In the wake of the recent call for evidence on updating the Computer Misuse Act, Coran Darling highlights some areas that he thinks need some attention.
Since its inception more than 30 years ago, the Computer Misuse Act 1990 (CMA) has acted as the UK's primary legislative sword and shield against a threatening, and ever-growing, cloud of cyber-enabled crime. It is no longer the case that those exploiting an organisation's attack surface sit in dark basements wearing hooded jumpers, as commonly depicted in media such as the popular series Mr. Robot. Cyber-dependent crime has, according to a recent Government report, developed into a £27 billion a year industry, ranging from budding 'script-kiddies' looking to cause disruption through to well-oiled, and in some cases suspected state-sponsored, criminal enterprises. As such, the threats facing organisations, such as phishing, ransomware, DDoS attacks, data theft and fraud, continue to grow in both frequency and concern.
In many cases, the far-sighted drafting of the CMA, alongside the numerous amendments made to it, has helped the Act keep up with the times. However, this may no longer be the case, as reflected by the Home Office's decision to undertake a call for evidence on areas of the Act that do not adequately reflect the offences and the digital landscape that are now part of everyday life. The Home Office is presently analysing the evidence provided and is due to release its findings later this year.
An Evolving Regulatory Landscape for Digital Society in the UK
In addition to identifying key areas of development within the legislation, the call for evidence is part of the Government's commitment to strengthening its position as a world leader in technology and computing, as well as to combating cyber-enabled crime more generally. As part of this commitment, the Government is set to publish its latest UK Cyber Strategy later this year, replacing the previous iteration implemented in 2016.
Under its new strategy, the Government’s priority points of action will be to:
To achieve these objectives, it is imperative that the Government and its departments continue to develop their legislative armoury so that new threats can be combated pre-emptively, before they have a chance to damage digital infrastructure. By doing so, the Government can hope to shield citizens and organisations from a growing criminal industry.
Call for Evidence on the Computer Misuse Act
The recent call for evidence by the Home Office sought views on how to develop the last aspect of the strategy. It asked how authorities could be given the means to detect, disrupt, and deter any potential threats by:
Input was requested from all areas of industry and academia and focused particularly on the development of new offences, protections and powers, and on their jurisdictional scope. The call for evidence also requested details of notable international approaches that might be compatible with a methodology for implementing the cyber strategy going forward. It will therefore be interesting to see the results of the call, given the varied information requested from an equally wide range of sources. What is constant throughout this process is the sense that the CMA is no longer capable of meeting the needs of a contemporary digital society.
‘Developing Definitions of Developing Technology’
Perhaps one of the most notable areas worthy of change is clarification of the definition of "computer". The CMA deliberately does not provide one, as rapid changes in technology could soon have rendered any statutory definition out of date. Instead, case law is left to fill the gaps. The issue was addressed in DPP v McKeown, DPP v Jones UKHL 4, where a computer was described as "a device for storing, processing, and retrieving information".
The logic behind this approach is clear - technology does indeed progress quicker than legislative amendments - but in the interim, it leaves the potential for gaps and disputes to develop, such as what should constitute a “device” in the first place.
The current definition is open-ended, and some may see smart devices within homes as computers, despite their rudimentary design, because of their ability to interact with networks and to process commands and information. An example of this wider approach is found in the Cybercrime Convention 2001, which defines a computer system as: "any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data". This contrasts with the UK approach in DPP v McKeown cited above, even though the devices caught by either definition present a similar attack surface to those seeking to exploit vulnerabilities once connected to a home or work network. Under the current legislation, prosecution and defence could each argue about whether the definition applies to a particular class of device. The Act therefore runs the risk of capturing devices that would generally not be thought of as computers, such as smart bulbs, while leaving it unclear whether more novel technologies, such as flash glucose monitoring systems, are covered at all.
A potential avenue to address this could be government guidance to supplement the Act. Such guidance could be updated more regularly as technological and judicial developments emerge. It would not be an exhaustive definition, but it would perhaps help clarify the majority of cases in which people are concerned with whether they are interacting with a "computer" in the eyes of the law, and whether their use might create liability under the Act. However, one can equally appreciate the potential for disputes as to how much weight such guidance should carry, and so its overall effectiveness is uncertain.
