Strap in for a thrilling ride of legal terms and jargon! Legal stuff is certainly not the reason most red teamers perform assessments, but it is a vital part of the role. I’ve wanted to learn more about the actual legal requirements behind we do certain things such as Rules of Engagement, so hopefully this will save some of the pain for others who are interested.

As with anything legal – this post is not official guidance and always do your own research!

Table of Contents

Computer Misuse Act (CMA)

The Computer Misuse Act 1990, or CMA, covers a range of legal areas, and is closely related to the Data Protection Act (DPA), which concerns the usage and protection of data. In this post I will try and summarise what the CMA is, what it covers and the potential impacts.

The Crown Prosecution Service (CPS) has a great guide on this, which is well worth reading.

Definitions

The CMA doesn’t define what a computer is, due to the potential for this to rapidly change. Therefore it is considered as a device which can ‘store, process or retrieve information’.

A ‘Computer System’ is any “device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data”. ‘Computer Data’ is any “representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.”

The DPA defines personal data as any information relating to an identified or identifiable living individual.

Jurisdiction

Under section 4 of the CMA, liability for offences under sections 1, 3 or 3ZA requires proof of at least one ‘significant link’ with the ‘home country’ concerned (i.e. England and Wales). Notably this isn’t impacted if:

The accused isn’t in the home country at the time of the offence
The target of the CMA offence (e.g. the compromise host) isn’t in the home country
The technological activity which has facilitated the offending may have passed through a server based in the home country

Therefore, if someone commits a crime under Sections 1, 3 or 3ZA whilst in a foreign country, they may still be liable for prosecution within the UK if they are a UK national or their activity would be illegal in their current country.

As defined in section 5, in relation to an offence under Section 3ZA, any of the following rules would consist a ‘significant link’ with domestic jurisdiction:

That the accused was in the home country concerned at the time when s/he committed the unauthorised act (or caused it to be done);
That the unauthorised act was done in relation to a computer in the home country concerned;
That the unauthorised act caused, or created a significant risk of, serious damage of a material kind (within the meaning of that section) in the home country concerned.

As defined in section 6, even the act of conspiring to commit a crime under the CMA would be treated under the same ‘extended extra-territorial jurisdiction arrangements’. For example, you can be outside the UK whilst conspiring to commit a crime according to the CMA and still be liable for it within the UK.

Thresholds For Prosecution

The offence occurs when an individual causes a computer, which would include his own computer, to perform a function with intent to secure access.

This excludes simply having physical contact with a computer and the scrutiny of data without any interaction with a computer. Therefore the act of reading sensitive or confidential output or forms of eavesdropping are not crimes in themselves within the CMA.

The access to the program or data which the accused intends to secure must be ‘unauthorised’ access. For example:

There must be knowledge that the intended access was unauthorised; and
There must have been an intention to secure access to any program or data held in a computer.

The word ‘any’ indicates that the intent does not relate to the computer which the accused is at that time operating. Section 1(2) explains that the intent of the accused does not need to be directed at any particular program or data, mean that an attacker who accesses a computer without any clear idea of what they will find there would still be liable.

This can mean that a lot of the specific detail is pushed to individual policies when considering any testing or internal issues, such as acceptable use policies. Whilst these have no legal bearing, they would be a key consideration in cyber security testing. Cases such as DPP v Bignell [1998] 1 Cr App R8 highlight this, where police officers were found not guilty after requesting details for an indivudal which they didnt have permission to do so, but they did have legitimate access to the PNC.

Offenses

For cyber security professionals, the offenses highlight why effective approval processes are so important for testing, with all the offenses relying on the offender gaining unauthorised access to a system, and knowing that said access is not approved.

Section 1: Unauthorised access to computer material

The maximum penalty for this offense is 2 years imprisonment, making it the most ‘basic’ offense within the CMA. This relates to unauthorised access to a computer, where the access is unauthorised and the offender would know that at the time of the offense occurring.

Section 2: Unauthorised access with intent to commit or facilitate commission of further offences

The maximum penalty for this offense is 5 years imprisonment. This is somewhat of an extension to Section 1, due to the ‘further offenses’ detail. An example could be obtaining access with a view to transferring money.

