
Ethical hackers can be heroes: It’s time for the law to catch up | Computer Weekly

News Room
Last updated: 2025/12/08 at 8:33 PM
News Room Published 8 December 2025

The last year has seen some of the costliest cyber attacks on UK businesses to date. Attacks on Marks & Spencer cost the supermarket chain hundreds of millions in lost profits and led to empty shelves. The Jaguar Land Rover attack sent shockwaves throughout its supply chain, which ultimately dragged down UK GDP in the third quarter.

While the perpetrators of cyber crime often operate across international borders, and beyond the reach of law enforcement, the M&S attack has resulted in several arrests in the UK, under the Computer Misuse Act [CMA] of 1990. With a new Cyber Security and Resilience Act on the way, it might seem UK authorities will soon have greater powers to force organisations to build better defences.

But while the UK government continues to pursue cyber criminals, it also needs to be much clearer about the crucial role of cyber security researchers and ethical hackers in defending against them.

Last week, UK security minister Dan Jarvis told a conference that the government was looking at changes to the CMA to introduce a “statutory defence” for cyber security experts who spot and share vulnerabilities.

It would mean that, as long as they meet “certain safeguards”, researchers would be protected from prosecution.

To understand why this is so significant it’s worth recalling the background to the CMA. In the mid-1980s, IT journalist Steve Gold and fellow hacker Robert Schifreen were accused of accessing the Duke of Edinburgh’s BT Prestel email account.

They were prosecuted and convicted under the Forgery and Counterfeiting Act, but this was overturned on appeal, because that act didn’t specifically cover computer crimes.

This led to the CMA, which set prison sentences for gaining unauthorised access to computer material.

The date is significant. At that time, most computer systems were tightly controlled and effectively inaccessible to the majority of the population.

Very few people had a (BT-approved) modem at the time. The web had been developed just a year before. The dot com boom was years in the future, the term cyber war had yet to be coined, and the prospect of industrial level cyber crime barely considered.

The legislators who crafted the CMA can be forgiven for not anticipating the transformation of today’s digital environment, from mobile to cloud to AI. So, it’s perhaps understandable that the act didn’t anticipate the emergence of cyber security researchers, who would look for vulnerabilities and misconfigurations and share that information with the organisations concerned.

Less understandable is why this hasn’t been addressed since. As cyber crime transformed from a small niche into a worldwide epidemic over the last two decades, white hat hackers have been key to exposing and mitigating the methods and technologies cyber criminals have exploited. This has necessarily meant thinking and acting like a hacker.

Yet the CMA, and similar legislation in other countries, have proven to be a blunt instrument when it comes to deterring cyber crime.

It’s fair to point out that the number of prosecutions under the CMA and similar laws has been fairly low. But that is more because of the asymmetric nature of cyber crime: Most threats are coming from individuals beyond the reach of the UK and its allies, who are unlikely to be deterred by the CMA.

This imbalance has only become more stark as vulnerabilities and flaws have been exploited indiscriminately and at internet scale not just by criminals but by nation states willing to compromise critical national infrastructure, foreign businesses and consumers for strategic gains.

It has left researchers, and their potential clients, in a legal grey area. It has, on occasion, led to prosecutions of legitimate good guys.

Meanwhile, that ongoing threat of prosecution has an effect on another group of individuals – the next generation we need to encourage to join the industry. We are already suffering a chronic skills crisis, and the prospect of a criminal record hardly represents a golden hello.

None of this is new. The Criminal Law Reform Network highlighted in 2020 how “the CMA 1990 requires significant reform to make it fit for the 21st century” and recommended the addition of required harms. The Home Office began a review of the act in 2021, which concluded in 2023, and did consider the question of a defence for researchers.

When the Cyber Security and Resilience Act becomes law in the UK, many more organisations will be obliged to report breaches, and be under more pressure to manage their security posture, including vulnerabilities.

They’re not going to be able to do that without the help of ethical hackers and cyber security researchers, who should be able to operate without fear of prosecution. It’s certainly doable. Portugal has just announced built-in defences for researchers in its implementation of NIS2.

Jarvis’ statement is welcome. But now we need action. We can’t wait another five years for the government to act to give cyber researchers and ethical hackers the cover they need. And we definitely can’t wait another 35.

Ed Parsons is chief operating officer at bug bounty, vulnerability disclosure and penetration testing services provider Intigriti, and a former vice president at cyber professional member association ISC2. A career risk and cyber expert, Parsons is a Certified Information Systems Security Professional (CISSP) and a UK Chartered Cyber Security Professional.
