The Computer Fraud and Abuse Act (1986), partly inspired by the movie WarGames, is still a major headache for white hat hackers in the US, according to Cindy Cohn, executive director of the Electronic Frontier Foundation.
Legal frameworks have become an obstacle to a competitive, thriving internet in which security is built in rather than an optional add-on. Current legal frameworks, experts claim, have allowed repressive governments and tech companies to misuse the internet and have caused serious mental health issues among internet users.
The most problematic, according to Cindy Cohn, is the Computer Fraud and Abuse Act.
“This law has a very interesting history because it was passed in response to the movie WarGames (...) Maybe this law was not as well thought out as it should have been,” she said during the Collision tech conference.
WarGames (1983) stars Matthew Broderick as a hacker who infiltrates government systems, gains control over the U.S. nuclear arsenal, and nearly causes a large-scale nuclear war.
“What this law does is it makes it improper to exceed your authority on protecting computers. If you exceed your authority on that computer, then you have violated the anti-hacking laws, and it has very serious penalties. It is treated as burglary,” Cohn explained.
The problem is that this law does not differentiate between the various legitimate reasons you might have to access somebody else's computer. Ethical hacking means looking for the weak points in systems and informing the owners. The intent is to disclose the findings so they can be fixed before a less ethical counterpart comes around. So-called white-hat hackers often act with permission and give detailed reports on the level of risk. Their work is a comprehensive way to test the defense measures of your organization.
“Security research depends on accessing other people’s computers because you cannot tell if a system is secure unless you do that. I think it has problems with just how the internet works. When the consequences of that are severe criminal penalties, it becomes a huge problem,” Cohn said.
Severe criminal penalties are only one side of the coin. As a result of this “bad law,” we have also lost lives. According to the Washington Post, programmer and Reddit co-founder Aaron Swartz killed himself amid "a lengthy legal battle over charges related to his bulk-downloading of documents from an academic database while connected to MIT's network."
“Aaron committed suicide rather than face the very severe penalties of American anti-hacking laws. It is important that we recognize the stakes of having overbroad laws. It is not just people who go to jail who should not. We also have lost lives as a result of this bad law. That is enemy number one,” Cohn said.
After the tragic loss, Aaron's Law Act of 2013 was drafted to amend provisions of the Computer Fraud and Abuse Act. It defined the “excess of authority” much more clearly but was never passed in Congress.
A shifting sentiment towards ethical hackers
According to Cohn, the attitudes towards hackers accessing organizations’ computers and data are shifting.
“In my experience, we have seen a big change from when we started doing this kind of work in the late '90s or early 2000s. Bug hunters were treated as not OK, this idea that there would be white hat hacking did not exist. It was seen as a gritty underbelly. Now, I see a lot more respect for the security community,” she explained.
Now, it is common to hire companies for penetration testing, and independent bounty hunters have found their place too. Many big companies, such as Apple and Google, have implemented bug bounty programs. The Pentagon's bug bounty program, “Hack Pentagon,” was a turning point, and now more organizations are interested in working productively with hackers.
Yet, Cohn said, it depends on the sector: “As technology moves into new sectors, we have to fight these battles all over again.”
As an example, she pointed to the medical sector, which was reluctant to embrace outside help, at least at first.
“We represented people who were hacking into their heart monitors or insulin pumps to try and find whether they were secure or not. Because a lot of these report to the internet now, and it is a real risk to you if your heart monitor is reporting out to the internet, and somebody could send out a message back to it and turn it off or change it, it could be very dangerous,” she said.
Although health organizations initially met this work with resistance, attacked ethical hackers, and even threatened legal action, they came to value the help over time.
“We have managed to move that sector a little more so that they understand the value of the security. It depends on the sector, and we've been moving sector by sector to get the recognition of this more broadly,” she explained.