The DOJ reverses itself, saying well-meaning security researchers should be left alone

In a move that could have major implications for enterprise penetration testing and other cybersecurity strategies, the U.S. Department of Justice last Thursday reversed one of its own policies, saying prosecutors should not charge anyone who engages in “good faith security research”.

This is one of those common-sense decisions that made me far more curious about the underlying DOJ policy (set in 2014, during the Obama era).

The law underlying the issue is the Computer Fraud and Abuse Act, which makes it illegal to access computers without proper authorization. It was passed in 1986 and has been updated several times since then.

It has also been misapplied, with many arguing that “exceeds authorized access” has come to mean almost anything a business owner doesn’t like. This has created problems for legitimate security researchers, and especially for pen testers, who fear that they always need the site owner’s explicit blessing before pen-testing.

In its statement, the DOJ gives some excellent examples of behavior that no longer merits prosecution: “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictitious accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer – such as one email account – and, despite knowing about that restriction, accessed a part of the computer to which his or her authorized access did not extend, such as other users’ emails.”

The statement further noted that there is a limit to “good faith”: “The new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as research, is not in good faith.”

The practical problem is that there will always be gray areas. Consider the DOJ’s own example of “discovering vulnerabilities in devices in order to extort their owners.”

True extortion is not gray: “We’ve found these 19 security holes in your system. Pay us $5 million by noon today or we will post the details for the world to see.”

This, however, is not so clear: “We’ve found these 19 security holes in your system. We’re really good at finding holes. Would you like to discuss retaining my firm for cybersecurity services?” That is a sales pitch, without any overt threat. Then again, the “researchers” are silent about what they would do if the pitch were rejected or ignored.

What about bug bounty programs? What if security researchers find these holes and want to be paid under an advertised bounty program – and say that if the bounty request is denied, they will publish the details of the holes?

Mark Rush is an attorney specializing in cybersecurity issues and a former federal prosecutor who prosecuted the first case brought under the Computer Fraud and Abuse Act. (Note: That case, with defendant Robert Tappan Morris, took place in 1989. I covered that trial every day in a Syracuse federal courtroom for about a month, so this is hardly a new issue.)

Rush likes the new DOJ policy, but says it all still comes down to prosecutorial discretion and the details and circumstances of each case. “The real problem is that something written is missing; it’s about relying on the good nature of an independent prosecutor. Two people can look at reports of the same activity and come to different legal decisions. There are hundreds of different values here.”

One big difference, Rush says, is the community of 1989 versus that of today. In the late ’80s, cybercrime was viewed more individualistically, with analogies to the physical world being common. He cited the example of a burglar who breaks into a house with inadequate security and perhaps steals something small just to prove they got in. That was considered offensive.

But today, he said, there is a stronger sense of community, which means an acceptance that security research can benefit everyone.

Even within the cybersecurity community, there is a difference between what a white hat can get away with (often finding a way in through technical brute force) and what researchers and pen testers can get away with. Pen testers tend to stick with publicly accessible material and want to see how far they can get within those limits.

Either way, these new guidelines should help make those prosecution decisions more appropriate. Anything that lets security researchers work with less fear is a good thing.

Copyright © 2022 IDG Communications, Inc.
