A coalition of cybersecurity businesses and professionals in the U.K. wrote a letter to the Prime Minister Boris Johnson urging him to reform the Computer Misuse Act 1990 (CMA). The coalition includes major cybersecurity firms like NCC Group, F-secure, McAfee, and Trend Micro, international accreditation body CREST, and several leading lawyers in the field came together to urge the Prime Minister for cybersecurity law reforms.
What is the Computer Misuse Act?
The Computer Misuse Act (CMA) 1990 came into effect 30 years ago to prevent computer hacking before the emergence of the internet and the concept of cybersecurity. Industry experts stated that Section 1 of the CMA prevents unauthorized access to computers and unintentionally criminalizes cybersecurity researchers and their investigations.
Letter to Prime Minister
The letter published by CyberUp, a campaign working towards cybersecurity reforms in the U.K., stated that the outdated CMA prevents security researchers from finding out malicious activities.
“In 1990, when the CMA became law, only 0.5% of the U.K. population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist. Now, 30 years on, the CMA is the central regime governing cybercrime in the U.K. despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber defense practices. In particular, Section 1 of the Act prohibits the unauthorized access to any program or data held in any computer and has not kept pace with advances in technology,” the letter stated.
“With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorize such access,” the letter added.
Earlier, a joint research by Criminal Law Reform Now Network (CLRNN), scholars from Birmingham and Cambridge universities stated that the U.K.’s CMA needs an update, as it has jeopardized the country’s cybersecurity. The research report, “Reforming the Computer Misuse Act” revealed how the CMA is preventing security professionals from performing threat intelligence researches. It also stated that the Act restricts journalists and scholars from researching potential cyberthreats.