What a strange time. Last week I was literally walking the red carpet at the Hollywood premiere of Michael Mann’s Blackhat, a crime thriller that I had the good fortune to work on as a “hacker adviser” (my actual screen credit). Today, all I’m thinking is, please, God, don’t let anybody in Congress see the film.
I’ll explain my anxiety in a minute. First, the movie: Mann, the legendary director of hardboiled crime films like Heat, Collateral, and Miami Vice, always has been a stickler for authenticity, and he brought me into Blackhat as an adviser early on, before it had a title or a lead actor. If you’re wondering how one gets involved in a Michael Mann film, here’s how it works: Mann calls you on the phone. You think, “Why is Michael Mann calling me?” After a phone conversation and an interview in Los Angeles, you’re officially invited on board as a consultant.
It turned out Blackhat’s screenwriter had read my cybercrime book Kingpin, and he’d suggested me to Mann. When I showed up for my first consulting meeting, I expected to find a roomful of people crowded around a long conference table. Instead, it was just me and Mann, sitting in his office for five hours at a time. He had questions about malware, hacking, how modern computer intrusions play out. For subsequent meetings, I was given the current iteration of the screenplay (watermarked with my name, lest I leak it to the Pirate Bay), and we went over it line by line, looking at dialogue, discussing tweaks to the hacking and forensics scenes, and working on some of the procedural elements in the plot.
Later, Mann brought in a second computer consultant, OkCupid hacker Chris McKinley, to write code for the movie and train leading man Chris Hemsworth in Linux basics, making Hemsworth officially the best-looking human to ever use a command line.
The result is in theaters today. I think Blackhat is an awesome movie: stylish, breathtakingly beautiful at times, and close to the metal in depicting a no-longer-sci-fi world where cybercrime is serious, profitable, and well-funded. I’m biased, of course, because of my involvement, and because I’ve been a fan of Mann’s work since the ’80s. (In one meeting with him I embarrassed myself by recalling the name of the villain in the Miami Vice pilot, which he himself had forgotten.) Overall, the movie seems to be drawing radically polarized reviews, but I’m gratified that security geeks who’ve seen it have given it good grades on authenticity.
It wasn’t until this week—Tuesday evening, to be exact—that my anxiety over the timing of the movie set in. That’s when the White House released its legislative proposal to “reform” US computer crime policy in reaction to the Sony breach. President Obama plans to formally announce it at the State of the Union next Tuesday, but the details are public now. And many are troubling.
The general thrust of the proposal is to broaden the reach of the Computer Fraud and Abuse Act, and boost penalties for violations. The White House proposal will quadruple the maximum possible sentence for some crimes from five years to 20. And where under current law some hacks are misdemeanors—specifically a first-time offense that doesn’t involve credit cards or more than $5,000 in information—those crimes will now be felonies. Additionally, CFAA violations would qualify for prosecution under the mob-busting RICO statute, meaning, for example, if a member of Anonymous is busted in a petty denial-of-service attack, she might now be held legally accountable for every cybercrime Anonymous has committed.
More disturbingly, the proposal includes sweeping language that directly impairs legitimate security work. It makes it newly illegal to “traffic” in any “means of access” into a computer if you have reason to know that someone will use it illegally. Releasing or using hacking code is a staple of cyber security work. Researchers publish it to demonstrate and describe the vulnerabilities they find, and professional white hats use it to audit their customers’ networks. Like many security tools, bad guys can use the software too, and they do. But a sober computer crime proposal doesn’t ban tools that benefit thousands of people because one of them is a criminal. Security expert Robert Graham notes that even circulating a link could be considered a felony under the proposal.
Obama has struggled and failed to get similar CFAA changes through Congress in the past, but this time he has the Sony hack behind him—and now Blackhat. If it’s far-fetched to think lawmakers will be swayed by a work of Hollywood fiction, consider that it’s happened before. Congress passed the original CFAA in 1984 in direct response to the seminal hacker flick Wargames. Politicians who saw the film felt an urgent need to punish hackers, lest one of them blunder into NORAD and trigger World War III. The result was a law that—after several revisions—led to cases like the Lori Drew and Andrew Auernheimer misfires: people charged for lying in their social networking profiles or conspiring to access an unpublished URL. In one recent case I wrote about, two gamblers were charged under the CFAA for exploiting a bug in video poker machines to beat the house.