
A Cancerous Computer Fraud and Misuse Act

Gunter Ollmann

As I read through multiple postings covering the proposed Computer Fraud and Misuse Act, such as the ever-insightful writing of Rob Graham in his Obama's War on Hackers or the EFF's analysis, and the deluge of Facebook discussion threads where dozens of my security-minded friends shriek at the damage passing such an act would bring to our industry, I can't help but think that surely it's an early April Fools' joke.

The current draft/proposal for the Computer Fraud and Misuse Act reads terribly and, in Orin Kerr's analysis, is "awkward".

The sentiment behind the act appears to be a lashing-out response to the evils that have recently been perpetrated by hackers — such as the mega breaches, DDoS attacks, password dumps, etc. — without any understanding of how the "good guys" do their work and operate at the forefront of stopping these evil-doers.

For those non-security folks, the best analogy I can think of is that a bunch of politicians have been reading how attackers are using knives to cut and stab people in their criminal endeavors, and that without knives those crimes would not have happened. Therefore, to prevent knife-based crime, they legislate that carrying a knife, manufacturing a knife, or using a knife to cut flesh, is punishable with 20 years prison.

Unfortunately, the legislation is written so poorly and generically that the definition of "knife" includes butter knives and scalpels — and overnight the medical profession of surgery becomes illegal. Even those poor souls who have been stabbed by a criminal can no longer be saved by a scalpel-wielding doctor.

That, in a nutshell, is what many feel the impact of this act will be on the Internet security industry. Penetration testing, bug hunting, and vulnerability research will be caught by this and, as Rob Graham postulates, there is reason to speculate that even posting a link to a vulnerability could land both the poster and the clicker on the wrong side of the law.

One of the budding industries that will feel this the most will be threat analysis and companies/services that focus on early alerting and attribution of cybercrime. And that in my mind is particularly ominous.

Now, with all that said, is the act salvageable? Maybe — but it'll need a lot of work. I've heard a few folks argue that this US act is very similar to the UK's Computer Misuse Act of 1990. I mostly agree that a parallel act in the US would be helpful in dealing with the current plague of cybercrime, but what's been proposed thus far has the polish and refinement of a rusty piece of barbed wire.

The only organization that'll benefit from the act as proposed right now is the US' privatized incarceration services.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft