Our policy work
Laws restricting computer access and use should carefully balance the need to combat cybercrime with the value of supporting security research, innovation, and other legitimate activity.
DMCA
The Digital Millennium Copyright Act (DMCA) can hinder good faith security research by restricting the ability to analyze software for vulnerabilities. We support changes to extend protections for security researchers without diminishing copyright.
- 11/14/21 - Rapid7 analysis on 2021 security researcher rules
- 07/16/21 - Ex Parte letter to Copyright Office on security researcher protection
- 06/23/21 - Rapid7 joins statement on DMCA lawsuits against security tools
- 07/13/18 - Rapid7 response to DOJ letter on DMCA security researcher exemption
- 12/18/17 - Joint comments to the Copyright Office in support of strengthening the DMCA security researcher exemption
- 06/28/17 - Copyright Office Calls for New Cybersecurity Researcher Protections
- 10/27/16 - Joint comments to Copyright Office on specific DMCA reforms to protect security researcher
- 03/15/16 - Rapid7, Bugcrowd, and HackerOne file pro-researcher comments on DMCA Sec. 1201
- 10/28/15 - New DMCA Exemption is a Positive Step for Security Researchers
CFAA
Independent security research is valuable for advancing cybersecurity, but the Computer Fraud and Abuse Act (CFAA) makes little distinction between beneficial research and malicious hacking. We support responsible CFAA reforms and clarifications to protect security researchers and internet users from overbroad liability.
- 06/04/21 - Proposed security researcher protection under CFAA
- 06/03/21 - Analysis of Supreme Court opinion narrowing CFAA
- 07/13/20 - Rapid7 joins CFAA brief to the Supreme Court
UK Computer Misuse Act
The UK's Computer Misuse Act (CMA) imperils the sharing of defensive security tools, provides no acknowledgement of the importance of good faith security research, and fails to define what constitutes authorization for access to systems. Rapid7 supports sensible reforms that clarify these issues and advance cybersecurity without creating opportunities for abuses.
- 06/08/21 - Rapid7 Position on the Computer Misuse Act 1990
- 06/07/21 - Home Office Call for Information Computer Misuse Act 1990
States
Rapid7 occasionally advises states on computer access laws to protect consumers and businesses while avoiding obstacles to research and innovation.
- 09/21/16 - Rapid7 Supports Researcher Protections in Michigan Vehicle Hacking Law
- 05/16/16 - Joint letter re Michigan vehicle hacking legislation
Hack Back
Authorizing private entities to take active measures in retaliation against hacking risks undermining cybersecurity and causing collateral damage.
- 06/17/21 - Rapid7 Position on Private Sector Hack Back
- 05/24/17 - Why Companies Shouldn’t Try to Hack Their Hackers
- 04/17/18 - Georgia Should Not Authorize "Hack Back"
Cybersecurity is a global effort that depends on the free flow of information across borders. Trade agreements and export controls should aim to boost security without imposing overbroad restrictions on global data flow.
International Trade
Modern day companies depend on reliable cybersecurity and global flow of information to succeed in the digital economy. Trade agreements and trade policy should reflect these priorities while preserving flexibility for future innovations.
- 03/24/20 - Vulnerability disclosure in trade agreements
- 12/10/18 - Rapid7 comments to US Trade Representative on cybersecurity in US-EU Trade Agreement
- 10/24/17 - Joint letter to US Trade Representative on security research protections and anti-circumvention provisions in NAFTA
- 08/09/17 - Joint letter to US Trade Representative on cybersecurity provisions in NAFTA
- 06/12/17 - Rapid7 comments to US Trade Representative on NAFTA renegotiation objectives
- 04/07/17 - Statement before US International Trade Commission hearing on global digital trade
Wassenaar Arrangement
The Wassenaar Arrangement - a 40-nation export control agreement - creates broad new export requirements on software. We believe export controls should be implemented in a manner that avoids unnecessary burdens on legitimate cybersecurity products.
- 06/12/15 - Rapid7 FAQ on the Wassenaar Arrangement
Organizations are increasingly expected to disclose, receive, and act on information about cybersecurity incidents and vulnerabilities. Rapid7 works to ensure these requirements are harmonized and flexible, and that they avoid creating new opportunities for cyberattacks.
Cyber Incident Reporting
Numerous regulations require organizations to report significant cybersecurity incidents and events to government agencies. While transparency is helpful, it is important that reporting requirements do not interfere with the incident response process or expose organizations to additional risk.
