Leonard Bailey, Special Counsel for National Security at the U.S. Department of Justice Computer Crime & Intellectual Property Section, spoke at the Black Hat 2015 Conference in Las Vegas on August 5th. If you missed his presentation, here are the key take-aways.
CFAA prosecutions are very rare
In 2014 there were 56,218 federal criminal cases filed by the DOJ. Of those, only 194 were for computer fraud. While charging decisions for CFAA violations are guided by DOJ prosecution policy, Mr. Bailey said that, “in comparison to other federal crimes, CFAA offenses are not charged frequently, and prosecuting someone engaged in computer security research is extraordinarily rare.”
Would substantial federal interest be served?
Mr Bailey said “prosecutors are directed to consider whether or not a substantial federal interest would be served by prosecution of a CFAA case in which admissible evidence is expected to be sufficient to sustain a conviction.”
When deciding whether or not to bring CFAA violation charges against an individual, DOJ prosecutors consider the potential harm to national security and public safety, the sensitivity of the data in question, who the victim is, and if the actions are a part of a larger criminal activity.
He indicated that consideration of these factors is often one of the methods used to determine if a suspected threat actor is a real threat or a security researcher doing his job.
Even if convicted, the sentence is likely to be light
In today’s criminal justice system federal sentencing guidelines play a factor in determining the latitude that judges have when handing down sentences. There are various calculations including the severity of the offense and the criminal history of the defendant that must be factored against these guidelines. Mr. Bailey says that “The average sentence for a CFAA violation is about 23 months.”
He goes on to explain that “sentences for CFAA offenses routinely have been below the minimum sentence recommended by sentencing guidelines.” The DOJ and federal judges have not, heretofore, been inclined to “throw the book” at CFAA violators, even when convicted.
Security Researcher or Hacker?
Mr. Bailey says that the DOJ understands that computer security research is important and that the DOJ is not at war with researchers. In fact, he says that the DOJ has proposed amendments to the CFAA that would avoid criminalizing trivial conduct. This is exactly the kind of conduct that legitimate security researchers are generally engaged in.
Throughout much of the research process many of the actions of legitimate researchers mirror those of threat actors. Until threats are made or valuable information is sold or otherwise disclosed, it is nearly impossible to determine – based on observable actions alone – the intent of the attacker.
Mr. Bailey emphasized, however, that taking some common sense precautions will go a long way toward avoiding hassles with law enforcement, such as getting permission from likely targets before beginning your research, when possible. Obviously, such permission is often not granted, but documenting the intent of your research is helpful and always avoid harming the target systems or exfiltrating enough information that harm could be done if that information was disclosed or sold on the dark market.
“Like” our Facebook Page and leave a comment.