EXECUTIVE SUMMARY:
This legal grey zone becoming black and white
In the US, the Supreme Court is slated to look at a case concerning the interpretation of the Computer Fraud and Abuse Act (CFAA). As it stands, the law can currently be used to target white-hat security researchers who hack into systems while scouting for vulnerabilities.
“Legal experts and technologists see the decision as a chance, after decades of ambiguity, to clarify just what well-meaning security researchers are allowed to do in probing third-party systems.”
The argument before the Supreme Court
The mobile voting firm, Voatz, contends that federal protections should only extend to authorized researchers, who have clear permissions to probe software and computer systems for vulnerabilities. The Voatz proposition narrows the definition of “authorized access” and implies that certain existing practices would become illegal.
More than 70 well-known cyber security practitioners, like Peiter “Mudge” Zatko, along with cyber security organizations, advocate for protections on behalf of white-hat and ethical technologists. In an open letter, security specialists commented that the Voatz argument refers to “independent good-faith security research as a threat to cybersecurity and glosses over harmful effects to security research from an overbroad CFAA.”
Why the US Department of Defense spends $34 million annually on bug hunting programs
In 2016, the Pentagon launched its Vulnerability Disclosure Program. Last year, 4,013 vulnerability reports were submitted to the Pentagon, of which 2,836 were validated and sent to engineers for mitigation. This class of vulnerabilities was not previously found by automated network scanning software, red teams, cyber inspections, or configuration checks. The ability to call on white-hat and ethical hackers yielded clear benefits.
Want to learn more about the arguments in the CFAA case? Want to discover how to protect your organization from the legal fallout after a cyber breach? On September 15th, join Cyber Talk and special guest, Daniel Garrie, for an exciting webinar on cyber security and the law. Learn more and register now.
