A proposed amendment to the UK’s Computer Misuse Act (CMA) aimed at providing legal protection for white hat hackers failed to pass in the House of Lords on December 18, 2024. The amendment, introduced by Conservative life peer Chris Holmes, sought to create legal defenses for cybersecurity researchers engaging in activities such as security testing and vulnerability discovery. The proposed change would have made it legal for individuals to access computer systems without consent if their actions were necessary for preventing or detecting crime or were deemed to be in the public interest. However, the proposal was defeated during a bloc vote on amendments to the Data Use and Access Bill.
The Computer Misuse Act, which criminalizes unauthorized access to computer systems, has long been criticized by security professionals for discouraging research and innovation in cybersecurity. Cybersecurity experts, including those from the CyberUp Campaign, argue that the CMA creates barriers to legitimate threat intelligence and vulnerability testing. Without a legal shield, ethical hackers often face the risk of prosecution despite their efforts to protect systems from malicious actors. This has led to calls for reforms to the law to better balance security research with legal protections.
Chris Holmes’ amendment was seen as a step toward addressing these concerns, as it would have explicitly exempted ethical hackers from prosecution when their activities contributed to crime prevention. The proposal was backed by a coalition of cybersecurity professionals, including Andrew Jones from The Cyber Scheme Limited, who emphasized that the amendment would strengthen the UK’s cyber defenses. Proponents argued that by protecting legitimate researchers, the amendment would reinforce the UK’s position as a cybersecurity leader.
Despite the setback in the House of Lords, the Labour government has not ruled out updating the CMA. Security Minister Dan Jarvis recently indicated that updating the law remains a priority for the government. While the defeat of this amendment signals challenges in advancing cybersecurity reforms, the debate over balancing legal protections and cybersecurity research is expected to continue, with the hope that future efforts will better support ethical hackers while safeguarding national security.