Under current law, only the NCSC can carry out threat intelligence beyond a corporate boundary
The Computer Misuse Act turns 30 today. And critics say it has far outlived its purpose, with its Section 1 blanket-criminalising security researchers, and undermining the ability for security teams to conduct threat scanning.
Now, an eclectic coalition has written to the Prime Minister urging him to reform the aging law — warning that it prevents threat intelligence researchers from “carrying out research to detect malicious cyber activity.”
Signatories to the letter include industry group techUK, security firms F-Secure, NCC, Digital Shadows, international accreditation body CREST, the think tank Demos, and several prominent lawyers. Their letter today builds on a substantial report urging reform that was published in January 2020.
Computer Misuse Act at 30: Old Before Its Time?
The Computer Misuse Act (1990) was written to “prevent computer hacking before the concept of cyber security existed”, they say (just 0.5% of the population used the Internet when the Act was given Royal Assent).
The campaigners warned today that restrictions in the legislation deter “a large proportion of the research [needed to] assess and defend against emerging threats posed by organised criminals and geo-political actors.”
The 1990 legislation begins:
(1) A person is guilty of an offence if – a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; b) the access he intends to secure is unauthorised.
As Ollie Waterhouse, Global CTO at NCC Group, told Computer Business Review: “[This] criminalises any access to a computer system without permission of the system owner. [Yet] threat intelligence and security researchers, by the very nature of the work they are undertaking, are often unable to obtain that permission: a threat intelligence researcher investigating a cyber criminal’s attack infrastructure will be hard pressed to obtain that criminal’s consent to try and catch them. [The law] completely ignores the fact that there are ethical researchers undertaking research activities in good faith.”
That’s just section 1. Section 3, meanwhile, targets anyone who “makes, adapts, supplies or offers to supply any article intending it to be used to commit, or to assist in the commission of, an offence under section 1”.
As a January 2020 report also urging reform notes:
“The aim of section 3A was to find an additional means of punishing hostile attackers by looking at the tools that they use. The main problem in drafting the legislation was that code and tools used by hackers are either identical to or very similar to code and tools used legitimately by computer and network systems administrators and by penetration testers.”
As NCC’s Waterhouse added: “The law needs to be changed to allow for actors’ motivations to be taken into account when judging their actions. The way to do this, we believe, is to include statutory defences in a reformed Computer Misuse Act that legitimise activities otherwise illegal under section 1 where they happen in order to detect and prevent (cyber) crime.
“There are legal precedents, including in the Data Protection Act 2018, so this isn’t a novel concept. But it would extend legal certainties and protections guaranteed to others to the UK’s cyber defenders.”
The campaign aims to build on earlier work by the Criminal Law Reform Now Network (CLRNN) on the same subject. The CLRNN’s January 22 report notes that it is strikingly difficult to get precise numbers on CMA prosecutions, but puts it at approximately 500 since 1990. Campaigners say despite the comparatively low prosecution figures, the deterrent factor of the legislation — which is well known in the security community — remains deeply damaging.
They noted in the January report that, under current law, “only law enforcement and the NCSC, which is part of GCHQ and inherits its powers under section 10 of the CMA 1990, Part 5 of the Investigatory Powers Act 2016 and section 3 Intelligence Services Act 1994, appear to be the only UK bodies that can carry out threat intelligence beyond a corporate boundary”.
Ed Parsons, MD at F-Secure Consulting, added: “We also need to protect security professionals involved in research on common technologies targeted by cyber criminals looking to launch indiscriminate attacks at scale.”
He added: “The CMA in its current form doesn’t provide effective defences for cybersecurity professionals acting in good faith, whether involved in technical research, incident response or threat intelligence. It limits what the UK computing industry can do compared with foreign competitors, including our ability to provide support to national security and law enforcement authorities through proportionate investigation of attacker infrastructure.”
See also: This Security Researcher says He was Threatened with Legal Action, “Assaulted” over Attempted Disclosure to Casino Vendor