Introduction to the UK's Cybercrime Law Reform Plans
The British government has announced plans to overhaul the country's main cybercrime law, the Computer Misuse Act 1990. The proposed reforms aim to provide a statutory defense for security researchers, but experts warn that the protections would be too narrow, leaving most researchers in the same position as today.
Background and Context
The Computer Misuse Act 1990 has been criticized for prohibiting ordinary cybersecurity activities, and the industry has been campaigning for modernization. In December, Security Minister Dan Jarvis pledged to introduce a statutory defense for researchers, but the proposed safeguards are extremely limited.
Limitations of the Proposed Safeguards
The government plans to restrict the statutory defense to cases where researchers are being prosecuted for scanning internet-facing systems. This would require researchers to cease activity the moment a vulnerability is identified, meaning they could not confirm it was real, assess its severity, or determine its exploitability.
Accredited researchers would also be required to conduct tests personally and could not direct others to carry out activity on their behalf. This provision would cut across the standard commercial model, where senior professionals oversee junior staff or automated tools.
Criticism and Concerns
Industry professionals say that the proposed reforms would render any disclosure nearly worthless, since system owners routinely require proof that a vulnerability is genuine before acting on it. The accreditation requirement has also been widely criticized, as it could exclude bug bounty hunters, academic researchers, hobbyists, and professionals at smaller businesses.
Jen Ellis, a cyber policy consultant, praised officials for engaging with the security community but warned that there was a misalignment between expectations and reality. She argued that the current proposal was much narrower and focused only on scanning for known vulnerabilities.
Global Comparison and Competitive Disadvantage
Standard practices across the global cybersecurity industry, including accessing attacker infrastructure to understand ongoing campaigns, remain criminalized in the United Kingdom. The government is understood to be concerned that a broad statutory defense covering these activities would provide malicious actors with legal cover.
Industry representatives say that the current position puts British companies at a competitive disadvantage to rivals in Germany, France, the Netherlands, Belgium, and the United States, all of which operate under less restrictive legal frameworks.
Conclusion and Future Directions
The Home Office said it was speaking to international counterparts to understand their approaches to the issue. The National Cyber Security Centre (NCSC) declined to comment on how many of its staff hold chartered status.
A spokesperson for the Home Office said that the government recognizes the major role that cybersecurity professionals play in enhancing and protecting the UK's security and that it is vital to support them. The government will continue working with the industry as it refines its proposal.
Researchers also flagged that the proposals take no account of agentic AI tools, which are increasingly used across the industry to conduct vulnerability discovery and security testing autonomously. Whether activity performed by an AI system rather than a human researcher would fall within a defense requiring accredited individuals to conduct tests personally has not been addressed.
Source: The Record