Impunity of Ethical Hacking: Legal Opinion Clarifies

On behalf of the National Test Institute for Cybersecurity NTC, the law firm Walder Wyss has prepared a detailed legal opinion entitled "Criminal liability of ethical hacking". One result of the opinion is that ethical hacking is exempt from punishment if certain general conditions are met.

Ethical hacking is not a priori exempt from punishment. Certain conditions must be met for it not to fall under criminal law. A legal opinion now clarifies this. (Symbol image; Unsplash.com)

The National Test Institute for Cybersecurity NTC tests what is otherwise not tested. It examines digital products and infrastructures for vulnerabilities that are otherwise not tested, or not tested sufficiently, and does so on its own initiative where necessary. The problem: performing vulnerability analyses, insofar as they involve the (attempted or actual) penetration of another party's data processing system (penetration tests), potentially conflicts with the hacking offense under Art. 143bis para. 1 SCC. Under that provision, it is punishable "whoever by means of data transmission equipment unauthorizedly penetrates a third-party data processing system that is specially secured against his access". In short, without an explicit order and without consent, the detection of security vulnerabilities is punishable under Swiss law as soon as the access security of a third-party system is overcome or an attempt is made to do so. In addition, the Criminal Code makes the manipulation and alteration of data a punishable offense.

Justifiable necessity

If criminal norms are violated in the course of vulnerability analyses, justifiable necessity under Art. 17 SCC can be invoked under certain circumstances. The intrusion into a system is only justified if there are concrete indications that the system is affected by potential security vulnerabilities. In addition, the discovery, documentation and disclosure of these security vulnerabilities must serve the purpose of averting malicious access. From a subjective point of view, it is a prerequisite that the person acting in a state of necessity is aware of the emergency situation and acts to protect the threatened legal interest.

Publication of vulnerability assessment results

Before a detailed publication, the identified and documented security vulnerabilities should be completely eliminated. If this is not the case, the level of detail of the publication should be reduced to the information that is necessary. This gives system users adequate warning and the opportunity to protect themselves.

With the publication of the legal opinion, the NTC is making a contribution to the current National Cyber Strategy of the Swiss Confederation, which aims to institutionalize ethical hacking. The testing and verification laboratory in the canton of Zug works closely with research institutions, private cybersecurity companies and international experts. The NTC has been in existence since December 2020. 

Source and further information: www.ntc.swiss
