IT security research: ethical issues and legal challenges

IT security researchers can make a valuable contribution in dealing with cyber attacks - but they expose themselves to massive legal risks. What could a research-friendly IT security policy in Germany look like and how should vulnerabilities be addressed? The “bidt Werkstatt digital” is dedicated to the topic “(Always) closing gaps? How should the state deal with IT security gaps?”. We spoke with Professor Felix Freiling about possible solutions. He is a member of the bidt Board of Directors and Professor of Computer Science at the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU).

Cybersecurity and IT security research
© Song_about_summer / stock.adobe.com

Recently, there have been an increasing number of media reports about cyber attacks. In addition to private companies, state IT infrastructures are also increasingly being targeted. In your view, in which areas are the greatest dangers and risks for IT security breaches in Germany?

Felix Freiling: In principle, every area that relies on being protected by software alone is at risk, because security vulnerabilities exist in every type of software, in apps, web applications and operating systems. Finding them is very time-consuming. But when such gaps become known, they are also easy to exploit.

Cyber attacks on state institutions often target the so-called critical IT infrastructure. What is meant by this and what are the consequences for society as a whole if state IT infrastructure collapses in the worst case?

Felix Freiling: Roughly speaking, critical infrastructures are all systems that maintain important social functions. These include, for example, hospitals, the police or parts of the public administration. The consequences of attacks on such infrastructures can be seen from numerous incidents in the past. In July 2021, for example, after an attack on the IT infrastructure of the Anhalt-Bitterfeld district, nothing worked in the administration for months. A disaster situation was even declared.

The “bidt Werkstatt digital” deals with the topic “(Always) closing gaps? How should the state deal with IT security gaps?” In which cases should the state not close its security gaps immediately?

Felix Freiling: Security gaps are not only a gateway for criminals. They can also enable law enforcement agencies and intelligence services to penetrate the IT infrastructure of criminals in order to solve or cripple them. For this to happen, however, knowledge of the security vulnerability must not become known immediately. So a balance must be struck between the chances of penetrating the IT systems of criminals and the dangers to the general public that arise from not closing the security gap.

In the debate on IT security vulnerabilities, you suggest establishing a reporting and coordination centre. What tasks should such a body take on?

Felix Freiling: On the one hand, it should mediate between the parties involved, i.e. between the software manufacturers, the discoverers of vulnerabilities and the interested authorities. In addition, such a body would transparently weigh up the interests of the state in law enforcement against the interests of the general public in a secure infrastructure. There would then be less wheeling and dealing.

What do you understand by ethical hackers in this context and to what extent do they expose themselves to massive legal risks?

Felix Freiling: Ethical hacking is a branch of IT security research that deals with finding vulnerabilities in widely used software. The aim is always to do something good for the general public, i.e. to reduce the number of vulnerabilities on the internet. A good example of the dangers that ethical hackers expose themselves to is the case of Lilith Wittmann, who found a glaring security hole in the CDU’s election campaign app in 2021. Instead of closing the security hole, she was reported. The criminal proceedings have been dropped in the meantime, but of course this kind of thing intimidates. Such intimidation is commonplace.

Where do you think the legal framework needs to be adjusted?

Felix Freiling: The positive effects of people who conduct ethical IT security research should also be taken into account in the formulation of laws, for example in the form of exemptions in criminal law. But there are also exceptions to criminal liability in other places, such as copyright law, for example to establish interoperability, but not to search for software vulnerabilities. That doesn’t fit together in today’s world.