New Research: legitimate cyber security activities in the 21st Century
A new piece of work by the CyberUp Campaign released today establishes the current expert consensus of what should constitute legitimate cyber security activity under a reformed UK Computer Misuse Act.
The key findings of the report:
Through consultation with industry experts, the report establishes the set of activities which are seen as legitimate instances of unauthorised access – and therefore ought to be legal under a reformed Computer Misuse Act. These include: proportionate threat intelligence; responsible vulnerability research and disclosure; active scanning; enumeration; use of open directory listings; identification; and honeypots.
The report also outlines the consensus on illegitimate forms of unauthorised access, which include: hack back, distributed denial-of-service attacks, and breaking into the critical national infrastructure, among others.
Finally, the report establishes that techniques best described as ‘active defence’ still represent a grey area and will require further discussion as the Home Office prepares to respond to the review of the Act and set out next steps towards a potential policy change.
The CyberUp Campaign has been advocating for the inclusion of a statutory defence in the Computer Misuse Act since 2019. Building on CyberUp’s Defence Framework, the consensus outlined in the report published today shows how a statutory defence can operate in practice. Crucially, it highlights that it will not open up a ‘Wild West’ of cyber vigilantism. Instead, by reforming the Computer Misuse Act to make defensible the activities outlined in the report, the CyberUp Campaign argues the Government can enable a swathe of benefits, including improved cyber resilience of the nation and its allies and accelerated growth of the UK’s domestic cyber security sector.