Resident Evil 9, Stranger Than Heaven, and more of the key reveals from Summer Game Fest 2025 10 highlights from Geoff Keighley's annual livestream Feature by Samuel Roberts Editorial Director Published on June 7, 2025 Geoff Keighley's annual Summer Game Fest showcase had a few big moments, including a major showing from Capcom, some sharp-looking indie games from well-known developers, and a creative tie-in between Hitman and James Bond by IO Interactive. Find a selection of 10 key SGF 2025 highlights below, including all-new reveals and several worthwhile updates on already-announced games. End of Abyss Created by Section 9 Interactive, a Malmö-based studio of developers who worked on the Little Nightmares games, and published by Epic Games itself, this was the horror highlight of SGF. In End of Abyss, a combat technician explores a facility that's riddled with fleshy monsters, in what looks a little like a twin-stick survival horror shooter. New pathways will emerge in the game as players become stronger, suggesting something of a Metroidvania structure. This one doesn't have a specific release date yet beyond 2026, but it's coming to Xbox, PlayStation, and PC. Lego Voyagers This two-player Lego game from the developers of Lego Builders Journey left an impression with a simple but perfect pitch: what if you played as a single Lego brick, and the entire game was built around that notion? Anyone still craving high-value co-op experiences for couch play after finishing this year's wonderful Split Fiction should keep this beautiful-looking game on their radar. It's coming to PC and consoles, including the original Nintendo Switch, and will be playable either locally or online (with only one purchase necessary for the latter). Mina the Hollower To see this content please enable targeting cookies. Mina the Hollower, the long-awaited new game from Shovel Knight developer Yacht Club Games, got a release date of October 31, 2025 during SGF. This trailer will set off fireworks for anyone familiar with its inspirations: Link's Awakening and the other Game Boy Color Zelda games, for example, as well as the side-scrolling adventures of the Castlevania series. Marvel's Deadpool VR Rather a lot of licensed games made the cut in this Summer Games Fest (who could've predicted that this year's livestream would offer viewers a real-time strategy game tie-in to Game of Thrones, a TV show that ended on a contentious note in 2019?). Meta's big reveal at SGF was Deadpool VR, another superhero-themed exclusive coming to Quest 3, following last year's killer app Batman: Arkham Shadow. This game stars Neil Patrick Harris as Marvel's Merc with a Mouth, and comes from 'Splosion Man developer Twisted Pixel. As ever, Deadpool's delivered-via-sledgehammer meta humour is something of an acquired taste, yet the recent history of pop culture would suggest it's never been more popular. Deadpool VR's first-person combat and storytelling look authentic to the character, which is either a dream come true or a living nightmare, depending on who you ask. It launches exclusively on Quest 3 and 3S in late 2025. Ill and Mundfish's push into publishing Mundfish, the latest developer to move into publishing, had a big presence in this year's SGF livestream. That included a colourful-if-muddled trailer for Atomic Heart 2, a follow-up to its 2023 hit FPS. But perhaps more interesting was the horror-themed FPS Ill, the debut game from studio Team Clout. What could be more frightening than being chased by dozens of decaying bald men, and occasionally, some fetid-looking evil giant babies? This game will launch on PC, Xbox, PlayStation, but it doesn't have a release date yet. Scott Pilgrim EX Considering the Scott Pilgrim graphic novels ended 15 years ago, the longevity of a story about a down-on-his-luck 20-something fighting all his new partner's exes in sequence continues to amaze. This spiritual sequel to 2010's acclaimed Ubisoft tie-in Scott Pilgrim Vs The World: The Game sees Scott and six of his pals teaming up to fight three different warring gangs who have taken over Toronto. Developer Tribute Games (creators of the brilliant Teenage Mutant Ninja Turtles: Shredder's Revenge) comprises staff who worked on that prior Ubisoft title. Pleasingly for fans, too, series