As the new executive director for (ISC)², one of my most critical goals is to be a global ambassador for our membership. Recently, the U.S. White House proposed reforms to the Computer Fraud and Abuse Act (CFAA) of 1986, which aim to prosecute those who exceed authorized access to online networks. If this proposal is enacted into law, it could make it more difficult for cybersecurity practitioners to perform their jobs to defend their organizations against malicious threats.
Many (ISC)² members, with a high degree of professionalism and ethics, use tools that could fall under such prosecution for penetration testing and assessment purposes. But many of the critical functions of an information security practitioner today rely upon their ability to accurately research, assess and defend against attacks.
We strongly recommend including an exception for our members and other information security researchers like them who are currently acting in good faith and reporting vulnerabilities directly to companies and governments alike. This information sharing is happening today, and many vulnerabilities are reported and consequently repaired in an expeditious manner. In its proposed form, we see the potential for CFAA to threaten our members, researchers and integral information security best practices. The fear caused by the threat of prosecution may result in many researchers deciding not to share vulnerability information, or being forced into not performing research at all. If we cannot assure future information security practitioners that hard work will be rewarded with appreciation rather than indictment, we will steer them away from this profession at a time the world can ill afford it.
At (ISC)², our vision is to inspire a safe and secure cyber world. We can’t do it alone. And we must work together with our membership, government, industry and academia to create a framework that helps protect the global online community against emerging threats.
A few weeks ago, I delivered a personal letter to the director of cybersecurity privacy, civil liberties and policy for the U.S. White House, Ari Schwartz, to make an appeal to make exceptions to their proposal. I encourage our membership and other industry professionals to comment on this matter as well. Please feel free to post your thoughts and opinions in the comment section of this blog below.
-David Shearer, CISSP, PMP, Executive Director, (ISC)²