This blog post focuses on one of the remaining 14 pending amendments to the Cybersecurity Information Sharing Act (CISA). Amendment S.754 was proposed by Senator Whitehouse (D-RI), and would effectively expand the federal anti-hacking statute, the Computer Fraud and Abuse Act (CFAA), 18 USC 1030. We blogged about an earlier version of this legislation over the summer and have been in discussions with Senate staff off and on since then.
The Whitehouse amendment is significantly better than earlier versions, but we think it needs more work. Several of CDT’s most serious concerns have been mitigated, and the sponsors deserve credit for being open to feedback from civil society and security researchers. The revised amendment constrains the legislation’s “Shutting down botnets” section to violations of Sec. 1030(a)(5) of the CFAA, which helps address CDT’s concern that the section would be used for computer crimes unrelated to botnets. The revised amendment also modifies the “Stopping trafficking in botnets” section to reduce the risk of criminal penalties for paid security researchers that disclose exploits publicly or at conferences.
The Whitehouse amendment is significantly better than earlier versions, but we think it needs more work. Several of CDT’s most serious concerns have been mitigated, and the sponsors deserve credit for being open to feedback from civil society and security researchers.
While these are major improvements, CDT continues to oppose Senator Whitehouse’s S.754 amendment to CISA. Here is why.
- CDT believes Congress should not expand the CFAA, as this amendment does, without also including limiting language to re-balance the statute. For example, the amendment would be better if an excerpt of Aaron’s Law (perhaps Sec. 4, which makes modest changes to CFAA penalties) were included to balance out the amendment’s new criminal authorities.
- The amendment’s “Shutting down botnets” section [pg. 2] empowers the government to seek injunctions directing companies to take unspecified “other actions” – which can include hacking or modifying computers whose owners have committed no crime. [Pg. 3, line 7.] The amendment provides companies with immunity for anything that goes wrong – such as if the server of a hospital or small business is knocked offline. Company immunity is appropriate since the companies would be acting under government orders. [Pg. 3, line 11.] However, a victim of collateral damage may have no recourse since any suit against the government could be thwarted by sovereign immunity. CDT wants malicious botnets stopped, but any new authority to do this should provide protection to innocent users.
- The amendment would be better if it included a private right of action, or a requirement that the government demonstrate to the court that it has taken reasonable steps to minimize unintentional negative consequences.
- The amendment would also be better if it were clear that the government could only obtain the injunction for the purpose of correcting or repairing the damaged computers and preventing further damage.
- The amendment’s “Stopping trafficking in botnets” section is much broader than botnets. The section prohibits disclosure, for pay, of any “means of access” to any computer that is damaged if the disclosing party knows or has reason to know the paying party intends to use the means of access to damage the computer. [Pgs. 6-7.] Computers that are part of a botnet are “damaged,” as that term is defined under the CFAA, but around a third of all computers worldwide are “damaged” by malware in some manner. So any exploit of a vulnerability in commonly used technologies that can affect both damaged and undamaged computers, like popular software (such as MS Office, Java, Android, etc.), would qualify as the “means of access” computer for purposes of this provision.
- The amendment would be better if the “means of access” related specifically to botnets, which the amendment’s “Shutting down botnets” section loosely describes as 100 or more computers damaged in a 1-year period.
- CDT has reservations about the “reason to know” mens rea (the state of mind necessary to convict an individual of a crime). This language encompasses scenarios in which one security researcher sells an exploit to another researcher or company. If the first researcher has any “reason to know” that the second researcher might use the exploit unlawfully, the first researcher commits a felony – even if the second researcher never uses the exploit or has no intention of committing a crime. CDT wants to curb the sale of exploits to bad actors, but the legislation does not require that the purchaser of the exploit be a bad actor. We believe a better standard would be if the trafficker “knew” that the paying party would use the means of access to damage a computer. We understand the counterargument that a strict knowledge standard would create a loophole for willful ignorance, but the “reason to know” standard may still lead to unfair results.
We sincerely appreciate the hard work of Senators Whitehouse and Graham to revise the amendment to limit the potentially harmful impact on security researchers and innocent parties. However, the amendment ultimately broadens a cybercrime law that is already too broad, and does so in ways that can produce undesirable consequences.