Hacking Law is for Hackers

Formal Metadata

Title
Hacking Law is for Hackers
Number of Parts
85
Contributors
N. N.
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
What a year for hacker law! 2021-2022 saw major changes to laws that regulate hacking, such as the notorious CFAA, the grotesque DMCA Sec. 1201, and China's grisly "Management of Security Vulnerabilities" regulation. This presentation will walk through each of these developments and detail their implications for security researchers. We'll give background on how these laws have recently changed, identify areas of continued risk for hackers, and suggest concrete ways for the security community to make additional progress in shaping a favorable legal environment. An extended roundtable discussion will follow the presentation.
Transcript: English (auto-generated)
We have an hour and 35 minutes. We're not going to talk all that time. This is going to be a roundtable discussion. So we are going to open it up to the group after our presentation, where we kind of go through some of the basics. I'm sorry, your head is giving a shadow. I'm sorry, also, that we are not able to dim the lights just for this individual room, but we're
going to make it work. This is Hacker Law for Hackers. I wanted to let you all know this is an on-the-record room. So there's Chatham House Rules in the other room. This one is on the record and being streamed, just so you all know. Leave now if that's a problem, please.
And let's do it. So like the description says, we're going to go over some of the changes to hacking law that have occurred, particularly in the past year or so, 2021 to 2022, and look at some of the areas that are ripe now for community advocacy in changing hacking law to help hackers. So I'm Harley Geiger, and I am senior director
for public policy at Rapid7. I'm an attorney, and I've been working in cybersecurity and technology policy for many years. And we are really blessed to have this man right here from the Department of Justice co-presenting. Yeah, I'm Leonard Bailey. I'm serving as Harley's wingman today. I am from the Computer Crime and Intellectual Property
Section in the Criminal Division of the U.S. Department of Justice. I am the Special Counsel for National Security and head of our cybersecurity unit. Doesn't that sound very impressive? It is, in fact. My mom is very proud of me. It is, in fact. Very proud of me. Very impressive. So believe it or not. There are no speakers.
So the microphones are actually just for streaming. So when we open up to the group, we're going to have to pass around these mics, but there is no amplification. Are you having, can you raise your hand if you're having trouble hearing me? So we should be louder. OK, got it. Yeah, OK, really sorry. I thought I was already projecting. Feel free to crowd in a little bit closer if that helps.
I know the acoustics are not super. All right, first, this is not legal advice. It's very important that we get that out of the way. I really don't want anybody watching this to go and do a research project and think that this covers all the nuances in the law. The law is just riddled with little exceptions
and important things. We're not going to be able to cover all of that in this presentation. If you have questions, particularly about a specific research project, if you're worried about legal risks, then you should talk to a lawyer. Just not these lawyers. Do not rely on this presentation. OK, so let's start from the beginning.
Why do we care about hackers? Why do we care about the way that hackers are treating us a lot in our lives?
We need the talent. We need the insight from people like you. It's not going to be a small cadre of experts.
It's going to be the community. And from the government's perspective, it's exactly the same thing. We know this is a complicated problem. We're not going to solve it ourselves. AKA, the government also wants to hire you.
So, federal law has evolved in favor of hackers. I think that's a little bit provocative. I think that for a long time, the security community had this impression that federal law was stacked against them and that you will be nailed to the wall if you violate terms of service.
You'll be nailed to the wall if you are doing IoT research in your own basement under a 40 watt bulb. And I think that it's time to challenge that perspective. And I think that one of the reasons why we should challenge it has been the changes that have occurred just in the past year. So, 2021 and 2022 had a lot of changes. And they were almost all, at least in the United States,
at least at the federal level, sort of universally in favor of the hacking community. Are the acoustics better? Am I projecting enough now? Sort of, yeah. Doing the best I can without yelling, sorry. We're gonna cover the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act. These are the sort of two traditional
emojis of the security community. We're also gonna talk a bit about the international perspective. So, China's Coordinated Vulnerability Disclosure Law, and then some about the states, state laws. And then, like I said, we are gonna open it up to hear your perspective. I think we have a lot of talents and experience in this room. So, it's gonna get interactive.
We're definitely not gonna talk for the entire hour and a half. So, first up, the Computer Fraud and Abuse Act. So, the CFAA. This is maybe the most feared law in sort of the pantheon for the security research community. And we're gonna talk, start basics. We're gonna talk about what it does.
And it has a long list of restrictions. I categorize them like this. So, first, it's a criminal and civil statute, meaning that you can be prosecuted criminally by federal prosecutors, but you can also be sued privately. So, you can be sued by a company or by an individual
if you have violated the Computer Fraud and Abuse Act. Here, with the CFAA, we are talking almost entirely about other people's computers. So, it is about whether you are authorized to access or use the computer in certain ways. And since you're doing it on your own computer, you're presumably authorizing yourself. Now, it gets to be a CFAA issue
if you are interacting somehow with somebody else's computer and it's not just the laptop that's sitting here. It can be things like internet servers or somebody else's computer over the internet. Now, the CFAA restricts, among other things, accessing a computer without authorization. So, if you're authorized to touch my computer or not,
causing damage without authorization. Damage can include, for example, service disruptions, DDoS, dropping malware. It can even be altering code on somebody else's computer. That's considered damage without authorization. And then, intent to defraud. If you have intent to defraud
and you are trafficking in passwords or access codes, that's also a CFAA violation. And then extortion is another one. So, if you are saying, I will damage your computer or I will access your computer without authorization unless you pay me cash money, that is a CFAA violation. Oh, we have a new projector. So, most of that stuff, though,
is avoidable by good faith security researchers. If you are truly conducting good faith hacking, you are not going to be demanding money for where you're gonna threaten damage to a computer. You're not going around causing DDoS attacks or disruptions to service. So, you also don't have intent to defraud.
Your intent is to patch the vulnerability. It's to improve security. But there is another provision of the CFAA. And this one is arguably the most broad and most problematic for the security community. And that is, exceeds authorized access. That is where most of the action in the past year has occurred.
Did you wanna add anything before we launch into that? No, I think you hit all the buttons. So, exceeding authorized access. What that means is you have access to a computer. You're authorized to access it, but you may only be authorized to use it for certain things. So, I'm allowed to access this computer for work,
but I'm not allowed to go bug hunting on it. I'm not a hacker, personally. Or I may be able to access a social network, but not use my profile on the social network to go bug hunting or to conduct security research from there. So, that would be exceeding the authorization
that I have been given to access those computers. Now, that gave a lot of power, traditionally, to things like terms of service or acceptable use policies or employment agreements, because those were the documents. Those were the ways that your access was defined.
