The veteran researcher and blogger Karvez has written about a significant shift in how American law enforcement treats security researchers. Karvez notes that the Department of Justice (DOJ) recently revised its charging policy for the Computer Fraud and Abuse Act (CFAA), which remains the primary statute under which federal prosecutors bring cybercrime cases.
Under the revised policy, prosecutors are directed not to charge security researchers who act in "good faith" when finding and reporting vulnerabilities. The change is internal charging guidance rather than an amendment to the statute: it narrows federal prosecutorial discretion, but it does not create a legal defense or bind state prosecutors or civil plaintiffs. But what does "good faith" mean in practice? According to Karvez, the answer can be borrowed from medical research.
Just as medical researchers studying kidneys and hearts must follow strict ethical guidelines and avoid harming human subjects, security researchers must exercise caution and restraint in their work. The goal of security research is to uncover vulnerabilities and improve security, but researchers must take care not to cause damage or disrupt services along the way.
Karvez notes that many security researchers are motivated by a desire for recognition and reward for their discoveries. That is understandable, but it can also push researchers past the boundaries of ethical behavior in their eagerness to prove a point. For example, a researcher who discovers a vulnerability in a website may, instead of simply notifying the site's administrators, decide to "download all the files on the server," as Karvez puts it. That behavior not only exposes the researcher to accusations of malicious hacking but also puts sensitive data at risk: proving that unauthorized access is possible does not require exercising that access to its fullest extent.
Karvez emphasizes that security researchers must exercise discretion and restraint. They should demonstrate their findings in a way that maximizes the benefit and minimizes the potential harm. Rushing to publish a discovery without fully considering the consequences is not only unethical but also counterproductive to the goal of improving security.
The DOJ's new guidelines are a positive step towards encouraging responsible security research, but Karvez notes that there is still work to be done. The culture of cybersecurity needs to shift away from punishing those who uncover vulnerabilities and towards rewarding responsible disclosure. This will not only help improve cybersecurity but also foster greater trust between security researchers, law enforcement agencies, and the public.
In conclusion, security researchers play a vital role in improving cybersecurity, but they must do so responsibly and ethically. By exercising discretion and restraint, researchers can help build a culture of responsible disclosure that benefits everyone.