Posts tagged Legal

4 min Public Policy

Expanded Protections for Security Researchers Under DMCA Sec. 1201

The Library of Congress announced that it would renew and expand legal protections for security testing under Section 1201 of the Digital Millennium Copyright Act (DMCA).

6 min Public Policy

Prioritizing the Fundamentals of Coordinated Vulnerability Disclosure

In this post, we aim to distinguish between three broad flavors of CVD processes based on authorization, incentives, and resources required. We also urge wider adoption of foundational processes before moving to more advanced and resource-intensive processes.

6 min Public Policy

Updating Data Security Laws - A Starting Point

A baseline requirement for commercial data security is often part of discussions on privacy and breach notification regulations. This issue deserves close attention to ensure any security regulation is both effective at protecting users while staying flexible enough to be practicable.

3 min Public Policy

Georgia should not authorize "hack back"

[Update 05/09/18: Georgia Governor Deal vetoed SB 315. In a thoughtful veto statement [https://gov.georgia.gov/press-releases/2018-05-08/deal-issues-2018-veto-statements] , the Governor noted that the legislation raised "concerns regarding national security implications and other potential ramifications," and that "SB 315 may inadvertently hinder the ability of government and private industries" to protect against breaches. The statement expressed interest in working with the cybersecurity and l

2 min Public Policy

Welcome transparency on US government's process for disclosing vulnerabilities

The White House recently released details on the US government's process for disclosing - or retaining - zero-day vulnerabilities. The new VEP charter provides answers to several key questions, but it remains to be seen how it will operate in practice.

3 min Breach Preparedness

The Legal Perspective of a Data Breach

The following is a guest post by Christopher Hart, an attorney at Foley Hoag and a member of Foley Hoag’s cybersecurity incident response team. This is not meant to constitute legal advice; instead, Chris offers helpful guidance for building an incident preparation and breach response framework in your own organization. A data breach is a business crisis that requires both a quick and a careful response. From my perspective as a lawyer, I want to provide the best advice and assistance I possibl

4 min Public Policy

Cybersecurity for NAFTA

When the North American Free Trade Agreement (NAFTA) was originally negotiated, cybersecurity was not a central focus. NAFTA came into force – removing obstacles to commercial trade activity between the US, Canada, and Mexico – in 1994, well before most digital services existed. Today, cybersecurity is a major economic force – itself a large industry and important source of jobs, as well as an enabler of broader economic health by reducing risk and uncertainty for businesses. Going forward, cybe

5 min Public Policy

Copyright Office Calls For New Cybersecurity Researcher Protections

On Jun. 22, the US Copyright Office released [https://www.copyright.gov/policy/1201/section-1201-full-report.pdf] its long-awaited study on Sec. 1201 of the Digital Millennium Copyright Act (DMCA), and it has important implications for independent cybersecurity researchers. Mostly the news is very positive. Rapid7 advocated extensively for researcher protections to be built into this report, submitting two sets of detailed comments—see here [/2016/03/15/rapid7-bugcrowd-and-hackerone-file-pro-res

2 min Public Policy

Legislation to Strengthen IoT Marketplace Transparency

Senator Ed Markey (D-MA) is poised to introduce legislation to develop a voluntary cybersecurity standards program for the Internet of Things (IoT). The legislation, called the Cyber Shield Act, would enable IoT products that comply with the standards to display a label indicating a strong level of security to consumers – like an Energy Star rating for IoT. Rapid7 supports this legislation and believes greater transparency in the marketplace will enhance cybersecurity and protect consumers. The

4 min Public Policy

Rapid7 issues comments on NAFTA renegotiation

In April 2017, President Trump issued an executive order [https://www.whitehouse.gov/the-press-office/2017/05/01/presidential-executive-order-addressing-trade-agreement-violations-and] directing a review of all trade agreements. This process is now underway: The United States Trade Representative (USTR) – the nation's lead trade agreement negotiator – formally requested [https://www.regulations.gov/docket?D=USTR-2017-0006] public input on objectives for the renegotiation of the North American F

4 min Public Policy

White House Cybersecurity Executive Order Summary

Yesterday President Trump issued an Executive Order on cybersecurity: “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” [https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal] The Executive Order (EO) appears broadly positive and well thought out, though it is just the beginning of a long process and not a sea change in itself. The EO directs agencies to come up with plans for securing and modern