So, if you join a social networking service, they will have an acceptable use policy or terms of service that says, here are the things you're authorized to do. Usually, security research is not in that list. Same thing with employers. They do not usually authorize their employees to also go bug hunting on their computers, unless that's what you do professionally. So, gave a lot of control to that.
So, that's some of the basics about CFAA. Now, what has changed recently, and one of the big whoppers that has changed recently is Van Buren versus the United States. So, that is a Supreme Court case. It was decided in 2021, and that kind of declawed exceeds authorized access.
The facts of the case are pretty colorful. Van Buren was a police officer, and Van Buren was authorized to access a license plate database as part of his work. But Van Buren was not authorized to use that same license plate database
for personal, criminal purposes, and that is what Officer Van Buren did for money. He was brought up under charges under CFAA, and the Supreme Court in a five to three decision, was it five to three, or six to three? Anyway, it was not a five-four decision. It was a pretty clear cut
towards finding a narrow interpretation of CFAA. What they said was, essentially, the question is not if you've been authorized to use it for one purpose and then are using it for another. Instead, it is are the gates up or down, was their analogy, are you authorized to access the computer
or are you not authorized to use the computer? And so, for Van Buren, what that meant was, since he was authorized to use that computer for work, then it is not exceeding authorized access. It is not, by itself, a CFAA violation to use it for other purposes as well. And it may be illegal under other statutes,
just not under this really broad provision of the CFAA. This helps not only security researchers, but also a lot of ordinary consumers who use the internet and should not be under threat of a federal hacking crime simply for doing things like violating terms of service, lying about your age on Facebook, for example.
So that was a big deal. It also applies, in part, to publicly available computers. So if a computer or an asset is on the internet and it is publicly accessible, then you arguably have authorization to access that publicly accessible computer. And if you have access for it for one authorized purpose
under Van Buren, then it is not an exceeds authorized access crime any longer under the CFAA to also use it for another purpose. And that theory about publicly available computers was put to the test in another case in 2022.
This is hiQ versus LinkedIn. So hiQ versus LinkedIn. hiQ was scraping publicly accessible content from LinkedIn. LinkedIn went so far as to send a cease and desist order to hiQ saying, don't do this any longer. And the Ninth Circuit, which has traditionally looked at CFAA in narrow ways,
said that LinkedIn could not bring hiQ up on CFAA charges, or in this case it'd be a lawsuit, for scraping its publicly accessible content. It was publicly accessible. So it put Van Buren to the test on this issue of publicly accessible computers. So I want to give an example of sort of
where this may hit the road with an actual case, actual hacking. Did you want to add to that? Did I describe them correctly? You certainly did. I guess there are a couple things I'd toss out, which is one of the things I think we've learned from watching courts attempt to interpret technology and generally, is they're not great at it.
And what occurs is something that, in my office, we have these Talmudic discussions about whether something is like, in the cyber world, something like something else in the physical world, right? And that's what happens in these cases. And so the Supreme Court, for example, in Van Buren, spoke in language of gates up or gates down.
If the gates are down, the restrictions apply. If the gates are up, there was no lack of authorization. Exactly what a gate is may not be entirely clear, as we say here right now,
of the opinion where they make it clear that if, for example, there are files, directories that are quote, off limits to you, then the CFAA applies. But what exactly off limits means also is something that's going to take some interpretive work in courts.
And so absolutely right, what Harley said, that this clearly has reined back the reach of the CFAA. There will be more work to be done, though, to figure out exactly what it means. There are things that didn't address, or just were outside the ambit of the decision. For example, what is accessing a computer under the CFAA?
Which I think is an important question for people in this community. When you're interacting with a computer, when does that cross the threshold of being accessed and might be actual under the statute? This case wasn't intended to address that. And so that's still out there to be resolved. All that said, everything Harley covered
was exactly spot on. Does anybody remember what this horrible human being did? Yes, go ahead.
That's right. So this horrible human being did find the addresses, email addresses of AT&T iPad users exposed on the public internet. And managed to scrape a great deal of this.
And I've been disclosed it to Gawker, I think. And was brought up on CFAA charges. And I raise this as an illustration that this type of prosecution was already difficult because there was a court split at the time. Van Buren resolved that court split.
And this kind of prosecution will be a lot harder going forward. It was publicly available information. And now there is not a court split. So not to say that there would not be any potential liability, but it would be a lot harder to bring a case like this now than it was previously. I just want to say one more thing about this case. I think it was US versus Spitler.
So Harley hit on this earlier. There was a perception that security researchers were being prosecuted barn-wide. And when we first began engaging with this community in 2014 or so, we took that back and we actually thought about that
because we were concerned. We wanted to make sure we weren't chilling research. And what we found in the last decade was this is the only case the federal government has brought against the security researcher. For security research. For security research. There may have been other cases brought by state authorities,
but this is the sole case in the last decade against the security researcher. Let me surprise some of you. And just so you know, you don't have to accept our word that the Center for Democracy and Technology also took a look at this. And in 2017, they found the exact same thing. That said, and we'll talk about this later,
there are reasons why this community associates the CFAA with, let's say, aggressive restrictions. And we'll get to that later, but I'll give you, spoiler alert, it has to do with the civil portion of the statute. So that is one change, is those series of cases,
Van Buren and hiQ. It's a big deal. It solves a split that was in circuit courts for at least 10 years, I think. Now, limitations. That change, that's a different part of the statute than if you're causing damage or if you have intent to defraud. So if you cause damage,
or if you are out there trying to defraud people, this change is not actually gonna help you. This is about exceeding your authorized access. And it's federal, so it applies just to the federal law, just to CFAA, it's different from the states, and we're gonna cover the states in a bit. But it's still a big deal, and on top of that news, in 2022,
in fact, in the past, what, four months or so, the Department of Justice changed its charging policy for CFAA. And here is a look at that. Don't worry about reading through the block of text too carefully. We can parse this language a little bit later. But this is public, and who better to talk about it?
Yeah, so in May of this year, we announced this policy, and it's sort of maybe the capstone of a number of years of work with folks like Harley and others in this community, who, in a very open-handed way,
allowed us to understand better how the community works, and to get more comfortable with the idea that there may be some allowances for actors in this community, again, in the interest of improving cyber security. So in May of this year, we announced this policy that essentially says that,
in the system you was turning, we have 94 districts across the country that have federal prosecutors in them who are responsible for these types of cases. We are the office at Main Justice that oversees this statute. Every indictment across the country has to come through our office.
