UK Computer Misuse Act reformers visit Parliament

Infosec researcher Rob Dyke, best known to Reg readers for fending off legal threats from not-for-profit open-source foundation Apperta after finding a data breach, has visited Parliament to demand Computer Misuse Act reform.

Dyke, an open-source security researcher, was threatened by the Apperta Foundation with High Court and criminal legal action after he discovered that some of the organisation’s data was publicly available on GitHub.

Speaking to The Register today, Dyke said: “The Home Office is still sitting on the consultation they opened nearly 10 months ago. It would have been lovely to see some drafts or summaries from that so the conversation could carry on.”

Yesterday he visited Parliament, meeting around a dozen MPs including former Conservative minister Esther McVey, now a backbencher, and Labour’s shadow security minister Holly Lynch.

Esther McVey poses with Rob Dyke for Cyberup

Esther McVey (left) poses with Cyberup spokesman Rob Dyke inside Parliament

Dyke and leading members of the Cyberup campaign also visited 10 Downing Street to hand in a letter signed by MPs demanding faster reform of the Act.

The security researcher’s highly eventful attempt at vulnerability disclosure to Apperta last year resulted in him having to spend £25,000 to see off the open-source org’s legal threats, though a crowdfunding campaign helped with the bulk of his legal fees.

“I have been heartened, though, by the generosity of the cybersecurity community, who rallied around me and helped me pay my legal bills,” commented Dyke. “I think they know that it could have been any one of them that was put in this situation.”

The Cyberup campaign, the NCC Group-sponsored industry effort to reform the Computer Misuse Act, highlighted Dyke’s travails and said that vulnerability disclosure policies “have no basis in law.” This, said Cyberup in a statement, meant that organisations could “on a whim decide to pursue legal proceedings against innocent cyber security professionals.”

Dyke told us: “The legal threats and phone calls from the police amounted to a harrowing ordeal which has taken an enormous toll on me and my family. I couldn’t sleep. I ate too little. I lost weight. I took time off work. The anxiety and stress I was feeling of course had a terrible impact on those around me.”

As well as threatening ruinously expensive High Court action against Dyke, Apperta also reported him to Northumbria Police claiming he had committed a crime under the Computer Misuse Act. The police subsequently shrugged their shoulders and left the two sides to it.

Cyberup is calling for the Computer Misuse Act to be amended and include a statutory defence “that would offer good faith cyber security researchers a legal basis to defend their actions against frivolous legal threats.”

Big industry companies including F-Secure support the campaign, while smaller firms and independent researchers have expressed fears to The Register that any legal changes would benefit the big entities rather than the entire industry.

Other critics, speaking privately for fear of losing business and job opportunities in the UK’s close-knit infosec industry, worry that a new legal defence might hinge on membership of some future registration scheme. Such a scheme was floated by the government-controlled UK Cyber Security Council earlier this year; at present, you don’t need to be registered or licensed to work in cybersecurity (but good luck if you have neither industry certifications nor demonstrable skills).

Government wants to see the UK cybersecurity profession coming under greater central control, under the guise of driving up standards and introducing a UK-specific infosec certification and qualification framework.

Ruth Edwards MP said in a Cyberup statement that she supported CMA reform: “I applaud Rob for speaking out about his experience – it shines a light on what I am sure many others have gone through. It is time that we reformed the Computer Misuse Act and I will be taking this up further with ministers.”

Kat Sommer, NCC Group’s head of public affairs, added: “The Act – written in 1990 – didn’t foresee the birth of the cybersecurity profession, and therefore leaves ethical cybersecurity researchers like Rob in the lurch as to whether or not they will be prosecuted simply for doing their jobs.”

Conservative Party pledges to reform the CMA have petered out into nothingness over the past year. A cynic might suspect that reforms with support from both the ruling party and its Labour opposition is being banked until the next general election. ®

READ MORE HERE