A new defense for ethical hacking has been established under the UK Computer Misuse Act
UUK legislators have proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill to give cybersecurity professionals a legal defense for their activities under the Computer Misuse Act (CMA).
A cross-party group in the House of Lords, the UK’s second chamber, tabled the amendment on Tuesday (June 21).
The PSTI bill is designed to support the UK’s 5G rollout while also mandating vulnerability disclosure policies for vendors of Internet of Things (IoT) products, among other security provisions.
‘Acting in good faith’
The CyberUp campaign, a security industry coalition calling for wholesale reform of the CMA, argues that a statutory defense under the 1990 act would protect security researchers, ethical hackers, and pen testers from spurious legal action when responsibly hunting for or reporting vulnerabilities.
Speaking in the House of Lords yesterday, Lord Arbuthnot of Edrom referenced the CyberUp campaign’s suggestion that a statutory defense should be based on “the prospective benefits of the act outweighing the prospective harms”, on “reasonable steps being undertaken to minimize the risks of causing harm… the actor demonstrably acting in good faith [and] being able to demonstrate competence”.
The CyberUp campaign has also urged the government to release the findings of its ‘call for information (consultation) on the effectiveness of the CMA, which closed more than a year ago.
UK Home Secretary Priti Patel announced the consultation with academia, law enforcement agencies, and the cybersecurity industry alongside plans to review the CMA in May 2021.
Kat Sommer, head of public affairs at CyberUp backer NCC Group and CyberUp spokesperson, hailed the PSTI amendment, noting that some countries had “more permissive regimes, but no country has yet gone so far as to introduce a defense for unauthorized access.
“Of course, the ideal situation is for the government to bring forward reforms to the Computer Misuse Act which provide a defense in more than the case of just connected products – after a year-long wait, you would think we would be likely to hear something from ministers on this soon.”
‘Simply doing their job’
Campaigners believe that, if passed, the amendment will protect the likes of security researcher Rob Dyke, who was threatened with legal action under the CMA – threats that were eventually abandoned – after alerting a UK non-profit to security flaws in 2021.
“I’m really glad it seems like lawmakers are beginning to take seriously the need for cybersecurity researchers like me to have the protection of the law,” Dyke said. “It’s not right people might have to go through what I have simply for doing their job.”
Lord Arbuthnot also told the House of Lords that when the CMA was enacted, “no consideration was given – I remember because I was there – to web scraping, port scanning or malware denotation, and people are not sure that they are legal. Some of us are not sure quite what they are.
“This is why cybersecurity researchers need to be certainty – they need to be able to do things for the public good.”
Related recent developments across the Atlantic may well offer hope to UK campaigners.
The legal jeopardy surrounding legitimate security research in the US has eased considerably following a US Supreme Court ruling in 2021 about what constitutes “unauthorized access” under the Computer Fraud and Abuse Act and the Department of Justice’s recent pledge not to prosecute “good faith” security research.