The Justice Department is trying to assure security researchers prosecutors they have no interest in going after them.
Security firms have raised concerns about a DOJ proposal intended to make it easier to prosecute the cyber crooks behind botnets — a method of infecting networks of computers and using them to conduct cyber crime.
The point of contention is the department’s recommendation to prohibit the sale or transfer of “means of access” to a botnet.
Researchers argue this change could potentially allow the DOJ to prosecute legitimate researchers investigating digital crimes.
Private investigators often uncover vulnerabilities — a “means of access” — and either share that data publicly or use the information to better understand digital crime.
It’s possible sharing those findings could expose researchers to legal risks, security experts warn.
“We take this concern seriously,” Assistant Attorney General Leslie Caldwell wrote in a blog post. “We have no interest in prosecuting such individuals, and our proposal would not prohibit such legitimate activity.”
The topic came up during a Thursday House Intelligence Committee hearing.
Ranking member Adam SchiffAdam Bennett SchiffOvernight Hillicon Valley — Hacking goes global Schiff calls on Amazon, Facebook to address spread of vaccine misinformation Spotlight turns to GOP's McCarthy in Jan. 6 probe MORE (D-Calif.) called security researchers “one of our valuable assets” and wondered if the government might be chilling their work if these amendments are implemented.
“There are no guidelines that are accepted through the government or elsewhere that say this is how you do this,” replied Richard Bejtlich, chief security strategist at leading security firm FireEye. “We need to find ways to provide sort of a safe harbor or guidelines.”
Caldwell stressed that the proposal would put the burden on the government “to prove, beyond a reasonable doubt, that the individual intentionally undertook an act (trafficking in a means of access) that he or she knew to be wrongful.”
“The government would similarly have to prove that the individual knew or had reason to know that the means of access would be used to commit a crime by hacking someone else’s computer without authorization,” Caldwell added.
Bejtlich reminded lawmakers Thursday that security researchers are a positive force in combating cyber crime. The information they discover could be sold for great sums on the black markets.
“They’re acting altruistically in order to do their part in this conflict we have,” he said.