We all need to stand up to make the Internet a safer place
The UK’s Computer Misuse Act, under which most UK hacking prosecutions are made, came into force in 1990 – about one year after the introduction of the World Wide Web. Since then, of course, cyberspace has evolved beyond all recognition! The UK Government is currently consulting on how the Act can be updated to – as the consultation itself puts it – “identify and understand whether there is activity causing harm in the area covered by the CMA that is not adequately addressed by the current offences”.
Why it matters:
One of the issues on which respondents are invited to comment is the potential for a statutory legal defence for hacking if such activities had good-faith/benevolent motives. The UK’s Home Office – which has responsibility for the consultation – has already indicated that such a legal defence could “advance our whole of society approach to cyber security”. Simultaneously, however, it is wary of the potential for unintended consequences.
Of course, this is an area of very great interest to me, to Bugcrowd, and to our crowd of cybersecurity researchers or ethical hackers. Poor legal protection for ethical hackers creates a chilling effect whereby those who could contribute to making the Internet a safer place are afraid to do so in the first place.
A view from the top:
In Bugcrowd’s view, the UK needs to think along the same lines as the United States, which has already clarified protection for legitimate security research activities via an important Supreme Court ruling and a clear DOJ commitment not to prosecute good-faith security hackers. The UK needs a revised Act that not only better defines what bad actors are not permitted to do, but also adequately and clearly supports the key role that freelance, ethical cybersecurity hackers play in discovering and disclosing vulnerabilities so they can be addressed before they are exploited.
Bugcrowd is contributing to the consultation via two industry groups on which I sit: the Cybersecurity Policy Working Group (CPWG) and the Hacker Policy Coalition. Both these organisations will be making submissions to the consultation reflecting the views of their respective members.
But it’s equally important that as many individuals and organisations as possible have their say on this, and I encourage anyone from our extended ecosystem with a view to contribute to the consultation here. I also encourage you to be quick: the consultation closes on April 6th 2023.