Cybersecurity experts have urged the new Prime Minister to tear up a decades-old law that prevents them from effectively stopping rogue states and criminals from hacking into the UK.
Firms representing Britain’s £10 billion cyber defense industry have asked Rishi Sunak and Liz Truss to rewrite the 30-year-old Computer Misuse Act, which they say is no longer fit for purpose.
Signatories include the Internet Service Providers Association, which represents BT, Virgin Media and Sky, London-listed cybersecurity firm NCC Group, and Ciaran Martin, the former head of Britain’s cybersecurity agency.
The current law prohibits unauthorized access to computer hardware, but the signatories say it is too broad and prevents them from performing routine internet scans to look for bugs that hackers can exploit.
Legitimate internet researchers in the UK are also not allowed to access hacked files that are shared on the dark web to warn victims that their data has been stolen.
Violating the Computer Misuse Act can result in a prison sentence of up to 10 years.
Activists from the group CyberUp have argued that the law needs to be updated to include a defense for cyber professionals engaged in legitimate research. The original law, written in 1990, was primarily designed to protect voicemail systems at a time when few people had access to computers.
Ollie Whitehouse, Chief Technology Officer at NCC Group, said: “With cyber threats steadily increasing, the time has come for the government to reform our pre-internet law to include a statutory defence. This will unleash the full pool of talent in the UK cybersecurity industry to serve our collective national cyber defence.”
The signatories added that the UK was at greater risk of hacking attacks following Russia’s invasion of Ukraine. “We believe this strengthens the case for prioritizing efforts to reform computer misuse law to include a legal defense,” the letter said.
Mr Martin added: ‘A 32-year-old computer misuse law cannot be fit for purpose, almost by definition.’
Speaking to MPs earlier this year, Mr Martin said: ‘Piracy is not a dirty word and there are highly ethical ways to develop expertise in this area. You certainly don’t want people cowering for fear of breaking the criminal law.’
In August, the US Department of Justice said it would no longer bring charges under federal anti-hacking laws against security researchers who gained “unauthorized” access to a computer system while working in good faith.
The policy now states that “good faith security research should not be charged” under the Computer Fraud and Abuse Act, which was originally drafted in 1986.
There have been cases where UK hackers claiming to be trying to uncover bugs have been sent to jail. In 2012, a York University student was sentenced to eight months in prison for accessing Facebook’s internal systems.
Glenn Mangham, who was 26 at the time and had previously warned companies about bugs he had discovered, later had his sentence halved on appeal.
Mr Mangham later said: “Strictly speaking what I did broke the law because then and afterwards it was not allowed, [but] I worked on the principle that sometimes it is better to ask for forgiveness than to ask permission.”