4 min
Public Policy
Expanded Protections for Security Researchers Under DMCA Sec. 1201
The Library of Congress announced that it would renew and expand legal protections for security testing under Section 1201 of the Digital Millennium Copyright Act (DMCA).
6 min
Public Policy
Prioritizing the Fundamentals of Coordinated Vulnerability Disclosure
In this post, we aim to distinguish between three broad flavors of CVD processes based on authorization, incentives, and resources required. We also urge wider adoption of foundational processes before moving to more advanced and resource-intensive processes.
6 min
Public Policy
Updating Data Security Laws - A Starting Point
A baseline requirement for commercial data security is often part of discussions on privacy and breach notification regulations. This issue deserves close attention to ensure any security regulation is both effective at protecting users while staying flexible enough to be practicable.
3 min
Public Policy
Georgia should not authorize "hack back"
[Update 05/09/18: Georgia Governor Deal vetoed SB 315. In a thoughtful veto
statement
[https://gov.georgia.gov/press-releases/2018-05-08/deal-issues-2018-veto-statements]
, the Governor noted that the legislation raised "concerns regarding national
security implications and other potential ramifications," and that "SB 315 may
inadvertently hinder the ability of government and private industries" to
protect against breaches. The statement expressed interest in working with the
cybersecurity and l
2 min
Public Policy
Welcome transparency on US government's process for disclosing vulnerabilities
The White House recently released details on the US government's process for disclosing - or retaining - zero-day vulnerabilities. The new VEP charter provides answers to several key questions, but it remains to be seen how it will operate in practice.
5 min
Public Policy
Copyright Office Calls For New Cybersecurity Researcher Protections
On Jun. 22, the US Copyright Office released
[https://www.copyright.gov/policy/1201/section-1201-full-report.pdf] its
long-awaited study on Sec. 1201 of the Digital Millennium Copyright Act (DMCA),
and it has important implications for independent cybersecurity researchers.
Mostly the news is very positive. Rapid7 advocated extensively for researcher
protections to be built into this report, submitting two sets of detailed
comments—see here
[/2016/03/15/rapid7-bugcrowd-and-hackerone-file-pro-res
2 min
Public Policy
Legislation to Strengthen IoT Marketplace Transparency
Senator Ed Markey (D-MA) is poised to introduce legislation to develop a
voluntary cybersecurity standards program for the Internet of Things (IoT). The
legislation, called the Cyber Shield Act, would enable IoT products that comply
with the standards to display a label indicating a strong level of security to
consumers – like an Energy Star rating for IoT. Rapid7 supports this legislation
and believes greater transparency in the marketplace will enhance cybersecurity
and protect consumers.
The
4 min
Public Policy
Rapid7 issues comments on NAFTA renegotiation
In April 2017, President Trump issued an executive order
[https://www.whitehouse.gov/the-press-office/2017/05/01/presidential-executive-order-addressing-trade-agreement-violations-and]
directing a review of all trade agreements. This process is now underway: The
United States Trade Representative (USTR) – the nation's lead trade agreement
negotiator – formally requested
[https://www.regulations.gov/docket?D=USTR-2017-0006] public input on objectives
for the renegotiation of the North American F
4 min
Public Policy
White House Cybersecurity Executive Order Summary
Yesterday President Trump issued an Executive Order on cybersecurity:
“Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure.”
[https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure]
The Executive Order (EO) appears broadly positive and well thought out, though
it is just the beginning of a long process and not a sea change in itself. The
EO directs agencies to come up with plans
4 min
Research
NCSAM: The Danger of Criminalizing Curiosity
This is a guest post from Kurt Opsahl [https://twitter.com/kurtopsahl], Deputy
Executive Director and General Counsel of the Electronic Frontier Foundation
[https://twitter.com/EFF].
October is National Cyber Security Awareness month and Rapid7 is taking this
time to celebrate security research. This year, NCSAM coincides with new legal
protections for security research under the DMCA
[/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers]
and the 30th anniversary of the
8 min
Public Policy
Security vs. Security - Rapid7 supports strong encryption
We should embrace the use of strong encryption without compelling companies to create software that undermines their product security features.
7 min
Public Policy
Wassenaar Arrangement - Recommendations for cybersecurity export controls
The U.S. Departments of Commerce and State will renegotiate
[https://www.bis.doc.gov/index.php/forms-documents/doc_download/1434-letter-from-secretary-pritzker-to-several-associations-on-the-implementation-of-the-wassenaar-arrang]
an international agreement – called the Wassenaar Arrangement
[https://www.wassenaar.org/about-us/] – that would place broad new export
controls on cybersecurity-related software. An immediate question is how the
Arrangement should be revised. Rapid7 drafted some init
2 min
Public Policy
I've joined Rapid7!
Hello! My name is Harley Geiger and I joined Rapid7 as director of public
policy, based out of our Washington, DC-area office. I actually joined a little
more than a month ago, but there's been a lot going on! I'm excited to be a part
of a team dedicated to making our interconnected world a safer place.
Rapid7 has demonstrated a commitment to helping promote legal protections for
the security research community. I am a lawyer, not a technologist, and part of
the value I hope to add is as a repr
13 min
Public Policy
12 Days of HaXmas: Political Pwnage in 2015
This post is the ninth in the series, "The 12 Days of HaXmas."
2015 was a big year for cybersecurity policy and legislation; thanks to the Sony
breach at the end of 2014 year, we kicked the new year off with a renewed focus
on cybersecurity in the US Government. The White House issued three legislative
proposals,
[/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure]
held a cybersecurity summit, and signed a new Executive Order, all before the
end of February. The OPM br
9 min
Public Policy
Why I Don't Dislike the Whitehouse/Graham Amendment 2713
[NOTE: No post about legislation is complete without a lot of acronyms
representing lengthy and forgettable names of bills. There are three main ones
that I talk about in this post:
CISA – the Cyber Information Sharing Act of 2015 – Senate bill that will likely
go to vote soon. The bill aims to facilitate cybersecurity information sharing
and create a framework for private and government participation.
ICPA – the International Cybercrime Prevention Act of 2015 – proposed bill to
extend law en