Lord Arbuthnot of Edrom:
Moved by Lord Arbuthnot of Edrom
16: After Clause 49, insert the following new Clause—

“Offences under the Computer Misuse Act 1990: defence

Notwithstanding anything contained in the Computer Misuse Act 1990, it is not an offence for a person (“A”) to test the conformity of a relevant connectable product with all or any of the security requirements, without consent of the person entitled to control access to the product (“B”), where—

(a) A reasonably believes that B would have consented to that testing if B had known about the circumstances of it, including the reasons for performing it,

(b) A is empowered by an enactment, a rule of law, or an order of a court or tribunal, to carry out the test, or

(c) the test was necessary for the detection of crime.”
My Lords, Amendment 16 proposes a statutory defence for ethical hackers. I am grateful to the noble Lord, Lord Clement-Jones, and to the CyberUp campaign, for their help. Again, I declare my interests as chairman of the Information Assurance Advisory Council, chairman of the Thales UK advisory panel and chairman of Electricity Resilience Limited.
The Computer Misuse Act 1990 criminalised unauthorised access to computer systems. The methods used by cybercriminals and cybersecurity professionals are often identical, which is one of the things that makes the drafting of this amendment rather problematic. Usually, criminals do not have permission for what they do, and cybersecurity professionals do, but I am told by the CyberUp campaign that there are occasions on which that permission is difficult or impossible for a cybersecurity professional to get.
At Second Reading, I cited the case of Rob Dyke, who has been through a legal tussle with the Apperta Foundation, which has since been in touch with me to put its side of the story. It is clear that it feels strongly that it was right to pursue Mr Dyke until he gave undertakings that allowed it to drop its litigation. I do not know the rights and wrongs of that, but the Apperta Foundation supports the principles put forward by CyberUp for a legal defence for offences under the Computer Misuse Act.
In any event, the Government are carrying out a review into the 1990 Act. CyberUp’s submission to it sets out that many in the cybersecurity profession do not know whether what they are doing is legal. This is because legislation in 1990 came in before much of what now happens with computers had been thought of—so it inevitably created ambiguities. In the 1990 Act, no consideration was given—I remember because I was there—to web scraping, port scanning or malware denotation, and people are not sure that they are legal. Some of us are not sure quite what they are.
This is why there needs to be certainty for cybersecurity researchers; they need to be able to do things for the public good. We cannot rely on the National Cyber Security Centre for everything, because even the Government cannot keep up with the speed of technological development, as has been mentioned. The CyberUp campaign recognises that legislation also cannot keep up with the speed of change, so it has helped with drafting this amendment not with a view to seeing it enacted—my noble friend will resist it for a number of good reasons—but with a view to eliciting from the Government a statement about how they are getting on with this aspect of the review of the Computer Misuse Act.
One suggestion that the CyberUp campaign makes is that
“legislation to mandate the courts to ‘have regard to’ Home Office or Department for Digital, Culture, Media and Sport … guidance on applying a statutory defence that would, ideally, be based on the framework” of principles. This includes, first, the prospective benefits of the Act outweighing the prospective harms; secondly, reasonable steps being undertaken to minimise the “risks of causing harm”; thirdly, the actor demonstrably acting “in good faith”; and fourthly, the actor being “able to demonstrate … competence”. Here we may come back to the standards/principle discussion that we had on the first group.
So I expect my noble friend to reject this amendment, but I should be grateful if he could say where the Government’s thinking on the matter is.
My Lords, I speak in support of this amendment. My noble friend has just said that he doubts that the Government will adopt it, but, like him, I want to know where their thinking has got to.
The Computer Misuse Act is one of the first bits of legislation passed in the cyber era. It is old and out of date, and it is fair to say that it contains actively unhelpful provisions that place in legal jeopardy researchers who are doing work that is beneficial to cybersecurity. That is not a desirable piece of legislation to have on the statute book.
Last year, before the consultation that closed over a year ago, I corresponded with my noble friend Lady Williams. The common-sense reading of her reply was that the Home Office was quite aware that the Computer Misuse Act needed updating. I confess that I am a bit disappointed that, a year after the consultation closed, there still has not been a peep from the Government on this subject—either a draft or a statement of intention. It would be good to know where the Government are going, because it is quite damaging for this legislation as it stands to remain on the statute book: it needs modernisation.
Like my noble friend, I recognise that actually getting the drafting right is tricky and complex. Drafting language that strikes the right balance is not all that easy. But inability to find an ideal outcome is not a good reason for doing nothing, so I live in expectation, because the best must not be the enemy of the good. If the Government do not intend to produce legislation that updates that Act, I should like to see something in this legislation, taking advantage of it, at least to move the dial forward and protect ethical hackers to a greater extent than is the case at the moment.
If the Government are concerned about our drafting, I am sure we would be willing to listen to suggestions on a better formulation. In the absence of that, perhaps the Minister will say when and how the Government intend actually to modify a piece of legislation that has served its time and now needs to be superseded.
