Let me tell you about Dave*.
We met a while back and would chat whenever we happened to run into each other. That is, until one day I mentioned a cyber security event for high school students that I was planning called 1NTERRUPT. His eyes lit up, after which the conversation steered towards the technical details. I was astonished by how clearly he knew his stuff. Finally, I stopped and said, “I thought you were a painter. How do you know all this?” He smiled, and said, “Yeah, about that…”
Turns out that by his teens, Dave was a knowledgeable coder who couldn’t resist a challenge. Even today when I mention the thrill of trying to outwit a skilled adversary or solve a difficult problem, you can see that fire in his eyes re-ignite. Unfortunately, at one point, he could not pass up the challenge of trying to crack a federal database. He spent three days and nights barely sleeping until he finally got in. Eventually he was caught and subsequently banned from working with computers. Now in his 30s, he has finally been permitted to work as a coder; he writes mobile apps, but he is permanently banned from federal employment.
Dave should have been punished for his transgressions, but I still believe our cybercrime laws sometimes go too far. In any situation, a law should do three things: it should be written using a solid comprehension of the issue it is meant to address; it should be narrowly focused to reduce the risk of abuse; and it should be applied consistently and fairly. I would argue that current cybercrime laws like the Computer Fraud and Abuse Act (CFAA) meet none of those criteria. Furthermore, I would assert that these laws serve the unintended consequence of aiding the cybercriminal groups from whom we need protection by driving away the people whose help we desperately need.
Allow me to cite an example. Back in May, an article published in The Guardian detailed a number of incidents where the CFAA was used to threaten legitimate researchers to the point where some now have started walking away from the research field altogether. How are we supposed to mount an effective defense when the law can’t distinguish between defense and offense? How are we supposed to recruit future defenders when kids read about the tragic case of Aaron Swartz and see major corporations like Oracle fighting against pragmatic reform of the CFAA?
Here’s my prediction for the future if no changes are made to the CFAA and if new laws of its ilk (CISPA/CISA in the US, DRIP in the UK, etc.) are passed: kids who are still willing to learn about cyber security in accordance of those laws will have a substandard skill level, which puts our defense at a disadvantage. Kids like Dave, whose tenacity and complex problem-solving skills are of the utmost value in defeating complex threats, will still find ways to satisfy their curiosity, activities which may or may not be legal. Unless we can find ways to help them channel that curiosity in safe, positive ways, we run the risk of putting more kids through the legal ringer and casting them out, or worse, turning them against us.
I would like to see communities establish/support hacker spaces and create cyber defense events where kids can learn and experiment with these techniques without having to worry about running afoul of the law. This was one of my motivations for creating 1NTERRUPT. I also believe it is on us in the security community to help educate the public, as well as help policy makers understand the value of creating effective, targeted cybercrime laws. (Please see my blog post regarding my proposals on reform of the CFAA.) Until then, the more legitimate researchers are persecuted, the more Daves of the world have no options to safely advance their skills. Sadly, in this world, our cybercrime laws would not only aid the criminals; it would make new criminals out of our defenders.
* Dave is not my subject’s real name, and I’ve changed some identifying details so as not to expose this person’s identity.
By Marc Blackmer, Founder, 1NTERRUPT
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.