And so we promulgated the policy to the U.S. Attorneys' offices, saying that they should decline a prosecution if the activity involved good faith computer security research, meaning, and I won't delve too far into this because we'll talk about this later on with the DMCA, but essentially, activity that involves testing,
examining, correcting, accessing through to do those things to identify a security flaw or vulnerability. And it's done in a way that avoids harm to the public or individuals, and is primarily for the purpose of producing information to protect the class of devices,
machines, or online services. And so that's a lengthy way of attempting to capture what it is people we understand attempt to do in this community. And let me tell you, that wasn't easy to try to capture in words. It took a lot of doing and throwing, but we'll talk about this more. But here we are. The Department of Justice has changed its charging policy
for charging crimes under the CFAA to say you should decline it if the defendant is a good faith security researcher. The language that is up there, again, we'll parse through it a bit more, but that is borrowed from another part of the law where a lot of these conversations were happening, and is sort of becoming now a lot of standard language
around defining good faith security research, for better or worse, and nothing is perfect. But that, again, may, so this is in the past year, a big change, on the heels of those court cases. Now, the limitation there is that that is for criminal law. So it does not apply to civil suits. Remember, you can still be sued
under the CFAA by private companies. And I will say that, anecdotally, in speaking with researchers at Rapid7, and speaking with, while at Rapid7, speaking with researchers external to Rapid7 and within Rapid7, we are seeing that much more private lawsuits than over things like criminal prosecution.
You know, it is kind of a hard thing to measure, because a lot of the private lawsuits come in the form of a threat, like a cease and desist letter. It has never reached the stage where it actually becomes a lawsuit. A lot of times, the researcher will back down, or they'll work it out with the company, but it is still a major problem for researchers. So just that civil suit aspect of it.
The charging policy does not apply. Do we want to say anything else about CFAA? I guess there's only one other thing I should say, just in the interest of candor. Well, I said there have been no prosecutions of security researchers. There may be a question about, well, have they been investigated?
And there, I'd have to concede, there have been investigations, but you have to kind of cut us a little slack there, and that is because if you're, let's say, penetration testing a system that you don't have an agreement with, what you are necessarily doing is something that looks identical to someone who is actually trying to, let's say, break into a system.
And so there's no way of telling what's going on until and unless there's a little bit of investigative activity. And so there still could be a knock on the door asking, what are you doing? The point is that has not progressed and is not progressing to a prosecution. And so we also are better at understanding
the difference between certain types of activity that is actually a precursor to actual intrusions versus others. Like, for example, mere scanning, mere port scanning is not going to end up with someone knocking on your door
asking for your vulnerabilities, from the government, I should say. But that wasn't necessarily the case going back a decade ago. But I think that is something that has changed. So I just wanted to clear that one point. And so just to recap, the changes, those major court cases that are curbing in a big way,
the most problematic part of the CFAA and then the DOJ's charging policy change, all since 2021. This is the next big important one. So this is section 1201 of the DMCA. So the DMCA, the Digital Millennium Copyright Act. Here is a law that if it were proposed today,
would not even get a hearing in Congress. It is archaic and clunky and it wastes everybody's time. And arguably it is broader than the Computer Fraud and Abuse Act. Because remember I mentioned that the Computer Fraud and Abuse Act largely applied to other people's computers. Section 1201 of the DMCA applies to other people's computers and your computer.
So it can apply to you where you're doing IoT research in your basement under a 20 watt bulb. Like that, it does apply to you. What it does is, there we go. What it does is it restricts, here comes the lawyer's speech, circumventing a technological protection measure
to a protected work, a copyrighted work. So what does that mean for hackers? Circumventing a technological protection measure to a copyrighted work is what you do all the time to software. So a technological protection measure can be something like encryption or a login. So anything that is protecting access to software. And so that, because you license software,
does not mean that you have authorization from the copyright holder to conduct that research. And that can be software that is on your own device. Now it doesn't have to be just on somebody else's device. So arguably this has been broader. And a lot of times when I've seen cease and desist letters that are sent out to researchers, it's both.
There's a citation for CFAA as well as DMCA thrown in there. So I think the best thing about this law, the best you could say for it, is that it gives the Copyright Office, or technically the Librarian of Congress, but we'll just say the Copyright Office, the ability to, every three years, make an exception to this rule.
This prohibition on restricting or circumventing TPMs. And so 2015 was actually the first time that there was a security research exception to Section 1201 that did not rely on the authorization of the copyright holder.
And there was a lot of folks were doing unsung work in the community to try to make that happen. Andrew Matwyshyn, the Center for Democracy and Technology, EFF, you don't hear their names proclaimed from the rooftops, but this process was where a lot of the cutting edge conversations were happening for cybersecurity researcher protections.
And it evolved every three years, so 2015, 2018. In 2021, I think that what we finally have is decent protection that you can hang your hat on for the vast majority of research. And we're gonna look at the language. So, good faith research. Sorry if this is not a sharper image here for you.
Accessing a computer program solely for the purposes of good faith testing, investigation, or correction of a security flaw or vulnerability. So that's the research part. And then the rest are sort of caveats on doing it responsibly. So where the research is carried out in an environment designed to avoid harm to the public,
where the information that you're taking from it are used for security. So you're using it to promote the security of the devices that you are researching. And you're not, I had to throw this in, remember this is a copyright-based statute, and you're not using this information in the manner that it facilitates copyright infringement. Now, I don't know if you caught a lot of the language
in the Department of Justice's charging policy. It's identical. The Department of Justice borrowed from this exception that came out of the Copyright Office. This is, in fact, government's best attempt, best stab at articulating what y'all do when you're doing security research. And I know that there is a lot of different terms,
like white hat hacker, ethical hacker. They went with good faith, good faith security research, I think because good faith carries a lot of legal precedent. And now we are actually seeing that term come up in a lot of other places that we're not even gonna cover here. So for whatever it's worth, the description, white hat hacker, ethical hacker,
good faith security research is the one that has momentum in a lot of policy circles. Oh, please. How many of you are lawyers? Okay, a good number of us. So this one statute amuses me in part
because so there's this triennial process, right, whereby the librarian of Congress looks at the copyright laws and decides whether there's an exception. And it's, again, every three years. They sat around and said, two, no, that's not, four, for some reason. So every three years, there's a chance to alter the law.
