Why security pros don't like Obama's proposal for antihacking law
Ever since the Sony Pictures hack last year, the White House has sharpened its focus on cybersecurity. President Obama has penned two executive orders meant to confront digital intrusions, and Congress is preparing to debate a key part of his cybersecurity plan — a mechanism for companies and government agencies to swap information on computer threats.
But one part of the Obama cybersecurity plan that hasn't attracted much attention is a proposal that many researchers worry will hurt efforts to strengthen American corporate and government cyberdefenses.
The White House unveiled a proposal in January to amend the 1986 Computer Fraud and Abuse Act (CFAA), the federal antihacking law that criminalizes "unauthorized access" — and "exceeding authorized access" — to certain classes of "protected computers" that contain personal, financial, or government information.
As part of its overall plan to get tough on criminal hackers, the administration wants to expand the act so it includes harsher penalties and can be used by prosecutors to go after so-called "insiders" who attempt to profit from their access to secret or confidential data.
Critics have long argued that the law is out of date, overly broad, and has resulted in harsh penalties for seemingly minor computer crimes. It was widely condemned following the 2013 death of Aaron Swartz, the programmer and activist who committed suicide while under indictment for breaking into a computer database at the Massachusetts Institute of Technology. Government prosecutors used the Computer Fraud and Abuse Act to charge Mr. Swartz.
Now that the Obama administration wants to broaden the definition of computer crime and stiffen penalties — such as doubling the maximum penalty from 10 years to 20 years — for existing crimes, some security experts say it will have a chilling effect on research and even criminalize some of the most important and cutting-edge security work happening today.
"It will have a negative impact on computer security if CFAA reform passes," says Dan Guido, founder of security company Trail of Bits and hacker-in-residence at New York University's Polytechnic School of Engineering.
As it's currently written, the CFAA gives a vast amount of leeway to law enforcement and prosecutors, and changes to give them even broader powers may result in overzealous prosecution, says Mr. Guido. If the professionals are afraid of violating the CFAA, they will be less likely to look for bugs in existing software. "Where does that leave us if we have to accept the security of the software we purchase because professionals are afraid of violating CFAA?" he asks.
Even though security researchers worry about the proposed modification of the computer fraud act, they still want the law updated.
Modernizing the act is "incredibly important" because the current law, as written, is broad and ambiguous, says Lance Cottrell, chief scientist at Ntrepid, a maker of security software and hardware. The penalties for minor infractions can be "absurdly severe," he says. For example, using a nickname on Facebook technically violates the social network's terms of service, and could potentially be treated as a felony under the current law.
"While I'm certainly not in favor of the CFAA, the written letter of the law is a minor aspect compared to how that law is put into practice and prosecuted," says Jon Oberheide, cofounder of Duo Security.
The CFAA's main problem is its language, and that's going to be where most of the scrutiny will fall during the latest effort to amend the law, says JJ Thompson, founder of security consulting firm Rook Security.
The basic premise of the CFAA rests on the concept that "unauthorized access" or "exceeding authorized access" to certain classes of "protected computers" would be a crime if the computer contained personal, financial, or government information. The law also says the unauthorized access would be a crime if there is "intent to defraud."
The proposed changes by the White House expand the definition of "exceed authorized access" to include "a purpose that the accesser knows is not authorized by the computer owner" and remove the monetary motive. The proposal said the CFAA would apply if the person acted "willfully."
The language, if Obama's proposal is left intact in the final amendments, would "gut our capability to respond" to data breaches and other security threats, says Mr. Thompson. A lot of the security appliances used by major enterprises, such as those for network monitoring and intrusion prevention systems, access computers, potentially putting them in violation of the law as described in the proposal.
No draft bills or amendments have been submitted in Congress, so it is impossible to tell how different the final language will be. But Thompson has been talking with members of Congress and other security professionals and is fairly upbeat that the actual language will not be as problematic as what was in the initial White House proposal.
Members of Congress are interested in working with the security industry so that the law can work as intended, Thompson argues. To be sure, considering the number of recent Congressional hearings that have featured security professionals, it appears that many members of Congress are making the effort to understand the thorny issues plaguing information security.
But not everyone shares Thompson's optimism. Security advocates and the government already disagree over the law's scope, and even though the amendments are still in early discussion stages, it's likely the changes will focus on giving law enforcement stronger tools to go after what they perceive as unauthorized access.
There is a section of CFAA that covers civil violations, such as breaking the software's end-user license agreement. For many in the bug bounty community, this aspect of the CFAA has always been a little worrisome because researchers looking for flaws in the software they've purchased are breaking the license agreement. Companies that run bug bounty programs realize a prosecutor could go after a researcher they cooperated with, or a researcher may face prison time if the software manufacturer gets angry over the bug reports.
"Angering the wrong person makes it easy to become a victim of a widely interpreted reading of the CFAA," says Guido of Trail of Bits.
Considering that security professionals are frequently viewed as antagonists because they are trying to get companies to acknowledge and fix security problems, retaliatory prosecution is a credible possibility. "Where does that leave us if we have to accept the security of the software we purchase because professionals are afraid of violating the [license agreement]?" Guido asks.
One area that changes to the CFAA could significantly impact is in the education arena, he says.
Basic research and investigation, the kind of skills that students are expected to learn and master, will become significantly more risky to perform if the law's scope becomes broader, Guido says. "How do we expect to train the cybersecurity experts we need if we stifle their ability to learn?"