Cyber security experts and professionals are broadly aligned on questions of legitimacy and legality when it comes to some instances of unauthorised access to IT systems, according to a report produced by campaigners for reform of the Computer Misuse Act (CMA), who hope their findings will bring clarity for policymakers exploring changes to the law.
The CyberUp campaign has been calling for reform of the CMA for years. The law dates from 1990, when the world of IT looked very different, and as a result there is now great concern in the security world that its current wording, which criminalises unauthorised access regardless of intent or outcome, effectively criminalises the work of ethical hackers and security researchers.
For this reason, the group has been advocating since 2019 for the inclusion of a statutory defence in the CMA. Last year the government said it would begin work on reforming the act, but little progress has been made since, bar an attempt in the Lords to insert such a provision into the Product Security and Telecommunications Infrastructure (PSTI) Bill.
“The consensus outlined in the report published today shows how a statutory defence can operate in practice,” the campaigners said.
“Crucially, it highlights that it will not open up a ‘Wild West’ of cyber vigilantism. Instead, by reforming the Computer Misuse Act to make defensible the activities outlined in the report, the CyberUp Campaign argues the Government can enable a swathe of benefits, including improved cyber resilience of the nation and its allies, and accelerated growth of the UK’s domestic cyber security sector.”
Respondents to the survey were asked to categorise cyber activities and techniques used in the course of vulnerability and threat research into acts that cause no or limited harm but deliver benefit, which are defensible; acts that cause harm and deliver benefit, which may be defensible; acts that cause no or limited harm and deliver no or limited benefit, which also may be defensible; and acts that cause harm and deliver no or limited benefit, which are indefensible.
CyberUp found consensus on 13 activities that fit the first category. These are the use of application programming interface (API) keys, banner grabbing, the use of beacons, the implementation of firewalls and network access controls, the use of honeypots, the use of open directory listings, passive intelligence gathering, port scanning, the use of sandboxes or tarpits, taking down servers or botnets, sink-holing, web scraping, and malware analysis. CyberUp therefore believes the reformed CMA should make these actions defensible.
Read more about CyberUp’s work
- January 2020: Group of campaigners says the Computer Misuse Act of 1990 risks criminalising cyber security professionals and needs reforming.
- June 2020: The CyberUp coalition has written to Boris Johnson to urge him to reform the UK’s 30 year-old cyber crime laws.
- November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
- May 2021: Home secretary Priti Patel will explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
In the second category, CyberUp found agreement that forward or active intelligence gathering, patching third-party networks and using Remote Desktop Protocol (RDP) connections to gain information from attackers’ systems may be defensible, but that further work will be needed to establish how such activities should be managed.
Respondents were then asked for their views on cyber activities and techniques that require unauthorised access but that a reformed CMA should deem legitimate or illegitimate.
CyberUp found that the cyber community agrees there is a set of activities that can be seen as legitimate instances of unauthorised access and should, therefore, be legal. These activities include vulnerability research, the proportionate surveying of systems that are publicly available (i.e. exposed to the internet), responsible security research, responsible disclosure, active scanning, enumeration, best practice internet scanning, use of Active Directory listings, identification, passive reconnaissance and investigation, and the use of honeypots.
It also found there is agreement on what activities constitute illegitimate unauthorised access, such as hacking back, conducting distributed denial-of-service attacks, the use of malware and ransomware, malicious “socially undesirable” acts, the validation of exploits or proof of a failed security boundary, and breaking into systems deemed part of critical national infrastructure. This group of activities also includes the rather more indistinct concept of causing harm.
Finally, the report reveals a consensus that the set of cyber techniques described as active defence may still represent a grey area that should be considered and discussed as the Home Office prepares to take its next steps towards a potential policy change.
These grey areas include actions such as infiltrating the networks or systems of threat actors, verifying passively detected vulnerabilities, exploiting vulnerabilities, credential stuffing, neutralising suspicious or malicious assets, active intelligence gathering, the use of botnets, and active investigation and forensic analysis.
CyberUp emphasised that it is not necessarily proposing that the full list of activities set out in its report makes its way into government guidance accompanying a statutory defence, because the fast-evolving nature of the security landscape means any such list will inevitably become dated. Instead, it said, it hopes that a court hearing a hypothetical future case will be able to draw on the degree of consensus that exists at that time, as measured against its “harm-benefit” matrix.
It also found some of its respondents objected to or questioned the overall approach of expanding the scope of defensible activity. One commented that the status quo should remain in place because such activities could cause “disruption of intelligence or law enforcement operations, diplomatic incidents or war”.
Others raised questions around whether there should be some kind of licensing system for certain cyber activities, while another respondent suggested that these activities should only ever be undertaken by a certified actor in possession of a court warrant to proceed.