Here's the TL;DR:

Software now runs everything and all software has flaws, which means that we, as consumers, are at risk. This includes YOU, and can impact your safety or quality of life. Sign this petition to protect your right to information on how you are exposed to risk: https://petitions.whitehouse.gov/petition/unlock-public-access-research-software -safety-through-dmca-and-cfaa-reform/DHzwhzLD

The petition

Last weekend a petition was posted on the White House website calling for reform of the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) to protect security research.

The issue is very important to me on a personal level, and I believe that once we get past the complexity, it matters to everyone, including you. People are generally unhappy if they think they are being put at risk, and that's really what's at the heart of this issue.

Understanding how you are at risk

A lot of people think that cybersecurity is something that only matters to people that are “high value” targets like celebrities or companies. Or they think security is just about their credit card info being stolen, and they don't care on a personal level because the banks sort all that out. This just isn't true anymore. Cybersecurity is now about safety. It's about the economy. It's about identity. It can seriously impact your safety and your quality of life.

Bear in mind that software is in EVERYTHING these days – cars, medical devices, security systems, washing machines, etc. For example, many cars now have over 100 MILLION lines of software code in them. And everything is connected to each other. So all our critical infrastructure, our financial markets, our homes and cities – everything has a higher degree of complexity and opportunity for something to go wrong or a bad guy to get in. I'm not trying to scare you, and I don't want to sound like a bad review for Die Hard 4, but the point is that the line between physical and virtual has become pretty irrelevant.

This is a risk that most people – me included – are not qualified to investigate or understand on a technical level. That's why we NEED security researchers.

Relying on researchers

We need people with the appropriate skills and knowledge to identify issues that put us at risk. Building technology is hard, particularly as the ecosystem for the technology becomes more complex. It's hard to predict every scenario that will occur and test the technology for its response. At some point, vendors have to decide their product or service has been tested enough and make it available to customers. It's important that if security issues then arise, people with the skills to find them and the desire to do so for the public good, are able to do so. You can bet the bad guys will be looking for them.

The best situation for criminals is that they are able to take advantage of security issues with no one being any the wiser. So you can summarize the need for security research as “sunlight is the best disinfectant.” In other words – we can only reduce risk by addressing security issues if they are found, understood, and disclosed.

The problem

Unfortunately, the way some of our current legislation works limits the ability of security researchers to do research. We need laws that protect intellectual property and prosecute cybercriminals. I'm not suggesting we open the gates and provide a free-for-all. But doesn't it seem a little self-defeating if the very law that was designed to protect us from cyber-attacks also limits the research that would reveal how we're at risk from these attackers so we can take necessary steps to protect ourselves?

Solving this is tough. You don't want to change the law in a way that lets criminals off the hook. But protecting people in the current climate means enabling and supporting security research. We have to find a way to do this, while also maintaining the integrity of the law itself and providing protection for the public and businesses.

How does this petition help?

The petition is a public statement of intent. It's a way to show that we care about the issue, and it's a chance to raise awareness outside of the information security community.

It is NOT an instant remedy. Legislative reform takes a long time, particularly with an issue that is very complex and evolving quickly. No one is going to wave a magic wand and make the problem go away. That doesn't mean the petition has no value; its existence puts the issue on the White House's radar. It's just one step in a long journey, and supports various other steps also being made; each step is important.

Please sign the petition. Please share it with your friends and families and coworkers. Help them understand why it matters. https://petitions.whitehouse.gov/petition/unlock-public-access-research-software -safety-through-dmca-and-cfaa-reform/DHzwhzLD

I believe that access to information about how we're at risk is a consumer right. I believe we have a basic right to information that enables us to protect ourselves. Please help us defend these rights.





@infosecjen

