Cyber security investigations often mean carrying out tasks that, by the letter of the law (US or UK), are illegal – it is the nature of the job. In the United Kingdom we have two critical pieces of legislation that a cyber security consultant could fall foul of:
Computer Misuse Act 1990 (legislation.gov.uk)
Data Protection Act 2018 (legislation.gov.uk)
To carry out one of our training email phishing campaigns for a client, they have to sign a document in which we describe in detail the scope of the tests, the times and the software we will be using. We also specify the member of our team who will be running the tests, and I then oversee the project – we both sign. The client has to have two people sign, and one of them has to be a board member, a C-suite executive or the owner of the business. That takes care of the Computer Misuse Act. The Data Protection Act could be a problem, as we will be processing PII in a way that may contravene it – the client has to cover that.
There have been examples of investigators who have been accused of hacking – even arrested and prosecuted in some cases. Here is an example, although it worked out for the journalist – not so much for the Governor:
Here’s an amusing story about the Missouri State Governor – Smart Thinking Solutions
So it is good news that the United States government and law enforcement are going to examine the motive of hackers when they are caught, and those who are acting in “good faith” will not be prosecuted. This recognises the value of highly skilled investigators to everyone’s cyber security.
US won’t prosecute ‘good faith’ security researchers • The Register
However, once technical people get hold of what the legislators say, they soon find the loopholes that non-technical people are blind to:
Clive Catton MSc (Cyber Security) – by-line and other articles