Campaigners urge Johnson to reform Computer Misuse Act to make it fit for modern digital era

The law currently hinders cyber security research in Britain, campaigners argue in an open letter to the PM

On the 30th anniversary of the Computer Misuse Act (CMA), members of the CyberUp Campaign have written a letter to Prime Minister Boris Johnson, urging him to revise the elderly act to make it fit for the digital age.

CyberUp, which was founded last year, is a coalition of cyber security companies including Orpheus Cyber, NCC Group, Nettitude and Context Information Security.

Signatories to the letter include several prominent names, among them Julian David, CEO, techUK; Raj Samani, McAfee Fellow/Chief Scientist, McAfee; Rik Ferguson, Vice President Security Research; international accreditation body CREST and others.

The UK's CMA came into effect in 1990 after journalists Steve Gold (one of SC's founders) and Robert Schifreen hacked into Prince Philip's Prestel account in 1985. In that case, the judge ruled that the accused were guilty, but that they could not be punished because they had not violated any existing law. The court then advised the government to bring in a new law to deter hackers.

According to the CyberUp Campaign, the main issue with the current CMA is that it criminalises any "unauthorised access" to a computer, under Section 1 of the law, and therefore it is no longer fit to defend the state of cyber security in the country.

"In 1990, when the CMA became law, only 0.5 per cent of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist," the letter to the Prime Minister reads.

"Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalises a large proportion of modern cyber-defence practices."

According to CyberUp, the CMA's broad wording doesn't clearly define what is legal and what is illegal in the fast-moving world of information security. Moreover, in its current form, the law is hindering a large proportion of the cyber security research that professionals need to conduct to defend against evolving threats from state-sponsored threat actors or organised criminals.

CyberUp also argues that far more permissive regimes exist in other countries, such as the US and France, providing legal certainty to cyber security researchers while retaining the ability to punish the cyber criminals who try to abuse the system.

The campaign group warns that further delay in CMA reform could see "the UK lose out on as many as 4,000 additional high-skilled jobs by 2023."