In a move that could have a major impact on enterprise penetration testing and other cybersecurity tactics, the US Department of Justice last Thursday reversed one of its own policies by telling prosecutors not to prosecute anyone involved in “good-faith security research.”
This is one of those common-sense decisions that makes me far more interested in exploring the original DOJ policy (set in 2014, during the Obama era).
The underlying law at issue is the Computer Fraud and Abuse Act, which made it illegal to access a computer without proper authorization. It was passed in 1986 and has been updated several times since then.
It's also been abused, with many taking the phrase “exceed authorized access” to mean almost anything a business owner didn’t like. This has caused problems for legitimate security researchers and specifically for pen testers who fear they need the blessing of a site owner before pen-testing what is publicly available.
In its statement, DOJ offered some excellent examples of conduct that would no longer merit prosecution: “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.”
The statement also said that “good faith” has its limits. “The new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as research, is not in good faith.”
The practical matter is that there will always be gray areas. Let’s consider Justice’s own example of “discovering vulnerabilities in devices in order to extort their owners.”
True extortion is not gray: “We found these 19 security holes on your system. Give us $5 million by midnight tonight or we’ll post the details for the world to see.”
This, however, isn't as clear cut: "We found these 19 security holes on your system. We’re really good at finding holes. Do you want to discuss retaining my firm for cybersecurity services?” That's more of a sales pitch, with no explicit threat. Then again, the "researchers" are silent about what they would do if the pitch was refused or ignored.
What about bounty programs? What if security researchers find these holes and want a payout from an advertised bounty program, and say that if the bounty request is denied, they'll tell everyone the details of the holes?
Mark Rasch is an attorney specializing in cybersecurity issues and a former Justice Department prosecutor who happened to prosecute the very first case involving the Computer Fraud and Abuse Act. (Note: That case, with the defendant being Robert Tappan Morris, happened back in 1989. I covered that trial every day for almost a month in a Syracuse federal courtroom, so this is hardly a new issue.)
Rasch likes the new DOJ policy, but said it all goes back to prosecutorial discretion and dealing with elaborate details and circumstances in every single case. “The real problem has been that, absent something in writing, it’s about relying on the good nature of an individual prosecutor. Two people can look at the exact same activity report and come to different legal conclusions. There are a hundred different value judgments at play.”
One big difference, Rasch said, between 1989 and today is community. Back in the late '80s, cybercrime was viewed as more individualistic, with analogies back to the physical world more common. He offered the example of a thief breaking into houses to prove that their security was insufficient and perhaps stealing something small to prove that they successfully broke in. That was considered abhorrent.
But today, he said, there is a better sense of community, meaning that there is an acceptance that security research can benefit the whole community.
Even within the cybersecurity community, there are differences between what a whitehat can get away with (finding ways to break in, often via high-tech brute force) and what researchers and pen testers can get away with. Pen testers like to stay with publicly accessible documents and see how far they can go with that limitation.
Either way, this new guidance should help those prosecution decisions be more appropriate. Anything that allows security researchers to do their jobs with less fear is a good thing.