Last night President Obama devoted more time to cybersecurity than any previous president has in a State of the Union address. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many within the security community believe that the president’s proposed cybersecurity legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.
“Obama’s recommended cybersecurity legislation will do absolutely nothing to stop the hackers we’re concerned about or protect any of the companies who were victimized. It certainly won’t protect ‘the children,'” says Jeremiah Grossman, founder of WhiteHat Security. “What the proposed legislation would do is criminalize professional routine security research that’s been crucial in protecting companies and citizens at large. This outcome would be disastrous.”
Of particular concern is the proposal to update the Computer Fraud and Abuse Act. Some of the proposed “modernizations” include expanding the “exceeding authorized access” language to cover any kind of authorized access for a “purpose that the accesser knows is not authorized by the computer owner,” a new definition ripe for broad misinterpretation by the courts.