back to article Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

British infosec businesses are celebrating the 30th birthday of the Computer Misuse Act 1990 by writing to Prime Minister Boris Johnson urging reform of the elderly cybercrime law. The Computer Misuse Act (CMA) received Royal Assent on 29 June 1990, before "the concept of cyber security and threat intelligence research," the …

  1. Cederic Silver badge

    Good

    A company deciding that I'm a security threat and hacking my PC are breaking the law and must continue to be breaking the law.

    Seems to me that aspect of the Computer Misuse Act is doing its job.

    1. disgustedoftunbridgewells Silver badge

      Re: Good

      So your objection to fixing the broken bits is that there are some bits that aren't broken?

      1. Joe W Silver badge

        Re: Good

        Well, using an example where it worked in an article on how it is broken is maybe not that great an idea...

        And maybe it is that in any political system, fear should be that the only working portion will be broken when rewriting / updating the law?

      2. Tom 7 Silver badge

        Re: Good

        My problem would be that the broken bits would not be fixed and the working bits will be broken, By the time this goes through parliament the tories will add a few amendments and the computer misuse act will be 'whatever you do but nothing the government or its agents do".

        1. Mike Richards Silver badge

          Re: Good

          The later amendments to the CMA are especially poor. Most notably, The Police and Justice Act 2006 Section 37 (Making, supplying or obtaining articles for use in computer misuse offences) created a new section 3A in the CMA which effectively makes a lot of cyber security tools illegal in the eyes of a well-motivated prosecutor.

  2. Cynic_999 Silver badge

    The law is fine and doesn't need changing

    If a "security person" wants to "test" the vulnerabilities of someone's computer, then they should ask permission from the owner of the computer before conducting such testing. Otherwise anyone could claim after being caught that he was a "white hat" merely "testing security".

    If the police want to secretly infect a suspect's computer with software that gathers evidence that may aid their investigation, or to download data without the suspect's approval or knowledge, then to do so legally requires that they first obtain a warrant that grants permission for them to do so (called an "interference to equipment" warrant). If they do not obtain such a warrant, then they are quite rightly guilty of breaking the computer misuse act. The warrant provides judicial oversight to ensure that the unauthorised access to the suspect's computer is fair and proportionate, and the police are not abusing their powers. See https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715479/Equipment_Interference_Code_of_Practice.pdf

    1. Hans Neeson-Bumpsadese Silver badge

      Re: The law is fine and doesn't need changing

      If a "security person" wants to "test" the vulnerabilities of someone's computer, then they should ask permission from the owner of the computer before conducting such testing. Otherwise anyone could claim after being caught that he was a "white hat" merely "testing security".

      Agreed. All the times I've been involved with security testing, there's been paperwork agreed between the client and the testers with words to the effect of "you're going to do something naughty, but it's OK because we've asked you to (so that we know how to detect/stop other people from being naughty)" and that makes common sense. Therefore there is no "unauthorised" activity.

      I've always been a bit mystified as to why people who, without any solicitation, try to break into networks and snoop around are in some way considered to be heroic in their actions because they are highlighting weaknesses in someone's security. Outside of cyberspace, it's the equivalent of going down the street trying to pick doorlocks to get into peoples' houses, just so you can tell someone that they need to replace their aging Yale....something which feels both wrong and creepy in equal measure.

      1. Anonymous Coward
        Anonymous Coward

        Re: The law is fine and doesn't need changing

        I did a pen testing course a while back and we were constantly told to make sure we had an air tight contract signed by as senior a person as possible before we started doing any work at all even just recon to make sure we were covered by the law. If they had their way, all CEOs would agree to pen tests in blood just to make it completely iron tight

        I've also got multiple stories of people in IT or security who decided to investigate someone doing something dodgy internally without permission and getting fired themselves even though they caught the person in the act because they weren't permitted to do what they'd done!

        1. Cederic Silver badge

          Re: The law is fine and doesn't need changing

          Yeah, I've had several occasions where I've had to tell colleagues to stop immediately and report it to less capable people in another department, entirely because of who had legal authority to investigate and fix things.

          Even where the Infosec team trust and ask me to do things I'll sit and shadow them while they do the work, using their credentials on their keyboard with me in a purely advisory role (where the advice may be, "..and now type this.")

          If you want unrestricted access to hack away without fear, go and join the NSA.

        2. Drew Scriver Silver badge

          Re: The law is fine and doesn't need changing

          One of the problems is that customers currently have no recourse if they find (or suspect) a vulnerability and that companies care very little. How about a branch manager of one of the top-3 banks in the USA who had never even heard of PCI-DSS...? Or one of the top-10 banks I called to report that it was possible to gain access account holders' accounts - only to be told that they had no process for escalating my findings to their Cyber Security department?

