Simon Whittaker, head of cyber security at Instil, a Belfast-based consulting firm, narrowly avoided, eight years ago, having the Police Service of Northern Ireland smash in his front door (see photo of the warrant below), and was spared an expensive repair bill only because a family member was home at the time. Whittaker, a cyber security expert, was the innocent victim of a miscommunication that arose when his work collided with the UK's Computer Misuse Act of 1990, legislation that seems reasonable at first glance.
He explains: "What happened was that we were working on a client's software demonstration for an NHS Trust. Their software collected information from dark web sources and posted it on Pastebin."
The accidental act was enough for the British intelligence apparatus to raise the alarm. The National Crime Agency (NCA) got involved. Emails whizzed across the Atlantic to the Americans. Whittaker's family was unaware that a crisis had developed.
An undated PSNI warrant
Whittaker says: "We had eight coppers at our front door and many people were very upset. It cost about £3,000 in legal fees when all it was was a few words posted on Pastebin.
"We talk about using a 'sledgehammer' to crack a nut. But it's accurate insofar as they identified the smallest amount of evidence – which wasn't evidence, because nothing had happened – but it was enough."
What's the punchline? The posts were discovered on Friday 12 May, as part of an investigation into the WannaCry attacks that caused chaos in the NHS. Whittaker's house was raided the following Monday.
A screenshot of the Pastebin message
Security theater
What is the CMA, and how did it nearly land Whittaker in the nick? It's an important question, relating not only to Whittaker's unpleasant experience but also to broader issues of legal overreach and government inertia, and to the ability of Britain's burgeoning cyber security economy to function at its full potential.
Indeed, the CyberUp campaign to reform the CMA estimates that UK security firms lose billions of pounds every year because of the CMA's constraining effect.
The CMA defines the broad offence of unauthorised access to a computer. That is hard to argue with, since it makes cyber crime illegal. In its broadest application, however, the offence makes all hacking illegal. It is therefore woefully out of date, because it fails to take into account the fact that legitimate security professionals and ethical hackers must sometimes access a computer without authorisation in order to do their job.
Whittaker says it's frustrating that a piece of legislation has been around for so long, but notes that it was brought in originally because there wasn't any legislation at all.
This was the response of the Thatcher government. Thirty-five years later, the offence of unauthorised access to a computer has become the focus of a five-year campaign led by the CyberUp Group and supported in Parliament by, among others, Lord Chris Holmes. Whittaker says that in 1990 it was clearly impossible to predict that such research would fall under information security.
No one expected that people would be open to bug bounties, or to having their IT investigated and researched. "I don't believe anyone back then realised that this would be a thing. And if you look closely at the CMA's underlying message, which is 'Don't touch other people's stuff', it makes sense," he says.
"But the CMA does not allow for any research, or any understanding of the fact that there are cyber professionals whose job is to break things in order to keep the nation safe and organisations secure," he says.
Whittaker says that the CMA was a very broad piece of legislation. "The idea that it is still there after all these years, and hasn't been adapted to the changes that we've seen in the 20 or 25 years that I've worked in the industry, seems quite bizarre.
"The legislation surrounding murder, the Offences against the Person Act, hasn't been changed since 1861. It's not as if the crime of murder has changed a lot since 1861. However, the computing world has changed a lot since 1990."
A hand tied behind our backs
The CMA forces security professionals in the UK to operate with one eye on the letter of the law and one hand behind their backs. Whittaker tells another story from Instil's archive. "We looked at Shodan and identified that there was an open Elasticsearch bucket which was dropping credentials for an extremely large mobile and fixed-line provider from Spain.
He says that every time a new order was received, the data would be dropped into this bucket, which then contained names, addresses, phone numbers, bank details and other really interesting information.
"We were very worried about reporting this. We were worried that we would be blamed for finding it. Why did you look? What were you doing at the time? What was going on? We asked our lawyers to assist us in making a responsible disclosure.
"We did it privately; we never told anyone about it. But we spoke to the organisation and they were very grateful. The CISO of the organisation was very understanding, but it cost us around two grand in legal costs to be able to do it."
Pentesting within the law’s limits
Let's go back to the early 2000s, when Whittaker was working in software development and caught the cyber bug. A job sent him to Russia after an acquisition.
"The Russians asked, 'Have you ever had a security or pen test?' We replied, 'No, but don't worry, we're very good at this stuff', and within 20 seconds they had torn us to pieces in multiple ways. I was watching the test and I thought, 'That's so awesome, how do you do that?'"
"The amendment will allow us to compete, and protect ourselves and our citizenry, in a better way." Simon Whittaker, Instil
Twenty years on, Whittaker's company, originally Vertical Structure and now merging with Instil, is a Crest-accredited penetration tester and is certified by the National Cyber Security Centre as a Cyber Essentials certifying body and an approved Cyber Essentials service provider.
"We teach people how to break things. We teach people how to break into their systems," he explains. They teach people how to break into their own cloud infrastructure and how to model threats, so that they can begin to understand how to think about threats.
In practice, Whittaker and his staff are teaching people things that a judge could argue are against the CMA in some shape or form. So, in addition to observing the legalities himself, Whittaker is very careful to educate his clients about the law and about the limits of the CMA when they come up against them.
Whittaker says: "The papers have to be signed and the scope must be agreed upon. When we teach juniors, we probably spend half a day going through the CMA, explaining to them how nervous they should be about these things, and making sure they're aware of it.
"It is definitely on our minds. If there is a breach of scope, you stop. You contact the customer and say: 'Listen, we've scanned a lot of IPs, we've done this and we've also done that.' You talk to the client about this regularly. We would rather pull back from the project than risk hitting a third party when we are pen testing."
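The scope discipline Whittaker describes, agreed in writing and checked before a single host is touched, can be enforced mechanically. The following is an added example, not Instil's tooling: the agreed ranges, a carve-out for third-party-hosted systems, and the target list are constructed sample values using RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Scope:
    """Authorised address ranges from the signed engagement paperwork,
    plus ranges the client has carved out (e.g. hosts run by a third party)."""
    allowed: list
    excluded: list

    @classmethod
    def from_strings(cls, allowed, excluded=()):
        return cls(
            [ipaddress.ip_network(a, strict=False) for a in allowed],
            [ipaddress.ip_network(e, strict=False) for e in excluded],
        )

    def permits(self, target: str) -> bool:
        """A target is in scope only if it sits in an allowed range
        and in none of the excluded ranges."""
        addr = ipaddress.ip_address(target)
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.allowed)


def check_targets(scope: Scope, targets):
    """Split a candidate target list into in-scope and out-of-scope hosts."""
    in_scope, out_of_scope = [], []
    for t in targets:
        (in_scope if scope.permits(t) else out_of_scope).append(t)
    return in_scope, out_of_scope


def gate(scope: Scope, targets):
    """Return the targets to proceed with, or refuse outright if any host
    falls outside the agreed scope: stop, then contact the client."""
    ok, bad = check_targets(scope, targets)
    if bad:
        raise PermissionError(f"out of scope, stop and contact the client: {bad}")
    return ok


# Constructed sample engagement: one /24 plus a single host are authorised;
# a small block inside the /24 is hosted by a third party and carved out.
SAMPLE_SCOPE = Scope.from_strings(
    allowed=["203.0.113.0/24", "198.51.100.10"],
    excluded=["203.0.113.200/30"],
)
SAMPLE_TARGETS = ["203.0.113.5", "203.0.113.201", "192.0.2.7", "198.51.100.10"]
```

Running `gate(SAMPLE_SCOPE, SAMPLE_TARGETS)` refuses the whole list because two hosts are outside the paperwork, which is the "stop and contact the customer" point in the quote above.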
Whittaker looks, perhaps a little wistfully, at the work done by security researchers in larger US or Israeli security organisations, which have some leeway in such matters, or at the work done in more lenient countries such as the Baltic states, where the cyber research wings of prominent virtual private network providers produce large volumes of research on consumer technology flaws.
"You hear stories, for example, about broadband provider X sending out this box which is rubbish and could be accessed remotely." He says that he could hack into all of these things, but he can't do the research in an official, responsible way, because if he did, a lawsuit or an arrest could be the result.
"It's frustrating for smaller organisations like ourselves. We want to be in a position to do this kind of research. We want to be able to help. We want to provide this information. But it's a very complicated situation."
What would reforming the CMA mean to you?
The Computer Misuse Act is due to be reformed as part of a larger Home Office review. However, progress has been shaky at best and has stalled several times, because of the Covid-19 pandemic and the successive collapses of the Liz Truss and Boris Johnson governments.
"This is frustrating for smaller organisations like us. We want to be in a position to do this research. We want to help. We want to be in a position to provide this information. But [the law makes it] complicated." Simon Whittaker, Instil
Fast forward to 2024 and a new Labour government, and the situation seemed to be improving. However, in December 2024 the government rejected attempts by Lord Holmes and others to amend the Data (Access and Use) Bill to introduce a statutory defence for cyber professionals. Baroness Margaret Jones, under-secretary at the Department for Science, Innovation and Technology (DSIT), said that reform was a complicated issue.
While the government is looking at ways to improve defences, Jones said there is still no consensus within the industry on how to achieve this, and that this is holding back the process.
Science minister Patrick Vallance spoke out after the police raised concerns that cyber criminals could access systems without authorisation on the pretext of identifying weaknesses.
The minister said that the introduction of these amendments could unintentionally increase the risk to UK cyber security, not least because they would create a loophole that cyber criminals could use to defend themselves from prosecution. The campaigners want things to move faster. Whittaker says that reform would make a difference to his security practice.
"It would allow us to do more security research. I'd like to be able to look at things more closely and help people protect themselves. We could focus on our work instead of worrying about a breach or something else going wrong." He says it would be a big step up from what we see now – the ability to perform in an effective way.
"We are only trying to give our teams, and the experts we have in Belfast and across the country, the ability to compete on a worldwide scale," he concludes. "If the amendment is passed, we will be able to compete, and protect ourselves and our citizens, in a better way."
Isn't it more important to keep the UK safe from ever-changing and ever-expanding threats than to enforce an outdated definition of illegal hacking, when cyber criminals all over the world know full well that they're breaking the law and don't care?