Cyber Legal regime ‘not up to scratch’

Current laws do not enable a threat-led, cross government approach to cyber security

6 March 2020

The CyberUp campaign welcomes UK government departments’ acknowledgement of the need for clear legal guidance to facilitate embracing threat-led cyber security without falling foul of cyber crime laws, and calls on the government to make good on the suggestion that cyber security professionals need greater legal certainty by reforming the Computer Misuse Act.

The UK Home Office’s Digital, Data and Technology team has shared a number of cyber expertise documents that explore cutting-edge cyber capabilities to increase government departments’ cyber protections. These include threat intelligence, threat hunting and digital risk and intelligence capabilities.

The information and advice contained in the documents demonstrate the importance of cyber threat intelligence as an enabler for cyber defenders to enhance the security of their organisations.

The documents draw out the value of cyber threat intelligence in offering human observations regarding how a threat actor would, for example, infiltrate and attack a computer network. Being informed by a deeper understanding of the geopolitical and threat landscape clearly helps organisations understand who is most likely to attack them, and why and how they would do so.

In addition, the technical tools, including US-based infrastructure search engines such as Shodan and Censys, are seen as allowing cyber security analysts to check if their networks and systems include misconfigured or vulnerable servers or devices.

The documents also acknowledge that government departments must in no way break the Computer Misuse Act, and that their cyber threat intelligence functions must ensure that threat intelligence information is sourced using legal means.

But they also acknowledge that departments’ security teams are fearful of committing unlawful actions in carrying out their functions, particularly with regard to monitoring public domains, websites and platforms for threats, taking down sensitive documentation from dark web forums, or scraping social media websites for hostile reconnaissance activities. It is for this reason that the documents call for legal guidance to ensure departments are able to confidently, safely and lawfully monitor public domains, while being protected legally. 

CyberUp campaign spokesperson Ollie Whitehouse commented:

“The Home Office have correctly acknowledged the imperative that our nation’s cyber defenders and threat intelligence researchers have legal clarity and legal protections if they are to protect us all without fear of inadvertently breaking the law. This applies just as much to those threat intelligence researchers working in industry as it does to government officials.

“We have the opportunity to modernise the current legal regime and lead the world in this regard - we hope that the government will heed these calls and provide legal certainty by urgently bringing forward reforms to the badly outdated Computer Misuse Act 1990.”
