Following a new policy announced last week by the Department of Justice, security researchers helping banks and other companies shore up their cyberdefenses now have greater leeway to do so without fear of prosecution.
The Thursday announcement said that “good-faith security research” that otherwise violates the Computer Fraud and Abuse Act of 1986 “should not be charged.” The announcement puts into writing a policy the department already follows, according to officials and former staff.
Legal and cybersecurity experts said the shift will create a safer environment for public security researchers, who spend their days searching in good faith for security flaws and vulnerabilities. Experts also said banks and lawmakers must implement their own policies and programs to fully exploit legal protections for security research.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in the press release announcing the change. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Public cybersecurity researchers, rather than hired ones, are the most likely to benefit from this unofficial stance becoming official policy. Unlike hired researchers, public researchers hunt for security flaws and conduct research on their own initiative and only afterward approach the affected company with their findings, according to Aaron Charfoos, partner in the litigation department at law firm Paul Hastings.
Both kinds of researcher act in good faith, but hired researchers typically have more protection because they are “invited in” by the hiring company, according to Charfoos. The new guidance from the DOJ could change that.
“[Public security researchers] may now feel more freedom to investigate a broader range of systems, particularly in more regulated industries that are closely aligned with the federal government and regulators to begin with,” Charfoos said.
The guidance appears to protect many forms of nondestructive security research by internal, hired and even independent teams. That includes software bug hunting, port scanning and firewall testing.
However, some gray areas still remain, according to Scott Ferber, who spent a decade working for the Department of Justice and advised the attorney general on cyber and national security matters. Ferber is now a partner at law firm McDermott Will & Emery.
“This policy provides clarity but not necessarily absolution in terms of what offensive activities a chief information security officer can undertake in exploring the intrusion on its own network,” Ferber said.
A chief information security officer investigating an intrusion on his or her own network would be acting legally, but investigating or disabling the intruder’s network is less clear-cut, Ferber said. He added that a 2020 document from the Justice Department provides guidance on what is in and out of bounds when responding offensively to a security incident.
A security researcher who identifies a security vulnerability and, in the process of disclosing it to the bank, asks for remuneration is another example where the legality is not clear. “Does that constitute extortion?” Ferber asked.
Asking for compensation (or, in some cases, demanding payment) for uncovering a security vulnerability is a practice that bug bounty programs are designed to address. Companies with such programs pay people who disclose security vulnerabilities to them — an alternative to selling information about the vulnerability to criminals on the dark web.
Bug bounty programs are rare among banks, according to a report from French consulting group Wavestone. Instead, some banks have vulnerability disclosure policies, which typically provide a safe harbor to security researchers by promising the company will not pursue legal action against them if they follow the company’s disclosure rules.
According to Gerome Billois, a cybersecurity partner at Wavestone, bug bounties are scarce among even the world’s largest banks because they are difficult to implement.
Billois said a willingness to devote resources to a bug bounty program is essential, because a bank cannot know in advance how much it will need to pay out for disclosures. Promoting the program widely enough to actually draw in security researchers is another key factor.
“Having a bug bounty program requires a high level of maturity to get good value for the money,” Billois said. “You need to be able to manage the relationship with the researchers, to scope what you want to be tested, to find a flexible budget, to correct the many flaws that could be found and also to manage and promote the program itself.”
Even without a bug bounty program, the new guidance from the Department of Justice could force U.S. banks to flesh out their strategy for interacting with security researchers, according to Billois.
“The main impact [of the new guidance] for banks, and other companies mostly in the [business-to-customer] sector, will be the need for managing relationships with researchers and to provide answers in a timely manner,” Billois said. “Otherwise, their lack of response may be exposed publicly.”
For instance, researchers could post on social media about a bank not responding quickly, potentially damaging the institution’s reputation.
The logistical challenges of bug bounty programs and security disclosure policies have created a market for companies seeking to help banks and other institutions address them. Among the most prominent players in that market is the platform HackerOne.
Alex Rice, the company’s co-founder and chief technology officer, said HackerOne has seen a 75% increase from last year in the number of banks adopting vulnerability disclosure policies and bug bounty programs.
“When the work of hackers takes place within the framework of a vulnerability disclosure policy, by means of which safe legal certainty is created for both parties involved, the new DOJ guidance bolsters protections for good-faith hackers,” Rice said. “However, we still need lawmakers to go further. As noted by the Electronic Frontier Foundation, we need to see this good-faith policy exception codified into law and applied to civil penalties as well.”
Critics indeed say more change is needed. Andrew Crocker, a senior staff attorney with the Electronic Frontier Foundation, recently wrote that the DOJ’s new policy “falls far short of protecting security researchers from overzealous threats, prosecutions, and the [Computer Fraud and Abuse Act’s disproportionately] harsh prison sentences.”
But ultimately, Crocker said, the shift in policy by the DOJ points in the right direction by recognizing “the invaluable contribution security research makes” in strengthening the security of digital systems, including those of financial institutions.
“For the areas that the DOJ policy does cover, it sends a strong signal to private actors that the government is less likely to treat this sort of research as criminal, so even in a civil lawsuit brought by a bank, for example, a court will at least take notice of the DOJ’s position,” Crocker said.