In the cybersecurity world, the law doesn’t always treat the good guys like good guys.
As Harley Geiger put it in a talk titled, “Fighting for Legal Protection for Security Researchers” at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, “doesn’t seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm.”
Yet laws at both the federal and state level, “tend to undermine that,” he said.
Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.
The good news, he said, is that things are improving, although the improvement is slow in coming.
Section 1201 of the DMCA, passed in 1998, “forbids unlocking software without the consent of the manufacturer,” Geiger said, “and controls access to protected work without the consent of the copyright owner.”
The intent of the law was to prevent music and movie piracy, but it has also cast a legal cloud over researchers’ efforts to reveal and/or repair security flaws that could be exploited by criminals.
That cloud has finally been lifted. “After years of lawyerly discussion, the changes went into effect just this past weekend,” Geiger said.
The amendment does come with a number of caveats, he said, including:
- The research has to be for security purposes only.
- The exemption covers consumer devices, voting machines, medical devices, but not things like critical infrastructure, airplanes and major hospital equipment.
- The product being investigated has to have been lawfully acquired.
- The research has to be done in a safe environment so techniques used to hack or otherwise compromise a product are not released in the wild.
- The research cannot violate other laws.
- It is temporary – only lasting two years.
“So we are petitioning the Copyright Office to make it permanent,” Geiger said.
The CFAA is even older – passed in 1986 – and while it was “visionary” at the time, “its age is showing,” Geiger said, contending that its prohibition on unauthorized access to proprietary software, “sweeps up both consumers and researchers.”
The law’s intent is to prevent people from accessing data they don’t own and hacking into computers they don’t own. “We don’t think that should go away,” Geiger said, “but it should be modernized.”
While there have not been changes to the law yet, “the good news is that there is agreement that something needs to be done,” he said.
He added that legislation more friendly to legitimate research might be quicker in coming if the relationship improves between white-hat hackers and the owners of the products they investigate.
“We urge companies to adopt internal policies for accepting friendly information from researchers,” he said. “There’s no downside to having a plan for dealing with vulnerabilities.”
But he said the research community needs to be flexible as well. The policy at Rapid7, he said, is to notify the vendor of a vulnerability first, wait 15 days before notifying US CERT (Computer Emergency Readiness Team) and then another 45 days before making it public.
He said public pressure from the security community needs to be specific about what the flaws are, and propose solutions. But he said even more important is that researchers, “be responsible.”
Making a flaw public before even notifying the vendor, he said, is a sure way to undermine any move to provide legal protection for researchers.
“There will be a backlash in policy land,” he said, “and that could lead to more restrictions.”