Ethical hackers face tough sanction
Cyber expert reveals researcher swiped data from JamCOVID site
Published:Friday | February 4, 2022 | 12:12 AMEdmond Campbell/Senior Parliamentary Reporter -
Ethical hackers who find vulnerabilities on government or private websites in Jamaica could face a $3-million fine and three-year prison sentence if a provision in the Cybercrimes Act, 2015, remains and receives the nod from Parliament.
That threat could penalise actors such as Zack Whittaker, the security editor at American online newspaper TechCrunch who, last February, revealed that a cloud-storage server with uploaded documents had been left unprotected on the JamCOVID website.
It was also revealed during a parliamentary committee meeting on Thursday that information was swiped from the website by an unnamed “so-called security researcher” in the wake of Whittaker’s expose.
Ethical hacking or penetration testing refers to the practice of seeking to discover threats and cybersecurity vulnerabilities that may be exploited by someone with an ulterior motive.
In its submission to the Joint Select Committee examining the Cybercrimes Act, 2015, the Private Sector Organisation of Jamaica’s (PSOJ) had recommended that a framework be developed that provides for the recognition of ethical hackers in the new law.
That proposal was debated vigorously on Thursday by lawmakers and technocrats during a meeting of the committee.
Private-sector interests had raised concern that there was the danger that innocent actors who find vulnerabilities in interacting with a computer might not have wilfully done anything and could face sanctions under the law.
This concern was amplified by Julian Robinson, a member of the committee, who was opposed to provisions in the legislation that criminalise ethical hackers.
Wahkeen Murray, chief technical director in the Ministry of Science, Energy and Technology, told committee members that the proposed law did not make provision for ethical hackers to check on vulnerabilities in government computer systems.
“Any access must be that which is authorised and anything beyond that would fall possibly within the commission of one of the offences under the legislation,” she said.
“I am not sure you want to criminalise that kind of conduct, particularly where individuals are seeking to help,” Robinson replied.
He made reference to Whittaker, whose online correspondence indicated that the JamCOVID website was a soft target, with thousands of files at risk on the Internet.
The application, which was developed by the Amber Group in 2020, had allowed users to enter personal data, including medical records, before they had been given approval to enter Jamaica. The application was also used to track the movement of those placed in quarantine.
According to Robinson, the TechCrunch journalist would have been guilty of committing a crime under the Cybercrimes Act, 2015 that is now being reviewed.
“I don’t know if you want to discourage persons from doing that kind of work, which is done, frankly, all over the world,” he added.
Robinson argued that with the limited resources locally and the implementation of the National Identification System this year, the Government would never be able to find the internal resources to properly police its networks.
Lieutenant Colonel Godphey Sterling, head of the Cyber Incident Response Team (Ja-CIRT) in the Ministry of Science, Energy and Technology, told the committee that the “unwitting” discovery of vulnerabilities should be divided into two categories.
Sterling explained that in the first instance, someone can make a discovery as part of his job function, whether as an employee or third-party contractor.
He said an employee would have been indemnified by the terms of his contract, and as such, his discovery of vulnerabilities would not attract a penalty under the Cybercrimes Act, 2015.
However, the cybersecurity expert noted that if a third-party contractor who is operating with specific guidelines discovers a vulnerability and fails to mention it to the person who contracted him, but makes it public, he would commit an offence.
Commenting on the JamCOVID vulnerability that was discovered by TechCrunch, Sterling said the publication of that information caused “embarrassment to the owners of the resource”. He said it also allowed other persons who would not necessarily have been interested in the resource to try to do the same thing or to do worse.
He said that in a follow-up action, “a so-called security researcher actually exploited the vulnerabilities that were documented in Zack Whittaker’s article and exfiltrated data (unauthorised movement of data) from the site”.
Robinson said in many cases, ethical hackers inform the owners of computer systems or websites if they identify vulnerabilities, noting that they only go public in some instances where they feel that the organisation has ignored their message and had taken no steps to remedy the situation.
“There is a bit of ego in it because they want to show that they can get into particular websites. They will do it - and do it for fun - but they are not criminals,” he said.
But Sterling insisted that based on the “nature of how the country’s Internet-facing resources are sometimes secured, if we do not maintain the sort of deterrent effect of criminalising this activity, I fear that what we will do is, essentially, declare open season on these resources”.
Section 3 (1) of the proposed statute says a person who knowingly obtains, for himself or another person, any unauthorised access to any programme or data held in a computer commits an offence.
In the case of a first offence, the offender could face a fine not exceeding $3 million or imprisonment for a term not exceeding three years, or both such fine and imprisonment.