Adam Bannister June 23, 2022 at 14:06 UTC
Updated: June 23, 2022 at 14:09 UTC
The amendment applies to the bill related to the deployment of 5G and connected products
UK lawmakers have proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) Bill that would give cybersecurity professionals a legal defense for their activities under the Computer Misuse Act (CMA).
A cross-party group in the House of Lords, the UK’s second chamber, tabled the amendment on Tuesday (June 21).
The PSTI Bill is designed to support the rollout of 5G in the UK while at the same time requiring vulnerability disclosure policies for vendors of Internet of Things (IoT) products, among other security provisions.
‘Act in good faith’
The CyberUp Campaign, a security industry coalition calling for comprehensive reform of the CMA, argues that a legal defense under the 1990 law would protect security researchers, ethical hackers and penetration testers from false legal claims when searching for or reporting vulnerabilities responsibly.
Speaking in the House of Lords yesterday, Lord Arbuthnot of Edrom referred to the CyberUp campaign’s suggestion that a legal defense should be based on “the possible benefits of the act outweighing the possible harms”, on “reasonable steps being taken to minimize the risks of causing harm … good faith [and] be able to demonstrate competence”.
The CyberUp campaign has also urged the government to publish the results of its ‘information call’ (consultation) on the effectiveness of the CMA, which closed more than a year ago.
UK Home Secretary Priti Patel announced the consultation with academia, law enforcement agencies and the cybersecurity industry along with plans to review the CMA in May 2021.
Kat Sommer, head of public affairs at NCC Group, a sponsor of CyberUp, and spokesperson for CyberUp, praised the PSTI amendment, noting that some countries had “more permissive regimes, but no country has gone so far as to introduce a defense for unauthorized access.”
“Of course, the ideal situation is for the government to introduce amendments to the Computer Misuse Act that provide a defense beyond the connected products-only case: after a year-long wait, you’d think we’d likely hear something from ministers on this soon.”
‘Just doing your job’
Campaigners believe that, if passed, the amendment will protect the likes of security researcher Rob Dyke, who was threatened with legal action under the CMA after alerting a UK non-profit to security flaws in 2021. The threats were eventually dropped.
“I’m very pleased that it appears that lawmakers are beginning to take seriously the need for cybersecurity researchers like myself to have the protection of the law,” Dyke said. “It’s not okay that people have to go through what I have just to do their job.”
Lord Arbuthnot also told the House of Lords that when the CMA was enacted, “it wasn’t considered, I remember because I was there, web scraping, port scanning, or malware detonation, and people aren’t sure it’s legal. Some of us are not sure what they are.
“That’s why there needs to be certainty for cybersecurity researchers: They need to be able to do things for the public good.”
Recent developments across the Atlantic may well offer UK campaigners hope.
The legal risk surrounding legitimate security research in the US has been greatly diminished following a 2021 US Supreme Court ruling on what constitutes “unauthorized access” under the Computer Fraud and Abuse Act and the Department of Justice’s recent promise not to prosecute “good faith” security research.