{"id":6170,"date":"2025-12-11T00:54:07","date_gmt":"2025-12-11T00:54:07","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6170"},"modified":"2025-12-11T00:54:07","modified_gmt":"2025-12-11T00:54:07","slug":"making-cybercrime-illegal-wont-stop-it-making-cybersec-research-legal-may","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6170","title":{"rendered":"Making cybercrime illegal won\u2019t stop it; making cybersec research legal may"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Hacking into computer systems is illegal in many countries \u2014 even if you\u2019re a cybersecurity researcher figuring out how to better defend systems. But Portugal has just introduced an exemption for researchers, and the UK is thinking of doing so too.<\/p>\n

Last week, British security minister Dan Jarvis<\/a> set out a new approach to combatting computer crime<\/a>, highlighting the damage that security breaches have done to the UK economy and emphasizing the importance of computer security researchers. The next day, the Portuguese parliament passed an act<\/a> giving more protection to the same group.<\/p>\n

In his speech, Jarvis explained how the UK\u2019s 1990 Computer Misuse Act<\/a> had outlived its usefulness, stating, \u201cit can leave many cyber security experts feeling constrained in the activity that they can undertake. These researchers play an important role in increasing the resilience of UK systems, and securing them from unknown vulnerabilities. We shouldn\u2019t be shutting these people out, we should be welcoming them and their work.\u201d<\/p>\n

He went on to say that the government is looking to upgrade current legislation. \u201cWe are looking at a legal change to the Computer Misuse Act.\u00a0This would create a \u2018statutory defense\u2019 for these researchers to spot and share vulnerabilities, which would protect them from prosecution, as long as they meet certain safeguards.\u201d<\/p>\n

The Portuguese legislation also offers a degree of protection to security researchers, provided that they don\u2019t seek to gain financial advantage and don\u2019t breach data protection laws.<\/p>\n

These updated approaches from the UK and Portugal are in line with other countries\u2019 statutory protection for researchers; the Netherlands, France and Belgium have all introduced similar guidelines.<\/p>\n

Jarvis\u2019s proposals have been warmly received by the security industry.\u00a0Charlotte Wilson<\/a>, head of enterprise business, UK and Ireland at Check Point Software, said that the Computer Misuse Act was outdated and not fit for purpose. \u201cAs it stands, it treats security researchers in much the same way as cybercriminals, even when they are acting in good faith to strengthen defenses rather than undermine them,\u201d she pointed out.<\/p>\n

But, she added, \u201cthe solution is relatively simple: create a legal safe space that allows researchers to test systems and report vulnerabilities responsibly, without fear of prosecution. Portugal has recently taken this important step by introducing clear rules for good-faith testing and a framework for responsible disclosure. It\u2019s a pragmatic model that recognizes the essential role researchers play in identifying and fixing security weaknesses and something the UK should seriously consider adopting.\u201d<\/p>\n

Wilson stressed, however, that organizations should not be entirely dependent on government action; businesses could also take steps to help researchers. \u201cThey should publish\u00a0a clear vulnerability disclosure policy that outlines how researchers can safely report issues; respond swiftly\u00a0to vulnerabilities and define boundaries\u00a0by being transparent about what testing is permitted, how to report findings, and what the process entails.\u201d<\/p>\n

Her views were echoed by Dray Agha<\/a>, senior manager of security operations at\u00a0Huntress. \u201cOrganizations can support the process by rewarding responsible disclosure, avoiding knee-jerk legal threats, participating in community initiatives, and advocating for reforms that strike the right balance between preventing abuse and enabling legitimate research,\u201d he said.<\/p>\n

He added that the government should ensure that researchers are fully protected, calling for an independent oversight body to validate and support responsible research. \u201cThis could provide rapid advisory opinions, mediate disclosure disputes, and issue assurance letters so researchers are not left exposed when organizations are slow or uncooperative.\u201d<\/p>\n

And, he noted, companies are often slow to disclose security breaches, something which needs to change. \u201cUser organizations should be legally obliged to maintain a disclosure channel, acknowledge reports promptly, and work within a set remediation window. This lifts the burden from researchers and reduces the grey zone where they feel legally at risk,\u201d he said.<\/p>\n

This will be music to the ears of Dan Jarvis, who, in his speech, stressed the need for co-operation. \u201cThis work is not the responsibility of the government alone,\u201d he said. \u201cWe need a whole of society approach. We can only create a proper deterrence through partnership, which is why the government and business are working together to improve our security. For too long, businesses and politicians have been under the misapprehension that cyber investment is a drag on growth.\u00a0But this is a mistake.\u00a0Cyber security keeps us safe \u2013 and is a key enabler of growth.\u201d<\/p>\n

Jarvis\u2019s speech is only a precursor to any legislation, but it is clear that the UK is set to go down the path that other countries have taken, finally giving security researchers their day in the sun.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Hacking into computer systems is illegal in many countries \u2014 even if you\u2019re a cybersecurity researcher figuring out how to better defend systems. But Portugal has just introduced an exemption for researchers, and the UK is thinking of doing so too. Last week, British security minister Dan Jarvis set out a new approach to combatting […]<\/p>\n","protected":false},"author":0,"featured_media":6171,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6170"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6170"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6170\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6171"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}