back to article Brit infosec firms urge PM Boris to reform the Computer Misuse Act

A group of British infosec companies has written to UK prime minister Boris Johnson asking him to reform the Computer Misuse Act 1990, saying the act "has failed to keep pace with technological and market developments, inadvertently prohibiting a large component of contemporary threat intelligence research." The companies, …

  1. Pascal Monett Silver badge

    Well good luck with that

    I sincerely hope that that letter will have some sort of positive impact, but given the UK government's track record on backdooring encryption, I doubt it.

    But here's hoping anyway.

  2. alain williams Silver badge

    I doubt that this will get any parliamentary time ...

    Brexit seems to be soaking it all up, to get a look in something has to be seen as really vital.

    1. amanfromMars 1 Silver badge

      Re: I doubt that this will get any parliamentary time ...

      Brexit seems to be soaking it all up, to get a look in something has to be seen as really vital. ..... alain williams

      Howdy, alain williams,

      To not understand and accept that infosec is really vital, has one playing as if in a primary school yard with other children in attendance rendering no meaningful support?

      And that renders one and all there extraordinarily vulnerable to a vast and varied range of rabid adulterated players plotting and piloting all manner of shenanigans to take fuller overwhelming advantage of the places and spaces they find themselves patrolling and trolling in.

      Such should be causing Exclusive Executive Order Command and SCADA Control Systems, Inescapable Terror for there are No Viable Defence or Surprisingly Successful Attack Options Available ....... other than Resigned Submission and Unconditional Surrender to Superior Forces and Special Sources.

      That be the SMARTR Option for Exercising, and ideally, if one knows what needs to be rightly done, AIdDrivering.

      1. steelpillow Silver badge

        Re: I doubt that this will get any parliamentary time ...

        "To not understand and accept that infosec is really vital, has one playing as if in a primary school yard"

        The problem is persuading politicians who think that clicking on links in unsolicited messages is a pretty cool idea.

    2. Jamie Jones Silver badge

      Re: I doubt that this will get any parliamentary time ...

      They needed to write "rewriting these rules will remove the need for the backstop" to get attention.

      1. Doctor Syntax Silver badge

        Re: I doubt that this will get any parliamentary time ...

        I think HMG de jour's position is that the backstop isn't needed anyway.

        1. MonkeyCee

          Re: I doubt that this will get any parliamentary time ...

          "I think HMG de jour's position is that the backstop isn't needed anyway."

          I thought it was a combination of:

          a) It won't be needed. The process is going so well it'll all be sorted and never needed.

          b) Such a rule would limit the UK's negotiation (somehow) and is an affront to British sovereignty over Ireland

          c) What do you mean we don't own all of Ireland?

          d) Bloody hell, then Ireland should jolly well Brexit with us too

          1. Claverhouse Silver badge

            Re: I doubt that this will get any parliamentary time ...

            There will be uniquely British technology instead of a backstop, to be invented by those jolly clever chaps who make computers work, all joined together like those Professor Branestawm books we read aloud in Cabinet. All clever stuff. It will be worth half a billion to save money on checks and stuff; plus we can always trust all the lovable rogues of Micks to play the game if we're straight up with them from the start, and not to begin again smuggling stuff up north...

            .

            Meanwhile, on a series of donkeys, carts drawn by llamas and camels, wearing a poncho and various indigenous headgear to blend in from Lima to Ulaanbaatar...

            Raab said the EU was not “not the only game in town” for future trade deals, and that he would be travelling to the US, Latin America and Asia to explore opportunities there.

            1. Jamie Jones Silver badge
              Facepalm

              Re: I doubt that this will get any parliamentary time ...

              Someone should show Raab this:

              From: https://www.independent.co.uk/news/world/europe/eu-trade-deal-south-america-mercosur-a8980036.html:

              The European Union and South American bloc Mercosur have struck a trade deal after two decades of negotiations.

              The EU is already Mercosur's biggest trade and investment partner and its second largest for trade in goods. In terms of tariff reduction, it could be the EU's most lucrative trade deal to date, with the savings potentially four times greater than for deals with Canada and Japan combined.

              Not to mention, this:

              From http://ec.europa.eu/trade/policy/countries-and-regions/regions/asean/index_en.htm

              Negotiations with Indonesia are still ongoing and are used to further deepen EU-Indonesia trade and investment relations. Bilateral Free Trade Agreements (FTAs) between the EU and ASEAN countries will serve as building blocks towards a future EU-ASEAN agreement, which remains the EU's ultimate objective

              Of course, our unicorns will get us a magic deal in days rather than decades. Everyone loves Britannia, Britannia rules the waves, after all.

