An exemption to the Digital Millennium Copyright Act (DMCA) will go into effect this weekend, allowing white hat hackers to legally test the security of consumer-facing products in order to alert the companies that make them to potential bugs in their software.
“This weekend, a security researcher will be able to circumvent a technological security measure […] if it’s done solely for the purpose of security testing,” said Harley Geiger, director of public policy at Rapid7.
Members of government see this as a positive step toward improving Internet of Things cybersecurity practices and toward better relations between industry and hackers.
“We’re really talking about something that is going to be for the betterment and the security of these devices,” said Suzanne Schwartz, director of emergency preparedness and medical countermeasures at the Food and Drug Administration.
“Coordinated disclosure forms a really nice stopgap measure,” said Jessica Wilkerson, oversight associate for the House Committee on Energy and Commerce. She added that it would be beneficial for all to strengthen ties between the manufacturer and hacker communities. “If you combine your power for good, you actually have a much better chance of solving these problems.”
Members of the Department of Justice have also recently been trying to improve trust between white hat hackers and the organizations whose systems they test, chiefly by ensuring that researchers acting in good faith are not prosecuted for their work.
“The problem is that they don’t know where to go,” said Leonard Bailey, special counsel for national security, computer crime, and intellectual property at the Department of Justice. His office has tried to bring hackers into its conferences to better understand what the hacker community is experiencing in this space.
Government, too, has benefited from “bug bounties,” programs that invite outside researchers to find vulnerabilities in its code; the most notable of these was the “Hack the Pentagon” initiative.
“I think it really surprised everyone […] at how well it really worked,” said Charley Snyder, senior cyber policy adviser for the Department of Defense. “It’s really hard to make sure we have the eyeballs on all those applications that they really deserve.”
Though many parts of the government are looking forward to the security improvements that will likely come from the DMCA exemption, some members of industry and government are concerned that the exemption may cause a flood of security notifications that is too much to handle at once.
“In terms of how to prepare for the flood, it’s really difficult,” said Snyder. “People submitting vulnerabilities to us, even if they are in a flood, means that they trust us.”
Schwartz suggested that those receiving security notifications should handle them in a triage-style process, addressing the most dangerous and pressing vulnerabilities first and reserving the others for when they have time to address them.
Some are also concerned that hackers’ motives may not be entirely altruistic and that they may choose to expose product vulnerabilities in less than ethical ways.
“The one thing I think we struggle with is whether there are communitywide standards for hackers,” said Bailey.
“I think that we should be prepared for a mix of good and bad,” Geiger said.