Later this month, the Supreme Court is scheduled to hear Van Buren v. United States, a case long-awaited by the cybersecurity community on the nation’s primary anti-hacking law, the Computer Fraud and Abuse Act (CFAA). The Court’s decision on Section 1030(a)(2) will determine whether companies can block researchers from analyzing systems to uncover vulnerabilities, pinpoint cybercrime sources and warn of potential bad actors and fraud schemes. Such findings help to protect us and improve the cybersecurity efforts of both public and private sector organizations. The Court’s ruling will either be a significant win for the security community, setting the legal parameters for legitimate security research, or a detrimental roadblock, pushing security researchers into perilous situations and society into the digital Dark Ages.
The CFAA currently prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what “without authorization” and “exceed authorized access” mean. Within the law’s current scope, security researchers could be prosecuted for such actions as looking for vulnerabilities. In this case, the Court has the opportunity to decide if anyone with authorized access to information on a computer for specific purposes violates the law if they use that access for purposes beyond those prescribed.
About half of the circuit courts across the country have ruled on the provision, with some taking a broad interpretation of the phrase “exceed authorized access” and the others taking a narrow interpretation. The Supreme Court’s ruling could settle this split in the lower courts and either improve or constrict the legal protections for cybersecurity researchers. If the Court accepts a narrow interpretation of the provision, it would mean a considerable win for cybersecurity researchers and improve their legal standing. A broader interpretation would greatly increase the risk to security researchers and likely lead to poorer cybersecurity in general.
Tenable filed an amicus brief alongside the Electronic Frontier Foundation, the Center for Democracy and Technology and fellow cybersecurity firms in support of narrowing the scope of the law. The U.S. government’s interpretation of this notoriously ambiguous law has been too broad and has suppressed and hampered security research with serious implications for the security of every U.S. citizen.
Enacted in 1986 — a time when smartphones were science fiction and personal computers were reserved for the wealthy — the CFAA hasn’t aged well. Its applicability to security research has only diminished over the last thirty-plus years as technology’s role in our society has gone from novelty to necessity.
As our reliance on the digital world has expanded — everything from our power grids to smart vehicles is now “hackable” — so too have the threats from adversaries around the world. The ability to conduct cybersecurity research unimpeded is critical for cyber companies like Tenable to help uncover vulnerabilities and stop adversaries in their tracks.
In the last two years, our researchers have discovered more than 200 zero-days — or previously unknown and unpatched vulnerabilities — in some of the most ubiquitous software and hardware. A few of the team’s biggest finds were in widely used consumer technology, including Amazon-owned Blink security camera systems and Zoom. This type of research allows us to partner with technology vendors to help them secure their products and protect people like you and me from becoming the next cybercrime victim.
One of the best ways an organization can protect itself from cyberattacks is by maintaining strong cyber hygiene. But strong cyber hygiene requires organizations to understand where they’re vulnerable. It’s imperative not to create a chilling effect on security research by raising the legal liability for researchers working to responsibly disclose dangerous vulnerabilities and help organizations secure their cyber domain.
The Supreme Court is, and will be, an increasingly important force in shaping the future of cybersecurity and privacy. Technology-related cases will only increase in frequency as we live more connected and online lives. Seemingly straightforward laws, like the CFAA and its implications, become incredibly complicated, incredibly quickly.
Technology, cybersecurity and privacy cases could have a long-lasting effect on how Americans interact with technology and how much control they have or don’t have over their data. The Supreme Court’s positions on cybersecurity, technology and digital rights will affect the outcome of these cases and shape the future of technology and society. The interpretation of existing law in a technology-informed way is critical for society.