Proposed Amendment to the PSTI Bill Set To Provide Defence to Ethical Hacking Under the CMA

Published 22 julio 2022

Ethical Hacking: “A security practice where a hired hacker, either an individual or an appointment within a company, attempts to break into a system, simulating a malicious cyber-attackers action. The ethical hacker, colloquially known as a white hat hacker, is typically a computer security expert specializing in pen testing, penetration testing, and other testing methodologies.”

– White Hat Security

UK legislators have tabled a proposed amendment to the Product Security and Telecommunications Infrastructure (“PSTI”) Bill which, if passed, will provide a legal defence to ethical hacking for cybersecurity professionals under the Computer Misuse Act 1990 (“CMA”). This follows closely in the footsteps of the recent landmark decision made across the pond by the US Department of Justice to cease the prosecution of ethical hackers, pursuant to the Computer Fraud and Abuse Act (“CFAA”). This came into force on 19 May 2022 and added impetus to the calls for UK cyber law reform in respect of the same.

Perhaps unsurprisingly, the CMA is widely considered to be unsuitable for the modern world; it was drawn up over 30 years ago, at a time where fewer than 0.5% of the UK population had internet access and the concept of ethical hacking would be yet to gain any prevalence – the term first being coined in 1995 by the Vice President of IBM, John Patrick.

Fast-forward to 2022 and the landscape of the worldwide web has evolved into something quite unrecognisable, with 94.8% of the UK using the internet today. Not only has internet use proliferated exponentially but its complexity has increased in equal if not greater proportions. Consequently, it should come as no surprise that UK cybersecurity lobbyists argue that the Act could do with a little updating at the very least, or a top-to-bottom renovation as the hardliners are calling for.

According to a 2020 survey, 80% of cybersecurity professionals expressed concerns of being prosecuted due to the lack of public interest provisions under the CMA. Further still, the same survey revealed that 91% of cybersecurity professionals believed they were at a competitive disadvantage to those working under superior legal regimes in this respect. The introduction of a defence under the CMA would therefore provide ethical hackers and security researchers with a much-welcomed layer of protection from liability in the performance of their role exploring vulnerabilities and in turn would allow us to advance at the same rate as our international counterparts. Principally, the defence will draw a distinction once and for all between their legitimate work and that of cyber-criminals.

Pros & Cons

In order to successfully execute this balancing act between the common good and societal need for restrictions on illegal activity, a helpful starting point is to look at the broad advantages and disadvantages of ethical hacking:

The Pros

• Helps fight cyber-terrorism and national security breaches.
• Assists in taking preventative action against hackers.
• Enables systems to be built that are impenetrable by hackers.
• Offers greater security to banking and financial establishments in particular.
• Enables the identification of open holes in a computer system and how to close them.

The Cons

• Risks corrupting the files and data of an organisation.
• The information gained through hacking could be used for malicious use.
• It can impact on individuals’ privacy.

The consensus among cybersecurity professionals is that the benefits of amendment would outweigh the disadvantages. This view has been advocated in particular by the CyberUp campaign, a security industry coalition, who have been calling for reform to British cybercrime laws for 30 years. Ollie Whitehouse, the Global CTO at NCC Group which leads CyberUp, likened the current restrictions imposed by the CMA to acting “with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs” – a description which very aptly captures the frustrations held by those in the sector whose ability to carry out their job continues to be stifled by outdated elements of this legislation.

Whilst the cons should by no means be taken lightly, whether they are sufficient to prohibit reform is another question. In our opinion, the answer to that question is no. The gravity of the cons are dwarfed by the common good benefits of the pros. There is nothing to prevent separate action being taken at a later stage to tackle the abovementioned cons in a way that doesn’t completely stifle the necessary evolution of the law.

Conclusion

On balance, the prevailing view is that the hypothetical risk of the defence being abused is outweighed by the advantages of updating the legislation. This is, in part, due to the proposals for various safeguard tests to be incorporated, including a competency element which will help to ensure an individual engaged in the activities covered was acting in good faith and with an ethical motivation. Overall, the risks and appropriate responses have been factored into the drafting of the bill and are likely to act as a robust shield against any such attempts.

All things considered, it appears that the CMA is no longer fit-for-purpose, given how widely change is sought by the cybersecurity sector. If this amendment is passed it would represent a sensible step in the right direction and may well be a catalyst for some long-awaited modernisation.

Article Author: Alana Herbert-White