Tom Lohdan / flickr (CC by 2.0) | Remix by Max Fleishman

Anti-botnet amendment to CISA raises concerns for cybersecurity research

Critics say it could have a 'chilling effect' on vulnerability disclosures.


Kevin Collier


Posted on Oct 15, 2015   Updated on May 27, 2021, 7:24 pm CDT

Oh, the irony.

A Democratic senator wants the Senate’s big cybersecurity bill to also fight botnets—legions of malware-infected computers that can be controlled by a single attacker. Critics, however, say the amendment, proposed by Sen. Sheldon Whitehouse (D-R.I.), could make it more difficult to combat the very cyber threats the bill is intended to negate.

“Advanced botnets,” Whitehouse said in a press release issued on Tuesday, after the Department of Justice announced it had arrested a Moldavian man for allegedly operating a large botnet, “are a significant threat to the more than 100 million Americans who bank online.”

Whitehouse used that arrest as an opportunity to tout his proposed amendment to the controversial Cybersecurity Information Sharing Act. But that amendment, critics say, would make CISA even worse.

CISA, which is expected to soon go before the Senate for a vote, is designed to make it easier for private companies to share cyber threat information with the government. The idea is to make it easier for the two sides to team up to detect and fight cyberattacks, but critics say the legislation offers inadequate privacy protections for individuals whose personal information is handed over to the government.

“The amendment that was proposed by Sen. Whitehouse purports to shut down botnets,” Harley Geiger, senior counsel at digital civil-liberties group the Center for Democracy and Technology, told the Daily Dot. “However, the language itself is much broader than botnets, and could introduce some negative consequences for Internet users and security researchers.”

The CDT is primarily concerned with two areas. The first is the general lack of specific language with regards to botnets—that term is brought up sparingly, leading to fears that the bill could be used to apply to other online behaviors. The second is an area of the amendment apparently designed to dissuade the sale of botnets, which prohibits disclosing information about vulnerabilities.

“What worries us specifically about this language is that it would appear to encompass a situation where a cybersecurity researcher discloses to the public or in a conference [the existence of a vulnerability],” Geiger said. “That’s actually a pretty common occurrence, and one that’s very valuable for cybersecurity.”

Public disclosures of vulnerabilities serve as one of the primary ways companies learn what they need to fix. So, theoretically, the Whitehouse amendment could create a “chilling effect,” he said, wherein researchers are reluctant to share vulnerabilities with the public for fear of violating federal law, effectively causing more problems in the very area CISA ostensibly aims to help.

Whitehouse’s office, Geiger noted, has spoken with CDT about the language in the amendment, though it’s not clear their concerns will result in changes to the legislation.

Two sources with knowledge of the situation who requested to not be named, including a Senate aide, said that while there has yet to be a formal whip for votes, Whitehouse’s amendment appeared likely to pass.

*First Published: Oct 15, 2015, 7:07 pm CDT