What US Government Security Tests Mean for Enterprises

Yesterday, the United States Department of Justice (DOJ) released a new charging policy stating that “good faith security research” will no longer be prosecuted under the Computer Fraud and Abuse Act (CFAA).

The new policy protects those who engage in good-faith testing: accessing a computer solely to test, investigate or correct a security flaw or vulnerability, carried out in a manner designed to avoid harm to individuals or the public.

What are the consequences of the CFAA for companies?

This new DOJ policy under the CFAA means that security testers, network owners and administrators are protected from federal prosecution when testing security systems, while unauthorized access and those who act in bad faith remain subject to charges.

“For more than a decade, cybersecurity leaders have recognized the critical role of hackers as the internet’s immune system. We enthusiastically applaud the Department of Justice for codifying what we have long known to be true: Good faith security investigations are not a crime,” said Alex Rice, CTO at HackerOne.

The revised policy also makes clear that the good-faith carve-out does not cover actors who scan an organization’s systems for vulnerabilities in order to extort it; that conduct is not good-faith research and can still be charged under the CFAA.

Green light for vulnerability management

One of the main implications of this pivot is that the US government is giving organizations the green light to work with outside researchers on vulnerability management.

The DOJ’s recognition of security testing has been welcomed by many commentators in the security community and is expected to benefit the vulnerability management market, valued at $13.8 billion in 2021 and projected to be worth $18.7 billion by 2026.

Mike Wiacek, a former Global Network Exploitation and Vulnerability Analyst and now CEO of Stairwell, explains that while the CFAA has exposed security researchers to serious legal liability in the past, that barrier has now been lowered.

“Well-meaning researchers have always been at risk because of the too broad interpretation of the CFAA,” Wiacek said. He also noted that the change “adds a veritable army of new resources to the collective strength of the entire cybersecurity community.”

In that sense, organizations now have a community of security testers they can collaborate with, with much less fear of federal criminal liability. One caveat practitioners should keep in mind: the change is DOJ charging guidance, not an amendment to the statute, so it does not bind state prosecutors or foreclose civil claims under the CFAA, and a written authorization or published disclosure policy remains the safest footing for both sides.

As Rice explains, the update further establishes “bug bounty and vulnerability disclosure as best practices for all organizations, so there’s one more reason for hackers to investigate in good faith and one less reason for organizations to hesitate about launching a disclosure policy.”

Looking at the bigger picture

It’s important to note that the timing of the policy change coincides with the US government’s efforts to secure the software supply chain: the Open Source Software Security Summit II took place just a few weeks ago, an event convened by the White House together with the OpenSSF and the Linux Foundation with the goal of improving the security of open source software.

While it’s hard to say that the DOJ’s CFAA policy change is directly tied to President Biden’s executive order on improving the nation’s cybersecurity a year ago, it is clear that there is a broader federal move to give private enterprises more support in securing their environments against external threat actors.

After all, vulnerability management is critical not only for corporate security but also for national security, since it helps prevent supply chain attacks from harming both private companies and federal agencies.
