Is it always bad when you get hacked?

Cybersecurity experts have uncovered a serious security vulnerability that allowed anyone to obtain vaccination certificates. This event opened a discussion on the topic of so-called ethical hacking. Can hacking be ethical and legal? It can, under certain conditions.

Very few applications and software products are created without the need for further patching and removal of security vulnerabilities. Updates to our computers and mobile devices typically remove a large number of identified vulnerabilities with every single update we install. 

Who are ethical hackers

Although we now associate the word hacker with someone who acts illegally and tries to gain access to someone else’s computer or data through various types of attacks, this may not always be the case. The attackers we usually think of as hackers are also referred to as black hats in the cybersecurity community. 

However, there are also professionals and communities of people who prefer to report vulnerabilities they discover rather than exploit them. These people, also called ethical hackers, have become a very important component of improving the security of software products. This has led nowadays to the introduction of programs or the organization of special competitions (such as Pwn2Own) by large software companies to improve the security of their products and to reward people who have helped them to do so. In addition to organising competitions, companies often hire ethical hackers. In this case, we are talking about so-called software penetration testing, which aims to penetrate the system and reveal its vulnerabilities. 

Google even has a group of people (Project Zero) who focus on finding vulnerabilities in various software of Google as well as of other companies. Here, however, they take a different approach and give developers 90 days to patch vulnerabilities and then make them public after that time has elapsed. The aim is to put pressure on software developers to remove vulnerabilities in the shortest possible time, thus minimising the time for black-hat hackers to discover them.

What makes this approach interesting for us, the ordinary users? For example, if someone finds a vulnerability in a healthcare system and reports it to its creators, the latter can remove it. Otherwise, it could happen that someone else comes along and, by exploiting this vulnerability, learns details about our health status or manipulates our medical records. Such cases are happening more and more frequently in the world, and especially during the pandemic period, a number of hospitals, particularly in the US, have been the target of hacker attacks. 

For the sake of completeness, it should be added that there are also so-called grey hats. They search for vulnerabilities without the consent of the system owner, but their aim is not (as with ethical hackers) to exploit the vulnerabilities found, but to draw attention to them. Most of the time they want to get some reward for themselves, they are trying to understand the working principle of the system or they just want to help improve security if they succeed in discovering a new vulnerability.

Ethical hacking in a nutshell

How does this process work? We certainly wouldn’t want a vulnerability to be made public as soon as it is discovered. We need to patch it, otherwise someone else could use the disclosed vulnerability as a guide to break into systems. 

So, by default, ethical hackers will wait until a company has remediated the reported vulnerabilities before disclosing their impact, how they discovered them, and usually what exploits they may have led to. 

The criminal law dimension of ethical hacking

Although the conduct of ethical hackers itself fulfils the elements of computer crimes such as the unauthorised processing of personal data or unauthorised access to a computer system, it may not be illegal from a criminal law perspective.

There are at least two ways to justify ethical hacking as lawful conduct. The first way is to apply one of the circumstances, which if it occurs, the conduct is not considered a criminal offense (the so-called circumstance precluding illegality).

One of the circumstances precluding illegality is the performance of a right or obligation, which may include the performance of obligations under contracts. This will often be the case for ethical hacking, which is carried out on the basis of pre-agreed and concluded contractual terms (this means, for example, that a company hires an ethical hacker itself to carry out penetration testing of its systems, or organises a competition for such a purpose). 

The second way is to apply the so-called substantive corrective. Despite the fulfilment of the legal elements of the offence, its impact on society should also be taken into account. In the case of less serious offences (so-called misdemeanours), it is possible not to consider the conduct as a criminal offence, given the minor seriousness of the conduct. The use of substantive corrective allows such results. However, the substantive corrective cannot be interpreted arbitrarily, but takes into account certain criteria, such as the manner in which the act was carried out and its consequences; the circumstances in which the act was committed; or the degree of culpability of the perpetrator.

Imagine cases of ethical hacking carried out in the public interest, without the intention of damaging the computer system or causing any damage, in order to draw attention to security issues. At the same time, ethical hackers will not publish such events until the errors have been rectified. Such circumstances add to the fact that a material corrective may be applied.However, to our knowledge, the Slovak courts have not yet addressed ethical hacking. 

Someone has “ethically” hacked us – how to respond?

The “ethically” hacked entity should first of all verify the validity of the notification and communicate with the other party. If the rights and interests of individuals such as customers or citizens may have been compromised, transparency is absolutely key.

Communicating the vulnerability discovered and how it has been remedied should be the bare minimum in terms of transparency and trust.

At the same time, the notification of a security incident to the competent authorities or even to the individuals themselves is a requirement of a number of cybersecurity or data protection laws. Of course, the vulnerability should be remedied as soon as possible and similar situations should be prevented in the future by thoroughly testing the software at all stages of its development and maintenance, including penetration testing.