Following a new policy announced last week by the Department of Justice, security researchers helping banks and other companies shore up their cyberdefenses now have greater leeway without fear of prosecution.
The Thursday announcement said that “good-faith security research” that otherwise violates the Computer Fraud and Abuse Act of 1986 “should not be charged.” The announcement puts into writing a policy the department already follows, according to officials and former staff.
Legal and cybersecurity experts said the shift will create a safer environment for public security researchers, who spend their days searching in good faith for security flaws and vulnerabilities. Experts also said banks and lawmakers must implement their own policies and programs to fully exploit legal protections for security research.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in the press release announcing the change. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Public cybersecurity researchers, rather than hired ones, are the most likely to benefit from this unofficial stance becoming official policy. In contrast to hired researchers, public researchers hunt for security flaws and conduct research on their own and then approach the impacted company with their findings afterward, according to Aaron Charfoos, partner in the litigation department at the law firm Paul Hastings.
The two kinds of security researchers share a common bond of acting in good faith, but hired researchers typically have more protections because they are “invited in” by the hiring company, according to Charfoos. The new guidance from the DOJ could change that.
Public security researchers “may now feel more freedom to investigate a broader range of systems, particularly in more regulated industries that are closely aligned with the federal government and regulators to begin with,” Charfoos said.
The guidance appears…