Last night President Obama devoted more time to cybersecurity than any other president has in a State of the Union address. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many within the security community believe that the president's proposed cybersecurity legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.
"Obama's recommended cybersecurity legislation will do absolutely nothing to stop the hackers we're concerned about or protect any of the companies who were victimized. It certainly won't protect 'the children,'" says Jeremiah Grossman, founder of WhiteHat Security. "What the proposed legislation would do is criminalize professional routine security research that’s been crucial in protecting companies and citizens at large. This outcome would be disastrous."
Of particular concern is the proposal to update the Computer Fraud and Abuse Act (CFAA). Some of the proposed "modernizations" include expanding the definition of "exceeding authorized access" to cover any access that is itself authorized but made for a "purpose that the accesser knows is not authorized by the computer owner," a new definition ripe for broad misinterpretation by the courts.
"If passed, it will have a broad chilling effect on security researchers while the courts sort out the definition," says Jonathan Cran, vice president of operations at the bug bounty program firm Bugcrowd. "Disclosure policies and bug bounties provide a form of safe harbor for researchers, and we'd encourage organizations that want to continue engaging the research community in the face of the CFAA to start a disclosure program."
But the CFAA changes aren't the only ones proposed. Additional proposed changes would add hacking offenses to the laws covering racketeering and organized crime, potentially bringing the heavy hand of the law down even on people who merely associate with hackers.
"Hanging out in an IRC chat room giving advice to people now makes you a member of a 'criminal enterprise', allowing the FBI to sweep in and confiscate all your assets without charging you with a crime," explained Rob Graham of Errata Security in a blog post on the topic.
Meanwhile, another change to existing law around "computer and cell phone spying devices" would make it unlawful to manufacture, distribute, possess or advertise "electronic communication intercepting devices."
"This is good in intent, but will negatively affect positive cyber security outcomes by limiting the tool set that the good guys can use to detect and respond to attacks from bad guys as 'wire or electronic communication intercepting devices' are standard tools that are used in all global 500 organizations today," says J.J. Thompson, CEO of Rook Security.
Thompson says it is clear that the proposed law changes were drafted without much input from the security industry. He wants to foster better collaboration between politicians and the industry through a cyber law rewrite hosted on GitHub.
For his part, Grossman believes that if the government is going to dedicate more resources to cybersecurity, it would be better off helping the industry shore up weak software and train a cadre of security professionals.
"A better idea would be for the federal government to allocate budget dollars to perform software security audits on key commercial and open source software that the country relies upon," he says. "Additionally, allocating dollars toward professional cybersecurity education as a vocation would give us the talent needed to execute these goals. Policies that protect real cybersecurity research and promote education would dramatically improve our defenses against cyberattacks."