    3. John Brown (no body) Silver badge
      Facepalm

      Re: I doubt that this will get any parliamentary time ...

      "Brexit seems to be soaking it all up, to get a look in something has to be seen as really vital."

      ...not forgetting the 8 week holiday they'll all be pissing off on very soon now, right in the middle of the final countdown to Brexit. Priorities? Yeah, we've heard of them.

  3. Neil Brown

    “accredited professionals who act ethically ... to detect and prevent criminal activity."

    No ambiguity there!

    a.) accredited by whom? (“Do our training and get our accreditation — you can hack without fear of prosecution!”)

    b.) who decides what is “ethical”? Which ethical model is to be applied? Is there some kind of ethics oversight board?

    c.) allowing people to hack to “prevent criminal activity” seems broad? ("I hacked your computer and wiped it. Now it can't be used by criminals!")

    1. Anonymous Coward
      Anonymous Coward

      Re: “accredited professionals who act ethically ... to detect and prevent criminal activity."

      Exactly, What changes can they make to the law? It's nearly impossible to do without massive ambiguity. Do you leave it to the judges discretion? Do you add caveats and what caveats do you add without leaving it open to abuse? There is no easy answer, you can't prove beyond doubt that what you were doing was for "good" or legally right when it comes to someone else's computer. Logs can be manipulated so won't stand up in court and it would end up as one persons word against another.

      1. David 18

        Re: “accredited professionals who act ethically ... to detect and prevent criminal activity."

        Ah, but with a well worded Act, the burden of proof would be on the authorities to prove without reasonable doubt you were doing it for bad.

    2. the spectacularly refined chap

      Re: “accredited professionals who act ethically ... to detect and prevent criminal activity."

      b.) who decides what is “ethical”? Which ethical model is to be applied? Is there some kind of ethics oversight board?

      Exactly. I'd begin by questioning what you can't do within the current law, after all if you are appropriately authorised you have free rein in terms of what you can. If you are not authorised what makes you think you are in fact on of the good guys?

      Imagine you walked up to your house and found a random stranger taking some lock picks to your front door. Their motivation would not cross your mind. You would not entertain "I was just satisfying my curiosity to see how secure the lock was" as a legimate explanation. No, they'd get a good kicking and then call the police.

      In the digital realm for some reason people seem to think the standard is different. It isn't - the Computer Misuse Act was framed to apply the same standards as you would expect physically. Researchers seem to forget this or criticise the law as "outdated" when it is inconvenient.

      Consider all those reports you see here and elsewhere along the lines of "we scanned X million public IPs and found Y0,000 hosts with vulnerability Z." They don't have permission to do that so it is illegal. As I have said before the research isn't valid in any case since in those kinds of exercise you don't know who you are contacting, what they are protecting, what regulatory environment they operate in or what they have to interoperate with. Any conclusions drawn are therefore generally useless and the "researcher" a fuckwit.

      You don't weaken the law to give fuckwits free rein to tamper with and potentially damage other people's systems.

      1. werdsmith Silver badge

        Re: “accredited professionals who act ethically ... to detect and prevent criminal activity."

        You need to have a process where the good guys declare what they are about to do before doing it, then they need to stick to what they declared or scope out more stuff and declare that too.

        There is some pretty scary research goes on already in other fields where labs are licensed to go ahead and do it.

        1. amanfromMars 1 Silver badge

          Re: “accredited professionals who act ethically ... to detect and prevent criminal activity."

          You need to have a process where the good guys declare what they are about to do before doing it, then they need to stick to what they declared or scope out more stuff and declare that too. .... werdsmith

          You mean just like what Parliamentary Puppets do, werdsmith, in mad pursuit of the crazy rhetoric to be future historic?

          How do you think that all works out in AIMaster Piloted Puppet Programs, werdsmith?

          What worth is afforded to such solemn election typed promises by any SCADA Systems Administrations of today?

          And, as for .......

          There is some pretty scary research goes on already in other fields where labs are licensed to go ahead and do it.

          Aint that the Sweet Simple Truth Autonomously Drivering Progressive AI Pioneering :-) and via the Wealth of Outrageous Great Fortune with Deliveries of Infinite Bounty for Just Desserts of Insatiably Satisfying Rewards, a Much Prized Path that Forges New Journeys ahead to Travel and Experience as if Real and Natural, rather than being misidentified as Artificially Induced and of Alien Means.

          A Simple Question to Always Ask is ....... Who and/or What Proposes the News and Views for Tomorrow Today for 0Day Presentations that very soon become a Library of All Our Yesterdays?

