When the Supreme Court handed down its decision in Van Buren v. United States, cybersecurity professionals nationwide breathed a sigh of relief. Asked to determine the scope of the United States’ main federal anti-hacking law, the court adopted a limited interpretation of the Computer Fraud and Abuse Act (CFAA). Had the ruling come out differently, it could have created more risk for so-called “white hat” hackers who search for flaws in software as a public service.
But even after Van Buren, white hats continue to face some lingering legal uncertainty under the CFAA and other laws. Meanwhile, the United States faces nothing short of a cybersecurity crisis, and U.S. authorities have begun to acknowledge that “black hat” hackers (particularly those overseas) appear largely unmoved by the threat of prosecution. That is, the specter of liability may be discouraging white hats from doing innocuous or beneficial security research, without meaningfully deterring malicious hacking. This topsy-turvy state of the law—and those who wield it as a cudgel to threaten researchers—is a weakness in U.S. national security.