Full Report
Akshaya Asokan reports: The U.K. government is considering amending its three-decade-old hacking law to include a "statutory defense" cover for security researchers, Security Minister Dan Jarvis said. The announcement comes amid concerns that the law penalizes white hat hackers for essential security practices such as participating in bug bounties. Speaking at a Financial Times event...
Analysis Summary
# Regulation/Compliance: UK Computer Misuse Act (CMA) 1990 Revision (Proposed Statutory Defense)
## Overview
The U.K. government is considering amending the Computer Misuse Act (CMA) of 1990. The primary goal of this potential amendment is to introduce a "statutory defense" specifically designed to protect legitimate security researchers (white hat hackers) from criminal prosecution when conducting essential security testing, such as participating in bug bounty programs, which might otherwise be interpreted as unauthorized access under the current law.
## Key Details
- Issuing Authority: U.K. Government (Security Minister Dan Jarvis announced consideration)
- Effective Date: Not yet set (Pending legislative process)
- Jurisdiction: United Kingdom (UK)
- Status: Proposed (Under consideration for legislative change)
## Requirements
This summary outlines the requirements associated with the *current* CMA 1990 and the *proposed* changes.
### Mandatory Requirements (Under current CMA 1990)
1. **Prohibition on Unauthorized Access:** It is a criminal offense to gain unauthorized access to any computer material (Section 1 of the CMA).
2. **Prohibition on Unauthorized Acts:** It is an offense to carry out any unauthorized act while having authorized access to a computer (e.g., exceeding permissions) (Section 2 of the CMA).
3. **Prohibition on Unauthorized Modification:** It is an offense to impair the operation of a computer or prevent authorized access to data by unauthorized acts (e.g., planting malware, denial of service) (Section 3 of the CMA).
### Recommended Practices (Based on proposed changes for security researchers)
1. **Document Research Scope:** Security researchers should clearly define the scope of their activities (what they are testing, where, and how) before commencing work.
2. **Adhere to Bug Bounty Rules:** Strictly follow the established rules of engagement provided by any bug bounty program or responsible disclosure policy being utilized.
3. **Seek Prior Authorization (If Possible):** Where appropriate, researchers should seek explicit, written permission from asset owners to confirm their activities fall outside the scope of traditional hacking and align with security testing.
## Affected Organizations
- Industries: All organizations operating computer systems within the UK jurisdiction, particularly those engaging with external security researchers (e.g., Fintech, critical national infrastructure, large enterprises).
- Organization Size: Not explicitly defined by size, but applies to any entity owning systems susceptible to unauthorized access.
- Geographic Scope: United Kingdom.
## Compliance Timeline
- Issuance of Draft Legislation: Unknown.
- Parliamentary Review/Debate: TBD following legislative drafting.
- **Final Deadline:** Not applicable yet, pending the finalization and enactment of the revised Act.
## Implementation Guidance
### Assessment Phase
- **CMA Risk Assessment:** Review current internal security testing procedures and third-party engagement policies (including bug bounties) to identify activities that could potentially violate the existing CMA 1990 provisions.
- **Legal Review:** Consult with legal counsel to understand the precise interpretation of "unauthorized access" in the context of current operations.
### Implementation Phase
- **Internal Policy Update (Current State):** Modify internal researcher guidelines to explicitly warn participants about the legal ambiguity under the existing CMA and advise caution until clarification is provided.
- **Advocacy/Feedback:** Participate in government consultations regarding the proposed statutory defense to ensure the final language adequately covers legitimate security practices.
### Validation Phase
- **Scenario Testing:** Run simulated vulnerability disclosure scenarios to test internal response protocols against potential misinterpretations of the law, pending regulatory clarity.
## Technical Requirements
*No specific new technical requirements are mandated yet, as the change addresses legal protection for existing technical activities (security testing).*
## Penalties & Enforcement
- **Fines and Sentences:** Penalties under the existing CMA 1990 are severe, including potential imprisonment, depending on the specific section violated (e.g., Section 3 offenses carry significant prison sentences).
- **Other Consequences:** Criminal conviction leading to loss of professional standing or employment.
- **Enforcement:** Enforced by U.K. law enforcement agencies, potentially leading to prosecution by the Crown Prosecution Service (CPS). The proposed defense aims to prevent enforcement against legitimate activity.
## Related Standards
- **NIST SP 800-53/ISO 27001:** While these frameworks mandate security testing (e.g., vulnerability scanning and penetration testing), the CMA revision addresses the *legal risk* associated with performing those tests in the UK, rather than the technical execution standards themselves.
## Resources
- Official Documentation: Reference to the original **Computer Misuse Act 1990**.
- Guidance Documents: Statements made by **Security Minister Dan Jarvis** at the Financial Times event (specific public text release pending).
- Tools: None specifically for this regulatory change yet.
## Practical Recommendations
1. **Monitor Legislative Updates:** Organizations must closely track official announcements from the Home Office or relevant ministerial departments regarding the drafting and progression of the CMA amendment.
2. **Define Clear Researcher Contracts:** If utilizing external penetration testers or running bug bounties, ensure contracts explicitly indemnify the researcher where possible (though this cannot supersede criminal law) and clearly define permitted testing scope.
3. **Advocate for Clarity:** Engage with industry bodies to ensure the drafting of the statutory defense is broad enough to protect common, essential security research practices like vulnerability disclosure.