Campaigners who want to reform the UK’s Computer Misuse Act (CMA) of 1990 to protect cyber security researchers and analysts from the threat of being prosecuted for doing their jobs have an important new backer in the form of cyber professional accreditation and assurance body Crest International.
The CyberUp campaign argues that the CMA, which turns 33 this year, is laughably out of date and does not properly reflect the evolution of the cyber security profession over the past three decades.
The group’s main concern is that the wording of the law, in particular the concept of “unauthorised access” to a program or data held on a computer.
Since defensive security activity frequently entails scanning, interrogating and accessing computer systems, the campaign says a prosecutor could successfully argue that a cyber professional breaks the law when they use common and accepted defensive techniques in their work.
Reform was promised in 2021, but the process has become bogged down even though there is now a widely agreed consensus that the law must be changed.
“Crest has supported and admired the efforts of the CyberUp Campaign since its inception, so it is great to make this support official,” said Rob Dartnall, chair of Crest’s UK Council.
“The Computer Misuse Act is out of date and its view of security testing and threat intelligence is not fit for today’s increasingly digitised world with ever growing and more sophisticated cyber threats.
“In 2021, CyberUp secured a comprehensive review of the act, so it is now important for industry in the UK to collaborate to ensure substantial reform happens. We will be working with the campaign to help engage industry and drive forward successful reform.”
A spokesperson for the CyberUp campaign said: “The CyberUp Campaign is delighted to have Crest International on board as a supporter.
“We are very much looking forward to working with Crest and its members in the UK to ensure the reform of the Computer Misuse Act. The UK is on the precipice of a historic change in our cyber crime laws. Help from organisations like Crest is essential if we are to make sure this once-in-a-generation opportunity does not go to waste.”
An August 2022 report produced by the CyberUp campaign set out to reassure policymakers that reform would not open up a “Wild West” of cyber vigilantism.
The report categorises cyber activities into acts that cause no or limited harm but deliver benefit, acts that cause harm and deliver benefit, acts that cause no harm and deliver no benefit, and acts that cause harm and deliver no benefit.
In the first category, CyberUp proposed the government make a total of 13 activities defensible in law – the use of application programming interface (API) keys, banner grabbing, the use of beacons, the implementation of firewalls and network access controls, the use of honeypots, the use of open directory listings, passive intelligence gathering, port scanning, the use of sandboxes or tarpits, taking down servers or botnets, sink-holing, web scraping, and malware analysis.
Activities likely to fit the final category, which would remain indefensible in law, could include hacking back, conducting distributed denial-of-service attacks, the use of malware and ransomware, malicious “socially undesirable” acts, the validation of exploits or proof of a failed security boundary, and breaking into systems deemed part of critical national infrastructure.
The report also highlighted some grey areas, particularly around activity described as active defence, which can include actions such as infiltrating the networks or systems of threat actors, verifying passive-detected vulnerabilities, exploiting vulnerabilities, credential stuffing, neutralising suspicious or malicious assets, active intel gathering, the use of botnets, and active investigation and forensic analysis.
The campaign’s work continues.