Computer Misuse Act: Tell the Home Office infosec needs a public interest defence in law, says CyberUp campaign

Businesses operating in the world of infosec have been urged to write to the Home Office and support a public interest defence being added to the Computer Misuse Act. On a TechUK-organised call to discuss industry's response to the review of the act, British and overseas companies operating in the UK were urged by both the …

  1. Mike 137 Silver badge

    Rather than a defence...

    Several issues seem not to have been granted sufficient attention.

    Firstly, a distinction must be made between investigation of an exploitable vulnerability and the acts of exploiting or publicising one.

    Secondly, authorisation for investigation is not always obtainable - e.g. where a system owner fails to respond to an alert.

    I consider that a public interest defence is not a sufficient protection for legitimate researchers, because it exposes legitimate investigators to the hazard of a decision going against them after the fact.

    I suggest (and proposed the last time this came round) that there should be an exemption for registered infosec professionals under very strict conditions - viz:

    [1] only for investigation and discovery of vulnerabilities (not publication, live demonstration or exploitation)

    [2] where authorisation has been sought but cannot be obtained

    [3] for communication to the system owners only (not for publication)

    [4] only for those investigators currently registered with a relevant professional association

    [5] only after informing a relevant authority of the intended investigation prior to proceeding

    For all other circumstances a public interest defence (e.g. investigation for publication) would be sufficient, but there are many cases on record where a system owner or vendor has proved uncooperative, making investigation in the public interest hazardous for the researcher. This alternative aims to eliminate the hazard under stringent control (also in the public interest).

    1. Cederic Silver badge

      Re: Rather than a defence...

      I understand the need for a 'public interest' defence but would be irate if someone tried using it to justify hacking my systems.

      Your idea has some flaws but is also in its current form very much worth submitting to the 'call for action' so if you haven't already done so, do consider raising it with them.

      One challenge is the targeted party doesn't know that they're being attacked for benign purposes; they could launch countermeasures and we end up with the plot of Neuromancer.

    2. teknopaul

      Re: Rather than a defence...

      Why should they be permitted to do anything before phoning up and asking permission.

      That's all it takes and ahem "security research" is legal.

      1. Anonymous Coward

        Re: Rather than a defence...

        > phoning up

        Phoning WHO up? If you have an issue with e.g. Chase bank, who the hell are you going to "phone up"?

        The support line is clueless. There's no other contact info other than maybe a mailing address.

        Posting as anon because I had a .ru site try to take funds from my Chase account, and they gave fuck-all about it until I got the FTC involved.

    3. gazthejourno (Written by Reg staff)

      Re: Rather than a defence...

      I do wonder whether a licensing scheme would present more problems than it solves: who owns and operates it? How much should it cost to join? Would it only accept corporate members? If you're playing about with Shodan on a Sunday afternoon and stumble on something, are you still protected? etc etc.

      1. Mike 137 Silver badge

        Re: Rather than a defence...

        "playing about with Shodan on a Sunday afternoon"

        That's a perfect example of what should only be covered by a defence. Seeking authorisation from the system owner and reporting before the fact to a relevant agency would be the primary requirements for carrying out any active investigation under the suggested exemption.

        So until the suggested steps are taken you only have a defence. Once those steps have been taken by a suitably registered professional they could rely on the exemption to proceed further. And by registered, I merely mean "paid up member of a relevant professional association" as an indication of professional standing subject to a code of conduct. I would not like to see a separate mandatory registration requirement being introduced.

    4. Binraider Silver badge

      Re: Rather than a defence...

      Firstly, a distinction must be made between investigation of an exploitable vulnerability and the acts of exploiting or publicising one.

      If a supplier isn't responding to fair warning to fix something, publicising it might be the only way to get them to fix it. Both investigation and publication, therefore, are legal activities. Also, what if the supplier no longer exists? Or it is on a product "out of support"? I've had suppliers basically say go *#$3 yourself, buy a new one if you want updates. Funnily enough, we don't use them anymore.

      In my line of work, hardware is routinely kept for 50+ years, and microelectronics or PLCs well over 20 years. So, being out of support or out of existence are both very real.

      Secondly, authorisation for investigation is not always obtainable - e.g. where a system owner fails to respond to an alert.

      As above; if the supplier does not respond or no longer exists, in neither case should it be criminal.

      I'd shift the definition of Computer Misuse to those individuals that choose to attack a system for purposes of theft, ransom, disruption, sabotage, terrorism etc.

      The reason I'd do so, is that investigative techniques to detect weaknesses have to involve probing attacks on a given system.

      There is no practical way to legislate for every possible scenario; therefore the solution has to move away from prescriptive cans and cannots.

      1. Mike 137 Silver badge

        Re: Rather than a defence...

        "If a supplier isn't responding to fair warning to fix something, publicising it might be the only way to get them to fix it."

        Fair comment, but that's where the defence would remain applicable, simply because publicising it increases public exposure to the threat and therefore tempers the public interest (remembering that "in the public interest" is not "what interests the public", but "for the benefit of the public"). My suggestion was that there should be an exemption rather than merely a defence under strict conditions including confidentiality. This would allow legitimate investigators more scope. It would be an alternative to the defence under those conditions where the public interest would be best served by the research but a non-cooperative system owner might threaten prosecution rather than address the problem. So it's a suggested alternative to "threat of public disclosure" which seems to be about all that works at present. If a system owner was aware that (under a strict regime including both general confidentiality and notification of the issue to an authority) they would be unable to prosecute, it might be as effective as public disclosure, but without the adverse consequences for the public.

  2. Zippy´s Sausage Factory

    My worry here is that the UK government are only too happy to rely on promises and soothing words, rather than legislation, on the grounds that they can then still get revenge on, or prosecute, anyone who embarrasses them.

    "Found a bug in the DSS* systems, have you? No, you're not a bug hunter, that's benefit fraud mate, you're nicked. Oh wait, you also found an unsecured page on the MI5 site? National security, espionage, you're nicked. No, we know you told us about it, we don't care, you're still going to jail."

    That's the sort of thing I worry about...

    * Is it still the DSS? Haven't had to deal with them in years

  3. Cynic_999

    Additionally

    While I am usually very much against new laws, I do believe there is a case to be made to make it illegal to knowingly allow an infected computer to have Internet access. So that if, for example, a person is informed that there is a computer on a network they control that is running "zombie" software or delivering a virus, they can be prosecuted if that computer is not shut down within a certain period of time after notification has been given.

    1. Cederic Silver badge

      Re: Additionally

      Your computer is running zombie software. Please remove it from the internet.

      Now, you've been notified, so under your proposal you could be prosecuted. I fear additional controls and protections may be required.

      1. Cynic_999

        Re: Additionally

        If it were a plausible notification, then I most certainly would check whether the notification were true, and remove the computer if it was.

    2. Mike 137 Silver badge

      Re: Additionally

      " illegal to knowingly allow an infected computer to have Internet access"

      Wilful connection of an infected computer that transmits the infection is already covered by statute and there is also (or was, last time I checked) a reckless denial of service offence, but in the general case reliance on "knowledge" as a basis for culpability would be a major stumbling block. If it's a criminal offence, the test is "beyond reasonable doubt", and that would be almost impossible to prove, given the general level of technical knowledge among computer users. So almost every action would probably fail, or more likely never get to court as the DPP would have no confidence in a guilty verdict.

      1. Cynic_999

        Re: Additionally

        You could prove that a person had the requisite knowledge by proving that they were notified of the situation. This is no different to proving that (for example) a council had knowledge of a dangerous pothole or a building contractor had knowledge of damaged scaffolding etc.

      2. Binraider Silver badge

        Re: Additionally

        If wilful connection of compromised equipment is a crime; then does that not mean that every single Windows installation in the land is a crime? Or is one sort of spyware/malware more legitimate than another just because one comes from Seattle; the other comes from some shady business park outside Moscow?

        To say nothing of the millions of compromised, unpatched routers shipped by ISPs with default passwords. (Or many, many other devices for that matter).

        Intent is the best thing to legislate for rather than method. You can buy a knife. What you do with it is your choice, and some applications are rather less legal than others!

  4. Alistair Kelman

    A different solution to the Computer Misuse Act problem

    I would prefer it to be the case that prosecutions under the CMA could only be made after explicit permission had been sought and obtained from the Attorney General. Most crimes today involve computers in some shape or form either as evidence gatherers or as tools for executing the crime. The CMA should be available as a "sweeping up" measure. This would effectively mean that any public interest defences had been considered and rejected by the Attorney General so that permission was given to allow the prosecution to go ahead.

    1. Peter Sommer

      Re: A different solution to the Computer Misuse Act problem

      Alistair: You will remember from the Law Commission paper back in the late 1980s that the whole idea of the CMA was that it would be gap-filling for existing legislation. Since then, of course, we have had the Fraud Act 2006, which covers large numbers of "cyber crimes". People continue to wonder at the low annual numbers of CMA prosecutions - the explanation is that other "easier" prosecution routes are available. Moreover, in those circumstances additional successful CMA convictions would be unlikely to produce a longer sentence, but would add to police and prosecution costs.

  5. Version 1.0 Silver badge

    Written 30 years ago

    It states that "A person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer."

    So the Computer Misuse Act implies that it's an offence to turn your phone on unless you are a woman. It's a joke that this is a joke but the law was written 30 years ago when today's environment did not exist and computers were generally either desktop machines or were the actual desktops themselves with a pile of mag tapes on top. Back then most people communicated across "the inter net" with a tennis racket in their hand.

    The Computer Misuse Act needs to be completely rewritten, not just patched to update bugs.

  6. EnviableOne

    The CMA is awful

    The CMA is the worst of both worlds at the moment

    Literally, everything can be shoehorned into one of the three or four categories

    And with the exception of the causing death clause, the penalties are laughable.

    It needs cleaning up to better define an offence and be given some teeth to act as a sufficient deterrent

    For the protection of legitimate security testing, it should be a case of a reasonable attempt to gain permission / inform the system owner, and membership of a relevant authorising body ((ISC)2, ISACA, CREST, EC-Council, TIGER, SANS, etc.) along with contemporaneous documentation of actions taken and an intent to inform; a CVE request / bug bounty submission would be a good option too...

    If a responsible body, for deciding which certs count, needs to be appointed, the NCSC in its role as National CERT and SPOC makes a good candidate.
