November 1, 2016 By Douglas Bonderud 2 min read

Companies have a vested interest when it comes to ferreting out IT problems before cybercriminals manage to launch attacks in the wild. The recent Mirai infections are proof positive that compromised Internet of Things (IoT) devices paved the way for serious consequences.

But it’s not always so easy. Beyond the efforts of malicious actors to strike in unexpected places at unforeseen moments, there’s also the problem of legislation. Most notably, the Digital Millennium Copyright Act (DMCA) has effectively handicapped white-hat hackers by making it illegal to circumvent obfuscated code or reverse engineer devices to discover security vulnerabilities.

New DMCA exemptions, however, may enable increased white-hat activity with significantly lower chances of getting blacklisted.

In Good Faith

As noted by Infosecurity Magazine, the new exemption, authorized just last week, allows much greater freedom for white-hat hackers. As long as they stay within the bounds of the Computer Fraud and Abuse Act (CFAA), they’re no longer in danger of legal challenges. There are a number of stipulations, however.

For example, security researchers must lawfully acquire any technology or programming they plan to test. In addition, their actions must be “solely for the purpose of good-faith security research.” Part of this requirement necessitates a controlled setting designed to avoid public harm if vulnerabilities are uncovered. Any research must begin after Oct. 28, 2016.

A Temporary Fix

While this is welcome news for white-hat firms and private security researchers, it’s worth noting that, for the moment, this is only a two-year exception. If policymakers can’t agree on a long-term solution, the DCMA will revert to its original form in 2018.

Critics of the status quo, such as the Electronic Frontier Foundation (EFF), argued that even these exemptions were too long. Many private companies claimed that any white-hat activity would naturally open the door to more malicious efforts.

Closing the Gap

Expect the removal of current DMCA prohibitions to produce some interesting feedback, especially when it comes to IoT.

According to Autoblog, one industry ripe for better security controls is vehicle manufacturing. Researchers have already demonstrated the ability to take control of cars, both moving and at rest, but many automakers have leaned heavily on potential DMCA-based litigation against white-hat hackers for cracking their code rather than designing better security measures in the first place.

Ideally, the two-year window will give researchers the time they need to showcase some of the most critical flaws plaguing IoT devices, in turn prompting better security from manufacturers.

DMCA Exemptions Not a Cure-All

But white hats aren’t a cure-all. As noted by Motherboard, some IT pros have suggested that in the wake of widespread Mirai attacks, an army of good guys could launch its own version of an IoT take to wrest control from cybercriminals and then deploy a kind of security-enhancing virus.

Sound far fetched? It is. It would have been illegal under old DMCA rules — now it’s just a bad idea.

It’s also a word of warning: Just because white-hat hackers can do something doesn’t mean they should. New, more flexible digital legislation offers a viable way to limit malicious attacks, but it’s important to strike balance between not doing enough and doing way, way too much.

The DMCA was never intended to cover the current IT landscape and has historically handicapped white-hat hackers. New DMCA exemptions are a step in the right direction, but they only go so far. Informed, adaptable legislation is the next step forward.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today