Back in, I believe it was 2018, we became aware that this was up for consideration. And we decided we were gonna weigh in. And so we did something we hadn't done before, which was we issued a formal letter to the Library of Congress
in support of the security research exception because looking at it, we felt it made sense. And then in 2021, it was up again because some of the restrictions on security research that were in the exemption in 2015 were considered maybe too narrow.
And we looked at that again and found that we could actually agree with expanding it in various ways. And because part of my office from the Computer Crime and Intellectual Property section, we actually enforce the criminal DMCA provisions. The Library of Congress actually was pretty amenable to our position.
So just to kind of give you a little more history on how this came to be. I think I wanna put it a little more bluntly. The Department of Justice stood up for researchers on two separate occasions in this process over a period of years. They put their money where their mouth is and got involved with another agency saying,
do better to protect researchers. That is really substantive. From a law enforcement agency, when they say that they wanna protect researchers, they, it's behind the scenes, it's kind of inside baseball, but it actually, I was there. I was one of the people that was pushing the Copyright Office to have better protections. And the Department of Justice's letters had a big effect on the Copyright Office
actually improving these protections. And I'll- I'm sorry, I have to jump in here just so this is entirely a kumbaya moment. One of the things that did happen though over these years is that people in this community were willing to sit down with us and have good candid conversations about the way in which research is conducted.
And so I think this is really a good example of collaboration between what in many times is viewed as antagonistic parties, but actually are two parties that are working towards a common goal, which is better security and protection of people's information and assets.
So this was 2021 when this was released. I think it was late 2021. But consider the timeline also, right? 2015, it started before 2015. So this was a period of like seven, eight years just working with the Copyright Office alone on this. I think EFF had started even several years before that. I mean, it like talk about,
you know, the way that policy moves slowly. One of the reasons for that is because you, oh, we managed to do it. That's terrific, I'm assuming. Is that better for everybody? Awesome, thank you. Yeah, so I'll tell you just a war story.
So in 2018, we heard from other trade associations and other sort of interests who wanted copyright to be better protected and thought that was more prioritized than security research. And they said things like, if we don't have restrictions on security research, we're going to have unfettered hacking of elections.
We're gonna have people hacking planes. We're gonna have people hacking cars on highways. It'll be, you know, there'll be hacking cars in such a way that they're violating pollution laws to which our response had always been, well, there are other laws that take care of that. We don't have to rely on this one to do it. But that took, you know, like at least four years to overcome that argument.
And now we have. The language that you see here does not have that same caveat in it. This is an example of research. Why would this not fit the language that we just saw? Yes. Because it's not a controlled state matter. That's right.
That's right. So this was on a highway. But this particular example was brought up in the Section 1201 proceedings as both a for and against, right? We were saying, well, look, the research actually didn't result in Jeep recalling these vehicles for safety purposes.
This was valuable to society. On the other side, we heard people saying, no, this is terrible. Look at what these folks can do. They can stop it on a highway and put everybody at risk. So yes, this is one of those caveats. This is why this specific example made a lot of ways in policy land and is one of the reasons why that language there.
Yes. So it'd be authorized access to the machinery, right? To the computer, maybe, but not to the software on the computer because the software is copyrightable
and that's the way Section 1201 works is that you have to get the authorization of the copyright holder. And in this case, they did not have authorization of the copyright holder even if they had the authorization of the person who owned the Jeep. Art?
Yes. Took them in a technical measure. Yeah, that's the requirement of the statute. I think it probably depends on the specifics.
So a big limitation on that, right? So now you have, again, just in the past year, you've got much better protections
under Section 1201 of the DMCA for good faith security research. There is a limitation to it, which is that that protection, it does not apply. And actually the Copyright Office cannot make it apply. They're not authorized by law to trafficking in the tools. So if you are making the tools available publicly,
even not-for-profit, put it out on Twitter, then that may violate Section 1201 of the DMCA, but a different part of it, one that does not fall under the protections that we just discussed. So the act of research is protected, but the disclosure of the tools and the techniques may not be. Yes.
Yes, there will be time for questions, but if you want, we're gonna be loose with it.
If you're talking about, will a civil lawsuit look at the DOJ's charging policy change?
It may be persuasive, but it's not going to control. And it's a different standard of proof, right? So in a civil proceeding, it'll be a preponderance of the evidence versus beyond a reasonable doubt in a criminal case. So there would be a different standard also used.
Be careful, that's what I would say.
It starts to look like extortion. And I think that's not best practices
for research under any circumstances. And I think that, I would just say, it probably depends on the specifics, but you definitely don't want to give the impression that you have exploits that you might use if they do not pay you. That is something that comes up both under Section 1201 and also comes up under CFAA.
Question for the streaming.
Correct me if I'm wrong, if I mischaracterize it. So for example, if you're doing research on the dark web, you come across what is apparently stolen data and you access it, are you violating the CFAA? And the simple answer to that under those facts is no. I'm glad to say that one thing I can recommend to you
is one of the things that the cybersecurity unit that I had has done is we've produced various white papers on issues that people in the community and the industry have flagged for us as legal issues that they're interested in seeing if we could provide some guidance on. The one we released in February of 2020
is intelligence gathering on the dark web or purchasing your information back on the dark web. If you did a web search for cybersecurity unit DOJ, you'll land, there'll be a landing page and on there are links to various white papers. One of them actually covers
and I think is rather instructive on this issue. Yeah, no, I guess in lawyer's speak, you wouldn't be actually accessing a computer without authorization, right? The data is out somewhere else, right?
But it's not, you have not accessed the computer from which it was stolen. It is just data that someone has posted somewhere and you're accessing their computer with authorization as it's posted on the web. But that would not be a CFAA violation by itself.
But that's CFAA, I mean, there are other laws that can apply like receipt of stolen property, some privacy laws, so it depends on the situation and just I think be aware that there are more laws in the CFAA that may apply to that situation. And on that score, I would recommend the paper that I flagged because we get into some of the other issues.
In Weasley, the simple answer is the facts will matter, right? So if you, for example, look at the case that we talked about before, he had access through this AT&T server, which was configured to essentially populate certain fields
when you access it if you had an AT&T iPad. He identified what some would argue is a security vulnerability that shouldn't have existed. He wrote then a Perl script that allowed him to do that 116,000 times, which did then kind of move it out
of what today we would consider good-faith security research. Now, if you're saying you accessed this, you saw this, and then perhaps you reported it, that would help, right, in terms of what we're thinking. You should be in the mindset, though, of thinking how will someone perceive my actions?
