Groups promote Computer Misuse Act update to enable security research

Some in the UK security industry are calling for an update to the CMA to allow them to conduct security research without threat of prosecution.


The Computer Misuse Act (CMA) 1990 defines what activities involving computers are illegal within the UK. It was created because existing legislation wasn’t suited to the nascent digital world of the mid-to-late 1980s. Today the CMA is seen as inadequate for the security research and consulting industry it now inadvertently governs.

Security firms and researchers are calling for the law to be changed to give researchers and ethical hackers in the UK more legal protections around their activities. They want the CMA to delineate the difference between the work of security research and cybercriminals.

Computer Misuse Act: The UK’s first anti-hacking law

The Act itself was enacted because previous laws didn’t account for criminal activity based entirely within the digital realm. In the mid-1980s, Steve Gold and Robert Schifreen gained access to BT’s Prestel service using an engineer’s credentials that Schifreen had observed being typed at a trade show. The two eventually gained access to the Prestel mailbox of the Duke of Edinburgh, Prince Philip. They were convicted under the Forgery and Counterfeiting Act 1981, but the conviction was overturned on appeal (R v Gold and Schifreen) because typing someone else’s credentials into a computer did not amount to making a “false instrument” under that Act. The case made it clear a new law was needed to punish those committing computer-based crime.

Introduced in 1990, the CMA makes it an offense to:

  • Gain unauthorised access to computer material
  • Gain unauthorised access with intent to commit or facilitate commission of further offences
  • Cause unauthorised modification of computer material

The lowest levels of offense can result in up to two years in prison and a £5,000 fine. More serious offenses that result in harm can result in a 14-year prison sentence.

As with examples in the US such as Georgia’s controversial “hack back” bill, the chief issue campaigners have with the CMA is that it doesn’t discern the difference between malicious attackers and legitimate security research. The law assumes all unauthorised access is criminal, thereby putting security researchers and ethical hackers at potential risk from prosecution.

“The Computer Misuse Act 1990 was fit for purpose when it was conceived, but the relentless march of technology in the last 30 years means much of it has become outdated,” says Peter Yapp, partner for cyber and information security at law firm Schillings. “The Act prohibits unauthorised access to computers, therefore rendering this vital research work, technically, illegal. As an example, there are a multitude of US based companies offering vulnerability scanning services of the extended supply chain, whereas there are few, if any, UK companies offering the same service.”

The CMA has been updated since 1990, but rather than exempt researchers, the new provisions added more types of offence. Sections 36 and 37 of the Police and Justice Act 2006 amended the Act so that it is an offence to do any unauthorised act in relation to a computer, knowing it to be unauthorised, with intent to impair the operation of any computer or to hinder access to any program or data held in any computer (or being reckless as to whether it will). They also made the making, supplying or obtaining of articles (code, for example) for use in computer misuse an offence (section 3A). The Serious Crime Act 2015 added an offence (section 3ZA) of unauthorised acts causing, or creating a significant risk of, serious damage, such as to the economy, the environment, national security or human welfare.

How the Computer Misuse Act prevents ethical hacking

A 2020 report from the Criminal Law Reform Now Network (CLRNN) notes that authorisation or lack thereof “is at the heart” of the CMA’s issues and where ethical hackers and security researchers “see themselves as vulnerable to criminal charges.” The CLRNN report notes that authorisation can be difficult to obtain in research involving large and complex environments that have many interdependencies with other systems and devices – including potentially those by employees or other organisations – which may not be covered by the initial authorisation agreement and can only be granted by that secondary party. Currently the only exemption is given to law enforcement and the security and intelligence agencies.

Threat intelligence and penetration testing – including basic actions such as port or internet scanning or even investigating the results of honeypot operations – could technically be illegal under the current Act. Making, supplying or obtaining tools that could be used for misuse is also an offence under section 3A where the person intends them to be used, or believes they are likely to be used, to commit a CMA offence. However, the tools of a security researcher and a threat actor often overlap, and researchers will often hold copies of malicious tools such as malware with the aim of understanding how they work and developing protective measures. Researchers releasing tools that could be used for hacking – legitimate or otherwise – could also be viewed as committing an offence.

“Everyone working in the UK computing industry faces having to do the job with one hand tied behind their back in order to stay within the law,” says Ed Parsons, managing director at F-Secure Consulting. “The risk today of someone accessing something without proper authority is arguably greater than it has ever been. It means we can only take a reactive approach when defending victims of an attack rather than a proactive one. We need to have the freedom to research security issues in our national infrastructure so that developers can make them more resilient to state-backed attacks and exploits.”

