
What the U.S. government’s security testing protections mean for enterprises

Yesterday, the U.S. Department of Justice (DOJ) released a new policy announcing that “good-faith security research” will no longer be charged under the Computer Fraud and Abuse Act (CFAA).

The new policy offers protection for entities conducting “good-faith testing,” which is the investigation or correction of security flaws or vulnerabilities carried out in a way that’s designed to avoid any harm to individuals or the public.

What are the implications of the CFAA for enterprises? 

This new approach to the CFAA means that security testers, network owners and administrators are legally protected when testing security systems, while the policy still criminalizes unauthorized access and those acting in “bad faith.”

“For well over a decade now, cybersecurity leaders have recognized the critical role of hackers as the internet’s immune system. We enthusiastically applaud the Department of Justice for codifying what we’ve long known to be true: good-faith security research is not a crime,” said Alex Rice, CTO at HackerOne. 

Under the revised policy, entities acting in bad faith cannot use the CFAA as an excuse if they are scanning an organization’s systems for vulnerabilities in an attempt to extort them. 

Giving the green light to vulnerability management

One of the key implications of this pivot is that the U.S. government is giving organizations the green light to engage in vulnerability management.  

The DOJ’s recognition of security testing has been welcomed by many commentators in the security community and will uplift the vulnerability management market, valued at $13.8 billion in 2021 and anticipated to reach a value of $18.7 billion by 2026. 

Former global network exploitation and vulnerability analyst Mike Wiacek, now CEO of Stairwell, explains that while the CFAA put security researchers at risk of serious legal liabilities in the past, that barrier is now removed.

“Well-intentioned researchers have always been at risk due to the overly broad interpretation of the CFAA,” Wiacek said. He also noted that the change “adds a veritable army of new resources to the collective power of the entire cybersecurity community.” 

In this sense, organizations now have a community of security testers they can work alongside without worrying about any legal complications. 

As Rice explains, the update “further establishes bug bounty and vulnerability disclosure as best practices for all organizations, so there’s one more reason for hackers to engage in good-faith research and one less reason for organizations to hesitate about launching a disclosure policy.” 

Looking at the bigger picture

It’s important to note that the timing of the policy change also coincides with the U.S. government’s efforts to secure the supply chain, with the Open Source Software Security Summit II taking place just a few weeks ago — an event that brought the White House, OpenSSF and the Linux Foundation together with an aim toward improving the security of open-source software.  

While it’s difficult to say that the CFAA policy change is directly related to Biden’s executive order on improving the nation’s cybersecurity a year ago, it is clear there is a broader federal movement to equip private enterprises with greater support in securing their environments against external threat actors. 

After all, vulnerability management is critical not just for enterprise security but for national security, preventing supply chain attacks from wreaking havoc on private enterprises and federal agencies alike.
