Hacking Laws May Make Security Researchers 'Endangered Species'
SAN FRANCISCO — The computer-security industry needs to take political action to prevent laws that would make basic research illegal, a prominent researcher said Monday (Feb. 24).
"We need legislation that protects security researchers," said Trey Ford, global security strategist with Boston security firm Rapid7. "We're about to become an endangered species. We're in danger of being criminalized and marginalized."
Speaking to an audience of fellow computer-security professionals at the BSides SF conference here, Ford explained that recent interpretations of the Computer Fraud and Abuse Act (CFAA) of 1986 threaten vital research.
The most famous recent CFAA prosecution involved Aaron Swartz, a digital-rights activist who faced decades in prison for having allegedly downloaded thousands of academic-journal entries. After plea-bargain negotiations fell through, Swartz hanged himself in January 2013.
"There's a massive, massive disconnect between the way the law was written and the way it's used," Ford said. "I don't think people are aware of the threats."
Researchers also face legal problems in other countries. German anti-hacking laws place tools used by security firms — such as Rapid7's own Metasploit — in a legal gray area. Earlier this month, a French blogger was fined $4,000 for downloading online files the French government had failed to protect.
In a political climate where cybersecurity has become a top priority, Ford said there are three possible courses regarding the next round of computer-security legislation.
"Should we outlaw the hackers? The CFAA is already doing that," he said. "Or should we register hackers? That way we'll know who the good guys are."
"Or," Ford said, "we can have a professional adult conversation."
To influence lawmakers, he said, security professionals need to stop quarreling with each other and unite to shape public opinion of their own profession.
"We need to change laws," Ford said. "There are roughly 60,000 CISSPs [Certified Information Systems Security Professionals] in the U.S. There are 211 million registered voters in the U.S., of which 121 million regularly vote. We're infinitesimally small. Congressmen aren't going to listen to us."
To succeed, he said, security researchers will need to help define which practices should be legal, and which illegal — or lawmakers with little understanding of computer security will do it for them.
"Who's going to write the next round of cyber legislation?" Ford asked. "If we can't step up, if we're not qualified to speak out, we're doomed."