Professor John Child gave evidence.

We will now hear evidence from Professor John Child, professor of criminal law at the University of Birmingham and co-founding director of the Criminal Law Reform Now Network. For this session, we have until 3.20 pm.

Q Thank you for coming to give evidence this afternoon. I have a couple of questions. First, how can industry and cyber-security researchers collaborate more effectively to increase cyber-resilience in the network and information systems of regulated sectors? Secondly, and building on that, are there any model schemes or arrangements for reporting risks to affected companies that could incentivise legitimate research activities?

Professor John Child:

My specialism is in criminal law, so this is a bit of a side-step from a number of the pieces of evidence you have heard so far. Indeed, when it comes to the Bill, I will focus on—and the group I work for focuses on—the potential in complementary pieces of legislation, and particularly the Computer Misuse Act 1990, for criminalisation and the role of criminalisation in this field.

I think that speaks directly to the first question, on effective collaboration. It is important to recognise in this field, where you have hostile actors and threats, that you have a process of potential criminalisation, which is obviously designed to be effective as a barrier. But the reality is that, where you have threats that are difficult to identify and mostly originating overseas, the actual potential for criminalisation and criminal prosecution is slight, and that is borne out in the statistics. The best way of protecting against threats is therefore very much through the use of our cyber-security expertise within the jurisdiction.

When we think about pure numbers, and the 70,000-odd cyber-security private experts, compared with a matter of hundreds in the public sector, police and others, better collaboration is absolutely vital for effective resilience in the system. Yet what you have at the moment is a piece of legislation, the Computer Misuse Act, that—perfectly sensibly for 1990—went with a protective criminalisation across-the-board approach, whereby any unauthorised access becomes a criminal offence, without mechanisms to recognise a role for a private sector, because essentially there was not a private sector doing this kind of work at the time.

When we think about potential collaboration, first and foremost for me—from a criminal law perspective—we should make sure we are not criminalising effective cyber-security. The reality is that, when we look at the current system, if any authorised access of any kind becomes a criminal offence, you are routinely criminalising engagement in legitimate cyber-security, which is a matter of course across the board. If you are encouraging those cyber-security experts to step back from those kinds of practices—which may make good sense—you are also lessening that level of protection and/or outsourcing to other jurisdictions or other cyber-security firms, with which you do not necessarily have that effective co-operation, reporting and so on. That is my perspective. Yes, you are absolutely right, but we now have mechanisms in place that actively disincentivise that close collaboration and professionalisation.

Q Professor Child, I note that you are very supportive of legal reform in quite a number of areas. With emphasis on the Computer Misuse Act, surely the reality is that the Crown Prosecution Service will never conclude that it is in the best interests of the country to prosecute any of the behaviours that people are concerned about, which we recognise as positive and helpful. Is there a need for legal reform?

Professor John Child:

Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.

We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—is vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.

The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”

Q I have a couple of unconnected questions. We have asked a couple of times whether senior board members should have legal, statutory responsibility for cyber. The pros are that it is not seen as a priority, and culture change has to be top-down. However, there are issues with smaller companies bearing a responsibility that is diffused along the supply chain. Also, boards that tend to have a focus on providing returns for shareholders may not be investing in this complex arena. I am interested in your thoughts on whether the Bill does enough to make senior executives responsible for their organisations’ cyber-security.

Professor John Child:

I think the Bill does a lot of things quite effectively. It modernises in a sensible way and it allows for the recognition of change in type of threat. This goes back to my criminalisation point. Crucially, it also allows modernisation and flexibility to move through into secondary legislation, rather than us relying purely on the maturations of primary legislation.

In terms of board-level responsibility, I cannot speak too authoritatively on the civil law aspects, but drawing on my criminal law background, there is something in that as well. At the moment, the potential for criminalisation applies very much to those making unauthorised access to another person’s system. That is the way the criminal law works. We also have potential for corporate liability that can lead all the way up to board rooms, but only if you have a directing mind—so only if a board member is directing that specific activity, which is unlikely, apart from in very small companies.

