“(1) The Secretary of State must, within twelve months of the passing of this Act, review whether amendments to the Computer Misuse Act 1990 may be conducive to ensuring, maintaining or improving the security and resilience of network and information systems used or relied upon in connection with the carrying on of essential activities.

(2) Following the conclusion of the review under subsection (1), the Secretary of State must lay before Parliament a report which outlines–

(a) the potential amendments to the Computer Misuse Act 1990 which were considered as part of the review;

(b) the review’s conclusions as to whether the potential amendments considered could be beneficial in ensuring, maintaining or improving the security and resilience of relevant network and information systems; and

(c) the Government’s intentions to make amendments to the Computer Misuse Act 1990 or act on any other recommendations of the review.”—

This new clause would require the Secretary of State to review, within 12 months, whether amending the Computer Misuse Act 1990 could improve the resilience of network and information systems, and to report the government’s intentions to Parliament.

Brought up, and read the First time.

I beg to move, That the Clause be read a Second time.

With this it will be convenient to discuss new Clause 19—Vulnerability research: review of the merits of a statutory defence—

“(1) The Secretary of State must, within twelve months of the passing of this Act, review the extent to which an Amendment to section 1 of the Computer Misuse Act, with the effect of introducing a statutory defence available to individuals undertaking ethical vulnerability research, would improve the security of the network and information systems of relevant bodies.

(2) A review under this section must consider whether a statutory defence would enable relevant bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

(3) For the purposes of this section—

(a) ‘ethical vulnerability research’ means access, whether authorised or otherwise, to computer material with the intention of identifying vulnerabilities to cyber attacks, where—

(i) the research is aimed at enhancing the resilience of the network and information system of a relevant body or relevant bodies, and

(ii) the findings of the research are kept securely, shared only with those responsible for the security or resilience of the network and information system concerned, and shared solely for the purpose of enhancing the security or resilience of the network and information system concerned;

(b) ‘relevant bodies’ means operators of essential services, critical suppliers, digital service providers or managed service providers, as defined by the NIS Regulations.”

This new clause would require the Government to review whether the resilience of relevant organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse Act, so that a person could be deemed not guilty if they engage in vulnerability research in the public interest.

New Clause 18 would place a duty on the Government to review within 12 months whether our over-30-year-old Computer Misuse Act is holding back the very cyber-resilience that the Bill seeks to build. The Government’s own impact assessment for the Bill identifies a key market failure: imperfect information. It states that businesses lack awareness of their own cyber-risks, leading to under-investment in security. We must ask why that information is imperfect. We believe that it is partly because the Computer Misuse Act 1990 prevents cyber-security professionals from undertaking legitimate public interest activity to identify those risks, so ethical hackers cannot provide the necessary information.

New clause 18 ties the review specifically to the security and resilience of network and information systems regulated by the Bill. It asks a simple question: does the Computer Misuse Act 1990 help or hinder the resilience of our critical infrastructure? For that reason, I wish to seek a vote on new clause 18.

I will speak to new Clause 19, tabled in my name on behalf of His Majesty’s official Opposition. The new clause would compel the Secretary of State, within 12 months of Royal Assent, to review the need for a statutory defence, encompassing legitimate cyber-research activities, to criminal offences under clause 1 of the Computer Misuse Act 1990, which is about unauthorised access to computer programs.

The campaign for reform in this area, CyberUp, has argued that, in its current form, the CMA inadvertently criminalises critical activity such as vulnerability research and threat intelligence, both of which are essential for defending the nation’s digital systems. The new clause would also require the Secretary of State’s review to evaluate whether the creation of such a defence would enable regulated bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

New clause 18, tabled by the hon. Member for Henley and Thame, relates to the same important topic and would require the Secretary of State to review, and report to Parliament within 12 months of the Bill’s entering into law, whether amending the Computer Misuse Act could improve the resilience of network and information systems.

Hon. Members will recall the insightful oral evidence of Professor John Child of the University of Birmingham. Professor Child made a clear and compelling case for the need to amend the Computer Misuse Act to provide statutory defences for legitimate cyber-research—sometimes called ethical hacking activities. Likewise, campaign groups, industry specialists and parliamentarians have all argued that the Computer Misuse Act, which was written before the modern internet, is no longer fit for purpose.

At present, the Act fails to distinguish between malicious attackers and cyber professionals acting in the public interest, inadvertently criminalising a large proportion of research that UK cyber-security professionals can carry out to protect UK critical infrastructure and the UK’s technological ecosystem. This means that cyber-security professionals working to defend UK organisations from real-world threats risk prosecution. That has created a chilling effect—talent is being lost, investment is stifled and security gaps are going unidentified.

If we are to have true UK cyber-resilience—not just among regulated sectors, but across businesses of all types and throughout society—we need a multifaceted approach. Industry and private sector-led initiatives will play a strong role in that. Professor Child made clear that countries that have implemented more favourable regimes, such as the US and Israel, are benefiting from increased cyber-resilience as a result of cyber-research activity.

The Government have acknowledged that reform of the CMA is a pressing issue. Indeed, the Home Office has been reviewing that question for some time. Further, the Minister for Security, Dan Jarvis, highlighted the urgent need for changes to the law in this area in a recent speech, stating that Government have

“heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake.”

He went on to say:

“These researchers play an important role in increasing the resilience of UK systems, and securing them from…vulnerabilities.

We shouldn’t be shutting these people out, we should be welcoming them and their work.”

Yet the Home Office has brought forward no specific proposals for reform. Parliament is unlikely to legislate again in the cyber-security domain for some considerable time; we cannot afford to kick the can down the road on this vital issue any longer if we are to have a credible plan for whole-of-society cyber-resilience.

Can the hon. Gentleman address the point of who he thinks would benefit if that Act was repealed?

I am a bit unclear about the hon. Gentleman’s Intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new Clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.

I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.

I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.

I speak first to new Clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.

The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.

New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.

I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.

Many of us, on both sides of the House, are sympathetic to both new clauses. We heard very clearly in evidence sessions that the Computer Misuse Act, as it is today, has a chilling effect on the operation of the cyber-security industry in this country and on whether such companies want to locate here as opposed to other countries.

I absolutely hear what the Minister says about the Home Office developing proposals. I wonder whether he can set out a timescale for when those proposals are likely to be brought forward—whether he expects that to be in this parliamentary Session or the next one. The issue is clearly holding back the cyber-security industry in this country, and we would all like to see it resolved.

My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.

I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new Clause.

Just—

Will the Minister clarify what he thinks ethical vulnerability research actually constitutes?

Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.

I return to new Clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.

We are a responsible Opposition and we are pleased to hear about the work that the Minister and his Department have been doing and about the shared purpose in getting this done and getting it right. Would he give us a bit more detail of the timescales and plans for public consultation? I understand that he has been doing some personal consultation in private, but will there be a public consultation? Given that the reform crosses two Departments, which Department will be taking it forward? What I am really looking for from him is a confirmation at the Dispatch Box that he is personally committed to getting this piece of work over the line during this parliamentary term.

I thank the Shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.

In that spirit, I thank hon. Members for their work on this question of the Amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.

I beg to ask leave to withdraw the Clause.

Clause, by leave, withdrawn.

Bill, as amended, to be reported.

Committee rose.

CSRB34 Regulatory Policy Committee (RPC)

CSRB35 iProov (further written evidence)

CSRB37 techUK (supplementary)

CSRB38 Cloudflare

CSRB39 Microsoft