
ARTICLE

The Department of Justice’s New Guidance on the Computer Fraud and Abuse Act

Amanda Dennis

Summary

  • The DOJ’s May 2022 notice limits the scope of prosecutable violations of the CFAA.
  • Ethical hacking done in the name of security research will not be considered a violation of the CFAA.
  • This provides support for cyber insurers that wish to require potential insureds to conduct red teaming or pen testing.

In May 2022, the U.S. Department of Justice (DOJ) revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), indicating that the DOJ does not intend to prosecute ethical hacking. Ethical hackers are often referred to as “white hat hackers.” These hackers may use their capabilities to uncover security failings in a company’s system to help the company guard its business from outside hackers who may do damage to the company’s system. While white hat hackers are typically hired by a company to test the company’s information systems, some such hackers are freelance, motivated by public bug-bounty programs, or are focused on raising consumer awareness of vulnerable systems to address privacy concerns while still fully and discreetly disclosing the actual vulnerabilities found to the system owners for full remediation.

The DOJ Provides Guidance on Prosecution under the CFAA

As cyber insurance claims have increased in frequency and severity over the last few years, cyber insurers are sharpening their focus on the security profile and security assessments of companies applying for cyber insurance. Companies seeking to assess for themselves their security and compliance with the governing standard, and to demonstrate to potential insurers that they have adequate security controls, may consider testing their systems, including “red teaming,” which is a realistic, unannounced attack on a company’s system. During red teaming, ethical hackers (typically hired security professionals) attempt to enter the company’s system to see how far within the system they can navigate without being detected or blocked. Another type of security test called “penetration testing” (or a “pen test”) is often used to provide a company with an overview of its current security system and help identify its vulnerabilities. In some instances insurers are starting to require the companies they insure to have outside entities perform pen tests on their systems. The DOJ’s May 2022 notice now confirms that such ethical hacking will not be subject to prosecution.

This decision not to prosecute is not extended to gray or black hat hackers. Gray hat hackers, unsurprisingly, live in a gray area, finding issues in a computer system without the owner’s permission and often without fully disclosing the vulnerabilities in a fair commercial manner. Gray hat hackers do not take the ethical approach of white hat hackers and may cause chaos within a system or may not alert the company of the vulnerabilities they discover. However, they will not go as far as a black hat hacker, and gray hat hackers often hack companies’ systems without seeking personal gain. Sometimes a gray hat hacker who finds an issue may report it to the owner and may request a small amount of money to fix the issue. The new DOJ policy would likely extend to good-faith efforts for compensation but not outright extortion untied to the commercial value of the security service actually provided. Black hat hackers are often categorized as “criminals” who hack a company’s internal system without permission and for their own personal gain. These are hackers whom cyber insurance typically protects against, as they may access a business’s or its customers’ data without permission and with ill intent.

The DOJ manual Prosecuting Computer Crimes explains that, pursuant to 18 U.S.C. § 1030(a)(2), it is a misdemeanor to (1) intentionally access a computer, (2) without or in excess of authorization, and (3) obtain information, (4) from financial records of financial institutions, a consumer reporting agency, the government, or a protected computer. This misdemeanor is raised to a felony if the above actions were committed for commercial advantage, private financial gain, in furtherance of any criminal or tortious act, or if the value of the information obtained exceeds $5,000. Violations of this section may result from black hat hacking, as black hat hackers act with malicious intent and for personal gain. Black hat hackers often “release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers, or other personal information.” In some instances, black hat hackers will attempt to “plant malware that spies on staff and customer activity.” Such malware can often lead to far greater crimes being committed, such as allowing a hacker to monitor emails until a large payment is scheduled, then intervening through social engineering or other methods to attempt redirection of the payment to an account the hacker controls.

The press release accompanying the new DOJ policy explicitly states that the new policy does not give a free pass to those who merely claim to be conducting security research but in actuality were acting in bad faith. Where there is some question as to whether specific conduct was in good faith, the new policy advises prosecutors to consult with the Criminal Division’s Computer Crime and Intellectual Property Section.

There has been much discussion of the scope of the CFAA, which was first enacted in 1986. Some critics have raised concerns that “the law could potentially criminalize many of the everyday activities of computer users.” The DOJ’s May 2022 notice specifically addresses these concerns, noting that some of the hypothetical violations that have concerned some courts and commentators are not to be charged, such as “checking sports scores or paying bills at work” or “embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; or using a pseudonym on a social networking site that prohibits them. . . .”

The Supreme Court Provides Additional Guidance on Cybersecurity

The goal of the DOJ’s enforcement of the CFAA is to “promote privacy and cybersecurity.” The DOJ’s new policy comes after the Supreme Court decided the case of Van Buren v. United States, in which the Court considered whether an individual “exceeds authorized access” in accessing a computer with authorization but then obtains information located in particular off-limit areas of a computer, such as files, folders, or databases, in violation of the CFAA. The CFAA provides that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

This case arose from a former Georgia police sergeant’s access of a law enforcement database to gather information about a specific license plate number in exchange for money. Although the former sergeant used his own, valid credentials when searching for this information, he was in violation of a department policy against obtaining information from the database for non-law-enforcement purposes.

The former sergeant was subsequently charged with a felony violation of the CFAA because he had intentionally accessed “a computer without authorization” or in excess of “authorized access.” The Supreme Court reversed and remanded to the Eleventh Circuit, finding that an individual “exceeds authorized access” when he or she accesses a computer with authorization but obtains information located in specific areas of a computer that the individual is not authorized to access. Because the parties agreed that the former sergeant accessed the law enforcement database system with authorization, the only question was whether he could use the system to retrieve license plate information, which both sides agreed he could. Accordingly, the court found that he “did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.”

The Van Buren decision narrowed the scope of the CFAA and applied a gates-up or gates-down approach—one either is or is not authorized to access a computer system or certain areas of a computer system—which reinforces the cybersecurity concepts of authentication, authorization, and access control. Essentially, this approach relies on information technology permissions to determine whether access to information “exceeds authorized access” for purposes of civil or criminal liability under the CFAA. For example, if an individual was not authorized to access a specific folder within a computer system, then the fact that that individual accessed that folder would be considered exceeding that individual’s authorized access. In addition, the Van Buren decision puts some onus on the companies themselves, instead of individuals, in that it obligates companies to consider which users should have access to sensitive information and requires that companies have a robust security system to control that access.

The DOJ’s May 2022 notice builds on Van Buren, further limiting the scope of prosecutable violations of the CFAA. White hat hackers, with ethical intent but not necessarily authorization to enter a business’s computer system to test its vulnerabilities, are no longer at risk of prosecution, given that ethical hacking done in the name of security research will not be considered a violation of the CFAA. This provides support for cyber insurers that wish to require potential insureds to conduct red teaming or pen testing. Or, where insurers want more control and direct reporting, the insurers can send in teams of their own—though it is often wise for an insurer to have consent for such tests included within the coverage contract. Now companies and individuals have clearer guidelines to follow to ensure adequate compliance with the CFAA.