Not my intent, but my actions, because it's very difficult to discern what your motives are. So if someone, for example, identifies your IP address coming from wherever you are as accessing this particular server, and there's nothing else going on,
again, you may get a knock at the door, there may be some questions. You should do everything you can, though, to make it clear what it is you're doing. Again, the same paper I talked about before goes into this a bit, that is, to the extent that, for example, you work for a company, and there is a work plan that demonstrates that this is a manner in which you collect
cyber threat intelligence information. That would be helpful. Not dispositive, necessarily, but helpful. But that's the advice I could give you here. Put yourself in the mindset of, without knowing your intent, what do my actions look like, and how can I demonstrate that my actions are not those, actually, of someone who would do this for malicious purposes?
All right, thank you. I'm gonna try to get us back on track. If we have questions that are not directly related to what we're talking about, we should hold those to the end. We do have time for a round table, so we will have time to get to the questions, but let's try to keep it to what we're talking about now, just for the flow of conversations that folks get the information. We were talking about section 1201 of the DMCA,
and we said that this good faith security research exception, which came out in 2021, provides good protection, but does not cover trafficking. So trafficking in the tools, the exploits, the techniques, so trafficking sounds like it might be
more complicated than it is, but it could just be public disclosure of those things. And this is the basis of the Apple versus Corellium lawsuit. This was partially settled in 2021. We don't have the details of the settlement, but originally it was that Corellium was violating that trafficking portion of the statute.
And one of the reasons that it was settled, in fact, was from pressure from the cybersecurity community. It put out a statement saying, we should not be suppressing the use of cybersecurity tools. We don't want there to be the case that public disclosure of techniques and tools is outlawed under section 1201.
It is a bad cybersecurity situation to say everybody must develop their own because those tools will not be as good and able to actually improve cybersecurity. Yes, is one of the things that was kind of eye-opening
about the lawsuit, was that there did not seem to be an exception for open source. And if the techniques and tools can circumvent a technological protection measure to a copyrighted work, which a lot of open source tools do, then yes, it could violate that.
This is not a part of the statute that we see come up very often. And I think that it was under the radar quite a bit and it is one that we don't have that opportunity to come to the Copyright Office every three years for an exception. That has to be something that is done by Congress and Congress does what Congress does. So we talked about CFAA and we talked about DMCA.
I want to look at the states as well. So if you are, wherever you reside, if you look up your state and then computer crime law, it will be worthwhile to take a look at those statutes. Many of them are very similar to the Computer Fraud and Abuse Act.
They use similar language, access without authorization. Some of them say exceeds authorized access, just like the CFAA did. What's different, one of the things that's different is that it has not gone through that evolution that we just discussed for CFAA. There is no Van Buren counterpart to state computer crime laws. There's no DOJ charging policy.
It does not apply to the state computer crime laws. Those are enforced by states. They go through state courts. This is our federalist system. And so some of the states end up actually having language that is even more broad than the CFAA. Missouri, which is actually where I'm from, is one of those examples. And in 2021, we had this issue
where the St. Louis Post-Dispatch, a reporter for the St. Louis Post-Dispatch, found on their Department of Education website that the social security numbers of many educators were revealed. And this was not a very complicated exposure. It looked like hitting F12 and looking at the source of the website revealed this.
It was disclosed to the agency, which initially said thank you. Somehow it became political and the governor said that this was hacking and this was unacceptable and that we should have a law enforcement investigation. The Highway Patrol did investigate the Post-Dispatch and did investigate the reporter. No charges were brought. And what the Highway Patrol said at the time
was that there was no criminal intent. Obviously, this is true. This is also true for good faith cybersecurity research. That's also not what's required in the statute. The statute does not require criminal intent. It actually does not require intent to defraud. It is whether or not you are accessing the computer at all. It also, Missouri is one of those states that says that if you disclose an access code
or a password without authorization, then you are in violation of their state law. Now in the CFAA, if you're disclosing an access code or a password, that requires intent to defraud to be illegal under the CFAA. Here again, no intent to defraud. It's just if you should have known that you did not have authorization
to disclose the password. So for example, you're conducting IoT research. One of the routine things that you see with IoT cybersecurity research is finding a hard-coded password in the device. Are you allowed to disclose that under Missouri law? Do you have authorization to do it? This is what I'm talking about. It would not be in violation under CFAA,
arguably not anymore under DMCA now that we have that protection. But you have state laws that are just as broad or more broad than the CFAA and don't have some of the same limiting factors that we've discussed. Maryland is another. So in Maryland, in fact, so Missouri is one where it says if you are disclosing a password
or an access code without authorization, Maryland in fact makes it a crime, home of the NSA, makes it a crime to try to identify an access code or a password. So not even just the disclosure, the act of research to try to identify the password or the access code is illegal.
Again, no intent to defraud required. And then by contrast, like just to show you some of the variation here, there's the state of Washington. The state of Washington actually has, and the only one I know of in states, it has a bona fide security researcher protection. And this is, here they call it white hat security research.
The way they do it is they say you can't do a bunch of stuff without authorization, just like CFAA, but without authorization is defined. And without authorization does not include white hat security research. And if you see the definition of white hat security research up there at the top, you'll see that a lot of that also mimics the language that was in that section 1201 exception.
So there are, somebody should repeat the question. Sorry. So I guess the question is whether, when should someone who's doing computer security research be concerned about Missouri law?
Is it essentially anyone who's operating anywhere on the planet should be concerned about Missouri law given the nature of the internet and the jurisdictional reach of some statutes? I guess the short answer is it depends, but there are various jurisdictional bases
for these statutes. So if you have your victim in the state, so if the computer accessing is in the state, you certainly should be concerned, right? If you yourself are located in the state, you should be concerned. There's a separate question of like if a company
that is incorporated, but has an office in that, no, if their headquarters is in Missouri, but the servers are, the backend is in California, hosted by Amazon or whoever, do you have to be concerned? Not clear, exactly.
In the wonderful world of cloud computing, there's the separate question of how exactly jurisdiction works. I can tell you in those first two instances though, you should definitely be concerned. And how would you know, right? How do you know if the computer that you're accessing is in one of these states? This is why it is something that matters to everybody no matter what state you're in.
