A report by the CyberUp campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform
By Alex Scroxton, Security Editor
Published: 15 Aug 2022 15:00
Cyber security experts and professionals are broadly aligned on questions of legitimacy and legality with regard to some cases of unauthorised use of IT systems, according to a report by campaigners for reform of the Computer Misuse Act (CMA), who hope their findings provide clarity for policymakers exploring changes to the legislation.
The CyberUp campaign has been calling for reform of the CMA for some time. The law dates to the early 1990s, when the world of IT looked very different, and there is now widespread concern in the security community that its current wording effectively criminalises the work of ethical hackers and security researchers.
Because of this, the group has been advocating for the inclusion of a statutory defence in the CMA since 2019. Last year the government said it would begin work on reforming the CMA, but since then little progress has been made, apart from an effort in the Lords to insert such a provision into the Product Security and Telecommunications Infrastructure (PSTI) Bill.
The consensus outlined in the report published today shows how a statutory defence could work in practice, the campaigners said.
Crucially, it highlights that such a defence would not open up a Wild West of cyber vigilantism. Instead, by reforming the Computer Misuse Act to make defensible the actions outlined in the report, the CyberUp Campaign argues the government can unlock a range of benefits, including improved cyber resilience for the country and its allies, and accelerated growth of the UK's domestic cyber security sector.
Respondents to the survey were asked to categorise cyber activities and techniques within the scope of vulnerability and threat research into four groups: acts that cause no or limited harm but deliver benefit, which are defensible; acts that cause harm but deliver benefit, which might be defensible; acts that cause no or limited harm and deliver no or limited benefit, which could also be defensible; and acts that cause harm and deliver no or limited benefit, which are indefensible.
CyberUp found consensus on 13 activities that fit the first category. They are the use of application programming interface (API) keys, banner grabbing, the use of beacons, the implementation of firewalls and network access controls, the use of honeypots, the use of open directory listings, passive intelligence gathering, port scanning, the use of sandboxes or tarpits, taking down servers or botnets, sink-holing, web scraping, and malware analysis. CyberUp therefore believes the reformed CMA should make these actions defensible.
In the second category, CyberUp found agreement that forward or active intelligence gathering, patching third-party networks and using remote desktop protocol connections to obtain information from attackers' systems could be defensible, but that further work would be needed to establish exactly how to manage them.
Respondents were then asked for their views on cyber activities and techniques that require unauthorised access but that a reformed CMA should deem legitimate or illegitimate.
CyberUp found that the cyber community agrees there is a group of activities that can be viewed as legitimate cases of unauthorised access and should therefore be legal. These activities include vulnerability research, the proportionate surveying of systems that are publicly available (i.e. exposed to the internet), responsible security research, responsible disclosure, active scanning, enumeration, best-practice internet scanning, use of Active Directory listings, identification, passive reconnaissance and investigation, and the use of honeypots.
It also found there is agreement on which activities constitute illegitimate unauthorised access, such as hacking back, conducting distributed denial-of-service attacks, the use of malware and ransomware, malicious socially undesirable acts, the validation of exploits or proof of a failed security boundary, and breaking into systems deemed part of critical commercial infrastructure. This group of activities also includes the more indistinct notion of causing harm.
Finally, the report reveals a consensus that the group of cyber techniques referred to as active defence may still represent a grey area that needs to be considered and discussed as the Home Office prepares to take its next steps towards a potential policy change.
These grey areas include actions such as infiltrating the networks or systems of threat actors, verifying passively detected vulnerabilities, exploiting vulnerabilities, credential stuffing, neutralising suspicious or malicious assets, active intelligence gathering, the use of botnets, and active investigation and forensic analysis.
CyberUp emphasised that it is not proposing that the entire set of activities set out in its report make its way into government guidance accompanying a statutory defence, because the fast-evolving nature of the security landscape means the list would inevitably become dated. Instead, it said, it hopes a court could draw on the level of consensus established by its harm-benefit matrix at any given time when considering a hypothetical future case.
It also found that some of its respondents objected to or questioned the whole approach of expanding the scope of defensible activity. One commented that the status quo should remain in place because such activities might lead to disruption of intelligence or police operations, diplomatic incidents or war.
Others raised questions around whether there should be some form of licensing system for certain cyber activities, while another respondent suggested these activities should only ever be undertaken by a certified actor in possession of a court warrant to proceed.