
Ethical hackers urged to respond to Computer Misuse Act reform proposals

The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and ethical hackers and security experts need to make their voices heard, says Bugcrowd

Ethical hackers, security researchers and consultants, and the community at large are being urged to step up and make their voices heard as the government explores a series of proposed changes to the Computer Misuse Act (CMA) of 1990.

The long-awaited consultation, which has been running since February, is seeking views on a number of legislative changes, including giving new powers to law enforcement agencies and closing existing loopholes that make it easier for malicious actors to get away with misusing purloined data.

However, when the consultation was launched, campaigners who want the law reformed to better protect cyber security professionals from prosecution under outdated sections of the 33-year-old CMA were left disappointed: rather than laying out concrete proposals for the community to consider, the government merely said more work was needed on this point.

Among other things, Westminster wants to consider questions such as how to safeguard the UK’s ability to act against cyber criminals if legal defences for hacking are implemented; how to ensure any defences do not provide cover for offensive actions; and what levels of training, standards and certifications need to be in place for security professionals.

Nevertheless, Casey Ellis, founder and CTO of crowdsourced security platform Bugcrowd, is calling on the community to have its say on the basis that interested parties need to contribute to ensure the government is as well-informed as possible.

“It’s still important that as many as possible individuals and organisations have their say on this,” he said. “The UK needs a revised act that not only better defines the difference between the activities of malicious attackers who have no intent to obey the law in the first place, and those who hack in good faith, discovering and disclosing vulnerabilities so they can be addressed before they are exploited.”

Bugcrowd, which is contributing to the consultation through the Cybersecurity Policy Working Group (CPWG) and the Hacker Policy Coalition, said that the most significant way in which community members could help would be to comment on the potential of a statutory legal defence for hacking if the motives are benevolent and the activity undertaken in good faith.

“Poor legal protection for ethical hackers could have the chilling effect whereby those who could contribute to making the internet a safer place become afraid to do so,” said Ellis.

“To be even clearer: people build software, people make mistakes, and mistakes create vulnerabilities. Amid the rapid acceleration of technology and the massive, ongoing, worldwide shortage of skilled cyber security professionals, Bugcrowd wants organisations and law enforcement to remain able to benefit from a ‘neighbourhood watch for the internet’ by decriminalising and encouraging anyone from the ethical hacking community to assist,” he said.

Hacking back

Speaking to Computer Weekly, Ellis said that the past year of war in Ukraine had changed the paradigm around how people think about the concept of hacking, particularly when it comes to offensive operations, a case in point being the work undertaken in a quasi-official capacity by Ukraine’s IT Army of volunteer hackers.

In this regard, he said, establishing legislative “guard rails” to protect ethical hackers is becoming ever more important.

He also said that adding legal protections would bring the UK in line with changes being made in Australia and the United States.

In December 2022, Australian home affairs and cyber minister Clare O’Neil unveiled plans to develop a new national cyber strategy, which included a more mature approach to vulnerability disclosure, and in May last year the US Department of Justice revised its policy on how crimes under the Computer Fraud and Abuse Act (CFAA) of 1986 should be charged, directing that violations undertaken in the course of good-faith research should no longer be prosecuted.

Ellis said the UK needed to be thinking along similar lines, especially given its involvement in the so-called AUKUS trilateral defensive pact, a core focus of which is national cyber security.

Read more about the CMA reform process

  • February 2023: Westminster has opened a new consultation on proposed reforms to the Computer Misuse Act of 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
  • January 2023: Cyber accreditation association Crest International has lent its support to the CyberUp campaign for reform to the Computer Misuse Act of 1990.
  • September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber pros from potential prosecution.
  • August 2022: A study produced by the CyberUp campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
  • June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted.
  • May 2021: Home secretary Priti Patel will explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
  • November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
  • June 2020: The CyberUp coalition has written to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws.
  • January 2020: A group of campaigners says the Computer Misuse Act of 1990 risks criminalising cyber security professionals and needs reforming.
