November 1, 2016 By Douglas Bonderud 2 min read

Companies have a vested interest when it comes to ferreting out IT problems before cybercriminals manage to launch attacks in the wild. The recent Mirai infections are proof positive that compromised Internet of Things (IoT) devices paved the way for serious consequences.

But it’s not always so easy. Beyond the efforts of malicious actors to strike in unexpected places at unforeseen moments, there’s also the problem of legislation. Most notably, the Digital Millennium Copyright Act (DMCA) has effectively handicapped white-hat hackers by making it illegal to circumvent obfuscated code or reverse engineer devices to discover security vulnerabilities.

New DMCA exemptions, however, may enable increased white-hat activity with significantly lower chances of getting blacklisted.

In Good Faith

As noted by Infosecurity Magazine, the new exemption, authorized just last week, allows much greater freedom for white-hat hackers. As long as they stay within the bounds of the Computer Fraud and Abuse Act (CFAA), they’re no longer in danger of legal challenges. There are a number of stipulations, however.

For example, security researchers must lawfully acquire any technology or programming they plan to test. In addition, their actions must be “solely for the purpose of good-faith security research.” Part of this requirement necessitates a controlled setting designed to avoid public harm if vulnerabilities are uncovered. Any research must begin after Oct. 28, 2016.

A Temporary Fix

While this is welcome news for white-hat firms and private security researchers, it’s worth noting that, for the moment, this is only a two-year exception. If policymakers can’t agree on a long-term solution, the DCMA will revert to its original form in 2018.

Critics of the status quo, such as the Electronic Frontier Foundation (EFF), argued that even these exemptions were too long. Many private companies claimed that any white-hat activity would naturally open the door to more malicious efforts.

Closing the Gap

Expect the removal of current DMCA prohibitions to produce some interesting feedback, especially when it comes to IoT.

According to Autoblog, one industry ripe for better security controls is vehicle manufacturing. Researchers have already demonstrated the ability to take control of cars, both moving and at rest, but many automakers have leaned heavily on potential DMCA-based litigation against white-hat hackers for cracking their code rather than designing better security measures in the first place.

Ideally, the two-year window will give researchers the time they need to showcase some of the most critical flaws plaguing IoT devices, in turn prompting better security from manufacturers.

DMCA Exemptions Not a Cure-All

But white hats aren’t a cure-all. As noted by Motherboard, some IT pros have suggested that in the wake of widespread Mirai attacks, an army of good guys could launch its own version of an IoT take to wrest control from cybercriminals and then deploy a kind of security-enhancing virus.

Sound far fetched? It is. It would have been illegal under old DMCA rules — now it’s just a bad idea.

It’s also a word of warning: Just because white-hat hackers can do something doesn’t mean they should. New, more flexible digital legislation offers a viable way to limit malicious attacks, but it’s important to strike balance between not doing enough and doing way, way too much.

The DMCA was never intended to cover the current IT landscape and has historically handicapped white-hat hackers. New DMCA exemptions are a step in the right direction, but they only go so far. Informed, adaptable legislation is the next step forward.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today