Also get a lawyer who knows venue and jurisdiction and can maybe remove it to federal court. The issue of consent and authorization often kind of merge,
but I think conceptually for the Wiretap Act, the 18 U.S.C. 2511, and the Computer Fraud and Abuse Act, they're actually quite separable. So the idea of having two party consents,
both parties on the line, consenting is a requirement for I think 12 states across the country. I don't think that those map to any sort of comparable language in those states' computer laws. All right, I want to cover this international aspect of the law as well.
And then we are barreling towards the round table portion so I hope that there are more questions and we haven't answered them all already. So in 2021, China publicized, after a comment period, it publicized a coordinated vulnerability disclosure and patching law. It is the regulations on the management
of security vulnerabilities of network products. And this law requires companies to have vulnerability disclosure policies. That's great. It requires patching of vulnerabilities. This is required. It also, though, requires vendors
to disclose vulnerabilities to the government within two days of discovery. So you discover the vulnerability, you flow it up to the government. Two days, that is going to be a lot of unpatched vulnerabilities. Researchers, believe it or not, are actually kind of encouraged. You're encouraged to have bug bounties if you're a vendor.
But remember, the vulnerabilities that you hear flow up to the government within about two days. Now what is very different from the way that we are used to things here in the US is that there is a strict restriction on public disclosure of the vulnerabilities and a strict restriction on publishing tools.
So as a security researcher, under this law, and at least under the letter of the law, can't speak to how it's enforced on the ground. I have no visibility into that. But the letter of the law is that you must report the vulnerability either to the vendor or to the government. So these are your options. And remember, if you report it to the vendor, the vendor reports it directly to the government anyway. So bug bounties, CVD, and it flows to the government.
And the penalties for violating this can include imprisonment. I mean, it is a criminal law. But it also includes things like administrative fines. I mean, there's a wide array of penalties. So this is in stark contrast sort of to the direction
that we are moving in with the United States where it comes to adopting coordinated vulnerability disclosure, sort of recognizing the hacker community in our criminal laws, and also continuing to preserve the ability to disclose vulnerabilities publicly.
So this is the last slide. Well, last substantive slide. So where do we go from here? And just want to wheel it back to the point that we made at the beginning that a lot of the researcher community had previously been focused on the Computer Fraud and Abuse Act, but that exceeds authorized access, terms of service problems, and Section 1201 of the DMCA.
I would argue that you can still do that. Those things are absolutely not perfect, but you're not gonna get the same bang for your buck that you had prior to 2021, right? Now, areas of greater legal risk, I would argue, are in the US states, which have not had any of that same evolution as federal law. International laws like China's CVD law are another big one.
Speaking of CVD, another area to focus on is continued adoption of coordinated vulnerability disclosure with private companies. And one reason for that is, remember, not all of the protections under CFAA apply to private lawsuits. Those are often the greater threat than criminal liability.
And for Section 1201 of the DMCA, that protection, although it comes up for renewal every three years, I'm relatively confident it is pretty baked at this point. We may be able to improve it some further, but I doubt that unless there's a major event that we would do a lot of backsliding. What does need improvements in a major way is the trafficking portion.
So I actually think that this is, what we talked about here today, the progress on CFAA, DMCA is in part due, in large part due to security community advocacy. It has been a powerful force, but now let's turn it towards the areas of greater legal risk, and especially the states where we are all from
and where our lawmakers have similar processes to the federal lawmakers. I think that that is the next area where we can get the best bang for our buck in our advocacy. And that is the security research exception from 1201 DMCA. If you wanna look at it some more, I figured we might end up talking about it
in this Q&A session, which begins now. Yes, please. Coming to the GSMA to present on the China law. So I'm the chair of the fraud and security group. We have an industry CVD scheme.
So it's still quite unclear to us. We have asked MIIT what the situation is and not got a response. So for companies that are involved in our CVD committee, some of which are Chinese, whether they have to disclose those vulnerabilities. So that's the first point I wanna make, which is of concern. The second one is on the international law aspect.
So in the UK, we have the, what's called the PSTI bill going through parliament right now, which is the Product Security and Telecommunications Infrastructure Bill, which is our IoT act when it gets passed. And in that, there'll be a requirement for companies to provide CVD. And a lot of that work has been promoted really from here.
So thanks everyone for getting that just close to the line and getting into law. So thank you. The proliferation of coordinated vulnerability disclosure policies and standards, I think it deserves its own talk of similar length, but that is another major area of progress from the hacker community into policy.
Peter, you, so you were, the UK is looking at the computer misuse act also, right? And one of the things that the government is considering there, I think one of the questions that they asked was, should there be an explicit protection for security researchers? Do I have that right?
Yeah, so I'm David. Peter is around this week. Yeah, so the home office has consulted on this and I think at the moment, they're kind of quite busy with other things, but that's what they're looking at. And I think clearly, you know, the precedent work that's happening in the United States is gonna feed into that. So I personally was quite pleased to see all of this
because we can put that into that work. I think there's a lot of, there's a lot of kind of input needs to go into it. There's a maturity of thinking that needs to happen. So on the PSTI bill actually, when it went to the House of Lords, which is our upper house, there were questions raised about whether
by putting CVD into law, that they're creating a defense for malicious hacking. And so then it got into this kind of basically letters of marque discussion, which I don't think we wanna go down that road, to be honest. So, I mean, so the UK right now has a process
where they're looking at the Computer Misuse Act, it's sort of their version of the CFAA. So if you have contacts with the UK government, or if you wanna get involved with that, see David and see about weighing in. And I mean, that is an area of open consultation right now, looking at potential legal protections for researchers in the UK. Yes, Samit.
Oh, I'm sorry, following question on this. Remove my mask. As you can tell, I'm from the UK as well. Accent kind of gives it away. One of the dangers that we're looking at in the UK with that rethink of the Computer Misuse Act, is organizations in the UK trying to define
cybersecurity researchers as people who have received a certification handed out by government department and who have registered on a government list as being validated security researchers. And that's one of the big problems and one of the dangers that we're seeing in the UK is.
their definition of cybersecurity researcher is kind of being pushed towards a government-approved cybersecurity researcher which is a danger that we need to fight against and an ongoing struggle with this review of the Computer Misuse Act because we kind of don't want to lock out people who are not government sanctioned in some way that's
absolutely I'm glad you raised that that's absolutely real so the UK government also put out a consultation on certification for cybersecurity professionals and this would be certification for a variety of cybersecurity professional jobs it's if you work in the UK or if your work
touches the UK this this affects you but one of them was was security researchers and yes it lends itself to being on an approved government list being a certified in order to to conduct security research which is I mean a huge barrier to entry for a what is in the United States at least a very decentralized community yes and sorry I mean that was UK UK specific
I wanted to quickly follow up on the issue of global anti-disclosure program requirements and CVD requirements, as well as some bounties and contracts from a tremendous amount of money, which is also about potential implications, so we don't have provisions that we kind of
take the first part of that question first. And I want to put, unless you want to answer the CVD question, I want to put Art Manion on the spot.
