International approaches to reform: Belgium’s new legal safe harbor for ethical hackers

As the CyberUp Campaign continues to call for urgent reform of the Computer Misuse Act in the UK, we have been looking towards international examples of recent updates to cyber crime legislation that should act as models for the UK to consider, because they better reflect the realities of the 21st century cyber defensive industry, and clearly acknowledge the importance of legal protections for the individuals that operate within it.

Here, Alexander Melly of the CyberUp Campaign reviews the Belgian approach and explains why it is one that UK policy-makers might want to learn lessons from:

In February 2023, just a week after the UK Home Office published its long-awaited, yet lacklustre response to the review of the Computer Misuse Act it commenced in May 2021, Belgium became the latest nation to update its cyber laws to reflect the rapidly evolving cyber security sector. The Centre for Cyber Security Belgium (CCB) published a new legal framework for reporting network and information system vulnerabilities, designed to encourage individuals to report vulnerabilities without fear of legal repercussions.

Article 550(b) of the Belgian Criminal Code outlines the procedural limitations of criminal computer hacking along with criminal sentencing guidelines. The central tenet of the new framework is to allow: “any natural or legal person, acting without fraudulent or malicious intent, to investigate and report existing vulnerabilities in networks and information systems located in Belgium, provided that certain conditions are strictly respected.” The new legal framework makes clear that the changes to the legal guidelines will not replace the Coordinated Vulnerability Disclosure Policies (CVDPs) set out by private companies, but rather add protections for individuals, whether they are working within a private organisation under a CVDP or outside the bounds of an established company.

Scope & Intention

As outlined in our ‘Defence Framework’, an actor’s intent, proportionality, and competence should all play a role in determining the legitimacy of their cyber security activities, and so in determining whether the statutory defence we’d like to see in a reformed Computer Misuse Act should indeed apply to them.

It is heartening to see the Belgian approach adopt a similar concept. A key part of the Belgian framework is the inclusion of statutory obligations for those who discover vulnerabilities. In addition, the guidance specifically addresses the scope of what a good actor must take into account when reporting a network vulnerability. The new framework lays out five obligations for those searching for network vulnerabilities:

  1. They must limit themselves strictly to the facts necessary to report a vulnerability. Thus, they must not act beyond what is necessary and proportionate to verify the existence of a vulnerability.

  2. They must act without fraudulent intent or desire to harm.

  3. As soon as possible after the discovery of the potential vulnerability (and at the latest at the time of reporting to the national CSIRT), they must inform the organisation responsible for the system, process, or control of the vulnerability.

  4. They must as soon as possible report the discovered vulnerability to the CCB.

  5. They must not publicly disclose information about the discovered vulnerability without the agreement of the national CSIRT.

Under each obligation, the CCB establishes further details that make clear which actions are acceptable and which are not. The framework states that “actions must be strictly limited to the facts that are necessary to allow the research and the reporting of a vulnerability of a network and information system”.

The framework also goes on to explicitly outline nine examples of disproportionate actions, many of which chime with the findings of the CyberUp Campaign’s legitimate activities research:

● Installation of malicious software (malware): viruses, worms, Trojan horses, or other

● Distributed Denial of Service (DDoS) attacks

● Social engineering attacks

● Phishing attacks

● Spamming attacks

● Password theft or brute force attacks

● Deletion of data from the computer system

● Realisation of foreseeable damage to the visited system or its data

● Other offences, e.g. burglary, theft, assault, etc.

Data Protection, Confidentiality, and Consequences

An encounter with personal data is defined in the new framework as: “the storage, modification, retrieval, consultation, use or disclosure of any information that may relate to an identified or identifiable natural person.”

If an actor encounters personal data, they are required to follow the EU General Data Protection Regulation (GDPR). If personal data is suspected to be or has been lost, “you must also inform the responsible organisation and the Data Protection Authority (DPA), as soon as possible and no later than 72 hours after becoming aware of it”. This timeline is another safeguard against bad actors exploiting the framework: a researcher who does not follow the specific guidance on personal data faces liability.

The framework’s legal protection of vulnerability researchers acting in good faith extends to protecting the identity of the actor. While those who respect and follow the legal framework are protected in Belgium under Belgian law, those who do not act in good faith (i.e. do not meet the requirements and recommendations in the framework) “will continue to be punishable under criminal and civil law”.

Conclusion

Belgium's new framework is a step in the right direction to encourage good faith actors to find, report, and ultimately patch network and information system vulnerabilities. We find the detailed and specific measures within the framework an excellent example of how to protect cyber security professionals by enshrining in law legal protections for those who report vulnerabilities, whilst still ensuring those who act in bad faith are effectively prosecuted. As the CyberUp Campaign continues to call for reform of the Computer Misuse Act in the UK, the values set out in the Belgian framework of “collaboration with the competent services of the Public Prosecutor's Office” are a shining example of the public-private partnership needed to tackle 21st-century cyber threats.

We hope that the UK Government will consider the recent progress made in Belgium as regards cyber security legislative reform, when considering how best to implement a new UK legal framework which clarifies the situation of those undertaking cyber security work with good intentions, and how a statutory defence would work practically to enshrine those better protections.
