Ethical hacking in the Baltics: Comparative legal map

11.02.2022 Ethical hacking in the Baltics: Comparative legal map

By Counsel Dmitri Teplõhh, Senior Associate Mari-Liis Orav, Associate Arina Stivriņa and Junior Associate Mindaugas Beniušis

Generally, there are three main types of hackers, each symbolized by a hat of a different colour (a concept originating from old-timey spaghetti Western movies). Black hats are the “villains” – hackers with criminal or malicious intentions, aiming to profit or harm the hacked organization or individual, or simply cause havoc and chaos. White hats are the “good guys” – hackers that carry out penetration tests or other activities of their craft with the permission of the tested system owner, with no illicit intentions and for a generally good cause. Grey hats, falling somewhere in the middle, and balancing on both sides of the spectrum – hack just see if they can, for bounty and so on – with good or neutral intentions, albeit without permission.

The latter two fall under the umbrella term of ethical hacking – hacking performed in search for exploits, bugs, gaps in the IT system, to warn the owner of any vulnerabilities they are not aware of. Such activities are generally exercised for good – to help patch exploits and increase the security of IT systems. Hacking with the system owner’s permission (i.e., penetration testing as part of an IT system audit) usually raises no critical legal issues. In contrast, grey hat hacking without malicious intent creates more legal ambiguity. Quite a few forward-thinking companies have announced bounty programs that reward individuals for finding and reporting security exploits in their systems. However, the legal technicalities may easily leave such individuals in uncertainty – entering an IT system without the owner’s prior approval may, depending on the system and jurisdiction, amount to administrative or even criminal liability.

This leaves the hacker in a predicament – on one hand, they are encouraged by the company to disclose any exploits for a reward. On the other hand, they risk being prosecuted on the grounds of formal composition of the crime. The owner of the IT system suffers, too – even if the exploit of a system was found and reported, such an action may formally amount to a data security breach subject to notification, resulting in additional administrative hurdles and even further formalities.

Therefore, a regulated approach to ethical hacking can settle a number of ambiguities for all of the parties concerned.

Lithuania

The Lithuanian Criminal Code prohibits illegal influence on electronic data and IT systems, as well as illegal interception and use of electronic data. However, according to the Criminal Code, even illegal connection to an IT system can result in imprisonment for up to 2 years (3 years if the system is of national importance). Such provisions leave ethical hackers in an undoubtably dangerous position when hunting for bounties – a mere connection to a system can leave them open to criminal investigation and sanctioning.

Luckily, last summer Lithuania took initiative to address ethical hacking and encourage the initiative of responsible disclosure. This initiative was meant to address abovementioned inconsistencies, further the Lithuanian Cybersecurity strategy and encourage the cooperation between the public and private sectors in the name of improving IT security. Effective since 17 June 2021, the newly introduced amendments of the Lithuanian Cybersecurity Law lay down a procedure for notification of security vulnerabilities / gaps, thus rendering the ethical hacking a lawful activity, subject to, however, the following requirements:

  • System integrity:
    1. operation, functionality, services provided as well as data availability or integrity of the system may not be disrupted or compromised;
    2. no attempt is made to guess or use illegally obtained passwords;
    3. persons with access to non-public information relevant to the search for vulnerabilities are not manipulated;
  • Limitation of activities:
    1. search activity related to a gap shall be ceased as soon as the vulnerability is identified;
    2. no excess actions (other than the ones necessary for confirmation of security gap) are performed in relation to the system data in question;
  • Reporting. A report with stipulated information of the found gap shall be submitted within 24 hours either to:
    1. the cybersecurity subject (owner of the system); or
    2. National Cyber Security Centre, as a supervisory authority and responsible intermediary.
  • Confidentiality. Information regarding the vulnerability shall not be disclosed, except for the submission of the report. Disclosure of any gaps can be made more freely only after the recipient of the report has evaluated the severity of the vulnerability, and such delay can last for up to 90 days.

Naturally, such stringent requirements of controlled reporting and limited disclosure are rather restrictive and provide limited incentive for bounty hunting: a formal report and limited disclosure makes the whole process cumbersome and difficult to implement in practice. Further, the Law on Cybersecurity does not address the effects of a successful vulnerability identification on the legal implications pertaining to data protection – formally, even disclosed bounty hacking amounts to a data breach (in terms of data confidentiality at the least).

Nonetheless, it as an important first step in accommodating an actual practice in the market and a viable tool for increasing cyber security. We still have yet to see how this institute operates in practice; however, the National Cyber Security Centre already receives a tangible number of reports on various bugs found on websites.

Latvia

The Latvian Criminal law prohibits unauthorised modification, damage, destruction, or the deliberate introduction of false information into an automated data processing system, knowingly interfering with the operation of an automated data processing system, where the security of the system is damaged or destroyed, if substantial damage has been done. The substantial damage criterion is fulfilled when one of the following thresholds are met – material damage exceeds 5000 EUR, or material damage exceeds 2500 EUR and interests protected by law are harmed, or substantial harm to interests protected by law is established.

While the substantial damage threshold may impede prosecution of hacking, it does not exclude prosecution on other grounds, such as blackmail. In order to address ethical hacking and encourage the initiative of responsible disclosure, the process of coordinated responsible disclosure has been approved on December 14th by the Cabinet of Ministers. It allows (but does not make it mandatory) state institutions and municipalities to adopt own responsible disclosure policies.

The adoption of the process of coordinated responsible disclosure is a big step towards rendering ethical hacking a lawful activity and avoid unnecessary prosecution of ethical hackers. Moreover, unofficially it is known that no new legislation to address ethical hacking and encourage responsible disclosure will be proposed until the implementation of NIS2 Directive.

Estonia

Various computer-related crimes are also punishable under Estonian criminal law (e.g., illegal obtaining of access to computer systems, interference with computer data, hindering of functioning of computer systems) and similar issues referred to above may arise in practice. To our knowledge, there are no similar initiatives to that of Lithuania mentioned above. It may be noteworthy that in relation to a case regarding security holes in the state information system last year, it was mentioned in the media by the Estonian Information System Authority that they are developing a bounty system, which also requires changes in the current laws.

At the same time, most of the crimes in the Penal Code require the respective act to be “illegal” (e.g., “Illegal obtaining of access to computer systems by elimination or avoidance of means of protection is punishable by a pecuniary punishment or up to three years’ imprisonment”). In case of bounty programmes with clear rules notified to the hacker beforehand, it could potentially be argued that the victim has consented (in the scope of the rules of the programme and provided that the hacker knew of the rules beforehand), and the act is therefore not illegal – and, therefore, not punishable. However, this take is hypothetical and has not, to our knowledge, been tested in practice regarding ethical hacking.

Still, many other issues remain, including regarding the company’s requirement to notify the relevant authorities of data incidents/breaches, as well as situations where the company has not defined a clear bounty programme. Nonetheless, some movement and initiative can be seen; hopefully, soon all ethical hackers in the Baltics will be able to freely employ their skills in maintaining the highest standard of cybersecurity in both private and public sectors.