The pioneering crowdsourced cybersecurity platform provider believes increased publicity for the consultation is necessary to engage the full spectrum of views
Bugcrowd, operator of the world’s leading crowdsourced cybersecurity platform, today called on independent cybersecurity researchers, customers of crowdsourced cybersecurity, and cybersecurity defenders at large to contribute their views to the UK Government’s consultation on the Computer Misuse Act 1990. The deadline for submissions is less than two weeks away, but it’s unclear whether sufficient interested parties have contributed to ensure the UK Government can conduct a fully informed review.
Among a number of issues, respondents to the consultation are invited to comment on the potential of a statutory legal defence for hacking, if such activities had good-faith/benevolent motives. This move would mirror the USA’s reforms to charging rules under its Computer Fraud and Abuse Act. The Home Office has already indicated that such a legal defence could “advance our whole of society approach to cyber security”, but is simultaneously wary of the potential for unintended consequences.
Bugcrowd founder Casey Ellis is leading Bugcrowd’s response to the UK Government’s consultation. He said: “Poor legal protection for ethical hackers could have the chilling effect whereby those who could contribute to making the Internet a safer place become afraid to do so. In Bugcrowd’s view, the UK needs to think along the same lines as the United States, which has clarified protection for legitimate security research activities via an important Supreme Court ruling and a clear DOJ commitment not to prosecute good-faith security researchers.
“To be even clearer: people build software, people make mistakes, and mistakes create vulnerabilities. Amid the rapid acceleration of technology and the massive, ongoing, worldwide shortage of skilled cybersecurity professionals, Bugcrowd wants organisations and law enforcement to remain able to benefit from ‘Neighbourhood watch for the Internet’ by decriminalising and encouraging anyone from the ethical hacking community to assist. Those ethical, well-meaning and responsible researchers should not be put in a position where they may be at risk of legal jeopardy,” he added.
In May 2021, the Home Secretary announced a review of the Computer Misuse Act (CMA). The first step in the review was a public call for information seeking the views of stakeholders and the wider public, to identify and understand whether there is activity causing harm in the area covered by the CMA that is not adequately addressed by the current offences. The consultation closes on April 6th 2023, and submissions can be made via email or in writing to the addresses on the Government’s consultation web page.
Bugcrowd is contributing to the consultation as part of two industry groups, the Cybersecurity Policy Working Group (CPWG) and the Hacker Policy Coalition. Both these organisations will be making submissions to the consultation reflecting the views of their respective members.
“Nonetheless, it’s still important that as many individuals and organisations as possible have their say on this,” said Bugcrowd’s Ellis. “The UK needs a revised Act that not only better defines the difference between the activities of malicious attackers who have no intent to obey the law in the first place, and those who hack in good faith, discovering and disclosing vulnerabilities so they can be addressed before they are exploited.”