4 min Public Policy

12 Days of HaXmas: Year-End Policy Comment Roundup

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas] with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. On the seventh day of Haxmas, the Cyber gave to me: a list of seven Rapid7 comments to government policy proposals! Oh, tis a magical season. It was an active 2016 for Rapid7's polic

4 min Research

NCSAM: The Danger of Criminalizing Curiosity

This is a guest post from Kurt Opsahl [https://twitter.com/kurtopsahl], Deputy Executive Director and General Counsel of the Electronic Frontier Foundation [https://twitter.com/EFF]. October is National Cyber Security Awareness month and Rapid7 is taking this time to celebrate security research. This year, NCSAM coincides with new legal protections for security research under the DMCA [/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers] and the 30th anniversary of the

4 min Public Policy

National Cybersecurity Awareness Month 2016 - This one's for the researchers

October was my favorite month even before I learned it is also National Cybersecurity Awareness Month [https://www.dhs.gov/national-cyber-security-awareness-month] (NCSAM) in the US and EU. So much the better – it is more difficult to be aware of cybersecurity in the dead of winter or the blaze of summer. But the seasonal competition with Pumpkin Spice Awareness is fierce. To do our part each National Cybersecurity Awareness Month, Rapid7 publishes content that aims to inform readers about a p

5 min Public Policy

Rapid7 Supports Researcher Protections in Michigan Vehicle Hacking Law

Yesterday, the Michigan Senate Judiciary Committee passed a bill – S.B. 0927 [http://www.senate.michigan.gov/committees/files/2016-SCT-JUD_-09-20-1-01.PDF] – that forbids some forms of vehicle hacking, but includes specific protections for cybersecurity researchers. Rapid7 supports these protections. The bill is not law yet – it has only cleared a Committee in the Senate, but it looks poised to keep advancing in the state legislature. Our background and analysis of the bill is below. In summary

8 min Public Policy

Security vs. Security - Rapid7 supports strong encryption

We should embrace the use of strong encryption without compelling companies to create software that undermines their product security features.

7 min Public Policy

Wassenaar Arrangement - Recommendations for cybersecurity export controls

The U.S. Departments of Commerce and State will renegotiate [https://www.bis.doc.gov/index.php/forms-documents/doc_download/1434-letter-from-secretary-pritzker-to-several-associations-on-the-implementation-of-the-wassenaar-arrang] an international agreement – called the Wassenaar Arrangement [http://www.wassenaar.org/about-us/] – that would place broad new export controls on cybersecurity-related software. An immediate question is how the Arrangement should be revised. Rapid7 drafted some initi

4 min Public Policy

Rapid7, Bugcrowd, and HackerOne file pro-researcher comments on DMCA Sec. 1201

On Mar. 3rd, Rapid7, Bugcrowd [https://bugcrowd.com/], and HackerOne [https://hackerone.com/] submitted joint comments to the Copyright Office urging them to provide additional protections for security researchers. The Copyright Office requested public input [http://copyright.gov/fedreg/2015/80fr81369.pdf] as part of a study on Section 1201 [https://www.law.cornell.edu/uscode/text/17/1201] of the Digital Millennium Copyright Act (DMCA). Our comments to the Copyright Office focused on reforming

2 min Public Policy

I've joined Rapid7!

Hello! My name is Harley Geiger and I joined Rapid7 as director of public policy, based out of our Washington, DC-area office. I actually joined a little more than a month ago, but there's been a lot going on! I'm excited to be a part of a team dedicated to making our interconnected world a safer place. Rapid7 has demonstrated a commitment to helping promote legal protections for the security research community. I am a lawyer, not a technologist, and part of the value I hope to add is as a repr

13 min Public Policy

12 Days of HaXmas: Political Pwnage in 2015

This post is the ninth in the series, "The 12 Days of HaXmas." 2015 was a big year for cybersecurity policy and legislation; thanks to the Sony breach at the end of 2014 year, we kicked the new year off with a renewed focus on cybersecurity in the US Government. The White House issued three legislative proposals, [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] held a cybersecurity summit, and signed a new Executive Order, all before the end of February. The OPM br

