Making cybercrime illegal won’t stop it; making cybersec research legal may

Hacking into computer systems is illegal in many countries — even if you’re a cybersecurity researcher figuring out how to better defend systems. But Portugal has just introduced an exemption for researchers, and the UK is thinking of doing so too.

Last week, British security minister Dan Jarvis set out a new approach to combatting computer crime, highlighting the damage that security breaches have done to the UK economy and emphasizing the importance of computer security researchers. The next day, the Portuguese parliament passed an act giving more protection to the same group.

In his speech, Jarvis explained how the UK’s 1990 Computer Misuse Act had outlived its usefulness, stating, “it can leave many cyber security experts feeling constrained in the activity that they can undertake. These researchers play an important role in increasing the resilience of UK systems, and securing them from unknown vulnerabilities. We shouldn’t be shutting these people out, we should be welcoming them and their work.”

He went on to say that the government is looking to upgrade current legislation. “We are looking at a legal change to the Computer Misuse Act. This would create a ‘statutory defense’ for these researchers to spot and share vulnerabilities, which would protect them from prosecution, as long as they meet certain safeguards.”

The Portuguese legislation also offers a degree of protection to security researchers, provided that they don’t seek to gain financial advantage and don’t breach data protection laws.

These updated approaches from the UK and Portugal are in line with other countries’ statutory protection for researchers; the Netherlands, France and Belgium have all introduced similar guidelines.

Jarvis’s proposals have been warmly received by the security industry. Charlotte Wilson, head of enterprise business, UK and Ireland at Check Point Software, said that the Computer Misuse Act was outdated and not fit for purpose. “As it stands, it treats security researchers in much the same way as cybercriminals, even when they are acting in good faith to strengthen defenses rather than undermine them,” she pointed out.

But, she added, “the solution is relatively simple: create a legal safe space that allows researchers to test systems and report vulnerabilities responsibly, without fear of prosecution. Portugal has recently taken this important step by introducing clear rules for good-faith testing and a framework for responsible disclosure. It’s a pragmatic model that recognizes the essential role researchers play in identifying and fixing security weaknesses and something the UK should seriously consider adopting.”

Wilson stressed, however, that organizations should not be entirely dependent on government action; businesses could also take steps to help researchers. “They should publish a clear vulnerability disclosure policy that outlines how researchers can safely report issues; respond swiftly to vulnerabilities and define boundaries by being transparent about what testing is permitted, how to report findings, and what the process entails.”

Her views were echoed by Dray Agha, senior manager of security operations at Huntress. “Organizations can support the process by rewarding responsible disclosure, avoiding knee-jerk legal threats, participating in community initiatives, and advocating for reforms that strike the right balance between preventing abuse and enabling legitimate research,” he said.

He added that the government should ensure that researchers are fully protected, calling for an independent oversight body to validate and support responsible research. “This could provide rapid advisory opinions, mediate disclosure disputes, and issue assurance letters so researchers are not left exposed when organizations are slow or uncooperative.”

And, he noted, companies are often slow to disclose security breaches, something which needs to change. “User organizations should be legally obliged to maintain a disclosure channel, acknowledge reports promptly, and work within a set remediation window. This lifts the burden from researchers and reduces the grey zone where they feel legally at risk,” he said.

This will be music to the ears of Dan Jarvis, who, in his speech, stressed the need for co-operation. “This work is not the responsibility of the government alone,” he said. “We need a whole of society approach. We can only create a proper deterrence through partnership, which is why the government and business are working together to improve our security. For too long, businesses and politicians have been under the misapprehension that cyber investment is a drag on growth. But this is a mistake. Cyber security keeps us safe – and is a key enabler of growth.”

Jarvis’s speech is only a precursor to any legislation, but it is clear that the UK is set to go down the path that other countries have taken, finally giving security researchers their day in the sun.
