DoJ: White Hat Hackers Will No Longer Face Prosecution
Friday, May 20, 2022
The announcement has been welcomed by the ethical hacking and cybersecurity research community. The CFAA statute, enacted in 1986, prohibits accessing a computer without authorization or in excess of the authorization given. It has been criticized for being broad and ambiguous in what constitutes authorized access to a protected computer or what it means to exceed that authorization.
Reacting to the news, Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, praised the DoJ’s move: “This is a historical moment for many security researchers whose voices were silenced by vendors and organizations threatening to file criminal complaints for CFAA violation. The decision will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now start handling critical data.”
However, he believes the policy could initially be exploited by malicious actors. “On the other side, the DoJ may unwittingly open a Pandora’s box: the definition of “good faith” could vary broadly among security researchers. Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad, albeit sincere, interpretation of good faith, or let creative cyber-criminals off the hook. We should wait for a couple of years to monitor the evolution of the CFAA enforcement,” added Kolochenko.