What the US government’s “good-faith” security testing protections mean for enterprises


Yesterday, the US Department of Justice (DOJ) released a new policy announcing that “good-faith security research” will no longer be charged under the Computer Fraud and Abuse Act (CFAA).

The new policy offers protection for entities conducting “good-faith testing,” defined as the investigation or correction of security flaws or vulnerabilities, carried out in a way designed to avoid any harm to individuals or the public.

What are the implications of the CFAA for enterprises? 

For enterprises, this new approach to the CFAA means that security testers, network owners, and administrators are legally protected when testing security systems, while unauthorized access and conduct in “bad faith” remain criminal.

“For well over a decade now cybersecurity leaders have recognised the critical role of hackers as the internet’s immune system. We enthusiastically applaud the Department of Justice for codifying what we’ve long known to be true: good faith security research is not a crime,” said HackerOne CTO Alex Rice.

Under the revised policy, entities acting in bad faith can’t invoke the good-faith research exemption as a defense under the CFAA if they are scanning an organization’s systems for vulnerabilities in an attempt to extort it.

Giving the green light to vulnerability management

One of the key implications of this pivot is that the US government is giving organizations the green light to engage in vulnerability management.

The DOJ’s recognition of security testing has been welcomed by many commentators in the security community and will uplift the vulnerability management market, valued at $13.8 billion in 2021 and anticipated to reach a value of $18.7 billion by 2026. 

Mike Wiacek, a former global network exploitation and vulnerability analyst and now CEO of Stairwell, explains that while the CFAA exposed security researchers to serious legal liability in the past, that barrier is now removed.

“Well-intentioned researchers have always been at risk due to the overly broad interpretation of the CFAA,” Wiacek said. He also noted that the change “adds a veritable army of new resources to the collective power of the entire cybersecurity community.” 

In this sense, organizations now have a community of security testers they can work alongside without worrying about any legal complications. 

As Rice explains, the update “further establishes bug bounty and vulnerability disclosure as best practices for all organizations, so there’s one more reason for hackers to engage in good-faith research and one less reason for organizations to hesitate about launching a disclosure policy.” 

Looking at the bigger picture 

It’s important to note that the timing of the policy change also coincides with the US government’s efforts to secure the software supply chain: the Open Source Software Security Summit II took place just a few weeks ago, bringing together the White House, OpenSSF, and the Linux Foundation to improve the security of open source software.

While it’s difficult to say that the CFAA policy change is directly related to Biden’s executive order on improving the nation’s cybersecurity a year ago, it’s clear there is a broader federal movement to equip private enterprises with greater support in securing their environments against external threat actors. 

After all, vulnerability management is critical not just for enterprise security but for national security, preventing supply chain attacks from wreaking havoc on private enterprises and federal agencies alike.

Originally appeared on: TheSpuzz