Criminal Law Reform Now Network: Follow-on Impact (Computer Misuse Act)

The Criminal Law Reform Now Network (CLRNN) was launched in 2017 in order to facilitate collaboration between academics and other legal experts to discuss, draft and disseminate comprehensible proposals for criminal law reform to the wider community. Our research contacts include members of the public and mainstream media as well as legal and industry professionals, police, policymakers, and politicians. We immediately established computer misuse and private prosecutions as priority areas for reform, and indeed, four years later, both items are high on the agenda within government. CLRNN has been funded by an AHRC Network Grant.

On 22 January 2020, we launched at Westminster (and published open-access) the outcome of our first project, Reforming the Computer Misuse Act 1990. The report makes several recommendations for reform, including to the core offences/defences in the primary legislation, to CPS guidance, to sentencing guidelines, and highlighted the potential for civil penalties. The current follow-on funding bid focuses on the possibilities of reform of the primary legislation, the Computer Misuse Act 1990 (CMA). This has become more urgent since the Home Secretary announced on 11 May 2021 that the CMA should be revised and amended.

Existing 'hacking' offences were originally drafted in the CMA to reflect an outdated view that unauthorised access to another's computer is always harmful. But site owners may be thought likely to deny access even though there are vulnerabilities in their site which may enable them to be used aggressively by hackers. Cyber security today depends upon an understanding that site owners should not have an absolute say in allowing vulnerabilities to persist; indeed some compromised sites will be run by cyber criminals who have no reason to authorise any testing. Nor can the police and National Crime Agency cope with the workload in keeping the internet safe from cyber threats. So, licensing cyber security experts to conduct tests, both to close down vulnerabilities and to detect sources of threats, is the best way forward. But there is no such framework in the CMA and no defence at all for responsible experts to act in the public interest.

During the drafting of our report, we worked closely with cyber security representatives to understand the chilling effect that the current law has on work in their industry (e.g, either limiting the services they can provide; or risking prosecution for arguably criminal acts). In our Report, we propose the creation of a new public interest defence. The government's present interest in reforming the CMA goes wider, including a new sentencing regime, but we have anticipated many of the salient issues here in our Report too; and should legislative reform be coming, with harsher sentences, we think that the CPS will wish to revise their own prosecutions policies accordingly, and so our work on CPS policy within the Report may also need to be further disseminated and explained.

The NCC Group are our project partners in this follow-on bid, as an industry based advocate for CMA Reform (Cyber-Up Campaign). Their Cyber-Up Campaign appears to have had the most effect on government so far, and they have acknowledged our contributions in the process. But their efforts require legal input, including at meetings. We therefore seek follow-on funding for the continued work of our network facilitator to coordinate meetings and research briefings, as well as for an impact event to be hosted at the University of Cambridge at the end of 2021 to re-engage our primary political stakeholders and re-emphasise the legal and academic case for reform. The next year looks likely to be critical for reform and we are keen that our work to date should have maximum impact.