Saturday, January 17, 2015

Criminalizing Modern Security Research

My high school physics teacher quietly taught me that all locks have vulnerabilities. He was an “amateur locksmith,” and while I never learned exactly how to pick a lock from him, he explained enough about how locks work that I figured it out. I took this skill to college where, with other like-minded individuals, I became a minor part of a community of students called hackers. With our skills, we were free to roam just about anywhere. My favorite destination was the roofs of various campus buildings. It was a liberating experience.

If I had caused physical harm or damage as part of our “hacker” activities, who would be to blame? Under the proposed updates to the law, you might very well hold my high school physics teacher partially responsible for helping me understand the vulnerabilities in standard locks, how I could massage the internal tumblers of a lock until I found the correct sequence that would allow me to turn the cylinder and disengage the lock. When translated to cybersecurity, that same teacher, indeed any security researcher, could face 20 years in prison for disclosing a technology vulnerability under the changes that President Obama is proposing to cybersecurity law.

Rob Graham, a respected cybersecurity industry insider, argues that the proposal amounts to a new war against hackers. Graham correctly notes how security researchers, by conducting activities that look like malicious hacking, can run afoul of the law. He also explains why the law will be about as effective as the War on Drugs, which is to say, not at all. Kevin Poulsen, a former hacker, further opines about the proposed increased punishment and the constraints the new law would place on building and distributing software commonly used by security professionals and hackers alike. Rather than repeat those insights, I will focus on the changes proposed to one key paragraph of the law most commonly associated with cybersecurity, the already controversial Title 18 of the United States Criminal Code, section 1030 - Fraud and Related Activity in Connection with Computers (18 USC 1030).

Originally implemented as part of the Computer Fraud and Abuse Act (CFAA) enacted by the US Congress in 1986, and updated on several occasions, including as part of the U.S. Patriot Act in 2002 and more recently in 2008 as part of the Identity Theft Enforcement and Restitution Act, 18 USC 1030 is the same statute used to prosecute Aaron Swartz and countless other hackers. In response to the hacks against Sony, attacks that the FBI has already attributed to international miscreants outside the reach of US law, the White House has proposed a new update.

In the update, the White House proposes that Congress modify paragraph 1030(a)(6) so that the statute applies to “whoever”:
Knowingly and willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking.

Note that I’ve highlighted the changes in bold.

The first proposed change, the added word “willfully,” replaces the relatively clear phrase, “with intent to defraud.” Later, the proposal adds paragraph 1030(e)(13), which states:
The term “willfully” means intentionally to undertake an act that the person knows to be wrongful.

Such a change makes the statute much more vague and subjective. In criminal proceedings, the Federal prosecutor bears the burden of proving that an alleged perpetrator falls under the statutory criminal definition. “Intent to defraud” has a very specific application, one in which the prosecutor must prove that the defendant intended to cause harm. The proposed “intent to do wrong” qualification significantly broadens the statute’s applicability to some more subjective measure of “wrongness.” When a child who keeps trying to access his father’s Xbox Live account finds a vulnerability that gives him access, he has certainly done something “wrong”: he was trying to defeat an electronic mechanism that was implemented to prevent his access. A prosecutor could argue that the child’s actions meet the legal definition proposed in 1030(e)(13). It may be a ridiculous argument to make against a 5 year old, but what about a 16 year old? It’s that subjectivity that makes the proposal suspect.

Whereas the current law explicitly refers to the sharing of access credentials, “passwords” in paragraph 1030(a)(6), the second proposed change substantially expands the definition of what warrants protection. By adding the phrase “or any other means of access,” the proposal changes how the statute applies by including any vulnerability, method, or mechanism that someone may use to access a target system, which covers just about anything that can be exploited to gain access.

While the proposed expanded subjectivity and breadth are reason enough to be wary, it’s the elimination of current constraints on the statute’s applicability that is most worrisome. Embedded in the final clause of paragraph 1030(a)(6) is the phrase “knowing or having reason to know.” Security research, both academic and commercial, naturally results in the discovery of technical vulnerabilities that, when exploited, can cause harm. When researchers disclose their findings, they do so to extend the state of the art in protecting systems, educating each other so that they may do more good as a community. Doing otherwise, essentially reinforcing a “security-by-obscurity” practice that has been proven to fail, is detrimental to our collective cyber defensive posture. In disclosing a vulnerability, security researchers acknowledge the high likelihood that hackers will exploit the vulnerability before every affected system can be fixed, thereby meeting the proposed “having reason to know” criterion.

The result is that the proposed changes to 18 USC 1030 will force security researchers to conduct their work under the constant threat of persecution. As a normal function of their positions, researchers “willfully” traffic in vulnerabilities disclosed on social media, in papers, or at conferences, and each disclosure comes with an understanding that some miscreant could misuse it to cause harm. That will have a chilling effect on the entire security industry, as organizations will likely censor security research to limit their legal exposure.

Rather than proceed with a reactionary approach to the very real security challenges that we face by making unwarranted changes to 18 USC 1030, the US government should take a more proactive approach to cybersecurity. That begins with funding research focused on developing new tools and techniques that help individuals and organizations detect and better defend against emerging cyber threats. It includes diplomacy and conducting offensive cyber operations against foreign foes actively targeting domestic financial and state assets. Furthermore, it includes recruiting the same domestic hackers and security researchers that the proposed changes to 18 USC 1030 would criminalize.