Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity?

On 15 February 2023, Belgium saw the entering into force of a new ‘whistleblower’ law, which legalised ‘ethical hacking’ even for cases where the hacked entity did not consent to it. In order to benefit from such decriminalisation, the law poses a number of conditions for ethical hacking, that have to be fulfilled in order for the hacker to be excused from any criminal liability. In this blogpost, we give an overview of the new Belgian whistleblower law from its definition of ethical hacking to the conditions for decriminalisation and conclude on the potential consequences of the law for the state of cybersecurity in Belgium and beyond.

When is hacking ‘ethical’?

A hacker is commonly understood in an IT context as somebody who gains unauthorised access to a computer system or network. Such unauthorised access can be motivated by criminal intentions, for example the extortion of money from those hacked by blocking them from accessing their system until they pay a ransom fee (so-called ‘ransomware attack’). Such hackers are typically referred to as ‘black hat hackers’.

Yet, there are also hackers motivated by other considerations, for example when hackers hack a computer system or network in order to demonstrate a vulnerability that could be exploited by a black hat hacker. These ‘ethical’ hackers are also called ‘white hat hackers’. The work of ethical hackers can be of great advantage for organisations managing computer or network systems, as they will be able to address any cybersecurity vulnerabilities before they are exploited and thus prevent cybersecurity incidents from occurring. Such ethical hacking can therefore be a means to improve the cybersecurity of IT systems from both companies and public authorities.

When is ‘ethical’ hacking legal under the new Belgian law?

Before the new Belgian whistleblower law, all forms of hacking, including ethical hacking, were punishable under Belgian criminal law, unless the entity being hacked had consented to it. The latter exception already enabled a variety of Belgian organisations to make use of ethical hackers to increase their level of cybersecurity, for example by putting in place (financial) rewards, so-called ‘bug bounties’, for ethical hackers that helped them discover a vulnerability. Cooperations between ethical hackers and organisations typically took place in the context of a ‘coordinated vulnerable disclosure policy’ (CVDP). A CVDP is a set of rules created by the organisation managing an IT system, which offers a legal framework for collaborations between that organisation and ethical hackers. It has to be published online, for example on the website of an organisation. Ethical hackers could try to indicate via the CVDP that they had consent for their activities in order to avoid criminal liability. A CVDP was however no bulletproof way of escaping liability for the ethical hacker, and such activities were therefore always conducted with the potential risk of criminal prosecution.

The new Belgian whistleblower law (Klokkenluiderswet) has changed the legal situation for ethical hacking in Belgium. A natural or legal person is now authorised to investigate organisations in Belgium for potential cybersecurity vulnerabilities, even if they have not consented to such investigations. This authorisation is dependent on the fulfilment of four conditions set by the law and can therefore not be understood as providing hackers with a ‘carte blanche’ for all forms of cybersecurity research. Only if these conditions are followed will the hacking no longer fall under the criminal prohibition for hacking of the Belgian Criminal Code.

The first condition set by the law is that ethical hackers cannot have the intent to cause harm or to obtain illegitimate benefits with their activities. The law therefore excludes that ethical hackers request payment in order to reveal any potential vulnerabilities that they discovered, unless this has been agreed upon in advance, for example as part of a bug bounty programme or a CVDP. Extorsion is not an activity endorsed by the law.

The second condition mandates that ethical hackers report any uncovered cybersecurity vulnerability as soon as possible to the Centre for Cyber Security Belgium (CCB), which is the national computer security incident response team of Belgium. Ethical hackers also need to report their findings to the organisation they were investigating, the latest at the time they are notifying the CCB over a vulnerability.

The third condition requires ethical hackers to not go further in their hacking than necessary and proportionate in order to uncover a cybersecurity vulnerability. Ethical hackers have to limit themselves to those activities that are strictly necessary for the objective of notifying a cybersecurity vulnerability. This condition is for example breached if a vulnerability is discoverable with less intrusive means than those chosen by the ethical hacker. Ethical hackers are also required to ensure that their activities do not affect the availability of the services of the organisation under investigation.

The final condition is an obligation for ethical hackers to not disclose information about the uncovered vulnerability to a broader public without the consent of the CCB. Ethical hackers can therefore not report on uncovered cybersecurity vulnerabilities in the media, for example by noting it in a blog post, unless they have the authorisation of the CCB.

What are the consequences of the new Belgian rules for cybersecurity?

The new Belgian whistleblower law only applies in Belgium. If a cybersecurity vulnerability concerns an IT system outside of Belgium, hacking might be covered by the rules of the country where the system is located. While the Belgian law is based on a European Union (EU) Directive (Directive 2019/1937), Belgium has decided to go beyond what is required, meaning that even within the EU there is a risk that the activities now legal under Belgian law are no longer so when its territorial boundaries are crossed. Any consequences of the new rules for cybersecurity are therefore limited in scope to Belgium.

Despite this inherent limitation of the new law, it can still be expected to facilitate the work of ethical hackers in Belgium, and consequently their contribution in the uncovering of cybersecurity vulnerabilities. Preventing cybersecurity incidents from occurring remains an important but hard-to-realise component of cybersecurity that benefits not only organisations by saving them from the reputational and economic damage associated with a severe cybersecurity incident but also individuals, who otherwise might suffer cybersecurity harms, such as identify theft.

That being said, questions remain about the exact delineation between legal (ethical) hacking and illegal hacking criminalised by the Belgian Criminal Code. This is because the new law uses the rather open terms ‘necessary and proportionate’ to describe what activities are now permitted. Necessity and proportionality will always depend on the concrete situation at hand making it at times difficult to predict which techniques can and cannot be used for ethical hacking. Moreover, the law omits to give certain details when it comes to notifying the public about cybersecurity vulnerabilities. As noted, ethical hackers cannot publish their findings without permission of the CCB, but there are no additional rules on how and when the CCB has to give such permission. This might impair an ethical hackers’ ability to warn the wider public of a vulnerability in cases the organisation is not willing or able to address it.

In the end, only time will tell the extent to which Belgium’s pioneering attempt at legalising ethical hacking factually improves cybersecurity in Belgium. Its provisions can however be considered as a (small) step towards increasing preventive cybersecurity practices among Belgian organisations.

This article gives the views of the author(s), and does not represent the position of CiTiP, nor of the University of Leuven.

Source