Legal protection for ethical hacking under Computer Misuse Act is only the first step
I'm dreaming of a white hat mass
by Rupert Goodwins · The Register

Opinion

It was 40 years ago that four young British hackers set about changing the law, although they didn't know it at the time. It was a cross-platform attack including a ZX Spectrum, a BBC Micro, and a Tatung Einstein slamming British Telecom's Prestel service over dial-up modems at 75 bits per second.
The CPUs of those home computers barely used ten watts between them, yet that was enough to get the crew in a lot of hot water. Many days in court later, it turned out that no hacking laws had actually been broken. There were no hacking laws to break. Something must be done.
In 1990, after a few false starts, something was done. The Computer Misuse Act was passed, and not a moment too soon. Computers now had processors that could warm a cup of tea, modems could skip along at 9,600 bps, and Tim Berners-Lee had just invented the World Wide Web to give tea drinkers something to do online. The CMA made it a crime to access or alter data on computers without permission. There were no exemptions for legitimate cybersecurity researchers, because there weren't many cybersecurity researchers to be legitimized.
However, the Prestel hack had prompted some far-sighted British institutions like the University of Strathclyde to start degrees in computer security. The first graduates were well into their early careers. As Berners-Lee's monstrous child started turning all to data before it, it became clear that cybersecurity researchers needed the right to research. Once again, something must be done.
Moore's Law does not apply to actual laws, alas. It's taken the UK government until now to get around to kicking off the requisite changes. It has finally noticed that in the past 25 years, cybercrime has become a multibillion-dollar global industry, ill-intentioned foreign powers are riddling industry and the state with binary bullet holes, and letting the good guys do what the bad guys have been doing all this time isn't the dumbest of ideas. God bless the United Kingdom's lawmakers.
There's just one problem. There aren't enough cybersecurity researchers to go around. The ones already in the wild are fully occupied doing other things. Changing the law to let white hats test live infrastructure using the tools, times, and techniques of their choosing is absolutely necessary, and it's absolutely not enough. Ethical hacking has to become a national obsession – or at least, a high-profile, high-status pursuit with an on-ramp that delivers affirmation as quickly as possible. The many-eyes model of open source code security has to apply to live infrastructure too.
This might sound like nightmare fuel for CISOs and frontline defenders, who could reasonably regard the encouragement of many thousands of new attackers as a vastly unwelcome extra burden. But in the same way that the Second Amendment of the US Constitution allows gun ownership as part of well-organized militias, the key part of any CMA changes has to be how legitimacy is defined. For established career professionals, best practice, ethical codes, and a respected reputation among peers will do the trick. Likewise, those in appropriate formal education won't have problems if they behave themselves. We need thousands more.
That means telling everyone who may be up for it what ethical hacking is, providing accessible environments with the right mix of education and temptation, and making responsible use of that a condition of getting a badge to wear out in the real world. TryHackMe mixed with GalaxyZoo, but instead of crowdsourcing inspection of actual galaxies in the cosmos, doing it for actual organizations on the internet. Yes, you have a verified account. Yes, you will be logged. Yes, you will get a bounty payment if you get in. Think of it as a learner's driving license – anyone can get one, and if you stick to the rules you're legitimate.
The Prestel hackers were mischievous but ethical. Ignored and dismissed when they tried to report what they'd found, they turned up the heat until the headlines embarrassed the powers that be into action. Not great action, but 40 years is long enough to get the fine-tuning right, and to start making the most of it.
This won't create a cadre of superhackers overnight, although it will begin to fill that pipeline. It may not sound cheap until you compare it to a ransomware bill. It may sound like extra work for under-funded, under-loved security teams, except that a hundred good guys hammering at your gates aren't attackers. They're there to lengthen the odds of the other lot getting in first. Plus, and this may be the biggest plus of all, it means more people in all roles getting experience of what bad security and good ethics look like. That's a much better place to make good security happen than where we are now.
Let a thousand hacker clubs blossom in schools, in the workplace, in online spaces. Fill the socials with the message that it's legal, it's fun, and it can take you anywhere. Unlike guns and cars, you can't directly kill anyone by mistake. A white hat is smarter than a black hoodie. Spread the word. ®