‘The sheep in wolf’s clothing’
Another area worthy of change is the protection afforded to those who, for non-malevolent purposes, commit acts that would typically fall within the CMA's offences. In its current form, the CMA does not adequately distinguish between criminal behaviour and ethical hacking. Ethical hackers (both white and grey hat), along with other penetration testers and security experts, specialise in deliberately attacking and testing computer systems to discover weaknesses that could be exploited by criminals and black hats.
Where the hacker has been engaged and has clear consent, this is unlikely to cause any issues, because many of the offences in the CMA rely on an element of non-authorisation for a crime to be committed. Of more concern is where grey hat hackers or security researchers act without permission in order to analyse potential threats across industries, or to monitor how organisations respond to threats present online. Despite good intentions, these parties are technically committing an offence, as they have accessed third-party systems without authorisation.
The call for evidence does appear to acknowledge this to some degree, and asks respondents whether there are sufficient protections to cover "legitimate" cyber activities. Some would argue that it would be wise to consider widening the protections to those who fall within the grey remit: their intentions are good, but they have acted without authorisation. A blanket exemption is unlikely to work, as a number of parties could simply claim that they were behaving in this way while concealing criminal behaviour. Instead, the protection could be limited to parties who qualify for it, whether through academic standing, accreditation, or adherence to stringent professional standards. It remains unclear how the Home Office will approach this issue, but failure to do so may prevent those seeking to act for the public good from participating in the wider protection of those interacting with computers and the digital environment.
‘The Double-edged Sword’
A further area worthy of change (and by no means the only one) relates to our understanding of cyber-crime and the development of potentially dangerous software. Under the current legislation, section 3A of the CMA makes it an offence to supply, or offer to supply, any article (which includes any programme or data held in electronic form) believing that it is likely to be used to commit, or to assist in the commission of, an offence under the Act. On the surface, this seems like a completely reasonable requirement: it limits the chance of people sharing dangerous software such as ransomware, trojan horses or phishing kits. However, it also inadvertently restricts researchers and security experts (both amateur and professional) from sharing their software with a wider audience so that people can use those tools to strengthen their own systems. This is because the very nature of open-source and sharing platforms such as GitHub allows all manner of people (good and bad actors alike) to access their repositories. It would be difficult to argue that someone publishing such software did so without believing that it could be used to commit an offence.
The open sharing of source code is an invaluable way of increasing the probability that weaknesses will be spotted and addressed by the community, creating ever more robust platforms. It therefore appears counterintuitive not to include appropriate measures to protect those who share for the purposes of academia, knowledge sharing and overall altruism. Developing the terms to carve out provisions where software or data is shared for these purposes could be beneficial in pushing towards the strategy goal of disrupting adversaries of the UK digital environment. Again, a blanket approach cannot be adopted, as it could allow many bad actors to claim that they were acting for well-intended purposes. One way around this would be the use of authorised and vetted portals where it is clear that the aim of those sharing is to benefit the security of others. Requiring account authorisation to access these programmes may limit their overall use, but it would also create a verifiable audit trail of who has possession and where the software is distributed. However, it would be foolish to think that this alone would prevent access by less altruistic users, leaving an interesting conundrum for law makers: how can we encourage knowledge sharing without making it too easy for bad actors to make use of the same programmes?
While the CMA has done well to act as the sword and shield of Government when dealing with cyber-crime for over three decades, it appears that these are now dulled and chipped, and in need of change. There are clear areas of development that are now required in order to remain in step with how people use computers, and with our now much greater appreciation of the dangers of cyber-crime. Having concluded this call for evidence, there is now an invaluable opportunity to begin considering how to bring UK legislation up to date and make it fit to survive another 30 years in our rapidly developing digital world.
Coran Darling is a Trainee Solicitor at DLA Piper LLP with experience in data privacy, artificial intelligence, robotics, and intellectual property, having joined the firm from the technology industry. He is an active member of DLA Piper’s Working Group on AI and a committee member of the Society for Computers and Law specialist group on artificial intelligence with particular interest in algorithmic transparency.