Lords move to protect cyber researchers from prosecution

A cross-bench group in the House of Lords is seeking to insert an amendment to the upcoming Product Security and Telecommunications Infrastructure (PSTI) Bill that will provide cyber security researchers, penetration testers and ethical hackers with a Computer Misuse Act defence for carrying out vulnerability and security research.

The group includes former digital minister Lord Vaizey and Lord Arbuthnot, a key figure in the unravelling of the Post Office Horizon scandal over many years. They say this will be the first time in the 32-year history of the Computer Misuse Act that there has been an attempt to mollify the offence of unauthorised access to computer material, which the security community has long held puts its bona fide work at risk by failing to distinguish it from cyber criminal activity.

The amendment also increases the pressure on the government to make public the findings of its Call for Information on the effectiveness – and potential reform of – the Computer Misuse Act, which closed more than 12 months ago and appears to have been quietly forgotten.

The CyberUp campaign, which has been advocating for the reform of the Computer Misuse Act for years, said that given the PSTI Bill contains provisions to force product manufacturers to implement vulnerability disclosure policies, without a statutory defence in the Computer Misuse Act, researchers can face “spurious legal action” for reporting a vulnerability to a company which can decide “on a whim” to ignore the policy. This is known as liability dumping.

The proposed amendment would provide a statutory defence for breaches of the Computer Misuse Act if the researcher reasonably believed the owner of the system they hacked would have consented to the research, or if such an act was necessary for the detection of crime.

CyberUp spokesperson Kat Sommer, who is also head of public affairs at NCC Group, said that should the amendment be successfully inserted, it would be a landmark moment for cyber legislation not just in the UK, but all over the world. “We are grateful to their lordships for taking up this important cause, where I’m afraid the government has been dragging its feet,” she said.

“Of course, the ideal situation is for the government to bring forward reforms to the Computer Misuse Act which provide a defence in more than the case of just connected products – after a year-long wait, you would think we would likely hear something from ministers on this soon,” said Sommer.

The security community’s concerns over the prosecution of legitimate research is not without foundation. Just last year, security researcher Rob Dyke went through a lengthy ordeal after he disclosed a vulnerability to the Apperta Foundation, a healthcare non-profit backed by NHS Digital and NHS England.

Dyke found sensitive data, including application source code, usernames, passwords and API keys, left exposed on the internet, but after making his disclosure, Apperta engaged a law firm to write to Dyke warning that he may have committed a criminal offence. Ultimately, Dyke was forced to crowdfund £25,000 to stave off legal bills, before Apperta backed down.

“I’m really glad it seems like lawmakers are beginning to take seriously the need for cyber security researchers like me to have the protection of the law,” he said.

“It’s not right that people might have to go through what I have simply for doing their job. Let’s hope the government takes notice and fast.”

The amendment, which is also sponsored by Lord Clement-Jones and Lord Holmes, will be introduced on the floor on 21 June.