creator Bryan Lee O'Malley is behind the story on this project. With four-player co-op part of the mix, Scott Pilgrim EX launches in 2026. Casino Royale's Le Chiffre comes to Hitman: World of Assassination With IO Interactive's James Bond game First Light not arriving until 2026, this reveal was a real treat for fans of 007, and a fun stopgap. Actor Mads Mikkelsen joined IO's Hakan Abrak on-stage in announcing that his Casino Royale villain Le Chiffre has been added to Hitman: World of Assassination's Paris level as a limited-time Elusive Target. Players have until July 6 to take him out. Blighted Guacamelee studio Drinkbox is behind this visually stylish action RPG, which looks like it'll scratch the itch of anyone who got deep into Hades but wants something with a fresh twist (or co-op) to play. The setting is described as a 'psychedelic western nightmare' by the developers, and a 'blighted' mechanic alters the difficulty of the game dynamically depending on how afflicted the player is. It's coming soon to Steam. Stranger Than Heaven First unveiled last year as Project Century, this deeper look at the next project by Like A Dragon developer RGG Studio showed off the game's 1943 (seemingly) period Japanese setting, as well as its combat and other gameplay elements like moral choices (of the Xbox 360 era 'spare/kill' variety). Considering the last trailer was set in 1915, it would appear to suggest the game takes place across multiple decades. It's exciting to see this studio trying something a little different, even if some of the parts are superficially similar. Resident Evil Requiem The reveal of the ninth mainline Resident Evil game closed the livestream with a bang. Requiem is slightly hard to grasp from this first trailer, perhaps by design: the protagonist is an agent called Grace Ashcroft, and we see several glimpses of the ruins of Raccoon City amid the horrors in this teaser. No doubt Capcom will gradually put the pieces together in the run-up to its February 27, 2026 release date on PC, Xbox, and PlayStation. It firmly looks like a stylistic follow-up to the first-person hits Resident Evil 7 and Village. On-stage, it was promised the game will feature "high-stakes cinematic action" as well as survival horror.

It looks like a machine built in the background of a Nine Inch Nails video – blunt, dirty, furious. The Droog X Volcon Grunt doesn’t care about looking sleek. It’s industrial as hell and twice as aggressive. You don’t ride it, you strap in for the kind of electric street brawl that leaves burn marks on the asphalt and a vibration in your teeth. Based on the Volcon Grunt EVO, Droog Moto’s latest creation wears its attitude like armor. The frame looks sculpted with a sledgehammer and finished by a welder who ran out of patience but had plenty of talent. Up front, a thin horizontal LED headlight slices through the night like a katana caught mid-swing. The fat tires – massive 8-inch-wide slabs of rubber – promise grip on anything short of lava. Gravel, sand, pothole-ridden backstreets? It’s game on. Designer: Droog What makes this brute tick is a dual 60V battery configuration, delivering a top speed of 60 mph with a torque curve that feels immediate and unforgiving. It’s powered by a 10.6 kW Gates carbon belt drive system, which means you’re getting that sweet, near-silent thrust that only a torquey electric drivetrain can give. It’ll cover up to 60 miles on a single charge – plenty of time to stir up trouble or head off-grid without breaking a sweat. But here’s the trick: while it looks like something that belongs in a post-apocalyptic scrapyard drag race, there’s precision in the chaos. Droog’s aesthetic might scream Mad Max, but the execution is meticulous. Custom LED lighting, a brutally minimalist saddle, and a stance that looks like it’s always mid-pounce. This is where off-road DNA meets streetfighter brawn… and the result isn’t subtle. Only two of these beasts exist… and one’s already spoken for. That’s less of a production run and more of a clarion call. If you see one in the wild, you’re either at an elite underground race meet or you’ve stumbled into Bruce Wayne’s mansion.The post The Droog X Volcon Grunt Is a Street-Legal Post-Apocalyptic Electric Monster first appeared on Yanko Design.

