An open letter has been sent to UK Prime Minister Boris Johnson, asking for an update to the Computer Misuse Act (CMA) as it marks its 30th anniversary of reaching royal assent..
Coordinated by the CyberUp Campaign, a group of cybersecurity organizations are pushing for an update of the Computer Misuse Act to make it fit for the digital age.
“In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist,” the letter read. “Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”
The letter cited the COVID-19 pandemic, stating that this demonstrates “how reliant modern society is on secure and effective digital technologies.”
It claimed: “The government has committed to investing in the UK’s digital and technology credentials and, as we move beyond the pandemic, we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber-defenders the tools they need to keep Britain safe.”
In the past few years, efforts have been made to bring the CMA up-to-date, with NCC Group admitting that a lot of the work it does “is hampered by the CMA” and with a reform, it wants to make a change so as to make vital threat intelligence commercially and ethically easier.
The CyberUp Campaign includes NCC Group, alongside representatives from vendors Digital Shadows, McAfee and Trend Micro, industry trade bodies techUK and CREST, and a number of prominent lawyers, academics and researchers in the field of cybersecurity.
In an email to Infosecurity, Robert Schifreen, who was one of the two people initially charged with accessing the Duke of Edinburgh’s personal message box after gaining access to BT’s Prestel interactive viewdata service, agreed that the CMA “could do with a polish.” However. he also said it is basically fit for purpose, “and I don't see much evidence that researchers are being dissuaded from researching in case their possession of pen test tools results in them being prosecuted.”
He added: “If anyone wants to criticize a key element of the fight against cybercrime, attacking Action Fraud would be more useful than attacking the CMA.”