My Lords, this amendment is countersigned by my noble friend Lord Clement-Jones. I know he will be very disappointed not to be able to speak to this, because it is an issue he feels particularly strongly about, as do I. Also in their absence are the auras of the noble Lords, Lord Vaizey and Lord Holmes, who spoke at Second Reading on this issue—it is a shame they are not here, but I think they have been ably replaced by the noble Baroness, Lady Neville-Jones, and the noble Earl, in their speeches. I will try not to duplicate the points that have been made by the three speakers before me. At the heart of this, as the noble Baroness confirmed, is the need to address the UK’s outdated Computer Misuse Act to create fit-for-purpose cybercrime legislation to protect national security. Clearly, that is not easy, as she pointed out, but that does not mean we should not do it at some point.
The Computer Misuse Act, as we know, was created to criminalise unauthorised access to computer systems or illegal hacking. It entered into force in 1990, before the cybersecurity industry as we know it today had really developed in the UK. Now, 32 years later, many modern cybersecurity practices involve actions for which explicit authorisation is difficult, if not impossible, to obtain. As a result, the Computer Misuse Act now criminalises at least some of the cybervulnerability and threat intelligence research and investigation that UK-based cybersecurity professionals in the private and academic sectors are capable of carrying out. This creates a perverse situation where the cybersecurity professionals, acting in the public interest to prevent and detect crime, are held back by the legislation that seeks to protect the computer systems: it is an anomaly.
As noble Lords will know, under the guidance that will be introduced following the passage of the Bill, manufacturers of consumer-connectable products will be required to provide a public point of contact to report vulnerabilities. This could be an important step forward in ensuring that vulnerability disclosures by cybersecurity researchers are encouraged, leading to improved cyber resilience across these technologies, systems and devices.
8.15 pm
Indeed, the government response to the consultation on these proposals mentioned the importance of legal certainty for security researchers in the context of vulnerability disclosure. However, if the Government recognise and encourage greater vulnerability reporting as an important part of the cyber resilience—that is what they seem to be saying—they should go further by reforming the Computer Misuse Act and putting into law a basis from which cybersecurity researchers can defend themselves in doing what the Government have bid them to do: reporting vulnerabilities. On the one hand, the Government are creating a responsibility; on the other, because of the existing legislation, this remains potentially illegal.
It is not in the scope of this Bill to amend the Computer Misuse Act and provide a more comprehensive defence under it, so this amendment is the next best opportunity. Instead, it seeks a more limited goal: to ensure that cybersecurity professionals, who act in the public interest in relation to testing relevant connectable products, can defend themselves from prosecution by the state and from unjust civil litigation—and would do so by inserting this new clause. I stress that, because of the public interest aspect in the context, it is surely of great importance that these products can be tested in good faith without securing the consent of the product manufacturer or distributor in every case. Without this or a wider Computer Misuse Act defence, the impact of the security requirements in the Bill will be far too weak and will essentially depend on manufacturers and distributors marking their own homework.
We support this amendment and look forward to the Minister explaining how the important words of Her Majesty’s Government on reporting vulnerabilities can be carried out without a measure such as this on the statute book.