Experts speak out about proposed changes to hacking law

The proposed changes to the CFAA are a mixed bag of potential problems

Page 2 of 2

Salted Hash spoke to some experts about the changes, including those referenced by Kerr and Graham.

How will the law impact security researchers and professional (non-criminal) hackers, the ones who helped identify Heartbleed and Shellshock, the hackers who discover serious information disclosure issues and report them to be fixed (such as those on

Lance Cottrell, chief scientist at Ntrepid, agreed with Graham somewhat, saying that the proposed changes to the CFAA are "both too harsh on minor infractions and difficult to apply to many real crimes."

"Updates are desperately needed, but it is not clear that these proposed changes really address the issue. It is important that things like lying about your age (other than for fraud), which are common offline, should not become criminal just because they are done online."

Dr. Mike Lloyd, CTO at RedSeal, said that all security professionals agree that the threats described by the President are real, serious, and require a strong response, but since those responses are likely to be laws, we can expect some ugliness in them.

However, he added, "this doesn't justify the extreme predictions of some commentators, implying that even clicking a link could bring the full weight of RICO down on otherwise innocent citizens."

"From the point of view of researchers and white hats, one particular part of the President's proposal is a case of this - a fix for an old problem of poorly phrased law. The original Computer Fraud and Abuse Act contains some disturbingly vague wording - in essence that any "access" to a protected computer that involved "information" was criminal," Lloyd said.

"But as a researcher, what is "access," and what is "information"? Suppose a well-intentioned researcher wants to render a public service by checking, say, how many machines connected to the Internet have the Heartbleed vulnerability. To do this, they must scan remote machines, but legally speaking, it seems this constituted "information" if taken from a computer that belongs to the US government.

"How could a researcher even tell that a machine was legally protected? It left many research projects in an uncomfortable grey area - not likely to be prosecuted, but also not clearly legal. This is a good example of poorly written law, which overlooked important technical considerations - how can you check the health of a computer without taking "information" from it?

"The President's proposal moves to fix exactly this gap, by redefining what we mean by inappropriate access - the information must have a financial value over $5,000. We can expect that the new laws will have similar flaws, and will need similar fixes. The good news, for researchers and white hats, is that some old issues are also being addressed."

Adam Kujawa, head of Malware Intelligence at Malwarebytes, argued that the onus really needs to be on the organizations that collect, store and use personal data, rather than on penalizing people who access that data once it is in the public domain. Such organizations, he said, need to do more to ensure they have everything in place to protect that data, and legislation should focus on enforcing this.

"These proposed laws don't really do anything to prevent breaches or cyber-crime but merely punish those who aren't skilled enough to hide their activity while living in the U.S. These proposed laws also won't touch hackers in Eastern Europe and other countries with softer cybercrime legislation. Domestic hackers with a relatively low level of skill can also anonymize their actions to make it difficult for law enforcement," Kujawa said.

"The best way, as always, to protect the data of users is to beef up security. If you house customer data, you should do as much as possible to protect this. Breaches are not done by script kiddies on their parents' computers now, they are done by seriously talented crime organizations with intent and skill - an invisible adversary that is difficult to fight against, which makes the best course of action an investment in protection rather than trying to fight shadows."

As things currently stand, what has been released to the public is a proposal and not the final product. But I'd like to hear your opinions. Feel free to leave a comment below, or if you're in Washington D.C. this weekend, find me at ShmooCon and share them in person on or off the record.

Copyright © 2015 IDG Communications, Inc.
