The UK Finally Starts Reforming Its 'Computer Misuse Act' (computerweekly.com) 20
Computer Weekly reports on "the long-awaited reform of Britain's outdated Computer Misuse Act of 1990 — which has hamstrung the work of the nation's cyber security professionals and researchers for years."
The Computer Misuse Act was passed 35 years ago in response to a high-profile hacking incident involving no less than the King's father, the late Duke of Edinburgh. It defined the offence of unauthorised access to a computer — which has been used successfully in countless cyber crime prosecutions over the years. However, as the cyber security landscape has developed into its current form, this language has become increasingly vague and for some years now, a growing number of bona fide security professionals have been arguing that it potentially criminalises their work because from time to time, they may need to gain covert access to IT systems in the course of legitimate research.
Speaking to Computer Weekly in 2025, Belfast-based security consultant Simon Whittaker described how the police showed up at his front door after his research was erroneously implicated in the infamous WannaCry incident of 2017... Sabeen Malik, vice-president for global government affairs and public policy at Rapid7, added: "As AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed — activities the 1990 Computer Misuse Act's broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing."
The reforms are part of a new bill that's "enhancing the powers available to law enforcement and the security services," according to the article. It points out that the U.K. government also intends "to create a Cyber Crime Risk Order that can be applied to control the behaviour of cyber criminals, and new abilities to search people believed to be concealing evidence on behalf of suspected offenders."
It's all part of a proposed bill "designed to make the UK a harder target for hostile foreign states and other dangerous groups to attack."
The Computer Misuse Act was passed 35 years ago in response to a high-profile hacking incident involving no less than the King's father, the late Duke of Edinburgh. It defined the offence of unauthorised access to a computer — which has been used successfully in countless cyber crime prosecutions over the years. However, as the cyber security landscape has developed into its current form, this language has become increasingly vague and for some years now, a growing number of bona fide security professionals have been arguing that it potentially criminalises their work because from time to time, they may need to gain covert access to IT systems in the course of legitimate research.
Speaking to Computer Weekly in 2025, Belfast-based security consultant Simon Whittaker described how the police showed up at his front door after his research was erroneously implicated in the infamous WannaCry incident of 2017... Sabeen Malik, vice-president for global government affairs and public policy at Rapid7, added: "As AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed — activities the 1990 Computer Misuse Act's broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing."
The reforms are part of a new bill that's "enhancing the powers available to law enforcement and the security services," according to the article. It points out that the U.K. government also intends "to create a Cyber Crime Risk Order that can be applied to control the behaviour of cyber criminals, and new abilities to search people believed to be concealing evidence on behalf of suspected offenders."
It's all part of a proposed bill "designed to make the UK a harder target for hostile foreign states and other dangerous groups to attack."
Confused by the summary (Score:4, Informative)
Re: (Score:2)
Considering the number of cases due to the Malicious Communications Act, weaponised for hurty words (12000 and counting), which one is more likely?
Re: Confused by the summary (Score:3)
Re: (Score:1)
The quote is particularly ridiculous, if companies want to make those red-team activities legal under the current law, they can just... authorize them.
Re: (Score:2)
this!
Re: (Score:2)
Re: (Score:3)
how is that covert...
It is if your CIO signs a contract but does not inform you video-game-playing, porn-downloading on company time admins.
Re: (Score:2)
and the other 2...
Scanning your little corner of the Internet is legal if your CIO authorizes it.
It would be best if you cease shit-posting on Slashdot from your company workstation.
Re: (Score:2, Interesting)
Much of the problem could be fixed if the police simply learned not to do what the computer tells them, and think it through first.
Re: (Score:2)
Much of the problem could be fixed if the police simply learned not to do what the computer tells them, and think it through first.
I think you're asking a lot from PC Plod. Thinking, that is.
what about HUGE datacenters? (Score:2, Interesting)
wait, what? (Score:2)
"... and new abilities to search people believed to be concealing evidence on behalf of suspected offenders."
Dystopia, we are here.
I am no alarmest (Score:1)
Re: (Score:1)