My Lords, very quickly, I remember well during the passage of the Computer Misuse Act and the Police and Justice Act 2006 trying to tidy up language about hacking tools and so on. It became very complicated and no one could quite work out how to do it, because the same thing could be used by baddies to do one thing and by good people to help maintain systems, et cetera. In the end, I think it went into the Act and they just said, “Well, we won’t prosecute the good guys”. Everyone felt that was a little inadequate. I do not know quite what we are going to do about it but it needs to be looked at. Therefore, this is a good start and I would welcome some discussion around it, because we need something in law to protect the good people as well as to catch the criminals.
My Lords, this amendment is countersigned by my noble friend Lord Clement-Jones. I know he will be very disappointed not to be able to speak to this, because it is an issue he feels particularly strongly about, as do I. Also in their absence are the auras of the noble Lords, Lord Vaizey and Lord Holmes, who spoke at Second Reading on this issue—it is a shame they are not here, but I think they have been ably replaced by the noble Baroness, Lady Neville-Jones, and the noble Earl, in their speeches. I will try not to duplicate the points that have been made by the three speakers before me. At the heart of this, as the noble Baroness confirmed, is the need to address the UK’s outdated Computer Misuse Act to create fit-for-purpose cybercrime legislation to protect national security. Clearly, that is not easy, as she pointed out, but that does not mean we should not do it at some point.
The Computer Misuse Act, as we know, was created to criminalise unauthorised access to computer systems or illegal hacking. It entered into force in 1990, before the cybersecurity industry as we know it today had really developed in the UK. Now, 32 years later, many modern cybersecurity practices involve actions for which explicit authorisation is difficult, if not impossible, to obtain. As a result, the Computer Misuse Act now criminalises at least some of the cybervulnerability and threat intelligence research and investigation that UK-based cybersecurity professionals in the private and academic sectors are capable of carrying out. This creates a perverse situation where the cybersecurity professionals, acting in the public interest to prevent and detect crime, are held back by the legislation that seeks to protect the computer systems: it is an anomaly.
As noble Lords will know, under the guidance that will be introduced following the passage of the Bill, manufacturers of consumer-connectable products will be required to provide a public point of contact to report vulnerabilities. This could be an important step forward in ensuring that vulnerability disclosures by cybersecurity researchers are encouraged, leading to improved cyber resilience across these technologies, systems and devices.
Indeed, the government response to the consultation on these proposals mentioned the importance of legal certainty for security researchers in the context of vulnerability disclosure. However, if the Government recognise and encourage greater vulnerability reporting as an important part of the cyber resilience—that is what they seem to be saying—they should go further by reforming the Computer Misuse Act and putting into law a basis from which cybersecurity researchers can defend themselves in doing what the Government have bid them to do: reporting vulnerabilities. On the one hand, the Government are creating a responsibility; on the other, because of the existing legislation, this remains potentially illegal.
It is not in the scope of this Bill to amend the Computer Misuse Act and provide a more comprehensive defence under it, so this amendment is the next best opportunity. Instead, it seeks a more limited goal: to ensure that cybersecurity professionals, who act in the public interest in relation to testing relevant connectable products, can defend themselves from prosecution by the state and from unjust civil litigation—and would do so by inserting this new clause. I stress that, because of the public interest aspect in the context, it is surely of great importance that these products can be tested in good faith without securing the consent of the product manufacturer or distributor in every case. Without this or a wider Computer Misuse Act defence, the impact of the security requirements in the Bill will be far too weak and will essentially depend on manufacturers and distributors marking their own homework.
We support this amendment and look forward to the Minister explaining how the important words of Her Majesty’s Government on reporting vulnerabilities can be carried out without a measure such as this on the statute book.
My Lords, this has been a far more interesting debate than I initially surmised it would be—
No, I give credit where it is due. I congratulate the noble Lord, Lord Arbuthnot, on his amendment because the issues that he raised and the questions posed by the noble Lord, Lord Fox, in particular, are legitimate ones.
Although this is not the place to amend or change the Computer Misuse Act 1990, as the noble Lord, Lord Fox, said, it certainly is the place to raise concerns. After all, we are talking about product security and safety. It is vital that we have appropriate safeguards in place to prevent and, if need be, punish cyberattacks and other forms of hostile behaviour online.
However, as we seek to make smart devices safer, clearly there is a role for researchers and others to play in identifying and reporting on security flaws. They need to be able to do this within the safe zone of concern, knowing that they are not themselves going to be captured by those who are responsible for cybersecurity. As I understand it, exemptions exist in similar legislation to ensure that academics and other legitimately interested parties can access material relating to topics such as terrorism. The amendment before us today raises the prospect of granting a similar exemption and defence in this particular field.
