Rapid7’s public policy mission is part of our strong commitment to supporting the infosec community and advancing smart cybersecurity. Here are some examples of our cybersecurity policy work:
-
Computer Access Laws
Laws restricting computer access and use should carefully balance the need to combat cybercrime with the value of supporting security research, innovation, and other legitimate activity.
DMCA
The Digital Millennium Copyright Act (DMCA) can hinder good faith security research by restricting the ability to analyze software for vulnerabilities. We support changes to extend protections for security researchers without diminishing copyright.
CFAA
Independent security research is valuable for advancing cybersecurity, but the Computer Fraud and Abuse Act (CFAA) makes little distinction between beneficial research and malicious hacking. We support responsible CFAA reforms and clarifications to protectshield security researchers and internet users from overbroad liability.
States
Rapid7 occasionally advises states on computer access laws to protect consumers and businesses while avoiding obstacles to research and innovation.
Hack Back
Authorizing private entities to take active measures in retaliation against hacking risks undermining cybersecurity and causing collateral damage.
-
International Trade and Exports
Cybersecurity is a global effort that depends on the free flow of information across borders. Trade agreements and export controls should aim to boost security without imposing overbroad restrictions on global data flow.
International Trade
Modern day companies depend on reliable cybersecurity and global flow of information to succeed in the digital economy. Trade agreements and trade policy should reflect these priorities while preserving flexibility for future innovations.
Wassenaar Arrangement
The Wassenaar Arrangement - a 40-nation export control agreement - creates broad new export requirements on software. We believe export controls should be implemented in a manner that avoids unnecessary burdens on legitimate cybersecurity products.
-
Vulnerability Handling and Disclosure
Vulnerability disclosure and handling processes can help technology providers and operators quickly address vulnerabilities disclosed to them by external sources, such as researchers. Coordinated disclosure can also help protect security researchers by reducing the risk of conflict.
- Joint Comments on NIST Cybersecurity Framework version 1.1.2 – 01/19/18
- NIST Cyber Framework Updated with Coordinated Vuln Disclosure Processes – 12/19/17
- Rapid7 urges NIST and NTIA to promote coordinated disclosure processes – 04/19/17
- Joint Comments on NIST Cybersecurity Framework – 04/10/17
- Joint Comments on NTIA Internet of Things Green Paper – 03/13/17
- Vulnerability Disclosure Attitudes and Actions - NTIA working group report – 12/15/16
- NTIA Vulnerability Disclosure and Handling Surveys – 04/11/16
-
Internet of Things
Cybersecurity will be critical to safety, privacy, and public trust as Internet of Things (IoT) devices are more widely deployed. In addition to leading research on IoT, Rapid7 engages policymakers in considering how to best secure it from accidental breach and intentional cyberattack.
- Rapid7 Congressional testimony on IoT Cybersecurity – 04/30/19
- Communicating IoT Device Security Update Capability to Improve Transparency for Consumers (NTIA multistakeholder process) – 07/18/17
- Rapid7 comments to the National Highway Traffic Safety Administration on cybersecurity best practices for connected vehicles – 11/28/16
- Rapid7 comments to the Department of Commerce on cybersecurity and the Internet of Things – 06/01/16
- Rapid7 comments to the Food & Drug Administration on post-market guidance of cybersecurity in medical devices – 04/21/16
-
Digital Economy
For the digital economy to continue supporting significant economic growth and innovation, it must be driven by broad participation, competition, and secure foundational technologies.
Patents
Abusive patent lawsuits hinder economic growth and innovation, diverting resources away from product development, job creation, and providing social value. Rapid7 supports legal reforms that deter frivolous patent claims while protecting inventors.
Encryption
Commerce, government, and individual internet users rely on encryption for secure communications. Legal requirements to weaken encryption undermine cybersecurity, trust, innovation – and ultimately user security.
Net Neutrality
The principle of net neutrality has played an important role in providing users with equal access to digital content, empowering content creators of all sizes to compete on a more level playing field regardless of resources. Repealing net neutrality risks undercutting these opportunities and weakening full participation in the digital economy for small or independent content creators.
Our Recent Positions
Meet the Team
Harley Geiger is Director of Public Policy at Rapid7, leading the company's policy engagement with a focus on cybersecurity, privacy, computer crime, exports, and digital trade issues. He collaborates extensively with technical experts, trade groups, security researchers, and government officials to achieve workable policy solutions that advance security and protect consumers. Harley serves on the Industry Trade Advisory Committee on Digital Economies (ITAC8) at the U.S. Dept. of Commerce, where he advises on trade policy issues related to the information security industry. Prior to working at Rapid7, Harley was Advocacy Director at the Center for Democracy & Technology (CDT) and Senior Legislative Counsel for U.S. Representative Zoe Lofgren of California. Harley is a licensed attorney, CIPP/US certified, has testified before the U.S. House and Senate, and regularly speaks at events on technology policy.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Deral Heiland CISSP, serves as a Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral also has conducted security research on numerous technical subjects, releasing white papers, security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC, Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technical Review, SC Magazine, Threat Post and The Register.
Tas Giakouminakis leads Rapid7’s Office of the CTO, focusing on security research, data science and public policy initiatives to better the security community through open and collaborative engagement. As Rapid7's co-founder and CTO, Tas previously led the development and integration of Rapid7’s award-winning solutions, driving the technical direction to enable customers through quality, simplicity, and innovation. Prior to founding Rapid7, Tas helped form Percussion Software, where he led the development of Percussion's first product. He has also developed software in the security and risk areas for CitiCorp. Tas serves on the Information Systems Technical Advisory Committee (ISTAC) at the U.S. Dept. of Commerce, where he advises on export controls related to information security products.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.