Following a new policy announced last week by the Department of Justice, security researchers helping banks and other companies shore up their cyberdefenses now have greater leeway without fear of prosecution.
The Thursday announcement said that “good-faith security research” that otherwise violates the Computer Fraud and Abuse Act of 1986 “should not be charged.” The announcement puts into writing a policy the department already follows, according to officials and former staff.
Legal and cybersecurity experts said the shift will create a safer environment for public security researchers, who spend their days searching in good faith for security flaws and vulnerabilities. Experts also said banks and lawmakers must implement their own policies and programs to fully exploit legal protections for security research.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa O. Monaco said in the press release announcing the change. “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Public cybersecurity researchers, rather than hired ones, are the most likely to benefit from this unofficial stance becoming official policy. In contrast to hired researchers, public researchers hunt for security flaws and conduct research on their own, then approach the affected company with their findings afterward, according to Aaron Charfoos, partner in the litigation department at the law firm Paul Hastings.
The two kinds of security researchers share a common bond of acting in good faith, but the latter typically has more protections because they are “invited in” by the hiring company, according to Charfoos. The new guidance from the DOJ could change that.
Public security researchers “may now feel more freedom to investigate a broader range of systems, particularly in more regulated industries that are closely aligned with the federal government and regulators to begin with,” Charfoos said.
The guidance appears to protect many forms of nondestructive security research by internal, hired and even independent teams. That includes software bug hunting, port scanning and firewall testing.
However, some gray areas still remain, according to Scott Ferber, who spent a decade working for the Department of Justice and advised the attorney general on cyber and national security matters. Ferber is now a partner at the law firm McDermott Will & Emery.
“This policy provides clarity but not necessarily absolution in terms of what offensive activities a chief information security officer can undertake in exploring the intrusion on its own network,” Ferber said.
A chief information security officer digging into his or her own network would be legal, but investigating or disabling the intruder’s network is less simple, Ferber said. He added that
A security researcher who identifies a security vulnerability and, in the process of disclosing it to the bank, asks for remuneration is another example where the legality is not clear. “Does that constitute extortion?” Ferber asked.
Asking for compensation (or, in some cases, demanding payment) for uncovering a security vulnerability is a practice that
Bug bounty programs are rare among banks, according to
According to Gerome Billois, a cybersecurity partner at Wavestone, bug bounties are scarce among even the world’s largest banks because they are difficult to implement.
Billois said being willing to devote resources to a bug bounty program is essential since it’s impossible to know how much a bank may need to spend for security disclosures beforehand. Promoting the program broadly enough to actually draw in security researchers is another key factor.
“Having a bug bounty program requires a high level of maturity to get good value for the money,” Billois said. “You need to be able to manage the relationship with the researchers, to scope what you want to be tested, to find a flexible budget, to correct the many flaws that could be found and also to manage and promote the program itself.”
Even in lieu of implementing a bug bounty program, the new guidance from the Department of Justice could force U.S. banks into fleshing out their strategy for interacting with security researchers, according to Billois.
“The main impact” of the new guidance for banks, and other companies mostly in the business-to-customer sector, “will be the need for managing relationships with researchers and to provide answers in a timely manner,” Billois said. “Otherwise, their lack of response may be exposed publicly.”
For instance, researchers could post on social media about a bank's failure to respond quickly, potentially damaging the institution’s reputation.
The logistical challenges of bug bounty programs and security disclosure policies have created a market for companies seeking to help banks and other institutions address them. Among the most prominent players in that market is the platform HackerOne.
Alex Rice, the company’s co-founder and chief technology officer, said HackerOne has seen a 75% increase from last year in the number of banks adopting vulnerability disclosure policies and bug bounty programs.
“When the work of hackers takes place within the framework of a vulnerability disclosure policy, by means of which safe legal certainty is created for both parties involved, the new DOJ guidance bolsters protections for good-faith hackers,” Rice said. “However, we still need lawmakers to go further. As noted by Electronic Frontier Foundation, we need to see this good-faith policy exception codified into law and applied to civil penalties as well.”
Critics indeed say more change is needed. Andrew Crocker, a senior staff attorney with the Electronic Frontier Foundation,
But ultimately, Crocker said, the shift in policy by the Justice Department points in the right direction by recognizing “the invaluable contribution security research makes” in strengthening the security of digital systems, including those of financial institutions.
“For the areas that the DOJ policy does cover, it sends a strong signal to private actors that the government is less likely to treat this sort of research as criminal, so even in a civil lawsuit brought by a bank, for example, a court will at least take notice of the DOJ’s position,” Crocker said.