This further offence can be conducted at a separate time, it just requires the link between the two offenses. This second offense may not be technically feasible – but if it is attempted then they could be liable for a Section 2 offense.

Section 3: Unauthorised Acts with intent to impair, or with recklessness as to impairing the operation of a computer

The maximum sentence for this offense is 10 years’ imprisonment. This covers acts such as DDoS or deliberate damage. Importantly, deliberate modification of data is not necessarily covered by this, unless it impacts the reliability or availability of the data.

The specific acts covered are covered in Section 3(2), either by directly causing or enabling the following impacts:

‘Impair’ the operation of a computer
Prevent or hinder access to any program or data on the computer
Impair the operation of any program or its data

This doesn’t have to be a permanent impact, it can be a temporary impact (Section 3(5))

Section 3ZA: Unauthorised acts causing, or creating risk of, serious damage

Section 41(2) of the Serious Crime Act 2015 inserted section 3ZA, with effect from 3 May 2015.

This covers the causation, or ‘significant’ risk of causing ‘material’ damage. This again can be deliberately or ‘recklessly’ caused.

The maximum sentence is 14 years, unless the offence caused or created a significant risk of serious damage to human welfare or national security, as defined in Section 3 (a) and (b), in which case a person guilty of the offence is liable to imprisonment for life.

This is intended to cover the most serious cases concerning Critical National Infrastructure (CNI), with a large number of damages covered by this section. Damage is referred to as being ‘material’ if it leads to any of the following (Sections 3ZA(2,3)):

Damage to human welfare in any place, specifically:
- Loss to human life;
- Human illness or injury;
- Disruption of a supply of money, food, water, energy or fuel;
- Disruption of a system of communication;
- Disruption of facilities for transport; or
- Disruption of services relating to health.
Damage to the environment of any place;
Damage to the economy of any country; or
Damage to the national security of any country.

Section 3A: Making, supplying or obtaining articles for use in offence under Section 1, 3 or 3ZA

The maximum sentence for this is two years’ imprisonment. The rationale behind the creation of this offence is the market in electronic malware or ‘hacker tools’; which can be used for breaking into, or compromising, computer systems. For this, an ‘article’ is any program or data held in electronic form. This is the section likely most relevant to red teamers, given the large number of people involved in the open-source community. Whilst it is unlikely that Section 3A offences would be charged against someone contributing to open-source projects, it it worth considering!

This covers a wide range of activity relating to committing an offence under Sections 1, 3 or 3ZA:

Someone making, adapting, suppling or offering to supply any ‘article’
This also includes obtaining an ‘article’ in order to supply or use it

This is based on some of the following criteria/guidance:

Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
Is the article available on a wide scale commercial basis and sold through legitimate channels?
Is the article widely used for legitimate purposes?
Does it have a substantial installation base?
What was the context in which the article was used to commit the offence compared with its original intended purpose?

Public Interest

The Crown Prosecution Service (CPS) has a great summary of the consideration for public interest in any case being raised:

As always, the public interest in a case features heavily. For example, where there is sufficient evidence to meet the evidential test under the ‘Code for Crown Prosecutors’, the following Public Interest factors should be carefully considered:

The financial, reputational, or commercial damage caused to the victim(s);
The offence was committed with the main purpose of financial gain;
The level of sophistication used, particularly sophistication used to conceal or disguise identity (including masquerading as another identity to divert suspicion);
The victim of the offence was vulnerable and has been put in considerable fear or suffered personal attack, damage or disturbance;
The mental health, maturity and chronological age of the defendant at the time of the offence.

Data Protection Act

The Act came into force on 25 May 2018. The Act updates data protection laws in the UK, supplementing the General Data Protection Regulation (EU) 2016/679 (GDPR), implementing the EU Law Enforcement Directive (LED), and extending data protection laws to areas which are not covered by the GDPR or the LED

The Act does not write the GDPR into UK law. The GDPR has direct effect in EU member states from 25 May 2018, which means the GDPR is already part of UK law. After the UK leaves the EU, the GDPR will be converted into UK law (with some amendments) under the European Union (Withdrawal) Act 2018.

