Exemption from Punishment for Ethical Hacking: Legal Opinion Provides Clarity

On behalf of the National Test Institute for Cybersecurity (NTC), the law firm Walder Wyss has prepared a detailed legal opinion entitled "Criminal liability of ethical hacking". One of its findings is that ethical hacking is exempt from punishment if certain general conditions are met.

Image caption: Ethical hacking is not exempt from punishment a priori; certain conditions must be met for it to fall outside criminal law. A legal opinion now clarifies these conditions.

The National Test Institute for Cybersecurity (NTC) tests what is otherwise not tested: it examines digital products and infrastructures for vulnerabilities that are not tested at all, or not tested sufficiently, and does so even on its own initiative. The problem is that carrying out vulnerability analyses - where they involve an attempted or actual intrusion into a third-party data processing system (penetration tests) - potentially conflicts with the offence of hacking under Art. 143bis para. 1 of the Swiss Criminal Code. Under that provision, "anyone who, without authorization, gains access by means of data transmission equipment to a third-party data processing system that is specially secured against access" is liable to punishment. In short: without an express mandate and without consent, searching for security vulnerabilities is punishable under Swiss law as soon as the access protection of another party's system is breached, or an attempt is made to breach it. The Swiss Criminal Code also criminalizes the manipulation and modification of data.

Justifiable emergency

If criminal provisions are violated in the course of vulnerability analyses, justifiable necessity under Art. 17 StGB (Swiss Criminal Code) can be invoked under certain circumstances. Intrusion into a system is justified only if there are concrete indications that the system is affected by potential security vulnerabilities. In addition, the discovery and documentation of, and the information provided about, these vulnerabilities must serve the purpose of averting malicious access. On the subjective side, the person acting in a state of necessity must be aware of the emergency situation and must act in order to protect the threatened legal interest.

Publication of vulnerability assessment results

Before a detailed publication, the identified and documented security vulnerabilities should be fully remediated. Where this is not the case, the level of detail in the publication should be reduced to the information that is strictly necessary. This gives system users adequate warning and the opportunity to protect themselves.

By publishing the legal opinion, the NTC is contributing to the current National Cyber Strategy of the Swiss Confederation, which aims to institutionalize ethical hacking. The NTC, a testing and verification laboratory based in the canton of Zug, works closely with research institutions, private cybersecurity companies and international experts. It has existed since December 2020.

Source and further information: www.ntc.swiss

This article originally appeared on m-q.ch - https://www.m-q.ch/de/straffreiheit-von-ethical-hacking-rechtsgutachten-klaert-auf/
