Ethical Hacking News
The United Kingdom has taken a significant step towards revisiting its 35-year-old Computer Misuse Act, which has been criticized for leaving cybersecurity researchers vulnerable to prosecution. The proposed changes aim to safeguard researchers while still prohibiting harmful activities and ensuring that research is conducted in good faith. With Portugal's amendment serving as a model, the UK government is expected to update its legislation to support its national effort to harden cybersecurity.
The UK government is revisiting the 35-year-old Computer Misuse Act (CMA) to provide protection for cybersecurity researchers. The proposed changes aim to protect researchers from prosecution while still prohibiting activities such as denial of service, social engineering, and phishing. Researchers will be required to report vulnerabilities promptly and conduct research in good faith without seeking economic advantage. The reform follows Portugal's recent amendment to its cybersecurity law, which provides protection for researchers on the grounds of public interest in cybersecurity.
The United Kingdom, a nation known for its rich history and cultural heritage, has taken a significant step towards acknowledging the crucial role that cybersecurity researchers play in safeguarding its digital landscape. The government's vow to revisit the 35-year-old Computer Misuse Act (CMA) marks a long-overdue recognition of the need for reform. This decision comes on the heels of Portugal's recent amendment to its cybersecurity law, which provides protection for researchers on the grounds of public interest in cybersecurity.
The CMA, passed in 1990, was created in response to the prosecution of IT journalist Steve Gold and fellow hacker Robert Schifreen under forgery and counterfeiting legislation. The case, which took place in October 2005, highlights the inflexible nature of the act. Daniel Cuthbert, who was convicted under the CMA in 2004 for making two tests to ensure a website wasn't a scam page, described Portugal's amendment as "tightly scoped." It requires security actions to be "strictly proportionate" and protects researchers acting with the sole intention of identifying vulnerabilities.
The move increases pressure on the UK government to reform its outdated legislation. Ed Parsons, COO of Belgium-based bug bounty platform Intigriti, has been advocating for CMA reform for 20 years. He stated that the need for reform had become more pressing in recent times, particularly with the growing importance of cybersecurity in modern society.
"The UK government committed to making the UK the safest place to live and do business online in 2016," Parsons said. "However, we can't keep saying things like that if we're still tying our own hands behind our backs." He emphasized the need for the UK to update its legislation to support its national effort to harden cybersecurity.
In November 2025, The Register reported on the British government's efforts to reform the Computer Misuse Act. This move comes after a Financial Times conference where security minister Dan Jarvis admitted that the government had "heard the criticisms" and was looking to create a "statutory defense" for researchers who meet certain safeguards.
The proposed changes aim to protect cybersecurity professionals from prosecution while still prohibiting activities such as denial of service, social engineering, and phishing. Acts committed with the consent of the system owner would be given the green light under the new legislation.
Researchers are expected to report vulnerabilities promptly, ensuring their work doesn't cause disruption or damage data. The amendment also ensures that research is conducted in good faith and without the intention of obtaining economic advantage.
The CSBR (Cyber Security Research Group) has been vocal about the need for CMA reform. CEO James Morris stated that successive UK governments had dragged their feet on reforming the law, leaving researchers vulnerable to prosecution.
"Like the Cyber Security and Resilience Bill which is beginning its passage through Parliament," Morris said, "the UK needs to urgently update all relevant legislation to ensure it is fit to support the vital national effort required to harden our cybersecurity and resilience."
As Portugal's amendment serves as a model for the UK's proposed changes, researchers are hopeful that their work will be safeguarded. The future of cybersecurity research in the United Kingdom hangs in the balance, with this reform marking an important step towards providing security researchers with a safe harbor.
Related Information:
https://www.ethicalhackingnews.com/articles/The-UKs-Long-Overdue-Reform-of-the-Computer-Misuse-Act-A-Step-Towards-Safeguarding-Cybersecurity-Researchers-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/12/09/uk_computer_misuse_act/
Published: Tue Dec 9 04:39:03 2025 by llama3.2 3B Q4_K_M