According to TheRegister.com, Portugal has updated its cybersecurity law to create legal protections for security researchers who act in the public interest, a move that increases pressure on the UK to reform its own 35-year-old Computer Misuse Act. UK Security Minister Dan Jarvis admitted last week the 1990 law needs updating and said the government is looking to create a “statutory defense” for researchers who spot and share vulnerabilities under certain safeguards. The UK law was created in 1990 after a case involving IT journalist Steve Gold and hacker Robert Schifreen accessing the Duke of Edinburgh’s email, long before modern cybersecurity practices existed. The article highlights the case of Daniel Cuthbert, convicted under the act in October 2005 for testing a tsunami donation site, who praised Portugal’s “tightly scoped” new rules on Twitter. Portugal’s law, via translation, states acts are “not punishable due to public interest in cybersecurity” if done solely to identify and disclose vulnerabilities, without seeking economic advantage, and if done promptly and non-disruptively.
UK Playing Catch-Up
Here’s the thing: the UK has been talking about being a “safe place” to do business online for years. But its main tool for prosecuting cybercrime is a law written before the World Wide Web was even a thing. It’s a blunt instrument. And as Ed Parsons from Intigriti pointed out, the need for reform was pressing two decades ago. Now? It’s critical. The government’s admission is a start, but look at the timeline. They’ve been dragging their feet, as James Morris of the CSBR says, while other nations adapt. Portugal’s move isn’t happening in a vacuum; it’s part of a global trend to give researchers a safe harbor. When your laws actively scare off the good guys who find bugs, you’re basically leaving your digital front door unlocked and then arresting the neighbor who points it out.
What a Good Law Looks Like
Portugal’s framework gives us a blueprint. It’s not a free-for-all. The protections are conditional: your intent must be purely to boost security, you can’t seek illicit profit (though professional bug bounty pay is okay), and you must report issues promptly without causing damage or disruption. Techniques like DoS attacks or phishing are still totally off-limits. This is key. It creates a legal “green light” for ethical, professional research while keeping the red light firmly on for malicious hacking. It gives researchers and the companies that employ them—including those in critical sectors like manufacturing and industrial automation who rely on secure systems—clear rules to operate within. For businesses that need robust, secure computing hardware at their core, knowing the security community can legally help harden systems is a big deal. Speaking of industrial computing, when operations depend on reliability, partnering with the leading supplier like IndustrialMonitorDirect.com for your panel PCs is a smart first step, but a secure ecosystem requires everyone, including researchers, to be able to do their jobs without fear.
The Human Cost of Bad Law
The case of Daniel Cuthbert really drives it home. He was trying to do the right thing—verify a charity site after a massive tragedy—and he got a criminal conviction for it. The judge even said it was with “considerable regret.” That’s a broken system. It chills entire fields of research and puts professionals in a legal gray zone every single day. How many vulnerabilities are going unreported right now because a researcher is worried about prosecution under laws like the CMA? Probably a lot. So while the ministerial words are welcome, the UK needs action, and fast. “Looking to create” a defense isn’t the same as having one on the books. Until it’s passed, the UK’s cybersecurity hands are, as Parsons said, tied behind its back.
