CyberUp Report finds the UK cyber sector is held back by the Computer Misuse Act

A new report released today by the CyberUp Campaign and techUK has found that the overwhelming majority of cyber security professionals (80 per cent) worry about breaking the law in the process of defending against cyber-attacks. It is the first piece of work to quantify and analyse the views of the cyber security industry on this issue.

The Computer Misuse Act (1990) is the law that governs the activities of cyber security professionals in the UK. The Act was written in 1990 before the advent of modern cyber security. This report, based on a survey of businesses in the sector and individual cyber security researchers, finds concerns and confusion about the law are hampering the nation’s cyber defences by preventing cyber security professionals from doing their jobs.

The survey found that there was a near-unanimous (93 per cent) belief that the Computer Misuse Act did not represent a piece of legislation that was fit for this century.

In the UK, the public and private sectors work closely together to defend the country in cyberspace. The National Cyber Security Centre (NCSC), the government agency for protecting against cyber-crime and cyber threats, recently claimed in a disclosure about their efforts to thwart cyber threat actors during the pandemic that private sector firms they worked with had ‘made an indispensable contribution to [NCSCs] efforts to understand cyber threats and respond to incidents’.

Cyber crime is a widespread problem in the UK. In the last year for which data was available, there were 3,648,000 incidents of online fraud and 976,000 incidents of computer misuse. This is a total of 4,624,000 incidents of online crime.5 A different data set reveals 32 per cent of businesses reported cyber breaches or attacks in the last 12 months, and that £4,180 is the average annual cost for businesses that lost data or assets after breaches.6

However, the CyberUp Campaign and techUK survey revealed that, in some cases, cyber security researchers were being stopped from preventing harm to businesses and citizens by the Computer Misuse Act. This arose out of both fear of breaking the law and a lack of certainty about what exactly constituted a breach.

Ruth Edwards MP, a former cyber security professional who contributed a foreword to the report, urged the government to review the legislation. The report suggests a series of proposals for reform that would allow the law to take account of the motivations of ethical cyber security professionals, enabling them to operate with legal certainty and free from the fear of prosecution.

Unsurprisingly, the survey also found that the Computer Misuse Act is having a stifling effect on the UK cyber security industry, with 91 per cent of businesses feeling they had been put at a competitive disadvantage relative to other countries with better legal regimes.

In addition, a similar number (90 per cent) indicated that a change in the law would lead to growth and productivity benefits for their organisation. When averaged across the latest figures for revenue and employment in the sector, a change in legislation would lead to an increase in revenue of £1.6 billion and 6,200 jobs.