Applied research urges cybersecurity reform
Hackers are increasingly attacking the IT systems of companies, authorities and institutions. In the process, they are causing major damage in some cases. Cybercrime is facilitated by the restrictive German legal situation regarding the disclosure of software security vulnerabilities. This is the conclusion of a position paper published on November 25, 2021, by an interdisciplinary team of researchers from computer science and law. The innBW member FZI Forschungszentrum Informatik coordinated the study. The experts' recommendation: The German government must enable balanced conditions for responsible and coordinated disclosure of IT security vulnerabilities by the security research community. The current legal situation, on the other hand, creates deterrent effects.
Cyber attacks are a major problem
Cyberattacks are targeted attacks, launched from outside, on larger computer networks that are important to a specific infrastructure, carried out for sabotage, information gathering and extortion. For 86 percent of all companies, the attacks result in damage. One in ten companies feels its existence is threatened as a result, according to a survey by the industry association Bitkom. However, it is difficult to develop counter-strategies in Germany due to the current legal situation. The interdisciplinary team from all over Germany, coordinated by the FZI Competence Center IT Security, describes in detail in the analysis why this is the case and how it could be changed.
Independent and public-interest IT security research in Germany faces a dilemma when it tests information and communication technology products for existing security vulnerabilities. This includes proactive testing of products freely available on the market. Although the methods and technical procedures used are similar to those of cyber criminals, the intention is quite different: if security vulnerabilities are found, they are reported to those responsible for the product, who are thus given an opportunity to secure their products and thereby protect both their company and their customers from damage. Since researchers are bound to scientific integrity, however, they are not allowed to run projects that might violate applicable law.
Security researchers in court because of their work
Examples such as that of a team of researchers from universities in Berlin, Munich and Erlangen-Nuremberg from 2018 show the need for reform: the team had to go to court because of the planned publication of their research results. The proceedings were brought to an end with the conclusion of a Coordinated Disclosure Agreement. This year, independent security researchers, who are sometimes referred to as "ethical hackers," faced criminal charges and even house searches despite reporting data leaks that affected numerous individuals. Legislators must now put a stop to this, according to the authors of the paper.
About the FZI
The FZI Research Center for Information Technology, with headquarters in Karlsruhe and a branch office in Berlin, is a non-profit institution for information technology application research and technology transfer. It brings the latest scientific findings in information technology to companies and public institutions and qualifies young people for academic and business careers or the leap into self-employment. Supervised by professors from various faculties, the research groups at the FZI develop interdisciplinary concepts, software, hardware and system solutions for their clients and implement the solutions found as prototypes. The FZI House of Living Labs provides a unique research environment for application research. The FZI is an innovation partner of the Karlsruhe Institute of Technology (KIT).