Shall We Play A Game? 30 Years of the CFAA

Presented at BSidesLV 2016, Aug. 2, 2016, 11 a.m. (85 minutes)

2016 marks the 30th anniversary of the Computer Fraud and Abuse Act (CFAA), the main anti-hacking law in the US. Since its inception, the CFAA has been deeply contentious, with strong criticism raised that it is overly broad and vague, too harsh (or conversely not harsh enough) in sentencing, and that it is fundamentally unable to keep up with the speed of evolution of the technology usage it is designed to police. Perhaps more troubling for the security community, the CFAA contains both civil and criminal causes of action, enabling some technology vendors to use it as a handy stick to threaten security researchers away from making important disclosures. This, combined with the factors above, is widely believed to be creating a chilling effect on security research. Yet recent attempts to update the CFAA have proven fruitless and highly contentious, with disagreement and frustration on all sides of the debate. In this session, we will discuss the purpose and history of the CFAA, high profile cases and lessons learned, the impact on security research, and our predictions for the future of the CFAA. To cover all that ground, this session will be an unusual mixture of presentation and panel. In the first half, Jen Ellis (security research advocate) and Leonard Bailey (DOJ) will provide a factual overview of the law. In the second half, Leonard will be joined by Nate Cardozo (EFF lawyer), Cristin Flynn Goodwin (Microsoft lawyer), and Tod Beardsley (Rapid7 security researcher) to discuss their varied points of view on this contentious law, and their hopes for future application and developments.

Presenters:

• Tod Beardsley - Security Research Manager - Rapid7
  Tod Beardsley is the Security Research Manager at Rapid7. He has over twenty years of hands-on security experience, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT Ops and IT Security positions in large footprint organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod speaks at security and developer conferences on open source security software, managing the human "Layer 8" component of security, and reasonable vulnerability disclosure handling. He can be contacted via the many addresses listed at https://keybase.io/todb.
• Cristin Goodwin - Assistant General Counsel - Microsoft
  Cristin Flynn Goodwin is the Assistant General Counsel for Cybersecurity in Microsoft's Trustworthy Computing division. Cristin counsels Microsoft businesses on a range of cybersecurity legal issues, and is the lead counsel for Microsoft's Government Security Program (GSP) which provides governments with a structured, legal means to access source code and affirm there are no back doors in Microsoft products or services, as well as to share information about threats and vulnerabilities. She helped launch the GSP's Transparency Centers in June of 2014 to enable secure government access to source code in response to the Edward Snowden allegations. Since 2008, she has been Microsoft's lead counsel for Microsoft's security incident response processes and security updates for over a billion customers around the world. Cristin also provides legal counsel for Microsoft's cybersecurity public policy worldwide, supporting her clients and legal and policy experts in Microsoft's subsidiaries worldwide. Goodwin was also actively engaged in the policy, technology and legal work that ensued with the Federal government in the years following 9/11. She can be followed on Twitter @CristinGoodwin.
• Leonard Bailey
  Leonard Bailey joined the Department of Justice's Terrorism and Violent Crime Section (TVCS) in 1991 and served as Special Counsel and Special Investigative Counsel to the Department's Inspector General in the late 1990's. In 2000, he joined the Computer Crime and Intellectual Property Section (CCIPS) where he has prosecuted computer crime and intellectual property cases; advised on matters related to searching and seizing electronic evidence and conducting electronic surveillance; and chaired the Organization of American States' Group of Government Experts on Cybercrime. Between 2009 and 2012, he focused on DOJ cyber policy while serving as Senior Counselor to the Assistant Attorney General for the National Security Division and an Associate Deputy Attorney General. He returned to the Criminal Division in 2013 where he is currently Special Counsel for National Security in CCIPS. Mr. Bailey is a graduate of Yale University and Yale Law School. He has taught law courses at Georgetown Law School and Columbus School of Law in Washington, D.C.
• Jen Ellis - VP of community and public affairs - Rapid7
  Jen Ellis is Rapid7's Vice President of Community and Public Affairs. She believes security practitioners are the guardians of Society's trust in technology, and works extensively with security professionals, technology providers/operators, and various Government entities to promote better collaboration. She believes this is our best path to reducing cybercrime and protecting consumers and businesses. To this end, Jen also provides free skills training to security professionals so they can get greater buy-in and achieve more positive security outcomes. She has testified before Congress and spoken at numerous security industry events.
• Nate Cardozo - Senior Staff Attorney - Electronic Frontier Foundation
  NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation's digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

Links:

• https://bsideslv2016.sched.com/event/7aPa/shall-we-play-a-game-30-years-of-the-cfaa

Similar Presentations:

• AppSec USA 2013 / Computer Crime Laws - Tor Ekeland, Attorney
• Black Hat USA 2015 / Take a Hacker to Work Day - How Federal Prosecutors Use the CFAA
• THOTCON 0x6 (2015) / Hacking the CFAA: What You Need to Know, What’s Happening, and Where It’s Going.