Legislation threatens security research and privacy, claims report

Hewlett Packard Enterprise has released its hefty annual cyber-risk report, stating that well-intentioned legislation is putting cyber-security research and privacy at risk.

The long arm of the law may end up strangling research, says HPE's annual report

Hewlett Packard Enterprise's (HPE) new cyber-risk report has not been shy in claiming legislators are ‘pushing research underground’.

The report, which HPE releases every year, coalesces all the company's security research into one hefty, 100-page document. Among its conclusions this year are that governments are impinging upon the tech industry's ability to develop, as well as squashing privacy rights in the wake of mounting international security threats.

The authors of HPE's new report write, “When horrific events occur impacting the lives of many, there is a natural reaction to do something to try to prevent future occurrences. Too often, the ‘something’ incurs unwanted consequences to go along with the intended result. This is the case with various proposed regulations governing cyber-security.”

SCMagazineUK.com spoke to Andrzej Kawalec, CTO for enterprise security at HPE. He told SC, “In a fundamental sense we think that the approach that has been taken around security regulation is putting some parts of research underground.”

Research into things like connected cars, a subject around which there is an enduring hoo-ha, is sure to be stifled by incoming regulation.

Kawalec feels that the tech and cyber-security industries have largely moved past their early habit of bringing civil action against well-intentioned security researchers, and now let them look into heretofore unknown security vulnerabilities through responsible disclosure programmes. The number and scope of those programmes has even increased in the last couple of years and, today, security researchers can for the most part work openly.

By “limiting the areas in which you can do legitimate research”, Kawalec told SC, one can bring about a sea change: “You can implement a change in behaviour for security researchers.”

New legislation may play a part in pushing those researchers back into the shadows, says Kawalec. Singled out for the report's criticism is the Wassenaar Arrangement. The arrangement, signed by 41 countries, means to set export controls on arms and, with any luck, prevent the massive build-up of arms in any one country.

The arrangement was updated in 2013 to draw cyber-space within its reach. The update included all manner of tools used in legitimate cyber-security research as well as malicious attack. The scope of this update, says HPE's report, echoing Facebook and Google before it, is so broad as to prohibit and even criminalise much of what is considered today to be legitimate penetration testing, responsible disclosure and security research.

Going forward, says the report, HPE expects “to see increased implementation of the Wassenaar Arrangement and other legislation resulting in decreased efficacy in the security community”.

“The end result means [that] creating a better protection solution becomes harder and takes more time. This, in turn, increases the likelihood of successful breaches as the environment favors those operating in the black market.”

HP felt the sting of the Wassenaar Arrangement when, late last year, the company was forced to pull sponsorship from the Pwn2Own contest in Japan because of the complexities of the international arrangement.

“There is a lot of political pressure”, as Kawalec puts it, “trying to decouple privacy and security efforts.”

HPE's report states that this year, “many lawmakers in the US, UK, and elsewhere claimed that security was only possible if fundamental rights of privacy and due process were abridged.”

This has perhaps been more a case of headline grabbing, not just for the cyber-security industry but for the general public too, given not only the series of bloody attacks which Europe and Africa suffered in the last year, but also the advent of intrusive propositions like the much-maligned Investigatory Powers Bill and international calls for ‘backdoors’ in encryption.

The report echoes US senator Patrick Leahy's remarks earlier this year: “Protecting our privacy rights and protecting our country are not part of a zero-sum equation. We can do both.”

HPE's report highlights a number of other themes that have come to the fore this year:

“If 2014 was the Year of the Breach,” says the report, “2015 was the Year of Collateral Damage as certain attacks touched people who never dreamed they might be involved in a security breach.”

HPE also seems to have come to the conclusion in the last year that “the industry didn't learn anything about patching”. The most exploited bug from 2014 continued to be the most exploited bug of 2015. Adobe and Microsoft released more patches than either company had ever done in history, to apparently little effect. Vendors can send over as many patches as they like, but end users still don't trust them enough to install them, often disabling automatic update features or fearing that patches, while fixing some things, will break others.

End users don't appear to trust automatic updates, and the industry is going to have to claw back that trust if it doesn't want the most exploited bug of 2014 to be the most exploited bug in 2016 too.

David Hood, managing director of ANSecurity, spoke to SC to offer his take on HPE's conclusion: “The question, as is always the case when it comes to creating and implementing new regulations, is how are the lawmakers interacting with the industry to create legislation that will work?”

In the industry, said Hood, “there is a tendency to sweep breaches under the carpet and indeed, security companies don't often talk about how they overcame a breach because they simply don't want to admit they were targeted. This results in an ethos of secrecy where no best practices are shared within the industry, which can stifle learning and technology advancements, so we certainly don't want regulation that will force the IT security sector further down the secrecy road.”

Meanwhile, in related news, a collection of tech companies have banded together to admonish EU regulators for slowing the pace of progress with the passage of overbearing regulations both locally and internationally. An alliance of Uber, AirBnb and 45 other tech companies has written an open letter to the Prime Minister of the Netherlands, Mark Rutte, who also currently holds the presidency of the EU. The letter encourages European legislators to support competition and “continue to seek to ensure that local and national laws do not unnecessarily limit the development of the collaborative economy to the detriment of Europeans”.