Ethical hackers handed lifeline in controversial US cyber crime review


The US Department of Justice (DoJ) has announced that it will no longer prosecute ethical hackers under its anti-cyber crime law, the Computer Fraud and Abuse Act (CFAA).

The landmark change comes after a policy revision, stipulating that cyber security research conducted in “good faith” should not be prosecutable, came into force on Thursday.

There is no concrete guidance on what type of activity falling under the umbrella of ‘cyber security research’ is protected or unprotected under the new policy revision, but security researchers acting in a way that intentionally avoids harm will not be charged under the CFAA.

Cyber security researchers have in the past been reluctant to report the security vulnerabilities they find for fear of being charged under the Act, but the US is now adopting a fresh perspective, saying vulnerabilities that are discovered responsibly benefit “the common good”.

“Computer security research is a key driver of improved cybersecurity,” said Lisa O. Monaco, deputy attorney general. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cyber security by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The majority of security researchers (60%) speaking to Bugcrowd in 2020 said they had not reported security vulnerabilities they found in the past due to fear of being prosecuted under the CFAA.

The law has also threatened other areas of cyber security such as legitimate penetration testing. Security professionals working for Coalfire in 2019, for example, were handed criminal charges for breaking into Iowa’s Dallas County courthouse after being contracted by the state of Iowa.

The charges were ultimately dropped but the CFAA, which was drafted in 1986, well before the modern internet, has always threatened ethical security research.

The UK’s equivalent legislation, the Computer Misuse Act (CMA), has also been criticised in the past for not legally recognising ethical hacking as a benefit to society and industry.

Drafted in 1990 but currently under review, the CMA has been labelled an outdated piece of legislation and, like the CFAA up until this week, it too outlaws good-faith ethical hacking.

A recent report from the CyberUp campaign, in partnership with techUK, showed that 80% of legitimate cyber security researchers have worried about being punished under the CMA while defending against cyber attacks.

Ethical hacking’s protection from the CFAA received a boost last year in a significant ruling in the Van Buren v. United States case.

In it, the US Supreme Court ruled that a law enforcement officer, bribed by an outside individual, did not break any laws under the CFAA by accessing information from a computer for unsanctioned reasons.

Although Van Buren was authorised to access a police database, he was not authorised to hand over confidential information to an outside party in exchange for money. The ruling nonetheless meant he could not be prosecuted under the CFAA, leading onlookers to believe it could have positive implications for ethical hackers.

The latest policy revision to the CFAA has been greeted warmly by the cyber security community. Brian Higgins, security specialist at Comparitech, told IT Pro that “this is definitely a step in the right direction by the US authorities”.

“It’s unreasonable to place such disproportionate restrictions on a vital community of professionals, the majority of whom operate to high standards of ethics and integrity,” he said.

“Taking the gloves off, even to this extent, will allow a better understanding of the threats we face and the best way to defend against them. This proactive development in the United States will undoubtedly attract a lot of scrutiny from the international community, the majority of whom will be seeking to follow suit in some fashion.”

The DoJ said that claiming to be conducting security research “is not a free pass for those acting in bad faith”. It gave the example of extorting other people after discovering a vulnerability, all in the name of research, which would not be protected under the policy revision.

“Hacking itself, using its current common definition rather than the original, isn't inherently good or evil. Using it for profit and abuse is evil,” said Sam Curry, chief security officer at Cybereason, to IT Pro. “Breaking the law is evil. But using it to improve security is a vital function without which we really can't resist the darker kind. In the world of cyber, this is great news for white hats and gives a ray of hope to some grey hats too.”

Although greeted warmly by many, other corners of the industry have criticised the DoJ for not making more allowances in its policy review.

Not setting a clear line as to what constitutes an offence in the process of ethical hacking, and what doesn’t, is the main point of contention for the Electronic Frontier Foundation (EFF), which said that it would be better if there was a technological restriction defendants would have to defeat in order to be charged under the CFAA.

“Instead of this clear line, the new policy explicitly names scenarios in which written policies may give rise to a criminal CFAA charge, such as when an employee violates a contract that puts certain files off limits in all situations, or when an outsider receives a cease-and-desist letter informing them that their access is now unauthorised,” it said.

The EFF also criticised the DoJ for saying that security research should be conducted “solely” in good faith, arguing that this excludes “a lot of how research happens in the real world”.

Connor Jones
News and Analysis Editor