UK Rejects Update to 1990 Cybercrime Law: Security Researchers Remain at Legal Risk

British Government Declines Cybercrime Law Reform

The UK government has rejected a proposed amendment to the 1990 Computer Misuse Act (CMA), which aimed to provide legal protections for cybersecurity researchers. Science Minister Patrick Vallance defended the decision, arguing that such protections could be exploited by cybercriminals.

Background on the Proposed Amendment

The current law criminalizes “unauthorized access to a computer,” creating significant risks for ethical security researchers. Critics argue that the CMA is outdated, failing to reflect modern cybersecurity challenges.

Key issues driving the push for reform:

  • The existing law could lead to prosecutions against ethical hackers conducting penetration testing or vulnerability research.
  • The CMA was enacted 35 years ago, long before today’s threat landscape, bug bounty programs, and coordinated vulnerability disclosure (CVD) frameworks.
  • The U.S. and EU have already introduced protections for ethical hackers under certain conditions.

Reasons for the Government’s Rejection

Despite strong support from the cybersecurity industry, the UK government declined the amendment, citing concerns such as:

  • Potential for misuse – Fear that criminals could exploit legal protections to justify hacking activities.
  • Challenges in proving intent – Law enforcement could struggle to differentiate between ethical research and malicious hacking.
  • The need for further review – Officials claim a deeper examination of the legal and national security implications is required.
  • Industry divisions – Disagreement among policymakers and security experts over how to implement legal protections without creating loopholes.

Cybersecurity Community Response

The CyberUp campaign, which has been advocating for CMA reform, warned that this decision could damage the UK’s standing as a cybersecurity leader. Critics argue that by failing to modernize the law, the government risks discouraging security research and weakening critical infrastructure protection.

What’s Next for UK Cybersecurity Law?

With rising threats from cybercrime, ransomware, and nation-state attacks, the UK’s legal framework must adapt to ensure that ethical hacking is encouraged rather than criminalized. Industry experts continue to push for:

  • Clear legal definitions of ethical cybersecurity research to distinguish it from cybercrime.
  • Structured legal exemptions for penetration testers, security researchers, and bug bounty participants.
  • Alignment with global best practices seen in U.S. and EU cybersecurity laws.

While the CMA remains unchanged, the debate is far from over, with pressure mounting on the UK government to reconsider its stance in future legislative reviews.