          Worse, if a customer suspects an issue they don't have a legal means to dig a little deeper to see if their data may in fact be at risk.

          To compound the problem, some companies go to great lengths to hide their problems rather than to address them. Remember the bank (!) that formally asked (forced?) Qualys to disallow the public from running an SSL-test on their main domain because it kept returning an "F"?

          I would propose three actions as part of fixing the general security legislation:

          1) A (government) clearinghouse/database where the public can report issues. Reports are to be automatically made public after x days, or at the very least it should be public where the company is failing. Receiving even general flags like "PCI-DSS violation, OWASP-violation, NIST-violation, unpatched systems, runs EOL-software", would most likely spur companies into action.

          2) A (government) agency where members of the public can register themselves, report suspected issues and be given clearance to investigate (within white-hat boundaries) a specific issue.

          3) Make executives personally liable for breaches that are the result of demonstrated decisions to do due diligence. That should all but eliminate those instances where people "on the floor" are flagging an issue only to be rebuffed by the corporation.

          1. amanfromMars 1 Silver badge

            Re: The law is fine and doesn't need changing says Nero Fiddlers as Rome burns

            To compound the problem, some companies go to great lengths to hide their problems rather than to address them .... Drew Scriver

            And what do you think happens whenever the problem compounding is some countries going to great lengths to hide their problems rather than to address them? Apart from the fact that it be a classic recipe for disaster in orders of magnitude of epic proportions unfolding at relative breakneck speed.

            Law changing is gonna do diddly squat, as in sweet FA, to divert or restrain that grand monster.

    2. Pier Reviewer

      Re: The law is fine and doesn't need changing

      No, it’s not fine. It would help if people bothered themselves to read the act (as amended) to see what it actually criminalises rather than thinking “hacking bad, so law good”.

      The entire thing is so widely drafted it’s ripe for abuse. However the truly awful provision is s.3A - http://www.legislation.gov.uk/ukpga/1990/18/section/3A.

      Creating, sharing or possessing a tool that *could* assist in an offence under s.1 etc is an offence. So, you want to test how many of your servers are vulnerable to a recent zero day? You write a script to scan your own estate. Bad news. You just committed an offence. You want to share it with your contacts in your suppliers etc so they don’t get popped? Again, criminal. Share it with the wider community to help as many ppl as possible? Same.

      Okay, so you put a disclaimer on it (“must not use without permission of network owner”). Bad news. That’s not a defence - that’s evidence the CPS will use against you to show you knew it could assist in the commission of an offence.

      How about you want to make a product like Nessus, Qualys etc? Yeah no - criminal in the UK.

      But those ppl won’t get prosecuted you say. That there is the problem - you have a law that basically makes using a networked computer criminal, and leaves the decision to prosecute to a bunch of people who may or may not have the best interests of society as their priority. Pissed off the wrong ppl? Criminal record says hi!

      There’s a reason there is a paucity of security research in the UK - it’s grotesquely high risk even as a white hat, and a criminal record basically ends your career. If you report an issue to someone who simply wants it to go away the CMA will do that nicely.

      The CMA is a bad law with a good purpose. It needs to be changed. It could create highly skilled jobs in the UK if done right, but Ofc nothing will change as MPs have no knowledge of the field and no desire to learn.

      1. Anonymous Coward
        Anonymous Coward

        Peer Reviewer...

        Sorry for the downvote but after you've used "ppl" so many times because you obviously can't be arsed to type those extra Three Fekkin Characters in a multi paragraph post it made me want to smack you upside the head with a foam pool noodle filled with frozen fetid fish guts.

        Friends don't let friends do txt spk. ;-)

    3. cbars Silver badge

      Re: The law is fine and doesn't need changing

      Yes, but this isn't just people lobbying. If you were an infosec company, wouldn't it be nice to be able to cold call and say "hey, you've got a problem you need someone to fix... FYI we fix this stuff..."

      Thats where this is coming from. Also, another avenue for giving the plod a pass on creepy powers, while dressing it up as security, so home sec will love the idea of reform.

  3. Chris G Silver badge

    So far Boris hasn't got round to replying.

    As soon as he has found the most advantageous way to deal with this, he will reply.

    1. tony2heads

      Re: So far Boris hasn't got round to replying.

      No : as soon as Dominic Cummings tells Boris what to say, Boris will reply

      1. disgustedoftunbridgewells Silver badge

        Re: So far Boris hasn't got round to replying.

        Your post is so tedious that I caught narcolepsy from it.