- 11/08/23 - Preparing for the Securities & Exchange Commission’s Cybersecurity Disclosure Rules
- 08/29/22 - Comments to SEC on proposed cyber incident reporting rule
- 08/26/22 - Summary and chart of major current and proposed cyber incident reporting regulations
- 08/23/22 - Rapid7 analysis of SEC’s proposed cyber incident reporting regulations
- 08/10/22 - Navigating the evolving patchwork of cyber incident reporting regulations
- 03/10/22 - Rapid7 analysis of Cyber Incident Reporting for Critical Infrastructure Act
Vulnerability Handling and Disclosure
Vulnerability disclosure and handling processes can help technology providers and operators quickly address vulnerabilities disclosed to them by external sources, such as researchers. Coordinated disclosure can also help protect security researchers by reducing the risk of conflict.
- 11/08/23 - Preparing for the Securities & Exchange Commission’s Cybersecurity Disclosure Rules
- 04/25/22 - Joint comments to NIST on coordinated disclosure standards and the NIST Cybersecurity Framework v2
- 01/19/18 - Joint Comments on NIST Cybersecurity Framework version 1.1.2
- 12/19/17 - NIST Cyber Framework Updated with Coordinated Vuln Disclosure Processes
- 04/19/17 - Rapid7 urges NIST and NTIA to promote coordinated disclosure processes
- 04/10/17 - Joint Comments on NIST Cybersecurity Framework
- 03/13/17 - Joint Comments on NTIA Internet of Things Green Paper
- 04/11/16 - NTIA Vulnerability Disclosure and Handling Surveys
Sensitive information and critical IT face serious challenges from ransomware, breaches, and other risks. As regulations emerge to strengthen cybersecurity, Rapid7 engages policymakers to ensure safeguards required by regulations are both effective and grounded in risk management.
Critical Infrastructure
Resilient critical infrastructure is key to global competitiveness and quality of life. Rapid7 supports ensuring that critical infrastructure has the resources and standards in place to protect against cybersecurity threats and operate effectively.
- 03/10/22 - Rapid7 analysis of Cyber Incident Reporting for Critical Infrastructure Act
- 06/01/21 - Analysis of Biden cybersecurity order impact on private companies
- 05/21/21 - Rapid7 calls for cybersecurity in infrastructure modernization
- 04/20/21 - Overview of the EU’s draft NIS 2 Directive
Ransomware
Combatting the ransomware pandemic will require effort on multiple fronts, including through government intervention. Rapid7 is active in the Ransomware Task Force and supports policy measures to enable adoption of security best practices, improve understanding of the threat, reduce opportunities for criminals to prosper, and improve opportunities for criminal prosecutions.
- 01/26/22 - How Ransomware is Changing US Federal Policy
- 05/24/22 - Revisiting the Ransomware Task Force report, one year on
- 07/26/21 - Decrypter FOMO No Mo’: Five Years of the No More Ransom Project
- 04/01/21 - Ransomware Task Force report: Combatting Ransomware
- 10/06/20 - Ransomware payments and OFAC sanctions
Personal Information Security
Security of consumers’ personal information is a matter of privacy, safety, and dignity. Rapid7 supports strong uniform rules on personal data security to provide consumers with consistent protection, and to provide enterprises with certainty.
IoT and Smart Products
Cybersecurity is critical to safety, privacy, and public trust as Internet of Things (IoT) devices and smart products are more widely deployed. In addition to leading research on IoT and connected products, Rapid7 engages policymakers in considering how best to secure these devices against accidental breach and intentional cyberattack.
- 09/17/20 - Analysis of IoT Cybersecurity Improvement Act
- 08/27/20 - Rapid7 on IoT cybersecurity regulation
- 04/30/19 - Rapid7 Congressional testimony on IoT Cybersecurity
- 07/18/17 - Communicating IoT Device Security Update Capability to Improve Transparency for Consumers (NTIA multistakeholder process)
- 11/28/16 - Rapid7 comments to the National Highway Traffic Safety Administration on cybersecurity best practices for connected vehicles
- 06/01/16 - Rapid7 comments to the Department of Commerce on cybersecurity and the Internet of Things
- 04/21/16 - Rapid7 comments to the Food & Drug Administration on post-market guidance of cybersecurity in medical devices
For the digital economy to continue supporting significant economic growth and innovation, it must be driven by broad participation, competition, and secure foundational technologies.
Patents
Abusive patent lawsuits hinder economic growth and innovation, diverting resources away from product development, job creation, and providing social value. Rapid7 supports legal reforms that deter frivolous patent claims while protecting inventors.
- 03/06/19 - Joint letter to Massachusetts General Court
Encryption
Commerce, government, and individual internet users rely on encryption for secure communications. Legal requirements to weaken encryption undermine cybersecurity, trust, innovation – and ultimately user security.
Net Neutrality
The principle of net neutrality has played an important role in providing users with equal access to digital content, empowering content creators of all sizes to compete on a more level playing field regardless of resources. Repealing net neutrality risks undercutting these opportunities and weakening full participation in the digital economy for small or independent content creators.
Meet the team

Sabeen Malik
Vice President of Global Government Affairs and Public Policy

Deral Heiland
Principal Security Researcher IoT
