In line with our objective of promoting the development of cybersecurity in the country, we feel obliged to make known our position on the criminalization of ethical hacking approved on March 2 by the Joint Commission in charge of the draft Law on Computer Crimes.
Ethical hacking consists of identifying flaws in computer systems and reporting them responsibly. Once reported, the vulnerabilities are corrected before criminals can use them to steal, alter or hijack our data, improving the security of computer services and of the Internet in general.
Ethical hacking is not new; it is a long-standing practice in cybersecurity. It has enabled serious and responsible professionals to help identify and correct flaws in mobile devices, databases, and communications and transportation systems. One case was the vulnerability in the biometric mechanism of the Civil Registry's unique key application (March 29, 2020), which allowed anyone to impersonate another person simply by manipulating a photo. An honest specialist, after exploring the application, detected this anomaly and reported it promptly. The mobile app was quickly corrected, improving the security of all Chileans.
There are those who argue that such actions should only be carried out with the express consent of the owner of the computer system. In an ideal world that would be true, but behind these computing platforms there are not always employees, managers and organizations willing to face the reputational impact of admitting the failure or to invest what is necessary to repair it; some simply lack the technical capacity to recognize that the vulnerability exists. Ethical hackers have seen how the threat of legal action has historically been used to “kill the messenger,” silencing bad news at a low cost to the system's holder.
Why deal with bothersome researchers if it is easier to make the report disappear by implying that a crime was committed in discovering the flaw? Will the ethical hacker want to go to trial for publishing it? Unfortunately, it is the community that ends up paying the cost when an expert is silenced. Hiding behind legal threats and failing to fix the flaw often leaves the security gaps intact, now available to criminals. Worse, it prevents citizens from informing themselves and demanding greater guarantees regarding the affected computer system.
The Joint Commission in charge of the draft Law on Computer Crimes in Congress approved a text that, although it contains important advances, unfortunately penalizes ethical hacking. In its second article it sanctions any action that “overcoming technical barriers or technological security measures accesses a computer system”, regardless of its motivation. Obtaining “explicit authorization” from the holder is proposed as a palliative mechanism, but in practice it is not realistic, for the reasons mentioned above.
After more than three years of debate in the Senate and the Chamber of Deputies, and with the feedback of technical and legal experts, the Joint Commission had reached a consensus text that would have permitted ethical hacking under reasonable limitations and conditions, such as registering the investigation and reporting the flaw immediately. However, in a last-minute negotiation, this option was set aside and the text rejected. When Congress approves the resulting report, as it likely will, our cybersecurity will become the “emperor's new clothes,” where systems are secure because no one dares to report otherwise. Had this been law a couple of years ago, it is reasonable to wonder whether the aforementioned flaw in the Civil Registry's application would ever have come to light.
With this action, parliamentarians lose the opportunity to give Chile modern legislation that would have allowed us to lead internationally in cybersecurity.
The opinion column is the sole responsibility of its author and does not necessarily reflect the editorial line or position of El Mostrador.