Proposed Changes to the Computer Fraud and Abuse Act, Austin Powers, and You
Many security professionals, hackers, lawyers, law enforcement, and members of the media are keenly interested in the White House's proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), some of the proposed changes that represent the biggest concerns center around expanded language that pose an increased risk to performing many vulnerability research and security testing activities, and even reporting on breaches.
I share many of the concerns expressed by the security community, and have devoted much of my career to helping to foster mutual cooperation between hackers and organizations with something worth hacking. I've worked on ISO standards to define best practices around vulnerability disclosure and vulnerability handling processes. It's important to remind ourselves of ways that security researchers and organizations can work together if they are interested in helping make the Internet safer. As users of the Internet, we all benefit when those who are ultimately on the same side feel empowered to work together.
Even before these new proposals, the CFAA has had a long-standing chilling effect on security research, particularly affecting online services. The risk to many well-meaning hackers was often too great to report vulnerabilities they found to organizations, because they didn't know whether they would be met with genuine gratitude, grudging acceptance, a cease and desist, or law enforcement kicking in their door.
Criminals will not file a vulnerability report with you, I often explain to wary security teams. In the real world, we lack Austin Powers' good fortune and are never granted a grand Dr. Evil monologue outlining impending crimes. The hackers who come forward to tell you about a vulnerability are here to help, and it's worth it to get to the Acceptance Stage of the 5 stages of Vulnerability Response Grief as soon as possible.
It is more important than ever for companies who take security seriously to define their security response to welcome and encourage the hacker community to come forward to report security vulnerabilities. Security researchers who take the time to find and report security vulnerabilities should respect an organization's testing guidelines, use test accounts whenever possible to avoid violating other users' privacy, and overall strive to do no harm. We outline further best practices in our Vulnerability Disclosure Guidelines.
Hackers who want to help secure the Internet are everywhere, and they could be an early warning system if organizations are willing to listen. The CFAA has been around for a long time, and regardless of the proposed changes, it's time we worked towards a safe and healthy way for friendly hackers to communicate vulnerability information to affected vendors. That means organizations should make it easier for hackers to come forward to report their findings, and we can all leave the Dr. Evil villainy to Hollywood.
Katie Moussouris, Chief Policy Officer