Cybercrime laws need urgent reform to protect UK, says report

Britain’s cyber-defences are being endangered by the outdated Computer Misuse Act, which prevents investigators from dealing effectively with online threats while over-punishing immature defendants, according to a legal report.

Thirty years after hacking became a criminal offence, a study by the Criminal Law Reform Now Network (CLRNN) calls for urgent revision of the legislation governing illegal access to computers, denial of service attacks and other digital crimes.

The 144-page review, led by academic lawyers at Birmingham and Cambridge universities, argues that the 1990 Computer Misuse Act is “crying out for reform” and must develop public interest defences for hacking.

The report, Reforming the Computer Misuse Act, identifies problems of enforcement and legal obstructions that expose the UK’s economy and critical infrastructure to “harm by cybercriminals and hostile nation states”.

Related: UK 'wholly' unprepared to stop devastating cyber-attack, MPs warn

Wide-ranging changes are needed, the report stresses, to create a legislative regime that is “fit for purpose – allowing ethically motivated cyber defenders, security researchers and journalists to pursue their work with greater legal certainty, while improving the ability of the state to identify, prosecute and punish those acting against the public interest”.

The act exposes cybersecurity professionals to prosecution for carrying out intelligence research against cybercriminals and foreign state actors, it warns, leaving the UK’s critical national infrastructure at risk at a time when threats are growing.

Simon McKay, a civil liberties and human rights barrister who was the project lead for the report, said: “One of our key recommendations is that a number of [legitimate] defences need to be built into the Computer Misuse Act to allow research, and integrity testing of systems.

“The act does not even have any kind of defence for the way law enforcement carries out online work. They can only avoid prosecution through having a warrant and they have to stay within the confines of that.”

The report calls for a public interest defence to enable cyber-threat intelligence professionals, academics and journalists to explore networks to provide better protections against cyber-attacks and computer misuse.

A standard research method involves using a so-called honeypot, a computer set up to appear attractive to hackers that can identify the computer sources of an attack and capture as much code as possible.

If they strictly observe the law, the report says, researchers “would be very limited in probing the source of those attacks. This restricts the ability of security researchers to identify threats and pass vital information to public enforcement bodies.”

The report calls for greater flexibility in terms of punishments, the introduction of fines and specific guidelines for judges from the Sentencing Council when dealing with immature defendants or those diagnosed with autism or Asperger syndrome.

Recent high-profile cases have involved attempts to extradite British suspects to the US for hacking – such as Lauri Love, who was diagnosed with Asperger’s.

Dr John Child, a senior lecturer in criminal law at Birmingham University and co-director of CLRNN, said: “There’s very little information for prosecutors or judges … You get some cases which have led to draconian outcomes for some youths.” There should be schemes for “redirecting problem youths”, he added.

US legislators are looking at legalising “hack back” laws that permit firms to retaliate to online attacks, Child said. The UK should not follow that example but instead create rules “in line with international obligations which target the bad actors”.

Reports of hacking incidents to Action Fraud lines are often not investigated by police because of a shortage of resources, the report warns.

Ollie Whitehouse, of NCC Group, said: “The government needs to take urgent action by updating and upgrading the Computer Misuse Act so our nation’s cyber-defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs.”

The first recorded reports of computer crime date back to at least the 1970s when a US teenager used a computer terminal to order equipment that would be dropped off at a place of his choosing and then sold on.

The CLRNN was established in 2017 as a means for academics and legal experts to conduct investigations into areas of the law they feel need improving. The Law Commission, the official body responsible for such work, has been criticised because its selection of research projects has been increasingly dependent on commissions by government departments.