What the U.S. government’s security testing protections mean for enterprises



Yesterday, the US Department of Justice (DOJ) announced a new policy that “Good-Faith Security Research” will no longer be charged under the Computer Fraud and Abuse Act (CFAA).

The new policy protects “good-faith testing”: accessing a system to investigate or correct security flaws or vulnerabilities, carried out in a manner designed to avoid any harm to individuals or the public.

What are the implications of CFAA for ventures?

This new approach to the CFAA means that security testers, network owners and administrators are on firmer legal ground when testing security systems, while those who access systems without authorization and in “bad faith” can still be prosecuted.

“For more than a decade now, cyber security leaders have recognized the crucial role of hackers as the immune system of the Internet. We strongly applaud the Department of Justice for codifying what we have long known to be true,” said Alex Rice, CTO at HackerOne.

Under the revised policy, actors operating in bad faith will not be able to invoke the good-faith exemption if they scan an organization’s systems for vulnerabilities in an attempt to mislead it.

Giving the green light to vulnerability management

One of the main implications of this pivot is that the US government is giving organizations the green light to engage in vulnerability management.

The DOJ’s recognition of security testing has been welcomed by many voices in the security community and is likely to stimulate the vulnerability management market, which was valued at $13.8 billion in 2021 and is expected to reach $18.7 billion by 2026.

Mike Wiacek, a former global network exploitation and vulnerability analyst who is now the CEO of Stairwell, explains that the barrier created by the CFAA, which in the past put security researchers at risk of serious legal liability, has now been removed.

“Well-intentioned researchers have always been at risk because of the CFAA’s overly comprehensive interpretation,” Wiacek said. He also noted that the change “adds a real army of new resources to the collective power of the entire cyber security community.”

In this sense, organizations now have a community of security testers they can work with without worrying about legal complications for the researchers involved.

As Rice explains, the update “establishes bug bounty and vulnerability advertising as best practice for all organizations, so there is one more reason for hackers to engage in goodwill research and one less reason for organizations to hesitate to launch a disclosure policy.”

Looking at the bigger picture

It is important to note that the timing of the policy change coincides with the US government’s wider efforts to secure the supply chain.

While it is difficult to say whether the change in CFAA policy is directly related to President Biden’s executive order on improving the nation’s cyber security a year ago, it is clear that there is a broader federal movement in the same direction.

After all, vulnerability management matters not only for enterprise security but also for national security, since it helps prevent supply chain attacks that affect private enterprises and federal agencies alike.
