Campaigners argue that contentious edge case activities are not a justification for further delaying much overdue’ reform.

While the government is now reviewing the 1990 statute, proponents of CMA reform have listed cybersecurity activities that ought to be protected by the law.

These legal hacking practices, according to the “consensus” opinion of experts, included responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

According to a paper (PDF) Released by the CyberUp campaign yesterday (15 August), this consensus “would form the primary premise of a new legal environment for cybersecurity experts based on a statutory defense.”

Such a defense “would enable the UK’s cybersecurity sector to more effectively safeguard the UK as part of the whole-of-society effort while ensuring cybercriminals may still be prosecuted,” rather than “unleashing a wild west of cyber vigilantism.”

Edge cases

The CyberUp campaign also outlined behaviors that, in general, need to be regarded as illegal, including so-called “hack backs,” the use of malware, and “active defense” strategies that “still constitute a murky area.”

These “contentious edge cases” include exploiting vulnerabilities, validating passively detected vulnerabilities, breaking into a bad actor’s network, stuffing credentials, actively gathering intelligence, performing forensic analysis, using botnets, and neutralizing suspicious or nefarious assets. These scenarios call for “further consultation and discussion as the policy formation process develops.”

The existence of edge cases, insisted CyberUp, is no justification for further delaying “long overdue” change.

The findings were based on the opinions of 15 cybersecurity researchers, consultants, and other specialists who evaluated various actions in light of the potential negative and positive effects.

The percentage of specialists who were in “consensus,” or agreement, varied widely.

In contrast, 64% of respondents thought that patching third-party networks or using remote desktop protocol (RDP) connections to gather information from an attacker’s computers potentially ran the risk of doing harm but also offered worthwhile benefits. For instance, 100% of respondents thought that using sandboxes delivered no or limited harm but clearly demonstrated benefits.

Importance of Intent

The exercise, which “falls short” at the moment, “exposed the limitations of any endeavor to isolate procedures, activities, and acts from the intent of an actor,” according to the paper.

CyberUp suggests that courts utilize general principles to evaluate cases of unauthorized access rather than depending on binary lists of legal and illegal actions, which would quickly become outdated as methods and technology advanced.

A collection of these guidelines is established in a defense framework (PDF) that CyberUp issued in 2021.

The CyberUp campaign stated that it disagreed with advice from some of the experts it contacted that certain activities should only be carried out with a permit or, even more stringently, when actors “have been certified and have a court warrant to proceed.”

The report stated, “In our view, the boundaries of legal conduct will be sufficiently unambiguous over time with case law, and ideally with clear guidance from prosecutors, to counter the need for the high degree of oversight that is sought by those who prefer a system more tightly regulated by the courts.”

In May 2021, it was revealed that the outdated CMA, which makes “unauthorized access” a crime, will be reviewed.