Ethical hacking is now allowed under Belgian law – Is your organisation ready?
Ethical hacking no longer illegal in Belgium
Cyber risks are skyrocketing and are only expected to increase in the coming years. Boston Consulting Group recently indicated that 85% of cybersecurity leaders are worried about the rise in attacks. It’s clear that cyber resilience has become a hot topic not only in board rooms but also for legislators, who are increasingly imposing additional obligations to reinforce the overall level of cyber resilience.
Whereas the implementation of automated vulnerability scans and penetration testing policies is already an established practice within Belgian IT organisations, ethical hacking was illegal and criminally sanctionable under Belgian law. But this changed recently. Earlier this year, the Belgian legislator amended the law of 17 April 2019 establishing a framework for the security of networks and information systems of general interest for public security (the Belgian NIS1-Act) to legalise ethical hacking if certain conditions are met.
From now on, ethical hacking can be carried out by any natural or legal person (including employees or other members of the targeted organisation) to investigate and report vulnerabilities in networks and information systems located in Belgium without risking criminal liability if the ethical hackers respect the following conditions:
- It’s forbidden to act with fraudulent intent or an intention to harm. For example, ethical hackers are not allowed to blackmail the targeted organisation by requesting payment in exchange for not exploiting or not publicly disclosing the discovered vulnerabilities.
- The Belgian Centre for Cyber Security (CCB) must be informed of the vulnerabilities as soon as possible. Ethical hackers also need to report their findings to the organisation they are investigating, at the latest at the time they notify the vulnerabilities to the CCB.
- It’s forbidden to go beyond what’s strictly necessary and proportionate to ascertain the existence of the vulnerabilities and to notify their existence. This means that the least intrusive method should be used and that the availability of an organisation’s IT systems may not be affected during the investigation.
- Hackers are not allowed to publicly disclose the information collected about the vulnerabilities without the CCB's consent.
But there are still some grey areas regarding the exact scope of these obligations. What is necessary? What is proportionate? What about civil liability? So it’s interesting that the CCB has already announced that these new legal provisions will be reviewed and that additional or updated specifications may be introduced with the upcoming implementation of the NIS2-Directive in Belgian law.
Time to prepare for ethical hacking attempts
These new legal provisions have important implications for organisations with IT systems in Belgium, since it will no longer be possible to fully control who will try to hack their systems (in an ethical and legally permitted manner).
On the one hand, an organisation could choose to do nothing. As a result, no specific attention will go to this new possibility and the organisation could perhaps stay under the radar of ethical hackers. But there are disadvantages to this approach. Doing nothing implies that ethical hackers can act of their own accord and contact you once they discover vulnerabilities. In this situation, these hackers will also need to contact the CCB directly, which means that you will have less (or no) control over the information that reaches the CCB. Additionally, much like choosing not to install an alarm on your house, not having any policy in place could attract the interest of less well-intentioned individuals, as it could be seen as an indication of ill-preparedness for a potential attack.
The other choice would be to draw up a Coordinated Vulnerability Disclosure Policy (CVDP) in which the organisation explicitly states how ethical hackers can contact them once a vulnerability has been discovered. According to the CCB’s guidance on the topic, a CVDP can be seen as an accession agreement in which all contractual provisions are laid down and then accepted by the ethical hacker when deciding to participate in the elaborated programme. Introducing a CVDP clarifies the participants' legal situation and allows the organisation to, if necessary, go beyond the legally imposed conditions or to clarify them.
The advantage of having a CVDP is that your organisation can determine how and when ethical hackers should contact it. Furthermore, the CCB stated in its recent guidelines that when an organisation has published a CVDP, ethical hackers are only allowed to contact the CCB directly if they can’t reach the organisation concerned or if the organisation does not respond within a reasonable amount of time. In other words, a CVDP is a proper means to ensure that the information remains internal until the vulnerability has been remedied, and it can ensure a continuous, legitimate and controlled flow of information on the organisation’s potential vulnerabilities. The potential risks and damages that these vulnerabilities may cause can thus be effectively prevented or limited as much as possible.
Naturally, a CVDP may be more attractive and effective if it’s linked to a bug bounty programme in which participants are granted financial rewards according to the importance and quality of the information provided, but this is not a legal obligation.
Conclusion
Although these new provisions only apply to IT systems in Belgium, they do provide more clarity regarding the practice of ethical hacking. Organisations can choose to ignore these new legal provisions or use them to their advantage by implementing a CVDP, which could attract ethical hackers and facilitate the preventive improvement of an organisation’s IT systems.
But this could only be the beginning as legislators and regulators in other countries have started to show interest in this new law. If other countries start implementing similar provisions, this could increase the need for a CVDP covering all IT systems of an organisation.
If you’d like further information or legal advice in this respect, please contact the authors.