The legislation is a bipartisan bill that was introduced last year (2019) by Sens. Richard Blumenthal (D-Conn.), Sheldon Whitehouse (D-R.I.), and Lindsey Graham (R-S.C.). The bill has been passed on to the President of the U.S. for approval.
The main concern with the new legislation relates to foreign hackers targeting the 2020 elections. This process is seemingly already underway: Microsoft has announced that it has seen evidence of hackers in Russia, China, and Iran targeting political groups.
Looking at the issue, Casey Ellis, founder of the company Bugcrowd, states that the new legislation, while intended to make systems safer, would also criminalize the efforts of ethical hackers. These are security researchers who spend their efforts uncovering systemic weaknesses in voting systems and then bring the issues of concern to the attention of legislators. According to Ellis, the new bill represents a backwards move and one that would ultimately be counter-productive.
An ethical hacker is a person who examines the security of computer systems by looking for weaknesses and vulnerabilities in target systems. These researchers use knowledge and techniques similar to those of a typical malicious hacker; however, the outcome is different. The ethical hacker operates in a legitimate manner and brings weaknesses in a given system to public attention so that the system can be improved.
Ellis says that: “By enacting the Act, the U.S. government seeks to deter adversaries from meddling with the voting process. However, the biggest impact is potentially criminalizing the actions of good-faith hackers conducting security research to help secure the election process.”
He adds that: “If security researchers are legally unable to discover vulnerabilities in voting systems, then malicious hackers have an open field to exploit undiscovered vulnerabilities within electoral systems.”
There are more factors to consider, according to Ellis: “This bill could make ethical security research of second-hand and aftermarket voting equipment illegal. This will have a practical impact on the ability for voting machine security research to be conducted.”
Further to the legislative agenda, Ellis notes that: “The Computer Fraud and Abuse Act (CFAA) was originally passed by Congress in response to growing threats from malicious actors, yet it prevents security researchers from doing their job.”
There are also broader lessons for security services to consider, which Ellis summarizes as: “Cybersecurity leaders have an obligation to support the ethical hacker community as they defend the safety of the Internet.”