UK National Crime Agency Head Calls for Hacking Law Updates
Graeme Biggar Says Law Stymies Prosecutions of Foreign Hackers
A British cyber law that criminalizes hacking and other intrusion activities is outdated, often hindering law enforcement action against cyber crooks, U.K. lawmakers heard during a parliamentary hearing on cybercrime.
The Computer Misuse Act of 1990 criminalizes unauthorized access to computer systems and data, as well as damaging or destroying data.
The 32-year-old law does not categorize data theft as a criminal offense, testified Graeme Biggar, the director general of the U.K.'s National Crime Agency, before a Monday session of the U.K. Parliament's Joint Committee on National Security Strategy.
"It is currently not an offense, or at least not an offense in a way that we can use effectively, to steal data. Nor is it an offense to handle stolen property, if it is data," Biggar said. "Those are major impediments for us in being able to investigate and disrupt the crime."
Biggar also called for an expansion of British authority to criminally prosecute foreign cybercriminals. Current law limits jurisdiction to U.K. persons or someone using U.K. infrastructure. As an example of the limitation that creates, Biggar cited February sanctions imposed against seven Russian nationals accused of developing and managing TrickBot malware (see: US and UK Sanction Members of Russian TrickBot Gang).
"What we're not in a position to do, because they are based overseas, they are not U.K. citizens and they weren't using U.K. infrastructure, is to have arrest warrants out against them."
Such a change would allow the NCA and other federal British agencies to obtain criminal warrants against crooks, which would put the person of interest on Interpol's wanted list, facilitating the criminal's potential extradition to the United Kingdom for criminal trial.
The U.K. government in February opened public consultation to introduce changes to the law (see: Computer Crime: Britain Plans to Overhaul 32-Year-Old Law).
Security researchers are calling for changes to the act to ensure that bug bounties and pen testing aren't criminal offenses under the statute prohibiting unauthorized access to a computer system. The U.K. Ministry of Defense in 2020 affirmed that it will not prosecute researchers who comply with its disclosure policy. The civilian government contracts with HackerOne for vulnerability reports pertaining to official websites.