Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Copyright law is intended to act as a shield to protect intellectual property owners. Recently, however, Cisco Systems Inc. used copyright as a hammer to prevent a computer security researcher named Michael Lynn from disclosing flaws in Cisco software. Cisco’s actions have been roundly criticized in information security circles as an attempt by a large company to use copyright law to silence its critics. Lynn was a computer security researcher for Atlanta-based Internet Security Systems. Part of Lynn’s job involved taking apart various types of computer software to look for potential vulnerabilities, or “bugs.” These bugs are rampant in computer software, and are used by hackers to install spyware, viruses or worms; to steal information; or to just take over or shut down computer systems. In January, Cisco disclosed the existence of, and a patch for, a particular vulnerability that could have led to a Denial of Service attack against the routers that essentially control the Internet. After Cisco made its announcement, ISS wondered whether there were other — undisclosed — vulnerabilities in the Cisco software that could affect potential ISS clients. According to Lynn, ISS tasked him with searching for flaws. There are several ways to hunt for bugs, but one of the most common is by “decompiling” or “disassembling.” Computer software is typically written by programmers in a computer language (like “C++” or COBOL) and then compiled or assembled into languages, called object code or machine code, that can be more easily understood by computers. This code is essentially unreadable, and, if you want to see what the code actually commands a computer to do, the code must be reverse-engineered. After decompiling Cisco’s code, Lynn found that the situation was more serious than Cisco had disclosed. There were other vulnerabilities in the code that would have allowed attackers to either redirect Internet traffic or shut down the routers — effectively crippling the Web. ISS notified Cisco of its discovery in mid-June, and invited Cisco to examine what Lynn had found. In early July Lynn showed Cisco representatives a PowerPoint presentation about the vulnerability that he had prepared to deliver later that month at Black Hat, an annual Las Vegas computer security show. The presentation showed how the vulnerability was discovered, and how it could be exploited (more on that later). It also included approximately 30 or so heavily edited lines of computer code — extracted from the millions of lines in the router software — that demonstrated the existence of the vulnerability in question. Lynn and ISS offered to allow Cisco to co-present at the Black Hat conference, but, according to Cisco, Black Hat demurred. (While Cisco did provide background information for this column, the company would not comment further on its actions.) Sometime after that, Cisco decided it did not want Lynn to make his presentation, claiming that it could be used to exploit the vulnerability and cause harm to the Internet. At Cisco’s request, ISS agreed to withdraw the presentation, but Lynn and Black Hat did not. When ISS told its employee to comply, Lynn quit. Cisco, now joined by ISS, filed a lawsuit in federal district court in San Francisco seeking to enjoin the distribution of the printed presentation, and requesting that all copies of the presentation (in program materials, CD’s, and on Lynn’s computer) be removed. Cisco viewed Lynn’s presentation as a tutorial on how to shut down the Internet. However, Lynn claimed that he took great pains not to disclose any exploits, and in fact never specifically disclosed any bugs. “I never explained how the vulnerability could be exploited nor did I explain what the vulnerability was. What I did do was prove that it was possible for someone to exploit vulnerabilities on Cisco routers,” Lynn wrote in an e-mail. These are distinctions without a difference: No law prohibits disclosing a vulnerability — or even an exploit. Since the contents of the presentation were not actionable, Cisco’s lawsuit went after the method that Lynn used to find the vulnerability. As a Cisco licensee, ISS agreed to a so-called “click-wrap” End User License Agreement, which contained a provision that prohibited reverse-engineering the software — unless expressly permitted by law. In its suit, Cisco alleged that this clause protected its copyrighted code — and the trade secrets contained therein — and was binding on Lynn through his employment with ISS. The litigation never made it to court: Lynn and Black Hat agreed not to distribute the speech, and ripped all copies out of the preprinted conference materials. But it was a pyrrhic victory for Cisco: Copies of the presentation were immediately put on the Internet, and the publicity from the litigation drew thousands of people to those sites. Indeed, the vulnerabilities disclosed in Lynn’s presentation were not full patched until November. Now let’s face a few facts here. Cisco was not upset because Mike Lynn reverse-engineered the software, or because he distributed Cisco code. Copying small amounts of code for public comment — particularly something of such compelling public interest as potential security vulnerabilities — is almost undoubtedly a fair use. It would be as if a whistleblower released a quote from a memo about safety problems at a nuclear power plant, and was sued for infringing the copyright of the memo’s author. Security researchers routinely examine computer code for vulnerabilities — often by reverse-engineering. In fact, there was never any indication that Lynn personally attempted to exploit the vulnerabilities he discovered. However, it is also likely that, had Lynn made his presentation before Cisco distributed patches for the vulnerability, there could have been serious security repercussions. Nevertheless, copyright law is the wrong instrument to use to prevent dissemination of security vulnerabilities or exploits. This is particularly true where the copyright claims are “bootstrapped” to a licensing agreement, prohibiting the user from doing something that copyright law generally permits — reverse engineering. The final agreement between Lynn, Black Hat, Cisco and ISS leaves unsettled questions about how far companies can take copyright law. Yes, those who discover security vulnerabilities have an obligation to responsibly disclose vulnerabilities, and not to exploit them. However, neither contracts nor copyright law should prevent people from evaluating the security of software that they have purchased and licensed. That is not what copyright law is all about. It should not be used as a sword to skewer critics. From 1984 to 1991, Mark D. Rasch led the U.S. Department of Justice criminal division’s efforts to investigate and prosecute computer and high-tech crime. He is currently senior vice president and chief security counsel at Internet security firm Solutionary.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.