On August 31, 2023, the Women in Cyber Association hosted a remarkable event, Women in Cyber Days. This event connected cyber enthusiasts and provided a platform for the exchange of knowledge and experiences. Successful women in the cybersecurity field shared their insights, making it a valuable occasion for experts, professionals, and students alike to become part of the Women in Cyber community.
As one of the panellists at this event, I had the privilege of participating in a discussion on “Security Incidents and the Law.” The panel featured experts in the field who provided valuable insights into the new data protection act and the notification obligations. In this article, I will focus on the second part of the panel discussion, which delved into the intriguing world of “Ethical Hackers and the Law.”
Understanding Ethical Hacking
In recent years, the term “hacker” has acquired an often negative connotation because of cyber incidents. However, it is important to note that a hacker is not inherently malicious. A hacker is essentially a person who is interested in technology and tries to understand the behaviour of computer systems by breaking or bypassing their security mechanisms. Depending on their motivation, hackers can act maliciously, or legally and ethically with the permission of the system owner.
This is why we use the terms “Ethical Hacker” or “Security Researcher”. Ethical Hackers are individuals motivated by a genuine interest in technology and a commitment to improving cybersecurity. Their aim is to identify vulnerabilities within computer systems, networks, and applications, all while acting with good intentions and seeking to enhance security.
Ethical Hacking (Bug Bounty) vs. Penetration Testing
During the discussion, the distinction between Ethical Hacking and Penetration Testing («Pentesting») came up. While these terms are sometimes used interchangeably, there are differences. Ethical Hacking is a broad term encompassing various methods and approaches to identifying vulnerabilities. The more interesting question is therefore what the difference is between Bug Bounty and Pentesting, since both are methods used in cybersecurity.
Pentesting is a structured framework with predefined, closed-ended questions and a specific problem statement. Hence, pentesters aim to answer those specific questions in their work.
Ethical Hacking is more open-ended. In essence, ethical hackers can use a range of techniques to continuously uncover relevant security vulnerabilities. This makes it a versatile approach to enhancing cybersecurity and often allows them to find vulnerabilities that traditional methods leave undetected.
Legal Framework for Ethical Hacking
The legal aspect of Ethical Hacking is a critical concern. In Switzerland, as in many countries, hacking without proper authorization is explicitly prohibited by law. In a Bug Bounty program, however, ethical hackers operate within a controlled framework: they require the consent of the client as well as a Legal Safe Harbor that protects them from legal prosecution.
An expert opinion from Walder Wyss on behalf of the National Test Center (NTC) suggests that Ethical Hacking may be justified under certain conditions. This justification revolves around the concept of a “justifiable emergency,” which allows ethical hackers to intervene to prevent malicious hacker attacks without legal consequences.
The Limits of Ethical Hacking
Ethical Hacking, while a vital tool for enhancing cybersecurity, comes with limits. Ethical hackers must operate within predefined boundaries and adhere to a “playground” with established rules. These rules, defined in our so-called Program Policy, dictate the scope of testing, ensuring that ethical hackers do not stray into unauthorized areas, and cover other important elements such as coordinated vulnerability disclosure (CVD).
The Global Perspective
From a legal perspective, is it safer for ethical hackers to operate in countries other than Switzerland? While the fundamental issues remain similar worldwide, some countries, such as the Netherlands and Belgium, have established Legal Safe Harbors for ethical hackers, providing greater legal certainty. However, the need for such legal safeguards is a universal concern for ethical hackers globally.
Supporting Ethical Hackers
The law and policymakers have a role to play in supporting ethical hackers. Creating national Legal Safe Harbors, similar to those in the Netherlands and Belgium, could offer ethical hackers greater legal protection and certainty. In fact, there are concrete plans to institutionalize Ethical Hacking in Switzerland, as outlined in the National Cyber Strategy (NCS). Ethical Hacking will be an integral and important part of the new NCS in Switzerland.
Diversity in Ethical Hacking
Finally, we touched upon the issue of diversity in Ethical Hacking. While the field has been male-dominated, efforts are underway to bring more women into the Ethical Hacking scene. Encouraging young women to pursue STEM (Science, Technology, Engineering & Math) education and providing mentorship opportunities are crucial steps in fostering greater gender diversity in cybersecurity.
In conclusion, the discussion on “Ethical Hackers and the Law” at Women in Cyber Days 2023 shed light on the complex and evolving landscape of Ethical Hacking. With legal frameworks evolving to accommodate Ethical Hacking and initiatives to promote diversity in the field, the future looks promising for ethical hackers committed to securing our digital world.
Head of Legal & Compliance
Bug Bounty Switzerland AG