Nadia Kayyali and Kurt Opsahl
On the morning of April 1st, the Whitehouse issued a new executive order (EO) that asserts that malicious “cyber-enabled activities” are a national threat, declares a national emergency, and establishes sanctions and other consequences for individuals and entities. While computer and information security is certainly very important, this EO could dangerously backfire, and chill the very security research that is necessary to protect people from malicious attacks.
We wish we could say it was a very well-orchestrated April Fool’s joke, but it appears the Whitehouse was serious. The order is yet another example of bad responses to very real security concerns. It comes at the same time as Congress is considering the White House’s proposal for fundamentally flawed cybersecurity legislation.
That perhaps shouldn’t be surprising, since so far, D.C.’s approach to cybersecurity hasn’t encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary). Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.
The most pernicious provision, Section 1(ii)(B), allows the Secretary of the Treasury, “in consultation with” the Attorney General and Secretary of State, to make a determination that an person or entity has “materially … provided … technological support for, or goods or services in support of any” of these malicious attacks.
While that may sound good on its face, the fact is that the order is dangerously overbroad. That’s because tools that can be used for malicious attacks are also vital for defense. For example, penetration testing is the process of attempting to gain access to computer systems, without credentials like a username. It’s a vital step in finding system vulnerabilities and fixing them before malicious attackers do. Security researchers often publish tools, and provide support for them, to help with this testing. Could the EO be used to issue sanctions against security researchers who make and distribute these tools? On its face, the answer is…maybe.
To be sure, President Obama has said that “this executive order [does not] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity.” But assurances like this are not enough. Essentially, with these words, Obama asks us to trust the Executive, without substantial oversight, to be able to make decisions about the property and rights of people who may not have much recourse once that decision has been made, and who may well not get prior notice before the hammer comes down. Unfortunately, the Department of Justice has used anti-hacking laws far too aggressively to gain that trust.
As several security researchers who spoke up against similarly problematic terms in the Computer Fraud and Abuse Act recently pointed out in an amicus brief:
There are relatively few sources of pressure to fix design defects, whether they be in wiring, websites, or cars. The government is not set up to test every possible product or website for defects before its release, nor should it be; in addition, those defects in electronic systems that might be uncovered by the government (for instance, during an unrelated investigation) are often not released, due to internal policies. Findings by industry groups are often kept quiet, under the assumption that such defects will never come to light—just as in Grimshaw (the Ford Pinto case). The part of society that consistently serves the public interest by finding and publicizing defects that will harm consumers is the external consumer safety research community, whether those defects be in consumer products or consumer websites.
It’s clear that security researchers play an essential function. It was researchers (not the government) who discovered and conscientiously spread the news about Heartbleed, Shellshock, and POODLE, three major vulnerabilities discovered in 2014. Those researchers should not have to question whether or not they will be subject to sanctions.
To make matters worse, while most of the provisions specify that they apply to activity taking place outside of or mostly outside of the US, Section 1(ii)(B) has no such limitation. We have concerns about how the order applies to everyone. But this section also brings up constitutional due process concerns. That is, if it were to apply to people protected by the U.S. Constitution, it could violate the Fifth Amendment right to due process.
As we’ve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime.
NOTICE OF DATA BREACH Dear User, We are writing to inform you about a data security issue that may involve your Yahoo account information. What Happened? A copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor. We are closely coordinating with law...
12:15am EDT Breaking News The hashtag #GasShortage is trending on twitter for Tennessee. It will soon be trending elsewhere. My brother reported to me a few minutes ago that Gas stations in Greensboro NC are out of gas and those truck stops have only about 7000 Gallons as of 1155pm EST. The immediate...
World Peace: The Final Chapter By Brooks Agnew Notes from 04 September 2016 World peace has been cited by pageant misses as their life’s work for more than a century. It is the stuff of happily ever fairy tales and Mendala shifting Disney movies. Guard dropping press releases misled Neville Chamberlain and countless other kings to...
Forgiveness by Luckee1 as heard on 30 August 2016 http://tfrlive.com/luckee-with-truth-frequency-news-66847/ I know when I was a girl, I was told that we had to forgive others. The adults, especially those associated with church, always talked about forgiving others. They also talked about how Jesus died for our forgiveness. They would talk about things like forgive your...
Original post is: Watch as amazing GcMAF treatment kills cancer cells in real time… holistic doctors ‘suicided’ over this stunning breakthrough A breakthrough cancer treatment appears to be the reason why a handful of holistic doctors were recently found “suicided” is now gaining worldwide attention as a potential universal cure for cancer. And new microscopic...