Security professionals have raised concerns that plans to strengthen the Computer Misuse Act could criminalise the software tools used by IT professionals to test the security of their company networks.
Proposals in the new Police and Justice Bill call for a new offence, punishable by a fine and up to six months in prison, for obtaining, distributing or writing software that could be used by hackers.
But senior security professionals have warned that the draft law could effectively criminalise IT professionals who use penetration testing - also known as ethical hacking - to identify security weaknesses.
Paul Simmonds, chief security officer at ICI, said he would be concerned that the new legislation could lead to "over-zealous or misinformed" prosecutions of legitimate security specialists.
"This appears to be a poorly thought-out clause," he said. "There are plenty of legitimate uses for software that may help a hacker."
The NCC Group, which provides penetration testing services to businesses, said the proposals looked badly drafted.
Paul Vlissidis, head of penetration testing at the company, said security professionals routinely had to use code written by hackers to ensure their company systems were not vulnerable to attack.
"If a new exploit appears in the market, quite often the first proof-of-concept code to test from that exploit is developed by someone on the wrong side of the fence," he said.
"It may be weeks before a commercial tool responds to that. If we were by law unable to use those tools to run these tests, we would not be able to secure our customers' networks."
Security professionals point out that the line between hacking tools and legitimate security tools is often blurred, making it difficult to impose a blanket ban.
In some cases, businesses have used tools written by hackers to help manage their networks and provide remote support for users, because they offered better control than commercial software, said Piers Wilson, senior consultant at security specialist Insight Consulting.
"There is plainly a problem with dual-use tools for legitimate penetration testers," said Peter Sommer, visiting professor at the London School of Economics. "That clause is going to need some clarification."
Security consultant Chris Sundt said the wording of the draft clause would need to be tested in court.
Other proposals in the Police and Justice Bill - to increase minimum sentences for simple hacking offences and to expand the Computer Misuse Act to cover all types of denial-of-service attacks - have been welcomed by security professionals.
Proposed update to Computer Misuse Act
- A person is guilty of an offence if he makes, adapts, supplies or offers to supply any article:
(a) knowing that it is designed or adapted for use in the course of or in connection with an offence ... or
(b) intending it to be used to commit, or to assist in the commission of an offence
- A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of an offence
Source: Police and Justice Bill 2006