          Who Thinks to See and Share such Novel Future Direction as is then Enacted, Every Day? Anyone special you might know/want to know/fear/oppose/compete against?

          Do you not think you have every right to know? Join Progressive AI Pioneers and Find Out.

          1. werdsmith Silver badge

            Re: “accredited professionals who act ethically ... to detect and prevent criminal activity."

            u wot m8

  4. iron Silver badge
    Facepalm

    Here's hoping they don't wish they'd kept their moths shut once Boris and the Blue Noses do their usual trick of shitting all over everything. They'll probably make it illegal to port scan your own server and mandate back doors in all encryption.

    1. Anonymous Coward
      1. the spectacularly refined chap

        There is some truth to this though, it doesn't have to be a party political point. I remember listening to some radio talk show a few years back where a member of the public was featured who had been in an accident with a cyclist. She was calling for some form of registration plate for cycles so that in such cases the cyclist could be traced for charges and/or a civil claim. Bear in mind that in settings such as that the natural tendency is to sympathise with the guest and offer support.

        Michael Heseltine was one of the guests that day and asked what he thought. He was very reluctant. To paraphrase his response it was along the lines of "I'm not sure, it's very easy for things to get tacked on to legislation such as this... before you know it you could well end up with mandatory competence certification, compulsory insurance and lord knows what else that impacts even the six year olds playing out in the park... I've been involved in introducing these kinds of regulations in the past and they never do pan out exactly like you originally envisaged."

        This is a chap who has seen it all before and knows exactly the process these things go through. He is also vastly more experienced than BoJo. If he is concerned about embellishments that should tell you something.

        1. werdsmith Silver badge

          When a politician doesn't understand something they do seem to accept any old dumbed down explanation that sounds plausible to them.

        2. Commswonk Silver badge

          Michael Heseltine was one of the guests that day and asked what he thought. He was very reluctant. To paraphrase his response it was along the lines of "I'm not sure, it's very easy for things to get tacked on to legislation such as this... before you know it you could well end up with mandatory competence certification, compulsory insurance and lord knows what else that impacts even the six year olds playing out in the park... I've been involved in introducing these kinds of regulations in the past and they never do pan out exactly like you originally envisaged."

          This is a chap who has seen it all before and knows exactly the process these things go through.

          (Sorry about the long quote)

          I don't suppose that it occurred to you that a politician (or a civil servant) is adept at finding reasons for doing nothing.

          It doesn't mean that doing nothing is the right thing, though.

          For a more recent scenario we need look no further than the young woman who was killed while riding an e-scooter on the highway, which is against the law, as is riding one on the pavement. By all accounts this has become commonplace, and the fatality might never have occurred if the law had been enforced right from the outset.

          Is doing "nothing" still the right thing to do?

          1. MonkeyCee

            Nothing is sometimes the best option

            "Is doing "nothing" still the right thing to do?"

            Compare how easy it is to introduce legislation, versus how hard it is to remove it.

            Since common law assumes an amount of sense by the courts, we generally don't get rid of old laws, even when they become out dated. Usually it takes someone taking the piss to force a change, and even then parliament is very reluctant about binning old laws.

            Legislation also lacks any intent. Of course, it's written with intent, but how you draft a law versus how you think it should work.

            Take the recent "upskirting" legislation. The desire to include emotive language in it resulted in it being meaningless. It's now a crime if it's "sexual" and "not for commercial purposes". So paps taking pictures of a celebs knickers is OK, and as long as the perv has an upskirting website, they can carry on taking pictures in public.

            Or banning deep fakes. Which is either going to fail, or end up banning all photoshoped images.

            "riding an e-scooter on the highway, which is against the law, as is riding one on the pavement. "

            Am I missing something here? Illegal on pavement, illegal on road, so where are they legal?

            Also wasn't aware it was illegal to ride on the pavement or path. You've got to exercise caution, and not hit people, but you can certainly ride along trow paths etc. And yes, I've had shouty dickheads who think that not only do they know the law, but should enforce it too.

            1. Commswonk Silver badge

              Re: Nothing is sometimes the best option

              "riding an e-scooter on the highway, which is against the law, as is riding one on the pavement. "

              <snipped> Illegal on pavement, illegal on road, so where are they legal?

              On private land.

              Am I missing something here?

              Yes, mainly the fact that ignorance of the law is not a defence.

            2. Mike007

              Re: Nothing is sometimes the best option

              Am I missing something here? Illegal on pavement, illegal on road, so where are they legal?

              Legal on private land where the rules do not apply.

