Computer Misuse Act: Tell the Home Office infosec needs a public interest defence in law, says CyberUp campaign

Bug-hunting industry wants to know a bit more before doing that, though

Businesses operating in the world of infosec have been urged to write to the Home Office and support a public interest defence being added to the Computer Misuse Act.

On a TechUK-organised call to discuss industry's response to the review of the act, British and overseas companies operating in the UK were urged by both the industry body and the Cyberup campaign to say what they think the law ought to say.

One of Cyberup’s suggestions for improving the CMA is a plan to introduce a public interest defence. This would allow people accused of committing crimes under the CMA to say they were essentially doing it for the right reasons – and it was this plan that caused the most comment during this morning’s call.

The meeting was held under the Chatham House Rule, meaning what was said at it can be reported but not the identity of the speaker.

“What are the types of [currently illegal] acts you think should be made legal?” asked one industry representative from a multinational firm, who also questioned whether the public interest defence proposal would be “reasonable”. Surely, the rep asked, a public interest defence would end up being “an open ended requirement that would be open to interpretation?”

We want to find flaws, not handcuffs

While public interest defences are very helpful for people doing the right thing, the expense of running one in court, along with the penalties if it doesn’t wash with a judge or jury, tend to mean nobody wants to be the test case.

A person with knowledge of the law responded: “Are you more happy with the current status quo, which essentially criminalises everything and relies on prosecutorial discretion, which isn't set out – it isn't defined?”

“Or would you rather have something within primary legislation that provides a mechanism whereby you can argue in court that this is within a public interest,” the person continued, “and at least then, along the lines of that public interest, [that becomes] something that can then be built [upon].”

Cyberup is also firmly against using exploits to fight back against criminals, arguing that offensive cyber is best left to agents of the state. On its website, the campaign group also supports the idea of a cybersecurity licensing scheme, saying: “We propose exploring options to create a regime of approval and accreditation of eligible providers, signing of an individually applicable strict ethics code of conduct, a commitment to maintain and share auditable logs of all activities and an obligation to pass on all intelligence and information to the appropriate authorities.”

The prime industry movers behind Cyberup are NCC Group, F-Secure and Nettitude. The website proposal does not go into detail about who would own and operate such a licensing scheme.

Another speaker wrapped up proceedings by saying: “I'm conscious that there might be some pretty fierce debates, kind of, down the line around this. So it's great that we've had a chance to kind of start to do that today. And there will be future engagements, both with the Home Office and just amongst TechUK members, to kind of firm up our position on what that should be and what that should look like.”

Individuals and companies alike have until Tuesday 8 June to respond. More details are available on GOV.UK. ®
