Anti-piracy bill threatens security tests

A bill designed primarily to protect digital copyright laws contains a provision that could make illegal the network security testing often used by federal agencies to gauge how safe their networks are from hacker attacks or other unauthorized uses.

The legislation, called the Digital Millennium Copyright Act, is designed to stamp out worldwide software piracy by protecting the copyright of software products. However, several representatives of computer security concerns and computer science academics vigorously oppose the bill, saying it would cripple their computer security business and research efforts.

The provision in question is intended to prevent software pirates from breaking the encrypted codes used to protect copyrighted software as it is transmitted via the Internet.

But according to Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, the bill would prevent businesses and researchers from launching penetration tests or researching computer security problems such as viruses. Spafford recently sent a letter, co-signed by representatives of 48 computer security companies and academic institutions, to various members of Congress opposing the bill, which has been passed by the Senate and the House Commerce and Judiciary committees. The proposed legislation could go to the House floor as early as this week.

While hackers regularly exploit security weaknesses they find in commercial off-the-shelf software by using a technique called reverse engineering, security experts do the same to identify and warn users of problems and to build patches for the holes. Because the bill would prohibit reverse engineering, it would prevent authorized researchers from exploring weaknesses in COTS products and from other work, such as picking apart new computer viruses to build defenses against them, Spafford said in the letter.

If passed in its current form, the bill, also known as the World Intellectual Property Organization Copyright Treaties Implementation Act, could threaten the national security of the United States because of its potential to "imperil computer systems and networks throughout the United States, criminalize many current university courses and research in information security and severely disrupt a growing American industry in information security technology," according to the letter.

An executive with a company that performs authorized "white hat" attacks on commercial and government networks said the bill "could make us liable for prosecution for even pinging [poking around in a network for weaknesses] a network that contains copyrighted material." The source, who asked not to be named, added that the bill's restrictions on the teaching of encryption come close to "outlawing even the knowledge of encryption."

Despite the recent cries from the information security community, there is little indication that a potential ban on reverse software engineering will be a hot point of debate once the bill makes its way to the House floor. "It doesn't seem like it's going to be that contentious," said Pete Sheffield, spokesman for the Commerce committee.

The effect of the bill on federal agencies is unclear. Thomas Burke, assistant commissioner for information security at the General Services Administration, said the National Security Agency and the National Institute of Standards and Technology have been working to certify many software products for security, eliminating the need for other agencies to perform some security testing, which might involve reverse engineering. NSA would be exempt from the copyright law. Moreover, Burke said, agencies may be able to work closely with the creators of software products to avoid copyright infringement when testing products for security.

But Minneapolis-based information security consultant Bruce Schneier, president of Counterpane Systems, said NSA does not have time to test all software products and that agencies cannot rely on vendors to find their products' security weaknesses. "Vendors don't want to tell you what the flaws are. Vendors want to sell products," he said.

The bill would have a chilling effect on the information security field, Schneier said. "This is scary bad. This basically means that you can't do research on computer security," he said.

While computer security companies have been vigorously fighting the bill, its proponents say the benefits to software makers could be substantial. In 1997 alone, worldwide losses from the piracy of business software topped $11 billion, said Mark Traphagen, vice president and counsel of the Washington, D.C.-based Software Publishers Association.

*****

Digital Millennium Copyright Act

Purpose: To eliminate worldwide software piracy by protecting the copyright of software products.

Issue: While the bill is supported by most software vendors, computer security companies and researchers claim a provision of the bill would cripple their computer security business and research efforts.

Status: Could be sent to the House floor this week.