Pro-Innovation Regulation of Technologies Review and the Computer Misuse Act 1990
(Limited Text - Ministerial Extracts only)
Read Full debate
The Minister for Security (Tom Tugendhat)
I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing this debate and for his continued interest in this issue. This is not the first time he has raised it with me—in fact, the first time he raised it with me was many years ago—but it is perhaps the first time that I may be able to assist.
In my role as Security Minister, I see evidence every day of the scale of the threat from cyber-crime that affects our citizens, businesses and Government services. There were an estimated 690,000 incidents of computer misuse in England and Wales in the year to September 2022, of which 577,000 were related to unauthorised access to personal information. I have seen the effects of criminals targeting businesses and individuals online—the businesses that suffer financial losses because of ransomware attack and their inability to carry on their businesses, and the individuals who lose personal information, including highly personal information, and can suffer harassment and blackmail because of it.
It is because of such criminal activity that protecting the country in cyber-space is such a key priority for the Government. It is essential that we ensure the UK has the powers and legislation to allow our law enforcement agencies to take action to tackle this threat. The Computer Misuse Act dates from 1990, before almost anybody had an email address—certainly before I did. Today, we could not only research the law online, but one of the large language model artificial intelligences we now see frequently used online could actually draft large parts of it too.
That is why this Government have launched a call for information, asking for different views on whether the 1990 Act and the powers used by law enforcement agencies to investigate the offences in that Act need to be enhanced.
In February, we launched a consultation in which we set out proposals for new powers for law enforcement agencies to improve their ability to take action to tackle crime online. Those proposals include a power to allow law enforcement agencies to take control of domains and internet protocol addresses to help tackle a wide range of offences, including fraud; a power to require the preservation of computer data; and a power to take action against a person possessing or using data obtained by another person through a CMA offence. In the consultation, we committed to further considering the question raised by my hon. Friend of whether the Act needs to be amended to provide defences to CMA offences.
As the Government set out in our response to the pro-innovation regulation of technologies review by Sir Patrick Vallance, the Home Office is taking forward work to consider the merits and risks of introducing changes to the Act in relation to the defences. That is a complex issue that requires significant further discussion with a wide range of stakeholders. The Computer Misuse Act is based fundamentally on the principle that the owner of the system is responsible for the operation of the system and its data, and bears the cost in securing it. It is right that they have the protection of the law from those who obtain or attempt to obtain unauthorised access to computers and their data.
It is important that we consult those who actually own the systems for their views on that. In particular, we need to ensure that any changes that we make to the Act support the continued improvement to the UK’s cyber-security while ensuring that system owners continue to have the right to determine who may access their systems and data. That in itself feeds into the growth agenda. System owners need to know that the Government take unauthorised access to their systems seriously and will support them in tackling those who attempt to commit such offences.
Let me clear about some of the issues that we need to address in relation to introducing defences. The proposals would potentially allow a defence for the unauthorised access by a person to another person’s property—in this case, their computer systems and data—without their knowledge or consent. We will therefore need to define what constitutes legitimate cyber-security activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum.
We will also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. Of course, we must make no changes that would prevent law enforcement agencies from investigating, prosecuting and pursuing those who commit cyber-crimes. I am sure Members would agree that, in the light of those issues, any changes must be considered very carefully indeed.
As we set out in the consultation, we have committed to working with law enforcement agencies, prosecutors, the cyber-security industry and system owners to consider proposals and reach a consensus on the best way forward. That work is under way, and the Government would welcome any contributions from those with an interest in this area.
Question put and agreed to.