Part 1 – Definitions

Several key terms are used within the DPA:

Term	Meaning
Personal Data	Any information relating to an identified or identifiable living individual. This definition does not include the extra detail in the GDPR which goes on to define an ‘identifiable living individual’
Identifiable Living Individual	A living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Processing	In relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as: collection, recording, organisation, structuring or storage; adaptation or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment or combination; or restriction, erasure or destruction.
Data Subject	The identified or identifiable living individual to whom personal data relates.
Controller and Processor	Part 1 does not provide a single definition of controller and processor. Instead it points to the relevant Chapter or Part of the Act for the specific definition of these terms. As a general rule the definitions of controller and processor mirror those of the GDPR: ‘controller’ means the natural or legal person who alone or jointly with others determines the purpose and means of the processing of personal data; and ‘processor’ means the natural or legal person who processes personal data on behalf of the controller.
Filing System	Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis
The applied GDPR	The GDPR as applied by Part 2 Chapter 3. In practice this means that the Act extends GDPR standards to: processing outside the scope of EU law or processing outside the scope of the GDPR other than processing covered by Part 3 (LED processing) or Part 4 (IS processing)
LED (Law Enforcement Directive)	Used where data is processed by competent authorities for law enforcement purposes

Part 2 – Data Processing

Part 2 of the DPA sets out how data processing can occur, and is heavily linked to the implementation and support of GDPR. Whilst GDPR was automatically enacted due to EU membership at the time, it provides the provision for member states to tailor the language to suit local laws and government. Some examples of this are DPA Part 2 Section 8 which more precisely implements GDPR Article 6 (1)(e), detailing the specific government and public bodies which can process data.

Special Categories

Schedule 1 details the various conditions which permit processing of special categories of personal and criminal offence data:

Part 1 – Conditions relating to employment, health and research
- For an employer to process data under this part, any controllers must have an appropriate policy document in place
- For public health bodies to process data, it must be conducted under the responsibility of a health professional or other person who has a duty of confidentiality under enactment or law.
- For research purposes, it must have a public interest and be in accordance with Article 89(1) GDPR (as supplemented by s19 of the Act)
Part 2 – Substantial public interest conditions
- This includes a wide range of potential topics, but all must follow the same underlying principles of being limited and only what is necessary.
Part 3 – Additional conditions relating to criminal offence data
Part 4 – Appropriate policy document and additional safeguards
- Should such data be processed, several further policy documents must be created, which must:
  - Explain how the controller complies with the data protection principles set out in Article 5 of the GDPR;
  - Explain the controller’s policies for the retention and erasure of personal data processed under the relevant condition; and
  - Be retained, reviewed and (if appropriate) updated by the controller and (if requested) made available to the Information Commissioner, until six months after the controller ceases carrying out the processing.
- Where appropriate policy documentation is required, the controller’s records of processing activities (under Article 30 of the GDPR) must include:
  - Details of the relevant condition relied on;
  - How processing satisfies Article 6 of the GDPR (lawfulness of processing); and
  - Details of whether the personal data is retained and erased in accordance with the appropriate policy documentation (and if not the reasons why not).

Data Transfer

From the GDPR regulations:

The GDPR imposes a general prohibition on the transfer of personal data outside the EU, unless:

Article 45 – the transfer is based on an adequacy decision;

Article 46 – the transfer is subject to appropriate safeguards;

Article 47 – the transfer is governed by Binding Corporate Rules; or

Article 49 – the transfer is in accordance with specific exceptions. One of the specific exceptions is where the transfer of personal data outside the EU is necessary for important reasons of public interest (Article 49(1)(d)).

The GDPR doesn’t apply to all processing of personal data occurring in the UK. It doesn’t cover processing which is:

Outside the scope of EU law, such as immigration issues relating to third-country nationals on humanitarian grounds;
Outside the scope of the GDPR, such as ‘common foreign and security policy activities’ (Article 2(2)(b) GDPR), or manual unstructured processing of personal data held by an FOI public authority.

