As Dean of Research for our graduate school (sans.edu), I often assist students in developing their research ideas. The research conducted by our students is valuable and important to defend our networks against highly organized and well-funded threat actors. Any restriction on our student's ability to conduct their research, and sharing their results freely, only adds additional unnecessary burdens on us as network defenders. With that, I am happy that I was able to co-sign the attached statement by the Electronic Frontier Foundation (EFF) on behalf of the SANS Technology Institute. Legal threats against good faith security researchers only discourage the open exchange of ideas. If we hope to have a chance to defend, we will have to keep exchanging these ideas, learn and we need to continue to be curious hackers exploring the technologies that are the foundation of our everyday living.
We the undersigned write to caution against use of Section 1201 of the Digital Millennium Copyright Act (DMCA) to suppress software and tools used for good faith cybersecurity research. Security and encryption researchers help build a safer future for all of us by identifying vulnerabilities in digital technologies and raising awareness so those vulnerabilities can be mitigated. Indeed, some of the most critical cybersecurity flaws of the last decade, like Heartbleed, Shellshock, and DROWN, have been discovered by independent security researchers.
However, too many legitimate researchers face serious legal challenges that prevent or inhibit their work. One of these critical legal challenges comes from provisions of the DMCA that prohibit providing technologies, tools, or services to the public that circumvent technological protection measures (such as bypassing shared default credentials, weak encryption, etc.) to access copyrighted software without the permission of the software owner. 17 USC 1201(a)(2), (b). This creates a risk of private lawsuits and criminal penalties for independent organizations that provide technologies to researchers that can help strengthen software security and protect users. Security research on devices, which is vital to increasing the safety and security of people around the world, often requires these technologies to be effective.
Good faith security researchers depend on these tools to test security flaws and vulnerabilities in software, not to infringe on copyright. While Sec. 1201(j) purports to provide an exemption for good faith security testing, including using technological means, the exemption is both too narrow and too vague. Most critically, 1201(j)’s accommodation for using, developing or sharing security testing tools is similarly confined; the tool must be for the "sole purpose" of security testing, and not otherwise violate the DMCA’s prohibition against providing circumvention tools.
If security researchers must obtain permission from the software vendor to use third-party security tools, this significantly hinders the independence and ability of researchers to test the security of software without any conflict of interest. In addition, it would be unrealistic, burdensome, and risky to require each security researcher to create their own bespoke security testing technologies.
We, the undersigned, believe that legal threats against the creation of tools that let people conduct security research actively harm our cybersecurity. DMCA Section 1201 should be used in such circumstances with great caution and in consideration of broader security concerns, not just for competitive economic advantage. We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good faith security research In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.
Black Hills Information Security
Electronic Frontier Foundation
Grand Idea Studio
SANS Technology Institute
Social Exploits LLC
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022