On February 27, 2020, the Cybersecurity Unit of the Justice Department’s Computer Crime and Intellectual Property Section released a guidance document addressing “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.” The guidance considers only federal criminal law, not potential civil liability or risks under state or foreign law, and it emphasizes the importance of seeking legal guidance about particular activities “because minor changes in facts can substantially alter the legal analysis.” Nonetheless, the guidance offers a number of best practice recommendations that may be helpful to the growing number of organizations that engage in, or hire another organization to undertake, “cyber threat intelligence-gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold.”
Two Fundamental Rules
At the outset the guidance emphasizes “two rules to always follow”:
- Don’t be a perpetrator: Consult with legal counsel and consider cultivating a relationship with local FBI and U.S. Secret Service field offices if contemplating these types of operations.
- Don’t be a victim: Because online cyber intelligence gathering “may involve interacting with sophisticated criminal actors” organizations undertaking these activities should “remain vigilant, institute appropriate security safeguards, and adhere to cybersecurity practices that will minimize the risk [of being] victimized.”
The guidance then offers three tips for online intelligence collection:
- Passively collecting intelligence typically is not illegal: “Doing nothing more than passively gathering information from an online forum, even one on which criminal conduct related to computer crime is conducted, is unlikely to constitute a federal crime, particularly when done without any criminal intent.”
- Access forums lawfully: “Accessing a forum in an unauthorized manner, such as by exploiting a vulnerability or by using stolen credentials, can implicate” the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the Access Device Fraud statute, 18 U.S.C. § 1029.
- Do not assume someone else’s identity without consent: “Using a fake online identity to gain access to or participate in a forum where criminal conduct is occurring, standing alone, is typically not a violation of federal criminal law. However, assuming the identity of an actual person without his or her permission rather than manufacturing a false persona can cause legal problems.”
Six Recommended Best Practices
The guidance then considers a series of scenarios in which actors seeking information for legitimate cybersecurity purposes may interact with participants in different kinds of sites and forums on the dark web: lurking; asking questions; exchanging information with others; purchasing stolen data; and purchasing vulnerabilities. From those scenarios, the guidance derives six best practice recommendations:
- Create “rules of engagement”: Establish and follow “deliberately crafted protocols that weigh legal, security, and operational considerations beforehand.”
- Be prepared to be investigated: “Having trusted lines of communication established in advance” with federal law enforcement “can avoid misunderstandings.”
- Practice good cybersecurity: “[U]se systems that are not connected to your company network and are properly secured when communicating with cyber criminals.”
- Promptly report information about an ongoing or impending computer crime uncovered during intelligence gathering activities to law enforcement.
- Do not provide any valid, useful information that can be used to facilitate a crime.
- Involve your legal department in operational planning.
Two Additional Takeaways
- The Justice Department’s issuance of this guidance reflects the Department’s welcome recognition that “[i]nformation gleaned from . . . online forums and other communication channels where illegal activities are planned and malware used to commit illegal acts and stolen data are sold . . . can be a rich source of cyber threat intelligence and network defense information about past, current, or future cyber attacks or intrusions; malware samples; criminals’ tactics, tools, and procedures that are in current use or under development; and aliases and identities of individuals engaged in attacks and intrusions.” But such cyber intelligence activities raise difficult legal questions that will often turn on the precise facts about methods and intent because “when private parties join or participate in these online forums to collect information for lawful purposes, the line between gathering threat intelligence and engaging in criminal activity can be hard to discern.”
- Online cyber intelligence-gathering activities may raise substantial legal risks under state or foreign law as well as federal law. Purchasing data or cyber information, for example, may implicate state statutes governing receipt of stolen property or possession or use of certain kinds of personally identifiable information. Those non-federal legal regimes should also be considered in assessing whether to undertake particular online intelligence-gathering efforts.