December 23, 2024

A contentious United Nations agreement might make cybersecurity teams illegal

The United States and the UK are supporting the draft of the United Nations Cybercrime Treaty, which is in its final stage and is set for a General Assembly vote. The treaty has been controversial because of concerns about surveillance and invasions of personal data, and because it draws no distinction between threat actors and ethical hackers.

The UN Cybercrime Treaty Is Nearing a General Vote

Recorded Future said on November 12 that the United Nations cybercrime treaty had passed its last round of approval and was on its way to a full vote. Following the approval of the treaty’s text (PDF), U.S. authorities acknowledged that a number of nations remain concerned about the treaty’s potential to result in surveillance, harassment of computer workers, human rights abuses, and invasions of privacy.

U.S. UN representative Jonathan Shrier praised the deal for its potential to combat cybercrime and limit fundamental freedoms. He urged governments to enact domestic legislation to protect against risks associated with the treaty, stating that it lays a foundation for international collaboration.

HackerOne claims that “the treaty does not distinguish cybersecurity experts from cybercriminals.”

HackerOne, the world’s largest ethical hacker community, has submitted a letter to Techopedia criticizing the UN Treaty’s wording, stating that cybersecurity specialists are not recognized under the treaty. HackerOne Chief Legal and Policy Officer Ilona Cohen emphasized the need for security researcher protections to be incorporated into legislation, stating that the treaty’s wording does not adequately address the needs of cybersecurity professionals.

Legal frameworks are increasingly supporting security researchers’ work by separating them from cybercriminals, reducing ethical hacking liability, and encouraging companies to implement vulnerability disclosure procedures. The US has mandated vulnerability disclosure standards for all federal departments since 2020, and the Department of Justice plans to update its Vulnerability Disclosure Framework to address AI system vulnerabilities, minimizing legal jeopardy for security researchers.

Cohen argues that the United Nations Cybercrime Treaty’s vague language fails to differentiate between criminals, cybersecurity teams, penetration testers, ethical hackers, red teams, and attack simulation outfits, posing a threat to their efforts. The treaty mandates countries to prosecute anyone who willfully gains access to a computer system without permission and fails to differentiate between legitimate security testing by ethical hackers and cybercriminals.

The convention prohibits intercepting private computer data communications “without right,” regardless of the intrusion’s purpose, as well as the intentional destruction, erasure, or modification of computer data. However, ethical hackers who alter data during controlled tests, such as penetration testing and red-teaming, may nonetheless fall within the scope of this article.

Making Ethical Hackers a Crime Again?

The United Nations treaty could potentially make it illegal to intentionally and without authorization interfere with a computer system’s functionality, potentially harming security research and red-teaming activities. HackerOne’s letter to officials suggests that the wide definitions of the treaty expose ethical hackers to legal concerns, even when their actions are intended to improve security.

If the treaty remains unchanged, corporations may reconsider hiring offensive security experts because of the legal hazards. This could affect bug bounty and vulnerability disclosure programs, which are run by major tech companies like Google, Amazon, and Microsoft and are also popular among medium-sized IT companies.

HackerOne’s Cohen emphasized the potential for inconsistent application and misuse of the convention, leaving researchers vulnerable in jurisdictions that don’t explicitly safeguard good-faith activities. He urged the United States to continue working at the United Nations to include protections in treaty language and collaborate with other nations to promote the inclusion of protections for such research in national law or law enforcement policies and practices.

The Bottom Line

Although the United Nations Cybercrime Treaty has good objectives, its ambiguous wording shows that UN lawmakers are not qualified to enact laws pertaining to technological matters like cybersecurity.

In the modern world, researchers, investigators, ethical hackers, penetration testers, and security researchers who strive to make systems safe may be legally confused with cybercriminals.

Provisions that prevent misuse of the text that could result in the invasion of personal privacy and safeguard cybersecurity professionals must be included in the United Nations Cybercrime Treaty. If not, experts urge countries throughout the world to enact their own legislation to safeguard citizens and the broader cybersecurity industry.