Ransomware has been very much in the headlines recently, from the retailer attacks on M&S, Co-op and others, to the government’s recent decision to proceed with its ransomware proposals (blog). The fact that the National Crime Agency has, unusually, managed to track down the perpetrators of those retailer attacks and prosecute them using the Computer Misuse Act 1990 has also brought this rarely discussed law under the spotlight.
What is the Computer Misuse Act?
The Computer Misuse Act (the “Act”) is the key legislation for prosecuting cybercriminals in the UK. It sets out computer misuse crimes which cover hacking and denial of service attacks as well as making or supplying malware (see the box for more information).
Computer Misuse Act offences: The Act makes it a criminal offence for a person to:
In practice, the computer misuse offences are often committed alongside other financial crimes, such as bribery or money laundering.
Is reform of the Act likely?
Although there has been a lot of discussion around cyber reforms generally, the Act (which was last amended by the Serious Crime Act 2015) is arguably due an update, with many cyber campaign groups considering it to be unfit for purpose.
In 2021 the UK government announced its intention to review the legislative framework and law enforcement capability offered by the Act. Following this, in 2023 the UK government launched a public consultation and put forward certain reforms of the Act (see blog), but no further action was taken. Despite this, the Home Office’s response highlighted some concerns with the effectiveness of the Act, including around clarifying and expanding its extra-territorial reach and the sentencing of perpetrators.
More recently, amendments were tabled to the Data (Use and Access) Bill ('DUA' - now enacted - see blog) to introduce a statutory defence for cybersecurity professionals and others for legitimate unauthorised access to computers. The purpose of this protection was to ensure that individuals who are trying to defend against cyberthreats do not themselves risk prosecution. However, these proposals were withdrawn and did not make it into the final version of DUA. On reflection, it was felt that further work was needed to prevent any unintended consequences of such a defence. The Home Office did, however, commit to providing “an update in due course” on this issue as part of the government’s ongoing review of the Act.
What’s next?
For now, it remains unclear when, or if, the Act will be updated. While it is being used to prosecute (predominantly young UK) offenders in the recent retailer cases, it still faces criticism that it is not suitable to tackle the current global cyber threat. However, the government’s focus seems to be on updating the UK’s NIS regime (blog) and ransomware rules (blog). The question is therefore whether the current media attention on the Scattered Spider prosecutions will be sufficient to bring modernising this legislation back to the top of the political agenda.