Cyber Security

Legitimate hacking activities under UK law proposed by ‘expert consensus’

Campaigners for reform of the UK’s Computer Misuse Act (CMA) have identified cybersecurity activities that should be legally defensible ahead of a government review of the 1990 law.

Based on the “consensus” view of experts, these legitimate hacking activities included responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

This consensus “would form the core basis of a new legal environment for cybersecurity professionals based on a statutory defence,” says a report (PDF) published yesterday (August 15) by the CyberUp campaign.

Far from unleashing “a wild west of cyber vigilantism”, such a defense “will enable the UK’s cybersecurity sector to more effectively protect the UK as part of the whole-of-society effort, whilst ensuring cybercriminals can still be prosecuted”.

Edge cases

The CyberUp campaign also set out actions that should broadly be considered illegitimate, such as so-called ‘hack backs’ and malware deployment, as well as ‘active defence’ techniques that “still represent a grey area”.

These “contentious edge cases”, which require “further consultation and discussion as the policy formation process develops”, include exploitation of vulnerabilities, verification of passively detected vulnerabilities, infiltrating a bad actor’s network, credential stuffing, active intelligence gathering, forensic analysis, botnets, and neutralizing suspicious or nefarious assets.

CyberUp campaigners deliver a letter signed by MPs calling for CMA reform to the Prime Minister’s residence

CyberUp insisted that the existence of edge cases is no excuse for further delaying “much overdue” reform.

The results were based on input from 15 cybersecurity researchers, consultants, and other experts who assessed activities according to the potential harms and benefits accrued.

The degree of ‘consensus’, whereby more than 50% of experts agreed, varied considerably.

For instance, 100% agreed that use of sandboxes caused no or limited harm but delivered clear benefits, whereas 64% agreed that patching third-party networks or using remote desktop protocol (RDP) connections to gain information from attackers’ computers potentially caused harm but also provided worthwhile benefits.

Importance of intent

“Unsurprisingly, the exercise also revealed the limitations of any effort to isolate techniques, activities and actions from the intent of an actor”, where the CMA currently “falls short”, said the report.

Rather than relying on binary lists of legitimate and illegitimate activities, which would quickly become out of date as techniques and technology evolved, CyberUp recommends that courts use broad principles to judge instances of unauthorised access.

A defense framework (PDF) published in 2021 by CyberUp establishes a set of such principles.

The CyberUp campaign said it disagreed with suggestions from certain experts it consulted that some activities should only be conducted under license or, more stringently still, where actors “have been certified and have a court warrant to proceed”.

“Our view is that, over time with case law, and ideally with clear guidance from prosecutors, the boundaries of legal conduct will be sufficiently unambiguous to counter the need for the high degree of oversight that is sought by those who prefer a system more tightly regulated by the courts,” said the report.


A review of the aging CMA, which criminalizes “unauthorized access”, was announced in May 2021.

Source: https://portswigger.net/daily-swig/legitimate-hacking-activities-under-uk-law-proposed-by-expert-consensus
