Why we must reform the Computer Misuse Act: A cyber pro speaks out
Britain’s outdated hacking laws are leaving the UK’s cyber practitioners hamstrung and afraid. Security professional Simon Whittaker reveals how he nearly ran afoul of the Computer Misuse Act, and why he’s speaking out for reform
Eight years ago, Simon Whittaker, head of cyber security at Belfast-based consultancy Instil, narrowly avoided having his front door smashed in by the Police Service of Northern Ireland (PSNI) (see photo of warrant below) and was only saved from an expensive repair job because a relative was home at the time.
Whittaker was the innocent victim of a misunderstanding that arose when his work as a cyber security professional butted heads with legislation contained in the UK’s Computer Misuse Act (CMA) of 1990 that at first glance seems sensible.
“What happened to me is that we were working with a client who was working with an NHS Trust, demonstrating some of their software,” he explains. “Their software picked up information from various dark web sources and posted this information on Pastebin.”
This post was made on Tuesday 9 May 2017 (remember this date – it’s important) and the information contained several keywords, including “NHS” and “ransomware” (see screenshot of Pastebin page below).
This accidental act was enough to trip alarm bells somewhere in the depths of Britain’s intelligence apparatus. The National Crime Agency (NCA) got involved, emails whizzed back and forth over the Atlantic to the Americans. Unbeknownst to Whittaker and his family, a crisis was developing.
A redacted PSNI warrant
“We ended up with eight coppers at our door and a lot of people very upset,” says Whittaker. “It cost us about £3,000 in legal fees, when all that had happened was a few words had been posted on Pastebin.
“We talk about using a sledgehammer to crack a nut, but it’s quite accurate, inasmuch as they had identified the smallest amount of evidence – that wasn’t even evidence because nothing happened – but it was enough.”
And the punchline? It just so happens that the posts were identified on Friday 12 May as part of the investigation into the WannaCry attack, which caused chaos across the NHS. Whittaker’s home was raided the following Monday.
A redacted screenshot of the PasteBin post
Security theatre
So, what is the CMA, and how did it almost land Whittaker in the nick? It’s a big question that speaks not only to his unpleasant experience, but to wider issues of legal overreach, government inertia and, ultimately, the ability of Britain’s burgeoning cyber security economy to function to its full potential.
Indeed, the CyberUp campaign for CMA reform estimates that the UK’s security firms lose billions every year because the CMA effectively binds them.
In a nutshell, it defines the broad offence of Unauthorised Access to a Computer. At face value, this is hard to argue with because it appears to make cyber crime illegal.
However, in its broad application, what the offence actually does is to make all hacking illegal. As such, it is now woefully outdated because it completely fails to account for the fact that, from time to time, legitimate security professionals and ethical hackers must access a computer without authorisation if they are to do their jobs.
“It’s so frustrating, the idea that there’s a piece of legislation that’s been around for so long that was originally brought in because they didn’t have any legislation,” says Whittaker.
“Somebody broke into Prince Philip’s email account, a BT account, and they didn’t have any legislation to do them under, so they got them under the Forgery and Counterfeiting Act.”
Whittaker is referring to a 1985 incident in which security writer and educator Robert Schifreen hacked the BT Prestel service – an early email precursor – and accessed the Duke of Edinburgh’s mailbox.
Schifreen’s archive, preserved at the National Museum of Computing, reveals how he hacked Prestel to raise awareness of potential vulnerabilities in such systems. In a 2016 interview, Schifreen told Ars Technica that he waited until after 6pm on the day of the hack to be sure that the IT team had gone home for the evening and couldn’t interfere. He even tried to tell BT what he was doing.
The CMA was the Thatcher government’s response to this, and 35 years on, the offence of Unauthorised Access to a Computer is now at the core of a five-year-plus campaign led by the CyberUp group and backed in Parliament by, among others, Lord Chris Holmes.
Whittaker says it is very clear that in 1990, it was impossible to predict that research would fall into the information security domain.
“Nobody expected there would be people open to bug bounties or to having their IT researched and investigated. I don’t think anybody back then realised that this was going to be a thing – and if you look at the underlying message of the CMA, which is, ‘Don’t touch other people’s stuff’, there is some sense to that,” he says.
“But what the CMA doesn’t do is put any kind of allowance for research or understanding that there are cyber professionals out there whose job it is to try to break things, to try to keep the nation secure and organisations safe,” he adds.
“The CMA was a piece of legislation that was very broad, and the idea that it’s still there after this amount of time, and hasn’t been adapted in accordance with the changes we’ve seen over the last 20, 25 years that I’ve been in the industry, is quite bizarre,” says Whittaker.
“The legislation around murder hasn’t changed since 1861 in the Offences Against the Person Act. It’s not like the offence of murder has changed hugely since 1861, whereas the computing world has changed dramatically since 1990.”
One hand tied behind our backs
Cutting to the core of the problem, what the CMA does in practice is force security professionals in the UK to operate with one eye on the letter of the law and one hand tied behind their backs.
Whittaker recounts another story from Instil’s archives. “We had a look on Shodan, and identified there was an open Elasticsearch bucket that was dropping credentials for a very large mobile phone and fixed-line provider in Spain.
“Every time a new order came in, it dropped their data into this bucket, which then provided names, addresses, telephone numbers, bank details, lots of really interesting stuff,” he says.
“We were very concerned about reporting this. Because we had found it, we were concerned there was going to be blame associated with us. Why were you looking? What were you doing? What was happening here? We engaged our lawyers to help us do that responsible disclosure to them.
