Campaigners for reform of the UK’s Computer Misuse Act (CMA) have identified cybersecurity activities that should be legally defensible ahead of a government review of the 1990 law.
Based on the “consensus” view of experts, these legitimate hacking activities include responsible vulnerability research and disclosure, proportionate threat intelligence, best-practice internet scanning, enumeration, use of open directory listings, and honeypots.
This consensus “would form the core basis of a new legal environment for cybersecurity professionals based on a statutory defence,” says a report (PDF) published yesterday (August 15) by the CyberUp campaign.
Far from unleashing “a wild west of cyber vigilantism”, such a defense “will enable the UK’s cybersecurity sector to more effectively protect the UK as part of the whole-of-society effort, whilst ensuring cybercriminals can still be prosecuted”.
Edge cases
The CyberUp campaign also set out actions that should broadly be considered illegitimate, such as so-called ‘hack backs’ and malware deployment, as well as ‘active defence’ techniques that “still represent a grey area”.
These “contentious edge cases”, which require “further consultation and discussion as the policy formation process develops”, include exploitation of vulnerabilities, verification of passively detected vulnerabilities, infiltrating a bad actor’s network, credential stuffing, active intelligence gathering, forensic analysis, botnets, and neutralizing suspicious or nefarious assets.
CyberUp insisted that the existence of edge cases is no excuse for further delaying “much overdue” reform.
The results were based on input from 15 cybersecurity researchers, consultants, and other experts who assessed activities according to the potential harms and benefits accrued.
The degree of ‘consensus’, defined as more than 50% of the experts agreeing on an activity’s assessment, varied considerably.
For instance, 100% agreed that use of sandboxes caused no or limited harm but delivered clear benefits, whereas only 64% agreed that patching third-party networks, or using remote desktop protocol (RDP) connections to gather information from attackers’ computers, potentially caused harm but also provided worthwhile benefits.
Importance of intent
“Unsurprisingly, the exercise also revealed the limitations of any effort to isolate techniques, activities and actions from the intent of an actor”, an area in which the CMA currently “falls short”, said the report.
Rather than relying on binary lists of legitimate and illegitimate activities, which would quickly become out of date as techniques and technology evolve, CyberUp recommends that courts use broad principles to judge instances of unauthorised access.
A defense framework (PDF) published in 2021 by CyberUp establishes a set of such principles.
The CyberUp campaign said it disagreed with suggestions from certain experts it consulted that some activities should only be conducted under license or, more stringently still, where actors “have been certified and have a court warrant to proceed”.
“Our view is that, over time with case law, and ideally with clear guidance from prosecutors, the boundaries of legal conduct will be sufficiently unambiguous to counter the need for the high degree of oversight that is sought by those who prefer a system more tightly regulated by the courts,” said the report.
A review of the aging CMA, which criminalizes “unauthorized access”, was announced in May 2021.