Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

British infosec businesses are celebrating the 30th birthday of the Computer Misuse Act 1990 by writing to Prime Minister Boris Johnson urging reform of the elderly cybercrime law.


The Computer Misuse Act (CMA) received Royal Assent on 29 June 1990, before "the concept of cyber security and threat intelligence research," the CyberUp campaign group said in its letter [PDF].


"Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges," it added. "This means that the CMA inadvertently criminalises a large proportion of modern cyber defence practices."


CyberUp was founded by a coalition of infosec firms including NCC Group, Orpheus Cyber, Context Information Security and Nettitude, as we reported last summer when the campaign wrote its first letter to the PM.


So far Boris hasn't got round to replying.


CyberUp's latest missive, that carries twenty signatories, warns: "With less threat intelligence research being carried out, the UK's critical national infrastructure is left at an increased risk of cyber attacks from criminals and state actors."


The main problem posed by the current CMA is that it criminalises any "unauthorised access", under section 1 of the act, to a computer. This means "defensive cyber activities" of the sort carried out by CyberUp's members are at best in a grey area – and at worst classified as downright illegal; as the campaign put it, "criminals are obviously very unlikely to explicitly authorise such access."


In January a group of academics published a detailed re ..