The UN cybercrime convention threatens security research. The US should do something about it

The UN treaty's broad and ambiguous language risks stifling vital work.
The United Nations flag (Getty Images)

The United Nations’ recent adoption of a new cybercrime convention has sparked significant discussion within the global cybersecurity community. While the UN Convention Against Cybercrime aims to enhance international cooperation to combat malicious hacking, the convention raises serious concerns for those involved in security research and ethical hacking. 

The treaty’s provisions related to security research conflict with best practices encouraged by the U.S. government and federal policies that protect good-faith security research from prosecution. Despite these and other concerns, the treaty is expected to receive final approval from the General Assembly by the end of the year.

Though this treaty will not directly alter existing computer crime laws, nations with less-developed cybercrime laws may pass regulations that mirror the text of the UN’s convention, and authoritarian governments may use the flawed text of the convention to justify suppression and censorship of security researchers and others.

Security researchers operating in or collaborating with entities in countries with fewer protections for good-faith security research and ethical hacking may find themselves at heightened risk of potential legal consequences for activities that are both ethical and essential to maintaining global cybersecurity. 

For this reason, it is critically important that the United States work with other countries to encourage the incorporation of protections for such research into national law or law enforcement policies and practices.

Chilling innovation and reducing security

Good-faith security researchers, also called ethical hackers, play a crucial role in the fight against cybercrime. These individuals identify vulnerabilities in software, systems, and networks, so that they can be patched or mitigated before malicious actors can exploit them. 

Legal frameworks increasingly support the efforts of security researchers by distinguishing them from malicious cybercriminals, reducing legal liability for ethical hacking, and incentivizing organizations to adopt policies to receive vulnerability disclosures. For example, the United States since 2020 has directed all federal agencies to have vulnerability disclosure policies. The U.S. Department of Justice has long recognized the importance of security research and recently announced that it will update its Vulnerability Disclosure Framework, which minimized legal jeopardy for security researchers, to address the reporting of vulnerabilities for AI systems.

However, the UN treaty’s broad and ambiguous language risks stifling this vital work. The treaty obligates countries to criminalize anyone who intentionally gains access to any part of a computer system “without right.” While purportedly intended to prevent malicious hacking, the article makes no distinction between cybercriminals and legitimate security testing performed by ethical hackers who lack explicit permission but are working to enhance security.

The language in the convention also prohibits intercepting non-public transmissions of computer data “without right.” This ignores the intent of the intrusion and can implicate independent security professionals who, in the course of their work, may intercept signals to identify or validate security vulnerabilities to protect, not exploit, the data. 

It also outlaws the intentional damaging, deletion, or alteration of computer data “without right.” This article could be misapplied to ethical hackers who manipulate data as part of a controlled test, such as penetration testing and red teaming, to identify weaknesses and improve system defenses.

The treaty criminalizes the intentional and unauthorized hindering of the functioning of a computer system. This could also be detrimental to security research or red-teaming activities, which utilize simulated attacks to identify security weaknesses and improve defenses. Such activities could be considered “interference” under this broad definition, potentially subjecting ethical hackers to legal risks even when their actions are aimed at enhancing security.

Translating these provisions into criminal laws without explicit protections or clarifications could discourage legitimate security testing, ultimately making systems less secure and more vulnerable to real cyber threats. Rather than promoting the convention’s stated aim of increasing coordination and cooperation, this could lead to inconsistent application and misuse of the treaty, leaving researchers vulnerable in jurisdictions that do not explicitly safeguard good-faith activities.

The path forward

The treaty encourages signatories to recognize the contributions of legitimate security researchers, provided their activities are intended to strengthen and improve security to the extent permitted by law. While this acknowledgment is a positive step, it falls far short of encouraging signatories to establish legal protections for legitimate security research. 

Because the treaty’s recognition of security researchers’ vital work is not consistently reflected in its restrictions on computer access and use, and is not translated into meaningful protections for researchers, it will be up to member countries to provide those protections in national laws or through guidelines and best practices that companies and law enforcement officials can follow.

While it may be too late to improve the text of this treaty, the United States can and should contribute its knowledge and experience in protecting security research and bring focus and energy to the adoption of similar practices in other countries. This can be accomplished in several ways. 

For example, the U.S. Agency for International Development and the State Department could incorporate protections for security research into their cybersecurity capacity-building programs. Alternatively, they could condition digital capacity-building funds on the commitments from governments that they will not prosecute good-faith security researchers. 

The U.S. should also partner with nongovernmental capacity-building organizations and like-minded governments to develop and disseminate best practices for implementing the treaty that recognize the importance and benefits of security research and differentiate ethical research from cybercrime.

Taking these and other steps will help ensure that policymakers around the world are aware of the treaty’s implications for security research and encourage them to adapt their legal frameworks to support, rather than hinder, ethical hacking. By doing so, nations can foster a cooperative environment where the essential work of security researchers is valued and encouraged, ultimately strengthening our collective defenses against cyber threats.

Ilona Cohen is the chief legal and policy officer at HackerOne.