NCC Group welcomes UK Government response to Computer Misuse Act review, but urges timeline clarity

The UK Government has published its long-awaited response to a Call for Information on the Computer Misuse Act 1990 (CMA), confirming that the Government is open to additional legal protections for security researchers and setting out plans for new law enforcement powers to crack down on cybercrime.

Launched in May 2021, the review considered whether the CMA – which was written over three decades ago – provided sufficient protections for legitimate cyber security activity. NCC Group responded to the Call for Information at the time, advocating for the inclusion of a statutory defence in law that would enable industry to carry out crucial vulnerability research and threat intelligence work so long as certain criteria were met.

In the response published today, the UK Government acknowledged for the first time that the UK needs “to ensure that the cyber security industry is not unnecessarily prohibited from conducting activities that would protect entities and individuals from hostile cyber actors”. As such, the Government will review what legitimate cyber activity “may conflict with the CMA” and consider what “legislative and non-legislative solutions” might be available to better protect good faith cyber security researchers, including a statutory defence.

Despite this positive step forward, the Government stopped short of confirming any timelines for considering whether statutory defences should be introduced. Instead, it has launched a consultation looking only at the introduction of new law enforcement powers under a reformed CMA.

As NCC Group highlighted in its evidence to the UK Parliament’s ongoing inquiry into ransomware, the changing cyber threat landscape requires an evolving law enforcement response. The Government’s focus on additional law enforcement powers is therefore understandable. Nevertheless, it is NCC Group’s view that the Government’s whole of society approach to cyber security should place equal weight on the role of the UK’s world-leading cyber security industry in addressing the changing cyber threat.

Kat Sommer, Group Head of Strategy and Public Affairs said:

“This is a hugely significant day for the UK’s cyber ecosystem. After many years calling for better legal protections for cyber professionals, it is very welcome to see the Government’s recognition that the UK’s cybercrime laws must not unnecessarily prohibit cyber security activities that protect all of us from hostile cyber actors.

It’s great news too that the Government has committed to working with the cyber security industry to consider what defences should be introduced to safeguard cyber professionals. Nevertheless, the continued ambiguity while that work takes place will act as a brake on the industry. After 21 months of consultation, we would have hoped for further progress to bring the 32-year-old Computer Misuse Act into the 21st century than what has been announced today.

That said, we welcome this update as a step in the right direction and will, of course, work with the UK Government and urge it to be ambitious in its timelines and prioritise this crucial issue in the months ahead.

As we have long argued, reform, done in the right way, could greatly enhance the protection of the UK in cyberspace.”