The President’s CFAA and the disclosure problem

Posted by on January 26, 2015.

Obama’s State of the Union speech gave cybersecurity a prominent position. The problem is the government’s view of security priorities usually puts intelligence agency demands first, military requirements second, business demands third, and the poor bloody user last of all. This speech seems to be little different, although it’s sufficiently vague to be anything you wish to read into it. History would suggest that we read the worst possible interpretation.

There are three primary proposals:

standardized breach notification rules across all States — currently there are 47 States with different rules; so this is a hugely beneficial idea. It will certainly help business, but whether it will be of any benefit to users will depend on the detail. I have my doubts. There will be too many loopholes, too many opportunities to not disclose. And there is always the danger that with business lobbying (just ask the EU about the problems of unifying multiple jurisdictions while under big business pressure) the result will be the lowest common denominator.

information sharing — the idea is to indemnify business against liability if it shares data including personal data with the government. Government, of course, has never been good at sharing information with anyone; and I doubt that this will change anything. It would be more beneficial if government could come up with a better means for businesses to share security information with each other, excluding personal information, excluding government, possibly anonymously, and excluding liability. Those companies happy to share information with government probably already do so.

updating the Computer Fraud and Abuse Act — technically, this is an opportunity to improve the law that drove Aaron Swartz to suicide, allowed Andrew (Weev) Auernheimer to be imprisoned for showing AT&T that it was making Apple customer details available on the web, and indicted Barrett Brown for merely linking to hacked material. But the government’s idea of updating the CFAA and the security industry’s idea are likely to be prison sentences apart. (In all of the above cases it is perfectly clear that the prosecutions served no public benefit whatsoever, and the primary motive is that these three men were a pain in the FBI’s arse.)

It is the CFAA proposals that we shall look at here.

Following the death of Aaron Swartz there have been widespread calls to amend the CFAA to exclude ‘whitehat’ hacking; that is, computer intrusions designed to highlight vulnerabilities but do no harm. The danger in the current White House proposals is that they increase the scope of the Act but do little to protect whitehats.

Jen Ellis, senior director of community and public affairs at Rapid7, has written an excellent analysis. There are two primary problems: a loose definition of what amounts to ‘authorized access’; and the introduction of RICO to the equation. On the first, let’s skip straight to the Ellis conclusion:

This essentially means any research activity a business does not like becomes illegal. And you have to know the organization has banned it. Now while that does create a burden on the organization to state this (in their Terms of Service), it effectively means the end of internet-wide scanning efforts, which can be hugely valuable in identifying threats and understanding the reach and impact of issues.
Will the President’s Cybersecurity Proposal Make Us More Secure?

This conclusion begs a separate question: is whitehat security research of any genuine value? It would appear that the government doesn’t think so. Just about everyone else believes it is.

An academic paper written last year (and discussed by on Thursday) makes this point:

Undisclosed vulnerabilities in publicly and privately deployed software systems are an important contributing factor to potentially highly damaging security incidents… Malicious hackers (i.e., black hats) keep searching for unknown zero-day software vulnerabilities and attempt to derive (monetary) benefit by either exploiting such vulnerabilities to steal data and damage service availability, or even by selling information about such vulnerabilities on black markets…

…Ameliorating this state of affairs, benign hackers (i.e., white hats) hunt for vulnerabilities and may notify important stakeholder organizations directly, or may communicate their findings to public vulnerability disclosure programs (VDPs).

In reality this academic research is not attempting to justify the work of whitehat researchers — it starts from the assumption that it doesn’t require justification. It does, however, comment on the number of companies (Google, Facebook, Mozilla, Microsoft etcetera) that offer rewards for vulnerabilities discovered by these researchers — it is simply more cost-effective and therefore valuable to reward independent whitehat researchers than to pay for their own in-house experts.

Only the government seems to disagree. In fact, not only is it seeking to make such research more difficult, it is dramatically toughening its sanctions. Typical is the introduction of the Racketeer Influenced and Corrupt Organizations Act (RICO) into the equation. RICO was originally designed to help take down mafia gangs by making ‘enterprise’ leaders liable for the crimes of their foot soldiers.

Now the stated intent is to make it as easy to take down cyber gangs as it was to take down mafia gangs in the late 20th century. The problem, as we have seen, is the CFAA is unlikely to differentiate between blackhats (and their criminal gang masters) and whitehats (and, in some instances, their company management). As Jen Ellis comments,

For a more specific example, let’s consider Metasploit, which is an open source penetration testing framework designed to enable organizations to test their security against attacks they may experience in the wild. Rapid7 runs Metasploit, so if a Metasploit module is used in a crime, would that make the leadership of Rapid7, a party to that crime? Would other Metasploit contributors also be implicated? This concern is just as valid for any other open source security tool.

Larry Page: terrorist?

Let’s take that one stage further. Google recently published details of a Microsoft flaw two days before Microsoft fixed it. In reality it was just a childish squabble between a pair of overgrown children. If Microsoft could fix the flaw in 92 days, there is no way it couldn’t have done so within the 90 day limit given by Google. But that’s not the point. Technically, if a criminal gang had taken the details published by Google and made successful cyber attacks within the two days before it was fixed, would that make Larry Page guilty of cybercrime under the RICO aspect of the CFAA? Frankly, if these proposals go ahead, I don’t see why not.

And now let’s take it one step even further. If the FBI/NSA/DHS/CIA ‘prove’ that terrorists are communicating via Google Mail encryption, will that make Larry Page a terrorist? A good argument perhaps for all of these wayward tech companies currently introducing PATRIOT-proof encryption to quietly back off…
