Why I Hope Congress Never Watches Blackhat

From left, Chris Hemsworth and director/producer Michael Mann on the set of Blackhat. Frank Connor/Legendary Pictures and Universal Pictures

What a strange time. Last week I was literally walking the red carpet at the Hollywood premiere of Michael Mann’s Blackhat, a crime thriller that I had the good fortune to work on as a "hacker adviser" (my actual screen credit). Today, all I’m thinking is, please, God, don’t let anybody in Congress see the film.

I’ll explain my anxiety in a minute. First, the movie: Mann, the legendary director of hardboiled crime films like Heat, Collateral, and Miami Vice, always has been a stickler for authenticity, and he brought me into Blackhat as an adviser early on, before it had a title or a lead actor. If you’re wondering how one gets involved in a Michael Mann film, here’s how it works: Mann calls you on the phone. You think, "Why is Michael Mann calling me?" After a phone conversation and an interview in Los Angeles, you’re officially invited on board as a consultant.

It turned out Blackhat’s screenwriter had read my cybercrime book Kingpin, and he’d suggested me to Mann. When I showed up for my first consulting meeting, I expected to find a roomful of people crowded around a long conference table. Instead, it was just me and Mann, sitting in his office for five hours at a time. He had questions about malware, hacking, how modern computer intrusions play out. For subsequent meetings, I was given the current iteration of the screenplay (watermarked with my name, lest I leak it to the Pirate Bay), and we went over it line by line, looking at dialogue, discussing tweaks to the hacking and forensics scenes, and working on some of the procedural elements in the plot.

Kevin Poulsen at the Premiere of Blackhat.

Albert L. Ortega/Getty Images

Later, Mann brought in a second computer consultant, OkCupid hacker Chris McKinley, to write code for the movie and train leading man Chris Hemsworth in Linux basics, making Hemsworth officially the best-looking human to ever use a command line.

The result is in theaters today. I think Blackhat is an awesome movie: stylish, breathtakingly beautiful at times, and close to the metal in depicting a no-longer-sci-fi world where cybercrime is serious, profitable, and well-funded. I’m biased, of course, because of my involvement, and because I’ve been a fan of Mann’s work since the '80s. (In one meeting with him I embarrassed myself by recalling the name of the villain in the Miami Vice pilot, which he himself had forgotten.) Overall, the movie seems to be drawing radically polarized reviews, but I'm gratified that security geeks who’ve seen it have given it good grades on authenticity.

It wasn’t until this week---Tuesday evening, to be exact---that my anxiety over the timing of the movie set in. That’s when the White House released its legislative proposal to "reform" US computer crime policy in reaction to the Sony breach. President Obama plans to formally announce it at the State of the Union next Tuesday, but the details are public now. And many are troubling.

The general thrust of the proposal is to broaden the reach of the Computer Fraud and Abuse Act, and boost penalties for violations. The White House proposal will quadruple the maximum possible sentence for some crimes from five years to 20. And where under current law some hacks are misdemeanors---specifically a first-time offense that doesn’t involve credit cards or more than $5,000 in information---those crimes will now be felonies. Additionally, CFAA violations would qualify for prosecution under the mob-busting RICO statute, meaning, for example, if a member of Anonymous is busted in a petty denial-of-service attack, she might now be held legally accountable for every cybercrime Anonymous has committed.

More disturbingly, the proposal includes sweeping language that directly impairs legitimate security work. It makes it newly illegal to "traffic" in any "means of access" into a computer if you have reason to know that someone will use it illegally. Releasing or using hacking code is a staple of cybersecurity work. Researchers publish it to demonstrate and describe the vulnerabilities they find, and professional white hats use it to audit their customers’ networks. As with many security tools, bad guys can use the software too, and they do. But a sober computer crime proposal doesn't ban tools that benefit thousands of people because one of them is a criminal. Security expert Robert Graham notes that even circulating a link could be considered a felony under the proposal.

Obama has struggled and failed to get similar CFAA changes through Congress in the past, but this time he has the Sony hack behind him---and now Blackhat. If it's farfetched to think lawmakers will be swayed by a work of Hollywood fiction, consider that it's happened before. Congress passed the original CFAA in 1984 in direct response to the seminal hacker flick Wargames. Politicians who saw the film felt an urgent need to punish hackers, lest one of them blunder into NORAD and trigger World War III. The result was a law that---after several revisions---led to cases like the Lori Drew and Andrew Auernheimer misfires: People charged for lying in their social networking profiles or conspiring to access an unpublished URL. In one recent case I wrote about, two gamblers were charged under the CFAA for exploiting a bug in video poker machines to beat the house.

Following the suicide of hacker activist Aaron Swartz two years ago, a proposal to put limits on the CFAA floated through the halls of Congress and out a window, never to be seen again. Now Obama is looking to go the other way and make the CFAA more powerful.

Don’t mistake Obama’s proposal for meaningful action, though. Computer crime sentences have already smashed through the ceiling of efficacy. At this very moment there are hackers, and even low-level credit card fraudsters, serving 20-year terms, and that didn’t deter the Sony intruders. As for the "trafficking" prohibition, when hacking tools are outlawed … well, you know the rest.

Nevertheless, I can say with absolute confidence that a lawmaker will soon be standing on the floor of Congress talking about Blackhat in the same breath as the Sony intrusion, railing about the grave threat to American lives that computer hacking poses if the president’s proposal isn’t enacted. I mean, this is a film in which malware makes a Chinese nuclear plant explode in the opening scene.

So let me say now to any politicians reading this, as one of the people who helped make Blackhat feel authentic, nuclear plants are not exploding. And if you think they might, then you should direct your efforts to locking down critical systems. Pour money into research, offer incentives for organizations to invest in security, pass disclosure laws that require public reporting of breaches, so consumers can hold negligent companies accountable. Blindly boosting sentences for the few hackers who get caught will do nothing to help. And outlawing security tools just because they can be abused will only aid the real blackhats.

Disclosure: As a hacker 20 years ago, the author pleaded guilty under an uncontroversial application of the CFAA.