RSA 2017: Poorly Constructed Laws a Danger to Research, Cybersecurity

A panel of subject matter experts took to the problems of legislating in the cybersecurity realm and what can happen when lawmakers don't properly understand the tech.

SAN FRANCISCO — The veritable flood of cybersecurity legislation in recent years has, on the surface, targeted malicious actors and consumer interests. But from the viewpoint of some operating in and around the cyberspace, many of the laws have also posed significant dangers to new innovations and ultimately the safety of networks.

Whether the limitations imposed by legislation relate to things like the ability to comprehensively test networks or devices for security flaws, or were simply written by lawmakers without a complete sight picture, the ramifications undeniably affect the technology realm.

Experts from academia, policy and the security industry outlined the complex and frequently overlapping issues and what is at stake during a Feb. 15 panel conversation at the 2017 RSA conference.

From the perspective of those in the legal space, legislation like the 2016 Burr-Feinstein bill was written in such a way that it would have done away with encryption and would have had other unintended consequences, according to Nate Cardozo, senior staff attorney with the Electronic Frontier Foundation (EFF).

“If you read it literally, it would have outlawed general purpose computing,” Cardozo said. “When you look at it, that might have been a great boon for cybersecurity because if you just make computers illegal, then we have perfect cybersecurity.” 

Though the intent behind the legislation may have been to make the jobs of intelligence and law enforcement agencies easier through backdoor device access, it failed to address these critical issues, he said.

University of California, Davis, Professor Matt Bishop agreed, adding that the legislation would have also inadvertently opened the door to the “nasty folks” when the government was unable to protect the tool.

“In my experience saying, ‘Nobody except this population can use this piece of equipment,’ is a good way to get it out very, very quickly to the general population,” he said.

In addition, the professor argued that legislation can have a chilling effect on research and information sharing. He said his own experiences have solidified the importance of open information sharing and innovative research.

“My interest essentially in these laws is I don’t want them to restrict us understanding better what the threats are,” Bishop said, “in us understanding better what the dangers are and us understanding better how to protect against their exploitation.”

With the bulk of cybersecurity research done in the private sector and academia, Bishop argued that the impacts of limiting legislation would hurt not only overall network security, but also state and federal actors.

“Government and state organization themselves don’t do all the security research. In fact, in most cases, they do very little,” he said. “So, the information that is discovered is fed back into them. I would even argue that these laws would weaken the country and the government, as well as other things.”

Panelist Matt Heine, principal software engineer with Raytheon, said one of the problems with many attempts to legislate technology is a general lack of understanding on the part of those writing and proposing the bills.

The results, he said, are often counter to the original intent. “Almost every technology bill seems to go through a period in which there’s some sort of added step by people who simply don’t understand the technology involved. It isn’t even wrong; it’s just completely orthogonal to what it professes to be trying to do.”

The panel agreed that education and leveraging subject matter experts were the first steps toward more comprehensive and less restrictive legislation around technology and cyber.

“Part of it is actually defining what cybersecurity is,” Bishop argued, adding that the definition would be different for individual organizations.

The discussion also traveled to the topic of artificial intelligence and autonomous code. While concerns about a piece of code running rampant on the worldwide stage might spark the fear that ultimately prompts legislation, the panelists seemed to settle on the need for “taking care” rather than legal solutions.

“Certainly developing protocols and a way to ensure that we are doing what we think we are doing would help avoid a lot of accidents,” Heine said.

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at