Although the exact wording varies, hacking without permission is a criminal offense in most countries.
Let’s note one thing right away: none of the authors involved in the book that this blog post comes from have legal expertise. They are all computer technicians with various specialties, but law is not one of them. However, a few general statements can be made.
Unauthorized Hacking Is Punishable by Law
For example, in Germany, the so-called Hacker Article, Section 202c of the German Criminal Code, applies.
Section 202c: Preparing to Spy on and Intercept Data: “Any person who prepares an offense under Section 202a or Section 202b by producing, obtaining for himself or another, selling, giving to another, distributing or otherwise making accessible passwords or other security codes that enable access to data (Section 202a(2)) or computer programs whose purpose is the commission of such an offense shall be punished by imprisonment for not more than two years or a fine. (2) Section 149 (2) and (3) shall apply mutatis mutandis.”
In this context, Section 202a or Section 202b deal with further aspects of IT security, namely the spying on and interception of data. Section 149 deals with the counterfeiting of currency and stamps.
In the Austrian Criminal Code, there are comparable formulations in Section 118a and Section 126a to c. Similarly, you can read Articles 143 and 144 in the Swiss Penal Code.
A simple port scan can therefore already be considered preparation for a criminal offense under Section 202c. At first glance, this seems absurd: such scans are ubiquitous, and there is no reasonable means against them. If your company’s security system or firewall detects such a scan and you can trace the underlying IP address back to Ukraine, for example, then what do you want to do as the company’s security manager?
Of course, you can try to find out who owns the IP address or from which internet provider the scan originated. Even if you succeed, you may well end up only encountering computers that are themselves compromised and remotely controlled by the attacker from a completely different location. So in a nutshell: even if you know that other hackers from abroad perform port scans incessantly, you still must not start a port scan on someone else’s computer yourself.
Although the law does not state it explicitly and does not differentiate between responsible and criminal hackers, “goodwill” use of hacking tools, such as in the context of a pen test, is usually accepted. Nevertheless, it should be clear to you that the use of hacking programs outside of test systems absolutely requires written permission!
Also keep in mind that hacking often crosses national borders: even if a company is headquartered in Germany, for example, it may have servers that are located in Ireland or the US. This makes the legal assessment even more complicated.
Negligent Handling of IT Security Is Also a Criminal Offense
It’s not just unauthorized hacking that can get you into hot water. Neglecting your company’s security is also increasingly becoming a problem. In doing so, it’s better not to look to the past, when even monumental data leaks went unpunished or resulted in only comparatively small fines.
In the meantime, both public perception and the range of punishment have changed drastically: in 2019, Facebook was fined $5 billion in the US for sharing its members’ personal data too carelessly with third-party companies. In the UK, a further fine of £500,000 was added for the same offense—with a note that the penalty would have been significantly higher had the General Data Protection Regulation (GDPR) already applied at the time of the data transfer (we’ll get to that in a moment).
In Germany, the Federal Data Protection Act (BDSG) formulates the rules to which companies that manage and store personal data must adhere. From the perspective of this book, the safety and protection requirements formulated in Section 9 of the act are particularly relevant. In addition to more general security measures (physical protection including fire protection measures, password checks, backups, etc.), it’s stipulated there, among other things, that the transmission of data must be encrypted, and that this must be done in accordance with the current technological state of the art. In the case of serious violations, fines and imprisonment are provided for. This also applies, for example, in the event that a hacker was able to steal and publish data from your company because your protective measures were not state of the art.
In Austria, the handling of personal data is regulated by the Data Protection Act of 2000. In particular, Section 14 requires a company or organization to take appropriate data security measures.
European General Data Protection Regulation
Detached from national laws, the GDPR has applied to all EU countries since May 2018. Rules concerning the processing of personal data are laid down there. The provisions will be integrated into the corresponding national laws and replace or supplement the previous provisions.
The aim of GDPR is to achieve uniform standards within the EU. For many countries, this is accompanied by a tightening of the provision and a much higher range of penalties. Fines of up to 4% of the company’s worldwide turnover are possible! After an initial grace period, there have now been a number of proceedings, some of which have resulted in severe penalties for the companies responsible.
In the United Kingdom, the GDPR also applied until Brexit. Since then, there have been transitional rules. The EU has issued an adequacy decision in which the UK is considered a safe third country (in terms of data protection). This is particularly important for cross-border cloud solutions.
Critical Infrastructure, Banks
A special case is the area of critical infrastructures which includes energy and water supply, healthcare and finance, and telecommunications. In accordance with the guidelines of the European Programme for Critical Infrastructure Protection (EPCIP), for example, the Act to Increase the Security of Information Technology Systems (IT Security Act) was passed in Germany in mid-2015.
In addition to an obligation to implement comprehensive security measures, these laws also contain significant threats of punishment and the obligation to report security incidents to a government reporting office.
Stricter security rules also apply to banks and financial service providers. This includes the obligation to have a security officer who is independent of day-to-day operations and, in particular, the regular IT security department to monitor IT security and provide a report on it on a quarterly basis.
Security Guidelines and Standards
European standards stop at nothing, not even IT security. Worth mentioning in the context of this book in particular are the international standards ISO/IEC 27001 and 27002:
- ISO 27001: The Information Security, Cybersecurity, and Privacy Protection: Information Security Management Systems: Requirements standard defines guidelines for the establishment and operation of a documented information security management system.
- ISO 27002: This international standard contains recommendations for control mechanisms for information security.
Unfortunately, the full text of the standards is only available for a fee (see https://www.iso.org). But you can find brief summaries of the standard on Wikipedia. See http://s-prs.co/v569601 and http://s-prs.co/v569602.
Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.
Comments