A draft CISA directive asks civilian agencies not to punish outsiders who probe their systems.
With a solicitation closing Sept. 2 on a vulnerability disclosure platform and a finalized binding operational directive apparently in hand, the Cybersecurity and Infrastructure Security Agency is getting ready to open the civilian government’s front door to individuals who might identify weaknesses in its defenses.
The directive would instruct civilian agencies to publish vulnerability disclosure policies that encourage security research by committing not to pursue or recommend legal action against individuals who probe government systems, as long as they honor certain stipulations.
Nextgov took a short trip back in time to get a better understanding of the motivations of the community of people who began the push to access and explore computer technology and their fear of prosecution, mainly under laws such as the Computer Fraud and Abuse Act, which has been criticized over broad and harsh application.
In 1998, members of a group called “The L0pht,”—which had demonstrated vulnerabilities in Microsoft’s encryption and passwords—tried to explain the basic impulse of the hacker archetype to Congress.
“For the past four years, the seven of us have been touted as just about everything from the hacker conglomerate, the hacker think tank, the hangout place for the top U.S. hackers, network security experts, and a consumer watch group,” one member, testifying under the handle “Mudge,” told the Senate Governmental Affairs Committee. “In reality, all we really are is just curious.”
But comments in response to CISA’s draft directive show government officials still skeptical of welcoming unidentified hackers to their systems and afraid of losing their power to enforce the law against fraud.
Allowing researchers to report vulnerabilities anonymously would “make it harder to separate malicious actors from authentic security researchers,” the Energy Department wrote, suggesting CISA allow only vetted and registered researchers any promises of legal restraint.
“We believe including a provision in any policy that makes a commitment regarding not pursuing legal action is ill advised because it will be impracticable to determine in many cases when external parties or researchers are proceeding in good faith,” wrote counsel for the Education Department’s inspector general office. The inspector general for the Federal Deposit Insurance Corporation had similar concerns, especially related to foreign nation states.
Nextgov spoke to some seasoned vulnerability disclosure coordinators, and Rep. Jim Langevin, D-R.I., to get a deeper understanding of what’s behind the pending policy and give implementers a glimpse of what lies in store.