Obsolete provisions of aging UK legislation risk criminalizing pen testers

Four in five UK cybersecurity professionals worry about breaking the law due to outdated provisions of the country’s aging cybercrime legislation.

A survey – commissioned by techUK and the CyberUp Campaign, industry groups both pushing for Computer Misuse Act (CMA) reform – highlights the restrictions that penetration testers are under when it comes to abiding by the 30-year-old law.

Critics argue that the law inhibits the work of cyber-threat analysts and other security researchers, in particular because of the tight definition of what acts are authorized and who can authorize them.

Even though the CMA has been amended twice, it has long been superseded by technological progress since it was written onto the statute books back in 1990 – a time well before the ubiquity of computers or the internet.

Fear factor

CyberUp is campaigning for a reform of the law to take account of the motivations of ethical cybersecurity professionals, enabling them to operate with legal certainty and free from the fear of prosecution.

According to CyberUp, the findings of the survey illustrate that the concerns and confusion about the Computer Misuse Act are hampering the nation’s cyber defences by preventing cybersecurity professionals from doing their jobs.

The survey of 46 industry professionals also found that the CMA is having a stifling effect on the UK’s cyber security industry, with 91% of businesses feeling they had been put at a competitive disadvantage relative to other countries with better legal regimes.

Reformers want to see a new public interest defense aimed at cyber threat intelligence professionals, academics, and journalists as well as the creation of new sentencing guidelines and other changes.

Outdated legislation

The CyberUp campaign is supported by a coalition of industry partners, policy makers, and academics.

Ed Parsons, managing director at F-Secure Consulting and spokesperson for the CyberUp Campaign, said: “The survey findings highlight that many cybersecurity professionals, at present, are having to carry out their jobs with one hand tied behind their back in order to stay within the law.

“Reform of the CMA will make the UK cybersecurity industry more competitive and more attractive to work in at a time when cyber skills are in short supply and in high demand.”

Ollie Whitehouse, CTO of NCC Group and director at PortSwigger Web Security, The Daily Swig’s parent company, added: “This research and the resultant report significantly adds to the body of evidence suggesting that we must reform this outdated legislation to ensure the cyber resilience of the United Kingdom and its allies.”

“Defending against cyber-attacks has shown the cyber industry-government partnership at its finest, but the Computer Misuse Act limits this kind of collaboration and constrains its full potential whilst undermining the economic opportunities for UK companies,” he added.
