Eight years ago, Simon Whittaker, who leads cyber security at Belfast consultancy Instil, found himself facing a raid by the Police Service of Northern Ireland. The situation escalated because of a miscommunication rooted in the UK’s Computer Misuse Act from 1990. Simon recalls, “We were working with a client linked to an NHS Trust, showcasing their software. It picked up information from dark web sources and posted it on Pastebin.”
On May 9, 2017, that post, which included terms like “NHS” and “ransomware,” triggered alarms across various intelligence agencies. The National Crime Agency got involved, and a crisis unfolded while Simon and his family remained oblivious.
“We had eight officers at our door,” Simon explains. “It cost us around £3,000 in legal fees, all because of a few words online.” He emphasizes the absurdity: “They identified the smallest amount of evidence—evidence that wasn’t even evidence.”
The kicker? Those posts were flagged just days before the WannaCry ransomware attack wreaked havoc on the NHS.
Now, let’s dig into the Computer Misuse Act. It broadly defines the crime of unauthorized access to a computer. While that seems logical at first, it essentially criminalizes all hacking, including the necessary work of ethical hackers and security professionals. “It’s frustrating,” Simon says. “This legislation hasn’t kept pace with the realities of cybersecurity.”
He references a notorious hacking case from 1985 that spurred the CMA’s creation. Security writer Robert Schifreen hacked into the Duke of Edinburgh’s email account to highlight vulnerabilities, leading to the CMA’s formulation under the Thatcher government. Simon insists, “Back then, no one anticipated that ethical hacking would become a norm.”
Even today, the CMA doesn’t allow for legitimate research by cybersecurity experts. It forces them to tread carefully, balancing on the tightrope between legality and their mission. Simon shares another tale from Instil’s records: they discovered an open database leaking sensitive information from a major telecommunications provider. “We hesitated to report it, worried we’d be blamed,” he recalls. They sought legal help for a responsible disclosure, costing them even more.
In the early 2000s, Simon’s passion for cybersecurity ignited when he witnessed a brutal penetration test in Russia. “They dismantled our systems in no time,” he says. Now, his company, Instil, not only teaches organizations how to safeguard their systems but also strives to navigate the hazy boundaries set by the CMA. “We spend considerable time educating juniors about the law and the importance of staying within the lines.”
Despite the challenges, Simon envies security professionals in countries with looser regulations. “In the Baltics or the US, they can conduct research more freely,” he notes. “We want to do the same, but existing laws complicate matters.”
The CMA is due for reform, but progress has been slow, especially during the COVID-19 pandemic and political upheavals. Recent attempts to amend the law have faced government pushback. Ministers claim that changes might unintentionally expose the country to greater risks from cyber criminals.
For Simon, reform would transform the landscape for his practice. “It would allow us to delve deeper into our research and empower our teams to compete globally,” he asserts. “Ultimately, it’s about keeping the UK safe in a world of evolving cyber threats.”