On Thursday, the U.S. Department of Justice announced a change in its policy for pressing charges against hackers under the Computer Fraud and Abuse Act (CFAA). The federal agency said it would no longer charge ethical or white hat hackers, i.e., those involved in “good-faith security research,†in violation of CFAA.
The announcement comes as a great relief for the white hat community, considering CFAA was enacted in 1986 when the internet was in its infancy. The federal hacking law was often a cause of concern for ethical hackers hacking into computer systems to identify security vulnerabilities and entry points that malicious attackers could exploit.
Deputy attorney general Lisa O. Monaco said, “The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.â€
The ‘common good’ encompasses testing, analysis, and remediation of any security issue. However, CFAA explicitly prohibits anyone from accessing a computer/system without authorization or beyond what is authorized. The ambiguity in the language used in the bill obscures the scope of what makes up an unauthorized entry or what exactly constitutes excess authorization.
The existing policy on CFAA “focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer — such as one email account — and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails,†the DoJ stated.
See More: An Ethical Hacker’s Guide to External Attack Surface Management
Following the announcement, the digital rights group Electronic Frontier Foundation (EFF) supported the exclusion of white hats from the CFAA. They stated, “The Computer Fraud and Abuse Act is a vague law that chills important white-hat security testing of computers we use for critical tasks every day.â€
The DoJ clarified that even though the new CFAA policy eliminates the legal troubles for ethical hackers, it won’t offer a free pass to those acting in bad faith under the pretense of conducting security research. This is important to dissuade extortion of organizations whose system(s) are found to host security flaws.
Conversely, an organization may also sue legitimate security researchers engaged in vulnerability disclosure. EFF added, “Sadly, computer manufacturers and system operators often do not want to hear about security flaws in their machines — learning about these problems means they’ll have to spend time and resources fixing them.â€
“But it’s better for all if these flaws come to light. The bad guys will find them, even if we do not talk about them and public awareness of security vulnerabilities creates pressure for manufacturers to address the problems and to build safer technologies for everyone in the future.â€
Vulnerability disclosure is a sensitive issue that can threaten the organization where a vulnerability may reside and all relevant stakeholders. Therefore, companies suing or threatening to sue security researchers aren’t unheard of.
This is why responsible vulnerability disclosure is key to avoiding any legal action, more so than whether or not researchers were acting in “good-faith†or not.
DoJ’s announcement is a policy shift and not a legal shift. So, the definition of what constitutes an unauthorized entry and who is considered a black hat and who a white hat is, is also ambiguous, at least concerning CFAA.
A hacker being sued for irresponsible disclosure of vulnerabilities may not be considered a black hat. Still, at the same time, the organization suing them may have a valid legal claim about any damages it may have suffered.
Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!