Act will penalise the good guys

Proposed cyber crime laws are unsatisfactory and unhelpful

The last opportunity for mitigating the unintended consequences of incoming cyber crime laws has been squandered.

When the Police and Justice Act goes through in April, it will in all likelihood include clauses criminalising the distribution of hacking tools. And the Crown Prosecution Service guidance, which was designed to explain to the jittery ethical hacking industry how the updated law would avoid penalising a core part of their business, has signally failed to do so.

Pressure to address cyber crime is mounting. Electronic fraud alone is costing the UK more than £1bn per year and rising. And warnings from MI5 in December that the Chinese army is conducting wholesale cyber espionage against UK companies underline the scale of potential threats.

In such a context, there is no question that laws must be kept up to date. And it is a genuine challenge to balance the need for restrictions to be made at the level of principle, so as to remain relevant, without putting too much responsibility for interpretation on non-expert judges and juries.

But the proposals now sadly likely to take effect are unsatisfactory and unhelpful.
Not all the cyber crime-related aspects of the proposed legislation should be dropped – much-needed laws against denial of service attacks are also part of the package.

But the government should not allow its lack of technical understanding to tip the balance in the contest between right and wrong.

The ethical hacking industry has grown up specifically because it can be hard for businesses to assess the efficacy of IT security measures without expert testing. And by using widely available tools and sharing all relevant research, the industry keeps as up to date as the crooks.

By criminalising the distribution of online hacking tools, the government is putting the good guys at a major disadvantage. The Police and Justice Act plans may do more harm than good.