The Freedom of Information Act (FOIA) is mentioned a lot in Section 2, there are several key takeaways:

Unstructured data (i.e. Paper records) are not subject to FOI requests, as it would be too onerous, though the general GDPR rules/principals still apply

Data previously reseved for usage by LED can be shared so long as its usage is still relevant to its original purpose, whilst following the key pillars of GDPR. For example, sharing anonymized crime statistics to help reduce crime.

Part 3 – Law Enforcement Processing

From the ICO website:

Part 3 regulates the processing of personal data by competent authorities (“competent authorities”) for the purposes of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security” (together “law enforcement purposes”).

This Part implements the Law Enforcement Directive EU2016/680 (LED) into UK law, with additional provisions. The LED came into force in 2016 and EU member states had until May 2018 to adopt national legislation implementing its provisions

Part 4 – Intelligence Services Processing

National security falls outside the scope of EU law. The activities of the UK intelligence services are therefore outside the scope of the GDPR and the LED. Part 4 of the Data Protection Act introduces a data protection regime applicable to processing of personal data by the intelligence services, such as The Security Service, the Secret Intelligence Service and the Government Communications Headquarters.

Part 5 – The Information Commissioner

The Information Commissioner is the UK’s national supervisory authority for the purposes of the GDPR, the LED and the Act and shall continue to be the UK’s designated authority for the purposes of the Convention 108.

Part 6 – Enforcement

The Information Commissioner has several powers as part of their role:

Information Notice
- “To require someone to provide information that the Commissioner reasonably requires for her functions or for certain investigations”
- The minimum time must be complied with is within 24 hours notice.
Assessment Notice
- “To require a controller or processor to submit to an assessment as to data protection compliance”
- The minimum time must be complied with is within 7 days notice.
Enforcement Notice
- “To require a person to take the steps specified in the notice, or to require that a person refrains from taking certain steps.”
- The minimum time must be complied with is within 24 hours notice.
Penalty Notice
- “To require a person to pay to the Commissioner the amount specified in the notice.”
- The minimum time must be complied with is within 28 days notice.

Each item has various reasons why a person doesnt have to comply, though most would not be applicable to red team exercises. The most relevant one would be when the notice is withdrawn in writing. Outside of this, the following exceptions apply:

Where personal data is being processed for the special purposes, for Assessment Notices
Where the processing is for the special purposes, unless the Commissioner has issued a s174 determination and the court has granted leave for the notice, for Enforcement Notices

Fines

The maximum fines which can be levied follow the GDPR structure:

“the standard maximum amount”: the higher of 10,000,000 EUR or (in the case of an undertaking) 2% of the undertaking’s total annual worldwide turnover in the preceding financial year.
“the higher maximum amount”: the higher of 20,000,000 EUR or (in the case of an undertaking) 4% of the undertaking’s to

Legal Powers To Inspect

A warrant may be issued if a court judge is satisfied that there are reasonable grounds to suspect that crime under the Act has been or is being committed, or that a person has failed, or is failing, to (in summary):

Comply with the data protection principles, data subject rights and controller/processor obligations set out in the GDPR or the Act;
Communicate a personal data breach to the Information Commissioner or a data subject; or
Comply with the principles for transfers of personal data to third countries, non-Convention countries and international organisation

In addition, a judge must also be satisfied that there are reasonable grounds to suspect that evidence of the failure or offence can be found on the premises, or could be viewed using equipment on the premises. This warrant will only be issued if various conditions are met:

At least seven days have passed since the Information Commissioner gave notice in writing demanding access to the premises in question.
Access was demanded at a reasonable hour, but access was unreasonably refused; or entry was granted by the occupier, but they unreasonably refused to allow the Information Commissioner to carry out the required searches and inspections.
The occupier of the premises was notified by the Information Commissioner that an application for the warrant had been made.
If the personal data is processed for the special purposes, then this activity is covered under Section 174.

Complaints & Avoidance

It is clearly an offence to delete information which may realistically be required to be retained by an Information Commissioner. The only defense to this is if the destruction/disposal would have occurred regardless of the notice being given. This is Part 6, Section 148.

Part 6, Section 170 details the criminal offenses relating to obtaining and retaining personal data without the consent of the controller or retaining data without permission.

