Shall We Play A Game? 30 Years of the CFAA

BSidesLV 2016

Presented by: Leonard Bailey, Tod Beardsley, Nate Cardozo, Jen Ellis, Cristin Goodwin
Date: Tuesday August 02, 2016
Time: 11:00 - 12:25
Location: Florentine G
Track: Common Ground

2016 marks the 30th anniversary of the Computer Fraud and Abuse Act (CFAA), the main anti-hacking law in the US. Since its inception, the CFAA has been deeply contentious, with strong criticism raised that it is overly broad and vague, too harsh (or conversely not harsh enough) in sentencing, and that it is fundamentally unable to keep pace with the rapidly evolving technology and usage patterns it is designed to police.

Perhaps more troubling for the security community, the CFAA contains both civil and criminal causes of action, enabling some technology vendors to use it as a handy stick to threaten security researchers away from making important disclosures. This, combined with the factors above, is widely believed to be creating a chilling effect on security research. Yet recent attempts to update the CFAA have proven fruitless and highly contentious, with disagreement and frustration on all sides of the debate.

In this session, we will discuss the purpose and history of the CFAA, high-profile cases and lessons learned, the impact on security research, and our predictions for the future of the CFAA. To cover all that ground, this session will be an unusual mixture of presentation and panel. In the first half, Jen Ellis (security research advocate) and Leonard Bailey (DOJ) will provide a factual overview of the law. In the second half, Leonard will be joined by Nate Cardozo (EFF lawyer), Cristin Flynn Goodwin (Microsoft lawyer), and Tod Beardsley (Rapid7 security researcher) to discuss their varied points of view on this contentious law, and their hopes for its future application and development.

Nate Cardozo

NATE CARDOZO is a Senior Staff Attorney on the Electronic Frontier Foundation’s digital civil liberties team. In addition to his focus on free speech and privacy litigation, Nate works on EFF's Who Has Your Back? report and Coders' Rights Project. Nate has projects involving cryptography and the law, automotive privacy, government transparency, hardware hacking rights, anonymous speech, electronic privacy law reform, Freedom of Information Act litigation, and resisting the expansion of the surveillance state. A 2009-2010 EFF Open Government Legal Fellow, Nate spent two years in private practice before returning to his senses and to EFF in 2012. Nate has a B.A. in Anthropology and Politics from U.C. Santa Cruz and a J.D. from U.C. Hastings where he has taught first-year legal writing and moot court. He brews his own beer, has been to India four times, and watches too much Bollywood.

Jen Ellis

Jen Ellis is the Vice President of Community and Public Affairs at Rapid7, a security data and analytics company. In this role, Jen’s primary focus is on building productive collaboration between those in the security community and those operating outside it. She works extensively with security researchers, technology providers and operators, and various Government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cybercrime and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including HOPE, SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides. Talk to me about Archer, Phineas & Ferb, why British chocolate is so much better than US chocolate, cybersecurity policy, and driving consumer adoption of security practices and awareness.

Leonard Bailey

Cristin Goodwin

Cristin Flynn Goodwin is the Assistant General Counsel for Cybersecurity in Microsoft’s Trustworthy Computing division. Cristin counsels Microsoft businesses on a range of cybersecurity legal issues, and is the lead counsel for Microsoft’s Government Security Program (GSP) which provides governments with a structured, legal means to access source code and affirm there are no back doors in Microsoft products or services, as well as to share information about threats and vulnerabilities. She helped launch the GSP’s Transparency Centers in June of 2014 to enable secure government access to source code in response to the Edward Snowden allegations. Since 2008, she has been Microsoft’s lead counsel for Microsoft’s security incident response processes and security updates for over a billion customers around the world. Cristin also provides legal counsel for Microsoft’s cybersecurity public policy worldwide, supporting her clients and legal and policy experts in Microsoft’s subsidiaries worldwide. Goodwin was also actively engaged in the policy, technology and legal work that ensued with the Federal government in the years following 9/11. She can be followed on Twitter @CristinGoodwin.

Tod Beardsley

Tod Beardsley is the Security Research Manager at Rapid7. He has over twenty years of hands-on security experience, reaching back to the halcyon days of 2400 baud textfile BBSes and in-band telephony switching. Since then, he has held IT Ops and IT Security positions in large footprint organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod speaks at security and developer conferences on open source security software, managing the human "Layer 8" component of security, and reasonable vulnerability disclosure handling. He can be contacted via the many addresses listed at <https://keybase.io/todb>.
