Since its inception 30 years ago, the Computer Misuse Act 1990 (CMA) has acted as the primary legislative sword and shield of the UK against a threatening, and ever-growing, cloud of cyber-enabled crime. It is no longer the case that those exploiting an organisation’s threat-vectors exist in dark basements wearing hooded jumpers as commonly depicted in media, such as in the popular series Mr. Robot. Cyber-dependent crime has, according to a recent Government report, developed into a £27 billion a year industry and includes budding ‘script-kiddies’ looking to cause disruption through to well-oiled and suspected state-sponsored criminal enterprises. As such, the potential threats facing organisations, such as phishing, ransomware, DDoS attacks, data theft, and fraud continue to grow in commonality and concern.
In many cases, the far-sighted nature of the CMA, alongside a number of amendments made to it, has done well to permit the Act to keep up with the times. However, it appears that this may no longer be the case. This is reflected by the decision of the Home Office to undertake and recently conclude a call for evidence on areas of the Act that do not adequately reflect the potential offences and digital landscape which are now part of everyday life. The Home Office is presently analysing the evidence provided and is due to release their findings later this year.
An Evolving Regulatory Landscape for Digital Society in the UK
In addition to identifying key areas of development within the legislation, the call for evidence is part of the Government’s commitment to strengthening its position as a world-leader in the area of technology and computing, as well as combating cyber-enabled crime more generally. As part of this commitment, the Government is later this year set to publish their latest UK Cyber Strategy, replacing the previous iteration implemented in 2016.
Under its new strategy, the Government’s priority points of action will be to:
- strengthen the UK’s cyber ecosystem, enabling a whole-of-society approach to cyber-crime and the wider digital economy, and deepening the partnership between government, academia and industry;
- build a resilient and prosperous digital UK, where citizens feel safe online and confident that their data is protected;
- take a lead in the technologies vital to the digital economy and build industrial capability where necessary and ensure the UK can adopt emerging technologies securely;
- promote a free, open, peaceful, and secure cyberspace, by working with other governments and industry, and drawing on the UK’s thought leadership in cyber security; and
- detect, disrupt and deter its adversaries.
In order to achieve these objectives, it is imperative that the Government and its respective departments continue to develop their legislative armoury to allow them to combat new threats preemptively before they have a chance to damage digital infrastructure. By doing so, the Government can hope to shield citizens and organisations from a growing criminal industry.
Call for Evidence on the Computer Misuse Act
The recent call for evidence by the Home Office has sought to develop the last aspect of the strategy, allowing authorities a means to detect, disrupt, and deter any potential threats by:
- enabling specific powers to target criminals; and
- imposing substantial consequences for those that continue to cause concern.
Input was requested from all areas of industry and academia and focused particularly on the development of new offences, protections, powers, and their jurisdictional scope. The call for evidence also requested details of notable examples of international approaches that may be compatible with developing a methodology for implementing their cyber strategy moving forward. It will therefore be interesting to see the results of the call given the varied information requested from an equally wide number of sources. What remains a constant in this process is that the CMA no longer feels capable of meeting the needs of a contemporary digital society.
‘Developing Definitions of Developing Technology’
Perhaps one of the most notable areas worthy of change is a clarification on the definition of “computer”. The CMA does not provide a definition due to the fact that rapid changes in technology could lead to the definition soon becoming out of date. Instead, the definition is left to case law to fill in the gaps. This was somewhat achieved in DPP v McKeown, DPP v Jones [1997] UKHL 4 where it was defined as “a device for storing, processing, and retrieving information“. The logic behind this approach is clear as technology does indeed progress quicker than legislative amendments, but in the interim it leaves the potential for gaps and disputes to develop, such as what should constitute a “device” in the first place.
A notable issue with this is the creation of a grey area in the law, which may be particularly problematic should litigation ensue or an defence of an action relies on the interpretation of “computer” by a judge or jury. This is because the current definition is reliant on the subjective interpretation of those involved. Certain parties may deem smart devices within homes as computers, despite their rudimentary design, due to their ability to interact with networks and process commands and information. Others may restrict the scope of the definition to more complex systems that are more traditionally associated with the definition of computer, despite both devices offering a similar potential attack surface for those seeking to exploit vulnerabilities when connected to a home or work network. Under the current legislation, both parties could argue the applicability of the definition to their particular group of devices. The Act therefore runs the risk of capturing devices that would generally not be thought of as computers, such as smart-bulbs, while omitting more novel technologies that more complex systems would fail to include, such as flash glucose monitoring systems.
