- German law may soon be modernized to protect ethical hackers
- Stricter punishments for data spying also included
- Move follows recent high-profile attacks on European governments
Lawmakers in Germany are drafting legislation to provide legal protections for cybersecurity researchers who uncover and responsibly report security vulnerabilities to vendors.
The proposed legislation will look to modernize Germany’s digital law, ensuring ethical security researchers can be confident in their legal cover, whilst destructive cybercriminals can expect more severe punishments, with stricter penalties for serious cases of data espionage and interception.
“Anyone who wants to close IT security gaps deserves recognition – not a letter from the public prosecutor,” said Dr Marco Buschmann, the Federal Minister of Justice.
Ethical hacker protections
Protections for researchers will be provided under a strict set of criteria. Research must be carried out with the aim of identifying a security risk or vulnerability in order to be protected. The researcher must also intend to report the identified vulnerability to a ‘responsible entity capable of addressing the issue’, such as the software manufacturer or system operator.
Finally, the actions taken to access the system must be necessary to identify the vulnerability, which prohibits excessive access outside of security research.
The new provisions will impose stricter penalties, especially on those who target critical infrastructure, such as transport networks or hospitals. This type of attack could soon lead to a prison sentence ranging from three months to five years.
European critical infrastructure has seen a significant rise in cyberattacks in recent years, especially since the Russian invasion of Ukraine. Cybersecurity researchers can be crucial in protecting these institutions by discovering and reporting flaws before malicious actors find them.
Until now, ethical hackers and researchers have often fallen into a legal grey area, where even well-intentioned disclosure could result in criminal prosecution. The move to protect researchers will reduce uncertainty and therefore help improve cybersecurity across the board.
Via BleepingComputer