Germany Legalizes Ethical Hacking

The Federal Ministry of Justice in Germany is developing a modernization of computer criminal law that aims to exempt ethical hacking from criminal prosecution. The initiative is intended to reduce legal risks for cybersecurity specialists, allowing them to carry out necessary tests on computer systems without fear of facing criminal charges.

This bill is designed to protect individual researchers and IT companies specializing in security who test computer systems to identify vulnerabilities and strengthen security measures. The Ministry’s position is that specialists, known as “White Hackers,” who work in the interest of security should not be penalized for their actions.

German Minister of Justice Marco Buschmann highlighted the importance of identifying information security gaps for the benefit of society as a whole. Currently, unauthorized access to data is considered a criminal offense under the country’s legislation. The proposed amendments will affect three articles of the Criminal Code, specifically those on obtaining access to data (§202a), interception of data (§202b), and changing data (§303a), ensuring that researchers in the field of information security are not deemed to have acted “unauthorized” and are therefore exempt from punishment.

In addition to providing protection for ethical hackers, the bill also includes stricter punishments for malicious hacking. Serious violations could result in imprisonment for a period ranging from three months to five years. Criteria for particularly severe cases include actions leading to significant financial losses, actions carried out for selfish motives or as part of a criminal group, actions affecting critical infrastructure’s accessibility, functionality, integrity, authenticity, or confidentiality, and actions that threaten the security of the Federal Republic of Germany or its territories, including those originating from abroad.

The Minister emphasized the potential consequences of vulnerabilities in IT systems in today’s interconnected world. Cybercriminals and foreign entities can exploit security gaps to attack hospitals, transportation companies, and power plants, steal personal data, and cause damage to businesses.

The Ministry of Justice clarified that the mere possession of hacker tools is not considered a criminal offense. The bill is under review until December 13, 2024, after which it will be presented to parliament for approval.
