As Digital Journal reported, the U.S. legislature recently approved a new legal framework termed ‘The Defending the Integrity of Voting Systems Act. This Act could make hacking federal voting systems a crime, and issue is of importance for the way companies currently work and may need to work in the future, in terms of assessing and protecting their own systems.
Providing an update on the bill and the overall issue for Digital Journal Casey Ellis, Chief technology Officer at Bugcrowd. The Computer Fraud and Abuse Act (CFAA) was originally passed by Congress in response to growing threats from malicious actors, yet, according to Ellis, it has come to serve as a barrier for the betterment of our society by barring security researchers from doing their job.
In the context of the discussions, online voting vendor Voatz filed an amicus brief supporting the broader interpretation of the CFAA, in part to dissuade the work of ethical hackers. Responding to Voatz’s argument, Ellis and other Disclose.io members wrote a letter in September outlining why security research and the work of ethical hackers are vital to the public’s best interest.
looking at the situation, Ellis says: “Van Buren v. United States is extremely important because it has the potential to put a stop to any broadening of the scope of the Computer Fraud and Abuse Act (CFAA). The CFAA was originally passed by Congress in response to growing threats from malicious actors, yet it serves as a barrier for the betterment of our society by barring security researchers from doing their job. Every time that it is broadened, good-faith hackers are disproportionately affected.”
Looking at the Supreme Court discussions, Ellis notes: “Much of the hearing was a reflection of the dramatic shifts in how computers and computer networks work between 1986 when the CFAA was first penned, and 2020. The role of Terms of Services agreements, the difference between technical and authorized access, the need for prosecutorial protection against clearly malicious actors, and the overall ambiguity in distinguishing between “legal and illegal” in modern computer systems.”
However, there is hope for change, as Ellis indicates: “While the conversation of directly impacting cybersecurity research was only lightly addressed, many of the concepts flagged in an Amicus Briefing from the EFF, CDT, Bugcrowd and others, and the subsequent letter from congress people, security companies, and cybersecurity researchers were covered in the argument.”
In terms of the importance of the issue, Ellis summarizes: “Cybersecurity leaders have an obligation to support the ethical hacker community as they defend the safety of the Internet. If the CFAA’s definition of “exceeds unauthorized access” is allowed, it risks criminalizing any acts that violate a website’s terms of services, from lying about your name on a web form to the socially beneficial security testing that ethical security researchers undertake. This works directly against the goals of a safer and more resilient Internet.”
