Adam Bannister 23 June 2022 at 14:06 UTC
Updated: June 23, 2022 at 14:09 UTC
The amendment applies to the bill related to 5G rollout and connected products
UK lawmakers are proposing an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill that would give cybersecurity professionals a legal defense for their activities under the Computer Misuse Act (CMA).
A cross-party group in the House of Lords, the UK’s second chamber, put forward the amendment on Tuesday (June 21).
The PSTI bill is designed to support 5G in the UK while also mandating vulnerability disclosure policies for vendors of Internet of Things (IoT) products, and other security provisions.
‘Acting in good faith’
The CyberUp campaign, a security industry coalition calling for wholesale reform of the CMA, argues that a statutory defense under the 1990 act would protect security researchers, ethical hackers, and pen testers from false legal action when responsibly finding or reporting vulnerabilities.
Speaking at the House of Lords yesterday, Lord Arbuthnot of Edrom referred to the CyberUp campaign’s suggestion that a statutory defense should be based on “prospective benefits of the act beyond prospective harms”, on reasonable steps taken to reduce the risk of causing harm, “… good faith [and] able to show competence”.
The CyberUp campaign also urged the government to release the findings of the ‘call for information’ (consultation) on the effectiveness of the CMA, which closed more than a year ago.
UK Home Secretary Priti Patel announced the consultation with academia, law enforcement agencies, and the cybersecurity industry, with plans to review the CMA, in May 2021.
Kat Sommer, head of public affairs at CyberUp backer NCC Group and CyberUp spokesperson, praised the PSTI amendment, saying that some countries have “more permissive regimes, but no country has yet been able to introduce a defense for unauthorized access.
“Of course, the ideal situation is for the government to bring in Computer Misuse Act reforms that provide a defense even more in the case of connected products – after a year of waiting, you’d think we’d probably hear something from the ministers about it soon.”
‘Just do their job’
Campaigners believe that, if passed, the change will protect the likes of security researcher Rob Dyke, who was threatened with legal action under the CMA – threats that were eventually abandoned – after alerting a UK non-profit to security breaches in 2021.
“I’m so excited that it seems like lawmakers are starting to take seriously the need for cybersecurity researchers like me to have legal protections,” Dyke said. “It’s not right that people have to go through what I have just for doing their job.”
Lord Arbuthnot also told the House of Lords that when the CMA was implemented, “no consideration was given – I remember because I was there – to web scraping, port scanning or malware detonation, and people were not sure they were legal. Some of us aren’t sure what they are.
“This is why there needs to be security for cybersecurity researchers – they need to be able to do things for the public good.”
Relevant recent developments across the Atlantic may give hope to UK campaigners.
The legal risk surrounding legitimate U.S. security research has fallen sharply following a U.S. Supreme Court decision in 2021 on what constitutes “unauthorized access” under the Computer Fraud and Abuse Act and the Department of Justice’s recent promise not to prosecute “good faith” security research.