In matters of cybersecurity law, ethical hackers (or “white-hat hackers”) sometimes hit upon gray areas. In finding and exposing cybersecurity flaws that could have led to expensive breaches, these researchers are constantly weighing the risk that they may face legal action. In fact, in the past months, several such activities have, indeed, resulted in court cases and lawsuits: seemingly unjust outcomes for work that could save companies from extensive monetary damage.
A significant part of the issue is that cybersecurity laws can trail badly behind the times, failing to support legitimate pentesting activities and instead treating them as acts of cybercrime or, in some cases, defamatory acts. In fact, a key piece of legislation in the field, the Computer Fraud and Abuse Act (CFAA), was penned in the 1980s, when computing and the threat landscape looked vastly different. Ethical hackers regularly cite this act as a source of frustration and an obstacle to doing their work.
A recent study from the Center for Democracy and Technology (CDT) set out to scope the legal issues threatening security researchers, hoping to offer a plan to support the discipline. After conducting interviews with prominent security professionals, CDT determined that a “risk-based” framework for ethical hacking activities could make a meaningful positive impact on the practice. Essentially, by giving pentesters and researchers an idea of the potential legal consequences of different actions, the group hopes to aid the decision-making process behind reporting vulnerabilities. This, in turn, should encourage more frequent reports.
Recently, about 50 established members of the pentesting community signed an open letter urging lawmakers to support them in their important work. Hopefully, this and other acts of advocacy will begin to take root and displace the current obstacles to security research.
However, until legal threats become substantially less burdensome, ethical hackers need guidance to navigate the minefield of cybersecurity law. In addition to CDT’s proposed “risk-based” framework, researchers should seek ongoing education from experienced professionals who understand these challenges.
Lunarline offers best-in-class pentesting education through our School of Cybersecurity, and we can help you understand the risks of the trade. For more information, contact us online today.