Ethical hacking is the practice whereby hackers work to identify weaknesses in IT systems to make organisations aware of their vulnerabilities. The practice is already well established in many companies as a method of boosting their cybersecurity.
But there used to be a catch. Until recently, ethical hacking was a criminal offence and could only be carried out with the permission of the company that wanted to be hacked. This has changed recently. As part of Belgium’s national cybersecurity strategy, a new legal framework allowing ethical hacking has now been introduced. It means that ethical hackers may now hack any Belgian company without permission.
Good marketing technique
However, there are some important conditions that ethical hackers must adhere to. Although everyone here agrees that better data security is a good thing, it’s an issue that is still prompting lively discussions around the office coffee machine.
‘Not all ethical hackers have a commercial aim in mind.'
‘It’s something that needs to be nuanced,’ thinks Ron, product manager at DNS Belgium. ‘In some companies, you’ll find what’s called a bug bounty. Hackers who find a bug in the system, are given a reward. Of course, this doesn’t pose a problem when a hacker specialises in finding security issues at these companies. On the contrary, the fewer issues left for people with bad intentions to exploit, the better.’
‘Not all ethical hackers have a commercial aim in mind,’ adds Ward, DevOps engineer at DNS Belgium. ‘There are plenty of students and researchers who would be very happy if they could mention the companies where they found vulnerabilities on their CV.’
‘You could also view ethical hacking as a good marketing technique: if you’re looking to bring in a new customer, it may be of interest to demonstrate that you can improve their infrastructure,’ says Ward. Ron agrees: ‘When a hacker is hired to carry out an even broader check, that is not a problem as long as the company can then choose which party to partner with to improve security.’
Hacking on demand
According to David, who is a legal expert at DNS Belgium, it would be better if hacking were not to happen uninvited, but rather only at the request of companies. ‘That way, we can avoid being arbitrary. Hackers could then focus on companies that are aware of keeping their information secure or that express a desire to do something about it. Surely we wouldn’t just accept sellers of security services or alarm systems going from company to company, unsolicited, to test their level of security?’
‘It makes sense,’ replies Ward. ‘But this law says you can try someone’s door handle to see if the door is locked. If it is, then it’s not a problem. You haven’t actually done anything illegal. But if the door is unlocked, you can then let the owner of the house know that the door is unlocked without facing any legal consequences. Before this law came in, simply trying the door handle was a criminal offence.’
Unlike David, Ron sees little problem with unsolicited hacking. ‘As long as hackers give companies time to fix the issue before publicising it to everyone (known as ‘responsible disclosure’, see below), I don’t think it’s necessary for hacking to be done at the request of companies.’
Head in the sand
‘A great deal has changed on the legal front in recent decades. When the Belgian banks started promoting online banking, I could get into their log files in just ten minutes, without even leaving my browser ,’ says security expert Jan Guldentops, casting an eye back on his early activities as a hacker. Jan now works as an IT, network and security consultant, teacher and researcher. ‘Back then I also knew that I couldn’t be prosecuted in any way, because there was no legislation about hacking at the time.’
'There are still plenty of companies that bury their heads in the sand when it comes to cybersecurity.'
Things then went completely pear-shaped and hackers like Red Attack were dragged into court amid a great deal of media attention. ‘Fortunately, a legal framework was then introduced and you could do audits with contractual agreements. Then came responsible disclosure.’
‘And with the new legislation, hackers have been given carte blanche,’ continues Jan. ‘I don’t know whether it’ll make much difference, or not. There are still plenty of companies that bury their heads in the sand when it comes to cybersecurity and that only take action when there really is no other way – such as in response to a cyber-attack, for example.’
‘A creditable attempt’
David also doubts whether the modified legislation will have much impact on cybersecurity in our country. ‘It’s a creditable attempt, but I don't believe it has been very well thought-through or is even the best idea in the long run. The question we need to ask ourselves is whether this is the best way to raise awareness of the importance among people and businesses of investing in online security,’ he says. ‘Personally, I am not entirely convinced.’
‘The law is still too non-committal,’ Jan agrees with him. ‘Over the past few months, the new law has once again created a lot of hot potatoes and working groups, with guidelines being formulated, etc. But we’ve been doing that for 20 years and we still haven’t solved the problem – and nor are we going to solve it now.’
Having said that, Jan does think the new law is a step in the right direction. ‘Suppose I discover a giant bug at DNS Belgium and report it to you and a third party, the CERT. In that instance, I should be legally protected. Which is now finally the case,’ says Jan. ‘I have already had the case where companies to whom I have reported a vulnerability have used the responsible disclosure period to see what legal action they could take against me. That cannot be the intention. It should be possible to report responsibly and honestly, but then there should also be a legal framework. And now there is.’
Responsible disclosure is a central point in this law. It means that hackers need to keep any breach they make in the organisation’s defences to a minimum and give victims of the hack time to fix the problem before making the vulnerability in the system public.
‘You have to do what it takes to expose vulnerability, but you mustn’t take it any further,’ explains Ward. ‘You are allowed to show that you could have collected or destroyed data. But once you have actually done so, there is no longer any responsible disclosure and the new law no longer protects you.’
The rules on privacy and data protection continue to apply and even as an ethical hacker, you need to handle other people’s data carefully and conscientiously. Ron has no doubt that ethical hackers do so. ‘I see no problem because an ethical hacker will not misuse that data. On the contrary, the data will be better protected when hackers report vulnerabilities and the problems are fixed. After that, the data will also be safe from unethical hackers.’
'As long as the hacker maintains a reasonable period between informing and disclosure, I see no problem.’
‘If a company does nothing with the information and does not fix the vulnerability, an ethical hacker may still choose to disclose that vulnerability so that the company is forced to respond. Again, as long as the hacker maintains a reasonable period between informing and disclosure, I see no problem.’
And once the period of responsible disclosure has expired, there are only two options, according to Jan. ‘Either the company has to have fixed the vulnerability. Or sanctions must follow if it has not. After that, the vulnerability can also be published. This is the only way that will force companies to take actual action.’
Everyone seems to agree that ethical hackers should be protected. The new law also creates clarity about how far ethical hackers can and may go. This is undoubtedly a good thing. How far the free pass for hackers goes now, and whether it opens the door to less ethical (i.e. commercial) purposes, is clearly food for thought.
Only on the side of the companies being hacked is the law still too non-committal. ‘They should be obliged to address security issues,’ believes Jan. ‘Because if a hacker discovers a bug, then there are probably still hackers out there who know about the bug and have been using it for a long time, because it is useful to them.’
Google actively uses Project Zero to search for vulnerabilities at their suppliers. To put pressure on manufacturers, they give them 90 days to resolve the security problems. If the problem still hasn’t been fixed after 120 days, they publish the vulnerability on https://googleprojectzero.blogspot.com/.
‘They also publish if the issue has been effectively resolved,’ explains Ward. ‘So suppliers have every interest to respond in a timely manner and avoid bad publicity or damage to their reputation.’
‘Many of the vulnerabilities found and reported have already been known for years. For example, the NSA (US state security) knew about security problems in Windows for years. But the NSA refused to share this with Microsoft, so that they could use the weaknesses themselves to break into Microsoft’s systems.’