You heard me, the question about the next, next, next frontier for CVD in the marketplace. What do you think? And a reminder that the microphones don't have
a speaker, that's for the stream, so we still have to project. I did hear, I mostly tracked. I mean, let's see. So I think you've touched on them here, and then, a meet with the commercial contractual stuff, hard. So bug bounty
related, disclosure policy related, safe harbor, but not in strict legal safe harbor terms, but I appreciate right now good faith security research. So contractually, and in bug bounty and disclosure programs, I think there's going to be progress there, right? If people are agreeing and planning those agreements, there's less likely to be any conflict, whether civil or, you know,
recognition from a government perhaps, or federal prosecution. The Chinese law is a good example. It's concerned a lot of us, although the implications are not clear yet, I don't think. But what if, how many countries are there on the planet, 200 some, depending how you count, what if every sovereign state
has its own report-to-the-government law with different numbers of days and different industries and things? So that has the potential to get really messy, and I'm sure particularly a multinational corporation or researcher who works across, you know, country lines would appreciate something more
globally standard, as opposed to, you know, meeting a third party to tell them how to talk to this country, that country, that country. I think that could be a mess, but the jury's out still. Do you have a view as to where the CVD adoption might spike next? Like, are there sectors, or is it just sort of company by company? I don't think I have a real view or opinion. There's a lot
of progress, which is great to see. The UK was mentioned, the rest of Europe, ENISA, and the NIS 2 has disclosure stuff built in there, I believe. I think it's gonna go through, so, you know, those are signs of progress. The Chinese
stuff is concerning, but again, I'll speak for myself, I'm reading an English Google translation, don't know how the law is actually implemented in country, so not sure yet. So I guess, for my own part, I don't know where the next sectors of the economy or sectors of the market that will implement CVD will be, like where the sort of low-hanging fruit
is. But I know that you've noticed the same thing, which is that coordinated vulnerability disclosure policies are now being built into a lot of cybersecurity laws. So the infrastructure incident reporting act has a nod towards it. There are laws like, you know, things like the IOT Cybersecurity and Innovation Act, right, that had a requirement that if you were going to
sell IOT to the government, that you must have a coordinated vulnerability disclosure policy. NIS 2, which is like a critical infrastructure protection law that is being proposed in Europe, that is at a pretty advanced stage, requires coordinated vulnerability disclosure policies. We're seeing it in a lot of sort of regulations that you may not even expect, from different
agencies, just for their particular sector, that are at the very least promoting coordinated vulnerability disclosure. You had mentioned, please. My company's also been tracking the implementation of CVD by IOT companies over the past five years. We're just about to do the
research again, so we look at about 330 companies, the top IOT products in countries across the world, and when we started out it was less than 10% of companies that had any way for a security researcher to contact them, and that includes, you know, the security.txt as well, and looking
on a website. And that only increased, even in light of all of this global activity promoting CVD, that only increased to less than 20% in our last year's survey. So even with the threat of regulation, even with laws in place, there's a huge amount of companies, you know, four in five IOT companies, are
not doing anything, and that's just a bit that you can see. So it's really concerning to me. I mean, you know, when the laws come in, I'm hoping that obviously the stick comes out and they actually do something, but it'll be really interesting to see what happens this year and next year in our surveys, if there's this massive increase or not. There's this trope,
right, that policy and regulation is always way behind where the private sector is. I don't think that's true for coordinated vulnerability disclosure. We're seeing it built into a lot of cybersecurity laws, best practices, you know, guides, things like that, out of DC at least, the UK, the EU, China, and I
think that its representation in new cybersecurity regulations is more broad than where we're seeing it actually in the marketplace. So there is still a lot of catch-up. I would not, I'm optimistic because it is making its way into policy, but there is still a long way to go in terms of actual adoption. So the question is whether the good faith exception is a matter of
law or policy, I guess, and why should folks care. So in regard to the CFAA and the federal policy, it is a matter of policy, right? So it is not written into the law, and that has certain dangers. Folks have flagged that that means it's possible that another administration could have a
different view of this, or a different Attorney General, or another head of the Criminal Division. I will say that we have a number of policies that I think are comparable that have persisted across multiple administrations, and they have not, as a matter of course, like, changed every
four years or anything of that sort. But that is one important distinction, that if it's written into law it is less likely to change. The reason it's not is because it's very difficult to get anything written into law right now. So this is not a bad second to that. Congress can
spend trillions of dollars, but they can't change the law. I did want to jump on one issue about bug bounties that would just prompt something I wanted to kind of say as a kind of public service announcement, and it's something that we've noticed, I think, over the last few years, and that is, well, we are very supportive of bug bounty programs, because we think they
do a good job of letting the different parties know where lines are drawn, what is in bounds, what's out of bounds. The one danger that we see, that has manifested in a few places, is it also, in some instances, has created an
entitlement among researchers, such that there's a feeling that "if I did some work here, I better get paid," which can inform the manner in which any discussion about compensation or disclosure or things occurs, and in the
worst instances, as exactly we talked about earlier, can turn into a conversation that looks a lot more like an extortionate type of demand rather than some engagement to try to improve security. And so I just drop that as a caution. You know, in the course of reviewing indictments that have come through our office, you know, we've had a couple of instances where
researchers used maybe some improvident words in the manner in which they approached this. And this harkens back to an issue that I've flagged before, which is I truly believe it would be in this community's interest to work on norms
that are some sort of baseline understanding of what, you know, security research and engagement looks like, so that those like me who are outside the community, who would try to apply those rules, have something to go to that's not imposed on the community by us, but rather something organically developed, so
that there's actually buy-in and an understanding and a real, you know, true depiction of the way in which things should occur. So that's my PSA that I wanted to just drop on you. I realized we skipped over your second question on, well, I skipped over, on incident reporting and how that
interacts with the CFAA. And one thing I have noticed, so there's incident reporting, there are a lot of regulations already on the books, and a lot that are being proposed, that would require a company to report a cybersecurity incident to the government, to their regulator, and the definition of cybersecurity incident is usually something that is significant, not just,
