Security professionals have raised concerns that plans to strengthen the Computer Misuse Act could criminalise the software tools used by IT professionals to test the security of their company networks.

Proposals in the new Police and Justice Bill call for a new offence, punishable by a fine and up to six months in prison, for obtaining, distributing or writing software that could be used by hackers.

But senior security professionals have warned that the draft law could effectively criminalise IT professionals who use penetration testing - also known as ethical hacking - to identify security weaknesses.
Paul Simmonds, chief security officer at ICI, said he would be concerned that the new legislation could lead to "over-zealous or misinformed" prosecutions of legitimate security specialists.

"This appears to be a poorly thought-out clause," he said. "There are plenty of legitimate uses for software that may help a hacker."
The NCC Group, which provides penetration testing services to businesses, said the proposals looked badly drafted.

Paul Vlissidis, head of penetration testing at the company, said security professionals often routinely had to use code written by hackers to ensure their company systems were not vulnerable to attack.

"If a new exploit appears in the market, quite often the first proof-of-concept code to test from that exploit is developed by someone on the wrong side of the fence," he said.

"It may be weeks before a commercial tool responds to that. If we were by law unable to use those tools to run these tests, we would not be able to secure our customers' networks."
Security professionals point out that the line between hacking tools and legitimate security tools is often blurred, making it difficult to impose a blanket ban.

In some cases, businesses have used tools written by hackers to help manage their networks, and provide remote support for users, because they offered better control than commercial software, said Piers Wilson, senior consultant at security specialist Insight Consulting.

"There is plainly a problem with dual-use tools for legitimate penetration testers," said Peter Sommer, visiting professor at the London School of Economics. "That clause is going to need some clarification."

Security consultant Chris Sundt said the wording of the draft clause would need to be tested in court.

Other proposals in the Police and Justice Bill - to increase minimum sentences for simple hacking offences and to expand the Computer Misuse Act to cover all types of denial-of-service attacks - have been welcomed by security professionals.
Proposed update to Computer Misuse Act

- A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article:
  (a) knowing that it is designed or adapted for use in the course of or in connection with an offence ... or
  (b) intending it to be used to commit, or to assist in the commission of an offence
- A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of an offence

Source: Police and Justice Bill 2006