Private sector and police aggression towards hackers is forcing bug hunters to operate outside the law, according to former LulzSec hacker Mustafa Al-Bassam.
Al-Bassam argued during a discussion at the Innotech 2014 Summit that UK laws regarding vulnerability disclosures are misguided, and only protect firms from public shaming and do little to bolster the nation’s cyber security.
“The law is disproportionate. The law does a lot to punish hackers. At the moment I think companies ultimately need to be held responsible for poor security,” he said.
“At the moment if a hacker finds a bug and discloses it or contacts the company they can be prosecuted.
“A lot of security researchers are living in fear because of the way the law is right now. The law should not be designed to punish people that are trying to help.”
Al-Bassam was a member of the infamous LulzSec team that went on a ‘50 days of Lulz’ hacking spree in 2011 and 2012.
LulzSec members mounted cyber attacks against numerous government and private sector targets, including the UK Serious Organised Crime Agency (now the National Crime Agency), the FBI and News International.
Al-Bassam said the legal issues hampering bug hunters’ efforts are exacerbated by an overly aggressive approach to cyber crime by UK law enforcement.
“I think the atmosphere that exists within policing is a problem. I felt in my case the police were more motivated by getting a result than what’s good for the world. They called us cutting-edge cyber criminals,” he said.
“I felt they were trying to improve their career, and they have. A lot of the people handling my case are in MI5 now.
“They just wanted to get a conviction, throw some people in jail and further their career. They weren’t thinking about what was good for the world.”
The former LulzSec hacker said that organisations should follow the example of technology companies such as Twitter, Facebook and Microsoft and launch bug bounty programmes.
“If a company has a bug bounty programme they’ll pay for it. Companies need to have a responsibility to protect customers and they need a programme [like this] in place so security researchers can submit a bug without fear,” he said.
Speaking at the same summit, legal expert Alex Carlile QC said that the law has moved on since LulzSec’s operations.
“To be prosecuted it has to decide if there’s a crime and it’s in the public interest to prosecute. There’s been a change in the ideas around this in recent years,” he said.
“Take a charity site, for example. If it was found people could steal from the website or compromise user data, I’d be surprised if it was decided it is in the public interest to prosecute.
“I think companies should be happy they were hacked by LulzSec not the Chinese government. That said, we have to be careful about this issue.”
Carlile conceded that more work must be done by the public and private sectors to improve UK cyber security.
“I’ve worked for the current and former government on this [collaboration between the public and private sector] and both have found it very difficult,” he said.
“[Companies] and the government need to talk to each other, to share each other’s talents in order to help serve what is in the public’s interest.”
Increasing collaboration between the public and private sectors has been a goal of governments and law enforcement agencies across the world for the past three years.