Email Security

    Supreme Court Offers Justice for Cybersecurity Threat Hunters
    Options

    A ruling by America’s highest court is expected to protect the growing ranks of security researchers and bug bounty hunters against legal liability.

    by Karen Lynch
    gettyimages-114169549.png

    Key Points

    • Cybersecurity threat hunters help companies stay ahead of cybercriminals by identifying security flaws that need to be fixed.
    • To date, however, U.S. law has had a chilling effect on security researchers.
    • A recent Supreme Court ruling is expected to reduce their exposure to criminal charges and civil lawsuits.

    The cybersecurity community is praising a recent U.S. Supreme Court ruling for reducing legal obstacles to the practice of threat hunting. “The Van Buren decision is especially good news for security researchers, whose work discovering security vulnerabilities is vital to the public interest but often requires accessing computers in ways that contravene terms of service,” the Electronic Frontier Foundation (EFF) said.[1]

    The court effectively narrowed the scope of the 35-year-old Computer Fraud and Abuse Act (CFAA), which had made cybersecurity threat hunters work under the threat of potential criminal and civil liabilities. “Security researchers have for decades operated in a legal grey area because the law as written exposes their work to prosecution, even if the goal is to improve cybersecurity,” according to one report.[2]

    The Law vs. Cybersecurity Threat Hunting

    The CFAA has been used to prosecute hundreds of high- and low-level hackers, and has often engendered controversy, Wired reported.[3] Its provisions cover a range of offenses from computer trespassing to damage, fraud and theft.

    The case before the Supreme Court addressed a seemingly unrelated matter involving a policeman’s handling of law enforcement data. Yet it presented a larger question — specifically about what it means to exceed authorized access to a computer system. “The government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity,” the justices ruled.[4]

    As it has applied to security researchers, this CFAA interpretation has had a chilling effect at every step: “from conducting security research in the first place, to disclosing security flaws that they discover, to going public with security flaws when companies refuse to patch them,” the EFF told the Supreme Court. “The result of this perverse system of incentives is that discoverable security vulnerabilities remain undetected or unpatched, effectively waiting for attackers to find and exploit them.”

    Now, the Supreme Court decision will help protect public-interest security research. But more is needed, according to Columbia University’s Knight First Amendment Institute. Congress should amend the CFAA to eliminate any remaining uncertainty and create a safe harbor for researchers, the institute said.[5]

    CFAA’s Real World Impact

    Cybersecurity researchers said the CFAA has been a sword hanging over their heads, even as their occupation has become more structured, respectable and lucrative over time.

    On the one hand, many in government, industry and the cybersecurity community — including threat hunters at Mimecast — have worked out mutually beneficial arrangements that harness and even incentivize security research financially. Some of the world’s biggest tech companies run so-called “bug bounty” programs, inviting cybersecurity threat hunters to responsibly hack into their systems and inform them of any flaws. So does the U.S. Defense Department.[6]

    Facebook, for example, celebrated the tenth anniversary of its bug bounty program in November, citing more than 130,000 findings, of which nearly 7,000 were paid bounties (totaling about $2 million in 2020 alone).[7] The company posts its thanks for responsible disclosures, as well as payout guidelines for specific types of findings.[8]

    Yet other companies have continued to ignore threat hunters’ findings or threaten lawsuits under the CFAA. “Even as some companies have expressed appreciation for the work of independent security researchers, others have proven quick to lash out against them,” the EFF told the court.[9]

    In one case, a top credit reporting agency sat on a reported flaw for months, the EFF said, and attackers ultimately stole the personal information of nearly 150 Americans. In another, a security researcher was reported to the FBI by a voting technology company.

    Cybersecurity Threat Hunters in Profile

    Cybersecurity threat hunting brings the power of crowdsourcing, technological prowess and other benefits to bear against mounting cyber risk.

    In the midst of the pandemic, for example, “hackers have risen to the challenges presented by the past year, from supporting businesses through rushed digital transformations to committing more time to protecting healthcare providers,” according to the 2021 Hacker Report.[10] The report, published by the HackerOne bug bounty platform, paints the following picture of threat hunting in practice:

    • 1 million threat hunters are registered on its platform, which is one of the biggest.
    • They earned a total of $40 million in 2020.
    • 85% of hackers say they do it to learn; 76% do it for the bounties; and 62% hack to advance their career.
    • 82% of them do it part-time.
    • 37% have studied computer science at a post-graduate level.
    • 27% have not reported a bug because of a previous negative experience with the company in question.

    Many cybersecurity companies also report security flaws to major technology platforms, as they scan the environment for threats to their customers. Mimecast, for example, has made several responsible disclosures to other companies, and invites responsible disclosures of vulnerabilities in its own systems and services.

    The Bottom Line

    Following a recent Supreme Court ruling, cybersecurity threat hunters face fewer legal obstacles to the work they do — discovering and responsibly reporting security flaws in companies’ technologies and networks. The court case represents an important milestone in the evolution of crowdsourced security at a time of mounting cyber risk.

     

    [1]Van Buren Is a Victory Against Overbroad Interpretations of the CFAA, and Protects Security Researchers,” Electronic Frontier Foundation

    [2]The Supreme Court Will Hear its First Big CFAA Case,” TechCrunch

    [3]The Most Controversial Hacking Cases of the Past Decade,” Wired

    [4]Van Buren v. United States,” U.S. Supreme Court

    [5]Comments on Supreme Court Decision in Van Buren v. United States,” Knight First Amendment Institute

    [6]Hack the Army 3.0 Furthers Innovative Bug Bounty Program to Defend Networks, Data,” U.S. Army

    [7]Marking the 10th Anniversary of Our Bug Bounty Program,” Facebook

    [8]Thanks!,” Facebook

    [9]Brief of Amici Curiae,” Electronic Frontier Foundation

    [10]The 2021 Hacker Report,” HackerOne

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top