How legal are port scans and war driving? That is: twenty years have passed, we are still going round and round


Recently, the National Cybersecurity Agency (ACN) replied to a spontaneous “vulnerability reporter” by pointing out that the way in which the “hole” had been identified could have violated criminal law (and, moreover, given the public nature of the “attacked” resource, the offence could even be prosecuted ex officio, i.e. without the victim filing a complaint).

ACN’s legally rigorous and hastily criticized response is proof that in the “security expert” community old habits die hard. Twenty years have passed since I wrote an article addressing the subject, but despite the time we are still at the same point: someone (still) thinks that their “superior knowledge” or an unspecified “moral duty” is sufficient to justify the commission of a crime, i.e. what the law on computer crimes, in language that was already old-fashioned at the time, calls “unlawful access to a telematic system”.

In reality, like it or not, if you commit a crime — and proving, without authorization, that a vulnerability works on a specific site is one [using techniques such as “port scanning” and “war driving”, ed.] — you must be punished. At most, if “good intentions” were actually demonstrated, one could be entitled to a reduced sentence for having acted, as the Penal Code says, for “reasons of particular moral or social value”.

In other words, it is one thing to find a vulnerability in software and report it (although even in this case there are problems relating to the protection of the developer’s industrial and intellectual property); it is another thing to say that the system reachable via the abc.xyz domain is vulnerable to a particular attack because that attack was actually launched. In the first case, net of other potential problems, one would not be directly committing an unauthorized access; in the second, one would. Simple as that, as the Anglo-Saxons would say.

“Moral duty” or “independent research” are justifications widely used by those who carry out unauthorized penetration tests. Sometimes they are people genuinely acting in good faith but lacking legal awareness of what they are doing. In other cases, and not only today, we are faced with subjects who, wrapped in a hacker’s cloak – or rather, wearing the hooded sweatshirt that in mainstream iconography has replaced “the adolescent with pimples who ‘pierces’ NASA or the Pentagon” – are looking for visibility, work or, more simply, both.

Regardless of the reasons behind specific cases, the public debate on unauthorized pen-tests pits the supporters of their legalization against the “penalty takers” who, on the other hand, continue to believe that such a practice should be discouraged and, indeed, sanctioned. Unfortunately, and inevitably, this is a dialogue of the deaf, because the two positions rest on irreconcilable presuppositions. On the one hand, even assuming their good faith, there are the supporters of ethical hacking; on the other there are the “lawyers” who place the “rule of law” – the primacy of the law – above any individual motivation.

Put in these terms, then, the debate on pen-tests is no longer about technical issues or quibbling over legal definitions, but concerns a theme that has occupied jurists and philosophers for millennia: should we follow ethics or the law? Do we or do we not have the right to do “what is right”? Intuitively, also because of the widespread belief, induced by the fake egalitarianism of social networks, that one’s own ideas have absolute value, the answer would favor the superiority of ethics over the law. But then one should ask which ethics we are talking about: individual or state ethics.

The former is irrelevant because individual beliefs are valid for oneself and not for others; the latter is incompatible with a democratic system, because state ethics are an attribute of even secular theocracies, such as Nazi Germany or the Soviet Union. If we are to continue living in a democracy, then, we have no alternative but to abide by the law (however imperfect), and if the law punishes unauthorized pen-tests, then so be it. Those who carry them out know what they risk.

Nothing prevents us, in the political dimension, from discussing whether abusive pen-tests should be legalized; indeed, given the situation, addressing the issue would be urgent. However, such a reflection should also involve the irresponsibility (in the sense of the lack of a clear legal responsibility) of the software houses and of those who use their products to provide services to the public. This is what is being discussed at EU level with the Cyber Resilience Act, the regulation that should require hardware and software manufacturers to carry out security tests as an integral part of the technical documentation. It is not a perfect solution, but it is a first step towards the goal of making all the elements of the supply chain responsible. Other immediately feasible possibilities for regulating pen-tests would be the transposition, currently underway, of the NIS2 Directive and the second additional protocol to the Budapest Convention on cybercrime. So the regulatory instruments are all there and are already being adopted. All that is needed is the political will to address the pen-test question, not the subjective “ethical motivation”, whatever it may be.
