CyAN launches pro-researcher legislative action partnership
The new initiative looks to smooth legal difficulties encountered by security researchers (kynny/iStock via Getty Images)

The Cybersecurity Advisors Network (CyAN), in partnership with the CyberPeace Institute, Disclose.io and the UN Paris Call Working Group, launched a global advocacy group to reduce legal interference with cybersecurity research.

“At a time of unprecedented scale and seriousness of cyberattacks threatening our personal information, the continuity of our businesses and the systems and infrastructure that support our societies, we find the very people we rely on to protect us remain under threat,” said Peter Coroneos, vice president of CyAN and leader of the project dubbed the Zero Day Legislative Initiative, in a press release.

A quick glance at the release notes on any Patch Tuesday gives a snapshot of how many patched vulnerabilities are reported by researchers. But in America and abroad, hacking and copyright laws often predate recognition of how important those researchers are to the cybersecurity ecosystem. In the U.S., third-party volunteer cybersecurity researchers must navigate a complex network of laws in order to find and disclose vulnerabilities. For example, despite a major Supreme Court ruling last year, there is a lot of uncertainty in the United States around how the Computer Fraud and Abuse Act views security research. Whether or not the research violates copyright anti-circumvention laws depends on the Library of Congress regularly renewing an exemption for security research.

CyAN said the initial focus of the partnership will be on jurisdictions where there are already efforts to address the problem, or ones where it can find local partners to support.

Several big-name researchers have lent expertise to the establishment of the alliance. Partner Disclose.io focuses on contractual language to permit research. CyAN also consulted with Luta Security CEO and disclosure guru Katie Moussouris; former top U.S. cyber diplomat Chris Painter; and Ciaran Martin, the first CEO of the UK National Cyber Security Centre.

“It’s high time the world’s laws provided these good-faith hackers safer ways to perform their vital research essential to securing the modern world,” Moussouris said in a statement.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.