Campaigners Call for Computer Misuse Act Revision on 30th Anniversary

guest · Jun 29, 2020

Campaigners Call for Computer Misuse Act Revision on 30th Anniversary
June 29, 2020
https://www.infosecurity-magazine.com/news/campaigners-misuse-revisionn-30/

An open letter has been sent to UK Prime Minister Boris Johnson, asking for an update to the Computer Misuse Act (CMA) as it marks its 30th anniversary of reaching royal assent..

Coordinated by the CyberUp Campaign, a group of cybersecurity organizations are pushing for an update of the Computer Misuse Act to make it fit for the digital age.

“In 1990, when the CMA became law, only 0.5% of the UK population used the internet, and the concept of cybersecurity and threat intelligence research did not yet exist,” the letter read. “Now, 30 years on, the CMA is the central regime governing cybercrime in the UK despite being originally designed to protect telephone exchanges. This means that the CMA inadvertently criminalizes a large proportion of modern cyber-defense practices.”
“[...] we are calling on the government to make putting in place a new cybercrime regime part of this commitment. This will give our cyber-defenders the tools they need to keep Britain safe.”
Click to expand...

CyberUp Campaign:
‘Out of Date’ 30 year-old Cybercrime Legislation Leaves UK at Risk During Coronavirus, Professionals Warn

A coalition of businesses, trade bodies, lawyers and think tanks from across the cyber security industry have today taken the unprecedented step of uniting to pen a letter to the Prime Minister urging him to reform the law governing cybercrime in the UK, which came into effect thirty years ago today, claiming it is now ‘unfit for purpose’.
Click to expand...

Cyber security experts use CMA’s 30th birthday to ask the Prime Minister for reform

The CMA prevents thousands of UK threat intelligence researchers from carrying out research to detect malicious cyber activity and prevent harm and disruption to organisations and citizens alike. In particular, section 1 of the Act prohibits the unauthorised access to any program or data held in any computer and has not kept pace with advances in technology.
Click to expand...

guest · Nov 19, 2020

Computer Misuse Act: Most UK cybersecurity pros fear breaking the law by simply doing their jobs
November 19, 2020
https://portswigger.net/daily-swig/...r-breaking-the-law-by-simply-doing-their-jobs

Four in five UK cybersecurity professionals worry about breaking the law due to outdated provisions of the country’s aging cybercrime legislation.

A survey – commissioned by techUK and the CyberUp Campaign, industry groups both pushing for Computer Misuse Act (CMA) reform – highlights the restrictions that penetration testers are under when it comes to abiding by the 30-year-old law.
Critics argue that the law inhibits the work of cyber-threat analysts and other security researchers, in particular because of the tight definition of what acts are authorized and who can authorize them.

According to CyberUp, the findings of the survey illustrate that the concerns and confusion about the Computer Misuse Act are hampering the nation’s cyber defences by preventing cybersecurity professionals from doing their jobs.
Click to expand...

Ollie Whitehouse, CTO of NCC Group and director at PortSwigger Web Security, The Daily Swig’s parent company, added: “This research and the resultant report significantly adds to the body of evidence suggesting that we must reform this outdated legislation to ensure the cyber resilience of the United Kingdom and its allies.”

“Defending against cyber-attacks has shown the cyber industry-government partnership at its finest, but the Computer Misuse Act limits this kind of collaboration and constrains its full potential whilst undermining the economic opportunities for UK companies,” he added.
Click to expand...

CyberUp: 4 out of 5 cyber security professionals worry about breaking the law when defending UK, report finds

guest · Nov 3, 2021

CyberUp presents four principles to keep security researchers out of jail for good-faith probing
Computer Misuse Act campaign gets down to brass tacks
November 3, 2021
https://www.theregister.com/2021/11/03/computer_misuse_act_defence_principles_cyberup/

Campaigners want a new code of practice alongside a proposed public interest defence for the Computer Misuse Act 1990, in the hope it will protect infosec pros from false threats of prosecution.

The CyberUp campaign hopes the four principles it put forward this week will be used by judges to help decide whether accused information security professionals have committed crimes or not.
Click to expand...

In a published paper, CyberUp said it wants judges "to 'have regard to' Home Office or Department for Digital, Culture, Media and Sport (DCMS) guidance on applying a statutory defence that would, ideally, be based on the framework we propose."
The principles include asking judges to look at:

Whether an alleged CMA infringement caused harms or benefits;

Whether the infringement was proportional;

What the accused intended to do; and

Their competence "to act in ways that minimise the risk of harm."

Click to expand...

If CyberUp's proposals become a binding statutory guidance document they'll be an arguable point outside the courtroom as well as in front of a judge, providing a bit of clarity to companies and individual security researchers (and curious folk) alike.
Click to expand...

CyberUp: New Research: a proposal for a principles-based framework for the application of a statutory defence under a reformed Computer Misuse Act

In response to questions about how this well-established legal principle would operate in the cyber context, the paper seeks to demonstrate that courts are capable of successfully and consistently applying an assessment of whether an act of unauthorised access (currently illegal under the Computer Misuse Act) was defensible, and thereby inform an evolving understanding of what constitutes legitimate conduct in cyber space.
Click to expand...

guest · Aug 15, 2022

Report reveals consensus around Computer Misuse Act reform
August 15, 2022

Cyber security experts and professionals are broadly aligned on questions of legitimacy and legality when it comes to some instances of unauthorised access to IT systems, according to a report produced by campaigners for reform of the Computer Misuse Act (CMA), who hope their findings will bring clarity for policymakers exploring changes to the law.

The CyberUp campaign has been calling for reform of the CMA for years. The law dates to the early 1990s, when the world of IT looked very different, and as a result there is now great concern in the security world that its current wording effectively criminalises the work of ethical hackers and security researchers.
Click to expand...

For this reason, the group has been advocating for the inclusion of a statutory defence in the CMA since 2019, and last year the government said it would begin work on reforming the CMA, but since then little progress has been made, bar an attempt in the Lords to insert such a provision into the Product Security and Telecommunications Infrastructure (PSTI) Bill.

“The consensus outlined in the report published today shows how a statutory defence can operate in practice,” the campaigners said.
Click to expand...

CyberUp: New Research: legitimate cyber security activities in the 21st Century

A new piece of work by the CyberUp Campaign released today establishes the current expert consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act.
The key findings of the report:

Through consultation with industry experts, the report establishes the set of activities which are seen as legitimate instances of unauthorised access – and therefore ought to be legal under a reformed Computer Misuse Act. These include: proportionate threat intelligence; responsible vulnerability research and disclosure; active scanning; enumeration; use of open directory listings; identification; and honeypots.

The report also outlines the consensus on illegitimate forms of unauthorised access, which include: hack back, distributed denial-of-service attacks, and breaking into the critical national infrastructure, among others.

Finally, the report establishes that techniques best describes as ‘active defence’ still represent a grey area and will require further discussion as the Home Office prepares to respond to the review of the Act and set out next steps towards a potential policy change.

Click to expand...

Crucially, it highlights that it will not open up a ‘Wild West’ of cyber vigilantism. Instead, by reforming the Computer Misuse Act to make defensible the activities outlined in the report, the CyberUp Campaign argues the Government can enable a swathe of benefits including improved cyber resilience of the nation and its allies and accelerated growth of the UK’s domestic cyber security sector.
Click to expand...

Log in or Sign up

Campaigners Call for Computer Misuse Act Revision on 30th Anniversary

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Campaigners Call for Computer Misuse Act Revision on 30th Anniversary

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches