UK’s cyber-security while ensuring that system owners continue to have the right to determine who may access their systems and data. That in itself feeds into the growth agenda. System owners need to know that the Government take unauthorised access to their systems seriously and will support them in tackling those who attempt to commit such offences.
Let me be clear about some of the issues that we need to address in relation to introducing defences. The proposals would potentially allow a defence for the unauthorised access by a person to another person’s property—in this case, their computer systems and data—without their knowledge or consent. We will therefore need to define what constitutes legitimate cyber-security activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum.
We will also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. Of course, we must make no changes that would prevent law enforcement agencies from investigating, prosecuting and pursuing those who commit cyber-crimes. I am sure Members would agree that, in the light of those issues, any changes must be considered very carefully indeed.
As we set out in the consultation, we have committed to working with law enforcement agencies, prosecutors, the cyber-security industry and system owners to consider proposals and reach a consensus on the best way forward. That work is under way, and the Government would welcome any contributions from those with an interest in this area.
Question put and agreed to.