It didn't take long for information security professionals to take to Twitter, blogs, and social media to blast the latest White House proposals for cybersecurity legislation. A small group of civic-minded professionals are calling on the industry to stop complaining and actually do something about it.
New laws, and fixing existing laws, are important and necessary. In the days leading up to the State of the Union speech, President Obama unveiled a series of proposals for new cybersecurity laws which would protect user data, such as requiring organizations to disclose data breaches within 30 days of discovery and protecting students from aggressive data collection by educational apps and services. The proposals also called for updates to existing laws to give law enforcement more authority over cybercrimes. Information security professionals agree on the basic tenets, such as encouraging information sharing, letting law enforcement prosecute cybercrime, and protecting user privacy, J.J. Thompson, CEO and founder of Rook Security, told SecurityWeek.
"We all agree with the principles, but the current proposals are currently not set up for success," he said.
The problem lies in the fact that the proposals contain problematic language which, if left in the final legislation, would "gut our capability to respond" to data breaches and other security threats, Thompson said. The wording is vague in some areas, overly broad in others, and would result in security professionals unable to "use half of our toolset," he said. For example, a proposed change in the law around computer and cell phone spying devices would make it unlawful to manufacture, distribute, possess, or advertise "electronic communication intercepting devices." The change would limit what tools defenders can use to detect and respond to attacks, even tools such as intrusion prevention systems and packet sniffers, he said. Considering these tools are standard among Fortune 500 companies, the use of these tools would put practically all of them in violation of the law.
"If any InfoSec pro is positive about the new legislative proposal, I’ve not seen it," Jeremiah Grossman, founder and CTO of WhiteHat Security, wrote on Twitter last week.
The proposals were clearly not written with much input from the information security industry or by someone who understands information security, Thompson said. To address this knowledge gap, he put the text of the White House proposal on GitHub and called on industry counterparts to make revisions and to rework the proposal into a workable alternative. Members of Congress are interested in seeing something better than what the White House currently has on the table, he said.
Giving the lawmakers a better starting point will make it more likely the final law, if passed, will be something the industry can work with.
In many areas, it is clear the writers did not use the correct terms. For example, in a section discussing data breaches, there is mention of the breached company having to conduct a risk assessment. However, it's clear that the section is actually referring to forensics, noted Thompson. Without the right verbiage, organizations would wind up doing the wrong thing just to stay compliant with the letter of the law, and there will be no improvements in security and privacy, he said.
Then there is the section for modernizing the Computer Fraud and Abuse Act, where the phrase "intentionally accesses a protected computer without authorization" could be "argued six ways by any infosec pro worth their salt," Thompson said. Each one of these words is problematic, starting with the difficulty of proving intent, then the question of what constitutes access, and finally what exactly it means for a computer to be protected.
"The proposals aren't broken, but the wording doesn't help," Thompson said. "It makes it harder to do our jobs."
The laws proposed by the White House neglected to place the burden of protecting data and users on companies, Gabriel Gumbs, managing director of research and products at WhiteHat Security, told SecurityWeek. The rewrite effort would introduce corporate accountability as part of the breach notification process. "It would be in the best interest of all for the White House to take seriously this re-write initiative and solicit further contribution from the information security community," Gumbs said.
Thompson decided to use GitHub's collaboration features because it's a platform many people are already familiar with. Getting involved in writing legislation can be a difficult, and intimidating, effort, but looking at a repository and pulling changes are things that may be easier to ask of information security professionals, he said.
Thompson is already working with a group of like-minded information security experts who have expressed interest in the effort, but he would like to see more people check out GitHub and get involved. Putting the project on GitHub makes the rewrite transparent and gives anyone concerned about the proposed legislation a chance to fix the problem.
"Does anybody really care, or do they just want to complain?" Thompson said.