Improve Cybersecurity by Allowing Vulnerability Research
Written by Erik Stallman
Today, the White House is bringing together executives of major U.S. technology companies and leaders of technology policy organizations, including CDT’s own Nuala O’Connor, for a summit on cybersecurity and consumer protection. The agenda will focus on a range of issues brought to the fore by recent high-profile hacks into the networks of Sony Pictures Entertainment and the healthcare provider Anthem.
Unfortunately, one basic issue not on the agenda is removing unnecessary barriers to computer security research. Throughout the country, academics, engineers, and “white hat” hackers are working to uncover and repair security vulnerabilities in software and networks, and to understand and defang the malicious code that exploits those vulnerabilities. Paradoxically, some of this work may be illegal under current law.
As CDT explained in an earlier post, Section 1201 of the Digital Millennium Copyright Act makes the circumvention of “technological protection measures” controlling access to copyrighted works unlawful. That means a researcher who uncovers a software vulnerability by circumventing, for example, digital rights management (DRM) software, is breaking the law. Concerns over 1201 liability led researchers to delay publicizing information on potential exploits of Sony’s “rootkit” DRM, which ultimately infected half a million computers worldwide.
Last week, CDT filed comments with the U.S. Copyright Office asking it to recognize a 1201 exemption for computer security research. Noted cryptographer Bruce Schneier, copyright expert Pam Samuelson, law professor Candice Hoke, and computer scientist Douglas Jones joined the filing. Our comment asked that the Librarian of Congress grant the petition for exemption filed by Professor Matthew D. Green and the petition filed by Professors Bellovin, Blaze, Felten, Halderman, and Heninger. Both petitioners filed extensive comments in support of their petitions, providing evidence of genuine harm tied to the chilling effect of 1201 liability on computer security research and explaining why Section 1201’s existing exemptions for security testing and reverse engineering are insufficient.
Implementing a computer security research exemption will require certain standards with respect to how research is conducted and results are disclosed. The petition by Professors Bellovin et al. points toward existing ISO standards used by responsible companies engaged in security research for guidance. Standards for good-faith research and disclosure should also reflect the views and input of the academic research community. Unfortunately, the uncertain legality of computer security research under Section 1201 inhibits the full dialogue the research community must have to develop and implement appropriate standards.
As anyone who has had to download a seemingly weekly security update on his or her computer knows all too well, cybersecurity is always something of a cat-and-mouse game between malicious hackers and the individuals and entities trying to protect our devices and networks against them. Perhaps there is no “winning” this game, but there are some very straightforward steps we can take to improve our defenses. Among them, the Librarian of Congress, in consultation with the Copyright Office, should ensure that Section 1201 does not unnecessarily impede essential computer security research.