Cybersecurity experts and professionals broadly agree on questions of legitimacy and legality in certain cases of unauthorized access to IT systems, according to a report produced by campaigners for reform of the Computer Misuse Act (CMA), who hope their findings will provide clarity for policymakers exploring changes to the law.

The CyberUp campaign has been calling for CMA reform for years. The law dates back to the early 1990s, when the IT world looked very different, and as a result there is now great concern in the security world that its current wording effectively criminalizes the work of ethical hackers and security researchers.

For this reason, the group has been advocating since 2019 for a statutory defence to be included in the CMA. Last year the Government said it would start work on reforming the CMA, but little progress has been made since then, apart from an attempt by the Lords to include such a provision in the Product Security and Telecommunications Infrastructure (PSTI) Bill.

“The consensus outlined in the report published today shows how legal protection can work in practice,” the campaigners said.

“Most importantly, it emphasizes that it would not open up a ‘Wild West’ of cyber vigilantism. Instead, by reforming the Computer Misuse Act to make the activities described in the report defensible, the CyberUp campaign argues that the government could enable a range of benefits, including improved cyber resilience for the nation and its allies and accelerated growth in the United Kingdom’s domestic cyber security sector.”

Survey respondents were asked to categorize the cyber activities and techniques used in the course of vulnerability and threat research into four groups: actions that cause no or limited harm but bring benefit, which are defensible; actions that cause harm but also bring benefit, which may be defensible; actions that cause no or limited harm and bring no or limited benefit, which may also be defensible; and actions that cause harm and bring no or limited benefit, which are unjustified.

CyberUp found consensus on 13 activities that fit the first category. These are the use of application programming interface (API) keys, banner grabbing, the use of beacons, the implementation of firewalls and network access controls, the use of honeypots, the use of open directory listings, passive information gathering, port scanning, the use of sandboxes or tarpits, taking down servers or botnets, detecting, web scraping, and malware analysis. CyberUp therefore believes that a reformed CMA should make these actions defensible.

In the second category, CyberUp found agreement that redirecting or actively gathering intelligence, patching third-party networks, and using remote desktop protocol connections to obtain information from attackers’ systems can be defensible, but that additional work will be needed to determine how to manage them.

Respondents were then asked for their views on which cyber activities and techniques that require unauthorized access a reformed CMA should consider legitimate, and which it should consider illegitimate.

CyberUp found that the cyber community agrees there is a range of activities that can be considered legitimate cases of unauthorized access and therefore should be legal. These include vulnerability scanning, proportionate scanning of publicly accessible systems (i.e. those exposed to the Internet), responsible security scanning, responsible disclosure, active scanning, enumeration, Internet best-practice scanning, the use of Active Directory lists, identification, passive intelligence gathering and investigation, and the use of honeypots.

It also found agreement on what activities constitute illegitimate unauthorized access, such as hacking back, conducting distributed denial-of-service attacks, using malware and ransomware, malicious “socially undesirable” actions, validating exploits or proving a failed security boundary, and penetrating systems considered part of critical national infrastructure. This group of activities also includes the rather vaguer concept of causing harm.

Gray area

Finally, the report reveals a consensus that the range of cyber techniques described as active defence may still represent a gray area that needs to be considered and debated as the Home Office prepares its next steps towards a potential policy change.

These gray areas include actions such as infiltrating the networks or systems of threat actors, verifying passively discovered vulnerabilities, exploiting vulnerabilities, credential stuffing, neutralizing suspicious or malicious assets, actively gathering information, exploiting botnets, and active investigation and forensic analysis.

CyberUp emphasized that it does not necessarily propose that the full list of activities outlined in its report find its way into the government guidance accompanying the statutory protections, as the rapidly evolving security landscape means the list will inevitably become outdated. Instead, it says it hopes the courts will be able to draw on the degree of consensus shown by its “harm-benefit” matrix at the relevant point in time when hearing a hypothetical future case.

It also found that some respondents objected to or questioned the overall approach to expanding the scope of defensible activity. One commented that the status quo should remain in place because such activities could cause “disruption of intelligence or law enforcement operations, diplomatic incidents, or war.”

Others raised questions about whether there should be a licensing system for certain cyber activities, while another respondent suggested that these activities should only be carried out by a certified participant holding a court order authorizing them to proceed.

The full campaign report is available for download here.
