For years, courts and commentators have mused about hypothetical Computer Fraud and Abuse Act (CFAA) violations by computer security researchers. On May 19, 2022, the United States Department of Justice (DOJ) published changes to its CFAA enforcement policy, which are effective immediately, addressing these concerns and giving some comfort to white hat security researchers. However, the guidance leaves gray areas, especially when individuals find security flaws and vulnerabilities in businesses that do not offer rewards for information about their findings through a bug bounty program. Likewise, the guidance may incentivize threat actors to pose as bona fide security researchers, meaning businesses must continue to be vigilant in their cybersecurity efforts. The DOJ’s updated policy, key considerations for security researchers, and recommendations for businesses are further discussed below.
The new policy indicates federal prosecutors should decline prosecution if available evidence shows the actor’s conduct consisted of, and intended to, engage in good-faith security research. Under the policy, good-faith security research means:
“Accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the access computer belongs, or those who use such devices, machines, or online services.”
The policy update further clarifies what will not be considered “good-faith security research” by stating that security research “for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services” would not be considered good faith. This is a critical clarification with the year-over-year increase in ransomware attacks and cyber extortion gang activity. It signals that the CFAA remains a viable tool in DOJ’s fight against cybercrime as cybercriminals cannot avoid prosecution merely by claiming their actions were good-faith security research.
To avoid criminalizing ordinary activity, the guidance requires a high showing of mental state. Prosecutors must prove a defendant “was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct.” Evidence that a network owner or operator unambiguously informed a defendant that they did not have the authorization to access the computer or area of the computer, such as a written cease and desist letter, may be sufficient to meet the burden of proof. Thus, businesses should try putting threat actors on notice that their actions are not authorized.
Overall, the revised charging guidance appears welcome, as it furthers the DOJ’s enforcement goals while providing some peace of mind to white hat security researchers. The change should help promote cybersecurity by allowing good-faith researchers to discover security vulnerabilities.
But the language referencing extortion may give some security researchers pause. Participating in a traditional bug bounty program should not carry risks under this updated policy because a company that offers a bounty in advance is not being extorted. However, various security researchers regularly scan for and seek out exploits, reaching out to companies without bug bounty programs and offering to disclose their findings for a fee. In most cases, if the company does not pay for the exploit the security researcher will disclose it to a security blogger, publishing the exploit, building their credentials by getting credit for the finding, and publicly shaming the company, potentially alerting the public to a security incident. Such behavior falls into a gray area and may not be protected by DOJ’s updated policy.
In addition, it is important for security researchers to recognize this updated policy only pertains to CFAA charges brought by the DOJ. It does not preclude the possibility of criminal or civil penalties in other jurisdictions (e.g., under state or international statutes) or other liability.
One side effect of DOJ’s new charging policy may be that businesses see an uptick of not only good-faith actors, but also threat actors attempting to access their environments and sensitive information. Threat actors and scammers may try to use this policy to mask their unlawful activities as those expressly permitted by the policy. They may claim the policy protects their attempts to infiltrate businesses or offer to disclose vulnerabilities in exchange for payment. Threat actors may also attempt to portray themselves as “security researchers” to access sensitive information.
Given that risk, businesses should:
For more information about security measures that your organization can deploy or for assistance in responding to a cyberattack, please contact one of the authors or a partner or senior counsel member of Foley & Lardner LLP’s Cybersecurity and Privacy Team.
The authors gratefully acknowledge the contribution of Lauren Hudon, 1L law student, Marquette University Law School, and summer clerk at Foley & Lardner LLP.