The White House in January proposed updates to the Computer Fraud and Abuse Act that have stirred controversy within the cybersecurity industry.
The proposals would allow prosecution under the CFAA of insiders who abuse their authorized access to information, while excluding trivial conduct from prosecution.
“If the proposed legislation were to be enacted, it would certainly have a chilling effect on cybersecurity research,” Chris Doggett, managing director at Kaspersky Lab North America, told TechNewsWorld.
The current law already has that effect at times, and the proposed legislation “makes [stultifying research] much easier to do by broadening the definition of illegal activities while removing some of the aspects, such as intent, that mitigated risk for those who were doing bona fide research,” Doggett continued.
White Hats at Risk?
The proposed amendments seek to promote better cybersecurity information sharing between government and the private sector, provide targeted liability protection for participating companies, improve Americans’ privacy, and set guidelines for the federal government’s development, receipt, retention, use and disclosure of shared information.
They also aim to allow prosecution of the sale of botnets, and to criminalize the overseas sale of financial information stolen from the United States, such as credit card and bank account numbers.
The suggested amendments also seek to update the RICO Act to apply to cybercrimes.
Adding the concept of racketeering could see online security communities or those who share information about exposures subject to prosecution, Doggett pointed out. “The removal of the ‘with intent to defraud’ provision and replacing it with [the] ‘willfully traffics’ [clause] makes their actions illegal even though their intent may be good and their actions appropriate.”
Still, there is no doubt that cyberattacks are a real and ongoing problem.
The United States Department of Homeland Security responded to 257 credible threats to the U.S. critical infrastructure in 2013, Brian Foster, CTO of Damballa, told TechNewsWorld.
Meanwhile, attacks on U.S. government websites continue apace, and the government appears unable to combat these hackers. For example, the hackers who penetrated the U.S. State Department’s unclassified email system three months ago are still in the system, despite efforts to eliminate them.
The barrier to entry for cybercriminals is low, Foster pointed out, adding, “information is readily available about how to perpetrate attacks and there’s a thriving underground economy for buying the tools to do it.”
United We Fall
Section 6 of the proposed legislation would, in essence, make it illegal to share such information, about how to perpetrate attacks and the tools used to do so, if the person sharing it knows, or should know, that someone else might abuse it.
That’s akin to allowing the government to prosecute gun manufacturers when their products are used in the commission of crimes, and it is causing great concern.
To test this issue, researcher Mark Burnett released into the public domain a database of 10 million passwords he had compiled over the years, with identifying information removed. All of the data had at one time been publicly available and discoverable by search engines.
Burnett is currently within the law because he has no intent to commit or facilitate a crime, but the proposed amendments to the CFAA might change that.
Fear and Loathing in the Security Industry
The CFAA’s language is vague, and “I’m not sure how much it will club researchers for the time being,” Derek Manky, senior security strategist at Fortinet’s FortiGuard Labs, told TechNewsWorld.
For example, Fortinet monitors activity for Heartbleed, and “it is tough to tell if a Heartbleed attack, which leaks data by nature, is just a pen test or an actual attack,” Manky remarked.
If, however, a law is imposed to limit or stop researchers from responsibly disclosing vulnerabilities, “in my professional opinion it is a backwards step since now the bad guys will — for the most part — always beat the good guys [in] the arms race,” Manky continued.
Companies are likely to use the amendments to clamp down on independent security research, noted Richard Blech, CEO of Secure Channels.
“We may not know if a system is safe, even if it’s tested,” Blech told TechNewsWorld. “Hackers can always find an unexpected flaw. But we sure will know that our systems aren’t safe if they’re not tested, or if testing is prevented.”
At the same time, “we don’t want to allow too much leeway to think that cybercriminals can get away and dodge bullets when it comes to breaking the law,” Manky said.
“In the physical world, we don’t have the concept of packs of people breaking into homes and companies to conduct unauthorized tests of physical security,” remarked Rob Enderle, principal analyst at the Enderle Group. “If they did, they’d be arrested and might get shot in the process. So, if you don’t have legal authority to test the security of a thing, then your act should be illegal.”
Step Back and Breathe Deeply
Stung by the criticism, the United States Department of Justice in March defended the proposal’s treatment of trafficking in means of access, such as botnets, on the grounds that criminals use botnets not only to commit fraud but also to commit other crimes. The DoJ asserts that it has no interest in prosecuting legitimate security researchers, academics, or system administrators.
The DoJ says the provision would require the government to prove beyond a reasonable doubt that the individual intentionally trafficked in a means of access he or she knew to be unlawful, and that the individual knew, or had reason to know, that the means of access would be used to commit a crime by hacking. It is discussing the issue with security researchers and groups, and with Congress, to ensure that it avoids chilling legitimate security research.
“I think the idea that everyone should be free to test security is frankly nuts,” Enderle told TechNewsWorld. “Managing the current mess has become problematic as the lines between criminal and legitimate researcher are badly blurred, especially in Asia and Europe.”