you know, an insignificant exposure, but something that is relatively significant, that the government knows about it and can take action to protect others. And this is another, you know, sort of sign of the evolution in thinking about policy and hackers: a lot of these laws
actually have an exception to the incident requirements, that it doesn't qualify as a reportable incident if it is something that was brought to you by a good faith security researcher. Many of them don't necessarily use those words, and I think a lot of times it requires authorization of the
computer holder. So, like, but something like a bug bounty, if you know, if a bug bounty has brought it, right, it's a coordinated vulnerability disclosure process, now that it may not qualify for incident reporting purposes, to have to report it to the regulator. This is a sort of thinking that, I think, five, ten years ago we couldn't imagine, but they're building it into things that are, you know, somewhat niche, cyber incident reporting, and so there they
have a mind towards this community even there. Yes. Eighty percent of what you
said, that's okay. Crisis. You, at least for this question, take the mask off. Sorry. Twenty percent comes from someone who is from the UK, about how
discretion on the policies is exercised in the US by our investigators and prosecutors, and kind of taking as a model that there's a comparable law in the UK where there is a lot of discretion used to determine what is in the public interest. So in terms of the discretion, I guess the policy
does state, and, you know, promulgated by the Deputy Attorney General's office to all, is that one should decline if it meets these criteria. The question of when it meets these criteria is a matter of discretion to some degree, but
no more so than, I would say, applying our laws, right, to see whether the set of facts meets the requirements here, and so on. I think there's, in some ways, unavoidably a certain degree of discretion that's exercised, but
one of, I think, the positive things, one of the things that helps when you have exercises of discretion, is to have oversight and transparency. And so this wouldn't be a decision that would be made solely by, for example, the US Attorney's Office. We oversee all CFAA indictments, so it would come through us
as well, and the point of that, which was a practice that was adopted in 2016, was to try to harmonize how these things are done nationally, right? So if you have one collection point you can have greater consistency than you would have in 94 different districts. And so there is discretion. We believe, though, that we
have mechanisms for kind of leveling that out and making sure that it is consistent. You'll notice at the bottom of the charging policy it mentions consulting with prosecutors. That's where specific applications
Well, the question was, the policy applies to charging decisions, not
investigative activities, so is there any point in perhaps having a comparable policy that applies to investigations rather than just
prosecutions? It's an interesting point. I don't think we have considered it, in part because at least we haven't yet detected a problem, but hopefully engagements like this would flag that, and if we did see a problem,
it's something we certainly could consider, whether a similar policy on the investigative level would make sense. At this point it doesn't exist and we haven't really thought of it, but, you know, could that change if there actually were a need? Absolutely.
So, first up, a suggestion to folks, which was that reaching out to law
enforcement to establish a relationship, so that they know and are familiar with you in case there is a need for a knock at the door because there is some activity that they're interested in, is a good practice. And I
would foot stomp that. That in fact is something that we flag in the white paper I mentioned earlier; having the situation can be very helpful. Secondly, though, there was a question about whether accessing a criminal network, I'll say you are a researcher who is accessing a ransomware group's server, whether that could potentially get you prosecuted under the
CFAA. And I guess to that I would say this: whenever someone tells me prosecutors can indict a ham sandwich, my response to them is yes, but then we would have to try the ham sandwich, right, and that would be ridiculous. So
it's the same thing here. One of the things that we think about, one of the, actually in 2016 we released our CFAA charging policy that was broader about considerations for federal prosecution. There has to be a substantial federal interest in a prosecution for us to bring it. We do assess whether, for
example, that's a case that is not going to play very well. Right now there may be extenuating facts, and I think that it's impossible that such a case could be brought, but by and large, that it's unlikely. That said, I do think,
you know, the one thing that I often caution researchers about is that, even if they're being good guys, they should understand they do not have carte blanche, right? That there are people who are investigators who have been given the authority to do certain types of activities that are invasive, and that
should be left to them. So reporting something that you've seen is an important first step.
Only about five more minutes before we have to clear the room for the next panel, and let everyone else also know, if you don't have one of these limited edition DEFCON policy stickers, please feel free to see me. I laid them out on the table, but I know that the folks that were standing didn't get one. If you want one, then hit me up. Yes.
A few suggestions, but I think the simplest one would be to contact the Electronic Frontier Foundation. They, you know, work in litigation in this area. They may not represent you, but they may know other people that do. It's probably easier than a Google search or me just giving you a bunch of names right now.
Just contact them, that's probably a good first start. They also have online resources, I believe they do. Yes. All in the
policymaking process, and a lot of it will, at least in the United States, I think a lot of it at this stage is going to be engaging directly with policymakers. I don't know of any, like, open comment periods for CFAA, DMCA, or states. I do think that you get your best bang for the buck right now in the
states. Like I mentioned, you know, the states don't hear from experts to the same degree as the federal policymakers do, and, you know, it may be slow going at first, but I think that once you build that relationship you'll see it come to fruition. If you want to target an open comment period, then I think talk to Stephen about what's going on in
the UK. There are these rule-making processes that are open for public comment, and people like you in this room actually do have an outsized voice in those. And what I mean by that is, talking to the people who, in this process, have to review them and then adjudicate the answer,
it's not about numbers. It's not that 100 people said yes and, you know, 50 people said no. It's the quality of the comment that really is what matters to them, and having some sort of sophistication, an understanding of the actual issues, and being able to present that, is something that the people who
adjudicate these rules and decide how they should be shaped really look at. So these public comment periods are something that, if you're interested, are some things that you should take seriously. I actually think it would make a great DEFCON presentation to just go through where to find these public comment periods and, like, how to engage with them, because it is,
this is how the government, like, there's this feeling that the government is in this ivory tower and you can't communicate with them, and it is actually not true at all. Like, they are required by law to solicit input from the public whenever they come out with a lot of major rules. And so, another time, but there is in fact a lot of opportunity. Yes.
DEFCON policy will be able to help you. I'll be able to connect you with
folks, you know, depending on what you're looking at. Everyone, thank you so much, thank you for coming, thank you, thank you to the people that were standing the whole time, and again let me know if you want a sticker, and hope to see you around.