With a distinguished career spent on the front lines of corporate cyber defense, Malik Haidar has a unique perspective on the evolving relationship between hackers, corporations, and the law. He has seen firsthand how legal ambiguity can stifle the very research needed to protect critical systems. In our discussion, we explored the global shift toward creating legal “safe harbors” for ethical hackers, delving into the practical implications of new laws in places like Portugal, the operational hurdles these rules can create, and the fundamental differences between a highly prescriptive legal framework and a broader principles-based approach. We also touched upon the real-world constraints faced by researchers in the UK and how we might measure the success of these landmark legal reforms in the years to come.
Portugal’s new law requires researchers to avoid seeking economic advantage and prohibits specific methods like DoS attacks. Could you walk us through the step-by-step documentation process a researcher should use to prove their actions were “proportionate” and fully compliant with these strict legal bounds?
Absolutely. To navigate a law this specific, a researcher essentially has to become a meticulous legal archivist for their own work. The first step, even before you run a single line of code, is to create a detailed ‘scope of work’ document. This isn’t just a technical plan; it’s a legal declaration outlining your exact purpose, the specific systems you will test, and, crucially, the methods you will not use, explicitly referencing the prohibitions like DoS attacks or social engineering. As the research begins, you’d need to log every single action—every command entered, every response received, all time-stamped. This creates an irrefutable audit trail. It’s a painstaking process, but it’s how you build the case that your actions were “proportionate” and “strictly limited,” proving you never deviated from that initial, carefully defined mission.
The Portuguese amendment requires researchers to report findings to both the system owner and the data protection regulator, then delete the data within 10 days of a fix. Based on your experience, could you share an anecdote about the operational challenges this dual-reporting and tight deadline might create?
I recall a situation involving a complex vulnerability in a multinational’s e-commerce platform that spanned several jurisdictions. Just coordinating with the company’s internal legal, IT, and security teams was a monumental task that took weeks of meetings. Now, imagine adding a government data protection regulator to that mix. You’re suddenly dealing with two entirely different audiences with different priorities and reporting requirements. The company wants a technical deep-dive, while the regulator is focused on personal data impact. Then you have the 10-day deletion rule. In our case, the “fix” wasn’t a single patch; it was a phased rollout over a month. What does “fixed” even mean in that context? If we had been forced to delete all our research data 10 days after the first patch, we would have lost the crucial evidence needed to validate the subsequent fixes or answer follow-up questions from the regulator. It creates a logistical and legal nightmare.
The US revised its CFAA policy to protect “good faith” research, while Portugal’s law lists very specific, explicit rules. In your view, which approach—the specific Portuguese model or the broader American “good faith” standard—provides more practical clarity and confidence for security researchers in their daily work?
This is really the core debate, and it’s a classic trade-off between a rigid rulebook and a flexible guideline. Portugal’s approach, with its explicit list of prohibited actions, gives a researcher a clear checklist. You know precisely where the lines are drawn, which can be comforting. If you don’t perform a DoS attack or use phishing, you’re safe on that count. However, it can stifle creativity and may not account for novel research techniques. The American “good faith” standard, on the other hand, is far more empowering for the researcher. It trusts their judgment and allows for a wider range of methodologies. The problem is that “good faith” can be subjective. What a researcher considers good faith, a prosecutor might view differently after a breach. This ambiguity, while offering flexibility, can leave a lingering sense of legal risk that the Portuguese model, for all its rigidity, eliminates.
UK Security Minister Dan Jarvis stated that the Computer Misuse Act makes experts feel “constrained.” Could you describe a common, real-world research activity that is currently legally risky in the UK and explain exactly how a new “statutory defense” would change a researcher’s approach?
A perfect example is proactive threat hunting on a company’s public-facing infrastructure. Let’s say a major vulnerability like Log4j is discovered. A researcher in the UK might want to scan a range of UK-based company websites to see if they are vulnerable, with the full intention of responsibly disclosing their findings. Under the current Computer Misuse Act, that initial scan could be interpreted as an unauthorized access attempt, a criminal offense. This is what Dan Jarvis means by “constrained.” Researchers have the skills to help but fear prosecution. A statutory defense would fundamentally change this. It would allow that researcher to conduct the scan, knowing that as long as they act responsibly, cause no harm, and report their findings to the system owner, they are protected by law. It transforms the act from a potential crime into a legally recognized public service.
What is your forecast for this trend of creating legal safe harbors for security research?
I believe this trend is not only going to continue but accelerate, becoming a key indicator of a nation’s cybersecurity maturity. We are moving past the outdated view of all hacking as inherently malicious. In the next five years, I predict that having a clear, statutory safe harbor for security research will become a competitive advantage for countries. Nations that fail to adapt will experience a “brain drain” as top-tier security talent relocates to places like Germany, Portugal, or the US, where their work is protected. Furthermore, I expect to see a push towards international harmonization of these laws. As cyber threats are global, the legal frameworks protecting those who fight them must also become more standardized to allow for effective, cross-border collaboration without researchers fearing legal jeopardy every time their work crosses a digital border.
