In November, as Central Intelligence Agency Director John Brennan prepared his remarks for the Global Security Forum, he knew he would revise the speech that he had practiced days earlier.
The event, organized by the Center for Strategic and International Studies, a Washington, D.C.-based think tank, would be attended by academics, security professionals and policymakers. It was just three days after the Paris terror attacks that left more than 130 dead.
Toward the end of his presentation, he bluntly told the audience, “Congress over the past few years has tried, so far without success, to pass laws addressing the need for comprehensive cyber policy, especially on information sharing. The fact is, 20th century laws cannot effectively deal with 21st century threats.”
Brennan’s comments point to an interesting question, and certainly one that applies not only to information sharing, as he implied, but to many broader aspects of cybersecurity policy. Is it even possible for legislative developments to keep up with the rate of innovation among hackers?
It is worth asking? Even if legislators passed all of the laws being proposed to stymie cyberthreats from hackers and criminal groups, would hackers simply innovate around the new legislation and continue undeterred?
When discussing ineffective and outdated legislation, the starting point is the Computer Fraud and Abuse Act (CFAA). For the past 20 years, the CFAA has been the primary legislation used to prosecute hacking and related offenses. The federal legislation was enacted in 1986 as an amendment to an earlier computer fraud law that was part of the Comprehensive Crime Control Act of 1984 – before commercial email was available for the general public and prior to the advent of text messaging and downloadable applications.
While the original intent of 18 U.S.C. 1030, the federal law from which CFAA emerged, was to include cases “with a compelling federal interest,” its scope has progressively broadened to include nearly any crime that involves a computer, even as penalties and statutes that define punishments according to monetary damages remain fixed.
The minimum threshold that relegates a CFAA-related offense as a felony has not increased from its original value of $5,000 in damages, says Tor Ekeland, a New York-based defense attorney whose practice represents defendants in high profile computer law cases in federal courts.
Critics say the CFAA‘s overly broad scope, a legislative culture of fear, plus a poor understanding of the cyber issues among legislators, has led to an overreaching legal environment. Prosecutors target nearly any computer crime under the federal legislation, with outsized punishments including 25-year sentences for felonies.
“If they had been prosecuting computer crimes in the 70s the way they are now, Steve Jobs and Bill Gates would be in jail,” says Ekeland.
“There are routine aspects of system administrators’ jobs that are felonies,” he says, adding that he believes legislation and judges deciding cyber cases need to get more input from all sides of the debate. This would include researchers, security professionals and activists – not only those who are inclined by their professional allegiances to advocate for a defensive posture.
Criminals don’t follow the law
Alex Heid, chief research officer at SecurityScorecard, a New York-based firm whose mission is to empower organizations with collaborative security intelligence, says legislators should focus less on outlawing specific cyber activities and devote more on defining the intentions of the individual.
Attempts to prevent hacking primarily through legislation tend to overlook the fact that criminals, by definition, do not follow the law. As a result, legislative developments affect researchers and security professionals more than the intended targets, says Heid.
This point would be easy to dismiss. Governments, of course, are tasked with creating laws to advance the well-being of the societies they serve. To abandon this task, of course, would lead to anarchy. And yet, legislation – especially edicts that penalizes hackers – is one the least effective tools in the struggle for information security.
That is owing to the fact that the most profound attacks are often executed by offshore actors and nation-state-sponsored hackers, especially from countries that don’t have extradition treaties with the U.S.
For a sense of the scope of the problem, last year the U.S. Senate Armed Services Committee released a report detailing the successes of Chinese hackers who were able to penetrate the networks of 50 government contractors and steal sensitive information. The report, “Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors,” showed that in all but two of the breaches, the U.S. Transportation Command (TRANSCOM) – which provides air, land and sea transportation for the Department of Defense – was not made aware of the breaches.
Further, it takes an enormous amount of resources to catch a cybercriminal. When prosecutors do achieve a conviction, the convicted “hacker” is often a low-level miscreant, not the well-organized hacking group that authorities would have preferred to catch.
For example, Matthew Keys, a former Reuters journalist, provided login information to the hacktivist group Anonymous that enabled it to hack into the website of the Los Angeles Times and alter information. Keys was a former employee who seemed to harbor a grudge against the parent company of the former employer that fired him months earlier.
Certainly, he possessed few or none of the coding skills one typically associates with hackers. However, he was convicted of conspiracy to make unauthorized changes to the website, transmitting malicious code and attempted transmission of malicious code. Meanwhile, the hacker who used the login information that Keys provided to make changes to the Times’ website – a hacker who goes by “Sharpie” – was not prosecuted.
The limitations of legislation are clear. But what are the alternatives? To start, balancing incentives is a goal that has been underutilized for too long, say experts. Underfunded and understaffed information security professionals face constant resistance from C-suite management reluctant to invest in the necessary tools. How might this dynamic be different if corporations were incentivized by the specter of civil liability to strengthen their information security efforts?
Ekeland believes it should be a felony to store personally identifying information that is not password protected, but one need not advocate this approach to expect a shift in the dynamic. Currently, corporate boards have little incentive other than reputational factors, to invest heavily in much-needed information security solutions.
In November, Moody’s announced plans to weigh cyber risks as part of corporate credit ratings. Mike Buratowski, VP of cybersecurity services at Fidelis Cybersecurity, a Boston-based firm that equips organizations to detect, investigate and stop advanced cyberattacks, says the decision is another factor that will incentivize boards of director to invest in cybersecurity. “They are trying to meet that nebulous web of cybersecurity due diligence – and it’s hard to quantify,” says.
Might this eventually be followed by efforts from regulatory agencies to enforce cyber best practices? The tech sector has been intentionally under-regulated, in part because it has been a chief driver of the U.S. economy. “No one wants to be blamed for hampering innovation,” says Karl Rauscher (left), strategic advisory board chairman at Sonavation, a Palm Beach Gardens, Fla.-based company that designs and manufactures tools for secure authentication, including biometric fingerprint sensors. He also is chief architect of cyberspace policy at the Institute of Electrical and Electronics Engineers (IEEE).
In the same way that a focus on punitive legislation has its limitations, regulatory requirements alone will not solve cyber problems. Through cooperation, Rauscher says, individuals can create solutions to the problems that we create.
“I think the key is in the people,” he says.