The day after his inauguration in January, President Donald Trump announced Stargate, a $500 billion initiative to build out AI infrastructure, backed by some of the biggest companies in tech. Stargate aims to accelerate the construction of massive data centers and electricity networks across the US to ensure it keeps its edge over China. This story is a part of MIT Technology Review’s series “Power Hungry: AI and our energy future,” on the energy demands and carbon costs of the artificial-intelligence revolution. The whatever-it-takes approach to the race for worldwide AI dominance was the talk of Davos, says Raquel Urtasun, founder and CEO of the Canadian robotruck startup Waabi, referring to the World Economic Forum’s annual January meeting in Switzerland, which was held the same week as Trump’s announcement. “I’m pretty worried about where the industry is going,” Urtasun says.  She’s not alone. “Dollars are being invested, GPUs are being burned, water is being evaporated—it’s just absolutely the wrong direction,” says Ali Farhadi, CEO of the Seattle-based nonprofit Allen Institute for AI. But sift through the talk of rocketing costs—and climate impact—and you’ll find reasons to be hopeful. There are innovations underway that could improve the efficiency of the software behind AI models, the computer chips those models run on, and the data centers where those chips hum around the clock. Here’s what you need to know about how energy use, and therefore carbon emissions, could be cut across all three of those domains, plus an added argument for cautious optimism: There are reasons to believe that the underlying business realities will ultimately bend toward more energy-efficient AI. 1/ More efficient models The most obvious place to start is with the models themselves—the way they’re created and the way they’re run. AI models are built by training neural networks on lots and lots of data. Large language models are trained on vast amounts of text, self-driving models are trained on vast amounts of driving data, and so on. But the way such data is collected is often indiscriminate. Large language models are trained on data sets that include text scraped from most of the internet and huge libraries of scanned books. The practice has been to grab everything that’s not nailed down, throw it into the mix, and see what comes out. This approach has certainly worked, but training a model on a massive data set over and over so it can extract relevant patterns by itself is a waste of time and energy. There might be a more efficient way. Children aren’t expected to learn just by reading everything that’s ever been written; they are given a focused curriculum. Urtasun thinks we should do something similar with AI, training models with more curated data tailored to specific tasks. (Waabi trains its robotrucks inside a superrealistic simulation that allows fine-grained control of the virtual data its models are presented with.) It’s not just Waabi. Writer, an AI startup that builds large language models for enterprise customers, claims that its models are cheaper to train and run in part because it trains them using synthetic data. Feeding its models bespoke data sets rather than larger but less curated ones makes the training process quicker (and therefore less expensive). For example, instead of simply downloading Wikipedia, the team at Writer takes individual Wikipedia pages and rewrites their contents in different formats—as a Q&A instead of a block of text, and so on—so that its models can learn more from less. Training is just the start of a model’s life cycle. As models have become bigger, they have become more expensive to run. So-called reasoning models that work through a query step by step before producing a response are especially power-hungry because they compute a series of intermediate subresponses for each response. The price tag of these new capabilities is eye-watering: OpenAI’s o3 reasoning model has been estimated to cost up to $30,000 per task to run.   But this technology is only a few months old and still experimental. Farhadi expects that these costs will soon come down. For example, engineers will figure out how to stop reasoning models from going too far down a dead-end path before they determine it’s not viable. “The first time you do something it’s way more expensive, and then you figure out how to make it smaller and more efficient,” says Farhadi. “It’s a fairly consistent trend in technology.” One way to get performance gains without big jumps in energy consumption is to run inference steps (the computations a model makes to come up with its response) in parallel, he says. Parallel computing underpins much of today’s software, especially large language models (GPUs are parallel by design). Even so, the basic technique could be applied to a wider range of problems. By splitting up a task and running different parts of it at the same time, parallel computing can generate results more quickly. It can also save energy by making more efficient use of available hardware. But it requires clever new algorithms to coordinate the multiple subtasks and pull them together into a single result at the end.  The largest, most powerful models won’t be used all the time, either. There is a lot of talk about small models, versions of large language models that have been distilled into pocket-size packages. In many cases, these more efficient models perform as well as larger ones, especially for specific use cases. As businesses figure out how large language models fit their needs (or not), this trend toward more efficient bespoke models is taking off. You don’t need an all-purpose LLM to manage inventory or to respond to niche customer queries. “There’s going to be a really, really large number of specialized models, not one God-given model that solves everything,” says Farhadi. Christina Shim, chief sustainability officer at IBM, is seeing this trend play out in the way her clients adopt the technology. She works with businesses to make sure they choose the smallest and least power-hungry models possible. “It’s not just