You can have a legal regime that says, whether through accreditation or simple public interest offences, that there are certain activities that involve unauthorised access to another person’s system, which may be legitimate or indeed necessary. However, we want a professional culture within that; we do not want that outsourced to individuals around the world. You can then build in sensible corporate liability based on consent or connivance, which goes to individuals in the boardroom, or a failure-to-prevent model of criminalisation, which is more popular when it comes to financial crimes. That is where you say, “If this exists in your sector, as an industry and as a company, you can be potentially liable as an entity if you do not make sure these powers are used responsibly, and if you essentially outsource to individuals in order to avoid personal liabilities”.

Q Thank you—that was quite detailed. I have a very quick question: what measures would you want the Government to take to enhance the cyber-resilience of the UK’s critical national infrastructure? I am interested in your thoughts on requirements for failsafes and risk management, and indeed on the non-technical resilience measures that would be needed in case of complete failure.

Professor John Child:

Again, I have to draw back to the criminal law aspects. I think the Bill does the things it needs to do well; certainly, from the conversations I have had with those in cyber-security and so on, these are welcome steps in the right direction.

However, when you look at critical national infrastructure, although you can create layers of civil responsibility and regulation—which is entirely sensible—most of that will filter down to individuals doing cyber-security and resilience work. It is about empowering those individuals; within a state apparatus, that is one thing, but even with regulators and in-house cyber-security experts, individuals are working only within the confines of what they are allowed to do under the criminal law, as well as the civil regulatory system.

The reason I have been asked here, and what a lot of my work has focused on, is this: if you filter responsibility down to individuals doing security work for national as well as commercial infrastructure, you need to empower them to do that work effectively. The current law does not do that; it creates the problem of either doing that work under the veil of criminalisation, or not doing it, with work being outsourced to places where you do not have the back-and-forth communication and reporting regime you would need.

I think you are touching on the old problem of where liability lies when you have this long supply chain of diffused responsibility, but thank you.

Q Thank you, Professor, for coming along. You said that when the Computer Misuse Act was written in 1990, not many people were doing cyber-security work. You attested that the criminalisation element was negative for a number of reasons. Obviously, since then, a private sector has grown up in this area. I am struggling to marry those two pieces of information together. Can you give us an impression of other jurisdictions and of international comparators where things may be different, and whether they have been able to get ahead of us in building a more thriving sector? Are we particularly lagging behind in the OECD? Are other countries ahead of us because they do not have the measures we do?

Professor John Child:

That is a good question. It is certainly fair to say that all jurisdictions are somewhat in flux about how to deal with cyber threats, which are mushrooming in ways people would not have expected—certainly not in 1990, but even many years after.

The various international conventions—the OECD, the Budapest convention and so on—require regulation and criminalisation, but those are not nearly as wide as the blanket approach that was taken in this country. Some comparative civil law jurisdictions in the rest of Europe start from a slightly different place, in that they did not necessarily take the maximalist approach to criminalisation we did.

In a number of jurisdictions, you do not have direct criminalisation of all activities, regardless of the intention of the actor, in the same way that we do. So we are starting from a slightly different position. Having said that, we do see a number of jurisdictions making positive strides in this direction, because they need to; indeed, we see that at European Union level as well, where directives are being created to target this area of concern.

There are a few examples. We wrote a comparative report, incidentally, which is openly available. In terms of some highlights from that, there is a provision in French law, for example, where, despite mandatory prosecution being the general model within French criminal law, there is a carve-out relating to cyber-security and legitimate actors, where there is not the same requirement to prosecute. In the Netherlands, there was a scandal around hacking of keycards for public transport. That was done for responsible reasons, and there was a backlash in relation to prosecution there. There were measures taken in terms of prosecutorial discretion. Most recently, in Portugal, we saw a specific cyber-security defence created within the criminal law just last year.

