Government rejects latest bid to reform UK’s outdated Computer Misuse Act

Despite calls to provide more protection for cybersecurity professionals

Chief scientific adviser Patrick Vallance rejects calls for reform, which would protect ethical hackers.

An attempt to modernise the UK’s outdated Computer Misuse Act (CMA) of 1990 has again been rejected in the House of Lords, despite calls to provide legal protections for cybersecurity professionals and ethical hackers.

Former government chief scientific adviser and current minister for science, research and innovation, Patrick Vallance, opposed the proposed amendments.

The amendments, put forward by Lords Chris Holmes and Tim Clement-Jones as part of the Data (Access and Use) Bill, aimed to introduce legal defences for cyber professionals acting in the public interest. The proposed changes would have allowed individuals to justify their actions if they were necessary to detect or prevent crime.

However, despite backing from other members of the Lords, this latest push was defeated. It follows a previous unsuccessful attempt in December 2024, which the government deemed premature.

Speaking on 28th January, Holmes criticised the CMA’s outdated nature, arguing that it restricts cybersecurity professionals from effectively protecting businesses and the wider economy.

“The Computer Misuse Act was introduced at a time when technology was unrecognisable compared to today. It hinders the sector’s ability to keep us safe and holds businesses back from reaching their full potential,” he said.

Lending support, Merlin Hay, the Earl of Erroll, highlighted that similar concerns had been raised when the Act was first introduced in 1990, but were dismissed by the government.

“We knew the Act was flawed from the outset, but we needed something in place to regulate hacking tools,” he said. “The problem is, it offers no defence for the ‘good guys’ who are working to protect systems. This amendment would finally correct a long-standing anomaly in our law.”

Vallance acknowledged the concerns but argued that reforming the CMA was highly complex. While his own review on pro-innovation technology regulation previously supported similar changes, he said ongoing discussions with stakeholders revealed divisions within the industry.

“While some in the industry argue that the CMA prevents legitimate public interest activities, others worry about unintended consequences,” he said. “Law enforcement has serious concerns that allowing unauthorised access for security testing could be exploited by cyber criminals.”

Vallance warned that without strong oversight, the amendments could complicate investigations and create legal loopholes for criminals.

Despite rejecting the proposed changes, Vallance confirmed the government would continue working with industry, law enforcement, and the National Cyber Security Centre (NCSC) to assess future reforms.

Andrew Jones, strategy director at the Cyber Scheme and spokesperson for the CyberUp Campaign, expressed disappointment at the government’s stance.

In a statement to Computer Weekly, he said: “While we appreciate the government’s caution, another opportunity to protect cyber security professionals and bolster the UK’s defences has been missed.

“The CMA is outdated and inadvertently criminalises essential cyber security research, leaving the UK vulnerable to growing cyber threats.”

Jones emphasised the need for urgent reform, particularly as the US and EU move ahead with protections for ethical hackers. He called for the government to adopt a statutory defence drafted with industry and legal input, which he argued would strengthen the UK’s cyber resilience while maintaining oversight.