  4. steelpillow Silver badge
    Holmes

    Don't change the ban, change the insurance policy.

    The law is right to keep pen testers with unknown-coloured hats at bay. The problem is obtaining permission to carry out defensive screening. Emailing the hapless outfit with "Hi, can I run a fake cyberattack on you?" can hardly have a good response rate.

    We need a regulatory regime where insurance companies put your permission in the small print and are then able to delegate the research to approved cybersecurity operations.

  5. Anonymous Coward
    Anonymous Coward

    CMA Violation....does this count?

    https://www.theguardian.com/uk-news/2018/sep/21/british-spies-hacked-into-belgacom-on-ministers-orders-claims-report

    1. Cederic Silver badge

      Re: CMA Violation....does this count?

      No. Section 10 is the "doesn't apply to us" clause that also lets the police search your phone even when you scream, "No! That's got my naked bottom pictures on it!"

  6. This post has been deleted by its author

  7. amanfromMars 1 Silver badge

    Such as an abdication has one almost speechless ......

    So far Boris hasn't got round to replying.

    FFS, Boris, IT isn't to be Ignored for you are Beholding to All of their Services. Are you gonna step in line or crash out of leading following Colossal Future Events?

    What do assorted super-talented weirdos and misfits with odd skills to exercise for Government think of such as silence as an adequate response to a virtual emergency ..... with Myriad Psychotic Global Episodes to Remotely Control with Almighty Commands .... in Simple Texts Relaying Instructions to Future Directors of Present Promotions ..... for Other Worldly Views Depicting the States of Current Progress in NEWS Broadcasts.

    The premise is simple ...... Creating brave new smarter worlds virtually with and for human assets, with programming which seamlessly morphs and introduces multiple practical realisations in the physical mainstream, is the Future Way to Go ....... with a Vital Blighty Source ‽ .

    Tell us all here there's No Flash Slush Fund Cash for Targeted Disbursement for/to Any of those Sorts of Operations, and you'd be surely wrong ? :-)

    For the Likes of a DARPA or National Cyber Force is such a facility and ability sort of essential, methinks, for to aid guarantee of Operational Program Success in environments requiring Capital Churn ...... Generative Expensive Expansive Spends.

    1. Cliff Thorburn

      Re: Such as an abdication has one almost speechless ......

      When you get psychologically tortured, and told ‘no more nukes’, you kind of get the message that Blowjo and Cumming’s aint interested in paying the slush fund dues amFM ...

      1. amanfromMars 1 Silver badge

        Re: Such as an abdication has one almost speechless ......

        When you get psychologically tortured, and told ‘no more nukes’, you kind of get the message that Blowjo and Cumming’s aint interested in paying the slush fund dues amFM ... ..... Cliff Thorburn

        I suppose it is fortunate then that the likes of they are not needed nor heeded by that and those in control of such novel stealthy, stay healthy and wealthy decisions, CT, as reward one with such a facility for utilities beyond most normal supernatural abilities.

  8. Version 1.0 Silver badge

    How effective has the law been?

    I see attempts to log into our mail server every 10-20 seconds from all over the world, illegal under this act but what's the point of even bothering to call anyone about it? Nobody cares, in terms of stopping crime I think it's less than one milli-percent effective.

  9. IGotOut Silver badge

    It would have to be very carefully worded.

    Many here have said "Don't change it', but for example, a port scan then logging in with a default IoT piece of crap could, in theory, get you arrested. So do you contact HappyLuckyDevicesMakeYouExcellelent to tell them you intend to check for security holes?

    And if they say " No", do you leave that heap of crap just sitting out there being used as a botnet?

    On the flip side, if you say it's ok to login and check, the bad guys can say "Hey we were looking for security holes. No intention of doing anything bad'.

    It's not a case of yes or no.

  10. amanfromMars 1 Silver badge

    Strewth! ......

    Do you really believe any competent and effective security operation penetrations testing systems and agents would seek permission or advise subjects they be subjects/objects/persons of third party interest?

    1. Anonymous Coward
      Anonymous Coward

      Re: Strewth! ......

      Once upon a time, a long time ago, and a long way away.......a CIO hired white hats to do a penetration test on the IT infrastructure. So...."Yes" people do know that these tests are being done.

      *

      Sad to say, the CIO's expectation of a clean bill of health was not fulfilled. In fact, ANOTHER member of the Board of Directors (the legal one) was reading a copy of the CIO's email inbox within a few hours.

      *

      .....and a couple of years later, when the test was repeated....with the same outcome.....(more junior) people were fired out of hand.

      *

      .....makes one wonder what the state of play in that large corporation might be today!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020