Are Cybersecurity Researchers an Endangered Species?
As cybersecurity concerns become more prominent, it is becoming harder to be a cybersecurity researcher due to legislative constraints on the field.
Barely a week goes by in IoT without some outrageously titled article about yet another connected device being hacked. In the last few weeks, we've seen a connected car wash, Segway scooter, and fish tank hacked, and a smart gun unlocked and fired thanks to a magnet at the latest DefCon. However, when you dig a little deeper, it's easy to discover that most publicly declared hacks are actually the work of researchers who work in academia or cybersecurity companies, not cyber criminals who buy malware on the dark net, and these researchers are keen for the exposure their work brings.
Last week almost every news outlet reported on the arrest of malware researcher Marcus Hutchins, aka @malwaretechblog, by the FBI as he was leaving the latest DEFCON, for allegedly being part of the distribution of the banking malware Kronos in 2014. Hutchins was, of course, the cyber superstar and hero of many when he found and pulled the kill switch on the WannaCry ransomware this May. Hutchins was released on bail this week but is awaiting trial later in the year.
Last week also brought the news that a bipartisan group of U.S. senators has put forward new legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, to address the significant security problems of the Internet of Things. The new bill, introduced on Tuesday, would require vendors that provide connected equipment to the U.S. government to ensure their products are patchable and meet industry security standards, according to Reuters. A notable part of the legislation is that it adds a research exemption to existing statutes, including the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act (CFAA).
What's the Big Deal?
The Computer Fraud and Abuse Act (CFAA) is a particularly contentious piece of legislation when it comes to cybersecurity research. It's openly criticized by many in the tech space, including Brian Krebs of Krebs on Security, who asserts that it has been abused by government prosecutors and companies to intimidate and silence security researchers.
A notable example is the case of dental computer technician and software security researcher Justin Shafer of Texas who found himself facing possible prosecution under the CFAA after exposing security breaches in dental industry software. Shafer was responsible for exposing the fact that Dentrix software, produced by Henry Schein Dental, was misleading customers when it claimed to provide “encryption.” In collaboration with DataBreaches.net, he exposed the vulnerability and filed an FTC complaint that recently resulted in Henry Schein signing a consent order to settle Federal Trade Commission charges.
You might think that a software company would be grateful to be made aware of a significant security breach, but according to Dissent Doe, a pseudonym for a group of cyber activists:
"Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it 'without authorization' and should be charged criminally under CFAA."
Instead of commendation or kudos, being ignored or dismissed is the most common outcome. In 2014, Cesar Cerrudo wrote a blog post revealing vulnerabilities in traffic light systems in cities such as New York and San Francisco. He shares that when he took his concerns to the vendors, they were dismissed as unimportant:
"For instance, regarding one of the vulnerabilities, the vendor said that since the devices were designed that way (insecure) on purpose, they were working as designed and that customers (state/city governments) wanted the devices to work that way (insecure), so there wasn't any security issue."
So What About This IoT legislation?
The efficacy of the legislation is questionable. According to research academic Ariel Rabkin, it's unclear which researchers the legislation protects, with the legislation referring only to those "engaged in researching the cybersecurity of an Internet-connected device of the class, model, or type provided by a contractor to a department or agency of the United States."
He questions, "Does the statute mean to cover independent security researchers, or does it mean to only apply to those working in close cooperation with government contractors? The ambiguity could be resolved easily enough and should be."
Let's be clear, legislative amendments are hardly quick. A temporary exemption to the Digital Millennium Copyright Act (DMCA) began in October last year after several years of discussion, lobbying, and delays. The DMCA makes it illegal to circumvent controls that prevent access to copyrighted material. The result is that prior to the exemption, researchers couldn't investigate and discover security vulnerabilities if doing so required reverse engineering or circumventing controls such as obfuscated code. Now researchers must meet a range of criteria to undertake their research legally. However, in a Catch-22 kind of scenario, one of these criteria is that the rule does not exempt researchers from other laws such as the CFAA, the very legislation that is called upon when charging security researchers.
What Happened to Justin Shafer Next?
This is where things get weird. No charges were filed against Shafer following the May 2016 raid. In January 2017, he was raided again, and still no federal or state charges were filed. Then on March 31, the FBI raided Shafer for a third time and arrested him for cyber stalking. Not hacking, not anything to do with FTP servers, but cyber stalking, alleging he made comments about FBI agents and their families on social media.
Things get murky after this. A condition of Shafer's pretrial release was that he not use social media. He wrote a blog post and ended up back in custody for breaching these conditions. There's been no news since, and presumably he'll stay there until the cyber stalking allegations go to trial.
We Need Security Researchers
It's easy to think of security researchers as noble adventurers on a quest to protect consumers and businesses from the evils of an insecure cyber world. I'm more compelled to believe that security experts seek the kudos (both in regard to reputation and commerce) that their efforts can bring in attracting future paid work. There is absolutely nothing wrong with this.
Security research is what keeps computer users safe. Without being aware of security vulnerabilities we cannot fix them, and we cannot make better computer systems in the future. While it is indeed possible that some experts may cross over to the dark side, they should be given the benefit of the doubt and be considered innocent until proven guilty. Until tech makers and users start questioning the (inadequate) protections afforded to security researchers and agitating for change, researchers remain in a state of insecurity.