Ethical hackers look for vulnerabilities in your systems, check all your outward facing apps and see if they can get in. However, these ‘crimes’ can get them into hot water if they are not protected. While transposing the EU Whistleblower directive into national law, Belgium took the opportunity to better protect these ‘digital whistleblowers’ – as long as they play by the new rules, which can be found on the CCB website.
22 / 02 / 23
A person or group of persons working together trying to enter your systems: does that sound scary? Not if this is an organised activity and you have been properly informed! In fact, it enables us all to benefit from the skills and knowledge of ‘ethical hackers’, who can tell you if one of your virtual doors isn’t properly locked.
Coordinated vulnerability disclosure policy (CVDP) or bug bounty programmes, already exist. For these, your organisation sets the rules allowing ethical hackers to hunt for vulnerabilities and provide relevant information.
But what if multiple organisations are involved, your organisation takes time to respond, or you don’t have a CVDP? Strictly speaking, from a legal perspective, the ethical hacker could not verify their findings. For example, an ethical hacker who explores a vulnerability using unauthorised access and copies your data to prove the vulnerability, is currently committing a criminal offence. And a programmer who reports on a safety issue that the company doesn’t want to solve (for whatever reason) is, for now, held liable.
But not anymore. From 15 February, new rules offer better protection and an additional role for the Center for Cyber Security Belgium (CCB), as the authority to whom the ethical hacker or programmer reports. Through the transposition of the NIS directive, the CCB was already the Belgian Computer Security Incident Response Team (CSIRT or CERT). The CCB already knows a lot about vulnerabilities, making them ideal for this role.
As this is Belgian law, the assets, networks and/or information systems must be fully located on Belgian territory for the ethical hacker to be protected.
Under the new rules, when a programmer reports on a potential vulnerability in their professional context, they are not considered to have breached their obligation of professional secrecy and do not incur any liability whatsoever regarding the transmission of information necessary to report a potential vulnerability to the CCB. Again, the law is only in effect when assets, networks or systems are located in Belgium.
If you are planning to come forward to report something wrong in your organisation, be aware that you are now better protected, but that the procedure for reporting an IT vulnerability is quite distinct from the legal rules for whistle-blowers, that is, people that wish to report information obtained in a professional context.
More information on the protection for whistle-blowers under Belgian law can be found on the website of the Belgisch Staatsblad/Moniteur Belge: