Expert: working as a “white hacker” can lead to criminal liability

MOSCOW, 18 Oct – PRIME. Any users who check computer systems in Russia for security, including white hat hackers, may be held criminally liable for their activities, Yevgeny Tsarev, an expert in the field of cybersecurity and law, who manages the RTM Group, told RIA Novosti.

“Any use of programs that in one way or another affect the computer information protection system may result in criminal penalties. Persons with education and experience in the field of computer technology are at particular risk, since it is assumed that they are aware of the risks of using such software. In general, a criminal can become both an IT specialist who creates programs for checking Internet platforms and services for vulnerabilities, and any Internet user using network scanners or password guessing applications,” Tsarev said.

He noted that all pentesters (specialists in system security analysis) use programs to check for vulnerabilities, and half of them – without the use of a contract or remotely (from home, for example). “And this is several hundred people across the country. But the main risk group is more than 10 thousand students of the specialty of information security and IT, who use such tools thoughtlessly. Almost every one of them scans on their own initiative at least once a year,” the expert specified.

Thus, according to the expert, programs that, according to the criteria, fall under “neutralizing security tools” (scanners, applications for decryption and testing security tools) are in a gray zone of legal regulation. It is important to use only certified software.

“The independent use of scanners and other programs from the Internet can be regarded as a crime, so it is better to delegate such a task to professionals involved in information security. Companies licensed to carry out technical protection of confidential information have experience in this area and understand the risks of using certain programs,” Tsarev said.

According to him, a suitable option for identifying vulnerabilities is a pentest, which requires a competent drafting of a contract. In the documents, it is important to define in detail the subject and boundaries of such testing, to regulate the risks and responsibilities of the parties. This will allow legitimate security research and prevent future hacking threats.