The UK government has said it wants to hand out life sentences to anyone found guilty of a cyberattack that results in loss of life, serious illness, serious injury, or serious damage to national security (or a “significant risk thereof”. The plan, which frighteningly, is broadly written, is proposed as an update to Britain’s Computer Misuse Act 1990 and would also hand out harsher sentences to any hacker carrying out industrial (commercial) espionage. Even minor hacking crimes can result in sentences up to 14 years.
Experts note that the new laws could deem certain types of white-hat security research (e.g. penetration tests) to be illegal. According to Trey Ford, global security strategist at penetration testing firm Rapid7:
“Any researchers looking for the recent Heartbleed bug, which left a vast number of websites open to attack, could have been charged under British hacking laws.”
Similar tightening of cybersecurity laws have also been proposed in India and the United States.