A review of the UK’s creaking cybercrime laws has been criticized for lacking “urgency” after the UK government launched a second public consultation on the issue.
The consultation is primarily seeking feedback on three proposals to emerge from an earlier call for information related to the aging Computer Misuse Act 1990 (CMA).
According to security minister Tom Tugendhat, these proposals would grant law enforcement agencies new powers to seize control of maliciously deployed domains and IP addresses, “require the preservation of computer data” while police determine the data’s relevance to an investigation, and take action against persons “possessing or using data obtained by another person through a CMA offence”.
Statutory defense
Tugenhadt also invited comment on sentencing, extra-territorial threats, and the prospect of introducing a statutory defense for hacking undertaken for good-faith or benign rather than malicious motives.
The CyberUp campaign, which lobbies for a complete overhaul of the CMA, wants robust legal protections for responsible vulnerability research and disclosure, disseminating threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and running honeypots.
The campaign, whose backers include the Confederation of Business Industry (CBI) and parliamentarians like Lord Chris Holmes, believe the lack of legal clarity for good-faith security work threatens to undermine vital intelligence-sharing between the private cybersecurity industry and law enforcement agencies.
The Home office recognized that a statutory defense could “advance our whole of society approach to cyber security” but warned of the risk of providing legislative cover for ‘hacking back’.
“We believe further work is required to consider options, and the risks and benefits associated with the introduction of statutory defences,” it said.
‘Way behind other nations’
The latest consultation comes around 21 months after the CMA review was first announced by then Home Secretary Priti Patel, in May 2021.
“Cybercrime is endemic across the UK. We need urgency and pace – not for these issues to be kicked into the long grass,” said Ollie Whitehouse, spokesperson for the CyberUp campaign.
“We welcome that the government has acknowledged that there is a problem with legitimate cybersecurity activity being constrained by the UK’s outdated cyber laws; 66% of respondents to its consultation agreed on this point.
“And yet – today’s announcement lacks concrete action, leaving the UK way behind other nations.”
Progress has certainly been more notable across the Atlantic in terms of enhancing legal protections for legitimate security research, following a landmark Supreme Court ruling and US Department of Justice pledge not to prosecute good-faith security researchers last year.
Kat Sommer, group head of strategy and public affairs at NCC Group, which leads the CyberUp campaign, told The Daily Swig that she welcomed the government’s recognition “that cybercrime laws must not unnecessarily prohibit cyber security activities”, and “commitment to work with the industry to consider the defences that should be introduced to safeguard cyber professionals.
“Nevertheless, the continued ambiguity while this work takes place will act as a brake on the industry,” she continued. “After 21 months of consultation, we would have hoped for further progress to bring the 32-year-old Computer Misuse Act into the 21st century, than what has been announced this week.”
Ollie Whitehouse said “very little progress has been made in nearly two years” and urged the government to “lay out a clear timetable and plan for the next steps, to ensure there are no more delays”.
A further round of consultation on the CMA began yesterday (7 February) and ends on 6 April 2023.
There were an estimated 1.6 million incidents of computer misuse reported in England and Wales in the year ending March 2022, accounting for 14% of crime overall.
Source: https://portswigger.net/daily-swig/second-uk-computer-misuse-act-consultation-reflects-very-little-progress