Abstract
A group of cyber security organisations, working under the banner of the CyberUp Campaign, are calling on the UK Government to revise the Computer Misuse Act (CMA), which they say is no longer fit for purpose.
In an open letter to Prime Minister Boris Johnson, the group said: “In 1990, when the CMA became law, only 0.5% of the UK population used the Internet, and the concept of cyber security and threat intelligence research did not yet exist. Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalises a large proportion of modern cyber-defence practices.”
Citing the Covid-19 pandemic as an example of how modern society is dependent on digital technologies, the letter continued: “The Government has committed to investing in the UK's digital and technology credentials and, as we move beyond the pandemic, we are calling on the Government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber-defenders the tools they need to keep Britain safe.”
Anton Grashion, an EMEA director at Corelight, commented: “The security community is right to question whether or not the CMA is the appropriate legislation to keep consumers and organisations safe in 2020. Not only has the threat landscape developed well beyond the scope envisioned in 1990, but the activity of threat hunting on behalf of security vendors or departments has also become significantly more pronounced. In the digitally accelerated world in which we exist, new legislative measures need to be taken to account for our hugely connected world. The explosion in hybrid working since Covid-19 serves to prove just how reliant the global economy is on secure working practices, and it is up to the Government to catch up to this.”
The CyberUp Campaign includes NCC Group, Digital Shadows, McAfee and Trend Micro, industry trade bodies techUK and CREST, plus a number of lawyers, academics and researchers specialising in cyber security.
One of the problems with the CMA, the group says, is that it makes it an offence to carry out any unauthorised access to computer systems, which can catch out security researchers and other professionals whose actions are not malicious.
“Digital transformation in the past 30 years has made the world almost unrecognisable, has changed the way in which organisations conduct their business and has revolutionised our way of life,” said Tarik Saleh, senior security engineer at DomainTools. “But cyber criminals' tools and techniques have evolved, too, so it is important for governments to modify their regulations to facilitate the job of defenders. If the UK decides to review the Computer Misuse Act, the best way to go about doing that without introducing loopholes will be to consult with the cyber security and threat intelligence community. This will also ensure that any changes to the legislation will account for the transformations that the digital landscape will undergo in the coming years.”
There's more information here: www.cyberupcampaign.com/about.