The shadow foreign secretary for the UK’s opposition Labour Party, David Lammy MP, has asked in an open letter to government why the reform of the Computer Misuse Act appears to have stalled.
The letter, published on the Labour Party website, takes the ruling Conservative Party’s ministers to task over what Labour sees as a range of failures to act on various Russia-linked topics.
One of those is the Computer Misuse Act (CMA), which Home Secretary Priti Patel pledged to reform in a major speech last year. Yet Lammy and his colleague Rachel Reeves MP, Labour’s shadow chancellor, asked in their letter: “Where is the replacement to the outdated Computer Misuse Act, as recommended by the Russia Report?”
While Labour was referring to Parliament’s Intelligence and Security Committee report of July 2020, calls for CMA reform from the British cybersecurity industry pre-date that.
Political attention to CMA reform has generally been absent. Although Lord Holmes of Richmond lent his weight to the industry’s CyberUp campaign in early 2021, other politicians have largely ignored what is admittedly a niche issue when viewed against other challenges that Britain faces. Even though Labour raising CMA reform publicly is part of a political swipe at ministers rather than genuine agreement that change is long overdue, any public mention of it is likely to be good rather than bad.
Around 80 per cent of infosec professionals surveyed by CyberUp in 2020 said they feared prosecution under the CMA for making a bad judgment call, though prosecution statistics show the odds of being taken to court under the act are vanishingly low.
Other industry sources from outside the big companies have told The Register they fear CMA reform may be a government excuse to increase the number of criminal offences under the act instead of enacting genuine change that protects security researchers and puts them on a level footing with their foreign counterparts.
Currently the act bans any unauthorised access to data held on a computer – even data that may have been stolen by ransomware criminals, for example. Proposals for reform include public interest defences and amendments aimed at narrowing existing offences.
So far the government has published nothing concrete about CMA reform other than vague promises that it’s being looked at. With the next general election due in May 2024, a policy with broad support across the political spectrum might not emerge until then.
A Home Office spokesperson told The Reg: “As the cyber threat evolves it is right we do too. That’s why last May, the Home Secretary announced a review of the Computer Misuse Act to challenge those who unlawfully access computer systems.
“The Call for Information has now closed and we are reviewing the proposals made. We will update Parliament in due course.” ®