2022-02-04

Lawmakers could opt to keep provisions in the 2015 Cybercrimes Act which do not make exceptions for people who unwittingly discover cybersecurity risks on public or private networks, instead of amending the legislation to criminalise only wilful, unauthorised, ill-intended acts.

The issue, which was previously raised in the Private Sector Organisation of Jamaica's (PSOJ) submission to the parliamentary committee reviewing the Cybercrimes Act, was discussed at Thursday's sitting of the committee.

The PSOJ is also asking for ethical hackers to be recognised in the law.

These are people who carry out penetration testing, with the authority of clients, usually in countries where cyber ecosystems are not well developed. In jurisdictions where cyber infrastructure is more developed, the approach differs.

Head of cyber incident response at the Ministry of Science, Energy and Technology Lt Col Godphey Sterling cautioned against changing the legislation to accommodate ethical hacking without the express approval of the system owner.

He said removing criminality from that provision would be tantamount to legitimising illegal access to private property.

Lt Col Sterling said a distinction should be made between people who innocently make the discovery as part of their job function, and those who, without the knowledge of, or authority from, the system owner, try to hack into Internet-based resources.

He said those who act on permission or in relation to their job would be protected. Hacking into a system without authority should be criminalised, as should discovering a vulnerability while operating within a specific scope, then failing to report it to the system owner or rights holder and instead making the information public.

Sterling noted the JamCOVID situation where the individual who discovered the security lapse sought to communicate this to the owners of the app, and when the security issue was not addressed, went public with the information.

“We saw the result of that, in terms of the embarrassment to the owners of the resource and also the fact that it allowed other persons to try to do the same thing, or worse, where even a so-called security researcher actually exploited the vulnerability, which was documented in Zack Whittaker's article, and exfiltrated data from the site,” he lamented.

In February last year, Amber Group, the developer of the JamCOVID application and website which travellers use to enter personal data as they seek clearance to land in Jamaica, came under scrutiny when American technology magazine TechCrunch reported vulnerabilities in the app which, the magazine said, left files with sensitive data unprotected.

TechCrunch claimed that JamCOVID had exposed immigration documents, passport numbers and COVID-19 lab test results on close to half a million travellers — including Americans — who visited the island. Amber's founder Dushyant Savadia said the reports were defamatory and that no personal data were exposed.

On Thursday Sterling said security activists who are randomly testing Internet systems put small businesses in particular at risk. He stressed that there are provisions in the law for penetration testers to reach out to the system owners if they intend to conduct a probe.

Committee member Julian Robinson contended that hackers with malicious intent would not, in the first place, be seeking permission to test vulnerabilities on public networks, and that the apprehension appeared to be more about Government saving face than facing any real threat.

“If you look around the world at how these guys operate, nobody is going to seek permission before they probe. They're there primarily to demonstrate their own expertise. There is a bit of ego in it because they want to show they can get into particular networks. They are not the criminals, and I don't think we should criminalise it. Where they go public is where they feel that either the organisation has not acknowledged, or has taken no steps. The activists tend to be focused more on public infrastructure, and public networks… While it can be very embarrassing to a Government, there is benefit in having persons who bring something to your attention and give you an opportunity to fix it,” he asserted.

Sterling argued that ethical hackers should not be conflated with security researchers and activists, as ethical hackers operate within the ambit of non-disclosure agreements, legislation, or specified intent of resource owners.