Cyber researchers get legal tips from DOJ

 


The Department of Justice issued some non-binding legal advice to security researchers who gather cyber intelligence from dark corners of the internet.


The document advises researchers and threat intelligence firms to create and follow organization-wide engagement policies, document their work and develop relationships with law enforcement if they plan to explore sites that "openly advertise illegal services and the sale of stolen credit card numbers, compromised passwords, and other sensitive information."

Researchers have many questions about the legality of cybersecurity intelligence gathering. For instance, passively lurking on online forums to gather intelligence -- even information that touches on criminal conduct -- is usually legal as long as the researcher is using legitimate credentials. However, DOJ said using exploits or "other techniques" to access or gather information from the server or system on which the forum operates could be viewed as gaining unauthorized access. More active actions, like posing questions or directly soliciting advice, can also present a "marginal legal risk" to researchers depending on whether their interaction furthers a crime.

While it is common for threat intelligence practitioners to use pseudonyms or false identities when engaging on forums, the document advises them to avoid "legally problematic" tactics like impersonating actual people or government officials.

Leo Taddeo, a former special agent in charge of the Cybersecurity Division at the FBI's New York City office, said that it's sometimes necessary to leverage some form of legitimate credentials to get past forum gatekeepers. Exactly how far a researcher can go to do so is likely to be a continuing debate.

"There are little pieces of identity that may be necessary to establish bona fides, so researchers are constantly trying to find the right mix of true and not true and fabricated credentials in order to gain entry into some of these forums, and creating a completely fabricated identity is really not easy," Taddeo said. "It's not easy to backstop it, it's not easy to create a legend and it's also not easy to fool some of these criminal groups because they have ways of checking to see you are who you say you are."

DOJ advises threat intelligence companies to mitigate this risk in a number of ways: create documented internal rules of engagement for acceptable conduct, use systems that are properly secured and not connected to the company's networks and establish trusted lines of communication with their local FBI office to avoid misunderstandings in the event their activities are swept up in an active investigation. They should also ensure their legal counsel is looped into the process and report any evidence of an ongoing crime to law enforcement.

The guidance is peppered with caveats and disclaimers, clarifying that it provides no actual rights or legal remedies for users, does not apply to government actors or other forms of non-cyber intelligence gathering and assumes the practitioner is obtaining the information solely for legitimate cybersecurity purposes.

Ari Schwartz, former White House senior director of cybersecurity at the National Security Council and coordinator of the nonprofit Cybersecurity Coalition, said that any attempt by law enforcement to better clarify the legal rules around gathering threat intelligence is helpful.

"Researchers have often been uncertain what to do when coming upon potentially illegal information," Schwartz said in a statement. "More clarity can only help to strengthen our security rather than chill the speech of those who want to do the right thing."

Intent matters, so the context of how a threat intelligence firm obtains information and how it plans to use it could impact its legal liability. For example, soliciting to purchase a company’s or a client's stolen data to take it off the black market is not illegal. Even if stolen data from other sources is co-mingled, there is little chance a company will face legal consequences if they have no intent to use it for illegal purposes and did not know, or had no reason to know, they were purchasing data that belonged to others.

DOJ advises companies to document their activities and how the information or samples obtained relate to ongoing work to create a paper trail in the event they fall under suspicion of law enforcement. They should take particular care not to offer technical assistance that could be used by criminals to improve malware or help them to breach networks.

"An individual may be found liable for aiding and abetting a federal offense if he or she takes an affirmative act -- even an act that is lawful on its own -- that is in furtherance of the crime and conducted with the intent of facilitating the crime's commission," the guidance states.

Taddeo said law enforcement is primarily interested in two things when it comes to the legal landscape around threat intelligence research: cutting down on the signal-to-noise ratio between criminal activity and legitimate research efforts and denying criminals a blanket defense in the event they're charged by law enforcement.

"What the government doesn't want to do is constantly get their indictments and complaints and convictions thrown out of court because someone says, 'Well I was only doing research,'" said Taddeo. "What the government is saying is, 'Here's more evidence that you should have known if you were a true researcher, you would have done these things.'"

This article was first posted to FCW, a sibling site to GCN.
