Britain’s computer users are at greater risk of cyber-attack because “outdated” laws mean investigators are required to ask criminals and rogue states for permission to interrogate their systems.
Leaders of Britain’s multi-billion-pound tech industry have today (Mon) written to Boris Johnson urging him to rewrite the 30-year-old Computer Misuse Act to provide tech firms with legal cover to help GCHQ and other Government agencies counter cyber attacks.
They say the “outdated” law was designed to protect telephone exchanges when only one in 200 (0.5 per cent) of people and has now been overtaken by highly sophisticated cyber criminals who are running rings round investigators who have “one arm tied behind their backs.”
There are 4.6 million online crime incidents every year, mainly related to fraud but also including malware, hacking and sophisticated attacks by organised crime or rogue nations.
They cite Section One of the Act, which prohibits unauthorised access to any program or data held in any computer, and which they say “inadvertently criminalises a large proportion of modern cyber defence practices.”
“With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims’ and criminals’ systems to lessen the impact of attacks and prevent future incidents,” says the letter.
“In these cases, criminals are obviously very unlikely to explicitly authorise such access.
“The Computer Misuse Act prevents thousands of UK threat intelligence researchers from carrying out research to detect malicious cyber activity and prevent harm and disruption to organisations and citizens alike.”
They say countries like the US and France have more “liberal” regimes where people’s privacy is maintained but there are legal defences to enable investigators to interrogate the computers of criminals and rogue states’ cyber hackers.
This not only helps protect ordinary computer users who may become victims but also gives the other countries a competitive advantage, which the industry claims could cost the UK an extra 4,000 jobs by 2023.
The signatories include 20 of the world’s biggest cyber security firms as well as not-for-profit bodies that work with GCHQ and other state agencies.
Ollie Whitehouse, chief technology officer with the NCC Group, a leading multinational cyber security firm, said the industry was not seeking an offensive capability to “hack back” but simply to be able to “swim upstream” and interact with the criminals’ computers.
“It’s not about getting inside, it’s the ability to look through their shop window and ask those systems some questions to elicit information as to whether there are other victims, how their wider operation is working and any linkage to any other activity,” he said.
The industry is proposing that there would be a certification process which would mean only affiliated organisations would be covered by any legal defence allowing access and only if it could be shown to be in the public interest.
All member firms would have to abide by a legally enforced code of conduct, would have to keep logs of all activity which would be open to inspection