A potential avenue to address this could be the issuance of governmental guidance to supplement the more solid regulatory implementations. This would mean that, although the subject remains grey, persons and organisations have further clarity as to what may fall within the confines of the definition. The fact that it would be guidance also means that it could be updated more regularly subject to technological and judicial developments as they appear. It would therefore not be an exhaustive definition, but would perhaps do enough to clarify the majority of cases where people are concerned with whether they are interacting with a “computer” in the eyes of the law, and whether their use might create liability under the Act. However one can equally appreciate the potential for disputes arising as to the degree of weight that is to be applied to such guidance and therefore its potential overall effectiveness is uncertain.
‘The sheep in wolf’s clothing’
Another area worthy of change is the protections afforded to those who commit the acts that would typically fall within the remit of the CMA’s offences for non-malevolent purposes. In its current form, the CMA does not adequately distinguish the difference between criminal behaviour and ethical hacking. Ethical hackers (both white and grey hat) and other penetration and security experts specialise in the deliberate hacking and testing of computer systems to discover weaknesses in security that could be taken advantage of by criminals and black hats.
In instances where the hacker has been engaged and has clear consent, this is unlikely to cause any issues. This is because many of the offences in the CMA rely on an element on non-authorisation for a crime to be committed. It is perhaps more of a concern for parties such as grey hat hackers or security researchers who typically do so without permission in order to analyse potential threats throughout industries or to monitor the responses organisations to potential threat vectors present online. Despite good intentions, these parties are technically committing an offence as they have penetrated third-party systems without authorisation.
The call for evidence does appear to acknowledge this at least to some degree, and questions those responding on whether there are sufficient protections to cover “legitimate” cyber activities. Some would argue that it would be wise to consider the widening of protections to those that fall more within the grey remit whereby their intentions are good, but they have acted without authorisation. A blanket exemption to this is unlikely to work as a number of parties could simply claim that they were behaving in this way, all the while concealing criminal behaviour. Instead, a potential caveat whereby a specifically qualified party either through academic standing/accreditation or stringent professional standards could be implemented to engage this protection. It remains unclear how the Home Office will approach this issue, however failure to do so may prevent those seeking to act for the better of society in participating in the wider protection of those interacting with computers and the digital environment.
‘The Double-edged Sword’
A further, but by no means the only other, area worthy of change comes from our understanding of cyber-crime and the development of potentially dangerous software. Under the current legislation, the CMA makes it an offence to supply or offer to supply any programme or data that is likely to be used to commit or assist in the commission of an offence under the Act. On the surface, this seems like a completely reasonable requirement, as it limits the chance of people sharing dangerous software, such as ransomware, trojan horses, or phishing programmes. However, it inadvertently also reduces the chance of researchers and security experts (both amateur and professional) from widely sharing their software in hope that people could use their tools to strengthen their own online protections and therefore reduce the chance of future attacks by criminals. This is because, by the very nature of open-source and sharing platforms, such as GitHub, all manner of people can access its repositories. This therefore includes both good and bad actors. As such, it would be difficult to argue that the provision of this software to users would be done so without knowing that it could be used to commit an offence.
The sharing of source code openly is an invaluable way of increasing the probability the weaknesses will be spotted and addressed by the community, creating ever-more robust platforms. It therefore appears counterintuitive to not include appropriate measures to protect those who do so for the purposes of academia, sharing knowledge, and overall altruism. A development of the terms to carve out provisions where software or data is shared for these purposes could be beneficial in pushing towards the strategy goal of disrupting adversaries to the UK digital environment. A blanket approach to this would again be equally inefficient as it would likely allow many bad actors to claim that they were doing so for well-intended purposes. A potential way of getting around this would be the use of authorised and vetted portals where it is clear that the aim of those sharing is to benefit the security of others. By requiring account authorisation to access these programmes may therefore limit the overall use of these programmes as well as it would work to create a verifiable audit trail of who has possession and to where it is distributed. However, it would be foolish to think that this would do all that is required to prevent access by less altruistic users. This therefore poses an interesting conundrum for law makers on how to encourage knowledge sharing without doing so in a way that makes it too easy for bad actors to also make use of these programmes.
Concluding thoughts
While the CMA has done well to act as the sword and shield of Government when dealing with cyber-crime for over three decades, it appears that they are now dulled and chipped, and in need of change. There are clear areas of development that are now required in order to remain in step with how people use computers, and our now much greater appreciation of the dangers of cyber-crime. Having concluded this call for evidence, there is now an invaluable opportunity to begin considering how to bring UK legislation up to date and fit to survive another 30 years in our rapidly developing digital world.