What should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act 1990? That’s the question for campaigners under the CyberUp banner, that want to see something replace the 1990 Act.
The UK cyber security sector is hampered by the Computer Misuse Act in two main areas, the campaigners and a report released today argues: in vulnerability research (finding vulnerable systems and security vulnerabilities in systems and software) and cyber threat intelligence (identifying and tracking cyber adversaries and their victims).
According to the report, the UK Government can enable a swathe of benefits including improved cyber resilience of the nation and its allies and accelerated growth of the UK’s domestic cyber sector. As for legal principle, the campaigners have proposed a set of principles that could be applied in any case of unauthorised access to make a judgment on whether such an action was defensible.
They say: “We believe this principles-based approach is the correct one. This is because trying to set out in legislation or guidance specific activities and techniques involving unauthorised access that should be defensible would quickly become outdated and thus be unsustainable. A principles-based approach guards against this as cyber security techniques and technology evolve over time.”
The report sets out what the authors described as ‘a significant degree of consensus already exists about what are legitimate and illegitimate instances of unauthorised access’ so that courts could adjudicate clearly which behaviour and acts should continue to be punishable as criminal offences. There remain grey areas where the question of what is legitimate remains contested by some; hence the 19-page research paper. You can download it at the CyberUp website.
The document gives ‘ two central, related worries’ from the campaigners’ engagement with ministers, government officials and criminal justice representatives: a statutory defence ‘will unleash a wild west of cyber vigilantism’; and a statutory defence ‘will be abused by those with genuinely nefarious ends, and prosecutors will be unable to secure convictions in those instances’.
Drawing on an expert consensus would provide an ‘uncontroversial and swift judgment on the criminality of the action’. An expert consensus might shift over time, as new technologies and cyber techniques emerge, but courts will still be able to draw on it, the report says. Visit https://www.cyberupcampaign.com/.