              It is a vehicle, hence no driving on the pavement. (Exceptions exist, such as an invalid carriage, which must meet a lot of criteria - 4mph top speed for a start)

              It is illegal to drive a vehicle on the road without the proper paperwork. The DVLA have no category that these vehicles fit in to that would permit someone to obtain the required paperwork. Something to do with categories being defined by safety considerations I suspect...

    2. Zippy´s Sausage Factory

      I think you missed out the "joke alert" or the /sarcasm tag there.

      1. Anonymous Coward
        Anonymous Coward

        If you need a joke tag to indicate what you wrote was a joke, perhaps you need help writing the joke.

    3. hplasm
      Happy

      Ha!

      Shut your damn moth!

      1. Clunking Fist Bronze badge

        Re: Ha!

        I wouldn't have to if I hadn't opened my wallet first!

  5. macjules Silver badge

    Reform?

    Reforming the Computer Misuse Act would enable us to learn more about an attacker’s tactics and identify additional victims, addressing current barriers that often halt our defence investigations so as not to break the law.

    How about companies such as NCC or Nettitude that approve or pass security scans on wrongdoers, such as Equifax or British Airways, should also be prosecuted?

    1. Joe Montana

      Re: Reform?

      As someone who works in the industry, but not for any of the above companies...

      Companies like NCC only perform scans within a given scope, so a client will come along and say "we need you to scan www.ourcompany.com" for a budget of £X (ie time limited), so that's what they do, and provide a report saying what was found.

      But this is just a scan of the front door, its extremely limited in scope, and the client companies want it limited because it saves them money. Sure you might not find any vulnerabilities on the web server itself, but that's not the only way to attack a company site:

      * Third party sites that provide content (ads, analytics or tracking scripts etc)

      * The backend hosting environment where the site is (routers, firewalls, hypervisors, nameservers, etc etc etc)

      * The workstations used by those who manage the site itself, or the infrastructure it sits on.

      * Any interconnected infrastructure - eg are any of those aforementioned devices joined to a domain?

      * Malicious employees.

      There are so many other ways to hack a site, but doing a thorough assessment of all the interconnected pieces in a highly complex system is very expensive - so noone does it.

      1. macjules Silver badge

        Re: Reform?

        Agree. As someone who regularly uses both companies (together with the huge invoices from them to prove it) I do sometimes find it vexing that their "security" scans can can be limited to "well we tried this method of injecting xss into your nodes and it worked" coupled with "your response headers give away too much information", which does seem to always be their fallback.

        I have in the past had recourse to them over sites that they have vouched as "impervious to attack" which soon after have been found to be not exactly impervious.

  6. SVV

    Roll up, roll up, get yer cyber defence accreditation here...

    At Honest Ron's Cyber Defence Shed you can get yer certificat for only £100 wot will allow you to do "reasearch" on any systems you considers insecure for the benefit of our newly deregulated econermee...... see m'lud I'm just an honest to goodness filanfropist who was tryin' to see if all that loot was secured!

  7. Doctor Syntax Silver badge

    Vaguely worded legislation has the advantage that judges can interpret it to suit changing circumstances. The downside is that someone has to be guinea-pig so that it gets in front of the judge.

    1. Mike007

      I would love parliament to pass a piece of legislation that simply consisted of something like:

      1. It is an offence under this section to do naughty things. For the purpose of this section, a court shall take into account all matters which appear to it in the particular circumstances to be relevant to the determination of how naughty someone has been.

      2. Where a violation of section 1 has been found, a court may make a ruling with regard to the public interest including one or more of -

      a) A fine not exceeding the statutory maximum.

      b) A prison sentence not exceeding life imprisonment.

      c) An award of damages to any involved party.

      d) An injunction preventing further violations.

      e) Any other remedy deemed appropriate by the court.

      3. The secretary of state shall have the power to issue regulations granting exemptions or making modifications to sections 1 and 2.

      ...There's no way of parliament approving it without section 3.

      1. Clunking Fist Bronze badge

        But having a second doughnut is naughty! I won't go to jail for that! You ain't taking me alive, copper!

  8. EnviableOne Silver badge

    Modified as recently as 2014

    At least we have an act thats kinda fit for purpose, unlike our cousins over the pond, we dont have to charge people with wire fraud ...

    CFAA is a pile of $InsultingSlangHere

  9. Danny 2 Silver badge

    WannaCry

    I want to cry every time I read about Westminster legislating on IT, but quick survey, is Marcus Hutchins ethical or a baddie?

  10. Anonymous Coward
    Anonymous Coward

    Ransomware

    You'd think that ransomware would be classed as the highest level of offence, given how much damage is done.

    If not, why not ?!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021