“In section 17 of the Computer Misuse Act 1990, at the end of subsection (5) insert—

‘(c) he does not reasonably believe that the person entitled to control access of the kind in question to the program or data would have consented to that access if he had known about the access and the circumstances of it, including the reasons for seeking it;

(d) he is not empowered by an enactment, by a rule of law, or by the order of a court or tribunal to access of the kind in question to the program or data.’”—(Alex Norris.)

Brought up, and read the First time.

I beg to move, That the clause be read a Second time.

With this it will be convenient to discuss new clause 53—Defences to charges under the Computer Misuse Act 1990—

“(1) The Computer Misuse Act 1990 is amended as follows.

(2) In section 1, after subsection (2) insert—

‘(2A) It is a defence to a charge under subsection (1) to prove that—

(a) the person’s actions were necessary for the detection or prevention of crime; or

(b) the person’s actions were justified as being in the public interest.’

(3) In section 3, after subsection (5) insert—

‘(5A) It is a defence to a charge under subsection (1) to prove that—

(a) the person’s actions were necessary for the detection or prevention of crime; or

(b) the person’s actions were justified as being in the public interest.’”

The new clauses would introduce a statutory defence into the Computer Misuse Act 1990 for cyber-security professionals who are acting in the public interest to better protect the UK from cyber-criminals.

I want to say very clearly that cyber-criminals are more of a threat than ever, and we need arrangements that are fit for the present day to take them on. In the UK alone, there was a 77% increase in cyber-threats last year. We know that their impact on individuals’ lives can be hugely consequential, but the legislation that provides the foundation to take on that sort of cyber-threat is more than 33 years old. It was written to protect telephone exchanges before the widespread use of the internet and digital technologies. Legislation has not kept pace with modern cyber-security defence techniques.

Consumer organisations such as Which?, trade bodies and UK cyber-security companies have long campaigned for reform of the 1990 Act. The CyberUp campaign, from which we received written evidence and which is backed by a number of cyber businesses and trade associations such as techUK, believes that reform of the Act would future-proof our response to cyber-crime and could deliver benefits for the UK’s economic prosperity and criminal justice system and defend our democracy and national security.

Together, the new clauses would update section 1 of the 1990 Act, which prohibits unauthorised access to computers. Simply put, the legislation inadvertently criminalises a large portion of legitimate vulnerability, security and threat intelligence research by UK cyber-security professionals, who are committing a crime if they use legitimate techniques to check for vulnerabilities, to carry out research or to build defences. We are asking them to put themselves at risk in order to do something that is clearly a social good, so the new clauses seek to update the Act.

The former Home Secretary, Priti Patel, announced a review of the Act in May 2021, nearly three years ago, and Sir Patrick Vallance, who was the Government’s chief scientific adviser, gave his backing, saying:

“We recommend amending the Computer Misuse Act 1990 to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals.”

In March, the Chancellor committed to implementing Sir Patrick’s review on the pro-innovation regulation of technologies. Hopefully, therefore, we are pushing at an open door. In its report on ransomware, the Joint Committee on the National Security Strategy stated that there has not been enough progress and that the Bill is deficient in this area, so there is a strong argument for this reform.

New clause 52 would tighten up the definition of an offence, and new clause 53 would tighten up possible defences that could be used by individuals legitimately either researching or protecting in the cyber-security space.

The Government broadly support the sentiment behind the new clause—we want to enable people undertaking legitimate cyber-security work to do so without fear of criminalisation—but this is a very complicated area. The Government published their response to the review of the Computer Misuse Act last November, and we are actively considering options to strengthen the legislative framework. However, we need to make sure we do that in a way that does not inadvertently create a loophole or a defence that cyber-criminals or hostile state actors could exploit to defend themselves against prosecution. It is complicated and needs quite a lot of thought, and further work is required to make sure we get this absolutely right. We are therefore not ready to accept legislation, but we are committed to giving it further, very careful consideration, so that if changes are needed, we can make them in a way that does not inadvertently create loopholes.

On protections for people engaged in legitimate activity, I remind the Committee that prior to bringing a prosecution, the Crown Prosecution Service applies the public interest test. If somebody were engaging in legitimate cyber-security activity and inadvertently fell foul of the Act, it may well be that the CPS applied that public interest test and therefore did not proceed with the prosecution. However, this does need some more thought, and I do not think we are ready to legislate yet.

I am grateful for the Minister’s assurances on the Government’s intent, and on that basis I beg to ask leave to withdraw the motion.

Clause, by leave, withdrawn.