Ford, the former Black Hat General Manager, was speaking at the fifth B-Sides San Francisco, where he gave an impassioned plea for the hacking community to get involved in changing the dated laws governing cyber security, and to lobby actively for a clear definition of what is legal and what is criminal when white hat hackers work to improve security.
Pointing to current legislation such as the age-old Computer Fraud and Abuse Act, the recently introduced Aaron's Law, Presidential Executive Order 13636 on protecting critical infrastructure, the NIST security framework v1.0, FedRAMP and CISPA, Ford questioned whether all of these remain relevant in a modern age where cyber threats loom large and where government surveillance – pre and post Snowden – remains a major concern.
Ford said that standards are at least a “framework”, and while he and some attendees criticised several of them – most notably PCI DSS – he urged experts from within the hacker community to come together and get involved.
“I want to challenge us to get out of our heads the idea of ‘I’ and ‘you’ and think about ‘we’. A lot of research is an exercise in ego – we enjoy that, the learning and discovery, and value elitism in our community. But we've got to get past perfection and set standards and goals, and then celebrate incremental wins.”
“We need to think ‘how are we going to make a difference?’ We're going to have to organise, become part of the conversation, step up and be experts. We need to partner with industry, publicly endorse baseline knowledge and I am pretty sure we could argue over where criminal activity starts and stops, when attacks are evil or friendly actors, or just poking and prodding.
“The singular focus should be to protect consumers.”
As part of that focus, Ford and Rapid7 are now trying to establish an alliance in a bid to shape legislation that encourages and protects researchers.
He's urging white hats, researchers and other industry folk to go to password123.org, which, after the talk, was renamed the ‘Security Transparency Alliance’.
At this time it is essentially a glorified email list intended to encourage debate and, specifically, to promote legislation which “protects security researchers”, “defines simply how research and criminal actions are different” and “enables partnerships between the technology industry, community and government in protecting consumers.” Despite its infancy, Ford says that he has already held key meetings with some US Senate groups.
“This is a fleeting opportunity to separate what we do from becoming criminalised or becoming essential to part of the Internet,” he summarised at the conference.
Ford's talk, entitled ‘Legislative Realities’, came after a recent interview with SC Magazine in which he also urged that testing and notification should not be criminalised.
“The legislation impacting information security should be something everyone in the industry watches closely, and it's a priority for us at Rapid7,” said Ford, who has also worked for McAfee and gaming company Zynga, at the time.
“We need to see legislation achieve a balance of protection for researchers, clear guidelines for corporate due care, and simple definitions for criminal and malicious acts.”