Report reveals consensus around Computer Misuse Act reform

Cyber security experts and professionals are broadly aligned on questions of legitimacy and legality when it comes to some instances of unauthorised access to IT systems, according to a report produced by campaigners for reform of the Computer Misuse Act (CMA), who hope their findings will bring clarity for policymakers exploring changes to the law.

The CyberUp campaign has been calling for reform of the CMA for years. The law dates back to the early 1990s, when the world of IT looked very different, and as a result there is now great concern in the security world that its current wording effectively criminalises the work of ethical hackers and security researchers.

For this reason, the group has been advocating for the inclusion of a statutory defence in the CMA since 2019, and last year the government said it would begin work on reforming the CMA, but since then little progress has been made, bar an attempt in the Lords to insert such a provision into the Product Security and Telecommunications Infrastructure (PSTI) Bill.

“The consensus outlined in the report published today shows how a statutory defence can operate in practice,” the campaigners said.

“Crucially, it highlights that it will not open up a ‘Wild West’ of cyber vigilantism. Instead, by reforming the Computer Misuse Act to make defensible the activities outlined in the report, the CyberUp Campaign argues the Government can enable a swathe of benefits, including improved cyber resilience of the nation and its allies, and accelerated growth of the UK’s domestic cyber security sector.”

Respondents to the survey were asked to categorise cyber activities and techniques used in the course of vulnerability and threat research into acts that cause no or limited harm but deliver benefit, which are defensible; acts that cause harm and deliver benefit, which may be defensible; acts that cause no or limited harm and deliver no or limited benefit, which also may be defensible; and acts that cause harm and deliver no or limited benefit, which are indefensible.

CyberUp found consensus on 13 activities that fit the first category. These are the use of application programming interface (API) keys, banner grabbing, the use of beacons, the implementation of firewalls and network access controls, the use of honeypots, the use of open directory listings, passive intelligence gathering, port scanning, the use of sandboxes or tarpits, taking down servers or botnets, sink-holing, web scraping, and malware analysis. CyberUp therefore believes the reformed CMA should make these actions defensible.

In the second category, CyberUp found agreement that forward or active intelligence gathering, patching third-party networks and using remote desktop protocol connections to gain information from attackers’ systems may be defensible, but that further work will be needed to establish how to manage them.

Respondents were then asked for their views on cyber activities and techniques that require unauthorised access but that a reformed CMA should deem legitimate or illegitimate.

CyberUp found that the cyber community agrees there is a set of activities that can be seen as legitimate instances of unauthorised access and should, therefore, be legal. These activities include vulnerability research, the proportionate surveying of systems that are publicly available (i.e. exposed to the internet), responsible security research, responsible disclosure, active scanning, enumeration, best practice internet scanning, use of Active Directory listings, identification, passive reconnaissance and investigation, and the use of honeypots.

It also found there is agreement on what activities constitute illegitimate unauthorised access, such as hacking back, conducting distributed denial-of-service attacks, the use of malware and ransomware, malicious “socially undesirable” acts, the validation of exploits or proof of a failed security boundary, and breaking into systems deemed part of critical national infrastructure. This group of activities also includes the rather more indistinct concept of causing harm.