Computer Misuse Act: Tell the Home Office infosec needs a public interest defence in law, says CyberUp campaign
Bug-hunting industry wants to know a bit more before doing that, though
Businesses operating in the world of infosec have been urged to write to the Home Office and support a public interest defence being added to the Computer Misuse Act.
On a TechUK-organised call to discuss industry's response to the review of the act, British and overseas companies operating in the UK were urged by both the industry body and the Cyberup campaign to tell UK.gov what they think the law ought to say.
One of Cyberup’s suggestions for improving the CMA is a plan to introduce a public interest defence. This would allow people accused of committing crimes under the CMA to say they were essentially doing it for the right reasons – and it was this plan that caused the most comment during this morning’s call.
The meeting was held under the Chatham House Rule, meaning what was said at it can be reported but not the identity of the speaker.
“What are the types of [currently illegal] acts you think should be made legal?” asked one industry representative from a multinational firm, who also questioned whether the public interest defence proposal would be “reasonable”. Surely, the rep asked, a public interest defence would end up being “an open ended requirement that would be open to interpretation?”
We want to find flaws, not handcuffs
While public interest defences are very helpful for people doing the right thing, the expense of running one in court, along with the penalties if it doesn’t wash with a judge or jury, tends to mean nobody wants to be the test case.
A person with knowledge of the law responded: “Are you more happy with the current status quo, which essentially criminalises everything and relies on prosecutorial discretion, which isn't set out – it isn't defined?”
“Or would you rather have something within primary legislation that provides a mechanism whereby you can argue in court that this is within a public interest,” the person continued, “and at least then, along the lines of that public interest, [that becomes] something that can then be built [upon].”
Cyberup is also firmly against using exploits to fight back against criminals, arguing that offensive cyber is best left to agents of the state. On its website, the campaign group also supports the idea of a cybersecurity licensing scheme, saying: “We propose exploring options to create a regime of approval and accreditation of eligible providers, signing of an individually applicable strict ethics code of conduct, a commitment to maintain and share auditable logs of all activities and an obligation to pass on all intelligence and information to the appropriate authorities.”
The prime industry movers behind Cyberup are NCC Group, F-Secure and Nettitude. The website proposal does not go into detail about who would own and operate such a licensing scheme.
Another speaker wrapped up proceedings by saying: “I'm conscious that there might be some pretty fierce debates, kind of, down the line around this. So it's great that we've had a chance to kind of start to do that today. And there will be future engagements, both with the Home Office and just amongst TechUK members, to kind of firm up our position on what that should be and what that should look like.”
Individuals and companies alike have until Tuesday 8 June to respond. More details are available on GOV.UK. ®