
Why security pros don't like Obama's proposal for antihacking law

The tech community has long called for reforming the 1986 Computer Fraud and Abuse Act for its overly broad language. But now many worry a White House plan to toughen the law will have a chilling effect on work to expose software weaknesses.

Attendees of the 2014 Black Hat security conference in Las Vegas listened to keynote speaker Dan Geer, a longtime cybersecurity professional.

Reuters/File

April 6, 2015

Ever since the Sony Pictures hack last year, the White House has sharpened its focus on cybersecurity. President Obama has penned two executive orders meant to confront digital intrusions, and Congress is preparing to debate a key part of his cybersecurity plan – a mechanism for companies and government agencies to swap information on computer threats.

But one part of the Obama cybersecurity plan that hasn't attracted much attention is a proposal that many researchers worry will hurt efforts to strengthen American corporate and government cyberdefenses.

The White House unveiled a proposal in January to amend the 1986 Computer Fraud and Abuse Act (CFAA), the federal antihacking law that criminalizes "unauthorized access" – and "exceeding authorized access" – to certain classes of "protected computers" that contain personal, financial, or government information.


As part of its overall plan to get tough on criminal hackers, the administration wants to expand the act so it includes harsher penalties and can be used by prosecutors to go after so-called "insiders" who attempt to profit from their access to secret or confidential data.

Critics have long argued that the law is out of date, overly broad, and has resulted in harsh penalties for seemingly minor computer crimes. It was widely condemned following the 2013 death of Aaron Swartz, the programmer and activist who committed suicide while under indictment for downloading millions of academic journal articles from the JSTOR database through the Massachusetts Institute of Technology's network. Government prosecutors used the Computer Fraud and Abuse Act to charge Mr. Swartz.

Now that the Obama administration wants to broaden the definition of computer crime and stiffen penalties – such as doubling the maximum penalty from 10 years to 20 years – for existing crimes, some security experts say it will have a chilling effect on research and even criminalize some of the most important and cutting edge security work happening today.

"It will have a negative impact on computer security if CFAA reform passes," says Dan Guido, founder of security company Trail of Bits and hacker-in-residence at New York University's Polytechnic School of Engineering.

As it's currently written, the CFAA gives a vast amount of leeway to law enforcement and prosecutors, and changes to give them even broader powers may result in overzealous prosecution, says Mr. Guido. If the professionals are afraid of violating the CFAA, they will be less likely to look for bugs in existing software. "Where does that leave us if we have to accept the security of the software we purchase because professionals are afraid of violating CFAA?" he asks.


Even though security researchers worry about the proposed modification of the computer fraud act, they still want the law updated.

Modernizing the act is "incredibly important" because the current law, as written, is broad and ambiguous, says Lance Cottrell, chief scientist at Ntrepid, a maker of security software and hardware. The penalties for minor infractions can be "absurdly severe," he says. For example, using a nickname on Facebook technically violates the social network's terms of service, and could potentially be treated as a felony under the current law.

"While I'm certainly not in favor of the CFAA, the written letter of the law is a minor aspect compared to how that law is put into practice and prosecuted," says Jon Oberheide, cofounder of Duo Security.

The CFAA's main problem is its language, and that's going to be where most of the scrutiny will fall during the latest effort to amend the law, says JJ Thompson, founder of security consulting firm Rook Security.

The basic premise of the CFAA rests on the concept that "unauthorized access" or "exceeding authorized access" to certain classes of "protected computers" would be a crime if the computer contained personal, financial, or government information. The law also says the unauthorized access would be a crime if there is "intent to defraud."

The proposed changes by the White House would expand the definition of "exceeds authorized access" to include access for "a purpose that the accesser knows is not authorized by the computer owner" and remove the monetary motive. The proposal said the CFAA would apply if the person acted "willfully."

The language, if Obama's proposal is left intact in the final amendments, would "gut our capability to respond" to data breaches and other security threats, says Mr. Thompson. A lot of the security appliances used by major enterprises, such as those for network monitoring and intrusion prevention systems, access computers, potentially putting them in violation of the law as described in the proposal.

No draft bills or amendments have been submitted in Congress, so it is impossible to tell how different the final language will be. But Thompson has been talking with members of Congress and other security professionals and is fairly upbeat that the actual language will not be as problematic as what was in the initial White House proposal.

Members of Congress are interested in working with the security industry so that the law can work as intended, Thompson argues. To be sure, considering the number of recent Congressional hearings that have featured security professionals, it appears that many members of Congress are making the effort to understand the thorny issues plaguing information security.

But not everyone shares Thompson's optimism. Security advocates and the government already disagree over the law's scope, and even though the amendments are still in early discussion stages, it's likely the changes will focus on giving law enforcement stronger tools to go after what they perceive as unauthorized access.

There is a section of the CFAA that covers civil violations, such as breaking a software product's end-user license agreement. For many in the bug bounty community, this aspect of the CFAA has always been a little worrisome, because researchers looking for flaws in software they've purchased are often breaking the license agreement to do so. Companies that run bug bounty programs realize a prosecutor could go after a researcher they cooperated with, or a researcher may face prison time if the software manufacturer gets angry over the bug reports.

"Angering the wrong person makes it easy to become a victim of a widely interpreted reading of the CFAA," says Guido of Trail of Bits.

Considering that security professionals are frequently viewed as antagonists because they are trying to get companies to acknowledge and fix security problems, retaliatory prosecution is a credible possibility. "Where does that leave us if we have to accept the security of the software we purchase because professionals are afraid of violating the [license agreement]?" Guido asks.

One area where changes to the CFAA could have a significant impact is education, he says.

Basic research and investigation, the kind of skills that students are expected to learn and master, will become significantly riskier to perform if the law's scope becomes broader, Guido says. "How do we expect to train the cybersecurity experts we need if we stifle their ability to learn?"
