During a parliamentary hearing on cybercrime, U.K. lawmakers discussed the challenges posed by the outdated Computer Misuse Act of 1990, which criminalizes hacking and unauthorized access to computer systems. Graeme Biggar, the director general of the U.K.’s National Crime Agency, highlighted the Act’s limitations, noting that it does not classify data theft as a criminal offense. He emphasized that this gap hinders law enforcement’s ability to effectively investigate and disrupt cybercrime activities related to data theft.
Biggar also called for an expansion of British authority to prosecute foreign cybercriminals, citing the current limitations that prevent the pursuit of individuals based overseas who are not U.K. citizens and do not use U.K. infrastructure. To address these shortcomings, the U.K. government initiated a public consultation in February to explore potential changes to the 32-year-old law.
The proposed modifications aim to make data theft a criminal offense and broaden jurisdiction to enable the prosecution of foreign cybercriminals. Such changes would empower the National Crime Agency and other federal British agencies to obtain criminal warrants against cybercriminals, potentially leading to their inclusion on Interpol’s wanted list and facilitating extradition for criminal trials in the United Kingdom.
In addition to law enforcement concerns, security researchers are advocating for amendments to the Computer Misuse Act to ensure that activities such as bug bounties and penetration testing are not treated as criminal offenses. The U.K. Ministry of Defence, recognizing the importance of cybersecurity research, has stated that it will not prosecute researchers who comply with its disclosure policy, highlighting the need for clarity in distinguishing between criminal hacking and ethical security testing.