Ethical Hackers – Is hacking a crime even if it is well intentioned? – News
A new legal opinion shows how ethical hackers can remain unpunished. But the framework is very narrow.

Criminal hackers have rarely been mentioned in the media as often as in the last few weeks, because hacker attacks are increasing. But there are also good hackers: cybersecurity specialists who look for and report vulnerabilities.

Both the companies and organizations in which vulnerabilities are discovered and their customers and employees benefit from such ethical hackers. But legally, ethical hackers are treading on thin ice.

Legal position: what applies

According to the Criminal Code, hacking is explicitly forbidden. The so-called “hacker paragraph” criminalizes any attempt to penetrate a data processing system. It doesn’t matter whether damage was done, whether something was stolen, or whether the hackers had good intentions.

A new legal opinion, which the National Cybersecurity Testing Institute (NTC) commissioned, now shows that there is a very narrow path that ethical hackers can walk in order to remain unpunished. This is where the “justifiable state of emergency” comes into play: anyone who commits a crime in order to avert an even worse danger will not be punished. This means that anyone who hacks a system in order to prevent a criminal hacker attack can possibly get away with it without being punished.

The justifying state of emergency


Criminal Code Art. 17

Any person who commits a punishable act in order to save their own or another person’s legal interests from an immediate danger that cannot be otherwise avoided is acting lawfully if they are thereby safeguarding higher-ranking interests.

What are these circumstances? This requires a very careful approach: the target must be chosen consciously, the potential damage from an attack would have to be extremely large, and there must be evidence that a vulnerability actually exists.

Simply looking around a system and trying things out a bit, as many hobby hackers do, is not an option. Everything has to be carefully planned and documented so that it can be credibly presented to the court in the event of an indictment – because whether the state of emergency actually justifies the act is ultimately at the court’s discretion.

What does that mean?

What are the consequences of this legal opinion for ethical hackers in Switzerland?

For hobby hackers, justification by the state of emergency is probably not an option. It requires too much effort, and the uncertainty remains too great. So ethical hackers should continue to focus on companies that explicitly work with ethical hackers. Anyone who finds a weak point in a company or organization where this is not the case could, in the worst case, end up in court.

For companies, this means: in order to be able to profit from ethical hackers, one must set up a responsible disclosure program – or, even better, a bug bounty program. Otherwise you run the risk of not finding out about vulnerabilities, even if a hacker has found them.

And for the NTC, which commissioned the report, this means: it can start with proactive tests of important systems. Very cautious and limited, but still.

Belgium is leading the way

Belgium shows that things could be done differently: since the beginning of the year, the law there has expressly allowed ethical hackers to hack Belgian companies – provided they proceed in a proportionate manner and report the vulnerabilities found immediately.
