DOJ: Congress looked into CFAA updates but effort was stalled by extortion concerns
Congress looked into amending the 1986 Computer Fraud and Abuse Act (CFAA) to address concerns from cybersecurity researchers before the Justice Department announced last month that it would revise how it enforces the law, a top DOJ official said Monday.
Leonard Bailey, head of the DOJ’s cybersecurity unit, was speaking at the RSA cybersecurity conference about the changes to how the CFAA will be enforced against good-faith security researchers when he was asked about further concerns some researchers still have.
An attendee questioned whether the new DOJ charging guidelines – handed down on May 19 – could be rescinded or changed by another administration.
Bailey said the Justice Department was approached by Congress for potential language that could be added to the CFAA to carve out exceptions for security researchers, but the department opted instead for revisions to its charging policies.
“We certainly have looked at language. We’ve been asked by The Hill, but we’ve been trying to find language that we felt in the statute would accomplish the same things without becoming a very permissive tool that someone who is actually not a good-faith security researcher might use, and we found it hard,” Bailey said.
“So in the meantime, right now, I think building out from this, establishing that there is something that looks like good-faith security research will make it easier later on to say ‘It looks like this, this and this, and this is what a statute would say to capture that.’”
Spokespersons for the House and Senate Judiciary Committees did not immediately respond to requests for comment.
The Justice Department said in May that it would no longer be charging “good-faith security research” and defined it as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
Deputy Attorney General Lisa Monaco said at the time that the DOJ “has never been interested in prosecuting good-faith computer security research as a crime” and that the announcement was an effort to provide “clarity for good-faith security researchers who root out vulnerabilities for the common good.”
Bailey noted that the CFAA has only been used once against a cybersecurity researcher and that even outside organizations have noted the law is almost never used to target those working in security.
But he explained that much of the concern around the CFAA among security researchers stems from its use by private companies, which often wield the law as a justification for cease-and-desist letters.
One of the difficulties the DOJ and Congress have faced in protecting security researchers is understanding the line between good-faith research and discovered vulnerabilities used to extort organizations.
“One of the challenges we run into is defining what good-faith research is versus something else. There are instances where ‘is this an extortionate exchange or is this someone trying to do disclosure in some way,’” Bailey explained.
“We anticipate there will be follow-up conversations on when coordinated disclosure that is done in a clumsy way that might be seen as a threat by the recipient of that request, might be viewed as extortionate by someone else,” he said. “That is something we’re going to have to talk about more. In the meantime, what we are focused on is making sure that we can define what good-faith security research is so that we can encourage that and provide it with some sort of shield.”