Vulnerability reporting in Belgium: A safe harbour for ethical hackers
In today’s digital landscape, businesses and organisations face the constant threat of cyber-attacks. It is essential for them to take steps to protect themselves and their customers from any data leaks, sabotage, ransomware attacks, espionage, etc.
Whereas hackers are commonly regarded as “cybercriminals”, actively seeking out corporate vulnerabilities to steal sensitive data or conduct sabotage or espionage, there are also well-intentioned people who actively look for vulnerabilities in order to help companies realise the importance and necessity of protecting their information systems from malicious activities and intruders.
Indeed, “ethical” hackers, also known as “white hat” hackers, can now play an essential part in this risk mitigation effort. They can identify vulnerabilities in a company’s systems and help remediate them before malicious actors can exploit them.
With this in mind, a new legal framework came into force in Belgium on 15th February 2023. It describes how a natural or legal person with no fraudulent intent or intention to cause harm may detect, and must report, existing vulnerabilities in information systems.
A strict new legal framework for reporting vulnerabilities
Taking that point into account, the CCB (Centre for Cybersecurity Belgium) implemented in February 2023 a new framework stipulating that anyone is allowed to investigate companies whose information system is located in Belgium and to report any discovered vulnerability, without having signed any agreement with the company concerned.
This is, however, subject to a set of strict rules:
- The actions taken must be strictly proportionate to demonstrating the existence of a vulnerability. This means it cannot be exploited beyond what is necessary to show evidence of the security weakness. For instance, actions such as phishing attacks, social engineering attacks, DDoS, brute-force attacks, and copying, altering and/or deleting data from a system are considered ‘disproportionate’ and ‘unlawful’.
- The actions must be taken in a purely well-meaning manner and without any fraudulent or harmful intent. Framing is forbidden.
- As soon as a vulnerability has been detected, and ideally within 72 hours, it must be notified in a formal written report to the organisation concerned and to the CCB, acting as the national CSIRT.
- Personal data may not be deliberately processed during an investigation unless it is absolutely necessary to prove a security issue. Such data must also be deleted as soon as the vulnerability has been reported.
- The confidentiality of data must be maintained. No information about the discovered vulnerability may be disclosed without the CCB’s agreement, and no IT data or personal data may be transferred to any third party.
Better protection for well-intentioned people
In 2020, the Belgian government had already begun to encourage companies to collaborate with ethical hackers by adopting Coordinated Vulnerability Disclosure (CVD) policies. Such policies allow well-intentioned people to research and report the potential existence of vulnerabilities in their systems.
Belgium can be considered a pioneer in promoting CVD policies. Companies recognised their value for detecting vulnerabilities early, which ultimately helps them improve their security strategies and gain greater insight into their systems. In reality, however, the lack of judicial protection discouraged well-intentioned individuals from reporting newly discovered vulnerabilities, for fear of lawsuits from the company concerned.
For these reasons, this brand new policy has established Belgium as one of the main actors on the European cybersecurity scene, as it is the first European country to address such a situation. It guarantees all ethical hackers in Belgium that neither criminal nor civil action will be taken against anyone who strictly complies with the terms and conditions of this framework and who has not intentionally caused damage to the systems investigated.
Even if this initiative seems new and ground-breaking, in hindsight it also appears to be in harmony with the Cybersecurity Strategy of Belgium 2.0 2021-2025. In this strategy, Belgium has made it its principal mission to be « one of Europe’s least vulnerable countries in the cyber domain », while stressing that alerting and informing about cyber threats and vulnerabilities is « a shared responsibility of all stakeholders ».
A new step and opportunity for the Belgian Cybersecurity Strategy
Indeed, the Coordinated Vulnerability Disclosure framework proposed by the CCB stems (1) from the global policy inspired by the Cybersecurity Strategy Belgium 2.0; (2) from the application of the Belgian Act on the Protection of Whistleblowers of November 28th, 2022; and (3) from the law of December 8th, 2022 on “reporting channels and the protection of whistleblowers of integrity breaches in federal public sector bodies and within the integrated police”.
Through the promulgation of this law and the publication of this framework, the CCB gained new prerogatives and a central place in the coordination of vulnerability disclosures, with a collaborative approach between policy makers, industry actors, academia and researchers.
The CVD process published by the CCB was already praised by an ENISA study in 2022, which highlighted its growing weight and activity in the European cybersecurity landscape. According to ENISA, a national or European CVD policy could help organisations and public administrations make vulnerability management a priority and encourage good security practices.
Although similar policies already exist in countries such as France or the Netherlands, Belgium was the first European country to institutionalise and promote ethical hacking by treating practitioners as whistleblowers and protecting them via a legal framework. For example, France has a Coordinated Vulnerability Disclosure policy targeting only “researchers”, through a derogation from the Code Pénal granted by the Defence Code. French law does not provide researchers with immunity from criminal law as such; it only envisages two protective legal frameworks, which explains the partial protection afforded to the security researcher.
The implementation of a national legal framework, defining and recognising the practice of ethical hacking in complementarity with the national cybersecurity policy, will greatly encourage this practice and raise the level of cybersecurity and resilience of Belgium, and ultimately of Europe. Indeed, according to a recent ENISA study of February 2023, the absence of a legal framework and legal protection is one of the major obstacles to the practice of ethical hacking, along with the low allocation of resources.
With this law, Belgium can thus encourage companies and institutions to generalise bug bounty programs and the practice of ethical hacking, and to increase cooperation between the various cybersecurity stakeholders, such as public-private partnerships, which are also emphasised in Belgium’s NCSS 2021-2025.
The EU landscape on Coordinated Vulnerability Disclosure may evolve even further with the NIS2 directive and the upcoming Cyber Resilience Act, both of which stress the importance of vulnerability considerations and encourage EU Member States to take further action. Thanks to this law, pioneering in terms of its progress at European level, a new step has been taken in promoting the cybersecurity of Belgian companies and citizens!