the biggest model that will give you a big bang for your buck,” she says. A smaller model that does exactly what you need is a better investment than a larger one that does the same thing: “Let’s not use a sledgehammer to hit a nail.” 2/ More efficient computer chips As the software becomes more streamlined, the hardware it runs on will become more efficient too. There’s a tension at play here: In the short term, chipmakers like Nvidia are racing to develop increasingly powerful chips to meet demand from companies wanting to run increasingly powerful models. But in the long term, this race isn’t sustainable. “The models have gotten so big, even running the inference step now starts to become a big challenge,” says Naveen Verma, cofounder and CEO of the upstart microchip maker EnCharge AI. Companies like Microsoft and OpenAI are losing money running their models inside data centers to meet the demand from millions of people. Smaller models will help. Another option is to move the computing out of the data centers and into people’s own machines. That’s something that Microsoft tried with its Copilot+ PC initiative, in which it marketed a supercharged PC that would let you run an AI model (and cover the energy bills) yourself. It hasn’t taken off, but Verma thinks the push will continue because companies will want to offload as much of the costs of running a model as they can. But getting AI models (even small ones) to run reliably on people’s personal devices will require a step change in the chips that typically power those devices. These chips need to be made even more energy efficient because they need to be able to work with just a battery, says Verma. That’s where EnCharge comes in. Its solution is a new kind of chip that ditches digital computation in favor of something called analog in-memory computing. Instead of representing information with binary 0s and 1s, like the electronics inside conventional, digital computer chips, the electronics inside analog chips can represent information along a range of values in between 0 and 1. In theory, this lets you do more with the same amount of power.  SHIWEN SVEN WANG EnCharge was spun out from Verma’s research lab at Princeton in 2022. “We’ve known for decades that analog compute can be much more efficient—orders of magnitude more efficient—than digital,” says Verma. But analog computers never worked well in practice because they made lots of errors. Verma and his colleagues have discovered a way to do analog computing that’s precise. EnCharge is focusing just on the core computation required by AI today. With support from semiconductor giants like TSMC, the startup is developing hardware that performs high-dimensional matrix multiplication (the basic math behind all deep-learning models) in an analog chip and then passes the result back out to the surrounding digital computer. EnCharge’s hardware is just one of a number of experimental new chip designs on the horizon. IBM and others have been exploring something called neuromorphic computing for years. The idea is to design computers that mimic the brain’s super-efficient processing powers. Another path involves optical chips, which swap out the electrons in a traditional chip for light, again cutting the energy required for computation. None of these designs yet come close to competing with the electronic digital chips made by the likes of Nvidia. But as the demand for efficiency grows, such alternatives will be waiting in the wings.  It is also not just chips that can be made more efficient. A lot of the energy inside computers is spent passing data back and forth. IBM says that it has developed a new kind of optical switch, a device that controls digital traffic, that is 80% more efficient than previous switches.    3/ More efficient cooling in data centers Another huge source of energy demand is the need to manage the waste heat produced by the high-end hardware on which AI models run. Tom Earp, engineering director at the design firm Page, has been building data centers since 2006, including a six-year stint doing so for Meta. Earp looks for efficiencies in everything from the structure of the building to the electrical supply, the cooling systems, and the way data is transferred in and out. For a decade or more, as Moore’s Law tailed off, data-center designs were pretty stable, says Earp. And then everything changed. With the shift to processors like GPUs, and with even newer chip designs on the horizon, it is hard to predict what kind of hardware a new data center will need to house—and thus what energy demands it will have to support—in a few years’ time. But in the short term the safe bet is that chips will continue getting faster and hotter: “What I see is that the people who have to make these choices are planning for a lot of upside in how much power we’re going to need,” says Earp. One thing is clear: The chips that run AI models, such as GPUs, require more power per unit of space than previous types of computer chips. And that has big knock-on implications for the cooling infrastructure inside a data center. “When power goes up, heat goes up,” says Earp. With so many high-powered chips squashed together, air cooling (big fans, in other words) is no longer sufficient. Water has become the go-to coolant because it is better than air at whisking heat away. That’s not great news for local water sources around data centers. But there are ways to make water cooling more efficient. One option is to use water to send the waste heat from a data center to places where it can be used. In Denmark water from data centers has been used to heat homes. In Paris, during the Olympics, it was used to heat swimming pools.   