Security Researchers Need Better Laws

Article By : Ann R. Thryft

They are also striking parallels between today's hackers and ancient ninja warriors.

Although cybersecurity researchers and ethical hackers are increasingly valuable in catching security holes, last month’s redefinition of the 1986 Computer Fraud and Abuse Act by the U.S. Supreme Court did little to shield them from accusations of computer crimes. Many hackers and researchers say the law is woefully out of date, and can result in unfair charges filed against white hats for doing legitimate security research.

Without ethical hackers or penetration testers, more than half of product vulnerabilities would go undiscovered. Sometimes, the vulnerabilities they discover aren’t patched before bad actors use them in damaging intrusions.

For example, the massive Kaseya attacks have taken two towns entirely offline and affected at least 1,500 organizations. Many are calling it the biggest ransomware attack ever.

Months ago, ethical hackers reported a major flaw in Kaseya’s virtual system administrator (VSA) product. The Dutch Institute for Vulnerability Disclosure discovered seven VSA vulnerabilities and privately alerted Kaseya. The company patched most and scheduled the rest, but one used in the recent attacks remained unpatched.

Why we need third-party hackers

As discussed, attacks on U.S. industrial control systems (ICS) and operational technology, especially in critical infrastructure, just keep on growing.

Last year alone, Bugcrowd saw a 65 percent increase in reporting of the most critical security vulnerabilities. But this trend began even before the increases created by the Covid-19 pandemic.

According to Claroty’s 2H 2020 Biannual ICS Risk & Vulnerability Report, vulnerabilities affecting ICS products disclosed in the second half of last year jumped 33 percent over the first half. Most of them – 61 percent –were found by third-party security researchers: cybersecurity companies, academics, independent ethical hackers and hacker groups.

Independent cybersecurity research is growing. (Source: Claroty) (Click image to enlarge.)

“The growth of the ICS vulnerability research market is due to the rising awareness of the importance of securing critical infrastructure and the potential damages of a successful attack on these systems,” Chen Fradkin, security researcher at Claroty, told EE Times. “As demand for ICS security solutions continues to grow, more companies are introducing a wide range of products, consulting services and vulnerability research services in the [operational technology] world. There are zero-day programs and cyber hacking competitions such as Pwn2Own that attract more independent researchers to ICS as well.”

Ninja, samurai, hackers

Like independent security researchers, Japan’s famous ninja used similar tools, but each had their own style, and each invasion attempt was determined by unique conditions. Like today’s hackers, ninja didn’t always get the respect they deserved. I’ve been thinking about this since reading The Book of Ninja. Some techniques for penetrating a medieval castle’s defenses parallel hackers’ strategies for breaching enterprise cybersecurity defenses.

In addition to military strategy and tactics, The Book of Ninja contains instructions for using an amazing array of burglar’s tools, specialized weapons, explosives and poisons. It emphasizes infiltrating enemy samurai fortresses, social engineering and stealing passwords—common tools also used by black and white hats.

Some instructions sound like advice for hackers. For example, infiltrating while your samurai lord opponent is off-guard before any war starts is reminiscent of threat actors secretly infiltrating SolarWinds’ networks months before they infected its Orion software.

“You should glean information about the target house you wish to infiltrate by talking to people or by observation and then take the appropriate tools for the opening of the doors,” advises the Book. Because ninja were undercover agents sent to spy, assassinate or destroy—some of the most well-trained military units in history—no one knew who they were. They could be disguised as anyone, from traveling musicians and monks to beggars, merchants, even women (!), making it easy to pass as the retainers of an enemy samurai lord.

Indeed, a samurai image is also used by one security research group devoted to ethical hacking, Sakura Samurai. To demonstrate the vulnerability of their security systems, the group has hacked the United Nations, the Fermi National Accelerator Laboratory and the government of India.

The group was founded to celebrate the rebirth of hacking as an ethical act. Like the original samurai, members value honor, trust, community and responsibility. “If you don’t have a system in place for people to tell you that you’ve got a security problem, then you’re only going to get hacked by advanced persistent threat actors, not people who want to help you,” said John Jackson, Sakura Samurai’s founder and independent security researcher. “The reality is, it’s pretty easy to tell the difference. What criminal is willing to send you a report on how to fix things?”

John Jackson, founder of Sakura Samurai.

But many non-hackers are confused by the differences between white and black hats. Jackson contends the labels themselves only add to the confusion.

Legitimate security researchers attempt breaches as part of their job. “Can you say you’re a white hat hacker if you’ve broken the law?” asked Jackson. “Not in the security research field. There’s really only gray and black hats.” These complexities in hacking and security research are reflected in what’s wrong with the Computer Fraud and Abuse Act (CFAA).

On June 3, the Supreme Court made a minor rewording change in one section of this 200-page document. It was designed to clarify the meaning of “unauthorized” access to a computer or network. That change is intended for the law to cover only those who don’t have legitimate access to a computer system, not those with legitimate access but “improper motives for obtaining the information that is otherwise available to them.”

Jackson said the high court decision didn’t go nearly far enough in narrowing the scope of the act. “The minor rewording itself was clumsily done and confusing. If you read the entire act, it’s evident that what’s defined as legal hacking is so limited they can pretty much charge a hacker for anything.”

Jackson and many other third-party researchers think the CFAA needs a do-over. “The CFAA was written in 1986, when computers were still making it into the mainstream,” he said. “In legislation stemming from the CFAA, the language is so broad that anyone accessing a computer in a way the federal government doesn’t like can go to jail.”

Some federal officials understand the complexities of hacking, but they’re not the ones who modified the law. “[It] needs to be ripped out and replaced with legislation that reflects today’s conditions,” said Jackson. “Hackers of all hat shades and information security professionals are avidly pushing for better modifications of the CFAA, if not a full redefinition.”

Replacement legislation should clearly distinguish criminal hackers from security researchers, or hackers with good intentions. “Let’s say hackers accessed your server,” said Jackson. “Did they take anything? Today, that would be illegal, but what if it was for a proof of concept and they deleted it promptly when they were done with it? Then that’s not criminal.”

The Electronic Frontier Foundation (EFF) agreed, publishing an opinion last year calling a then-proposed expansion of the CFAA “dangerous and misguided language. It described the proposed rewrite as a “zombie bill.”

Instead, what’s needed is “reform that reins in the CFAA and protects security researchers.” Before the current Supreme Court decision, EFF filed an amicus brief along with several cybersecurity firms, saying the “notoriously ambiguous” law has been interpreted too broadly, detailing the importance of “socially beneficial security testing.”

“The federal government needs to stop persecuting us, and start hiring us,” said Jackson. “If they refuse to hire hackers and continue to constrain us too much, then they need to stop pursuing us. Because if we don’t hack it, whatever it is, advanced persistent threat actors will.”

This article was originally published on EE Times.

Ann R. Thryft has written about manufacturing- and electronics-related technologies for Design News, Test & Measurement World, EDN, RTC Magazine, COTS Journal, Nikkei Electronics Asia, Computer Design, and Electronic Buyers’ News. She’s introduced readers to several emerging trends: industrial cybersecurity for operational technology, industrial-strength metals 3D printing, RFID, software-defined radio, early mobile phone architectures, open network server and switch/router architectures, and set-top box system design. At EBN Ann won two independently judged Editorial Excellence awards for Best Technology Feature. Currently, she is the industrial control & automation designline editor at EE Times. She holds a BA in Cultural Anthropology from Stanford University and a Certified Business Communicator certificate from the Business Marketing Association (formerly B/PAA).


Leave a comment