Legitimate Cyber Security Activities in the 21st Century by CyberUP

Assessing the current consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act 1990.

Executive Summary

The CyberUp Campaign has been asking the UK Government to reform the Computer Misuse Act
1990 (CMA) to include a statutory defence since 2017. This is because we see that some cyber
security activities that today would be classed as unauthorised access to computer material –
currently illegal and without defence – could be justified if the law were updated in line with the
evolution of cyberspace in the 21st century. Specifically, the UK cyber security sector is hampered
today by the Computer Misuse Act in two main areas:
• Vulnerability research i.e. the activity of finding vulnerable systems and security vulnerabilities in
systems and software.
• Cyber threat intelligence i.e. the activity of identifying and tracking our cyber adversaries and
their victims.

By permitting these activities, we argue, the Government can enable a swathe of benefits including
improved cyber resilience of the nation and its allies and accelerated growth of the UK’s domestic
cyber security sector.

In response to understandable questions about how a statutory defence – a well-established
legal principle – would work in practice in the cyber context, we previously developed a Defence
Framework, which proposed a set of principles that could be applied in any case of unauthorised
access to make a judgment on whether such an action was defensible.

We believe this principles-based approach is the correct one. This is because trying to set out in
legislation or guidance specific activities and techniques involving unauthorised access that should
be defensible would quickly become outdated and thus be unsustainable. A principles-based
approach guards against this as cyber security techniques and technology evolve over time.

Nevertheless, in this report we establish, through consultation with UK cyber security professionals,
that a significant degree of consensus already exists about what are legitimate and illegitimate
instances of unauthorised access. This consensus should offer additional confidence to policy makers
that applying a statutory defence in practice is possible, and that it is therefore also possible for the
courts to adjudicate clearly which behaviour and acts should continue to be punishable as criminal

There remain grey areas where the question of what is legitimate remains contested by some. This
research paper does not seek to offer a definitive final view on some of these edge cases; they will
need to be subject to further consultation and discussion as the policy formation process develops.
But a focus on these edge cases should not be allowed to cloud the key finding of this report: that
consensus exists on which acts of unauthorised access should be defensible.
