“The Cyber:” Everything You Need to Know About Computer Security Research and More
Written by Chris Calabrese
In the early 1980s, two Hollywood screenwriters had an idea for a Cold War techno-thriller. The pitch: a teenage hacker “war-dials” telephone numbers (basically writes a script that calls numbers automatically looking for a modem to connect to) and inadvertently reaches a NORAD supercomputer. Hilarity ensues as the hacker plays chess and other games with “WOPR” (a computer designed to predict the outcome of a nuclear war that can also launch the missiles) until he accidentally runs a wargames simulation that almost leads to nuclear war.
That movie, 1983’s Wargames, almost never got made because the writers thought their premise too incredible. Surely, they believed, a NORAD supercomputer would never be accessible by a suburban teenager — the security would be too tight. As recounted by journalist Fred Kaplan, however, the writers did their homework and visited with a pioneer in the emerging field of computer security research, Willis Ware, then of the RAND Corporation.
Ware assured the writers that even a government machine might have a backdoor, just so the programmers could literally telecommute on the weekends. The writers continued writing, the movie was released, and it made a bunch of money while popularizing the nascent “hacker” subculture. Indeed, when President Ronald Reagan saw it opening weekend, he was so concerned about the implications of the film that he sent the federal government on its first foray into cybersecurity policy.
Almost four decades later, “the cyber,” as President Trump called it in his first debate against Secretary Hillary Clinton (which was the first debate to even feature the term “cyber”), continues to bedevil and fascinate the country. Newspaper headlines are dominated by cyber story after cyber story, including the ongoing national dialogue about Russian interference in the 2016 election.
Of all of this attention to cybersecurity issues, however, too little is being paid to arguably the most important constellation in the cyber universe: the thousands of researchers who toil, often in obscurity, to identify and mitigate cybersecurity vulnerabilities. And yet, this research is more important than many of us not in this world can appreciate.
To give just one compelling example, the October 2016 report from the director of national intelligence, and the heads of the FBI, Department of Homeland Security, and CIA made a splash largely because of the finding that Russian intelligence used the release of hacked emails from the Democratic National Committee and others to undermine then-candidate Hillary Clinton and benefit the campaign of now President Trump. But buried in that report was this one sentence: “Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards.”
That’s terrifying. For years, the conventional wisdom has held that “hacking” an election would be exceedingly difficult, because the hacker would have to have some sense of which states would end up being determinative of the final result, and would have to then coordinate an attack aggressive enough to change the appropriate number of votes but clandestine enough to not get caught.
Now, however, that conventional wisdom is starting to change. Although security researchers have shown repeatedly that electronic voting machines are almost invariably open to attack (and that the only secure solution is to couple electronic voting with an auditable paper trail), more than a dozen states have dramatically insecure voting machines without said paper trail. Though this election may have been about “doxxing” (releasing embarrassing emails about the Clinton camp), the next could very conceivably be a story about a hack that actually changes votes. And this is doubly concerning given that the margin of victory in the three most important swing states — Michigan, Wisconsin, and Pennsylvania — was on the order of 80,000 votes.
Unfortunately, the security researchers whom we rely on to identify security flaws in our voting machines (and our connected cars, our wi-fi enabled pacemakers, our “Smart” thermostats, etc.) face a battery of legal and policy challenges that need to be addressed to encourage and protect responsible security research, which is essential to lift all cybersecurity boats.
For the past year, through a generous grant from the Hewlett Foundation, CDT has been exploring the landscape of computer information security research. We are engaged in an anonymous qualitative survey of security researchers to identify key themes and challenges in their work. We convened a two-day conference in Washington, D.C., with stakeholders from government, academia, industry, civil society, and the security research community to foster conversation on these key issues.
We’ve released a comprehensive white paper that we hope will help frame these conversations going forward. Our paper, titled “The Cyber: Hard Questions in the World of Computer Security Research,” takes a deep dive into four areas of focus. They are:
- The Law. Laws like the Computer Fraud and Abuse Act and the Digital Millennium Privacy Act can expose bona fide security research and researchers to potential legal scrutiny for harmless quotidian activity like internet scanning or automatically gathering publicly available data on the web. We look at these laws and a few others (including export controls), and suggest possible avenues for reform.
- The Enforcer. The Department of Justice has guidance on the books (recently disclosed publicly) that, among other things, requires prosecutors in the field to consult with the computer crime unit at DOJ before bringing charges. CDT’s white paper analyzes this guidance with an eye to identifying other areas where prosecutorial discretion could be applied to limit risk for socially beneficial research.
- The Incentives. Commercial “bug bounty” programs, which pay researchers for identifying and disclosing vulnerabilities, have exploded in recent years, as have non-remunerative policies for vulnerability disclosure that give researchers some comfort they will not be sued if they follow certain coordinated disclosure rules. We look into whether these programs and policies are successful and effective, and if there are best practices for such policies that companies should seek to adopt.
- The Ethics. Arguably the most fraught issue in computer security research today is whether the research “community” (which is fractured, to say the least) can or should agree on ethical “redlines,” like experimenting on a live system that could impact non-consenting users, that a researcher should never cross. On the one hand, many in the community argue that indeed such redlines are identifiable, and, in many cases, serve to constrain behavior in the wild. Others argue, however, that, even with the best of intentions, ethical redlines will be adopted by generalist judges and prosecutors as legal tests for laws like the CFAA, which could have severe unintended consequences.
Emphatically, we’ve held off in our white paper from making hard-and-fast policy prescriptions. Our intent, rather, was to create a document that would survey the legal and policy landscape such that interested readers would be able to dip in and out and quickly identify the most pressing questions that practitioners struggle with today. We hope that this document will frame the conversation going forward, and that it can be used by those interested in this policy debate to come to firmer conclusions about these difficult questions.
And these questions aren’t going away. “The cyber” will undoubtedly be one of the most impactful policy questions our society faces for decades to come. Everything we do, everyone we interact with, every thought we have, every move we make — all are facilitated, tracked, and influenced by our digital selves, and the computers that make these things possible.
Security in our connected devices isn’t just a matter of privacy or economics—often it’s a matter of physical and mental safety. And, if the election hacking story suggests anything, it’s that cybersecurity even goes to the integrity of our very way of life as a free society.
We hope this white paper serves as a helpful resource to the interested and invested. Please stay tuned to the CDT blog for a series of posts summarizing each of these “hard questions” and our findings.