CyberUp view on the DoJ's new guidance for prosecutors

The US Department of Justice (DoJ) recently produced guidance for prosecutors as to when to prosecute instances of potential breaches of the Computer Fraud and Abuse Act (CFAA).

The most eye-catching aspect is that the DoJ now has guidance to “decline prosecution if the available evidence shows good faith security research” – a change which has been resoundingly welcomed by the US cyber security sector. This significant change to focus on the intent of the researcher will go some way to providing much needed clarity for US cyber security researchers.

The CFAA is the US equivalent to the UK’s Computer Misuse Act (CMA) – it criminalises unauthorised access to computers, and it does so in a way that has little regard for the intentions of the person accessing that computer.

In setting out their recent change to prosecutorial guidance, the DoJ stated: “As technology and criminal behavior continue to evolve …… it also remains important that the CFAA be applied consistently by attorneys for the government and that the public better understand how the Department applies the law.”

In this blog post we explain why we think this an important intervention, but also highlight the limits of prosecutorial guidance in protecting cyber security researchers, thereby making the case that – here in the UK – what is needed is meaningful reform of the CMA.

While other countries take steps to move their cyber crime regimes in the right direction, the UK risks being left behind if it doesn’t soon set out steps to reform the CMA.

A step in the right direction

The DoJ’s statement is right to acknowledge the complexity of cyber crime and the need for a nuanced understanding of technology, sensitivity of information, tools for lawful evidence gathering, coordination and victim concerns.

It is also encouraging to see that best practice in investigations and charging will be developed in consultation with experts, and that prosecutors will be required to give notification where a decision goes against expert consensus. We have long emphasised that skilled legal professionals play a crucial role in the fair and effective prosecution of cyber crime. In fact, in the CyberUp Campaign’s Defence Framework, we set out that under a reformed CMA courts and prosecutors should be able to draw on expert witness testimony in considering whether an action was proportionate and followed standard industry best practice.

The DoJ also establishes a series of factors that they expect prosecutors to consider in making a charging decision, which include:

  • The sensitivity of the affected systems or information, and the likelihood and extent of harm arising from damage and disclosure;

  • The degree to which concerns are raised regarding national security, Critical National Infrastructure, public health and safety, market integrity, international relations (and other national and economic impact);

  • The extent to which larger criminal endeavours are furthered, or there is a risk of bodily harm or a risk to national security;

  • The impact on victims, third parties, or particular communities;

  • The deterrent value of the investigation or the prosecution.

It is once again encouraging to see these considerations being laid out by the DoJ – they mirror and build on factors that we have included in assessing Principle 1 of our Defence Framework, which states, “an act of unauthorised access is defensible where the (prospective) benefits of the act outweigh the (prospective) harms, including where action was necessary to prevent a greater harm”.

The UK Crown Prosecution Service (CPS) guidance is considerably more vague than what has been set out by its US counterparts. The CPS sets out the following public interest factors:

  • The financial, reputational, or commercial damage caused to the victim(s);

  • The offence was committed with the main purpose of financial gain;

  • The level of sophistication used, particularly sophistication used to conceal or disguise identity (including masquerading as another identity to divert suspicion);

  • The victim of the offence was vulnerable and has been put in considerable fear or suffered personal attack, damage or disturbance;

  • The mental health, maturity and chronological age of the defendant at the time of the offence.

As mentioned, the central and overwhelming positive from this policy statement is that the DoJ’s guidance to prosecutors is now to “decline prosecution if the available evidence shows good faith security research”. This is defined as:

“accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services”

Including consideration of intent is crucial for better cyber security policy and legislation. We have long argued that one of the problems with the Computer Misuse Act is that Section 1 prohibits unauthorised access to computer material irrespective of whether that access was carried out by a cyber security researcher with noble intentions or by an internationally renowned gang of cyber criminals for nefarious ends. The DoJ’s latest policy will go some way to rectifying this in the US.

The DoJ is also right to note that “claiming to be conducting security research is not a free pass for those acting in bad faith”. Indeed, in our Defence Framework we set out safeguards to ensure that nefarious activity can’t hide behind claims of good faith and/or credentials and experience.

No substitute for legislation

But, though this statement is extremely positive in many respects, it is ultimately still only guidance for prosecutors. It is not binding on them, and they retain the discretion to deviate from it where they choose. This complicates the picture and reduces the confidence the guidance can give cyber security researchers that they won’t be prosecuted.

(This said, the charging guidance does matter, because it sets the default baseline for action. If US Attorneys want to deviate from the guidance, prosecutors would at least have to document why they want to deviate and provide some reasoning for the change. Though this documentation likely wouldn’t be public, it does provide some deterrence against frivolous charges.)

Another issue is that the guidance provides no protection at the state level – because of the way criminal justice works in the US, charges could still be brought by state prosecutors under legislation in individual states. Similarly, the guidance is not able to lessen the risk of frivolous or overbroad civil litigation by private interests under the Computer Fraud and Abuse Act. Without a defence written into law, cyber security researchers can still face spurious legal action for reporting a vulnerability to a company – a practice known as liability dumping.

And finally, this guidance, by its nature, sets out when prosecutors should and shouldn’t bring charges – it does not change what is and is not a breach of the law, which is still determined in the usual way according to the text of the Computer Fraud and Abuse Act. This means that companies that employ cyber security researchers will still face difficult decisions about what they ought to instruct their employees to do – for instance, are you able, from a responsible corporate governance perspective, to say to your employees, ‘carry out these actions; they are technically a breach of the law but the chances of you being prosecuted are very small’? Faced with this choice, most responsibly minded companies will still err on the side of caution.

It is because of these drawbacks that we have been pushing for primary legislation to change the Computer Misuse Act – these changes had the support of two thirds of respondents to the Government’s consultation on the matter, and CyberUp polling with Savanta ComRes has revealed that 66% of the public back the changes. Anything less, such as prosecutorial guidance, is clearly a step in the right direction, as the DoJ’s most recent intervention shows, but it fails to fully solve the problem it is trying to solve: ensuring there is sufficient legal protection for legitimate cyber security conduct. Although other countries seem to be taking progressive steps where we are not, the UK still has the opportunity to lead the way. A statutory defence to protect cyber security research would be the first such piece of legislation anywhere in the world, and would mark this country out as being at the vanguard of the cyber security space.
