Companies have a vested interest when it comes to ferreting out IT problems before cybercriminals manage to launch attacks in the wild. The recent Mirai infections are proof positive that compromised Internet of Things (IoT) devices paved the way for serious consequences.
But it’s not always so easy. Beyond the efforts of malicious actors to strike in unexpected places at unforeseen moments, there’s also the problem of legislation. Most notably, the Digital Millennium Copyright Act (DMCA) has effectively handicapped white-hat hackers by making it illegal to circumvent obfuscated code or reverse engineer devices to discover security vulnerabilities.
New DMCA exemptions, however, may enable increased white-hat activity with significantly lower chances of getting blacklisted.
In Good Faith
As noted by Infosecurity Magazine, the new exemption, authorized just last week, allows much greater freedom for white-hat hackers. As long as they stay within the bounds of the Computer Fraud and Abuse Act (CFAA), they’re no longer in danger of legal challenges. There are a number of stipulations, however.
For example, security researchers must lawfully acquire any technology or programming they plan to test. In addition, their actions must be “solely for the purpose of good-faith security research.” Part of this requirement necessitates a controlled setting designed to avoid public harm if vulnerabilities are uncovered. Any research must begin after Oct. 28, 2016.
A Temporary Fix
While this is welcome news for white-hat firms and private security researchers, it’s worth noting that, for the moment, this is only a two-year exception. If policymakers can’t agree on a long-term solution, the DCMA will revert to its original form in 2018.
Critics of the status quo, such as the Electronic Frontier Foundation (EFF), argued that even these exemptions were too long. Many private companies claimed that any white-hat activity would naturally open the door to more malicious efforts.
Closing the Gap
Expect the removal of current DMCA prohibitions to produce some interesting feedback, especially when it comes to IoT.
According to Autoblog, one industry ripe for better security controls is vehicle manufacturing. Researchers have already demonstrated the ability to take control of cars, both moving and at rest, but many automakers have leaned heavily on potential DMCA-based litigation against white-hat hackers for cracking their code rather than designing better security measures in the first place.
Ideally, the two-year window will give researchers the time they need to showcase some of the most critical flaws plaguing IoT devices, in turn prompting better security from manufacturers.
DMCA Exemptions Not a Cure-All
But white hats aren’t a cure-all. As noted by Motherboard, some IT pros have suggested that in the wake of widespread Mirai attacks, an army of good guys could launch its own version of an IoT take to wrest control from cybercriminals and then deploy a kind of security-enhancing virus.
Sound far fetched? It is. It would have been illegal under old DMCA rules — now it’s just a bad idea.
It’s also a word of warning: Just because white-hat hackers can do something doesn’t mean they should. New, more flexible digital legislation offers a viable way to limit malicious attacks, but it’s important to strike balance between not doing enough and doing way, way too much.
The DMCA was never intended to cover the current IT landscape and has historically handicapped white-hat hackers. New DMCA exemptions are a step in the right direction, but they only go so far. Informed, adaptable legislation is the next step forward.