The US Department of Justice (DoJ) has announced that it will not prosecute good-faith security researchers under the Computer Fraud and Abuse Act (CFAA).
Yesterday's statement marks a historic policy shift: white-hat hackers who access computers in order to improve cybersecurity will not face federal prosecution under the CFAA.
The DoJ defines good-faith security research as "accessing a machine solely for the purpose of good-faith investigation and/or correction of a security flaw or vulnerability, where such activity is conducted in a way designed to avoid any harm to individuals or the general public, and where the information derived is used primarily to promote the security or safety of the devices, machines, or online services to which the accessed computer belongs, or of those who use such devices and machines, or of such services."
The policy takes effect immediately. It lets security researchers look for vulnerabilities in organizations' systems without fear of federal prosecution, provided they meet the good-faith definition above.
Deputy Attorney General Lisa O. Monaco explained that computer security research is a key driver of improved cybersecurity. The department, she said, has never been interested in prosecuting good-faith computer security research as a crime, and the announcement promotes cybersecurity by providing clarity and support for good-faith security experts who find vulnerabilities for the common good.
The DoJ stressed that the new policy does not protect everyone who calls themselves a researcher. Finding vulnerabilities in devices in order to extort their owners, for example, is not good faith and remains subject to prosecution.
The announcement was welcomed by the cybersecurity and ethical hacking research communities. The CFAA, enacted in 1986, prohibits accessing a computer without authorization or in excess of authorized access. It has long been criticized as vague: the statute does not define what "authorization" means or how far it extends, which has left researchers uncertain whether routine testing of a "protected computer" is a crime.
Ilia Kolochenko (founder of ImmuniWeb and a member of the Europol Data Protection Experts Network) praised the DoJ's decision: "This is a historic moment for many security researchers whose voice was silenced by vendors or organizations threatening to file criminal charges for CFAA violations." The decision, he said, will undoubtedly boost security innovation and security research, and will help strengthen software and hardware security, especially for the many insecure-by-design IoT devices that now handle critical data.
He also cautioned that the policy could be abused by malicious actors at first, and that the DoJ may have unwittingly opened a Pandora's box: security researchers have different definitions of good faith, and the DoJ will eventually have to depart from its policy and press criminal charges against researchers acting on a broad but sincere definition of it. "We should wait for a few years to see how the CFAA enforcement evolves," Kolochenko said.
John Bambenek, principal threat hunter at Netenrich, believes this policy change was long overdue. The problem with the CFAA's vague nature, he said, is that it has never taken into consideration the intent and desires of the "hacker". "I believe there have been two instances where a major company tried to get the FBI involved in bringing me to trial for benign behavior. It was a lucky coincidence that a case agent gave me a pass. Others were not so fortunate. I served as a pro bono expert witness for a journalist who was brought to court under California's version of the CFAA for simply downloading documents from an unprotected Dropbox folder. This statute's long history of government abuse is tragic. You can measure the cost of the misused CFAA in dead bodies. While I would prefer to see the law changed in order to close the door permanently, the DoJ's decision in this matter is a joy."