Statutory defense for ethical hacking under UK Computer Misuse Act tabled



Adam Bannister

23 June 2022 at 14:06 UTC

Updated: 23 June 2022 at 14:09 UTC

Amendment applies to bill related to 5G rollout and connected products


UK legislators have proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill that would give cybersecurity professionals a legal defense for their activities under the Computer Misuse Act (CMA).

A cross-party group in the House of Lords, the UK’s second chamber, tabled the amendment on Tuesday (June 21).

The PSTI bill is designed to support the UK’s 5G rollout while also mandating vulnerability disclosure policies for vendors of Internet of Things (IoT) products, among other security provisions.

‘Acting in good faith’

The CyberUp campaign, a security industry coalition calling for wholesale reform of the CMA, argues that a statutory defence under the 1990 act would protect security researchers, ethical hackers, and pen testers from spurious legal action when responsibly hunting for or reporting vulnerabilities.

Speaking in the House of Lords yesterday, Lord Arbuthnot of Edrom referenced the CyberUp campaign’s suggestion that a statutory defense should be based on “the prospective benefits of the act outweighing the prospective harms”, on “reasonable steps being undertaken to minimise the risks of causing harm… the actor demonstrably acting in good faith [and] being able to demonstrate competence”.

The CyberUp campaign has also urged the government to release the findings of its ‘call for information’ (consultation) on the effectiveness of the CMA, which closed more than a year ago.

UK Home Secretary Priti Patel announced the consultation with academia, law enforcement agencies, and the cybersecurity industry alongside plans to review the CMA in May 2021.


Kat Sommer, head of public affairs at CyberUp backer NCC Group and CyberUp spokesperson, hailed the PSTI amendment, noting that some countries had “more permissive regimes, but no country has yet gone so far as to introduce a defence for unauthorised access.

“Of…
