Posts tagged Public Policy

4 min Public Policy

National Cybersecurity Awareness Month 2016 - This one's for the researchers

October was my favorite month even before I learned it is also National Cybersecurity Awareness Month [https://www.dhs.gov/national-cyber-security-awareness-month] (NCSAM) in the US and EU. So much the better – it is more difficult to be aware of cybersecurity in the dead of winter or the blaze of summer. But the seasonal competition with Pumpkin Spice Awareness is fierce. To do our part each National Cybersecurity Awareness Month, Rapid7 publishes content that aims to inform readers about a p

5 min Public Policy

Rapid7 Supports Researcher Protections in Michigan Vehicle Hacking Law

Yesterday, the Michigan Senate Judiciary Committee passed a bill – S.B. 0927 [http://www.senate.michigan.gov/committees/files/2016-SCT-JUD_-09-20-1-01.PDF] – that forbids some forms of vehicle hacking, but includes specific protections for cybersecurity researchers. Rapid7 supports these protections. The bill is not law yet – it has only cleared a Committee in the Senate, but it looks poised to keep advancing in the state legislature. Our background and analysis of the bill is below. In summary

1 min Public Policy

NIST 800-53 Control Mappings in SQL Query Export

In July, we added National Institute of Standards and Technology (NIST) Special Publication 800-53r4 controls mappings to version 2.0.2 of the reporting data model for SQL Query Export reports. NIST 800-53 is a publication that develops a set of security controls standards that are designed to aid organizations in protecting themselves from an array of threats. What does this mean for you? Well, now you can measure your compliance against these controls by writing SQL queries. For example, say

2 min Nexpose

Getting More Out of Nexpose Policy Reports

Auditing your systems for compliance with secure configuration policies like CIS, DISA STIGs, and USGCB is an important part of any effective security program, not to mention a requirement for many industry and regulatory compliance regimes like PCI DSS and FISMA. With Nexpose, you can automate this assessment using our Policy Manager feature. Back in March we launched two brand new policy report templates, Policy Rule Breakdown Summary and Top Policy Remediations, to help organizations understand h

1 min Nexpose

New Policy Reports in Nexpose

With Nexpose, you can assess your network for secure configurations at the same time as vulnerabilities, giving you a unified view of your risk and compliance posture. The latest version of Nexpose focuses on making it easier to understand how well you're doing and the actions to take to improve overall compliance. Starting with Nexpose 6.2.0, users now have access to two brand new policy reports that help you take control of your compliance program and focus on what is important. The first r

8 min Public Policy

Security vs. Security - Rapid7 supports strong encryption

We should embrace the use of strong encryption without compelling companies to create software that undermines their product security features.

7 min Public Policy

Wassenaar Arrangement - Recommendations for cybersecurity export controls

The U.S. Departments of Commerce and State will renegotiate [https://www.bis.doc.gov/index.php/forms-documents/doc_download/1434-letter-from-secretary-pritzker-to-several-associations-on-the-implementation-of-the-wassenaar-arrang] an international agreement – called the Wassenaar Arrangement [http://www.wassenaar.org/about-us/] – that would place broad new export controls on cybersecurity-related software. An immediate question is how the Arrangement should be revised. Rapid7 drafted some initi

4 min Public Policy

Rapid7, Bugcrowd, and HackerOne file pro-researcher comments on DMCA Sec. 1201

On Mar. 3rd, Rapid7, Bugcrowd [https://bugcrowd.com/], and HackerOne [https://hackerone.com/] submitted joint comments to the Copyright Office urging them to provide additional protections for security researchers. The Copyright Office requested public input [http://copyright.gov/fedreg/2015/80fr81369.pdf] as part of a study on Section 1201 [https://www.law.cornell.edu/uscode/text/17/1201] of the Digital Millennium Copyright Act (DMCA). Our comments to the Copyright Office focused on reforming

2 min Public Policy

I've joined Rapid7!

Hello! My name is Harley Geiger and I joined Rapid7 as director of public policy, based out of our Washington, DC-area office. I actually joined a little more than a month ago, but there's been a lot going on! I'm excited to be a part of a team dedicated to making our interconnected world a safer place. Rapid7 has demonstrated a commitment to helping promote legal protections for the security research community. I am a lawyer, not a technologist, and part of the value I hope to add is as a repr

13 min Public Policy

12 Days of HaXmas: Political Pwnage in 2015

This post is the ninth in the series, "The 12 Days of HaXmas." 2015 was a big year for cybersecurity policy and legislation; thanks to the Sony breach at the end of 2014, we kicked the new year off with a renewed focus on cybersecurity in the US Government. The White House issued three legislative proposals, [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] held a cybersecurity summit, and signed a new Executive Order, all before the end of February. The OPM br

5 min Public Policy

New DMCA Exemption is a Positive Step for Security Researchers

Today the Library of Congress officially publishes its rule-making for the latest round of exemption requests for the Digital Millennium Copyright Act (DMCA). The advance notice of its findings [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-27212.pdf] revealed some good news for security researchers as the rule-making includes a new exemption to the DMCA for security research: “(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or

9 min Public Policy

Why I Don't Dislike the Whitehouse/Graham Amendment 2713

[NOTE: No post about legislation is complete without a lot of acronyms representing lengthy and forgettable names of bills. There are three main ones that I talk about in this post: CISA – the Cyber Information Sharing Act of 2015 – Senate bill that will likely go to vote soon. The bill aims to facilitate cybersecurity information sharing and create a framework for private and government participation. ICPA – the International Cybercrime Prevention Act of 2015 – proposed bill to extend law en

6 min Public Policy

Will the Data Security and Breach Notification Act Protect Consumers?

Last week, the House Energy and Commerce Committee published a discussion draft of a proposed breach notification bill – the Data Security and Breach Notification Act of 2015 [http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/analysis/20150312DataSecurityDraft.pdf]. I'm a big fan of the principles at play here: as a consumer, I expect that if a company I have entrusted with my personally identifiable information (PII) has reason to believe that information has be

8 min Public Policy

How Do We De-Criminalize Security Research? AKA What's Next for the CFAA?

Anyone who read my breakdown on the President's proposal for cybersecurity legislation [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] will know that I'm very concerned that both the current version of the Computer Fraud and Abuse Act (CFAA) [http://www.law.cornell.edu/topn/computer_fraud_and_abuse_act_of_1986], and the update recently proposed by the Administration [http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tool

10 min Public Policy

Will the President's Cybersecurity Proposal Make Us More Secure?

Last week, President Obama proposed a number of bills to protect consumers and the economy from the growing threat of cybercrime and cyberattacks. Unfortunately in their current form, it's not clear that they will make us more secure. In fact, they may have the potential to make us more INsecure due to the chilling effect on security research. To explain why, I've run through each proposed bill in turn below, with my usual disclaimer that I'm not a lawyer. Before we get into the details, I want