The Cyber Conspiracy Modernization Act is a new piece of legislation from Senator Mike Rounds and Senator Kirsten Gillibrand. This Act was introduced earlier this week with the goal of increasing the penalties under the Computer Fraud and Abuse Act (CFAA) and adding a specific penalty for conspiracy to commit computer crime. 

In this Security Flash, Bugcrowd Founder Casey Ellis and Americas CISO Trey Ford break down the Act, the potential impact, and what you can do to help protect good faith hackers.

What is the Computer Fraud and Abuse Act (CFAA)?

The CFAA is the main anti-hacking law, first created in 1986 by President Ronald Reagan (fun fact—he was inspired to create this law after watching WarGames). It was last amended in 2008. It is an important tool for prosecuting cyber criminals and bad actors. However, the CFAA is quite broad. Specifically, its language around “exceeding authorized access” is left to prosecutorial discretion, so how it is interpreted varies from case to case.

This was challenged a few years ago in a rather unexpected situation. In the 2021 case Van Buren v. United States, the Supreme Court ruled that the CFAA doesn’t prohibit using authorized access for unauthorized purposes. Although this Supreme Court case had more to do with strippers than it did with ethical hacking (no, that wasn’t a typo; the case was about a sting operation where Van Buren used authorized access to look up a stripper’s license plate), it still applies to the good faith security community. The ruling set a precedent for hackers and security researchers to use their access without fear of retribution.

The Cyber Conspiracy Modernization Act

The Cyber Conspiracy Modernization Act broadens what is already an ambiguous law, especially with the use of the word “conspiracy.” Adding conspiratorial motives as an aspect of the CFAA moves the law in the direction of thought crime, not just action. In the absence of better clarification of what unauthorized access is, the application of “conspiracy” to such a broad law is extremely concerning.

According to Casey Ellis, “While it’s important to be able to prosecute bad actors, broad and ambiguous anti-hacking laws like the CFAA create a chilling effect for security researchers. These helpful hackers form a vital part of the defensive cybersecurity and workforce and, in many ways, act as the internet’s immune system.”

What can you do to help?

Whether you’re a hacker, a cyber defender, or just a believer in the power of hacking for good, you can make a difference by contacting your senators and letting them know your concerns about this bill. It’s important to share how you and the hacking community use your skills to make the internet safer for everyone, including senators and their constituents. You can recommend the inclusion of carve-outs for good faith security research into the CFAA as a part of the Cyber Conspiracy Modernization Act. 

Trey Ford says it best. “Hackers are not bad. They make the internet safer. We need to make discussions around vulnerabilities safe. We must be able to talk openly about vulnerabilities and shorten the path from discovery to correction.”

Bugcrowd and the Hacking Policy Council stand ready to find safe and effective ways to establish a bright line between virtuous hacking and criminal activity.