Anyone who wants to detect and close IT security gaps should not have to risk punishment for doing so. Ensuring this is the aim of the Federal Justice Ministry’s draft reform of computer criminal law, which was sent to the states and federations for comment. The draft also states that espionage and data interception, especially in serious cases, should be punished more harshly in the future than before.
Advertisement
a particularly difficult case spirit of draft This usually occurs when the offender acts out of a desire for profit, acting professionally or as a member of a gang, or when the crime results in major property damage to the person concerned. The planned tightening should also include, for example, cases in which – for example from abroad – the functionality of critical infrastructure or the security of the Federal Republic or the Federal State is impaired. The fine should be increased to a prison sentence of three months to five years. Currently, spying on data can lead to a prison sentence of up to three years and intercepting data can lead to up to two years in prison.
Good intentions must be clear and visible
According to the information, to ensure better security of these systems, security researchers who break into IT systems with good intentions must meet three requirements so that their behavior is not considered criminal. First, the intrusion must have occurred with the intent to discover a security vulnerability. Second, there must be an intention to inform a responsible institution that can bridge the gap. Third, this action must be necessary to detect a security vulnerability.
“Anyone who wants to close IT security gaps deserves recognition – not a letter from the public prosecutor,” says Federal Justice Minister Marco Buschmann (FDP). Cybercriminals and foreign powers can use such gaps as entry points, for example to paralyze hospitals, transportation companies or power plants, spy on personal data or ruin companies.
202c will not be removed
However, the change in law was already being criticized. The CCC examined the draft of the new regulation two weeks ago and called the outcome “blunt.” On top of all this, the still-existing Paragraph 202C, also known as the “hacker paragraph”, troubles security researchers. It criminalizes the possession of devices that can be used to break into systems. According to the CCC, it could only become clear after retaliation such as a home search whether such devices were for the “good intention” that is now required. As the Ministry of Justice had emphasized when introducing the amendment, possession of these devices should remain free from impunity. However, since 202C will not be removed with the change, the CCC sees a “dangerous gray area.” However, Dennis-Kenji Kipker, professor of IT security law at the Bremen University of Applied Sciences, believes the new law is a good compromise.
(Never)
