Happy 31st birthday to the British Computer Misuse Act (CMA), which went into effect Aug. 29, 1990, as one of the first cybercrime laws on the books. Although the CMA has undergone several revisions, many cybersecurity experts believe it’s desperately in need of an update to reflect evolving threats and technology.
The CMA came about after two journalists hacked into Prestel, an early online messaging system run by BT (formerly British Telecom). Using “shoulder surfing,” they stole a BT engineer’s login credentials during a trade show and found their way into the Duke of Edinburgh’s inbox.
The Prestel hackers were white hat hackers, trying to prove how far they could go in BT’s system. They were initially convicted under the Forgery and Counterfeiting Act, but the conviction was overturned because they didn’t make a profit from their hack.
Public outcry was great, and the result was the CMA, which created criminal penalties for unauthorized computer access on its own, unauthorized computer access with the intent to steal data or commit a crime, and the distribution of malware. Subsequent versions of the CMA increased penalties up to life imprisonment depending on the level of damages.
Has the Computer Misuse Act outlived its usefulness?
Many believe the CMA, last updated in 2015, is past its prime. For one thing, its definition of “computer” reflects the desktop PCs so common in the late 1980s and early 1990s, not the “internet of things” we use today, with smartphones, smart home devices and the like. The legislation is also focused on hacking and malware, not the ransomware attacks so prevalent today. And the law does not distinguish between malicious and ethical hacking.
Even if it needs a refresh, the CMA was innovative in its time—and its royal hacking origins are preserved at the National Museum of Computing at Bletchley Park in the UK.