**Legal Protection for Ethical Hacking: Only the First Step**
The Computer Misuse Act has been in place for over 25 years, but it's only now that the UK government has decided to introduce changes to provide legal protection for ethical hacking. This is a welcome move, but it's just the beginning.
It all started 40 years ago when four young British hackers, armed with a ZX Spectrum, BBC Micro, and Tatung Einstein, launched a cross-platform attack on British Telecom's Prestel service over dial-up modems at 75 bits per second. The CPUs of those home computers barely used ten watts between them, yet that was enough to get the crew in a lot of hot water.
Many days in court later, it turned out that no hacking laws had actually been broken. There were no hacking laws to break. This incident highlighted the need for legislation, and in 1990, the Computer Misuse Act was passed. The CMA made it a crime to access or alter data on computers without permission.
However, at the time, there weren't many cybersecurity researchers to be legitimized. But as the World Wide Web began to take shape, it became clear that cybersecurity researchers needed the right to research. Once again, something had to be done. And now, 25 years later, the UK government has finally noticed the need for change.
Cybercrime has become a multibillion-dollar global industry, and ill-intentioned foreign powers are riddling industry and the state with binary bullet holes. It's time to let the good guys do what the bad guys have been doing all this time – only in a legal and ethical way.
But there's just one problem: there aren't enough cybersecurity researchers to go around. The ones already in the wild are fully occupied doing other things. Changing the law to let white hats test live infrastructure using the tools, times, and techniques of their choosing is absolutely necessary – but it's not enough.
Ethical hacking has to become a national obsession, or at least, a high-profile, high-status pursuit with an on-ramp that delivers affirmation as quickly as possible. The many-eyes model of open source code security has to apply to live infrastructure too.
This might sound like nightmare fuel for CISOs and frontline defenders, who could reasonably regard the encouragement of many thousands of new attackers as a vastly unwelcome extra burden. But in the same way that the Second Amendment of the US Constitution allows gun ownership as part of well-organized militias, the key part of any CMA changes has to be how legitimacy is defined.
For established career professionals, best practice, ethical codes, and a respected reputation among peers will do the trick. Likewise, those in appropriate formal education won't have problems if they behave themselves. But we need thousands more – that means telling everyone who may be up for it what ethical hacking is, providing accessible environments with the right mix of education and temptation, and making responsible use of those environments a condition of getting a badge to wear out in the real world.
Think of it as a learner's driving license – anyone can get one, and if you stick to the rules you're legitimate. The Prestel hackers were mischievous but ethical. Ignored and dismissed when they tried to report what they'd found, they turned up the heat until the headlines embarrassed the powers that be into action.
This won't create a cadre of superhackers overnight, although it will begin to fill that pipeline. It may not sound cheap until you compare it to a ransomware bill. And it may sound like extra work for under-funded, under-loved security teams – except that a hundred good guys hammering at your gates aren't attackers; they're there to lengthen the odds of the other lot getting in first.
More people of all roles will get experience of what bad security and good ethics look like. That's a much better place to make good security happen than where we are now. Let a thousand hacker clubs blossom in schools, in the workplace, in online spaces. Fill the socials with the message that it's legal, it's fun, and it can take you anywhere.
A white hat is smarter than a black hoodie. Spread the word.