Cyber Security Experts Call For Greater UK Protections For Ethical Hackers


A group of cyber security experts is calling on the UK government to reform the Computer Misuse Act, saying it fails to protect security professionals.

The Act was introduced back in 1990 after BT’s then email system, Prestel, was hacked by journalist Robert Schifreen in an attempt to access the mailbox of Prince Philip. Schifreen – who said he wanted to raise awareness of vulnerabilities – was charged, but acquitted; the new act then made it an offence to access a computer without authorisation.

However, 30 years is a long time, and the UK is now looking to introduce new measures – dubbed the ‘Cyber Duty to Protect’ – and has put out a call for information, asking for views on what actions can be taken to reduce risks.

In their letter to incoming prime minister Liz Truss, the Internet Service Providers’ Association (ISPA), security firm NCC Group and the former head of the National Cyber Security Centre (NCSC) Ciaran Martin call for the introduction of a statutory defence to protect ethical hackers.

“As you will be aware, last year the Home Office conducted a review of the effectiveness of the Act. We understand from Freedom of Information requests that 66% of those who responded to the review expressed concerns over the lack of protection in the Act for legitimate cyber activity,” they write.

“You will of course be all too aware of the increased cyber threat posed by our adversaries, not least following Russia’s invasion of Ukraine. We believe this strengthens the case for prioritising efforts to reform the Computer Misuse Act to include a statutory defence.”

At issue is the work of ethical hackers, or penetration testers, who currently must gain permission to access systems and follow agreed rules on what may be done with the data, generally agreed via a contract and non-disclosure agreement (NDA).

However, this means it’s currently illegal for penetration testers to scan systems for vulnerabilities without advance permission, or to access hacked data on the dark web for their research.

And researchers have indeed fallen foul of…
