The United Nations Cybercrime Treaty has entered the final route and is moving to a General Assembly vote with the U.S. and the UK supporting the draft.
However, the treaty has been controversial, raising concerns around security and individual privacy abuses — and does not seem to distinguish between threat actors and ethical hackers.
Techopedia polls security experts to explain what the United Nations Cybercrime Treaty means and its ramifications across the world — is the treaty a well-intentioned backfire?
United Nations Cybercrime Treaty Moves Closer to General Vote
On November 12, Recorded Future reported that the United Nations cybercrime treaty had cleared its final hurdles and was heading to a full vote. After the draft of the treaty (PDF) was approved, U.S. officials recognized that several countries still have concerns over how the treaty could lead to human rights violations, surveillance, harassment of tech employees, and infringement on individuals’ privacy.
Jonathan Shrier, U.S. representative to the UN, spoke positively about the treaty in a published PDF, saying:
“This agreement lays out a framework to enable broad international cooperation to fight the acute global threat of cybercrime while preventing its misuse to enable an ever-growing trend of restrictions on fundamental freedoms.”
Shrier called for governments worldwide to pass domestic laws to act as safeguards and strong protections that mitigate any risks within the treaty.
‘The Treaty Does Not Distinguish Cybersecurity Experts from Cybercriminals’: HackerOne
HackerOne — the organization grouping the largest community of ethical hackers in the world — reached out to Techopedia to share a letter they sent to administration officials opposing the language of the United Nations Treaty.
HackerOne told us that the treaty does not recognize cybersecurity experts.
Ilona Cohen, Chief Legal and Policy Officer of HackerOne, explained why laws should include safeguards for security researchers.
“Legal frameworks increasingly support the efforts of security researchers by distinguishing them from malicious cybercriminals, reducing legal liability for ethical hacking, and incentivizing organizations to adopt policies to receive vulnerability disclosures.”
Cohen said that, since 2020, the U.S. has directed all federal agencies to have vulnerability disclosure policies.
“The U.S. Department of Justice has long recognized the importance of security research and recently announced that it will update its Vulnerability Disclosure Framework, which minimized legal jeopardy for security researchers, to address the reporting of vulnerabilities for AI systems,” Cohen said.
However, according to Cohen, the language of the United Nations Cybercrime treaty is so ambiguous that it puts the work of cybersecurity teams, penetration testers, ethical hackers, red teams, attack simulation organizations, and many others at risk by not differentiating them from criminals.
“The treaty obligates countries to criminalize anyone that intentionally gains access to any part of a computer system ‘without right’.
“The article (treaty) makes no distinction between cybercriminals and legitimate security testing activities performed by ethical hackers who do not have explicit permission but are working to enhance security.”
The language in the convention also prohibits the interception of non-public transmissions of computer data “without right”, ignoring the intent of the intrusion.
This can implicate independent security professionals who, during their work, may intercept signals to identify or validate security vulnerabilities to protect but not exploit the data.
The treaty also outlaws the intentional damaging, deletion, or alteration of computer data “without right”.
“This article could be misapplied to ethical hackers who manipulate data as part of a controlled test, such as penetration-testing and red-teaming, to identify weaknesses and improve system defenses,” Cohen from HackerOne said.
Criminalizing Ethical Hackers Again?
The United Nations treaty risks criminalizing the intentional and unauthorized hindering of the functioning of a computer system — in many cases this is exactly what ethical hackers do.
“This could be detrimental to security research or red-teaming activities, which utilize simulated attacks to identify security weaknesses and improve defenses,” Cohen added.
In the letter to officials, HackerOne said that the broad definitions of the United Nations treaty subject ethical hackers to legal risks even when their actions are aimed at enhancing security.
If the treaty is passed as is, without any modifications, countless organizations may think twice about the legal risks before they hire the valuable services that offensive security experts provide.
The treaty could, therefore, affect bug bounty and vulnerability disclosure programs. These programs are used by all big tech companies, from Google to Amazon to Microsoft, and are extremely popular among medium-sized tech businesses.
Cohen spoke about the issue at hand:
“Rather than promoting the convention’s stated aim of increasing coordination and cooperation, this could lead to inconsistent application and misuse of the treaty, leaving researchers vulnerable in jurisdictions that do not explicitly safeguard good-faith activities.”
We asked Cohen what exactly HackerOne is advocating for.
“We respectfully encourage the United States to 1) continue to work at the United Nations to incorporate protections into the treaty language, if possible, and 2) to work with other countries to encourage the incorporation of protections for such research into national law or law enforcement policies and practices,” Cohen from HackerOne told us.
Cohen added that if the U.S. cannot advance a protocol to the convention that adequately provides protections for cybersecurity researchers, they suggest the U.S. Agency for International Development and the State Department incorporate policy best practices that protect security researchers.
Alternatively, digital capabilities-building programs should be conditioned so governments do not prosecute good-faith security researchers.
The Bottom Line
While the intentions of the United Nations Cybercrime Treaty are well-placed, the vague language of the text reveals that United Nations legislators lack the expertise to legislate technical issues like cybersecurity.
In today’s world, security researchers, penetration testers, ethical hackers, and investigators who work to make systems secure may be legally indistinguishable from cybercriminals.
The United Nations Cybercrime Treaty must include provisions that prevent the text from being abused to invade individual privacy and that protect cybersecurity experts. If not, experts call for governments worldwide to enact their own laws to protect citizens and the wider cybersecurity sector.