In advance of ShmooCon, Rapid7 co-organized the Hackers On The Hill event with the omnipresent Beau Woods of I Am The Cavalry. The event aims to help give security pros an opportunity to learn about engaging in public policy relating to cybersecurity. The event brought around 70 hackers to Capitol Hill to engage in meetings with Congressional offices, discuss cybersecurity policy issues of interest to the security research community, and provide resources and education on how to make policy advocacy more effective. It was a great event! A good turnout from the research community (in town for Shmoo), a beautiful room on the Hill secured with the help of Congressional staff, and lots of positive engagement in the meetings with Congressional offices towards the latter half of the day. Check out the website and Twitter handle for more - here’s looking forward to doing it again in 2021.
As part of that event, I gave a presentation on the state of cybersecurity policy, and produced a brief guide for visiting Congressional offices. Since then, I’ve received positive feedback and several requests to post the guide and the slides. So here we go.
The Unofficial Guide to Meeting With Congressional Offices was a resource to participating hackers preparing for their first Hill meetings. We created a version specially for the event, but here is an updated version for you to use if you are interested in briefing Congress.
The Hacking Policy presentation is available here. The presentation gave an overview of the volume and themes of cybersecurity policy activity at the federal and state levels, then focused on several specific cybersecurity topics - lovingly handpicked as possibly of interest to the hacker audience. Finally the presentation gave some resources for policy research and a few tips on effective advocacy. The slide graphics themselves are based on public domain government posters that I Photoshopped to be more cyber(TM) .
Here is a brief summary of some takeaways from the Hacking Policy presentation:
When looking at the cybersecurity policy landscape, it’s important not just to look at Congress (which often gets the most attention), but also Executive Branch agencies and the states. For many issues, agencies and states are more active.
Reviewing the past year, there is a lot of cybersecurity activity in Congress, executive agencies, and the states - hundreds of bills, regulations, and other actions that touch on cybersecurity in some way. Policymakers know that cybersecurity is an important issue - which was not necessarily the case five to ten years ago - the conversation has evolved to debate on what to do about cybersecurity.
While there is good diversity in the categories of cybersecurity policy issues under consideration, there are also common tensions holding back progress, such as fears of harming innovation with liability.
Taking a closer look at specific cybersecurity policy issues of interest to the security research community -
- Internet of Things: In the current Congress, much of the action on IoT security relates to federal procurement (the IoT Cybersecurity Improvement Act), smart cities, and reports and commissions on how to approach IoT security. However, there are already many reports, best practices, and guidance about IoT security circulating - some of which comes from executive branch agencies. NIST is finishing its voluntary IoT security baseline, and sectoral regulators have released voluntary guidance on IoT within their jurisdiction (i.e., FDA for medical devices, NHTSA for cars, etc.). The states have galloped ahead with laws and legislation that would require baseline security requirements for IoT.
- Privacy: The cybersecurity issues we watch out for here are 1) security requirements for personal information, 2) exemptions for cybersecurity activity from privacy requirements, and 3) the effect of preemption on state cybersecurity laws. Dozens of privacy bills in Congress have data security, but wrangling over enforcement and preemption are seriously stalling progress. Numerous states are also considering privacy legislation at varying stages of advancement, with California (again) and Washington likely to take action this year.
- Coordinated vulnerability disclosure: In Congress, only a couple bills include CVD - the IoT Cybersecurity Improvement Act would require it for government IoT vendors, and several bills would require specific federal agencies to incorporate bug bounties. The real action here is the executive agencies: OMB and CISA joined forces with a draft rule that would require all federal civilian agencies to have a vulnerability disclosure policy. Sectoral regulators, like FDA and NHTSA, are including CVD in voluntary guidance.
- Encryption: Discussion about requiring government access to encrypted communications is beginning to surge again, with public statements from the Attorney General, the President, and senior Members of Congress. In December, Senate Judiciary hearings examined this question, with the Chairman and Ranking Member favorably inclined to restricting strong encryption. There is little current legislation on the subject, with the ENCRYPT Act protecting encryption and the draft EARN IT Act that could undermine it via a Commission report.
- Supply Chain: This issue is tied to, but not exclusively based on, concerns about 5G security and Chinese espionage. Congress is focused on the government’s own activity - such as making sure its procurement and subsidies have supply chain security requirements. Meanwhile, the Dept. of Commerce (tasked by Executive Order) is drafting a regulation restricting transactions with countries designated as adversaries, and the Dept. of Homeland Security is coordinating a task force on supply chain security that (among other things) is developing a framework for public-private information sharing on supply chain risk.
- CFAA / Computer crime: Most legislation in this area would expand the reach of the Computer Fraud and Abuse Act and state equivalents, and there is very little movement on legal protection for security researchers. In particular, the International Cybercrime Prevention Act in Congress, and several computer crime laws proposed in states. Congress is also considering legislation requiring bug bounties for individual agencies, and modifying the CFAA to permit “hack back” by planting beacons in stolen data.
- DMCA Sec. 1201: Some of the most productive conversations on legal protection for security research happen in this arena. Protection for security research under DMCA Sec. 1201 has made significant progress since the Librarian of Congress’ 2015 rulemaking. The rule is up for renewal every three years, with 2021 on schedule next. Agencies like DOJ and NTIA have weighed in positively with the Copyright Office on this issue. The Copyright Office issued a study in 2017 calling on Congress to change DMCA Sec. 1201 to give security researchers more flexibility. Congress has yet to take this up, but has begun a series of hearings on DMCA that may examine this issue in context of broader reform.
That’s a lotta cyber policy! But the status of cyber policy issues, legislation, and regulation is evolving all the time. Here are some additional resources if you want to track them: For federal legislation, check out <https://www.congress.gov>. For federal regulation, check out <https://www.regulations.gov>. For state legislation, check out <https://www.ncsl.org>.
As you go forth to advocate on issues that matter to you, remember that it is easy to just point out problems. The most valuable approach is to propose solutions that don’t create other big problems, articulate it to the right officials, and navigate the politics and processes to make progress on the solution. It’s not easy and takes practice, but I believe in the security community’s ability to make real change if we work together.
* * *
Thanks again to everyone who came out to Hackers On The Hill 2020, and much gratitude to the participants and co-organizers. Hopefully we’ll run it back in 2021, and no doubt cyber policy will be even more cyber by then. Until that time, any feedback is welcome, and especially your experiences in advocating on cybersecurity policy since the event.