
So yeah, thank you for coming to the policy talk. This is some work that I did previously on some proposals to sort of move us a little bit forward on computer crime law. Just, you know, because it's been about since the 80s. I didn't work quite as many 80s references into this as I would like, but I just want to begin by saying this is some 1986 legislation. It predates the internet, and hackers go to jail for it. So, let me fix that. Bear with me. There we go. If this doesn't keep going, I'll use the other adapter. Yeah. The federal computer crime law in the United States is a
bit of an interesting topic. We don't talk about it enough. The core statutes are pretty much wire fraud and the Computer Fraud and Abuse Act. And one of the things that really inspired me to look into this a lot and get extremely familiar with it was just watching, fairly early in my career, as somebody downloaded a few text files, published some IMEI, and went to jail. And then much later in my career, one of our local Pacific Northwest hackers ended up hacking a large bank and also going to jail. And just the aplomb with which these sorts of folks are sent to jail, with at least
what appear to many of us to be, sort of, kind of, we just do these things a lot, and then you do them in sort of the wrong way, and the difference is between many years in prison or nothing/accolades. And so the Computer Fraud and Abuse Act and the wire fraud statute are the two ways that hackers tend to get prosecuted. And then there's a collection of miscellaneous items. In one of the most recent cases, of course, access device fraud and aggravated identity theft came up. But this is how they usually charge you: the Computer Fraud and Abuse Act and then something else, at least. So we'll concentrate mostly on
the CFAA. It has a number of different sections to it. They're not all equally used, but it covers basically these seven topics. The first one is pretty much never used. The lattermost one is basically ransomware, and then the middle ones, it's mostly, if I remember, two and five that we see a lot: stealing information and damaging a computer. So the downloading of PII is typically charged as 1030(a)(2), and then the uploading of malware is typically 1030(a)(5), damaging a computer, and then of course the ransomware. Now, they can, as I was saying, put you in jail for quite some time based on this stuff. And a large number of them
are felonies, and a later slide will describe, it's sort of a scheme by which we have devised to throw the book at hackers for straying outside the bounds of what is allowed. So this, for example, is why things like safe harbor programs and bug bounties are so ridiculously important, so that you don't end up getting the book thrown at you if somebody decides that what you were doing was in fact not what they wanted you to be doing. Now, the Computer Fraud and Abuse Act is a very interesting sort of piece of legislation, because these things are not the most objective terms in the world. And if
you're interested in this, actually, you can find it. It's just on justice.gov. It's their internal charging guidelines. So they're not the most objective things in the world. And I'll elucidate in the talk a little bit about why exactly that is. You know, the point of course being to levy very large penalties on hackers for doing the nasty hacking. What this does in society, and I'll branch into a lot of this sort of "what is this in society" in this talk, is the penalty of felony. This is the absolute worst sorting hat that we have in our society. Basically, you know, if you get charged with something, we
declare all of society has the right to know that you were charged with this. And so society's punitive right to know that you were one of the people that did the bad thing, we've used this a lot in history. Certainly the history of marijuana legislation, among other things, and most drug policy honestly, is just replete with examples of this: how we deign as a society to say, well, these people are good and those people are bad, and everybody has a right to know which of these two categories you fall in. Applying this to our work can be very interesting, and it's also kind of an expression of severity, of course.
Like the 30-second high-level overview is you've got violations, civil infractions, misdemeanors, and then of course felonies. And the felonies are what come with the "we're going to greatly curtail your ability to participate in society permanently because of this thing that you have done," as a penalty and a sort of incapacitation and protection of other people from you, which are cornerstones of a criminal justice system anywhere in the world. So each of these has its own little criteria for which one is a felony versus which one is a misdemeanor. In this case, in 1030(a)(2), the stealing of information, the thing that makes it a felony as
opposed to a misdemeanor is: you used it to make money, you used it to commit another crime or civil tort, it was worth more than $5,000. Related, in the case of 1030(a)(4), when you were accessing information for fraud, that one is pretty much always, their guidelines say, a felony. Also ransomware, also the same thing, that kind of extortion. And the other one that is commonly used, the damage, this is, they say it elevates to a felony when you have an annual loss of $5,000 or more, injures someone, impacts their medical care, there's a threat to critical infrastructure, public safety, health, systems related to justice, national security, national defense, or 10 or
more protected computers in a year. Now, the reason that I'm going through this is not to stand up here and give legal advice. I, in fact, am not a lawyer at all, much less yours. But it is just to elucidate the context for kind of what I would do if I were allowed to change anything about this. And I'm hoping that you might find something in there that you agree with and talk about it a little bit more. In the analysis of the CFAA felonies, it seems, based on just a reading of it and its precedent, what Congress set out to do with this was make a felony of actions that,
you know, you've been killing, maiming, destroying things people depend on, cashing in, or having particularly large or prolific impact, as it was seen from 1986. [snorts] Updating a little bit for today, however, $5,000 would be a little bit over 16,500 in today's money, and ever growing, and [snorts] is 10 computers really a lot? Now, these are interesting numbers, because computers in society, of course, as we all know, have grown greatly in importance over the course of the decades. And, you know, to spend $16,500 on a computer, we say, "All right, that's where it starts to get serious." If you've destroyed $16,500 worth, no, $5,000 worth of computing equipment, that could be as little as a
couple of servers infected with a virus. Now, it's one of those thresholds that just magically never changes. Similarly, is 10 computers a lot? Well, remember that this legislation was created in a world where computers looked very much like this. This is an IBM System/370. It was a fairly common IBM mainframe, turned into z/Architecture. So attack and defense designed for that world looks very different from attack and defense developed for the world in which we live now. This was sort of an era in which a computer was really a big deal. So we set out to define what is a protected computer. A protected computer is one where your
