The UN cyber convention threatens security research. The US should do something about it

The recent adoption of a new cybercrime convention at the United Nations has sparked considerable debate within the global cybersecurity community. While the UN Convention against Cybercrime aims to strengthen international cooperation to combat malicious hacking, the convention raises serious concerns for those involved in security research and ethical hacking.

The treaty’s provisions related to security research are contrary to best practices promoted by the US government and federal policies that protect good faith security research from prosecution. Despite these and other concerns, the treaty is expected to receive final approval from the General Assembly before the end of the year.

Although this treaty does not change existing computer crime laws, countries with less developed cyber laws may pass regulations that mirror the text of the UN treaty, and authoritarian governments may use the treaty’s flawed text to justify the suppression and censorship of security researchers and others.

Security researchers working in, or collaborating with organizations in, countries that have fewer protections for good faith security research and ethical hacking may find themselves at higher risk of legal consequences for activities that are both ethical and necessary for maintaining global cybersecurity.

For this reason, it is extremely important that the United States work with other countries to promote protections for such research in national law or in law enforcement policies and practices.

Chilling innovation and reducing security

Bona fide security researchers, also known as ethical hackers, play a vital role in the fight against cybercrime. They identify vulnerabilities in software, systems, and networks so that those vulnerabilities can be patched or mitigated before malicious actors can exploit them.

Legal frameworks further support the efforts of security researchers by distinguishing them from malicious cybercriminals, reducing legal liability for ethical research, and encouraging organizations to adopt policies for receiving vulnerability disclosures. For example, since 2020 the United States has instructed all federal agencies to have vulnerability disclosure policies. The US Department of Justice has long recognized the importance of security research and recently announced that it will update its Vulnerability Disclosure Framework, which has reduced legal risk for security researchers, to address vulnerability reporting for AI systems.

However, the broad and ambiguous language of the UN treaty risks hindering this vital work. The treaty requires countries to criminalize intentionally gaining access to any part of a computer system “without right.” Although intended to target malicious hacking, the provision makes no distinction between cybercriminals and legitimate security testing performed by ethical hackers who lack formal authorization but work to increase security.

The treaty’s language also requires countries to prohibit the “unauthorized” interception of non-public transmissions of computer data. This ignores the intent behind the interception and may apply to independent security professionals who, in the course of their work, intercept transmissions to identify or verify security vulnerabilities in order to protect the data, not exploit it.

It also prohibits the “unauthorized” damage, deletion or alteration of computer data. This provision may be misused against ethical hackers who manipulate data as part of controlled testing, such as penetration testing and red teaming, to identify weaknesses and improve system defenses.

The treaty also criminalizes deliberate and unauthorized interference with the operation of a computer system. This could likewise be detrimental to security research and red-team operations, which use simulated attacks to identify security weaknesses and improve defenses. Such activity could be considered “interference” under this broad definition, exposing ethical hackers to legal risk even when their actions are aimed at increasing security.

Translating these provisions into criminal laws without clear safeguards could deter legitimate security testing, ultimately making systems less secure and more vulnerable to real cyber threats. Rather than promoting the convention’s stated goal of increasing coordination and cooperation, this may lead to inconsistent implementation and misuse of the convention, leaving researchers exposed in jurisdictions that do not specifically protect good faith activity.

The way forward

The treaty encourages signatories to recognize the contributions of legitimate security researchers, as long as their activities are intended to strengthen and advance security to the extent permitted by law. While this recognition is a positive step, it falls far short of encouraging signatories to establish legal protections for legitimate security research.

Because the treaty’s recognition of the vital work of security researchers is not consistently reflected in its restrictions on computer access and use, nor translated into meaningful protections for researchers, it will be up to member states to provide those protections in national law or through guidelines and best practices that companies and law enforcement officers can follow.

Although it may be too late to change the text of this treaty, the United States can and should contribute its knowledge and expertise in protecting security research and focus its energy on encouraging other countries to adopt similar practices. This can be achieved in a number of ways.

For example, the US Agency for International Development and the State Department could include protections for security research in their cybersecurity capacity-building programs. Alternatively, they could condition digital capacity-building funds on commitments from governments not to prosecute good faith security researchers.

The US should also partner with capacity-building non-governmental organizations and like-minded governments to develop and disseminate best practices for implementing the treaty that recognize the importance and benefits of security research and what distinguishes ethical research from cybercrime.

These and other measures will help to ensure that policymakers around the world are aware of the treaty’s impact on security research and encourage them to change their legal frameworks to support, rather than hinder, ethical inquiry. By doing so, countries can foster a collaborative environment where the essential work of security researchers is valued and encouraged, strengthening our collective defenses against cyber threats.

Ilona Cohen is HackerOne’s chief legal and policy officer.
