In the cybersecurity world, the law doesn’t always treat the good guys like good guys.
As Harley Geiger put it in a talk titled, “Fighting for Legal Protection for Security Researchers” at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, “doesn’t seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm.”
Yet laws at both the federal and state level, “tend to undermine that,” he said.
Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.
The good news, he said, is that things are improving, although change is slow in coming.
Section 1201 of the DMCA, passed in 1998, “forbids unlocking software without the consent of the manufacturer,” Geiger said, “and controls access to protected work without the consent of the copyright owner.”
The intent of the law was to prevent music and movie piracy, but it has also cast a legal cloud over researchers’ efforts to reveal and/or repair security flaws that could be exploited by criminals.
That cloud has finally been lifted. “After years of lawyerly discussion, the changes went into effect just this past weekend,” Geiger said.
The amendment does come with a number of caveats, he said, including:
- The research has to be for security purposes only.
- The exemption covers consumer devices, voting machines, medical devices, but not things like critical infrastructure, airplanes and major hospital equipment.
- The product being investigated has to have been lawfully acquired.
- The research has to be done in a safe environment so techniques used to hack or otherwise compromise a product are not released in the wild.
- The research cannot violate other laws.
- It is temporary – only lasting two years.
“So we are petitioning the Copyright Office to make it permanent,” Geiger said.
The CFAA is even older – passed in 1986 – and while it was “visionary” at the time, “its age is showing,” Geiger said, contending that its prohibition on unauthorized access to proprietary software, “sweeps up both consumers and researchers.”
The law’s intent is to prevent people from accessing data they don’t own and hacking into computers they don’t own. “We don’t think that should go away,” Geiger said, “but it should be modernized.”
While there have not been changes to the law yet, “the good news is that there is agreement that something needs to be done,” he said.