Maksim Shmeljov - stock.adobe.co
Ethical hackers can be heroes: It's time for the law to catch up
The UK government's plan to finally rewrite the 1990 Computer Misuse Act to provide much-needed legal protections for ethical hackers is welcome, but now we need firm action.
The last year has seen some of the costliest cyber attacks on UK businesses to date. Attacks on Marks & Spencer cost the supermarket chain hundreds of millions in lost profits and led to empty shelves. The Jaguar Land Rover attack sent shockwaves throughout its supply chain, which ultimately dragged down UK GDP in the third quarter.
While the perpetrators of cyber crime often operate across international borders, and beyond the reach of law enforcement, the M&S attack has resulted in several arrests in the UK, under the Computer Misuse Act [CMA] of 1990. With a new Cyber Security and Resilience Act on the way, it might seem UK authorities will soon have greater powers to force organisations to build better defences.
But while the UK government continues to pursue cyber criminals, it also needs to be much clearer about the crucial role of cyber security researchers and ethical hackers in defending against them.
Last week, UK security minister Dan Jarvis told a conference that the government was looking at changes to the CMA to introduce a “statutory defence” for cyber security experts who spot and share vulnerabilities.
It would mean that, as long they meet “certain safeguards”, researchers would be protected from prosecution.
To understand why this is so significant it’s worth recalling the background to the CMA. In the mid-1980s, IT journalist Steve Gold and fellow hacker Robert Schifreen were accused of accessing the Duke of Edinburgh’s BT Prestel email account.
They were prosecuted and convicted under the Forgery and Counterfeiting Act, but this was overturned on appeal, because that act didn’t specifically cover computer crimes.
This led to the CMA which set prison sentences for gaining unauthorised access to computer material.
The date is significant. At that time, most computer systems were tightly-controlled and effectively inaccessible to the majority of the population.
Very few people had a (BT-approved) modem at the time. The web had been developed just a year before. The dot com boom was years in the future, the term cyber war had yet to be coined, and the prospect of industrial level cyber crime barely considered.
The legislators who crafted the CMA can be forgiven for not anticipating the transformation of today’s digital environment, from mobile to cloud to AI. So, it’s perhaps understandable that the act didn’t anticipate the emergence of cyber security researchers, who would look for vulnerabilities and misconfigurations and share that information with the organisations concerned.
Less understandable is why this hasn’t been addressed since. As cyber crime transformed from a small niche into a worldwide epidemic over the last two decades, white hat hackers have been key to exposing and mitigating the methods and technologies cyber criminals have exploited. This has necessarily meant thinking and acting like a hacker.
Yet the CMA, and similar legislation in other countries, have proven to be a blunt instrument when it comes to deterring cyber crime.
It’s fair to point out that the number of prosecutions under the CMA and similar laws has been fairly low. But that is more because of the asymmetric nature of cyber crime: Most threats are coming from individuals beyond the reach of the UK and its allies, who are unlikely to be deterred by the CMA.
This imbalance has only become more stark as vulnerabilities and flaws have been exploited indiscriminately and at internet scale not just by criminals but by nation states willing to compromise critical national infrastructure, foreign businesses and consumers for strategic gains.
It has left researchers, and their potential clients, in a legal grey area. It has, on occasion, led to prosecutions of legitimate good guys.
Meanwhile, that ongoing threat of prosecution has an effect on another group of individuals – the next generation we need to encourage to join the industry. We are already suffering a chronic skills crisis, and the prospect of a criminal record hardly represents a golden hello.
None of this is new. The Criminal Law Reform Network highlighted in 2020 how “the CMA 1990 requires significant reform to make it fit for the 21st century.” and recommended the addition of required harms. The Home Office began a review of the act in 2021, which concluded in 2023, and did consider the question of a defence for researchers. the addition of required harms.
Timeline: Computer Misuse Act reform
- January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
- June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws.
- November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
- May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
- June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
- August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
- September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
- January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990.
- February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
- March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
- November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
- July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
- July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
- December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
- December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee.
- January 2025: Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit.
- May 2025: Britain’s outdated hacking laws are leaving the UK’s cyber practitioners hamstrung and afraid. Security professional Simon Whittaker reveals how he nearly ran afoul of the Computer Misuse Act, and why he’s speaking out for reform.
- December 2025: Campaigners celebrate as security minister Dan Jarvis commits to amending the outdated Computer Misuse Act to protect security professionals from prosecution.
When the Cyber security and Resiliency Act becomes law in the UK, many more organisations will be obliged to report breaches, and be under more pressure to manage their security posture, including vulnerabilities.
They’re not going to be able to do that without the help of ethical hackers and cyber security researchers, who should be able to operate without fear of prosecution. It’s certainly do-able. Portugal has just announced built in defences for researchers in its implementation of NIS2.
Jarvis’ statement is welcome. But now we need action. We can’t wait another five years for the government to act to give cyber researchers and ethical hackers the cover they need. And we definitely can’t wait another 35.
Ed Parsons is chief operating officer at bug bounty, vulnerability disclosure and penetration testing services provider Intigriti, and a former vice president and cyber professional member association ISC2. A career risk and cyber expert, Parsons is a is a Certified Information Systems Security Professional (CISSP) and a UK Chartered Cyber Security Professional.
Read more on Hackers and cybercrime prevention
-
![]()
UK government pledges to rewrite Computer Misuse Act
By: Alex Scroxton
-
![]()
Why we must reform the Computer Misuse Act: A cyber pro speaks out
By: Alex Scroxton
-
![]()
Vallance rejects latest charge to reform UK hacking laws
By: Alex Scroxton
-
![]()
Latest attempt to override UK’s outdated hacking law stalls
By: Alex Scroxton
