Business IT defences at risk

Dual use tools are used by both security professionals and hackers

UK businesses’ ability to protect themselves against cyber attacks is under threat from legal changes criminalising key aspects of legitimate security research.

Legislation designed to crack down on the proliferation of hacking tools on the internet could penalise reputable companies hired to test the efficacy of firms’ IT defences.

And guidelines issued by the Crown Prosecution Service (CPS) last week to reassure the nervous industry have only confused the issue further, according to security experts.

The CPS guidance is badly phrased and wrongly targeted, Cambridge University Computer Laboratory researcher Richard Clayton told Computing.

“The politicians don’t understand how complicated this area is,” he said. “The document is not useless, but it has not calmed the industry ­ there are still a lot of twitchy people out there.”

Security research is traditionally published in an open-source model ­ creating “dual use” tools that can be used by either professional security researchers or criminal hackers.

Simply outlawing distribution will limit firms’ ability to protect themselves, according to Paul Vlassidis, head of security testing company NCC Group.

“The more research that is out there, the more effectively my team can do their job,” he said.

“If we have to divert large amounts of our resources into doing all the research ourselves, it will put prices up and make us less effective.”

The amendments to the 1990 Computer Misuse Act, due to come into force in April as part of the Police and Justice Act, are designed to bring the UK into line with an international cyber crime treaty signed in 2001.

The government is taking the wrong approach, said Peter Sommer, IT security expert and London School of Economics research fellow.

“The danger all along has been that UK businesses’ security will be at risk because researchers can’t do their jobs properly,” he said. “The government could have satisfied the treaty in better ways.”

Criminalising distribution was always going to cause problems, said Lord Erroll, a member of the House of Lords committee on personal internet security.

“It was perhaps foolhardy to go down this route ­ I don’t think the guidance has cleared up some areas at all,” he said.