Cyber security experts have urged the incoming prime minister to tear up a decades-old law that is blocking them from effectively stopping rogue states and criminals from hacking the UK.
Companies representing Britain’s £10bn cyber defence sector have asked Rishi Sunak and Liz Truss to rewrite the 30-year-old Computer Misuse Act, which they said is no longer fit for purpose.
The signatories include the Internet Services Providers’ Association, which represents BT, Virgin Media and Sky, London-listed cyber security company NCC Group and Ciaran Martin, the former head of Britain’s cyber security agency.
The current act prevents unauthorised access to computer material, but the signatories argue this is too broad and prevents them from conducting routine scans of the internet to look for bugs that can be exploited by hackers.
Legitimate internet researchers in the UK are also prevented from accessing hacked files that are shared on the dark web to warn victims their data has been stolen.
Breaking the Computer Misuse Act can lead to a jail sentence of up to 10 years.
Campaigners from the CyberUp group argued the law needs to be updated to include a defence for cyber professionals engaged in legitimate research. The original act, written in 1990, was mainly designed to protect voicemail systems at a time when few had access to computers.
Ollie Whitehouse, chief technology officer at NCC Group, said: “With cyber threats ever increasing, now is the time for the Government to reform our pre-internet era law to include a statutory defence. Doing so will unleash the full reservoir of talent in the UK cyber security industry in service of our collective national cyber defence.”
The signatories added that the UK is at greater risk of hacking attacks following Russia’s invasion of Ukraine. “We believe this strengthens the case for prioritising efforts to reform the Computer Misuse Act to include a statutory defence,” the letter said.
Mr Martin added: “A 32-year-old statute about computer misuse cannot be fit for purpose, almost by definition.”
Speaking to MPs earlier this year, Mr Martin said: “Hacking is not a bad word and there are highly ethical ways to develop expertise in this area. You certainly don’t want people trembling with fear that they might be violating the criminal law.”
In August, the US Department of Justice said it would no longer bring charges under federal anti-hacking laws against security researchers who have gained “unauthorised” access to a computer system when they are working in good faith.
The policy now states “good-faith security research should not be charged” under the Computer Fraud and Abuse Act, which was originally drafted in 1986.
There have been cases where British hackers claiming to be trying to discover bugs have been sent to prison. In 2012, a York University student was sentenced to eight months in prison for accessing Facebook’s internal systems.
Glenn Mangham, who was 26 at the time and had previously warned companies about the bugs he had discovered, later had his sentence halved on appeal.
Mr Mangham later said: “Strictly speaking what I did broke the law because at the time and subsequently it was not authorised, [but] I was working under the premise that sometimes it is better to seek forgiveness than to ask permission.”