As of today, the United States Department of Justice has revised its language surrounding the CFAA (Computer Fraud and Abuse Act) to encapsulate “Ethical Hacking.”
Security researchers and penetration testers set some of our standards for ensuring the everyday computer user is safe from nefarious actors. This shows the United States government is finally realizing the value of penetration testing and cyber security professionals. There are statistics out there on how frequent attacks are, and most are wildly varied, so let’s just say for all intents and purposes that it’s A LOT. You don’t want to be on the receiving end of an attack. These professionals are exactly the people you want on your team helping keep security fresh.
The DOJ was clear that they don’t want this to be considered an easy out if you have ill will in your intentions. This is to protect the people that are testing, fixing, or actively investigating flaws and vulnerabilities. In most circumstances, these ethical hackers will reach out to their “target” ahead of time to let them know their intention and get permission to test the systems in question. This ensures everyone is in the know about tests occurring. With the previous rulesets in play and the backing of the US government, this could prove to be a massive step forward in stopping bad actors or mitigating their efforts before they become too detrimental.
The converse could suggest this is a quick bait-and-switch to draw grey hats out, or just to crack down on any hacker regardless of intent to further control what people are allowed to do with computers. This is purely speculation and could be completely tinfoil inaccurate, but I thought I should throw it out there.
The revision is limited to federal prosecutors, so if state officials become alarmed and want to press charges, they are still free to do so.
This seems to be an effort to crack down on misinterpretation of what is considered a good faith versus a bad faith actor. “Hacking” was in the news when Missouri Governor Mike Parson threatened a news reporter with prosecution after the reporter “hacked” a government website that was exposing hundreds of thousands of social security numbers. What resulted was a very embarrassing Tweet-storm demonstrating how out of touch the governor was, and that his administration was confused about what hacking is. The reporter willingly gave the information to the state with ample time to rectify the issue before reporting on the flaw. Hitting F12 is not a crime. Supposedly, this new revision will help mitigate this kind of nonsense.
Ultimately, this can be good news for digital security teams around the nation, that is, if the DOJ upholds the “good faith” language on their end as well.