BLOG: The UK could learn from the US cyber threat intelligence legal regime
14 May 2020
As the UK cyber security sector continues to be inhibited by the Computer Misuse Act, it is worth turning one's gaze toward other countries with a more progressive approach to governing cyber crime, ones which recognise the needs and requirements of the legitimate cyber security industry more than the UK regime does at present.
One country that sets such an example is the US. It is worth examining the differences between their system and our own to better understand how the UK Government could improve upon the status quo. In March of this year, the US Department of Justice (DOJ) published “Legal considerations when gathering online cyber threat intelligence and purchasing data from illicit sources”, responding directly to industry practitioners’ queries about cyber threat intelligence gathering efforts.
The DOJ acknowledges private sector providers’ concerns about operating in grey areas and undertakes to help establish the boundaries of criminal activities. UK efforts have, thus far, fallen short of such endeavours.
In addition, the DOJ offers clarity as to what does and does not constitute a clear violation of the Computer Fraud and Abuse Act (CFAA), the US equivalent of the UK’s Computer Misuse Act. In that vein, unauthorised access to dark market forums, whether via stolen credentials or by exploiting vulnerabilities, is deemed to break the law, whereas screen captures and other means that do not bypass security features are found not necessarily to violate the legislation.
Crucially, the DOJ appears to offer a definition of what constitutes legitimate cyber security activity, namely activity undertaken to “help others to identify and defend against cybersecurity threats”.
The DOJ takes a similarly forthright approach in setting out the challenges facing industry practitioners. It makes clear that investigators might be unable to readily distinguish between criminals and innocent parties engaged in intelligence gathering. The DOJ also acknowledges that the absence of criminal motivation or intent does play a role when assessing whether an activity was, indeed, illegal. By contrast, one of the shortcomings of the Computer Misuse Act in the UK is that it lacks the means to take account of actors’ motivations.
The DOJ also lays out a number of principles describing what good practice in cyber threat intelligence gathering looks like, to help providers establish the right mechanisms and processes to conduct their activities lawfully; many of these could serve as guiding principles for a future UK regime. They include: documenting operational plans for conducting intelligence gathering and keeping records of how information was gathered and used; and establishing trusted relationships with law enforcement and reporting intelligence to them promptly.
UK law-makers would do well to follow the lead taken by their counterparts across the pond.