A majority of British infosec professionals worry about accidentally breaking the UK’s antiquated Computer Misuse Act, according to an industry campaign group that hopes to reform the law.
The Cyberup campaign, which includes NCC Group, Orpheus Cyber, Context Information Security, Nettitude, F Secure and others, first wrote to UK Prime Minister Boris Johnson in July 2019 urging him to update the regulations.
In its latest study, the group reckoned that 80 per cent of security professionals were worried about breaking the law, based on responses submitted on behalf of major infosec firms.
Ruth Edwards, the Conservative MP for Rushcliffe in Nottingham, said in a new report issued today: “I know from my time in this industry that there are now real concerns among the cyber security community that this law is impeding professionals’ ability to protect the nation from the ever-evolving range of cyber threats we face, and preventing the sector from establishing its leadership position on the international stage.”
The campaign hopes to update the Computer Misuse Act 1990 (CMA) for the modern era on the grounds that the law was drafted long before either modern IT architectures or modern infosec threats had been thought of.
Bank on it: It’s either legal to port-scan someone without consent or it’s not, fumes researcher
F-Secure veep Ed Parsons told The Register he supported the Cyberup campaign, saying that today’s report was also “an opportunity to remind security professionals of what this legislation is and how it applies to the activity they’re undertaking in their day-to-day jobs.”
Previous criticism of the CMA included assertions that threat intelligence providers operating from the UK were unable to probe adversaries’ infrastructure to the same depth as their overseas counterparts lest they break section 1 of the act, which bans “unauthorised” acts on other people’s computers – even when those machines are operated by criminals using them to attack individual or business targets. “Unauthorised” can mean as little as using a username and password from the public domain to log into an account, a point lost on many infosec researchers and even journalists.
“To give you a different perspective on this, my company F-Secure, we’re not a threat intelligence provider,” said Parsons. “The professionals who work for me aren’t threat intelligence providers, they’re security research and incident responders among other disciplines. They find their roles somewhat bounded by the CMA in its current form. I think that’s particularly relevant in the field of security research.”
Academics call for UK’s Computer Misuse Act 1990 to be reformed
Parsons said that given how modern enterprise IT infrastructure is growing and evolving, the CMA makes it “increasingly complex and difficult to draw a circle around what is in scope of any of the work that we do”, saying: “Modern organisations are typically an ecosystem of third-party providers and, increasingly, cloud-based services as well. When we’re doing research on behalf of a client, what is and isn’t in scope? Therefore what’s authorised and what’s unauthorised is actually getting harder to figure out.”
Can someone operating an S3 bucket give authorisation, within the CMA definition, to a pentesting firm looking to probe that? What if Amazon detects that activity and decides it is hostile? The answers to such questions are well known to a few – but those few might not include your local police force’s cyber crime team, or the prosecutor who acts on their behalf urging to bring a criminal case.
While this is mostly a hypothetical fear – Parsons conceded “we’ve not seen this legislation being used in anger a lot” against infosec researchers – it can also be cited as evidence that the CMA is not fit for purpose.
A number of crimes committed using computers as the attack vector are charged by prosecutors as non-CMA offences, primarily fraud. While the number of CMA prosecutions remains relatively low, as covered ad nauseam previously on El Reg, the number of prosecutions for computer-related crime is likely to be orders of magnitude higher than the CMA stats themselves show in isolation. ®