Justice Department softens enforcement of hacking law in 'good faith' cases
The U.S. government is altering how vigorously it enforces a central cybercrime law that security researchers, civil liberty advocates and others have long-argued is overly broad.
Under the change to enforcement of the 1986 Computer Fraud and Abuse Act (CFAA) — announced Thursday and first reported by Bloomberg — the Department of Justice will amend its charging policy to explicitly discourage going after so-called “good faith,” or ethical, security researchers.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa Monaco said in a statement accompanying the revamped policy.
“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” she added.
Federal prosecutors who seek to bring charges under CFAA must first consult with the Computer Crime and Intellectual Property unit inside DOJ's Criminal Division. If that office recommends going forward with charges, prosecutors must inform Monaco’s team and even then may need special permission to proceed.
However, ethical researchers who scour for and discover software vulnerabilities could still face prosecution under existing state laws or be sued in a court of law.
The guidance comes a little over a year after the Supreme Court ruled in a major CFAA case that the 1986 law does not apply when an authorized user utilizes data in improper ways. In that case, the court said a Georgia police officer did not violate the hacking law when he took money from an acquaintance to search a license plate database.
The DOJ said Thursday that law should only apply in instances when an outside hacker or authorized user actually breaks into a secure portion of an organization’s network, the court ruled.
The policy overhaul was welcomed among federal cybersecurity officials and the researcher community.
“Huge news—well done, Team DOJ!” Cybersecurity and Infrastructure Security Agency Director Jen Easterly tweeted.
Chris Vickery, a prominent cyber researcher, tweeted the new guidance "will hopefully improve the lives of people (like me) who fear retaliation for trying to do the right thing.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.