Water can also serve as a type of battery. Energy generated from renewable sources, such as wind turbines or solar panels, can be used to chill water that is stored until it is needed to cool computers later, which reduces the power usage at peak times. But as data centers get hotter, water cooling alone doesn’t cut it, says Tony Atti, CEO of Phononic, a startup that supplies specialist cooling chips. Chipmakers are creating chips that move data around faster and faster. He points to Nvidia, which is about to release a chip that processes 1.6 terabytes a second: “At that data rate, all hell breaks loose and the demand for cooling goes up exponentially,” he says. According to Atti, the chips inside servers suck up around 45% of the power in a data center. But cooling those chips now takes almost as much power, around 40%. “For the first time, thermal management is becoming the gate to the expansion of this AI infrastructure,” he says. Phononic’s cooling chips are small thermoelectric devices that can be placed on or near the hardware that needs cooling. Power an LED chip and it emits photons; power a thermoelectric chip and it emits phonons (which are to vibrational energy—a.k.a. temperature—as photons are to light). In short, phononic chips push heat from one surface to another. Squeezed into tight spaces inside and around servers, such chips can detect minute increases in heat and switch on and off to maintain a stable temperature. When they’re on, they push excess heat into a water pipe to be whisked away. Atti says they can also be used to increase the efficiency of existing cooling systems. The faster you can cool water in a data center, the less of it you need. 4/ Cutting costs goes hand in hand with cutting energy use Despite the explosion in AI’s energy use, there’s reason to be optimistic. Sustainability is often an afterthought or a nice-to-have. But with AI, the best way to reduce overall costs is to cut your energy bill. That’s good news, as it should incentivize companies to increase efficiency. “I think we’ve got an alignment between climate sustainability and cost sustainability,” says Verma. ”I think ultimately that will become the big driver that will push the industry to be more energy efficient.” Shim agrees: “It’s just good business, you know?” Companies will be forced to think hard about how and when they use AI, choosing smaller, bespoke options whenever they can, she says: “Just look at the world right now. Spending on technology, like everything else, is going to be even more critical going forward.” Shim thinks the concerns around AI’s energy use are valid. But she points to the rise of the internet and the personal computer boom 25 years ago. As the technology behind those revolutions improved, the energy costs stayed more or less stable even though the number of users skyrocketed, she says. It’s a general rule Shim thinks will apply this time around as well: When tech matures, it gets more efficient. “I think that’s where we are right now with AI,” she says. AI is fast becoming a commodity, which means that market competition will drive prices down. To stay in the game, companies will be looking to cut energy use for the sake of their bottom line if nothing else.  In the end, capitalism may save us after all. 

Expert Head Artist - Sledgehammer Games - Toronto, ONActivisionToronto Ontario M5E 1G6 Canada5 minutes agoApplyJob Title:Expert Head Artist - Sledgehammer Games - Toronto, ONRequisition ID:R024569Job Description:Your MissionAs Expert Head Artist at Sledgehammer Games, you will oversee the creation of character portraits, hair authoring, blend shape capture as well as helping with facial rig development and performance.You are an expert communicator, collaborator, and ambassador for the team. You will collaborate with Tech Art, Tech Anim, Leads and Directors to create photo real portraits that adhere to quality standards and tone of Call of Duty franchise. Aiming for the utmost realism in execution while maintaining PBR standards and working within technical guidelines.You understand the head creation, both from scan and from scratch. You can mentor your team, proactively find solutions, and deliver significant feedback to both internal and external developers with confidence.This is an onsite position at our office in Toronto, ONThis position requires travel to our studio location in California, US for photo shoot sessions.What you bring to the tablePriorities can often change in a fast-paced environment like ours, so this role includes, but is not limited to the following responsibilities:Create realistic portraits, from sculpt or scan portraits.To author and leading the creation of hair.Create documentation of processes for others to follow as needed.Work closely with Leads, Directors and Artist to maintain the style and quality bar of CoD franchise.Works closely with the Tech Anim, Tools, Engine, and Tech art counterparts from Sledgehammer and other CoD studios to develop new workflows or improve existing tools and technologies to streamline team efficiency.Provides feedback to both internal and external artists regarding quality and technical execution.Proactively helps to troubleshoot and fix problematic content.Be a trusted gatekeeper for performance, efficiency and quality.Research subject matter relating to objectives to ensure an authentic experience.Pushing the quality of the character heads for millions of fans to enjoy.This position requires travel to our studio location in California, US.Player ProfileMinimum requirements:12+ years in the game industry working in art capacity.At least one shipped AAA title, from beginning to finishing a product, including work on an actor/actresses’ likeness either from scan, or made from scratchInspiring portfolio demonstrating focus and commitment to realistic characters especially portraits and likeness.Has experience with the entire scanning process, from the photo capture session, processing capture data to a control/game rig (the asset ready for animation).E xperience in creating realistic portraits, both from scan data and from scratchExperienced with facial rigging (blendshapes, bone base rigs or hybrid) and FACS (facial coding system.)Experienced with texturing for facial, including makeups.Experience with photogrammetry/ scanning/ PCAP tools and software.Knowledge & SkillsAble to create in-game realistic portraits from scratch.Strong anatomy knowledge.Strong understanding in creating character art assets in multiple major 3D and 