Convictions under the CMA are few. The CLRNN estimates around 500 convictions under CMA from 1990 to 2018. While a steady increase has occurred in the last few years, this is still a tiny proportion of the overall reported cybercrimes in the UK. Limited police resources, the difficulty in identifying criminals, the fact that many don’t reside in the UK, and that businesses prefer to focus on reclaiming lost data or funds over reporting to law enforcement or criminal conviction (and the potential media attention) are the main reasons for few convictions.

Only 24% of those prosecuted between 2008 and 2018 were found not guilty at court or otherwise had their cases halted, according to a 2019 analysis by the Register. Prison was unlikely: just nine (including young offenders sent to youth prisons) out of 45 convictions received custodial sentences. Convictions do happen. Last year an IT consultant who deleted information from company servers in retaliation for being fired was given a two-year prison sentence. Two CMA cases this year resulting in prison sentences involved downloading hacking tools to spy on people and accessing customer databases.

As far as CSO can ascertain, no security researchers in the UK have been prosecuted for their research activities under the CMA. This lack of action against security researchers, however, rests largely on the discretion of police and prosecutors, and researchers and companies campaigning for change want more concrete reassurance that they will not face criminal charges.

“In reality the CMA hasn’t prevented ethical hacking,” says Scott Pendlebury, head of threat research at Netacea. “Bug bounty programs are commonly used among businesses, which in effect pay people to find vulnerabilities in their own websites. In this case, companies hand over authority to hackers for research purposes, meaning there’s no breach of the CMA.”

Intention plays a big role in whether an activity is criminal under the CMA. “In an online environment, intention is easily revealed, it’s pretty obvious if someone is profiting from another’s data, for example, or investigating how something works,” says Pendlebury. “Finally, most researchers worth their salt will understand how to remain anonymous when investigating. So, even if a technical breach of the CMA was made, it’s likely it won’t be able to be traced back to the researchers, or even noticed in the first place.”

Why the UK needs a new cybercrime bill

The CyberUp campaign, led by NCC Group, F-Secure, techUK, McAfee, Trend Micro and CREST, has written to the prime minister claiming the law is “unfit for purpose.” It asked him to reform the law to take account of the motivations of ethical security researchers and enable them to “operate free from the fear of prosecution that currently restrains them.”

“Section 1 of the Computer Misuse Act criminalises any access to a computer system without permission of the system owner,” says Ollie Whitehouse, chief technical officer at NCC Group. “A threat intelligence researcher investigating a cyber criminal's attack infrastructure will be hard pressed to obtain that criminal's consent to try and catch them.”

“The failing of the current law is that it completely ignores the fact that there are ethical researchers undertaking research activities in good faith,” says Whitehouse. “The law needs to be changed to allow for actors' motivations to be taken into account when judging their actions.”

The way to do this, he explains, is to include statutory defences in a reformed CMA that legitimise activities otherwise illegal under section 1 of the CMA where the motive is to detect and prevent cybercrime.

Rather than redefining the computer misuse offences themselves, which could leave the law open to abuse by criminals, the campaign argues that a better option would be to introduce a statutory defence that legitimises activities otherwise illegal under section 1 of the CMA. It also recommends a strict code of ethical conduct and a commitment to maintain and share auditable logs of all activities, with an obligation to pass them to the authorities as required.

What needs to change about the CMA?

On its page about CMA reform, NCC Group says it wants the law changed so that researchers can do the following:

  • Scan, probe and enumerate internet-exposed hosts and services without owners’ explicit authorisation to understand ports, network services and machine responses
  • Interrogate attacker and compromised systems to obtain information, without bypassing security or authorisation mechanisms, to identify the location of the system, its configuration and operator, and links to systems used in other attacks
  • Perform light-touch interaction with attacker and compromised systems, including authentication using weak or default credentials, and access to code control panels enabling the identification of victims, and copying file and document contents

The CLRNN recommends amending the law in the following ways:

  • Narrowing the application of the CMA and amending the definition of “intention” to focus on pursuing a criminal endeavour.
  • Adding a defence that actions were necessary for the detection or prevention of crime or justified in the public interest (though the burden of proving those defences rests on the accused)
  • Accounting for unauthorised access where consent about access is difficult to attain (for example accessing a lost phone to try and ascertain the owner)
  • Narrowing the provisions around making, supplying or obtaining offence to apply only where a defendant intends to pursue a criminal endeavour
  • Adding an offense where an organisation or entity failed to prevent a CMA offense by a person acting on their behalf

The CLRNN also asks that the Crown Prosecution Service offer more guidance, including a list of factors that point both toward and against prosecution under the Act. Factors that would point against prosecution would include:

  • A motive to prevent crime or to reveal security flaws in a method unlikely to endanger the integrity of the system
  • Obtaining and revealing information in the course of responsible journalism or cyber threat intelligence collection
  • Cooperation with police investigations and agencies responsible for cyber threat intelligence.

Copyright © 2020 IDG Communications, Inc.
