Why security pros don't like Obama's proposal for antihacking law

The tech community has long called for reforming the 1986 Computer Fraud and Abuse Act for its overly broad language. But now many worry a White House plan to toughen the law will have a chilling effect on work to expose software weaknesses.

Attendees of the 2014 Black Hat security conference in Las Vegas listened to keynote speaker Dan Geer, a longtime cybersecurity professional. (Reuters/File)

April 6, 2015

Ever since the Sony Pictures hack last year, the White House has sharpened its focus on cybersecurity. President Obama has penned two executive orders meant to confront digital intrusions, and Congress is preparing to debate a key part of his cybersecurity plan – a mechanism for companies and government agencies to swap information on computer threats.

But one part of the Obama cybersecurity plan that hasn't attracted much attention is a proposal that many researchers worry will hurt efforts to strengthen American corporate and government cyberdefenses.

The White House unveiled a proposal in January to amend the 1986 Computer Fraud and Abuse Act (CFAA), the federal antihacking law that criminalizes "unauthorized access" – and "exceeding authorized access" – to certain classes of "protected computers" that contain personal, financial, or government information.


As part of its overall plan to get tough on criminal hackers, the administration wants to expand the act so it includes harsher penalties and can be used by prosecutors to go after so-called "insiders" who attempt to profit from their access to secret or confidential data.

Critics have long argued that the law is out of date, overly broad, and has resulted in harsh penalties for seemingly minor computer crimes. It was widely condemned following the 2013 death of Aaron Swartz, the programmer and activist who committed suicide while under indictment for breaking into a computer database at the Massachusetts Institute of Technology. Government prosecutors used the Computer Fraud and Abuse Act to charge Mr. Swartz.

Now that the Obama administration wants to broaden the definition of computer crime and stiffen penalties for existing crimes – such as doubling the maximum penalty from 10 years to 20 years – some security experts say it will have a chilling effect on research and even criminalize some of the most important and cutting-edge security work happening today.

"It will have a negative impact on computer security if CFAA reform passes," says Dan Guido, founder of security company Trail of Bits and hacker-in-residence at New York University's Polytechnic School of Engineering.

As it's currently written, the CFAA gives a vast amount of leeway to law enforcement and prosecutors, and changes to give them even broader powers may result in overzealous prosecution, says Mr. Guido. If the professionals are afraid of violating the CFAA, they will be less likely to look for bugs in existing software. "Where does that leave us if we have to accept the security of the software we purchase because professionals are afraid of violating CFAA?" he asks.


Even though security researchers worry about the proposed modification of the computer fraud act, they still want the law updated.

Modernizing the act is "incredibly important" because the current law, as written, is broad and ambiguous, says Lance Cottrell, chief scientist at Ntrepid, a maker of security software and hardware. The penalties for minor infractions can be "absurdly severe," he says. For example, using a nickname on Facebook technically violates the social network's terms of service, and could potentially be treated as a felony under the current law.

"While I'm certainly not in favor of the CFAA, the written letter of the law is a minor aspect compared to how that law is put into practice and prosecuted," says Jon Oberheide, cofounder of Duo Security.

The CFAA's main problem is its language, and that's going to be where most of the scrutiny will fall during the latest effort to amend the law, says JJ Thompson, founder of security consulting firm Rook Security.

The basic premise of the CFAA rests on the concept that "unauthorized access" or "exceeding authorized access" to certain classes of "protected computers" would be a crime if the computer contained personal, financial, or government information. The law also says the unauthorized access would be a crime if there is "intent to defraud."

The proposed changes by the White House expand the definition of "exceed authorized access" to include "a purpose that the accesser knows is not authorized by the computer owner" and remove the monetary motive. The proposal says the CFAA would apply if the person acted "willfully."

The language, if Obama's proposal is left intact in the final amendments, would "gut our capability to respond" to data breaches and other security threats, says Mr. Thompson. A lot of the security appliances used by major enterprises, such as those for network monitoring and intrusion prevention systems, access computers, potentially putting them in violation of the law as described in the proposal.

No draft bills or amendments have been submitted in Congress, so it is impossible to tell how different the final language will be. But Thompson has been talking with members of Congress and other security professionals and is fairly upbeat that the actual language will not be as problematic as what was in the initial White House proposal.

Members of Congress are interested in working with the security industry so that the law can work as intended, Thompson argues. To be sure, considering the number of recent Congressional hearings that have featured security professionals, it appears that many members of Congress are making the effort to understand the thorny issues plaguing information security.

But not everyone shares Thompson's optimism. Security advocates and the government already disagree over the law's scope, and even though the amendments are still in early discussion stages, it's likely the changes will focus on giving law enforcement stronger tools to go after what they perceive as unauthorized access.

There is a section of CFAA that covers civil violations, such as breaking the software's end-user license agreement. For many in the bug bounty community, this aspect of the CFAA has always been a little worrisome because researchers looking for flaws in the software they've purchased are breaking the license agreement. Companies that run bug bounty programs realize a prosecutor could go after a researcher they cooperated with, or a researcher may face prison time if the software manufacturer gets angry over the bug reports.

"Angering the wrong person makes it easy to become a victim of a widely interpreted reading of the CFAA," says Guido of Trail of Bits.

Considering that security professionals are frequently viewed as antagonists because they are trying to get companies to acknowledge and fix security problems, retaliatory prosecution is a credible possibility. "Where does that leave us if we have to accept the security of the software we purchase because professionals are afraid of violating the [license agreement]?" Guido asks.

One area that changes to the CFAA could significantly impact is in the education arena, he says.

Basic research and investigation, the kind of skills that students are expected to learn and master, will become significantly more risky to perform if the law's scope becomes broader, Guido says. "How do we expect to train the cybersecurity experts we need if we stifle their ability to learn?"