DOJ's totally non-binding guide to legal cyber research
- By Derek B. Johnson
- Mar 03, 2020
Private security researchers and threat intelligence firms that visit black market online forums for research should create internal rules, document their work and have established relationships with law enforcement, according to new guidance from the Department of Justice.
The document offers non-binding legal guidance for how to navigate cyber intelligence gathering on the internet, particularly for sites that "openly advertise illegal services and the sale of stolen credit card numbers, compromised passwords, and other sensitive information."
The Computer Fraud and Abuse Act and DOJ's interpretation of the law loom large over many of the outstanding questions. For instance, passively lurking on online forums to gather intelligence -- even information that touches on criminal conduct -- is usually legally safe as long as the researcher is using legitimate credentials. However, DOJ said using exploits or "other techniques" to access or gather information from the server or system on which the forum operates could be viewed as gaining unauthorized access. More active engagement, like posing questions or directly soliciting advice, can also present a "marginal legal risk" to researchers depending on whether their interaction furthers a crime.
While it is common for threat intelligence practitioners to use pseudonyms or false identities when engaging on forums, the document advises them to avoid "legally problematic" tactics like impersonating actual people or government officials.
Leo Taddeo, a former special agent in charge of the Cybersecurity Division at the FBI's New York City office, told FCW that it's sometimes necessary to leverage some form of legitimate credentials in order to get past forum gatekeepers. Exactly how far a researcher can go to do so is likely to be a continuing debate.
"There are little pieces of identity that may be necessary to establish bona fides, so researchers are constantly trying to find the right mix of true and not true and fabricated credentials in order to gain entry into some of these forums, and creating a completely fabricated identity is really not easy," Taddeo said. "It's not easy to backstop it, it's not easy to create a legend and it's also not easy to fool some of these criminal groups because they have ways of checking to see you are who you say you are."
DOJ advises threat intelligence companies to mitigate this risk in a number of ways: create documented internal rules of engagement for acceptable conduct, use systems that are properly secured and not connected to the company's networks and establish trusted lines of communication with their local FBI office to avoid misunderstandings in the event their activities are swept up in an active investigation. They should also ensure their legal counsel is looped into the process and report any evidence of an ongoing crime to law enforcement.
The guidance is peppered with caveats and disclaimers, clarifying that it provides no actual rights or legal remedies for users, does not apply to government actors or other forms of non-cyber intelligence gathering and assumes the practitioner is obtaining the information solely for legitimate cybersecurity purposes.
Adam Meyers, vice president of threat intelligence at CrowdStrike, told FCW in a phone interview that most organizations regularly conducting threat intelligence have teams of lawyers dedicated to identifying where the legal lines are for their researchers. However, he said, university researchers or companies that dabble in threat intelligence research may not have access to those resources and are often in need of greater clarification on what is in and out of bounds.
Ari Schwartz, former White House senior director of cybersecurity at the National Security Council and coordinator of the nonprofit Cybersecurity Coalition, said that any attempt by law enforcement to better clarify the legal rules around gathering threat intelligence is helpful.
"Researchers have often been uncertain what to do when coming upon potentially illegal information," Schwartz said in a statement to FCW. "More clarity can only help to strengthen our security rather than chill the speech of those who want to do the right thing."
Intent matters, so the context of how a threat intelligence firm obtains information and how it plans to use it could impact its legal liability. For example, soliciting to purchase your own or a client's stolen data to take it off the black market is not illegal. Even if stolen data from other sources is commingled, there is little chance a company will face legal consequences if it has no intent to use it for illegal purposes and did not know, or had no reason to know, it was purchasing data that belonged to others.
DOJ advises companies to document their activities and how the information or samples obtained relate to ongoing work in order to create a paper trail in the event they fall under suspicion of law enforcement. They should take particular care not to offer technical assistance that could be used by criminals to improve malware or help them to breach networks.
"An individual may be found liable for aiding and abetting a federal offense if he or she takes an affirmative act -- even an act that is lawful on its own -- that is in furtherance of the crime and conducted with the intent of facilitating the crime's commission," the guidance states.
Taddeo said law enforcement is primarily interested in two things when it comes to the legal landscape around threat intelligence research: separating the signal of criminal activity from the noise of legitimate research efforts, and denying criminals a blanket defense in the event they're charged by law enforcement.
"What the government doesn't want to do is constantly get their indictments and complaints and convictions thrown out of court because someone says, 'Well I was only doing research,'" said Taddeo. "What the government is saying is, 'Here's more evidence that you should have known if you were a true researcher, you would have done these things.'"
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.