November 1, 2016 By Douglas Bonderud 2 min read

Companies have a vested interest when it comes to ferreting out IT problems before cybercriminals manage to launch attacks in the wild. The recent Mirai infections are proof positive that compromised Internet of Things (IoT) devices paved the way for serious consequences.

But it’s not always so easy. Beyond the efforts of malicious actors to strike in unexpected places at unforeseen moments, there’s also the problem of legislation. Most notably, the Digital Millennium Copyright Act (DMCA) has effectively handicapped white-hat hackers by making it illegal to circumvent obfuscated code or reverse engineer devices to discover security vulnerabilities.

New DMCA exemptions, however, may enable increased white-hat activity with significantly lower chances of getting blacklisted.

In Good Faith

As noted by Infosecurity Magazine, the new exemption, authorized just last week, allows much greater freedom for white-hat hackers. As long as they stay within the bounds of the Computer Fraud and Abuse Act (CFAA), they’re no longer in danger of legal challenges. There are a number of stipulations, however.

For example, security researchers must lawfully acquire any technology or programming they plan to test. In addition, their actions must be “solely for the purpose of good-faith security research.” Part of this requirement necessitates a controlled setting designed to avoid public harm if vulnerabilities are uncovered. Any research must begin after Oct. 28, 2016.

A Temporary Fix

While this is welcome news for white-hat firms and private security researchers, it’s worth noting that, for the moment, this is only a two-year exception. If policymakers can’t agree on a long-term solution, the DCMA will revert to its original form in 2018.

Critics of the status quo, such as the Electronic Frontier Foundation (EFF), argued that even these exemptions were too long. Many private companies claimed that any white-hat activity would naturally open the door to more malicious efforts.

Closing the Gap

Expect the removal of current DMCA prohibitions to produce some interesting feedback, especially when it comes to IoT.

According to Autoblog, one industry ripe for better security controls is vehicle manufacturing. Researchers have already demonstrated the ability to take control of cars, both moving and at rest, but many automakers have leaned heavily on potential DMCA-based litigation against white-hat hackers for cracking their code rather than designing better security measures in the first place.

Ideally, the two-year window will give researchers the time they need to showcase some of the most critical flaws plaguing IoT devices, in turn prompting better security from manufacturers.

DMCA Exemptions Not a Cure-All

But white hats aren’t a cure-all. As noted by Motherboard, some IT pros have suggested that in the wake of widespread Mirai attacks, an army of good guys could launch its own version of an IoT take to wrest control from cybercriminals and then deploy a kind of security-enhancing virus.

Sound far fetched? It is. It would have been illegal under old DMCA rules — now it’s just a bad idea.

It’s also a word of warning: Just because white-hat hackers can do something doesn’t mean they should. New, more flexible digital legislation offers a viable way to limit malicious attacks, but it’s important to strike balance between not doing enough and doing way, way too much.

The DMCA was never intended to cover the current IT landscape and has historically handicapped white-hat hackers. New DMCA exemptions are a step in the right direction, but they only go so far. Informed, adaptable legislation is the next step forward.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today