2D packages (Zbrush, Maya/ 3DS Max, Photoshop, Substance) for console hardware (Xbox, PS, PC.)Excellent understanding of Physically Based Rendering system and techniques.Knowledgeable with skin and hair shaders and the ability to create in-game hair.Knowledgeable in processing raw head scan to a finished in-game asset.Possesses in-depth understanding of game engines, pipelines, and processes.Key AttributesRock solid communication across departments and problem-solving skills.Proven ability to thrive in a challenging and often ambiguous environment.Takes direction well and can confidently give clear concise directionWillingness to improve and learn new skillsAble to work under pressure and meet production deadlinesYour PlatformSledgehammer Games is a leading developer in the video game industry, best known for its work on the Call of Duty franchise. Since our inception in 2009, the studio has delivered iconic titles like including Call of Duty: Advanced Warfare, Call of Duty: WWII (2017), and, most recently, Call of Duty: Modern Warfare III.As industry leaders in first-person shooter development, our commitment to excellence is reflected in every detail of our games, from highly polished multiplayer experiences to emotionally engaging single-player campaigns. At Sledgehammer Games, we believe in pushing boundaries, redefining the possibilities of interactive storytelling, and setting new standards for visual and gameplay fidelity. Together, we aim to deliver world-class gaming content that continues to set the bar for quality, innovation, and player engagement.We are excited to invite a talented and passionate developer to join our growing team as an Expert Head Artist based in our Canadian studio. In this role, you will work collaboratively with our talented teams across the globe, including our locations in the United States, Australia, Canada, and the United Kingdom. If you're ready to be part of a dynamic and collaborative environment where your skills can make a real impact, we invite you to explore career opportunities with us.To learn more about our studio, please visit us at www.sledgehammergames.com .Our WorldAt Activision, we strive to create the most iconic brands in gaming and entertainment. We’re driven by our mission to deliver unrivaled gaming experiences for the world to enjoy, together. We are home to some of the most beloved entertainment franchises including Call of Duty®, Crash Bandicoot™, Tony Hawk’s™ Pro Skater™, and Guitar Hero®. As a leading worldwide developer, publisher and distributor of interactive entertainment and products, our “press start” is simple: delight hundreds of millions of players around the world with innovative, fun, thrilling, and engaging entertainment experiences.We’re not just looking back at our decades-long legacy; we’re forging ahead to keep advancing gameplay with some of the most popular titles and sophisticated technology in the world. We have bold ambitions to create the most inclusive company as we know our success comes from the passionate, creative, and diverse teams within our organization.We’re in the business of delivering fun and unforgettable entertainment for our player community to enjoy. And our future opportunities have never been greater — this could be your opportunity to level up.Ready to Activate Your Future?We love hearing from anyone who is enthusiastic about changing the games industry. Not sure you meet all qualifications? Let us decide! Research shows that women and members of other under-represented groups tend to not apply to jobs when they think they may not meet every qualification, when, in fact, they often do! We are committed to creating a diverse and inclusive environment and strongly encourage you to apply.We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, gender identity, age, marital status, veteran status, or disability status, among other characteristics.We are committed to working with and providing reasonable assistance to individuals with physical and mental disabilities. If you are a disabled individual requiring an accommodation to apply for an open position, please email your request to accommodationrequests@activisionblizzard.com. General employment questions cannot be accepted or processed here. Thank you for your interest. Create Your Profile — Game companies can contact you with their relevant job openings. Apply

Eight years ago, Simon Whittaker, head of cyber security at Belfast-based consultancy Instil, narrowly avoided having his front door smashed in by the Police Service of Northern Ireland (PSNI) (see photo of warrant below) and was only saved from an expensive repair job because a relative was home at the time. Whittaker was the innocent victim of a misunderstanding that arose when his work as a cyber security professional butted heads with legislation contained in the UK’s Computer Misuse Act (CMA) of 1990 that at first glance seems sensible. “What happened to me is that we were working with a client who was working with an NHS Trust, demonstrating some of their software,” he explains. “Their software picked up information from various dark web sources and posted this information on Pastebin.” This post was made on Tuesday 9 May 2017 (remember this date – it’s important) and the information contained several keywords, including “NHS” and “ransomware” (see screenshot of Pastebin page below). This accidental act was enough to trip alarm bells somewhere in the depths of Britain’s intelligence apparatus. The National Crime Agency (NCA) got involved, emails whizzed back and forth over the Atlantic to the Americans. Unbeknownst to Whittaker and his family, a crisis was developing. “We ended up with eight coppers at our door and a lot of people very upset,” says Whittaker. “It cost us about £3,000 in legal fees, when all that had happened was a few words had been posted on Pastebin. “We talk about using a sledgehammer to crack a nut, but it’s quite accurate, inasmuch as they had identified the smallest amount of evidence – that wasn’t even evidence because nothing happened – but it was enough.” And the punchline? It