Wednesday, January 14, 2015

Obama's War on Hackers

In next week's State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above (fictional) link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link.

You might assume that things would never become that bad, but it’s already happening even with the current laws. Prosecutors went after Andrew “weev” Auernheimer for downloading a customer list AT&T negligently made public. They prosecuted Barrett Brown for copying a URL to the Stratfor hack from one chatroom to another. A single click is all it takes. Prosecutors went after the PayPal-14 for clicking on a single link they knew would flood PayPal’s site with traffic. The proposed changes make such prosecutions much easier.

Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Obama proposes upgrading hacking to a “racketeering” offense, which means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). Hanging out in an IRC chat room giving advice to people now makes you a member of a “criminal enterprise”, allowing the FBI to sweep in and confiscate all your assets without charging you with a crime. If you innocently clicked on the link above, and think you can defend yourself in court, prosecutors can still use the 20-year sentence of a racketeering charge in order to force you to plea bargain down to a 1-year sentence for hacking. (Civil libertarians hate the police-state nature of racketeering laws.)

Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem.

Most hacking is international and anonymous. They can’t catch the perpetrators no matter how much they criminalize the activities. This War on Hackers is likely to be no more effective than the War on Drugs, where after three decades the prison population has skyrocketed from 0.1% of the population to a staggering 1%. With 5% of the world’s population, we have 25% of the world’s prisoners – and this has done nothing to stop drugs. Likewise, while Obama’s new laws will dramatically increase hacking prosecutions, they’ll be of largely innocent people rather than the real hackers that matter.

Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that. For example, a search engine like Google downloads a copy of every website in order to create a search “index”. This sort of thing is grandfathered in, but if “copying the entire website” were a new idea, it would be something made illegal by the new laws. Such copies knowingly get information that website owners don’t intend to make public. Similarly, had hacking laws been around in the 1980s, the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices.

The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as "national security" and "cyberterrorism", then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like "hacking". Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals.

Along with his Hacking Prohibition law, Obama is also proposing a massive Internet Surveillance law. Companies currently monitor their networks, using cybersecurity products like firewalls, IPSs, and anti-virus. Obama wants to strong-arm companies into sharing that information with the government, creating a virtualized or “cloud” surveillance system.

In short, President Obama’s War on Hackers is a bad thing, creating a Cyber Police State. The current laws already overcriminalize innocent actions and allow surveillance of innocent people. We need to roll those laws back, not extend them.


Fred said...

Orwell was prophetic, however he just was off by 31 years. Welcome to "Fahrenheit 2015."

Unknown said...

I think you're thinking of Ray Bradbury's "Animal House," where Bluto was happy to be a Delta, rather than one of those overly-smart Alphas?

Frank Haynes said...

Surely you meant to write "attackers" or "crackers" instead of hackers.

Hackers write code and are the good guys. This draws into question everything you write.

Joseph Pierini said...

Lighten up Frank. The Cracker vs Hacker arguments were pointless in the 90's and only make someone look like a troll in 2015.

Good post Robert, the disconnect by our government is disturbing and will stifle the advancement of cyber security rather than improve it.

Mark Mullin said...

Robert for prezzydent!!!

Very good points - but we're doomed - this will have nasty implications on the lighter side of the business - how the hell do we even teach this stuff anymore? That said, that plays right into Washington's hands, now it could be illegal to even discuss exploits, which means U.S. organizations have no real security and the NSA has an easy job.

Daniel said...

This sounds awfully like they are trying to put everyone behind bars who admits to having even seen the Snowden documents. Stasi - USA edition.

rwrizzo said...

Welcome to the Police States of America.
The US is quickly becoming a police state that cares more for corporations than it does people.

Stephen Mattin said...

> Orwell was prophetic, however he just was off by 31 years

No, Orwell was spot-on.