Geo Focus: The United Kingdom
,
Geo-Specific
,
Legislation
Security Minister Dan Jarvis Endorses Security Researcher Protections
The U.K. government is considering amending its three-decade-old hacking law to include a “statutory defense” cover for security researchers, Security Minister Dan Jarvis said. The announcement comes amid concerns that the law penalizes white hat hackers for essential security practices such as participating in bug bounties.
See Also: How Payment Service Directive (PSD2) is Changing Digital Banking – Are You Ready?
Speaking at a Financial Times event on Wednesday, Jarvis said the government is looking at a “legal change to the Computer Misuse Act.” The regulation, codified in 1990, criminalizes unauthorized access to computer systems and data, heightening the legal risk for security research.
“These researchers play an important role in increasing the resilience of U.K. systems, and securing them from unknown vulnerabilities,” Jarvis said. “We shouldn’t be shutting these people out, we should be welcoming them and their work.”
The minister added that the government is considering a “statutory defense” mechanism under the law for security researchers to responsibly “spot and share vulnerabilities” without any legal risks.
British cybersecurity experts have pushed the government to amend the law, arguing the law stymies the British cybersecurity industry.
Different concerns about the law have come from insider government, with the National Crime Agency director general testifying before a parliamentary committee in 2023 that the outdated scope of the law prevents effective law enforcement actions (see: AI-Enabled Crimes Are Already Here, UK NCA Chief Says).
Although the Labour government in 2024 introduced Computer Misuse Act amendments that would have protected good-faith researchers as part of the Data Use and Access Bill that became law earlier this year, it didn’t obtain the necessary parliamentary support to move forward (see: Proposed UK White Hat Legal Shield Fails in House of Lords).
A spokesperson for the Cyber-Up campaign, a coalition lobbying the government to introduce the CMA updates, said the latest statement from the minister “sends a clear signal” that the government “understands the importance of enabling security researchers to operate without fear of prosecution for legitimate work.”
Verona Johnstone-Hulse, the head of government affairs at NCC Group and a long-term campaigner calling for the CMA revision, said it is vital for the industry to ensure that the proposal is enacted with extended protection to threat intelligence.
“Without a 21st-century legal framework, the very people working to protect us in cyberspace face legal jeopardy,” Johnstone-Hulse said.
