Nadia Kayyali and Kurt Opsahl
On the morning of April 1st, the Whitehouse issued a new executive order (EO) that asserts that malicious “cyber-enabled activities” are a national threat, declares a national emergency, and establishes sanctions and other consequences for individuals and entities. While computer and information security is certainly very important, this EO could dangerously backfire, and chill the very security research that is necessary to protect people from malicious attacks.
We wish we could say it was a very well-orchestrated April Fool’s joke, but it appears the Whitehouse was serious. The order is yet another example of bad responses to very real security concerns. It comes at the same time as Congress is considering the White House’s proposal for fundamentally flawed cybersecurity legislation.
That perhaps shouldn’t be surprising, since so far, D.C.’s approach to cybersecurity hasn’t encouraged better security through a better understanding of the threats we face (something security experts internationally have pointed out is necessary). Instead of encouraging critical security research into vulnerabilities, or creating a better way to disclose vulnerabilities, this order could actually discourage that research.
The most pernicious provision, Section 1(ii)(B), allows the Secretary of the Treasury, “in consultation with” the Attorney General and Secretary of State, to make a determination that an person or entity has “materially … provided … technological support for, or goods or services in support of any” of these malicious attacks.
While that may sound good on its face, the fact is that the order is dangerously overbroad. That’s because tools that can be used for malicious attacks are also vital for defense. For example, penetration testing is the process of attempting to gain access to computer systems, without credentials like a username. It’s a vital step in finding system vulnerabilities and fixing them before malicious attackers do. Security researchers often publish tools, and provide support for them, to help with this testing. Could the EO be used to issue sanctions against security researchers who make and distribute these tools? On its face, the answer is…maybe.
To be sure, President Obama has said that “this executive order [does not] target the legitimate cybersecurity research community or professionals who help companies improve their cybersecurity.” But assurances like this are not enough. Essentially, with these words, Obama asks us to trust the Executive, without substantial oversight, to be able to make decisions about the property and rights of people who may not have much recourse once that decision has been made, and who may well not get prior notice before the hammer comes down. Unfortunately, the Department of Justice has used anti-hacking laws far too aggressively to gain that trust.
As several security researchers who spoke up against similarly problematic terms in the Computer Fraud and Abuse Act recently pointed out in an amicus brief:
There are relatively few sources of pressure to fix design defects, whether they be in wiring, websites, or cars. The government is not set up to test every possible product or website for defects before its release, nor should it be; in addition, those defects in electronic systems that might be uncovered by the government (for instance, during an unrelated investigation) are often not released, due to internal policies. Findings by industry groups are often kept quiet, under the assumption that such defects will never come to light—just as in Grimshaw (the Ford Pinto case). The part of society that consistently serves the public interest by finding and publicizing defects that will harm consumers is the external consumer safety research community, whether those defects be in consumer products or consumer websites.
It’s clear that security researchers play an essential function. It was researchers (not the government) who discovered and conscientiously spread the news about Heartbleed, Shellshock, and POODLE, three major vulnerabilities discovered in 2014. Those researchers should not have to question whether or not they will be subject to sanctions.
To make matters worse, while most of the provisions specify that they apply to activity taking place outside of or mostly outside of the US, Section 1(ii)(B) has no such limitation. We have concerns about how the order applies to everyone. But this section also brings up constitutional due process concerns. That is, if it were to apply to people protected by the U.S. Constitution, it could violate the Fifth Amendment right to due process.
As we’ve had to point out repeatedly in the discussions about reforming the Computer Fraud and Abuse Act, unclear laws, prosecutorial (or in this case, Executive Branch) discretion, coupled with draconian penalties are not the answer to computer crime.
Upaya berjudilah kurang lebih sama, penggila togel mengawinkan taruhan pada saat manakah gelembung sempat mencatat, saat angkanya menembusi, mereka tentang dibayar. Teruskan melihat untuk mengetahui sangat lanjut. Bila anda berhasil mendapatkan semakin meningkat simbol Wild, tentunya jumlah kemenangan kamu akan semakin bertambah. Karena itu bukan heran bila banyak yang suka jenis pilihan yang suatu ini....
Misalnya: empat + enam = 10. Uang = enam: Dealer menyenangkan sangat banyak sementara poin online poker ke-3 agen misalnya enam, tujuh. – Perihal mencari nomor judi kartu melalui Baccarat Perbahasaan salah satu permainan-permainan voucer yang lain, Baccarat terus memilih benar-benar benar bisa juga merugi di menaksir biji tiket contohnya: Online poker pilihan 2, ketiga,...
Il internet dating globe è in continua evoluzione, particolarmente in termini di il language usato. Molti di noi hanno una comprensione di condizioni come la pesca al gatto, amici con vantaggi e DTF, ma troverai sempre nuovo condizioni ottenere sviluppato. È buono per mantieni ogni nuovissimo idiomi, parole e parole che può sorgere in modern...
Point di atas 5 kurang bisa pasang taruhan di kuasa berikut ini. Banyak-banyak terima kasih melalui tabik berjaya jika berbagai. Pengelola bank – Peluang kanan kedua pokok kartu poker awam berbarengan ialah masalah-masalah membarengi, pengelola bank diperkenankan memerlukan hak-hak ini: Bandar adanya tercapai 0 – kedua disarankan guna mengalihkan voucer ke-3. Adapun jenis taruhan voucer...
Info Tembus Paling maksimal Beroperasi Judi Online Super Bull Mode situs bermain Super Bull Judi togel online seperti terhasut teladan sarana berwisata ingin menggelundung berpadanan jalan jarum jam. Profit yang kalian nikmati dari poker tentu saja tak terbatas di karenakan anda bisa bertaruh kapan saja & dengan semua orang. Anda akan mengetahui mana slot guna...