New Rule Takes Handcuffs Off Ethical Hackers

A new rule takes taking effect today expanding protections for white hat hackers—security researchers who disclose the software vulnerabilities they uncover to manufacturers or to the public rather than exploiting them.

Advocates say the change will lead to more ethical hackers finding dangerous flaws in the software underlying cars, medical devices and other connected products before the bad guys find them.

In 2011, for example, researcher Jay Radcliffe demonstrated how he could hack his own insulin pump to force it to deliver a fatal dosage. Last year, researchers Charlie Miller and Chris Valasek remotely disabled the brakes of a Jeep Cherokee by worming in through a connected entertainment system.  

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Critics of the new rule say the flaws uncovered by white hat hackers could fall into the wrong hands, that the change will undermine copyright protections and that companies are capable of testing for security flaws themselves.

Some of those concerns are shared by regulators at the Transportation Department and the Food and Drug Administration, according to the rule from the Copyright Office, which was issued last year but takes effect today.  

The rule is a temporary exemption to the 1998 Digital Millennium Copyright Act, which expanded copyright protections for software and related products. Under Section 1201 of the DMCA, manufacturers can challenge people who undermine “technological protection measures” designed to prevent people from copying or altering software and products such as CDs and DVDs.

The rule, which will last through 2018, exempts researchers who break past those defenses on consumer devices so long as they do it “solely for the purpose of good-faith security research,” do it in a controlled environment that doesn’t put anyone in danger and don’t violate any other laws.

The rule includes specific exemptions for hacking into cars and certain medical devices. It would not apply to industrial systems such as nuclear power plants and air traffic control systems.

The shift is particularly important now when software is creeping into ever-more devices, said Kit Walsh, a staff attorney with the Electronic Frontier Foundation.

“There’s a very strong market push for vendors and internet of things companies to create cool, new connected features and market those, but without independent security researchers there’s not as much of a countervailing push to make sure they do it right,” she said. “Time and again, we’ve seen home automation systems, vehicles and medical systems deployed without being adequately secured.”

EFF filed a lawsuit against the Copyright Office in July seeking to invalidate parts of Section 1201. It’s one of several digital rights organizations urging major revisions to the section as part of a Copyright Office study.

Among the revisions researchers are seeking is that the Copyright Office will give the temporary exception a presumption of renewal so it will be easier get it renewed during the next triennial review in 2018, said Harley Geiger, director of Public Policy at Rapid7, a security research firm.

An added benefit of the change might be that more companies embrace independent researchers, Geiger said, either by creating standard procedures for them to share vulnerabilities they discover or by creating incentive programs known as “bug bounties” to encourage researchers to vet their systems.

“The entire goal of this research should be to improve cybersecurity for consumers and devices in general,” he said. “There are just too many devices, the software is just too complex to reasonably expect manufacturers’ internal teams to catch every vulnerability. Independent researchers can help find those gaps and plug them.”