Samuel Bucholtz, from Casaba Security, talks about hacking regulation and legislation with CSO in a series of topical discussions with industry leaders and experts.
Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. This week CSO is posting the final submissions for the second set of discussions examining security research, security legislation, and the difficult decision of taking researchers to court.
CSO encourages everyone to take part in the Hacked Opinions series. If you have thoughts or suggestions for the third series of Hacked Opinions topics, or want to be included as a participant, feel free to email Steve Ragan directly.
What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?
Samuel Bucholtz, co-founder, Casaba Security (SB): Our lawmakers need to realize that cyber security is very distinct from intelligence gathering and law enforcement activities.
We can see this challenge at the core of the NSA itself. The agency has always been responsible for defending our country’s cyber assets while at the same time gathering intelligence and perhaps playing a more offensive role. This dichotomy has led to the very real and insoluble internal struggle within it: when a vulnerability is found, do you preserve its secrecy and exploit it for gain, or do you warn those you protect and get it fixed to prevent their exposure? New laws should try to address this state of affairs, not extend or even compound it.
We continue to see this misconception played out in threat intelligence sharing bills, the most recent version of which is the Cybersecurity Information Sharing Act (CISA), which recently passed in the Senate. The confusion is at two levels - first, that cybersecurity should be used in tandem with law enforcement and intelligence gathering to enable, support or reinforce those activities; and, second, that by doing so they won’t jeopardize Americans’ personal privacy and freedoms by giving too much power to the government.
It’s imperative for Congress to begin seeing cybersecurity in more focused terms - specifically, as a way to protect businesses and critical infrastructure. At the same time, it must also understand the inherent risks in cybersecurity as a potential surveillance tool - and it must do all it can to protect Americans’ personal freedoms and privacy.
Intelligence gathering and law enforcement activities are by their very nature a violation of privacy. We as citizens tolerate this violation because it is supposed to be controlled by a level of due process - namely, judicial review and the issuance of warrants. Cybersecurity activities are executed by private parties with no such judicial review. Thus at a minimum any law enacted should guarantee basic protection of citizens’ privacy. As part of this protection, businesses should never be asked to provide non-anonymized data without a warrant.
What advice would you give to lawmakers considering legislation that would impact security research or development?
SB: Too often lawmakers, government regulators and other public officials equate cybersecurity research and development with ‘weapon-making’ or ‘cyber arsenals.’ This taints the entire industry and undermines public and government support for this research and the programs (few that they are) that support it. Future legislation needs to properly equate security R&D with the protection of consumer privacy, personal freedoms, business interests and national security.
Treating software as a concrete asset (munitions, trade secrets, etc.) is a losing battle. A good example of this is the current Wassenaar Arrangement, which seeks to restrict intrusion software sales overseas much like traditional military technology. Software is fundamentally an idea that cannot be stopped without some type of thought control. Extending this metaphor, the creation or possession of an idea cannot be outlawed. The only thing that can or should be criminalized is the use of such ideas. A security tester using a “weaponized” piece of software on their own property should be treated the same as a person smoking a cigarette in their own home.
Instead of writing laws that prevent research or threaten those performing the research, lawmakers should focus on enabling the free exchange of ideas without arbitrary restrictions; after all this is what makes science work in all its other forms.
If you could add one line to existing or pending legislation, with a focus on research, hacking, or other related security topic, what would it be?
SB: I would draw a big red line through the entire CISA bill as it is currently written (as of October).
The bill fails, as many attempts at government regulation do, in being too broadly worded and poorly defined to fairly protect the citizens of this country. Cybersecurity professionals spend much of our time finding the loopholes in poorly written software, but it often takes time and effort. It takes no time to find the loopholes in the currently written bill.
Now, given what you've said, why is this one line so important to you?
SB: In my view, CISA, in its current form, represents a serious threat to personal privacy and freedom. It’s a totally misguided piece of legislation - it does very little to balance the needs of national and business security with those of user privacy. It’s heavily tilted in favor of the law enforcement and intelligence communities and leaves consumers out in the cold.
As the Electronic Frontier Foundation noted in its analysis of the bill back in March: "The public won’t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act."
This is the type of heavy-handed cybersecurity legislation that we need to avoid, and it’s propagated through Congress’ misunderstanding of what cybersecurity should be used for. CISA is essentially about protecting corporate and intelligence agency interests, not the people’s interests. It shields corporations from prosecution; it essentially makes classified the details of what types of data are being trafficked by corporations and government agencies and how they’re used.
This law is impenetrable by the courts and exempt from the Freedom of Information Act, and therefore it’s far too powerful and risky to implement. We cannot give the business community, law enforcement and government that much power and control over everyone’s information.
CISA is a great example of why we need a digital Bill of Rights that declares our basic freedoms when it comes to technology, and converts our most basic liberties into language relevant to the digital age.
Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?
SB: No, I don’t. Threats don’t work, particularly for the research community. No one has the power any more to stop ideas, to stifle the free flow of information, to prevent people from asking questions or finding new ways to think about things or to solve problems. It is far better for companies and government agencies to work with the research community rather than to antagonize it.
Doing so will only make them a bigger target, and, besides, the research community is doing valuable work that mostly benefits the security of these companies and the US at large.
I think it is reasonable to ask a researcher to delay their announcement and most professionals will do so, but the mistake was made by the company who released the vulnerability in the first place, not the person who discovered it.
If companies do not want the “embarrassment” then they should spend more resources upfront trying to prevent it from happening. If their processes are so complicated that releasing a fix for their customers takes a long time, then they should reengineer their processes to allow for quicker turnaround.
What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?
SB: Statistics, trending data and anonymized data are all fine things to provide to the government. The government should in turn be collecting and sharing all the data they get with the rest of us. However, cybersecurity activities should be Chinese-firewalled from intelligence gathering activities.