Ethical hackers, security researchers and consultants, and the community at large are being urged to step up and make their voices heard as the government explores a series of proposed changes to the Computer Misuse Act (CMA) of 1990.
The long-awaited consultation, which has been running since February, is seeking views on a number of legislative changes, including giving new powers to law enforcement agencies and closing existing loopholes that make it easier for malicious actors to get away with misusing purloined data.
However, when the consultation was launched, campaigners who want to see the law reformed to better protect cyber security professionals from prosecution under outdated sections of the 33-year-old CMA were left disappointed because rather than lay out concrete proposals for the community to consider, the government merely said more work was needed on this point.
Among other things, Westminster wants to consider questions such as how to safeguard the UK’s ability to act against cyber criminals if legal defences for hacking are implemented; how to ensure any defences do not provide cover for offensive actions; and what levels of training, standards and certifications need to be in place for security professionals.
Nevertheless, Casey Ellis, founder and CEO of crowdsourced security platform Bugcrowd, is calling on the community to have its say on the basis that interested parties need to contribute to ensure the government is as well-informed as possible.
“It’s still important that as many as possible individuals and organisations have their say on this,” he said. “The UK needs a revised act that not only better defines the difference between the activities of malicious attackers who have no intent to obey the law in the first place, and those who hack in good faith, discovering and disclosing vulnerabilities so they can be addressed before they are exploited.
Bugcrowd, which is contributing to the consultation through the Cybersecurity Policy Working Group (CPWG) and the Hacker Policy Coalition, said that the most significant way in which community members could help would be to comment on the potential of a statutory legal defence for hacking if the motives are benevolent and the activity undertaken in good faith.
“Poor legal protection for ethical hackers could have the chilling effect whereby those who could contribute to making the internet a safer place become afraid to do so,” said Ellis.
“To be even clearer: people build software, people make mistakes, and mistakes create vulnerabilities. Amid the rapid acceleration of technology and the massive, ongoing, worldwide shortage of skilled cyber security professionals, Bugcrowd wants organisations and law enforcement to remain able to benefit from a ‘neighbourhood watch for the internet’ by decriminalising and encouraging anyone from the ethical hacking community to assist,” he said.
Hacking back
Speaking to Computer Weekly, Ellis said that the past year of war in Ukraine had changed the paradigm around how people think about the concept of hacking, particularly when it comes to offensive operations, a case in point being the work undertaken in a quasi-official capacity by Ukraine’s IT Army of volunteer hackers.
In this regard, he said, establishing legislative “guard rails” to protect ethical hackers is becoming ever more important.
He also said that adding legal protections would bring the UK in line with changes being made in Australia and the United States.
In December 2022 Australian home affairs and cyber minister Clare O’Neil unveiled plans to develop a new national cyber strategy which included a more mature approach to vulnerability disclosure, and in May last year, the US Department of Justice revised its policy on how crimes under the Computer Fraud and Misuse Act (CFAA) of 1986 should be charged, directing that violations undertaken in the cause of good faith research should now be immune from prosecution.
Ellis said the UK needed to be thinking along similar lines, especially given its involvement in the so-called AUKUS trilateral defensive pact, a core focus of which is national cyber security.