Over the past few months, the government has shown it understands that we need urgent action to make the online world safer. In this year’s Queen’s Speech, the government announced its plan to introduce an Online Safety Bill, a new frontier for cyber legislation that promises to protect online users from criminal exploitation like never before.
But when it comes to cyber security, protecting online users is only half the battle. Throughout the global Covid-19 pandemic, businesses have come under a barrage of cyberattacks, with criminals and hostile nation-states seeking to exploit our weaknesses when we have been at our most vulnerable.
Many CISOs have alerted their employers to the immense stress of their roles over the past year. It isn’t just sensitive customer data at risk – cybercriminals are increasingly targeting national infrastructure, with attacks last year on local authorities, health services, and schools. As cyber professionals come under pressure to combat the threat, you would hope our current legislation had their backs. Unfortunately, our security teams have been hamstrung by the very laws designed to protect them.
The Computer Misuse Act (CMA) 1990 was brought in back when we were all still faxing each other from offices with screeching modems. While the Act is admittedly flexible for its age, cyber security professionals can no longer be confident that it protects them in their work. A study produced by the CyberUp campaign found that 80% of cyber security professionals operating in the UK feared accidentally falling foul of the law.
The principal problem with the CMA 1990 is authorization. Authorization – or the lack of it – is at the heart of the Act, which criminalizes unauthorized access to computer systems. In practice, such access often takes the form of malware or ransomware attacks that seek to disrupt services, obtain information illegally, or extort individuals or businesses.
According to the CMA 1990, an act done in relation to a computer is unauthorized if the person doing the act (or causing it to be done):
- Is not himself a person who has responsibility for the computer and is entitled to determine whether the act may be done; and
- Does not have consent to the act from any such person.
However, with the digital world evolving at breakneck speed, our legislators have focused on how criminals have adapted without sparing a thought for how the cyber security industry has adapted. The CMA offers no statutory defence that takes an individual’s motives into account or recognizes circumstances in which access might be deemed legitimate. Testing carried out with the system owner’s permission is already authorized under the Act; the gap is research that cannot obtain such permission, for example vulnerability research or threat intelligence work on infrastructure controlled by third parties or by the attackers themselves.
This leaves those whose computer-related investigations and activities are ethical and intended to improve cyber security at the mercy of charging decisions made by the Crown Prosecution Service.
The law compromises the UK’s cyber resilience by preventing cyber security professionals from conducting threat intelligence research against cybercriminals and geopolitical threat actors without fear of prosecution.
This leaves the UK’s critical national infrastructure at increased risk, unable to stay ahead of the threats posed by hostile cyber actors. It is time to seize the opportunity to develop 21st-century laws, making the country – our public bodies and infrastructure – safer and more secure.
Earlier in 2021, the government announced plans to review the CMA 1990. Its focus is on how new criminal penalties for cybercriminals might be developed. However, the importance of supporting and enabling a new protection regime for legitimate cyber security work does not yet seem to have registered.
At SASIG, we have encouraged our members in the cyber security industry to engage as fully as possible with the review. We hope that if the government is serious about national cyber security, it will also consider supporting those on the cyber front line.