Good faith hackers – they do exist

Cyber security investigations often mean carrying out tasks that, by the letter of the law (US or UK), are illegal – it is the nature of the job. In the United Kingdom we have two critical pieces of legislation that a cyber security consultant could fall foul of:

Computer Misuse Act 1990 (legislation.gov.uk)

Data Protection Act 2018 (legislation.gov.uk)

To carry out one of our training email phishing campaigns for a client, they have to sign a document in which we describe in detail the scope of the tests, the times and the software we will be using. We also specify the member of our team who will be running the tests, and I then oversee the project – we both sign. The client has to have two people sign, and one of them has to be a board member, a C-suite executive or the owner of the business. That takes care of the Computer Misuse Act. The Data Protection Act could be a problem, as we will be processing PII in a way that may contravene it – the client has to cover that.

There have been examples of investigators who have been accused of hacking – even arrested and prosecuted in some cases. Here is an example, although it worked out for the journalist – not so much for the Governor:

Here’s an amusing story about the Missouri State Governor – Smart Thinking Solutions

So it is good news that the United States government and law enforcement are going to examine the motive of hackers when they are caught, and that those who are acting in “good faith” will not be prosecuted, recognising the value of highly skilled investigators to everyone’s cyber security.

Justice Department softens enforcement of hacking law in ‘good faith’ cases – The Record by Recorded Future

US won’t prosecute ‘good faith’ security researchers • The Register

However, once technical people get hold of what the legislators say, they soon find the loopholes that non-technical people are blind to:

DOJ’s New CFAA Policy is a Good Start But Does Not Go Far Enough to Protect Security Researchers | Electronic Frontier Foundation (eff.org)

Clive Catton MSc (Cyber Security) – by-line and other articles