bank, financial institution, large company, multi-state network. Of course the interstate commerce thing here comes again. You know, a lot of mainframes existed. These are protected computers. They're being used for some protected purpose. Now, imagine the world of the 1980s, where you've got these lines occasionally. Maybe a couple of leased lines exist. They're running Asynchronous Transfer Mode. The OSI protocol stack is still used. You know, you dial into something, do your batch operation, and go away. Maybe you mail a deck of cards around. A computer doing something that is multi-state is a little bit more of a big deal. A computer that's doing something financial is a little bit more
of a big deal in this world. There's lots of mainframes. You can do little things to them that make the whole thing knock over. It's relatively easy. I wish I would have put a picture of an IBM lace card, or IBM doily, up here. It's a card in which you've punched all positions. You insert it into the middle of the deck and it crashes everything. It jams the card reader. You can't move forward. It's as though you put a little block on top of a hard disk platter or something. Very damaging. Doesn't really exist anymore. [snorts] A computer was a really big deal, both in terms of it was a big capital asset
that you put in place somewhere, and it's also a big deal in terms of it is a mighty pain to fix it, even just one little bit. Incident response was a very different thing back then; it involved a lot more screwdrivers, for example. This was probably not a protected computer. The add-on for this, it's an Apple IIc if I recall. It's very expensive to connect it to the internet. Not a lot of people did, not a lot of people could afford it, there wasn't really a lot of reason to, because in the era where the Computer Fraud and Abuse Act was created, this didn't exist yet. This is the first website. Tim Berners-Lee made it at CERN. It's
just a little bit of text. There were about 10 of them. He has a list of all of them on this site somewhere. And this was the internet. And this was the internet after the Computer Fraud and Abuse Act was formalized and passed into law. So you had your programs on disks. Sometimes you typed them in from magazines. We did not download and run things. It simply did not exist. There was kind of email, but it was sort of a local thing to an institution, at Dartmouth. Ours has been renamed. It used to be called Blitz, because they named it before email was really a thing that people talked about.
So a very, very, very different kind of world. You know, you didn't get phishing emails where you would open it and then there would be an EXE and you would download a virus. In fact, there weren't EXEs. You typed the program in from a book, or you had it on a disk somewhere that you inserted, or read it off a cassette tape. Network was a very, very, very big deal too. You might have at home an acoustic modem that your employer gave you. You might dial into a computer. Maybe some places that you did business with, like the city or, you know, the library or something, you could dial into just that computer. You'd get a terminal screen.
You could type some commands in at it. You didn't really scan the network. If you were a phone phreak, you kind of just dialed random numbers, and if you heard a modem screaming at you, you're like, "Well, that's interesting. I'll dial that again with the acoustic coupler." But that's about as far as it went. So if you were doing one of these things, you were doing it with some degree of intentionality, either to explore, most likely, or to destroy things a little bit. But the sort of scan-the-whole-internet, spray-and-pray attack style, this wasn't really a thing yet. Didn't really work. Computers were
largely sitting ducks in these days. There was very little in the way of access control. Certainly not a lot in the way of firewalls, IDSes. Virus scanners were just beginning to be a thing. You didn't do it for long, and you didn't do it at long distance. You'd tie up your phone line, or the long distance bill would be incredible. If you had computers that were persistently connected together, either it was because you laid a line across your university campus all by yourself, or you had a T1 that you leased from the phone company at ruinous expense to connect them together at high speed. This was very, very, very rare. Hackers
were also very different in those days. Viruses were mostly written for fun and bragging rights. A lot of worms; you know, your computer would pop up a message when it booted: you are stoned. And that would be the extent of the virus, and you would have to reinstall its operating system or put in a new disk or something if you wanted to get rid of the virus. And they were kind of mischievous. You know, they would spread. It was very cool to play Conway's Game of Life, but in real life, you would put your thing on a floppy disk, and then it would do something like: any computer that disk was inserted into would now get the
virus and replicate it again, maybe with some minor modification, onto the floppy disk. This wasn't crimeware. No one was really going around ransoming, stealing a whole bunch of PII. And in fact, you really couldn't, because your virus could spread from computer to computer to computer, but you could hardly have a C&C. And if you did, you know, you'd have to have the phone somewhere that they could dial, and the phone company would know it's you. Game over. Like, no, it wasn't really a thing. You didn't go through multiple hops in this way. International communication was expensive, unusual, and loud. This was the era in which if you got an international phone call from
overseas, someone would go interrupt you, and you would stop doing whatever you were doing and answer that, knowing that they were paying a dollar a minute to talk to you. How about today? Well, international networks are ubiquitous. There are near-corporate ransomware gangs, like wages-and-benefits kinds of affairs, private-cloud kinds of affairs. They're always connected, they're always involved. Computers are everywhere doing everything all the time, and they all talk to each other constantly, and we don't even know who they're all talking to when we use them, which is new. And ubiquitous interstate commerce. You don't even think about doing interstate commerce. You used to be like, well, I
want to order from these people, but they're out of state, and these people are in state, so I'll order from the people in state. No one really thinks this way anymore, that much anyway. So, other changes: precedent. The only picture that I had of the Supreme Court, I'm sorry, it's the front door. There have been a few cases that have changed the Computer Fraud and Abuse Act, but not a lot of them. Just a couple come to mind. The first one is Van Buren. It's a 2021 case that lays out what we call this gates-up, gates-down sort of philosophy. I don't think they really
specified in the opinion whether gates up was secure or gates down was secure, but the meaning is roughly equivalent. To make access criminal, there must have been at least some attempt to protect the system. Don't confuse this with the definition of protected system in the Computer Fraud and Abuse Act; that means a completely different thing. But to make access criminal, there has to at least have been something beyond the ToS. This was very important. It resolved what's called a circuit split, where some federal circuits decide one way and others the other way on a particular issue. And one of those issues was whether violating the terms of service of a website or something was
a criminal act. This case resolved that for good and said, "No, you can't make private laws that apply to the public by just typing things into terms of service, and then anyone who passes through it goes to jail if they don't listen to you. That's absurd." So we don't know, however, how much you have to do beyond that. We know that the terms of service isn't enough. Telling you explicitly, personally, to stop might be enough. We just don't know, you know: do you have to have good practice, or do you have to have done anything at all? The other one, that was a year later, was a case called hiQ Labs versus LinkedIn, here. Access to
openly published information is not criminal. At least there's that. You can crawl the internet all you like, and they can't send you to jail because they don't appreciate that you did it. These cases are not the most sympathetic, by the way. I just want to get that out there. Van Buren was a police officer who was selling access to the police information database in Georgia, apparently. That's what the charge says, and it wasn't the best. It was sordid. And hiQ Labs was actually scraping LinkedIn data for their own purposes. Basically privacy invasion at scale, said LinkedIn. But they figured, well, okay, this is a civil matter. It's not
necessarily a criminal matter. So these two at least weaken it a little bit, and they say, well, it's not the case. You know, before Van Buren, Reinhardt didn't like this act very much and said the CFAA "threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens," that is, accessing a website, sharing your password for a streaming service. Well, if you're sharing a password for a streaming service, sure, against the ToS, you're moving a password around; that looks like trafficking in passwords to me. So we've depended a lot on prosecutorial discretion. I'll get to that. So the circuit split: does the computer need to be defended at all, or just have
a ToS? And the act is still ambiguous. There's a process in law called codification, where you take these precedents and you adjust the statute to say, well, okay, this is what we really meant by it. We're very sorry that we were unclear, says Congress. But that kind of hasn't happened for this. It's still just precedential. So it remains that nobody knows what unauthorized access means, since 1991. Back in 1991, the Second Circuit prosecuted Morris, of Morris Worm fame, and held it doesn't really matter what computers he intended to break or not, federal or not. He broke some federal computers, therefore it was a protected system under the definition of the act, and also
authorization in that case. The big issue in that case, he did appeal it, the issue was: was the jury appropriately instructed on what authorization or unauthorized access meant? And the appeals court kept his conviction in place. They upheld it, and they said, "Well, authorization is a term that needs no definition. It is in common use." You know, they opened the dictionary. Well, everyone knows what a horse is under the word horse, right? That is the most famous example. It's just: yep, authorization. Do you have authorization or don't you? You ought to know. [laughter] Remember that in 1991, when this term was in common use, most people didn't have internet access. In fact,
the internet, the World Wide Web, had just become a thing. That was when Tim Berners-Lee's website was from, and they decided that it's done. We're already well aware what authorization means. It needs no explication. So onward to how this ends up actually getting applied. What is proportionate? This is where the prosecutorial discretion actually comes in. Do we really take people and throw them in jail because they shared their video streaming service password with each other? We don't do that. This is one of those things where, okay, we're giving people tools to take the nasty bad hackers and put them away and make them stop. There aren't a lot
of hacker lawyers. There are even fewer hacker federal prosecutors and hacker FBI agents. Bless them all. But good luck to somebody outside of the culture of security professionals, who know where the line is, trying to figure out from the outside which ones they should pursue and which ones they wouldn't. Reasonable people can disagree all day about whether they get it right. So kind of what I'm leading into is an argument for recodification. The other big issue with this law is: how are damages calculated? And this was something that, if you look at the history of the case pursuant to the Capital One hack, you can see a
lot of machinations about how the damages were calculated. The algorithm is effectively, as any good lawyer will, literally anything that you can link to this. Please go link to it, and then we'll sort out which ones of these are not useful to us later. So you're looking at things like your direct costs: like, okay, this hacker came in and they ran up our cloud bill, and they wrecked so many servers and hard disks, and we had to spend this many hours restoring things from backup and doing this and that. Maybe we violated all these contracts and we broke our SLA. But also things like indirect costs, like consultant costs for remediation,
are in there, however much the consultant charges. Little things like, okay, these uplifts in information security that we really ought to have done anyway, keeping our logs in order, running them through analytics, this kind of stuff, tend also to be included. And then this all comes from a doctrine that is basically the eggshell skull doctrine in law, which says if you go and assault someone on the street, it didn't matter that you didn't know that their bones were paper thin and you killed them when you only intended to, like, knock them over. You intended to do something bad, you did something much worse than you intended, you still did
something much worse than you intended, and we're going to penalize you for that. So the eggshell skull doctrine applies very strangely to the Computer Fraud and Abuse Act, because the equivalent is your bad logging and your lack of a disaster recovery plan. So what is the penalty? The costs are laid on the hacker: restitution, fines, and jail. You saw before, many of the penalties were gated on whether the damage was over that critical $5,000 threshold. Millions upon millions of dollars, sometimes, assessed. Ability to pay is of course not considered. So, good luck collecting. But the costs are laid on the hacker, as restitution is part of the penalty.
But who is this hacker? Who's indicted? Do they care? There's a flag on this slide. I don't think they care all that much. So, you get them. I don't think foreign state actors are going to answer our court summonses. They're not meaningfully deterred by American law. We're unlikely to wage war to capture them. If, in one of the previous talks, there was some discussion of a very, very wide-scale Chinese implant in this room earlier, I don't think if we figure out the big names and faces behind that, we're going to succeed in extraditing them from China. We're not meaningfully deterring folks like this. In fact, they're heavily incentivized by the jurisdiction
that can deter them. And indicting threat actors who are employed by hostile foreign nations is effectively the equivalent of sovereign whining. We're very angry. We're going to do something about it. If any of you have seen the FBI indictment of the various GRU agents responsible for one thing or another, I wish I'd put this up on my slide. It's like, what is the point of doing this? It has some effect, but the effect is mostly to say we are very displeased, and don't send those people as diplomats to the US. [laughter] So if you can't arrest all the GRU's hackers, what do you do? This, again, I'll tie back to, but I
just want to introduce this concept that a public trust in society often comes with a duty to safeguard, and this is something that we recognize in many other contexts, but curiously not typically in the context of you getting hacked. So it is important to the functioning of society that you be able to put a high degree of trust in the computer systems that you use and depend on all day, in particular the computer systems that do things like decide whether you're allowed to eat food, or decide, you know, whether you're allowed to live in a house. Kind of very important. So I pulled this example from cryptocurrency. There's a paper; you can
read it if you want. It is kind of a glowing paper about cryptocurrency, but one thing that it does say is in their user survey of 990 users in 2017. So, grain of salt, quite a long time ago, but it has only developed since then. Certainly value fluctuation in the money was viewed as a high risk. Of course it is. It's so volatile. But below that, the next two things about which people are worried are both about hacking. They say we're not too keen on this cryptocurrency thing, because we don't trust that there won't be a vulnerability in our hosted wallet, or that someone won't put malware on our machine and steal all of our money, and
then we can never get it back again. Of course, I'm not going to give a talk about cryptocurrency, but the point of this is to say: if 18% of users, this is elsewhere in the paper, not in the graph, are reporting coin theft due to hackers, and most people who are using this thing say this is the big risk and we're scared off by using it, it's a very strong demonstration that confidence in the systems is the same as confidence in our society. So trust strengthens institutions, right? Society provides us the financial system, communication facilities, and records of formal social relations. And to the extent that we can trust that those records are
true, that is the extent to which we feel confident participating in these aspects of the society that we've made, and that is the attachment that we have to our social institutions. So society is strengthened when the people who are charged with the protection of these institutions actually do so. This turns from a "let's avoid the nuisance, let's avoid financial loss" into a nation-building question. So the sociology of the Computer Fraud and Abuse Act, however. Well, it's socially normative in the United States, because it's a piece of legislation, and if you ignore its norms, you go to jail. It's very Foucault, and it basically says this: if you're participating in conventional American society, you
better not be a hacker. And if something is hacked, it's you, the counternormative person in society, that we're going to blame for this, because you're the one that didn't follow the rules. What a profound statement. Is that really what we want to do? I mean, hackers are of course a pretty counternormative bunch. In fact, many people will say that we're good at what we do because we're such a counternormative bunch. And because so much of our behavior has been normed out of society, we have those unique insights. We can hack things. We can use things in ways that they weren't intended, to do things that they were never intended to do.
Do we really want to continue to enforce a norm like that with the level of force that we're using, with these many, many, many years in jail and many millions of dollars of restitution? And I'm not by any means saying what we should do is norm a wild west scenario of going around and destroying computers left and right just because they can be. But there is a balance to be struck here. So what does reform look like? And this is the part of the talk where I have said this many times in many different contexts. But the more people who talk about it, and the more people who understand why you might want to do
something like this, the better. And my hope is that everyone here will understand that change is possible, that a better world might look like something else. Have some of your own ideas. Talk to people about it. The only way that we can change parts of society is by speaking those changes into existence. So that process of codification that I was talking about earlier, saying, "All right, the law passed, no one knew what it meant. The court told us what it meant. Now we should maybe go back and revisit it to make sure that it means what we wanted it to mean." This unauthorized thing exposes a much deeper moral, right? There's almost a hierarchy
of harms here toward people who are getting hacked. On the low end, we have, well, that's not what we wanted. You know, we'd really appreciate it if you used this resource this way and not that way. Above that is, well, that's very pesky and annoying. You're causing us a lot of loss, and we really would like you to stop. You know, your bot is knocking over our website, using it too much. [clears throat] Above that, we're getting into the things where I would agree, you know, the text of the Computer Fraud and Abuse Act does have a pretty good role in dealing with these kinds of things.
Highly damaging to critical infrastructure, maybe even loss of life. You're knocking over hospitals. People are dying of preventable deaths because there was hacking and it damaged something inappropriate. I would like to point out as well, just kind of as an adjunct, anecdotally, ransomware gang operators seem to have a social norm amongst themselves, as we have studied these groups and dumps of their chat rooms and this and that, that crossing this line between pesky and annoying and highly damaging to property and life is one to cross with some caution, and to be selective about against whom you cross this line. Ransomware gangs do not particularly love when their affiliates knock over
hospitals, power plants, draw the attention of the government, draw the attention of their own government where they may be domiciled, do something that becomes politically important. So if even they can acknowledge this, surely also. And then of course the last one, threats to civil society. This is like you pull some implant that, as somebody discussed earlier, we're causing mass calls to 911 for whatever reason, because something has gone awry in our house. This sort of threat to civil society. It's hard for one statute to do all of this justice. Certainly one that kind of conflates these things and sorts them out based on the thing to which they
were done and whether or not they crossed a low dollar-value threshold, rather than sort of: why was this done? What was the full-scale impact of this thing? So what's the goal, then, of a better statute? Well, we only have so many things that we can do with United States law. We can prevent the operation of ransomware gangs in the United States. Certainly we can steer people in the United States toward pro-social behavior. Rehabilitative justice, rather than branding people on the forehead that they're a felon for life. Assign responsibility where responsibility is actually due, and address the things that we can actually address. So rather than indicting, you know, random foreign intelligence agents,
what can we actually address? I have about five changes to propose with this, and then a few closing steps, and then we'll branch into questions. The first one is this notion of a cyber vandalism infraction. Not everything in law has to generate a criminal record. There are options to deal with behavior in our society, even within the criminal justice system, what a shocker, that involve something other than dragging people out of bed at three in the morning under force of arms and throwing them in jail for a decade. We could probably stand to address things like website defacements, nuisance hacking, little DoS attacks over games, and things like this in this
way. Say, all right, the proverbial slap on the wrist, at least the the first time, could you please do something useful with your life? um community service, probation, fine, but treat it like graffiti, not like a national security threat, because that's fundamentally what it is. You know, for everyone who is in our field defending systems today, um I would hazard that a very large number, if not the majority, have at least at one point in their lives done something that affected more than 10 computer systems or maybe cost somebody more than $5,000 in instant response to fix. And then, you know, now we're here doing this. It happens. So stop making felons of of board vandals and teenagers. It's
kind of futile. Uh currently there is nothing in the computer fraud and abuse act or any of those additional charges that I mentioned earlier, such as aggravated identity theft, access device fraud, that is just an infraction. Uh the second one is to preempt this sort of bundling up with wire fraud. You occasionally see the argument in case text where we argue, uh, as of course there are far too few hacker lawyers, we argue this, that when you take a password and you say, hey computer, this is my password, that you have committed fraud. Now fraud is a legal term with a very specific definition. Fraud is: you told me something that wasn't true and in consequence of this I gave you something
of value. Those are the elements of fraud. If that's the primary issue, if the issue is, regardless of whether it had the trappings of computers, you told me something that wasn't true and then I sent you a huge wire transfer, um and you did it over the telephone, this is just wire fraud. We don't need to tie it up with these issues of okay, you logged into a computer and did this versus you just did this. Uh if that's the primary issue, just do it like that. Uh we really also conversely should not call it wire fraud when there wasn't really anyone who was defrauded. Right? You told the computer this is my password
and then it gave you some services. Uh there is also theft of service. We view theft of service as dramatically less um important punitively than wire fraud, which is very much a you have your hand in someone's pocket and you're stealing unbounded amounts of money from them. Uh another change would be to potentially impose a duty to secure at least some of your computers. So that eggshell skull doctrine, right? It's very important in our society because what it does operatively is it prevents you from having a general duty to armor yourself. You don't have to go about in Kevlar all the time. Um because people are not allowed to assume that you're fairly resilient when they take a swing at you
on the street. That's what that's for. It's not for this. It is not really there to indemnify the leavers-open of barn doors, the banks with tin vaults, and other egregious careless behavior. So why do we have a statute that operates to protect that kind of thing? Um we shouldn't judge computer crimes as though the evil hacker came in and robbed an otherwise peaceful rainbows and butterflies computer system that was otherwise basically unprotected. Even if individuals should merit this kind of protection, large institutions should have certain obligations. The law should acknowledge the massive power imbalance between individuals and large institutions such as banks. Um, this is particularly important because we don't necessarily want to have a society in which each individual
is responsible, as we do now, unfortunately, for detecting every phishing attempt, for randomizing every password, for making sure that they never install a virus, etc., etc., ad nauseam. Uh, another potential change that we could embark on is, uh, limit the damages. Say, all right, direct loss, fine, direct loss. You know, somebody broke into your stuff and they actually caused you some amount of damage and it wasn't because of some problem that you created. It was because they got the better of you and they caused you a huge amount of damage. How much value was impaired on your balance sheet? This kind of stuff is direct loss. However, um one wonders why it is necessary to
include work that frankly needed to be done anyway. You know, um things like making sure that your logging is in order, taking an inventory of all of your systems, uh actually performing some scans, checking that your builds and software are what you think that they are, uh building out your corporate DRP in some cases, right? Uh settlements and lawsuits that you had to pay because a civil court found that you were negligent in protecting the information. This doesn't really seem like the evil hacker came in and caused you a whole bunch of damage. This seems like blaming somebody for your own kind of not having fulfilled your duty. And this is, I really really really want to emphasize
that, because this is equivalent to imposing a duty to defend. In other contexts like with HIPAA, we do impose this duty. We say all right, if you're going to store protected health information, you have to be at least, you know, this good. You have to do the following practices. You have to do the following audits. You have to make sure that you've got this in order because people are trusting you with this information, right? Not every entity has these rules and they're not all equivalent. Uh a lot of them are a kind of a hodgepodge. It's, you know, very expensive consultants to figure out what you even have to do. And sometimes you don't really have to do anything at
all. So we'll notice, for example, that in these uh these large bank hacks, the bank doesn't tend to be charged. You know, even though they had the resources to prevent it most often, and then they chose not to, even if the problem was something like a security misconfiguration and they just didn't audit it. They keep cutting their security program year after year after year. More people in this room become unemployed. Uh the pen test becomes a little check in the box that you have to do in an afternoon rather than over the course of a month. The scope is very tightly limited because they don't want to hear the findings. You've all been there. We've all been there.
[clears throat] This stuff operates to weaken that public trust and frankly also to weaken society because the public trust is not being met. So really we would benefit a great deal from a definition of what these public trusts are. Rather than saying you damaged 10 computers when a computer was a huge mainframe and it came on a semi-truck, now you've damaged 10 computers, you probably have 10 computers within 2 yards of you right now. Um, rather than doing that, perhaps we should concentrate on the human dimension. How many people were actually affected by this and concentrate as well on what are the baseline duties that you have to do? You have to at least install patches.
You have to protect your systems with passwords. You have to get a pentest done. Maybe there are some other best practices that we could follow. Maybe, well, okay, you know, it's mitigating that you didn't even go through ISO272, you were missing all of these controls, you don't even know what is coming or going in your network, you've never heard of a firewall. Um [clears throat] maybe, maybe the hacker isn't to blame for this. And the reason that this is so particularly important, out of all of the things that I have said, this duty to defend is most critical. Uh the last time that I raised this in a different context, uh directly, more directly toward the government, I
simply got told, well, this sounds a lot like victim blaming, doesn't it? Well, not really. You know, I'm having a hard time having empathy for the bank that decided to lay off its information security team. Really, really, really I am. This isn't in any way the equivalent of saying, "Well, you better make sure that you don't present yourself as vulnerable in public at all." It is categorically different. And in fact, the people who are most vulnerable in public are, you know, the people who are depending on these institutions naively. They don't have our expertise. They're not going through and saying, "This bank's website looks like it's from 1995 and acts like it, too. I'm going to go
with a different bank." Or if they are, you know, maybe they're doing that and the new one is full of trackers and ends up leaking all of their bank account details to a third party uh tracking provider anyway and some attackers get it anyway. And you know, you don't know unless you're looking and people shouldn't have to. So, the duty to defend is in fact the opposite of victim blaming. The duty to defend is to say you have to protect the people that depend on you who are actually the victims in this case. You know, the the law says that the bank is the victim of the hack. Um but you know, really, is it
the bank? Is it the bank shareholders or is it all of the people who couldn't use their bank account, their debit card is turned off because it was stolen, fraudulent credit cards opened in their name because the bank leaked their PII? That seems more like a victim to me. And we currently blame them by the way all the time. Uh and then the last policy point that I sort of wanted to raise as just sort of food for thought is to recognize this concept called principal agency. There was a very interesting case in Canada last year. Um an airline had a chatbot. The chatbot made all kinds of promises you wouldn't even believe. Yeah, we'll refund that. We'll
interline you onto a new airline. We'll get you there. And [clears throat] of course they didn't, right? And uh the consumer said, "Hey, wait a minute. They told me." And the court said, "Yep, they told you." All right. Because um this this computer that the airline didn't really control, you know, it's a chatbot. How are you going to... you, anyone in this room, can make a chatbot say whatever they wanted to say? But they said, well, this concept of principal agency says, um, I'm the principal. I tell you to do something on my behalf. You're the agent. Uh, if somebody else talks to you, it's like they're talking to me. Can a chatbot be an agent? Uh,
that court said absolutely. Can a web server be an agent? Well, if it says 200, okay, here's your bank balance. Says 200. Okay. Of course, you may have this list of uh serial numbers. Um, says 200. Okay. Yep. You're allowed to watch this movie. Um, is it really up to you to second-guess it and say, "Well, in this whole Byzantine and complex system, what did the employees of this corporation that I have never talked to and can never talk to want?" Uh, that is a little bit odd. Better to recognize principal agency and say, "If your computer, if you publish something, you know, I don't put my secrets. I don't write them down in a
book and put them in the public library and hope that nobody knows the call number." That would be very strange behavior. But on the internet, we do it all the time when we put a thing, you know, just kind of publish it, put it in GitHub, um, publish our private keys, uh, you know, put something on a web page that anyone can just download with a URL that they can easily find. Uh, that sort of conduct, downloading that file has been charged. It probably should not be chargeable because we should probably recognize that the computer as an agent said, "Yeah, you can have that." So, those are all of my policy proposals. I've of course left
the uh requisite 10 minutes for questions, but I did want to point out uh one additional policy thing previously. Um my colleagues had uh had just published this report hot off the press, From Chaos to Capability, uh describes sort of a similar but uh unrelated uh going through of unleashing the capability of people like us to actually fix the problem. Uh and says, well, uh the private market is pretty good at building capability for exploits. Why do we keep this so close to the chest and say, well, this is uh use of force, the military can do these exploits, but we're not going to trust you with it? Uh which kind of is the same, not the same, this
has... the report contains nothing that I just talked about. I didn't participate in its writing, but it just goes to say I think that the tide of the times change, that we need goes toward it's not magical lightning bolts coming from my fingers when I'm hacking the computer, it's just stuff that people do. We happen to be really good at it. So let's make sure that we have a live for [applause]
>> All right. Thank you for the talk. Um, until now law hasn't, or like criminal law hasn't done much to change things, but we've been like for years we've been kind of leaning on insurance, like so as people get extorted or as damages like go up, then in order to get insurance is more expensive, people have to go through audits. Do you see like that being going hand in hand or do you think the insurance industry is a natural ally to help with getting the law to change? >> A decade ago I was very very very bullish on this. Um my enthusiasm has been somewhat tempered based on an observation of results. I think that um
if you look at other structures of liability in our society, oftentimes insurers are the people who are applying kind of a one-size-fits-all, um you know, you must do the following irrational things or forgo the following things that seem completely and utterly harmless, because the insurance policy simply cannot be customized enough to meet your own individual needs. And computers have so many varied things that they can do. Uh we have seen some good results. I mean, there are a lot of penetration tests that occur because an insurance company will refuse to pay out your damages. We've also seen some negative results. In fact, one of the first things that ransomware gangs go for is to figure out if they can get
your insurance policy documents to see how much they can ding you for. And this is a rapidly developing area. I hope that it converges upon we actually just have to defend the systems and then everything else falls into place. >> Okay. So, do you think it would help if we legalized ransomware? >> [laughter] >> I think that that's a very interesting perspective and I think the first thing that I want to know is why you think that would help. Um and you know the legalizing of ransomware. I mean why, right? Uh this is sort of similar to the should we have a group of people who is empowered under some kind of cyber letter of marque type operation to go
through and do penetration testing of general public systems. Um, and if you think about whether that is okay, it might help to crystallize whether this, this much more, um, you know, should we then be allowed to use force to make our demand that we get paid, uh, in this context, uh, should that be allowed? Um, it is an interesting moral question. I think I leave open uh, whether it ought to be the case that everybody should be required to operate some kind of vulnerability disclosure program or bug bounty program. And in practice, we are seeing that more and more, or if you want people to actually buy your software and services that they will
require you to operate such a program. >> So what is the incentive for legislators to change the laws here? Because right now they have a big hammer and they get to choose how they use it. Why would they why why would they allow a smaller hammer? >> It is a different hammer. It is about capability. Um certainly I think as more people become aware of the performative nature of indicting foreign threat actors that we will never be able to bring to answer in a way that will never actually cause us less problems um becomes a kind of a theater that will be less and less and less effective over time. We need some lever to hold
accountable the people who are actually allowing these constant hacks to continue and cause chaos in our society. Uh, and so taking away the hammer that allows you to absolutely swat that mosquito, uh, and replacing it with a hammer that says, "But the people who can do something about this actually do have to do something about this." Um, may actually be a preferable scenario. Uh, even if your view of government is that government seeks to accumulate power, which is a perfectly legitimate view. >> Um maybe on the opposite end of the spectrum from the previous question, do you think that are there any cases where you would have to have this and even this dialogues with your change number
two? Uh the one about wires. >> Uh so there are some crimes that are they have aggravated like let's say you murder and you murder a family member, a politician or a I don't know a political activist. Do you think that there are still uh frauds in computer science that should be deemed more uh more more serious? >> Well, if you reach into a banking system and you start sending yourself wire transfers out of somebody's general fund, uh that sounds like wire fraud to me. Um if you go around and poke in the network a little bit and maybe you create a couple of VMs, this sounds a little bit less like wire fraud. And I
think that uh the work to make these definitions clear uh really needs to be done. But in practice, what has been happening is these two often are tied together hand in hand and there's not much distinction made. And I think that when you force people over that line and you say, "Well, you're already a felon. You can't be a double felon." Uh maybe we're really denying ourselves the opportunity to appropriately treat the more serious conduct. >> Why do you think that market forces or like financial values tend to drive these laws or be the primary drivers of these laws in contrast to like the human piece that you talked about um and and and above that really and then also if you could
scroll back to the slide uh that talked about the interpretation of risk for people in crypto the chart you had. >> Yep. >> So we're saying that like for the denial of service attack the 51% saying that it's low risk. Mhm. >> And then only 32% saying it's high risk. That's how you interpret that. >> Uh yeah, that that most people felt that denial of service attack was a very low risk, although some people felt that it was a very high risk. >> Okay, cool. All right. I just wanted to make sure I was interpreting the chart right. But yeah, my my question about market forces and why that tends to drive legislation and prioritization of
that instead of the human impact there. >> I don't know that market forces necessarily do drive legislation. Uh my experience is that what drives legislation tends to be people clamoring for it and there are certain structures of clamoring for it which might be done by uh corporate interests or by private individual forces. Uh the zeitgeist follows certain rules. It's out of scope of this. Um but I think that if I had to say a couple of things about that topic more broadly. Um, another thing that this chart shows kind of as a corollary is that people are astonishingly bad at determining risk in general and we all know it. Um, relying on people to prioritize for themselves what to
mitigate uh means that if this is to be gone by, uh, the most very most important thing that you can do is hedge all of your assets and then below that is preventing them all from getting stolen wholesale by a stealer. Um, so I think that that's why uh certainly when we see well this person went and they hacked the bank, they hacked the phone company, they did it. Uh, we have a sort of knee-jerk response to that that doesn't really correlate and in fact operates at a wholly different level of abstraction both policy and like just psychologically um from what is required to actually fix the problem. >> Thank you. So in your list of solutions you have uh
kind of imposing a duty to secure and um duty to defend. Did you imagine that kind of working through regulation, working through civil liability or criminal even criminal liability for uh kind of falling short of that duty? >> Well, we already have some civil duty to defend. Uh certainly every time that somebody gets hacked like this, there's a criminal case against the hacker. And within the criminal case against the hacker most often is the civil case against the entity hacked. Uh and this goes back to well this happened because of you because of you we breached our duty. Um it is the because of you that we that we breached our duty that I'm trying to attack a little bit here and
say well maybe that's, you know, that's the one that hit you. But of all the rocks that hit your windshield, do you blame the rocks? Um it's a little bit sticky, but I would actually advocate that a criminal duty to defend is probably uh a good answer here. Um some people have told me very cynically that what this in fact does is it puts a larger moat around existing entrenched actors. Um, what I actually think about it though is that [clears throat] um, when all that you're doing is fining people, um, your ability to influence people who have unbounded sums of money is extraordinarily limited and it becomes an economic decision whether
you should bother to protect the public trust, which doesn't seem to me the correct lever to produce the desired outcome. >> All right, another question. You talked about the lack of hacker prosecutors, lack of hacker, I don't know, assembly people, but even more rare is hacker judges. Um, so our ability to make like sense out of the laws that already exist or our way to interpret it. Um, that's very rare for a judge to go and actually learn a programming language just to be able to do a case. It's happened, but like once. Um, do you think that there's do you think that we have a way to influence the judicial system to help because they have to interpret what our
rights are or do you think that it's the best way is to try to influence the staff members that like that that support the senators and people that think the internet's a series of tubes? >> It's all the same. Um, it's all the same. I could give a whole talk about why I don't hate that metaphor as much as maybe I ought to. But um when decisions are rendered [sighs] uh the inputs to the decisions are manifold. I think uh in I believe it was the Van Buren case in which the court described um generally in in public statements about the case. Um we're a court. [clears throat] We'll need experts to explain this. You know, we're
experts in law. We're not experts in that. Uh they do listen. Uh certainly serving as an expert witness is very very very helpful to society in general, even if it doesn't pay well and causes you unending amounts of legal liability. But uh beyond that, decisions are also often rendered with reference to the congressional records. So doing things like telling staffers about this and making sure that in the large colloquium published in the federal register when they make regulations and in the congressional record of what the debate said, there is some discussion of these kinds of trade-offs in a technical term. That information absolutely makes its way into the judicial system. Thank you. [applause]
[music]