In my newsfeed are articles in prominent publications discussing the problems with the federal Computer Fraud and Abuse Act from very different perspectives.
In the “the CFAA is dangerous for security researchers” corner we have White Hat Hackers and the Internet of Bodies, in Law360, discussing how precarious the CFAA (and presumably, the state hacking laws such as Texas’ Breach of Computer Security / Harmful Access by Computer laws) and Digital Millenium Copyright Act can be for security researchers.
In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.
Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?
This reminds me of a piece I wrote about the CFAA and the broader national policy discussion a few years ago, Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue? In that piece I stated,
The CFAA has become a national lightening rod with many loving it, many hating it, and far too many loving it and hating it at the same time, without even realizing it. Before we go any further, however, consider this quote:
The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.
Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?
I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.
Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?
What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?