Propping Up the Sky
The range, motivations, and sophistication of attacks are growing, but vendors clamoring like Chicken Little doesn't actually help anything other than the bottom line. A lot has been said over the years about the use of "fear, uncertainty, and doubt" (FUD) to sell security services and software, but increasingly concerning is the fact that governments around the globe have responded to the use of FUD by either creating or considering legislation that may have a hugely damaging effect on how the computer security industry develops.
Proposed changes to the UK's Computer Misuse Act (CMA) and the Police and Justice Act 2006 may make it a legal offense to supply or offer to supply technologies that can be used to commit an offense. If a researcher publishes an exploit, or a developer writes a tool that is subsequently utilized by an attacker, or even one that merely can be, he or she may have committed a prosecutable offense. This new state of affairs isn't limited to the UK. In Germany, changes to existing legislation have made it an offense to sell, distribute, or acquire "hacking tools," and many legitimate security researchers have had to move on from Germany. Poland has the same sorts of legislation in place, and although this stops the development of legitimate tools useful to security professionals and administrators alike, it hasn't impacted the creation of exploits by research groups such as Last Stage of Delirium. The growing legal clampdown on security (perversely enough, in the interests of increasing security) isn't limited to Europe. The U.S. Patriot Act has become a stick with which to beat security researchers and invade personal privacy alike. Also in the U.S., the Digital Millennium Copyright Act (DMCA) has been employed to criminalize even legitimate reverse engineering (thanks to supposed copyright infringement), making a criminal out of Dmitry Sklyarov and impeding research by cryptographers and security consultants alike. And what has the security industry done about these legal trends? Thus far, not a lot.
Fear sells. A government, corporation, or individual that isn’t threatened directly is less likely to respond to a general threat by spending money to fix the problem. Politicians understand this trend, and the media are not slow to exploit it. Legislation is being created to address threats to the stability of computer networks, helped in no small part by security vendors’ tales of woe—something that, in itself, is no bad thing. Unfortunately, such legislation may ultimately be employed to halt or hinder legitimate security research, rather than targeting attackers. This is a bad thing, and one we need to address.