06 Aug
This 80s-era criminal hacking law scares cybersecurity researchers
LAS VEGAS — Since it was instituted in the 1980s, the Computer Fraud and Abuse Act has been the government’s primary tool for going after malicious hackers. But it has also drawn the ire of cybersecurity researchers who fear the law is too broad — and potentially criminalizes some of the things they do to help make systems safer.
At the Black Hat USA security conference Wednesday, a top Department of Justice official tried to convince a ballroom of cybersecurity researchers that they shouldn’t be afraid.
“We have a great deal of respect for the people in this room,” Leonard Bailey, special counsel for national security in the Department of Justice’s Computer Crime & Intellectual Property Section, told the group. “My goal today is to provide information you can use to better manage your risk when you do what you do.”
Prosecutions of criminal computer fraud are a small part of what the agency does, Bailey said. But cybersecurity professionals should think carefully about the scope of their research and the way they approach companies when they discover a security flaw, he said.
The CFAA was passed in 1986 — an era in which computer crimes were often poorly understood on Capitol Hill. This was more than a decade before the Internet became part of most Americans’ everyday lives, and lawmakers’ view of hackers was largely shaped by Hollywood: A 1983 hearing on computer security started with a clip from the movie “WarGames,” which featured a teenager nearly causing a nuclear war after accidentally hacking into government computers.
The law has been broadened over the years — to the point where some prosecutors have used it to go after people for things like violating a Web site’s terms of service. (Think about that the next time you “borrow” someone’s HBO Go login.)
One of the most high-profile prosecutions under the CFAA was that of Aaron Swartz, a reddit co-founder and online activist. Swartz committed suicide in 2013 while facing felony charges after allegedly downloading millions of documents in bulk from a scholarly database — a terms of service violation.