Re: The law is fine and doesn't need changing
No, it’s not fine. It would help if people bothered themselves to read the act (as amended) to see what it actually criminalises rather than thinking “hacking bad, so law good”.
The entire thing is so widely drafted it’s ripe for abuse. However, the truly awful provision is s.3A - http://www.legislation.gov.uk/ukpga/1990/18/section/3A.
Creating, sharing or possessing a tool that *could* assist in an offence under s.1 etc. is an offence. So, you want to test how many of your servers are vulnerable to a recent zero day? You write a script to scan your own estate. Bad news. You just committed an offence. You want to share it with your contacts in your suppliers etc. so they don’t get popped? Again, criminal. Share it with the wider community to help as many people as possible? Same.
Okay, so you put a disclaimer on it (“must not use without permission of network owner”). Bad news. That’s not a defence - that’s evidence the CPS will use against you to show you knew it could assist in the commission of an offence.
How about you want to make a product like Nessus, Qualys etc? Yeah no - criminal in the UK.
But those people won’t get prosecuted, you say. That there is the problem - you have a law that basically makes using a networked computer criminal, and leaves the decision to prosecute to a bunch of people who may or may not have the best interests of society as their priority. Pissed off the wrong people? Criminal record says hi!
There’s a reason there is a paucity of security research in the UK - it’s grotesquely high risk even as a white hat, and a criminal record basically ends your career. If you report an issue to someone who simply wants it to go away the CMA will do that nicely.
The CMA is a bad law with a good purpose. It needs to be changed. It could create highly skilled jobs in the UK if done right, but of course nothing will change as MPs have no knowledge of the field and no desire to learn.