just so happens that the posts were identified on Friday 12 May as part of the investigation into the WannaCry attack, which caused chaos across the NHS. Whittaker’s home was raided the following Monday. So, what is the CMA, and how did it almost land Whittaker in the nick? It’s a big question that speaks not only to his unpleasant experience, but to wider issues of legal overreach, government inertia and, ultimately, the ability of Britain’s burgeoning cyber security economy to function to its full potential. Indeed, the CyberUp campaign for CMA reform estimates that the UK’s security firms lose billions every year because the CMA effectively binds them. In a nutshell, it defines the broad offence of Unauthorised Access to a Computer. At face value, this is hard to argue with because it appears to make cyber crime illegal. However, in its broad application, what the offence actually does is to make all hacking illegal. As such, it is now woefully outdated because it completely fails to account for the fact that, from time to time, legitimate security professionals and ethical hackers must access a computer without authorisation if they are to do their jobs. “It’s so frustrating, the idea that there’s a piece of legislation that’s been around for so long that was originally brought in because they didn’t have any legislation,” says Whittaker. “Somebody broke into Prince Philip’s email account, a BT account, and they didn’t have any legislation to do them under, so they got them under the Forgery and Counterfeiting Act.” Whittaker is referring to a 1985 incident in which security writer and educator Robert Schifreen hacked the BT Prestel service – an early email precursor – and accessed the Duke of Edinburgh’s mailbox. Schifreen’s archive, preserved at the National Museum of Computing, reveals how he hacked Prestel to raise awareness of potential vulnerabilities in such systems. In a 2016 interview, Schifreen told Ars Technica that he waited until after 6pm on the day of the hack to be sure that the IT team had gone home for the evening and couldn’t interfere. He even tried to tell BT what he was doing. The CMA was the Thatcher government’s response to this, and 35 years on, the offence of Unauthorised Access to a Computer is now at the core of a five-year-plus campaign led by the CyberUp group and backed in Parliament by, among others, Lord Chris Holmes. Whittaker says it is very clear that in 1990, it was impossible to predict that research would fall into the information security domain.  “Nobody expected there would be people open to bug bounties or to having their IT researched and investigated. I don’t think anybody back then realised that this was going to be a thing – and if you look at the underlying message of the CMA, which is, ‘Don’t touch other people’s stuff’, there is some sense to that,” he says. “But what the CMA doesn’t do is put any kind of allowance for research or understanding that there are cyber professionals out there whose job it is to try to break things, to try to keep the nation secure and organisations safe,” he adds. “The CMA was a piece of legislation that was very broad, and the idea that it’s still there after this amount of time, and hasn’t been adapted in accordance with the changes we’ve seen over the last 20, 25 years that I’ve been in the industry, is quite bizarre,” says Whittaker. “The legislation around murder hasn’t changed since 1861 in the Offences Against the Person Act. It’s not like the offence of murder has changed hugely since 1861, whereas the computing world has changed dramatically since 1990.” Cutting to the core of the problem, what the CMA does in practice is force security professionals in the UK to operate with one eye on the letter of the law and one hand tied behind their backs. Whittaker recounts another story from Instil’s archives. “We had a look on Shodan, and identified there was an open Elasticsearch bucket that was dropping credentials for a very large mobile phone and fixed-line provider in Spain. “Every time a new order came in, it dropped their data into this bucket, which then provided names, addresses, telephone numbers, bank details, lots of really interesting stuff,” he says. “We were very concerned about reporting this. Because we had found it, we were concerned there was going to be blame associated with us. Why were you looking? What were you doing? What was happening here? We engaged our lawyers to help us do that responsible disclosure to them. “We did it privately – we’ve never spoken about it to anybody, but we spoke with the organisation and they were ultimately very grateful. Their CISO was very understanding, but it still cost us about two grand in legal fees to be able to do it.” Whittaker can recount many other stories of how people who are just trying to do some public-spirited research into similar issues have had to either stop and not do it, or travel to another jurisdiction to do it, because of the CMA. To more deeply understand how the CMA hamstrings the UK’s cyber professionals, let’s go back in time again, this time to the early 2000s, when Whittaker, then working in software development, caught the cyber bug after a job took him to Russia following an acquisition. “One of the first things the Russians asked us was, “Have you ever had a security or pen test?’ We said, ‘No, but don’t worry, we’re really good at this stuff’, and within 20 seconds, they had torn us to pieces and broken us in multiple different ways. I was watching the test and I said, ‘That’s so cool, how do I work out how to do that?’” If the amendment comes, it will enable us to be able to compete and to protect ourselves and our citizens in a much better way Simon Whittaker, Instil About 20 years down the line, Whittaker’s company, founded as Vertical Structure, but now merging into InstilCrest-accredited penetration tester, and certified by the National Cyber Security Centre (NCSC) as a Cyber Essentials certifying body and an assured service provider for the Cyber Essentials programme. “We teach people how to break things. We teach people how to break into their own systems. We teach people how to break into their own cloud infrastructure, how to do threat modelling, so they can start to understand how to think about threats,” he explains. But in practice, this means Whittaker and his team are teaching people to do things that a court could argue is against the CMA in some way, shape or form, so in addition to the technicalities, he is also very careful to teach his clients all about the law and how to operate within its confines when brushing up against hard limits. “The pieces of paper have to be signed, the scope has to be agreed on,” says Whittaker. “When we’re teaching juniors, we spend probably half a day going through the CMA and detailing to them exactly how nervous they have to be about this stuff, making sure they are aware of it. “It is definitely at the forefront of our minds. And if there is a breach in scope, you stop. You contact the client and say, ‘Listen, we’ve scanned too many IPs, we’ve done this, we’ve done that’. You speak to the client regularly about making sure that doesn’t happen. “In all of our considerations, we would rather pull back on the project rather than risk hitting a third party when we’re pen testing,” says Whittaker. He looks, maybe a little wistfully, to the work of security researchers at larger US or Israeli security organisations that have a little leeway in such things, or to the work of those in more lenient jurisdictions, such as the Baltics, where the cyber research wings of prominent virtual private network providers churn out large volumes of research, often on big flaws in consumer technology. “You hear, for instance, stories about broadband provider X that sent this box that is rubbish and can be accessed remotely. I can hack all of those things, but I can’t go and do the research in a responsible, formal way, because if I do, I run the risk of being arrested or sued,” he says. “It’s really frustrating for smaller organisations like ourselves. We want to be able to do this research. We want to be able to help. We want to be able to provide this information. But it’s very complicated.” The Computer Misuse Act is currently up for reform as part of a wider Home Office review of the act, but progress has been shaky and stalled out several times thanks to the Covid-19 pandemic and the successive collapses of Boris Johnson’s and Liz Truss’s governments. It’s frustrating for smaller organisations like ourselves. We want to be able to do this research. We want to be able to help. We want to be able to provide this information. But [the law makes it] very complicated Simon Whittaker, Instil Cut to 2024 and a new Labour government, and things seemed to be moving again. But then in December 2024, attempts by Lord Holmes and other peers to have the Data (Access and Use) Bill amended to introduce a statutory defence for cyber professionals were rebuffed by the government, with under-secretary of state at the Department for Science, Innovation and Technology (DSIT) Baroness Margaret Jones saying reform was a complex issue. The government is considering improved defences through engagement with the security community, but Jones claims that to date, there is no consensus on how to do this within the industry, which is holding matters back. More recently, science minister Patrick Vallance weighed in after police highlighted their concerns that allowing unauthorised access to systems under the pretext of identifying vulnerabilities could be exploited by cyber criminals. He said: “The introduction of these specific amendments could unintentionally pose more risk to the UK’s cyber security, not least by inadvertently creating a loophole for cyber criminals to exploit to defend themselves against a prosecution.” But after many years and frequent engagement with the government, the campaigners, while keeping things civil, are clearly frustrated – and understandably so. They want things to be moving faster. Whittaker says reform would be the difference between night and day for his security practice. “It would allow us to be more secure in our research. I’d love to be able to just look at things in more detail and help people secure themselves. It would allow us to focus on our jobs instead of being worried that we’re going to breach something or that something else is going to go wrong. It would be a step change from what we currently see – that ability to perform in a useful way,” he says. “All we are trying to do is give our teams, these experts that we have right here in Belfast and around the country, the ability to be able to compete on a global scale. If the amendment comes, it will enable us to be able to compete and to protect ourselves and our citizens in a much better way,” he concludes. And when all is said and done, isn’t keeping the UK safe in the ever-changing, ever-expanding threat landscape more important than enforcing a blanket definition of hacking as an illegal act when cyber criminals around the world know full well they’re breaking the law and simply don’t give a damn? Timeline: Computer Misuse Act reform January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming. June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws. November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs. May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world. June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work. August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform. September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution. January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990. February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed. March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers. November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress. July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting. July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work. December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster. December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee. January 2025: Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit.