Campaigners who want to reform the UK’s Computer Misuse Act (CMA) of 1990 to protect cybersecurity researchers and analysts from the threat of prosecution for doing their work have gained major new support from Crest International, the accreditation and assurance body for cybersecurity professionals.
The CyberUp campaign argues that the CMA, which turns 33 this year, is hopelessly outdated and does not reflect how the cybersecurity profession has evolved over the past three decades.
The group’s main concern is the wording of the law, in particular the notion of “unauthorized access” to a program or data held on a computer.
Since defensive security work routinely involves scanning, interrogating and accessing computer systems, the campaign says a prosecutor could successfully argue that a cyber professional is breaking the law simply by using common and accepted defensive techniques in the course of their work.
Reform was promised in 2021, but the process has stalled, even though there is now a broad consensus that the law needs to change.
“Crest has supported and admired the efforts of the CyberUp campaign since its inception, so it’s great to make this support official,” said Rob Dartnall, Chairman of Crest’s UK Council.
“The Computer Misuse Act is outdated and its vision of security testing and threat intelligence is not suited to today’s increasingly digitalized world with ever more sophisticated cyber threats.
“In 2021, CyberUp won a full review of the law, so it is now important that industry in the UK works together to ensure substantial reform. We will work with the campaign to help engage industry and push forward a successful reform.”
A spokesperson for the CyberUp campaign said: “The CyberUp campaign is delighted to have Crest International as a supporter.
“We very much look forward to working with Crest and its members in the UK to ensure reform of the Computer Misuse Act. The UK is on the verge of a historic change in our cybercrime laws. The help of organizations like Crest is essential if we are to ensure that this unique opportunity is not wasted.”
An August 2022 report produced by the CyberUp campaign aimed to reassure policymakers that reform would not usher in a “Wild West” of cyber vigilantism.
The report sorts cyber activities into four categories: acts that cause no or limited harm but provide a benefit; acts that cause harm but provide a benefit; acts that cause no harm and provide no benefit; and acts that cause harm and provide no benefit.
In the first category, CyberUp proposed that the government make a total of 13 activities defensible in law: use of application programming interface (API) keys, banner grabbing, use of beacons, implementation of firewalls and network access controls, use of honeypots, use of open directory listings, passive intelligence gathering, port scanning, use of sandboxes or tarpits, server or botnet takedown, sinkholing, web scraping and malware analysis.
Activities in the last category, which would remain indefensible in law, could include hacking, conducting distributed denial of service attacks, using malware and ransomware, malicious or “socially undesirable” acts, validating exploits or demonstrating a failing security boundary, and intruding into systems considered part of critical national infrastructure.
The report also highlighted some gray areas, particularly around activity described as active defense, which can include infiltrating threat actors’ networks or systems, verifying passively detected vulnerabilities, exploiting vulnerabilities, credential stuffing, neutralizing suspicious or malicious assets, information gathering, use of botnets, and active investigation and forensic analysis.
Campaign work continues.