Samuel Bucholtz, from Casaba Security, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.\n\nHacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. This week CSO is posting the final submissions for the second set of discussions examining security research, security legislation, and the difficult decision of taking researchers to court.\n\nCSO encourages everyone to take part in the Hacked Opinions series. If you have thoughts or suggestions for the third series of Hacked Opinions topics, or want to be included as a participant, feel free to email Steve Ragan directly.\n\nWhat do you think is the biggest misconception lawmakers have when it comes to cybersecurity?\n\nSamuel Bucholtz, co-founder, Casaba Security (SB): Our lawmakers need to realize that cyber security is very distinct from intelligence gathering and law enforcement activities.\n\nWe can see this challenge at the core of the NSA itself. The agency has always been responsible for defending our country\u2019s cyber assets while at the same time gathering intelligence and perhaps playing a more offensive role. This dichotomy has led to the very real, and insoluble internal struggle within it: when a vulnerability is found, do you preserve its secrecy and exploit it for gain or do you warn those you protect and get it fixed to prevent their exposure? New laws should try to address this state of affairs, not extend or even compound it.\n\nWe continue to see this misconception played out in threat intelligence sharing bills, the most recent version of which is the Cybersecurity Information Sharing Act (CISA) which recently passed in the Senate. The confusion is at two levels - first, that cybersecurity should be used in tandem with law enforcement and intelligence gathering to enable, support or reinforce those activities; and, second, that by doing so they won\u2019t jeopardize Americans\u2019 personal privacy and freedoms by giving too much power to the government.\n\nIt\u2019s imperative for Congress to begin seeing cybersecurity in more focused terms - specifically, as a way to protect businesses and critical infrastructure. At the same time, it must also understand the inherent risks in cybersecurity as a potential surveillance tool - and it must do all it can to protect Americans\u2019 personal freedoms and privacy.\n\nIntelligence gathering and law enforcement activities are by their very nature a violation of privacy. We as citizens tolerate this violation because it is supposed to be controlled by a level of due process - namely, judicial review and the issuance of warrants. Cybersecurity activities are executed by private parties with no such judicial review. Thus at a minimum any law enacted should guarantee basic protection of citizens\u2019 privacy. As part of this protection, businesses should never be asked to provide non-anonymized data without a warrant.\n\nWhat advice would you give to lawmakers considering legislation that would impact security research or development?\n\nSB: Too often lawmakers, government regulators and other public officials equate cybersecurity research and development with \u2018weapon-making\u2019 or \u2018cyber arsenals.\u2019 This taints the entire industry and undermines public and government support for this research and the programs (few that they are) that support it. Future legislation needs to properly equate security R&D with the protection of consumer privacy, personal freedoms, business interests and national security.\n\nTreating software as a concrete asset (munitions, trade secrets, etc.) is a losing battle. A good example of this is the current Wassenaar Arrangement, which seeks to restrict intrusion software sales overseas much like traditional military technology. Software is fundamentally an idea that cannot be stopped without some type of thought control. Extending this metaphor, the creation or possession of an idea cannot be outlawed. The only thing that can or should be criminalized is the use of such ideas. A security tester using a \u201cweaponized\u201d piece of software on their own property should be treated the same as a person smoking a cigarette in their own home.\n\nInstead of writing laws that prevent research or threaten those performing the research, lawmakers should focus on enabling the free exchange of ideas without arbitrary restrictions; after all this is what makes science work in all its other forms.\n\nIf you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?\n\nSB: I would draw a big red line through the entire CISA bill as it is currently written (as of October).\n\nThe bill fails, as many attempts at government regulation do, in being too broadly worded and poorly defined to fairly protect the citizens of this country. Cybersecurity professionals spend much of our time finding the loopholes in poorly written software, but it often takes time and effort. It takes no time to find the loopholes in the currently written bill.\n\nNow, given what you've said, why is this one line so important to you?\n\nSB: In my view, CISA, in its current form, represents a serious threat to personal privacy and freedom. It\u2019s a totally misguided piece of legislation - it does very little to balance the needs of national and business security with those of user privacy. It\u2019s heavily tilted in favor of the law enforcement and intelligence communities and leaves consumers out in the cold.\n\nAs the Electronic Frontier Foundation noted in its analysis of the bill back in March: "The public won\u2019t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act."\n\nThis is the type of heavy-handed cybersecurity legislation that we need to avoid, and it\u2019s propagated through Congress\u2019 misunderstanding of what cybersecurity should be used for. CISA is essentially about protecting corporate and intelligence agency interests, not the people\u2019s interests. It shields corporations from prosecution; it essentially makes classified the details of what types of data are being trafficked by corporations and government agencies and how they\u2019re used.\n\nThis law is impenetrable by the courts, it\u2019s exempt from the Freedom of Information Act, and therefore it\u2019s far too powerful and risky to implement. We cannot give the business community, law enforcement and government that much power and control over everyone\u2019s information.\n\nCISA is a great example of why we need a digital Bill of Rights that declares our basic freedoms when it comes to technology, and converts our most basic liberties into language relevant to the digital age.\n\nDo you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?\n\nSB: No, I don\u2019t. Threats don\u2019t work, particularly for the research community. No one has the power any more to stop ideas, to stifle the free flow of information, to prevent people from asking questions or finding new ways to think about things or to solve problems. It is far better for companies and government agencies to work with the research community rather than to antagonize it.\n\nDoing so will only make them a bigger target, and, besides, the research community is doing valuable work that mostly benefits the security of these companies and the US at large.\n\nI think it is reasonable to ask a researcher to delay their announcement and most professionals will do so, but the mistake was made by the company who released the vulnerability in the first place, not the person who discovered it.\n\nIf companies do not want the \u201cembarrassment\u201d then they should spend more resources upfront trying to prevent it from happening. If their processes are so complicated that releasing a fix for their customers takes a long time, then they should reengineer their processes to allow for quicker turnaround.\n\nWhat types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?\n\nSB: Statistics, trending data and anonymized data are all fine things to provide to the government. The government should in turn be collecting and sharing all the data they get with the rest of us. However, cybersecurity activities should be Chinese-firewalled from intelligence gathering activities.