“We did it privately – we’ve never spoken about it to anybody, but we spoke with the organisation and they were ultimately very grateful. Their CISO was very understanding, but it still cost us about two grand in legal fees to be able to do it.”
Whittaker can recount many other stories of how people who are just trying to do some public-spirited research into similar issues have had to either stop and not do it, or travel to another jurisdiction to do it, because of the CMA.
Penetration testing within the limits of the law
To more deeply understand how the CMA hamstrings the UK’s cyber professionals, let’s go back in time again, this time to the early 2000s, when Whittaker, then working in software development, caught the cyber bug after a job took him to Russia following an acquisition.
“One of the first things the Russians asked us was, “Have you ever had a security or pen test?’ We said, ‘No, but don’t worry, we’re really good at this stuff’, and within 20 seconds, they had torn us to pieces and broken us in multiple different ways. I was watching the test and I said, ‘That’s so cool, how do I work out how to do that?’”
If the amendment comes, it will enable us to be able to compete and to protect ourselves and our citizens in a much better way
Simon Whittaker, Instil
About 20 years down the line, Whittaker’s company, founded as Vertical Structure, but now merging into Instil – is a Crest-accredited penetration tester, and certified by the National Cyber Security Centre (NCSC) as a Cyber Essentials certifying body and an assured service provider for the Cyber Essentials programme.
“We teach people how to break things. We teach people how to break into their own systems. We teach people how to break into their own cloud infrastructure, how to do threat modelling, so they can start to understand how to think about threats,” he explains.
But in practice, this means Whittaker and his team are teaching people to do things that a court could argue is against the CMA in some way, shape or form, so in addition to the technicalities, he is also very careful to teach his clients all about the law and how to operate within its confines when brushing up against hard limits.
“The pieces of paper have to be signed, the scope has to be agreed on,” says Whittaker. “When we’re teaching juniors, we spend probably half a day going through the CMA and detailing to them exactly how nervous they have to be about this stuff, making sure they are aware of it.
“It is definitely at the forefront of our minds. And if there is a breach in scope, you stop. You contact the client and say, ‘Listen, we’ve scanned too many IPs, we’ve done this, we’ve done that’. You speak to the client regularly about making sure that doesn’t happen.
“In all of our considerations, we would rather pull back on the project rather than risk hitting a third party when we’re pen testing,” says Whittaker.
He looks, maybe a little wistfully, to the work of security researchers at larger US or Israeli security organisations that have a little leeway in such things, or to the work of those in more lenient jurisdictions, such as the Baltics, where the cyber research wings of prominent virtual private network providers churn out large volumes of research, often on big flaws in consumer technology.
“You hear, for instance, stories about broadband provider X that sent this box that is rubbish and can be accessed remotely. I can hack all of those things, but I can’t go and do the research in a responsible, formal way, because if I do, I run the risk of being arrested or sued,” he says.
“It’s really frustrating for smaller organisations like ourselves. We want to be able to do this research. We want to be able to help. We want to be able to provide this information. But it’s very complicated.”
What would reform of the CMA mean?
The Computer Misuse Act is currently up for reform as part of a wider Home Office review of the act, but progress has been shaky and stalled out several times thanks to the Covid-19 pandemic and the successive collapses of Boris Johnson’s and Liz Truss’s governments.
It’s frustrating for smaller organisations like ourselves. We want to be able to do this research. We want to be able to help. We want to be able to provide this information. But [the law makes it] very complicated
Simon Whittaker, Instil
Cut to 2024 and a new Labour government, and things seemed to be moving again. But then in December 2024, attempts by Lord Holmes and other peers to have the Data (Access and Use) Bill amended to introduce a statutory defence for cyber professionals were rebuffed by the government, with under-secretary of state at the Department for Science, Innovation and Technology (DSIT) Baroness Margaret Jones saying reform was a complex issue.
The government is considering improved defences through engagement with the security community, but Jones claims that to date, there is no consensus on how to do this within the industry, which is holding matters back.
More recently, science minister Patrick Vallance weighed in after police highlighted their concerns that allowing unauthorised access to systems under the pretext of identifying vulnerabilities could be exploited by cyber criminals.
He said: “The introduction of these specific amendments could unintentionally pose more risk to the UK’s cyber security, not least by inadvertently creating a loophole for cyber criminals to exploit to defend themselves against a prosecution.”
But after many years and frequent engagement with the government, the campaigners, while keeping things civil, are clearly frustrated – and understandably so. They want things to be moving faster.
Whittaker says reform would be the difference between night and day for his security practice.
“It would allow us to be more secure in our research. I’d love to be able to just look at things in more detail and help people secure themselves. It would allow us to focus on our jobs instead of being worried that we’re going to breach something or that something else is going to go wrong. It would be a step change from what we currently see – that ability to perform in a useful way,” he says.
“All we are trying to do is give our teams, these experts that we have right here in Belfast and around the country, the ability to be able to compete on a global scale. If the amendment comes, it will enable us to be able to compete and to protect ourselves and our citizens in a much better way,” he concludes.
And when all is said and done, isn’t keeping the UK safe in the ever-changing, ever-expanding threat landscape more important than enforcing a blanket definition of hacking as an illegal act when cyber criminals around the world know full well they’re breaking the law and simply don’t give a damn?
Timeline: Computer Misuse Act reform
January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee.
January 2025: Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit.
