
New Proposals for UK’s Computer Misuse Act

Published by
RiSec.n0tst3

UK legislators have proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill that would give cybersecurity professionals a legal defence for their activities under the Computer Misuse Act (CMA).

A cross-party group in the House of Lords, the UK’s second chamber, tabled the amendment on Tuesday (June 21).

The PSTI bill is designed to support the UK’s 5G rollout while also mandating vulnerability disclosure policies for vendors of Internet of Things (IoT) products, among other security provisions.

‘Acting in good faith’

The CyberUp campaign, a security industry coalition calling for wholesale reform of the CMA, argues that a statutory defence under the 1990 act would protect security researchers, ethical hackers, and pen testers from spurious legal action when responsibly hunting for or reporting vulnerabilities.

Speaking in the House of Lords yesterday, Lord Arbuthnot of Edrom referenced the CyberUp campaign’s suggestion that a statutory defence should be based on “the prospective benefits of the act outweighing the prospective harms”, on “reasonable steps being undertaken to minimise the risks of causing harm… the actor demonstrably acting in good faith [and] being able to demonstrate competence”.

The CyberUp campaign has also urged the government to release the findings of its ‘call for information’ (consultation) on the effectiveness of the CMA, which closed more than a year ago.

UK Home Secretary Priti Patel announced the consultation with academia, law enforcement agencies, and the cybersecurity industry alongside plans to review the CMA in May 2021.

Kat Sommer, head of public affairs at CyberUp backer NCC Group and CyberUp spokesperson, hailed the PSTI amendment, noting that some countries had “more permissive regimes, but no country has yet gone so far as to introduce a defence for unauthorised access.

“Of course, the ideal situation is for the government to bring forward reforms to the Computer Misuse Act which provide a defence in more than the case of just connected products – after a year-long wait, you would think we would be likely to hear something from ministers on this soon.”

‘Simply doing their job’

Campaigners believe that, if passed, the amendment will protect the likes of security researcher Rob Dyke, who was threatened with legal action under the CMA – threats that were eventually abandoned – after alerting a UK non-profit to security flaws in 2021.

“I’m really glad it seems like lawmakers are beginning to take seriously the need for cybersecurity researchers like me to have the protection of the law,” Dyke said. “It’s not right people might have to go through what I have simply for doing their job.”

Lord Arbuthnot also told the House of Lords that when the CMA was enacted, “no consideration was given – I remember because I was there – to web scraping, port scanning or malware detonation, and people are not sure that they are legal. Some of us are not sure quite what they are.

“This is why there needs to be certainty for cybersecurity researchers – they need to be able to do things for the public good.”

Related recent developments across the Atlantic may well offer hope to UK campaigners.

The legal jeopardy surrounding legitimate security research in the US has eased considerably following a US Supreme Court ruling in 2021 about what constitutes “unauthorized access” under the Computer Fraud and Abuse Act, and the Department of Justice’s recent pledge not to prosecute “good faith” security research.

This post was last modified on 24 June 2022 7:30 PM

RiSec.n0tst3

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!