5 min Public Policy

New DMCA Exemption is a Positive Step for Security Researchers

Today the Library of Congress officially publishes its rule-making for the latest round of exemption requests for the Digital Millennium Copyright Act (DMCA).  The advance notice of its findings [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-27212.pdf] revealed some good news for security researchers as the rule-making includes a new exemption to the DMCA for security research: “(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or

9 min Public Policy

Why I Don't Dislike the Whitehouse/Graham Amendment 2713

[NOTE: No post about legislation is complete without a lot of acronyms representing lengthy and forgettable names of bills. There are three main ones that I talk about in this post: CISA – the Cyber Information Sharing Act of 2015 – Senate bill that will likely go to vote soon.  The bill aims to facilitate cybersecurity information sharing and create a framework for private and government participation. ICPA – the International Cybercrime Prevention Act of 2015 – proposed bill to extend law en

1 min Legal

Rapid7's Comments on the Wassenaar Arrangement Proposed Rule for Controlling Exports of Intrusion Software

For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing export controls for intrusion software under the Wassenaar Arrangement. You can read about the proposal and Rapid7's initial thoughts here [/2015/06/13/response-to-the-us-proposal-for-implementing-the-wassenaar-arrangement-export-controls-for-intrusion-software] . The consultation window closed on Monday, July 20th

8 min Metasploit

Wassenaar Arrangement - Frequently Asked Questions

The purpose of this post is to help answer questions about the Wassenaar Arrangement.  You can find the US proposal for implementing the Arrangement here [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf], and an accompanying FAQ from the Bureau of Industry and Security (BIS) here [http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion pie

7 min Metasploit

Response to the US Proposal for Implementing the Wassenaar Arrangement Export Controls for Intrusion Software

On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf] for implementing new export controls under the Wassenaar Arrangement. These controls would apply to: * systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; * software specially designed or modified for the development or production of suc

6 min Public Policy

Will the Data Security and Breach Notification Act Protect Consumers?

Last week, the House Energy and Commerce Committee published a discussion draft of a proposed breach notification bill – the Data Security and Breach Notification Act of 2015 [http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/analysis/20150312DataSecurityDraft.pdf] . I'm a big fan of the principles at play here: as a consumer, I expect that if a company I have entrusted with my personally identifiable information (PII) has reason to believe that information has be

8 min Public Policy

How Do We De-Criminalize Security Research? AKA What's Next for the CFAA?

Anyone who read my breakdown on the President's proposal for cybersecurity legislation [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] will know that I'm very concerned that both the current version of the Computer Fraud and Abuse Act (CFAA) [http://www.law.cornell.edu/topn/computer_fraud_and_abuse_act_of_1986], and the update recently proposed by the Administration [http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tool

10 min Public Policy

Will the President's Cybersecurity Proposal Make Us More Secure?

Last week, President Obama proposed a number of bills to protect consumers and the economy from the growing threat of cybercrime and cyberattacks. Unfortunately in their current form, it's not clear that they will make us more secure. In fact, they may have the potential to make us more INsecure due to the chilling effect on security research. To explain why, I've run through each proposed bill in turn below, with my usual disclaimer that I'm not a lawyer. Before we get into the details, I want

4 min Public Policy

Petition for Reform of the DMCA and CFAA - Why I Care, and Why I Think You Should Too.

Here's the TL;DR: Software now runs everything and all software has flaws, which means that we, as consumers, are at risk. This includes YOU, and can impact your safety or quality of life. Sign this petition to protect your right to information on how you are exposed to risk: https://petitions.whitehouse.gov/petition/unlock-public-access-research-software -safety-through-dmca-and-cfaa-reform/DHzwhzLD The petition Last weekend a petition [https://petitions.whitehouse.gov/petition/unlock-public

3 min Research

Supporting the Security Community - Why I Joined Rapid7

Hey SecurityStreet! I wanted to say hello, as I am new to the Rapid7 team - and excited to be working with you. Three Things * Who is this 'Trey guy' * Why Rapid7? * What are you doing? (… which is all I want to talk about!) 'Who?' By way of introduction, my name is Trey Ford and I am joining the R7 team as Global Security Strategist, after serving as General Manager at Black Hat for the last two years. I will continue working on the Black Hat Review Board, and may announce a couple of