Should it be against the law to do research aimed at making the internet a safer place?
The obvious answer should be “no.” Yet when dealing with the US government, you can’t necessarily count on the obvious being obvious.
The Guardian recently reported that some US law enforcement officials have been using the Computer Fraud and Abuse Act to threaten some of the “world’s best-known security researchers” with indictments for violating provisions of the law in the research they conduct.
Even though the law states it only applies to certain “protected” computers, given the fact that the internet knows no state boundaries, case law has come to apply the law to pretty much every personal computer, smartphone, or tablet computer in the country. While certain provisions of the law specify “with intent to defraud” or “causes damage,” other provisions forbid conduct with no regard to motive or loss. As a result, internet security researchers – “good guys” looking for ways to make the internet more secure – have been accused of violating the law and threatened with prosecution.
HD Moore, Chief Research Officer for Rapid7, a cybersecurity consulting company, was reportedly given a warning by US law enforcement officials over a project known as Critical.IO, which scanned 18 ports across every IPv4 address over a year-long period. Moore was not scanning these ports in order to hack in and steal information – he was looking for vulnerabilities so that he could advise industry on which ones need to be addressed. The research revealed flaws in Universal Plug and Play; the data continues to be evaluated.
Does it really make sense to tell legitimate researchers they need to stop what they are doing? That would be unilateral disarmament in the battle against cybercrime. The bad guys will certainly continue seeking vulnerabilities, and they will cover their tracks as they do so. It’s much better to have a friendly researcher discover vulnerabilities than it is to discover them after you’ve been hacked.
We’re all in favor of strong laws against cybercrime, but they have to make sense. The way the law is currently structured, relatively benign or insignificant acts – such as violating a vendor’s service agreement – can carry the same five- to 15-year jail penalty as malicious behavior such as trying to break into a computer to steal credit card information.
PACid has a better idea than continuing the cat-and-mouse game between cybercriminals and the rest of us: a new paradigm in data security that would render the vast majority of current cybercrime methods obsolete, our “Bolt-on Strong Security.”