Industry breathes a sigh of relief as legal threat recedes

US Computer Fraud and Abuse Act: What the landmark Van Buren ruling means for security researchers

ANALYSIS Following years of consternation, the US legal landscape appears to have tilted decisively in favor of ethical hackers, as a recent Supreme Court decision effectively narrows the scope of what constitutes ‘unauthorized access’ under the Computer Fraud and Abuse Act (CFAA).

The CFAA dates back to 1986. Although the legislation has been subject to a series of amendments over the years, civil rights groups and computer security professionals have continued to criticize its many perceived shortcomings.

Most concerns focus on the law’s scope, with critics arguing that the CFAA has been extended far beyond the objectives policymakers laid out when they drafted it more than three decades ago.

The CFAA now covers “a broad range of conduct far beyond its original intent”, according to the US National Association of Criminal Defense Lawyers (NACDL).

Concerns about the CFAA have centered mostly on the way the act makes using a computer “without authorization” a criminal offence.

Given that there is no accompanying definition of what “authorization” entails, this raises the specter of computer users inadvertently breaking federal law for things like using an application in a way that breaches its license agreement.

And the act’s broad provisions make huge swathes of computer security work, including ethical hacking, penetration testing, and participating in bug bounty programs, fraught with legal risk.


But a fresh Supreme Court decision in Van Buren v. United States limits the act’s scope in a way that could make cybersecurity professionals’ work easier and less anxiety-inducing.

As explained by a team of privacy lawyers from Cooley, a California-based legal practice, the Van Buren decision “appears particularly favorable to cybersecurity researchers, whose work often involves accessing computer systems in ways that violate terms of service or other policies”.

According to the legal team, the latest Supreme Court decision mitigates the threat to security researchers by “rejecting the view that the CFAA allows criminal penalties for violating circumstance-based access restrictions” and placing more onus on the information that is subsequently obtained.

The Daily Swig asked industry experts for their views on the decision and how it may impact information security professionals in both the US and beyond:

Jordan LaRose, managing consultant for incident response at F-Secure

The much-maligned CFAA, created nearly 40 years ago when computers were in their infancy, was a constant threat to security researchers and practitioners seeking to exploit and document vulnerabilities for the betterment of cybersecurity.

Researchers must always take steps to distance themselves from the constraints of this law in how they pursue and publish their research. At best, this slows the process and at worst deters it altogether.


The reason this decision is such a landmark for our field and a positive portent for the future is that it contradicts opinions and decisions filed by circuit courts previously that pushed for charges under the CFAA simply because the defendants used software in a way that violated private agreements or corporate policies.

In order to understand the mind of a malicious actor, we must often think, act, and develop just as they would. Working in security already creates plenty of paranoia through battling people who could steal your identity or destroy your digital life. Seeing the Court move away from antiquated laws … and promote a healthy cybersecurity community is some of the best news we've had in years.

Ben Carr, chief information security officer, Qualys

The intent of the law itself, to prosecute hackers, is valid. But its ambiguity has long posed a potential problem for the security industry. A lot of legitimate activity such as ethical hacking or investigation research could technically be in breach of the CFAA, if it were interpreted incorrectly.

The debate here centers around who is at fault if someone gains unauthorized access. For example, if a systems designer gave a higher level of access to a user than they were intended to have, it should be considered the fault of the designer rather than the user themselves.


The responsibility should lie with the system’s owner, and this latest ruling appears to support that view. The Supreme Court’s ruling is certainly a step in the right direction to gaining more certainty on the remit of this law, but the ambiguity still remains.

We need to deter and prosecute actual [criminal] hackers. If lawmakers can work alongside cybersecurity experts to use their input when scoping out new regulations at the point of their design, this could make the process more effective at catching the bad guys and avoid waiting nearly three decades for clarity.


Corey Nachreiner, CTO, WatchGuard Technologies

The biggest problem with the Computer Fraud and Abuse Act (CFAA) is that it is too vague. That vagueness leads to overly broad interpretations and usages of the law in situations that may not apply.

The CFAA is too imprecise to cover all types of cybercrime and attacks, but has also been used to prosecute those with ultimately good intentions. For instance, security researchers often test systems by seeing if they can bypass some authorization control. This could be interpreted as “exceeding authorization” by the CFAA. The CFAA could be used to stop this valuable research.

Van Buren is [a case] that should prevent litigants from prosecuting users who leverage authorized access for security research or to gather evidence. But it also leaves a legal hole that could allow malicious insiders to get away with bad acts. We need more detailed laws to cover those types of cases.

Cyber law does need to exist. The best thing lawmakers – who generally don’t understand the technical nuances of cybercrime – could do is to work with the infosec community in helping to craft these laws.

Mike Anderson, chief digital and information officer at Netskope

The Supreme Court’s majority opinion recognized that violations of the CFAA “would attach criminal penalties to a breathtaking amount of commonplace computer activity”.

IT security professionals should look at the Van Buren ruling as an opportunity to thoroughly analyze how they can successfully authorize access to sensitive information to only those who need it most. It will require an even more proactive approach to security measures.

The ruling also suggests that penetration testers and ethical hackers will need permission to hack into [sensitive] files to prove they did not exceed authorized access.

The federal government has a responsibility to keep its data and systems, and by extension, the country and its citizens safe and secure. And government entities need to be aware of the issues to defend against them.

Updated policies around how we communicate vulnerabilities and keep that data safe, particularly for federally sensitive data, are warranted and essential.

Additional reporting by James Walker.