I am conscious that the noble Lord, Lord Fox, raised the spectre of auras in the form of the noble Lords, Lord Vaizey, Lord Clement-Jones and Lord Holmes of Richmond—as well as the intent of the noble Baroness, Lady Neville-Jones, who is of course very knowledgeable about the business of security and has had both professional and political responsibility in that field. However, I think that, when those auras and his own say that this is an issue of concern, we as the Official Opposition reflect that concern.
I hope that the noble Lord will engage with the noble Lord, Lord Arbuthnot, and others following Committee on this—I am sure he will—because it is a very important subject. A campaign backed by such an esteemed cross-party group of colleagues in the Committee and in another place cannot be entirely wrong. The Computer Misuse Act 1990 is the framework we have got, but it is right that it is reviewed and that something fresh is brought before us to protect us from cyberattacks in the future.
I am very grateful to my noble friend Lord Arbuthnot of Edrom for representing the other three signatories to this amendment. I was glad to meet him and the noble Lord, Lord Clement-Jones, to discuss this yesterday.
The role of security researchers in identifying and reporting vulnerabilities to manufacturers is vital for enhancing the security of connectable products. The good news is that many manufacturers already embrace this principle, but there are also some products on the market, often repackaged white label goods, where it is not always possible to identify the manufacturer or who has the wherewithal to fix a fault. The Bill will correct that.
As noble Lords have noted, there are legal complexities to navigate when conducting security research. The need to stop, pause and consider the law when doing research is no bad thing. The Government and industry agree that the cybersecurity profession needs to be better organised. We need professional standards to measure the competence and capabilities of security testers, as well as the other 15 cybersecurity specialisms. All of these specialists need to live by a code of professional ethics.
That is why we set up the UK Cyber Security Council last year as the new professional body for the sector. Now armed with a royal charter, the council is building the necessary professional framework and standards for the industry. Good cybersecurity research and security testing will operate in an environment where careful legal and regulatory considerations are built into the operating mode of the profession. We should be encouraging this rather than creating a route to allow people to sidestep these important issues.
As noble Lords have rightly noted, the issues here are complex, and any legislative changes to protect security researchers acting in good faith run the risk of preventing law enforcement agencies and prosecutors being able to take action against criminals and hostile state actors—the goodies and baddies as the noble Earl, Lord Erroll, referred to them. I know my noble friend’s amendment is to draw attention to this important issue. As drafted, it proposes not requiring persons to obtain consent to test systems where they believe that consent would be given. That conflicts with the provisions of the Computer Misuse Act, which requires authorisation to be given by the person entitled to control access. As the products that would be covered by this defence include products in use in people’s homes or offices, we believe that such authorisation is essential. The current provisions in the Computer Misuse Act make it clear that such access is illegal, and we should maintain that clarity to ensure that law enforcement agencies do not have to work with conflicting legislation.
The amendment would also limit the use of such a defence as testers would still be subject to the legal constraints that noble Lords have described when reporting any vulnerability that the Government have not banned through a security requirement. If a new attack vector was identified that was not catered for by the security requirements, the proposed defences would have no effect. The amendment would not protect those testing products outside the scope of this regime, from desktop computers to smart vehicles. If we consider there to be a case for action on this issue, the scope of that action should not be limited to the products that happen to be regulated through this Bill. None the less, the Government are listening to the concerns expressed by the CyberUp Campaign, which have been repeated and extended in this evening’s debate.
The Home Secretary announced a review of the Computer Misuse Act last year. As my noble friend noted, the Act dates back to 1990. I do not want to stress too much its antiquity as I am conscious that he served on the Bill Committee for it in another place. His insight into the debates that went into the Bill at the time and the changes that have taken place are well heard. The evidence which is being submitted to the review is being assessed and considered carefully by the Home Office. It is being actively worked on and the Home Office hopes to provide an update in the summer.
I hope, in that context, that noble Lords will agree that it would be inappropriate for us to pre-empt that work before the review is concluded and this complex issue is properly considered. With that, I hope my noble friend will be content to withdraw his amendment.
My Lords, I was six at the time. It has been a useful debate and I thank all those who have taken part. I am particularly grateful to my noble friend Lady Neville-Jones, who made it quite plain that we understand the problems in the way of the Government in legislating on this but we are getting impatient. With everything that is going on in the world, out-of-date cybersecurity legislation is becoming more dangerous day by day. That said, I beg leave to withdraw the amendment.
Amendment 16 withdrawn.
Clauses 50 to 57 agreed.