School of Information assistant professor Deirdre K. Mulligan, working with colleagues at the Berkeley law school, has drafted a joint statement urging reform of the laws inhibiting cybersecurity research.
With the emergence of the “Internet of Things” and increasing connectivity between devices and computer systems, Mulligan and her co-authors highlight the growing importance of cybersecurity research. But many current laws, including the Digital Millennium Copyright Act, the Computer Fraud and Abuse Act, and the statutes amended by the Electronic Communications Privacy Act, actually inhibit research to improve these systems’ security, they warn.
Examples sound like science fiction, but are quickly becoming science fact. When pacemakers were wirelessly hacked to give a heart a deadly jolt of electricity in a recent hacker demonstration, cybersecurity experts took notice — as did anyone with a pacemaker. Pacemakers are only one example of potentially vulnerable medical devices; defibrillators, ventilators, drug infusion pumps, and other implantable medical devices may also be at risk.
Modern cars are increasingly computerized and even connected to wireless networks. Research has shown that cars are “extremely fragile to attack” with multiple vulnerabilities that put even the most fundamental safety systems at risk. “Currently, there’s nothing to stop anyone with malicious intent and some computer-programming skills from taking command of your vehicle,” according to a recent article in Car and Driver magazine. “After gaining access, a hacker could control everything from which song plays on the radio to whether the brakes work.” But current laws discourage legitimate research that could uncover and correct these vulnerabilities, according to Mulligan and her co-authors.
The statement grows out of a workshop held at Berkeley in April, funded by the National Science Foundation. Over 30 leading cybersecurity experts have already signed the document.
The statement has been submitted to the U.S. Copyright Office with a comment urging approval of a research exemption to the anti-circumvention provisions of the Digital Millennium Copyright Act. The statement will be referenced again in subsequent proceedings before the Copyright Office and in other contexts.