In March this year, we issued a ‘call to action’ to CISOs and ethical hackers, encouraging them to respond to a UK Government consultation on updating its 33-year-old Computer Misuse Act (CMA). Why did we do this, and what happens now?
The UK Government’s spring consultation on updating the CMA was an important issue for us to highlight because, under the current act, unauthorised access to a computer is an offence regardless of the intent behind it, so security research carried out without the system owner’s permission remains technically illegal in the UK. Dating back to 1990, the act does not differentiate between ‘hacking for good’ and hacking for malicious purposes, and it offers no defence for good-faith research.
The current act no longer reflects reality. In 2023, an ever-increasing number of CISOs and organizations across the world are benefiting from the skills of hackers via crowdsourced cyber security platforms like Bugcrowd. In the UK, this includes many vulnerability disclosure program (VDP) customers who have no intention of pursuing the very researchers who seek out vulnerabilities for the public good.
Why it Matters
The letter of the existing CMA is at odds with current policy statements. For example, the UK Government’s National Cyber Strategy 2022 states that it aims to develop “valuable and trusted relationships with the security researcher community, delivering a reduction in vulnerabilities across the government estate.” However, the legal protections that researchers and ethical hackers would need in order to do that work safely are not in place.
Bugcrowd founder and CTO Casey Ellis has offered advice to the UK Government through his involvement with the Hacker Policy Council, a coalition of organizations with deep security expertise that advises legislators around the world, many of whom are wrestling with similar issues. The world has simply moved on, and legislators clearly need to catch up.
Business appetite for the kind of help hackers can provide is also strong. In its State of Cybersecurity Resilience 2021 report, Accenture found that 81% of business leaders believe the cost of staying ahead of cybersecurity attackers to be “unsustainable.” This perception of a ‘losing battle’ has helped fuel interest in Bugcrowd’s crowdsourced approach to cybersecurity over the last two years.
The Need for UK Legislation to Support Hackers
While many regulators around the world are grappling with the same issues as the UK in drafting legislation, there is also plenty of existing best-practice legislation for them to reference. In the US, there have been at least 43 instances since 2014 of vulnerability disclosure programs or bug bounty programs being mentioned in a proposed bill, law, policy, or directive, some of which were subsequently enacted. Given the global nature of both bad actors and the security researcher community, consistency between jurisdictions will only help in the prosecution of bad actors and the protection of good-faith hackers.
Following a public consultation, the UK Government typically publishes a response several months later. After its January 2022 consultation on proposals for legislation to improve the UK’s cyber resilience closed, the response was published that November. We could see the response to the recent CMA consultation any time now.
It’s part of our mission here at Bugcrowd to stand up for and represent the ethical hacker community, so we’ll be reading the UK Government’s response carefully on the community’s behalf, whenever it comes. You’ll find Bugcrowd at Black Hat Europe in London this December. Find us there and tell us what you think.