Documents to download

There will be a Westminster Hall debate on the Computer Misuse Act 1990 on 19 April 2022.  The debate will be led by Dr Jamie Wallis MP.

The Computer Misuse Act 1990 was created to specifically address cyber- dependent crimes such as hacking and misuse of communications systems. 

In 2021 the Home Office published a consultation calling for views on the legislation and whether it could be strengthened to respond to the ongoing threat of cyber- dependent crime.  This consultation ended in June 2021.  A recent response to a parliamentary question said that the responses to the review were being considered and that the Government would provide an update to Parliament in due course.

The Computer Misuse Act

Cybercrime can be divided into two categories:

  • Cyber-dependent crimes, where the crime can only be committed through use of a computer, or other information communications technology (ICT), such as hacking to steal, or the use of malware to disrupt systems or for financial gain; and
  • Cyber- enabled crimes, where more traditional crimes such as fraud or data theft are committed using ICT.

The Computer Misuse Act 1990 was created to specifically legislate for cyber-dependent crimes such as hacking and misuse of communications systems.

The 1990 Act sets out the offences associated with interfering with a computer (hacking) and the associated tools (such as malware, viruses and Trojan Horses) that enable computer systems to be breached.  Sections 1 to 3A create five criminal offences to tackle cybercrime:

  • Section 1 – unauthorised access to computer material or data (hacking);
  • Section 2 – unauthorised access with intent to commit or facilitate commission of further offences;
  • Section 3 – unauthorised acts with intent to impair the operation of a computer (including circulating viruses, deleting files and inserting a “Trojan Horse” to steal data as well as effectively criminalising all forms of distributed denial of service (DDoS) attacks);
  • Section 3ZA – Unauthorised acts causing, or creating risk of, serious damage; and
  • Section 3A – making, adapting, supplying or offering to supply an article intending it to be used to commit, or to assist in the commission of, an offence under sections 1 or 3.

The Act was most recently amended in 2015 by the Serious Crime Act 2015 which created the offence under section 3ZA of unauthorised acts causing serious damage. 

Further information on the offences in the Act is provided in Crown Prosecution Service guidance, Computer Misuse Act.

2021 consultation  

The Government has said that, whilst the Computer Misuse Act continues to be a key part of the response against cybercrime, changes to society’s use of the internet in the last thirty years and an increasing threat from cyber criminals mean that the Act should be reviewed to ensure it is effective in protecting against the threat of cybercrime.  The Home Office held a consultation on the Computer Misuse Act between May and June 2021

The consultation noted the increased use of the internet and the significant threat from cybercrime:

[…] the Act was passed 30 years ago, and since then the reliance of society on the digital world has increased enormously, we are now critically dependent on the internet. The threat is significant. As the Serious Organised Crime Strategy 2018 sets out, cyber security breaches create significant costs for businesses, particularly ransomware attacks, where businesses and organisations, including the NHS, are significantly disrupted. To take action against these threats, the Government has invested £1.9bn through the National Cyber Security Programme between 2016 – 2021 to develop the UK’s cybersecurity.

The consultation asked respondents about whether there were “legislative gaps in our response to cyber-dependent crime, and in particular if there is a need to make changes to the Computer Misuse Act to improve our ability to protect our society from the threat posed by cyber-dependent crime.”

It asked about several elements in the Act, including whether:

  • the current offences adequately address cyber-dependent crimes;
  • whether law enforcement agencies were suitably equipped to deal with cybercrime; and
  • whether legitimate cyber security activity was protected under the law.

This consultation ended in June 2021.  A recent response to a parliamentary question said that the responses to the review were being considered and that the Government would provide an update to Parliament in due course.

Proposals for reform of the Act

One concern raised by representatives of the cybersecurity industry is that the Computer Misuse Act applies a blanket prohibition of all unauthorised access to computer material, irrespective of intention.  They report that this inadvertently criminalises a large proportion of vulnerability and threat work undertaken by UK cybersecurity professionals.

The CyberUp campaign group (a coalition of industry bodies) is calling for the inclusion of a statutory defence within the Computer Misuse Act to ensure that “cyber security professionals who are acting in the public interest can defend themselves from prosecution by the state and from unjust civil litigation.”  It argues that the current legislation “leaves the UK’s cyber defenders having to act with one hand tied behind their back because much of their defensive work requires the interaction with compromised victims’ and criminals’ computer systems where owners have not, or are unlikely to, explicitly permit or authorise such activities.”  The CyberUp campaign provides more detail on this issue in a campaign briefing

A 2020 report by the Criminal Law Reform Now Network (which facilitates collaboration between academics and others on criminal law reform) provides an analysis of the Computer Misuse Act and makes proposals for reforms.  It states that the Act “requires significant reform to make it fit for the 21st Century” and proposes a number of changes to the legislation.These include:

  • amending the offences under the Act;
  • introducing a new public interest defence for cyber security professionals and journalists;
  • the revision of prosecution guidance; and
  • the production of specific sentencing guidance.

More information is provided in the report, Reforming the Computer Misuse Act 1990.

Documents to download

Related posts