This article is more than 1 year old

Rapid7 says Computer Misuse Act should include 'good faith' infosec research exemption

Security biz publishes plans for law reforms

Infosec firm Rapid7 has joined the chorus of voices urging reform to the UK's Computer Misuse Act, publishing its detailed proposals intended to change the cobwebby old law for the better.

The cloud-based SIEM company specifically highlighted section 3A of the CMA, saying this potentially "imperils dual-use open-source security testing tools and the sharing of proof-of-concept code".

It also echoed other industry concerns about criminalising general security research through section 1 of the act, which prohibits accessing a computer without the owner's permission.

"It’s worth noting that neither the National Crime Agency (NCA) or the CPS seem to be recklessly pursuing frivolous investigations or prosecutions of good-faith security research. Nonetheless, the current legal language does expose researchers to legal risk and uncertainty, and it would be good to see some clarity on the topic," said Rapid7 in a blog post published over the sleepy summer period.

Highlighting "dual use technologies" the company suggested "clearer protections" under section 3A(2), exempting anything "capable of being used for legitimate purposes" and which were both widely available and "intended by the creator or supplier" for legitimate uses.

Where this would leave tools such as Cobalt Strike is unclear. The threat simulation tool was originally developed for pentesters but has become ubiquitous among malicious folk on the internet - to the point where six suspects arrested in connection with the notorious Clop ransomware gang were found to be using it.

Rapid7 also proposed a legal exemption for "good faith" security research, resting on the notion that good faith research can be shown to be carried out "in a manner reasonably designed to minimise and avoid unnecessary damage or loss to property or persons".

The Home Office announced plans to reform the three-decade-old act in May, with Home Secretary Priti Patel saying she wanted to ensure "we have the right tools and mechanisms to detect, disrupt and deter our adversaries."

In a detailed PDF setting out its position, Rapid7 extrapolated its position.

Many people take a view that if something is made accessible in public spaces on the internet, authorisation to access it is inherently granted… That being the case, the question becomes how systems owners/operators can indicate a lack of authorisation for accessing systems or information in a way that scales while still enabling broad access and innovative use of online services.

Most of the UK infosec industry is right behind the current moves to reform the CMA, including Trustwave, A&O IT Group, IntSights, and others. Driving the reforms was the CyberUp campaign group, whose leading lights include NCC Group, F-Secure and others. ®

More about


Send us news

Other stories you might like