In a rising cacophony from their Twitter feeds and blogs, IT security pros have sounded the alarm about proposed revisions to the Computer Fraud and Abuse Act (CFAA).
Jeremiah Grossman, interim CEO of WhiteHat Security, tweeted on Thursday: “If any InfoSec pro is positive about the new legislative proposal, I've not seen it.”
Earlier in January, the White House published a legislative proposal (PDF) to amend the federal anti-hacking law criticized for being outdated and leading to aggressive prosecution against individuals, like computer programmer and activist Aaron Swartz, who committed suicide in January 2013.
The proposed revisions address various aspects of cyber crime, but notably would raise penalties for circumventing digital access barriers from starting at a misdemeanor to starting as a 3-year felony, according to Orin Kerr, Fred C. Stevenson research professor, George Washington University Law School. Additionally, the revisions address “unauthorized access” and what actions could be counted under that language.
Nate Cardozo, staff attorney, Electronic Frontier Foundation (EFF), explained to SCMagazine.com that the proposed changes also adjust traffic in lists of passwords. Currently, intent of fraud must be present to qualify as a crime. The revisions would switch this out for a ‘wrongfulness' requirement, the meaning of which, Cardozo said, remains unclear.
“This has the security community essentially terrified,” Cardozo said. “The security community is worried that this proposed modification will shut down the academic discourse in the United States."
That scenario "is clearly not what the Obama administration wants," he said. "They want to make the internet a more secure place, but if these modifications to the CFAA go into effect, researchers are going to think twice before publishing.”
Alex Muentz, adjunct professor in the Criminal Justice department at Temple University and consultant at OpenSky Corp., said in an emailed comment to SCMagazine.com that he's heard researchers contemplate about moving abroad to do their work.
“Vulnerabilities will still be found, but there's a strong incentive to sell them on the dark market since that doesn't expose them (researchers) to prosecution,” Muentz said. “Openly reporting vulnerabilities to the public may expose them.”
That fear of prosecution, in particular, has the security community and its advocates worried. Katie Moussouris, chief policy officer, HackerOne, expressed concern in a blog post about how the changes' “expanded language” could hamper vulnerability research and security testing activities, and perhaps, even breach reporting. However, the CFAA, the law under which Swartz was pursued, has always intimidated researchers, she noted.
“Even before these new proposals, the CFAA has had a long-standing chilling effect on security research, particularly affecting online services,” she wrote. “The risk to many well-meaning hackers was often too great to report vulnerabilities they found to organizations because they didn't know whether they would be met with genuine gratitude, grudging acceptance, a cease and desist, or law enforcement kicking in their door.”
Despite the chorus of discontent, the suggested revisions currently remain just that: suggestions. The legislation could gain traction in Congress or it could be set aside, said Gabe Rottman, legislative counsel and policy advisor at the American Civil Liberties Union (ACLU), in an interview with SCMagazine.com
“It's relatively early in this new Congress, and it's unclear how things are going to shake out,” he said. “I don't think anybody really knows what's going to happen; things could start moving really quickly, and we could see movement even in the next month.”
