The US Department of Justice (DoJ) has announced it will no longer prosecute “good faith” hackers under the Computer Fraud and Abuse Act (CFAA).
The historic policy shift was announced in a statement yesterday, which declared that white hat hackers will not be prosecuted for accessing a computer when done to improve cybersecurity.
The DoJ defined good-faith hacking as “accessing a computer solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines or online services to which the accessed computer belongs, or those who use such devices, machines or online services.”
The move, which takes effect immediately, is designed to improve cybersecurity practices by enabling security researchers to identify vulnerabilities in organizations without fear of prosecution.
Deputy Attorney General Lisa O. Monaco explained: “Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
However, the DoJ emphasized that the new policy “is not a free pass for those acting in bad faith.” This includes individuals who discover vulnerabilities in devices for the purposes of extorting their owners, even if claimed as research.
The announcement has been welcomed by the ethical hacking and cybersecurity research community. The CFAA statute, enacted in 1986, prohibits accessing a computer without authorization or in excess of the authorization given. It has been criticized for being broad and ambiguous in what constitutes authorized access to a protected computer or what it means to exceed that authorization.
Reacting to the news, Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, praised the DoJ’s move: “This is a historical moment for many security researchers whose voices were silenced by vendors and organizations threatening to file criminal complaints for CFAA violation. The decision will certainly bolster security innovation and research, helping to fortify software and hardware security, particularly of the innumerable insecure-by-design IoT devices that now start handling critical data.”
However, he believes the policy could initially be exploited by malicious actors. “On the other side, the DoJ may unwittingly open a Pandora’s box: the definition of ‘good faith’ could vary broadly among security researchers. Eventually, the DoJ will have to either break its own policy and press criminal charges for overbroad, albeit sincere, interpretation of good faith, or let creative cyber-criminals off the hook. We should wait for a couple of years to monitor the evolution of the CFAA enforcement,” added Kolochenko.
John Bambenek, principal threat hunter at Netenrich, argued that this policy move is long overdue. “The problem with the CFAA is that its vague nature has never taken into account the desires and intent of the ‘hacker.’ I believe that on two occasions, a major organization attempted to get the FBI to prosecute me for otherwise benign behavior. I simply got lucky that a case agent took a pass. Others have not been so lucky. I did pro bono expert witness work for a journalist who was taken to court under California’s CFAA version simply for downloading documents from an unprotected Dropbox folder. The long history of government overreach of this statute is both well-known and tragic. The cost of misuse of the CFAA can be measured, quite literally, in dead bodies. I would rather have the law changed to close this door for good; however, in the absence of congressional action, I celebrate the decision of the DoJ in this matter.”