Proposed US legal reforms could chill security sector
The Obama administration has proposed new cybersecurity legislation that critics fear would create a chilling effect for white-hat security researchers.
The proposed reforms include new provisions for information sharing between authorities, updates to America’s Computer Fraud and Abuse Act (CFAA), and a national standard for data breach notifications.
Advocacy group the Electronic Frontier Foundation has opposed all three Bills, stating that they are all recycled versions of Bills that have failed to pass since 2011.
Similar to the now-defeated Cyber Intelligence Sharing and Protection Act (CISPA), the proposed information sharing Bill “grants broad legal immunity for transmitting ‘cyber threat indicators’ - which could include [citizens’] communications - to the Department of Homeland Security (DHS) and private sector information sharing hubs,” the EFF said.
Freedom of the Press Foundation’s Trevor Timm meanwhile wrote in the Guardian that the proposed information sharing reforms are “just a thinly-veiled way to siphon off more of Americans’ private data without court oversight”.
The proposed reforms to the CFAA would drastically increase the penalties under the law. The CFAA was controversially used to prosecute Aaron Swartz for using the MIT campus network to download millions of journal articles from an academic database in 2011. Facing criminal charges that could have resulted in up to 35 years’ jail time, Swartz committed suicide.
“It’s shocking in light of the Aaron Swartz prosecution that the Administration is proposing to double, and in one case triple, the already draconian and redundant penalties under the CFAA,” the EFF said. The proposed reform would also remove the requirement for an “intent to defraud”, meaning an act as simple as sharing a password to a subscription service with a friend could be prosecuted with up to 10 years’ jail time.
Another proposed change would expand the definition of “exceeding authorised access” to cover any access that the person knows the owner has not authorised. Both changes could have a chilling effect on the cybersecurity community, the EFF warned.
“The password clause expands the provision from criminalizing sharing passwords to sharing other ‘means of access’, while ‘having reason to know’ it might be misused. Second, the expansion of the definition may impact researchers who commonly scan public websites to detect potential vulnerabilities. These researchers should not have to face a felony charge if a prosecutor thinks they should have known the site prohibited scanning.”
ErrataSec security researcher Rob Graham has likewise called the proposed Bill “Obama’s war on hackers”. He stated that the proposed law would upgrade hacking to a “racketeering” offense and drastically increase hacking prosecutions of innocent people.
“Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals,” he said.
The Obama administration’s proposal would also introduce a national standard for disclosing data breaches, requiring companies that handle the information of 10,000 or more customers to give notice of a breach within 30 days.
According to the EFF, many states already have breach notification laws, and the Obama administration’s proposal would supersede those laws even where the state law offers stronger protections.
But CipherCloud chief trust officer Bob West welcomed efforts by the administration to better align its privacy legislation with the rest of the world.
“We’re long overdue for more substantive legislation and the President’s proposals move us farther down the road,” he said. “This is a matter of both principle and practicality. Businesses function in a global environment, so the closer our laws are aligned with those in the rest of the world, the fewer cycles will be expended by companies. Collectively, these proposals signal we’re taking privacy more seriously.”