June 2, 2025

Hackers at the State Service


With the entry into force of the new European cybersecurity directive, Portugal will legalize computer espionage, creating brigades of ethical hackers who, in order to detect vulnerabilities, will be able to enter the systems of companies and public institutions without asking for permission or saying anything to anyone.

For this, the Cybercrime Law will have to be amended in its article 6, where illegitimate access to digital systems is criminalized. This decriminalization proposal appears in the text of the bill that authorizes the government to transpose Directive 2022/2555 (NIS2) into domestic law. This legal instrument is intended to ensure a high common level of cybersecurity throughout the European Union (EU).

The proposal for the approval of the transposition, with the inclusion of the amendment to the Cybercrime Law, has been in the Assembly of the Republic since February 14 and its content will remain, although the change of legislature means the ‘death’ of the pending projects and requires the presentation of a new proposal in the next legislature. But the text of the new document will be the same because, on the one hand, the new government has the same party root and, on the other, the EU has already threatened to apply sanctions to Portugal for the delay in the transposition of NIS2, which should have occurred in October last year. It is an urgent process. «If the winner of the elections were, the proposal in the new legislature will never undergo significant technical changes», the Director-General of the National Security Office (GNS), António Gameiro Marques, who is expected to leave the position at the end of the month, told Sunrise. Asked by Sunrise whether the government intends to maintain the project, the Ministry of the Presidency considered it to be «inopportune to be commenting on initiatives that will only be assumed in the next legislature».

Once the directive is transposed, the change to the Cybercrime Law will allow the creation of brigades of ‘ethical hackers’, not police, who will report directly to the National Cybersecurity Center (CNCS), an entity so far directed by a GNS sub-director-general, but which, with the new law, will reinforce its function as national authority in the field of cybersecurity. The GNS, along with the National Communications Authority, will become a Sector National Authority.

Changing the Cybercrime Law, decriminalizing illegitimate access to computer systems, has the purpose that «the State is not penalizing those who, for benign reasons, intend to signal to the authorities the existence of vulnerabilities that, if exploited by people with bad intentions, can greatly negatively impact their functioning and thus the community served», explains António Gameiro Marques. He adds: «The concept that is intended to be implemented, and this part of the legislation was widely discussed, namely with the Judicial Police, is that of the responsible dissemination of vulnerabilities, also known as coordinated vulnerability disclosure.» That is, he said: «It is a process in which security investigators, or ethical hackers, discover vulnerabilities, weaknesses or failures in software, hardware or systems and communicate them to the affected organization or supplier».

Thus, with the approval of the transposition, the Cybercrime Law will have an amendment to article 8 with the title ‘acts not punishable by public interest of cybersecurity’, determining, in paragraph 1, that «there are no punishable facts likely to embody the crimes of illegitimate access and illegitimate interception provided for, respectively, in Articles 6 and 7, if the following circumstances are cumulatively met.» The first is that the «agent acts with the unique intention to identify the existence of vulnerabilities in the information and communication technology information, products and services (…) and with the purpose of, through its dissemination, contributing to the safety of cyberspace».

According to the proposal, the ethical hacker will always have to report the execution of the espionage act to the CNCS, and the latter, for its part, must report to the PJ if there is evidence of crime. If the hacker detects any anomaly in the system, they should report it to the owner, for repair, as well as to the CNCS, for its knowledge, and delete this report within 10 days.

Going beyond the directive…

The point is that nowhere in the European directive is there an obligation for EU member states to create ethical hackers to supervise compliance with European cybersecurity rules.

«In Directive 2022/2555 (NIS 2) there is nothing about this proposal of decriminalization, and it is, therefore, a legislative option. On the other hand, in the statement of reasons for Bill No. 50/XVI/1st there is also no mention of the grounds or reasons for this option, which does not allow one to determine what led the government to propose this exclusion of unlawfulness in the case provided therein», lawyer Ricardo Sardo explains to Sunrise.

This lawyer, a cybercrime expert, signed the opinion of the Bar Association on the bill filed by the previous government and believes that the proposal of the future executive will have the same technical content. The text, he says, is the result of a broad consensus. António Gameiro Marques also recalled that the proposal received contributions from over 120 entities.

Less consensual, for lawyers, will be the issue of decriminalizing illegitimate access to computer systems, even in the specific case of access for legitimate purposes, such as verifying system weaknesses so that they can be rectified.

«There are greater questions that arise», warns Ricardo Sardo, underlining: «From the outset, there is a risk, even if reduced, that professional hackers can access a system, under the cloak or justification of ‘legitimacy’ and ‘goodness’, to meet the requirements and, in a camouflaged and undetected way, access information or data illegitimately, or for illegitimate purposes». In this sense, he argues: «This concrete proposal requires broad discussion and profound analysis, precisely due to the existing risk of illegitimate access.»

With professional secrecy being the ‘sacred cow’ of lawyers, Ricardo Sardo also warns: «In this proposal of law, no specific rule on the compatibility of rules on cybersecurity and the regime of professional confidentiality is foreseen, given that the Bar Association has in its systems sensitive and confidential matters and information.» And he appeals: «It is necessary to adapt the rules on access to their systems and communication to the authorities with professional secrecy (which is perfectly possible in terms of the directive), the fundamental principle of our legal system.»

Contacted by Sunrise, the Superior Council of the Judiciary reported that it «reserves the issuance of opinion for the proper moment of the legislative process». The Attorney General’s Office and the Judicial Police did not answer the questions.


