Ethical hackers will not be prosecuted if they use hack tools to test systems

Jul 11, 2013 09:53 GMT

Last week, the European Parliament adopted a new directive that toughened penalties for cybercrimes and enhanced cyber security cooperation between member states.

Some IT security experts are concerned that the new directive might criminalize ethical hackers who test websites and networks for vulnerabilities.

They're particularly concerned about section A of the directive, which “penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices / tools used for committing the offences.”

However, experts from Randomstorm – a UK-based network security, vulnerability management and compliance firm that focuses on providing enterprise-level, proactive security management tools and services – highlight that there’s an “element of flexibility” in the directive.

“The Directive contains in the definitions of criminal offences listed in articles 3, 4, 5 (illegal access to information systems, illegal systems interference and illegal interference) a provision allowing to criminalise only 'cases which are not minor',” Randomstorm experts noted.

“This element of flexibility is intended to allow Member States not to cover cases that would, in abstracto, be covered by the basic definition, but are considered not to harm the protected legal interest, e.g. in particular acts by young people who attempt to prove their expertise in information technology.”

The company’s Co-Founder and Technical Director, Andrew Mason, commented, “Some people have expressed concern that the updated EU Cybercrime Directive could criminalise legitimate cyber security researchers and bug bounty hunters, whose work helps to make the internet safer for all users.”

He added, “This could have had serious repercussions for ethical hackers, so we are glad to see the European Commission has included a proviso recognising the need for information security professionals to hone their skills without fearing a jail sentence.”