SC Video: Are lawmakers vilifying white-hat hackers?

Call it a tale of two legislations.

One bill is designed to establish a federal bug bounty program for State Department websites; the other is a proposed state law that threatens to have a chilling effect on vulnerability researchers and white-hat hackers.

Casey Ellis, founder and CTO of bug bounty platform provider Bugcrowd, addressed both in an interview with SC Media at RSA 2018.

Ellis expressed concern over Georgia Senate Bill 315, which makes it a crime for unauthorized individuals to deliberately access a computer or network but carves out no exception for legitimate security research and vulnerability hunting. Ellis said Bugcrowd attempted to engage in dialogue with state lawmakers in hopes of shaping the bill into "something that's at least less threatening to people that are operating in good faith." But for now, concerns remain, especially after the Georgia legislature passed the bill last March, sending it to the desk of Governor Nathan Deal (R), who has until May 8 to sign or veto it.

Reportedly, a group of more than 50 experts, researchers and academics wrote a letter to Deal, asking him to veto the bill.

Ellis said that laws like SB 315 and the Computer Fraud and Abuse Act, as currently written, "operate on the assumption that if you're a hacker, you're automatically a bad person," adding that he worries this could become a legislative trend.

On the other hand, Ellis praised the "Hack Your State Department Act," a bill introduced last March by Reps. Ted Lieu (D-Calif.) and Ted Yoho (R-Fla.) that would establish a federal bug bounty program for State Department websites. It follows earlier programs in which researchers were invited to "hack" the Pentagon and the Air Force, and Ellis said other government agencies will likely follow suit because of a dearth of available security talent.

"They can't find people. They're having horrible trouble hiring and they're looking at this crowdsource model as a better way to get adversarial feedback into their organizations so they can reduce their risk," said Ellis.

During his interview, Ellis also talked about the uptick in interest among Internet of Things manufacturers to pursue bug bounty programs, as well as the need to ensure that security programs continue to leverage human creativity and ingenuity.

Bradley Barth