Section 173 provides that, where a subject access or data portability request has been received, it is an offence for a controller or related persons, including a processor, to take action to prevent the sharing of information which an individual would be entitled to receive. It is a defence if the action would have occurred regardless of the request or if the person charged acted in the reasonable belief that the individual was not entitled to receive the information.

Fraud Act 2006

The CPS guidance is really useful for this law! In many cases, fraud can be considered (or comprised of) theft – so potentially charges can be levied under other existing laws relating to theft. A lot of the contents of this law relate to deception, so only specific parts could relate to red teaming. The CPS also highlight that criminal convictions for fraud can be raised, but may be more appropriately handled via regulatory or civil proceedings.

For all cases of fraud, the below must be true, with the maximum sentence being 10 years.

The defendant’s conduct must be dishonest;
His/her intention must be to make a gain or cause a loss or the risk of a loss to another.
No gain or loss needs actually to have been made.

This highlights the crux of all potential fraud cases relating to cyber security testing (“his/her intention must be to make a gain; or cause a loss or the risk of a loss to another”). A well defined and scoped test will ensure that no loss/gain is obtained, with testing simply being performed to simulate such activity.

Section 2 – Fraud by false representation

The following must be true for someone to be culpable of a Section 2 offence:

Made a false representation
Dishonestly
Knowing that the representation was or might be untrue or misleading
With intent to make a gain for himself or another, to cause loss to another or to expose another to risk of loss.

Section 6 – Possession of articles for use in fraud

For a section 6 offence, he defendant must have:

Had possession or control of;
An article;
For use in the course of or in connection with any fraud.

The wording draws on Section 25 of the Theft Act 1968. The proof required is that the Defendant had the article for the purpose or with the intention that it be used in the course of or in connection with an offence.

The CPS makes specific guidance on those ‘involved in the development of computer software … to test the security of computer or security systems’. For these cases, the defence must rely on the lack of intention to commit fraud.

Section 7 – Making or supplying articles for use in frauds

A section 7 offence occurs when the defendant:

Makes, adapts, supplies or offers to supply any article;
For use in the course of or in connection with fraud;
Knowing that it is designed or adapted for use in the course of or in connection with fraud (Section 7 (1) (a)) or
Intending it to be used to commit or assist in the commission of fraud (Section 7 (1) (b).

Again, the CPS make specific mention about cyber security testing:

A person who makes an article specifically for use in fraud, for example, a software programme to create a phishing website or send phishing email, may be ambivalent about whether the person to whom it is supplied actually uses it for fraud. He will fall foul of Section 7 (1) (a) but will not have the necessary intention for Section 7 (1) (b).

The manufacturer of articles that are capable of being used in or in connection with fraud but have other innocent uses will not fall foul of this section unless he intends that it should be used in a dishonest way (Section 7 (1) (b)).

Human Rights Act

There are 14 ‘articles’ in the Human Rights Act (With 1 & 13 being fulfilled by human rights being enshrined in UK law). This is the UK’s implementation of the European Convention on Human Rights (ECHR)

For cyber security testing, Article 8 is the main item to consider (“Respect for your private and family life”). The key definition is of a ‘private life’, preventing the media and other individuals from interfering with your life. It also covers the secure, private storage of any PII relating to an individual.

This can have several impacts on red teaming, typically covered in a rules of engagement, for example ensuring that appropriate permissions are in place for:

Gathering of private messages/internal chats
Key logging
Monitoring of web traffic/activity

The underlying concepts tie into GDPR, focusing on data minimisation and proportionality of testing/data storage.

Related Acts

Investigatory Powers Act 2016

Whilst this is unlikely to occur during a red team exercise, the Investigatory Powers Act covers the unlawful interception of a public telecommunication system, a private telecommunication system, or a public postal service.

Misconduct in Public Office

This is covers the common-law offence of misconduct in public office, for example, where a police officer misuses the Police National Computer (PNC). Whilst again this is unlikely to occur during red team operations, it highlights the importance of detailed logging and deconfliction processes if performing identity based attacks, or leveraging legitimate accounts to access systems.