Britain’s Computer Misuse Act (CMA) needs a “statutory defence” to allow cybersecurity professionals to function properly and protect the country from cyber threats, the CyberUp campaign warned, urging incoming prime minister Liz Truss to take urgent action. Others in the industry are less sure such a defence is required, with different protections already in place.
The Computer Misuse Act was introduced in 1990 following the failure to charge hackers who broke into Prestel, BT’s email system at the time. It was designed to handle unauthorised access to computer systems and the spreading of malware, three years before the world wide web was launched.
Under the act security professionals face the risk of prosecution if they attempt to access a computer or computer material without authorisation.
The signatories of an open letter to Ms Truss co-ordinated by CyberUp include representatives of industry body the Internet Service Providers’ Association, cybersecurity company NCC Group and the former head of the NCSC Ciaran Martin. They are calling for better protection for cybersecurity professionals.
In the letter, the group claims that, in its current state, the act prevents them from conducting routine scans of the internet to hunt for exploitable bugs, and makes it illegal to search through hacked and leaked documents on the dark web in order to give clients details of a leak.
The group says in the letter that a Home Office review of the effectiveness of the act revealed that 66% of those responding were concerned about the lack of protections for legitimate cybersecurity activity, and that a year on from that review no action has been taken to rectify the issue.
According to the Department for Culture, Media and Sport, last year 39% of businesses reported a cybersecurity breach or attack, which campaigners say works out at about 2.3 million businesses, and the problem is increasing. “We believe this strengthens the case of prioritising efforts to reform the Computer Misuse Act to include a statutory defence,” the letter says.
“A statutory defence in the Computer Misuse Act would mark the UK out in having a world-leading cybercrime regime and foster investment in what is already a high-growth sector,” the letter added.
A cybersecurity expert who asked to remain anonymous said there are significant risks involved in introducing a statutory defence. He told Tech Monitor it is not needed, as all researchers and penetration testers have to do to protect themselves is ensure they have a contract and waiver from the company they are working with.
“While the act does have its problems, the campaign (and the consultation) take no account of sentencing guidelines which effectively already provide the defence they’re after,” they explained. “A statutory defence would mean that anyone engaged in supposedly ‘legitimate’ research would have no need to notify their target at any point, and the campaign is very unclear on what ‘approved’ research would be.”
He said the proposals include approval regimes which would be run by private industry, suggesting that many of those signing the letter are potential candidates to run that regime. “There are definitely valid concerns about private industry being given sole governance of a scheme which effectively exempts security researchers from abiding by the CMA, which include concerns around impacts on competition in the research and penetration testing industry, and previously seen failures of ethical behaviour by some of these companies,” they said.
“So for a worst case, this could put companies who have previously demonstrated unethical behaviour around certification of testers in a position to dictate who can and cannot test legally. And some of these companies are behind the campaign.”
Pen testing: no permission required
Currently, a penetration tester will ask for permission to gain access to a system as part of an engagement contract. That contract will include very specific rules around what they can access, when, and what can be done with any data seen during the test. Rules are governed by the Competition and Markets Authority (CMA), which can issue fines for access outside of the agreed terms of a contract.
“What the campaign is seeking to do is to allow pen testers to not worry about asking permission first,” the cybersecurity expert said. “This raises ethical questions about what happens next to the data and information discovered about vulnerabilities in that network. What they seem to be asking for is equivalent to fire services having a statutory defence to break in and enter to check your fire alarm batteries.”
Not everyone agrees with this outlook. Jamie Moles, a 35-year veteran of the cybersecurity industry and senior security engineer with ExtraHop, told Tech Monitor that it is important for legislation to keep pace with technology and that the act is in need of review.
“The act was built for the days of modems and dial-up but we are in a new world today,” Moles says. “When it was introduced there were no mobile phones, no Facebook and importantly no professional consultancy hackers. I believe the law needs to take that into account. It might not need a lot of change, it just needs tweaking.”
Contract law already provides cover
Moles doesn’t think that a statutory defence in the legislation will lead to rogue contractors misusing the law and going after companies for profit, but he also doesn’t think that element of the legislation is necessary, as contract law already protects legitimate practitioners.
“Anybody who does a pen test has to have permission first,” he says. “You get permission to do these things upfront in the form of a non-disclosure agreement (NDA) and contract. If I break in without permission I’ve broken the law. I don’t think a statutory defence would protect me in that case but it may help protect legitimate professionals from overzealous prosecutors.
“You either have permission to do these things and agreement upfront or you don’t. Statutory defence won’t work if it can be established you performed these actions with the intention of personal gain out of it and without prior permission.”
The other element of the CyberUp campaign calls for protection for professionals accessing and reviewing stolen data in order to help companies that have been victims of a hack or ransomware attack. The group says a statutory defence would provide some protection, as the current legislation, as written, makes accessing that data illegal.
Moles says the solution is retrospective NDAs. “If I’m working on the dark web and find a data dump and within that data dump find data belonging to a company like Vodafone, as it stands the law says I can’t look at that. But I can go to Vodafone, tell them what I’ve found and have them sign a contract and NDA that allows me to access their stolen data.
“If down the line a government prosecutor decides to go after me for accessing the stolen data all Vodafone has to do is refuse to cooperate on the grounds of the retrospective NDA.”