Experts speak out about proposed changes to hacking law

President Obama is proposing changes to the Computer Fraud and Abuse Act (CFAA), but will they do more harm than good?

Experts are starting to weigh in on the topic, and the reviews so far are mixed. On one side, the administration has made some concessions, which are useful. Yet, some of the punishments are overly severe and the wording in the proposal is vague in parts.

In his State of the Union address next week, President Obama is going to propose changes to the Computer Fraud and Abuse Act (CFAA). However, some aspects of the proposal have left security experts puzzled.

On Tuesday, President Obama said that his administration wanted “cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime.”

Case in point, the proposed changes to the CFAA increases the maximum five-year penalty to 10 years for pure hacking acts, such as circumventing a technological control (e.g. bypassing a firewall or other access control barrier).

Moreover, the proposed changes expanded on the vague definition of “exceeds authorized access” to include a hackers that accessed information “for a purpose that the accesser knows is not authorized by the computer owner.”

CFAA expert, Orin Kerr, said in a review of the law’s proposed changes, that his views were somewhat mixed, but that he was skeptical of the changes on the whole.

“On the downside, the proposal would make some punishments too severe, and it could expand liability in some undesirable ways. On the upside, there are some notable compromises in the Administration’s position. They’re giving up more than they would have a few years ago, and there are some promising ideas in there,” he wrote.

“If the House or Senate Judiciary Committees decides to work with this proposal, there’s room for a more promising approach if some language gets much-needed attention. On the other hand, if Congress does nothing with this proposal and just sits on it, letting the courts struggle with the current language, that wouldn’t necessarily be a bad thing.”

Soon after the proposed alterations were made public, Errata Security’s Robert Graham, pointed out that – based on his reading of the proposal – the changes to the CFAA would make accessing, or sharing links, to information that one knows to be restricted illegal. In an example, he created a fake link to employee information on the New York Times website.

Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://t.co/1dLdUXG2tT

— Rob Graham (@ErrataRob) January 14, 2015

“In next week’s State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above link illegal. The new laws make it a felony to intentionally access unauthorized information even if it’s been posted to a public website. The new laws make it a felony to traffic in information like passwords, where “trafficking” includes posting a link,” Graham wrote.

Even more, he noted, the proposal also wants to include criminal hacking into the RICO statute, making it a racketeering offence. This, Graham said means that someone could be guilty of being a hacker simply by acting like one.

“Hanging out in an IRC chat room giving advice to people now makes you a member of a ‘criminal enterprise’ allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.”

“Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem. Most hacking is international and anonymous. They can’t catch the perpetrators no matter how much they criminalize the activities,” Graham concluded.

Salted Hash spoke to some experts about the changes, including those referenced by Kerr and Graham.

How will the law impact security researchers and professional (non-criminal) hackers, the ones who helped identify Heartbleed and Shellshock, the hackers who discover serious information disclosure issues and report them to be fixed (such as those on HealthCare.gov)?

Lance Cottrell, chief scientist at Ntrepid, agreed with Graham somewhat, saying that the proposed changes to the CFAA are “both too harsh on minor infractions and is difficult to apply to many real crimes.”

“Updates are desperately needed, but it is not clear that these proposed changes really address the issue. It is important that things like lying about your age (other than for fraud), which are common offline should not become criminal just because they are done online.”

Dr. Mike Lloyd, CTO at RedSeal, said that all security professionals agree that the threats described by the President are real, serious, and require a strong response, but since those responses are likely to be laws, we can expect some ugliness in them.

However, he added, “this doesn’t justify the extreme predictions of some commentators, implying that even clicking a link could bring the full weight of RICO down on otherwise innocent citizens.”

“From the point of view of researchers and white hats, one particular part of the President’s proposal is a case of this – a fix for an old problem of poorly phrased law. The original Computer Fraud and Abuse Act contains some disturbingly vague wording – in essence that any “access” to a protected computer that involved “information” was criminal,” Lloyd said.

“But as a researcher, what is “access,” and what is “information”? Suppose a well-intentioned researcher wants to render a public service by checking, say, how many machines connected to the Internet have the Heartbleed vulnerability. To do this, they must scan remote machines, but legally speaking, it seems this constituted “information” if taken from a computer that belongs to the US government.

“How could a researcher even tell that a machine was legally protected? It left many research projects in uncomfortable grey area – not likely to be prosecuted, but also not clearly legal. This is a good example of poorly written law, which overlooked important technical considerations – how can you check the health of a computer without taking “information” from it?

“The President’s proposal moves to fix exactly this gap, by redefining what we mean by inappropriate access – the information must have a financial value over $5,000. We can expect that the new laws will have similar flaws, and will need similar fixes. The good news, for researchers and white hats, is that some old issues are also being addressed.”

Suggesting that the onus really needs to be on the organizations that collect, store and use personal data, as opposed to focusing on penalizing people who access this data once it is in the public domain, Adam Kujawa, the head of Malware Intelligence at Malwarebytes, said that such organizations need to do more to ensure they’ve got everything in place to protect such data, and legislation should focus on enforcing this.

“These proposed laws don’t really do anything to prevent breaches or cyber-crime but merely punish those who aren’t skilled enough to hide their activity while living in the U.S. These proposed laws also won’t touch hackers in Eastern Europe and other countries with softer cybercrime legislation. Domestic hackers with a relatively low level of skill can also anonymize their actions to make it difficult for law enforcement,” Kujawa said.

“The best way, as always, to protect the data of users is to beef up security. If you house customer data, you should do as much as possible to protect this. Breaches are not done by script kiddies on their parent’s computers now, they are done by seriously talented crime organizations with intent and skill – an invisible adversary that is difficult to fight against which makes the best course of action an investment in protection rather than trying to fight shadows.”

As things stand current, what has been released to the public is a proposal and not the final product. But I’d like to hear your opinions. Feel free to leave a comment below, or if you’re in Washington D.C. this weekend, find me at ShmooCon and share them in person on or off the record.