As set out in The National Cyber Security Strategy 2016 – 2021 (NCSS), there are two major categories of cybercrime: (i) cyber-dependent crimes, such as hacking into computer systems to view, steal or damage data; and (ii) cyber-enabled crimes, which include “traditional” crimes, such as cyber-enabled fraud and data theft.

The Computer Misuse Act 1990 is the main UK legislation relating to cyber-dependent crime.

In May 2021, the Government issued a Call for Information on the 1990 Act, which sought to identify whether there is activity causing harm in the area covered by the Act that is not adequately covered by the offences. This included whether law enforcement agencies have the necessary powers to investigate and take action against those attacking computer systems, and whether the legislation is fit for use following the technological advances since the 1990 Act was introduced. In addition, the Home Office sought suggestions on how the response to cyber-dependent crime could be strengthened within the legislative context.

In its response to the Call for Information, the Government said that it was clear that much of the 1990 Act remains effective in allowing law enforcement agencies to take action against those committing the harms covered by the Act. Prosecutors and the courts have been able to use the Act to prosecute and convict those who commit the offences, despite the significant changes in technology since the Act was introduced, reflecting the technology-neutral nature of the legislation.

However, the Call for Information raised several important issues in relation to specific areas of the Act, and to the powers available to law enforcement agencies to investigate these offences. The new consultation sets out the Government’s response to these issues and suggests proposals to address them.

The Government says that some of the proposals for change are sufficiently clear for it to consult on now, with a view to legislating when Parliamentary time allows. These proposals are set out in the first section of the consultation and cover:

• domain name and IP address takedown and seizure;
• power to preserve data; and
• data copying.

The second section sets out the approach the Government will take to other areas where it believes that more work needs to be done to identify what action should be taken. These areas cover:

• extra-territorial provisions;
• defences; and
• sentencing

The Government proposes that the extra work is done through a multi-stakeholder approach, led by the Home Office. The deadline for responses to the consultation is 6 April 2023. To access the consultation, click here.