Baroness Neville-Jones
(Conservative - Life peer)
Lords Chamber

My Lords, it is a pleasure again to follow my friend, the noble Lord, Lord Clement-Jones, whose amendment I agree with. I will speak to my Amendments 361 through 364, which are, as he rightly put, companions to the intent of his Amendment 360.
In simple terms we have an opportunity to change the law to benefit our cyber professionals and everything that they do to keep us safe, often—rightly and understandably—in the shadows. They deserve not only our respect but our support, and this is one small way we can support them.
I would also like to put on record my thanks and congratulations to CyberUp. It is an effective campaign because it has taken an issue, understood it at its essence and been clear, consistent and proportionate in its campaigning. It has not only been campaigning around the difficulties but offering practical and proportionate solutions. It is the very model of what a campaigning organisation should be.
We are told that 2026 is going to be the year smart glasses really take off—we will see. In 2007, the iPhone was launched. Yet the Computer Misuse Act still sits comfortably, dustily, fustily out of date on the statute book since 1990, a year when 0.5% of us UKers were online.
What has happened in the intervening 35 and a half years? Has that 0.5% doubled, trebled, increased tenfold or twentyfold? What was 0.5% in 1990 has moved on to 98.7% of the UK being online in 2025. That percentage alone should be enough to make the case for the need to urgently update the Computer Misuse Act. That Act came into being to address the issue of attacks on telephone exchanges. If the Government, or any polling organisation, went on to the streets of our country and asked anybody under the age of that of your Lordships about a telephone exchange, they might get some interesting results, but none of any benefit to the issues that we are discussing. It would be the greatest understatement to say that things have moved on since 1990.
There is a case for change, which the previous Government and this Government have largely accepted. Since 2021, work has been done on reviewing this issue, yet still we await any legislative change. What we are talking about is incredibly straightforward: giving a legal defence to legitimate cyber activities that is clear, concise, precise and proportionate.
The CMA being so chronically out of date would be a good enough reason to update it, but it is not just out of date, it is doing harm—harm to our cyber professionals, who, as I have already mentioned, do so much to keep us safe; harm to the security of our nation; and harm to the UK cyber industry.
I will share some numbers. There are 36.77 million reasons to make a change, because there have been 36.77 million cyber attacks on UK businesses and charities. There are another 27 billion reasons to make this change, because cyber attacks cost UK businesses and our economy £27 billion—not in total but year on year. Since 2021, when these various reviews began, £27 billion has been taken out of our economy year on year.
The changes in these amendments would bring the legal clarity and certainty required by our cyber professionals. If we look at other parts of the Bill, we can see where legal defences and clarity around public interest are being brought in. That would be completely analogous with what we are suggesting here with the Computer Misuse Act.
We are falling behind in terms of security, societal and economic benefits. The United States, France, Germany, Israel, Belgium and more countries already have a more appropriate regime than we do in the United Kingdom. The Government talk about growth, and quite right too. We already have a £13 billion cyber industry in this country. This change could unlock growth in the region of £3 billion, as well as in skills, training, jobs and careers, just by dint of making this very straightforward, clear, concise and proportionate change.
Dan Jarvis—partly in another place and largely at the Financial Times summit on 5 December last year—acknowledged this issue, stating that he understood the points behind it and that it was a priority for the Home Office. I therefore ask the Minister: is this a key, pressing and urgent priority? I suggest that it should be one of the Home Office’s top priorities. To that end, will the Minister agree to meet me and other colleagues across your Lordships’ House to update us on exactly where the Home Office’s thinking is, and where and when it is looking to make this change?
We have the ideal opportunity with this Bill. The time is now. In many ways, we are well overdue for the time being now. I ask the Minister: if not this Bill, what Bill? If not now, when?
My Lords, I support the amendments in this group, especially Amendments 360 and 362, tabled by the noble Lord, Lord Clement-Jones, and my noble friend Lord Holmes.
Like others, I welcome that the Government appear to have seen value in the introduction of a statutory defence for cyber security researchers. I hope that this will result in the updating of the Computer Misuse Act, for which, like others, I have been campaigning for about a decade. When it was passed, that Act was perfectly valid, but the market conditions, which have been described by colleagues, were extraordinarily different. As my noble friend Lord Holmes has rightly said, the Act is now not just neutral in the scene but actively doing damage to our national security.
The Act prevents or discourages those professionals whose work lies in researching things such as vulnerabilities in the system or threat intelligence from doing that work, because of the possibility of finding themselves in trouble with the law. It is therefore very important that we organise ourselves so that such challenges, if they exist, can be defended against as they come forward, and that the activities of our professionals can be both supported and encouraged.
I hope that, in drafting the legislation, the Government will ensure that they cover all aspects of this particular difficulty—not just vulnerabilities in the system but particularly threat intelligence, which, if we think about it for a moment, is becoming increasingly important. We need to know what is wrong with the system, and we need to know it early and before it is capable of doing real damage in each case.
This is an important amendment. When he replies, can the Minister give an assurance that the amendments that the Government will bring forward, I hope, will cover both the question of vulnerabilities and the issue of threat intelligence?
My Lords, I thank the noble Lord, Lord Clement-Jones, and my noble friend Lord Holmes of Richmond for tabling the amendments in this group.
To start with Amendment 360, I welcome the noble Lord’s aims. When a crime is detected or prevented, it is a sensible principle that the individual responsible for detection or prevention should not be punished. That said, the amendment is perhaps too wide in its scope. It mentions nothing of proportionality, which leads me to worry that it could end up being used as a defence for an individual who has committed a far greater crime than that which they claim to have been preventing. Similarly, “public interest” is broad and undefined, and I would appreciate it if the noble Lord, Lord Clement-Jones, could clarify what would fall under this defence.