In the US, it varies between states. In a lot of states, you have quite an unhelpful debate between minimalist and maximalist positions, where they either want to have complete hack-back on the one hand or no action at all on the other, but you have a slightly more tolerant regime in terms of prosecution.

So there are varying degrees, but certainly that is the direction of travel. For sensible, criminal law reasons that I would speak to, as well as the commercial benefits that come with a sector that is allowed to do its work properly, and the security benefits, that is certainly the direction of travel.

Q That is a really helpful international comparator on where others are with the criminal law. Is there any correlation between that and the ability of people within those jurisdictions to act and work in this space? In the UK, we have seen a significant increase in the number of people working in this area since 1990. That is the real thing for me: whether we can prove that, internationally, there is a significant difference between jurisdictions that are minimalist or maximalist. If one of them is encouraging more people to work in this area, and therefore has a wider pool of talent, are they able to protect critical infrastructure better? Does that correlation exist?

Professor John Child:

Yes. As I understand it, it does. This is part of the reason, incidentally, why my organisation, which focuses very much on criminal law aspects, ended up doing some collaborative work with the CyberUp campaign. That is because, from the industry perspective, they can do that kind of business modelling in a way that we do not. Whereas we can make the case for sensible criminal law reform, they can talk about how that reform translates into both the security environment and the commercial environment. Their perspective on this is, first, that we can see that there is already outsourcing of these kinds of services, particularly to the US, Israel and other more permissive jurisdictions. That is simply because, if you are a cyber-security expert in one of those jurisdictions, you are freer to do the work companies would like you to do to make sure their systems are safe here.

There are also the sectoral surveys and so on, and the predictions about what it is likely to do to the profession if you allow it to do these kinds of services in this jurisdiction. That is about the security benefits, but they are also talking about something like a 10% increase in the likely projection of what cyber-security looks like in this jurisdiction—personnel, GDP and so on.

Q What are the arguments against amending the CMA, and how would you deal with them?

Professor John Child:

There are obviously a number. It is always more comfortable when you have a beginning point of criminalisation. The argument to decriminalise in an environment where you want to protect against threats is sometimes a slightly unintuitive sell. Is the criminalisation that we have doing the necessary work in terms of actually fighting the threats? To some extent, yes, but it is limited. Is it doing harms? There is an argument to say that it is doing harms.

This comes back to the point that was made earlier, which was perfectly sensible. When you speak to the CPS and others, their position as prosecutors is to say, “Very few people are being prosecuted, and we certainly don’t want to be prosecuting legitimate cyber-security experts, so there is no problem.” Admittedly, that means there is no problem in terms of actual criminalisation and prosecution, but that is the wrong problem. If you focus on the problem being the chilling effect of the existence of the criminalisation in the first place, you simply cannot solve that through prosecutorial discretion, and nor should you, when it comes to identifying what a wrong is that deserves to be criminalised. You certainly cannot resolve it through sentencing provisions.

The only way that you can sensibly resolve this is either by changing the offence—that is very difficult, not least because, from a position of criminalisation, it might be where other civil jurisdictions begin—or by way of defence, which realistically is the best solve from the point we are at now. If you have a defence that can be specifically tailored for cyber-security and legitimate actors, you can build in reverse burdens of proof. You can build in objective standards of what is required in terms of public interest.

The point here is that the worry is one of bad actors taking advantage. The reality is that that is very unlikely. The idea that the bad actors we identify within the system would be able to demonstrate how they are acting in the public best interest is almost ridiculous. Indeed, the prospect of better threat intelligence, better securities and so on provides more information and better information-sharing to the NCSC and others and actually leads to more potential for prosecution of nefarious actors rather than less.

It is a more complicated story than we might like in terms of a standard case for changing the criminal law, but it is nevertheless an important one.

That brings us to the end of the time allotted to ask questions. On behalf of the Committee, I thank our witness for his evidence. We move on to our next panel.