Extracted from Law360
For years, cybersecurity teams, security firms and forensic investigators have talked about dark web monitoring as a potential tool in the corporate information security toolbox, and some have coordinated such efforts.
Companies’ cybersecurity programs need to be dynamic and responsive to current threats and, in turn, the threats companies anticipate are informed by cyberthreat intelligence.
The dark web can be a rich source of cyberthreat intelligence. Indeed, the dark web hosts websites dedicated to the sale and purchase of stolen data and forums where anonymous individuals can ask advice on how to find or exploit security vulnerabilities in devices or software.
More recently, dark web monitoring has gained traction among consumers as credit bureaus such as Equifax Inc. or identity theft-protection companies such as LifeLock Inc. now offer these services to identify if an individual’s personal information is offered for sale on the dark web.
But as dark web monitoring has crept into our social vocabulary and worked its way to becoming an almost industry-standard part of our cybersecurity programs, it is easy to forget that entering the dark web is entering into a vast criminal underground of forums (or websites) run by criminals and dedicated to and developed for criminal activity. As a result, entering the dark web necessarily carries more risk than gathering cyberthreat intelligence through other methods. Dark web monitoring inherently involves seeking out and interacting with criminal enterprises.
But what are the rules of the road? Where is the line between criminal and noncriminal behavior when engaging on the dark web? These are issues that information security, risk management and legal professionals have grappled with — with little guidance from external sources — in deciding where to draw the line for their own internal teams, or more likely, when deciding whether to hire a third-party firm specialized in this area and for what services.
In February, however, the U.S. Department of Justice published a first-of-its-kind guidance from the government on navigating the dark web that provides information security practitioners and companies with useful guideposts to assess what activities may be acceptable and which may be problematic.
The Computer Crime and Intellectual Property Section of the Criminal Division of the DOJ released its guidance, “Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”
The CCIPS prepared the guidance — with input from the National Security Division of the DOJ, Federal Bureau of Investigation, U.S. Secret Service and the U.S. Treasury's Office of Foreign Assets Control — to help companies assess the legal risk associated with information security practitioners gathering intelligence from online forums where computer crimes are discussed and planned and stolen data are bought and sold.
The guidance also addresses the legality of situations when private actors attempt to purchase their own stolen data (or stolen data belonging to others but with their authorization), malware or security vulnerabilities from potentially criminal actors.
In other words, the guidance aims to provide guidelines to private organizations that gather and use information found on the dark web as part of their cybersecurity activities. It does so by presenting a variety of scenarios and highlighting potential legal concerns with each.
Caveats and Assumptions: Limited Scope, Not Legally Binding
It is worth noting at the outset that the guidance’s scope is limited to a discussion of U.S. federal criminal law. As such, it does not focus on civil liability, state or international law or regulatory restrictions. It also expressly does not cover intelligence- or evidence-gathering relating to child pornography or illicit drugs.
The guidance warns that it is not legally binding and cannot comprehensively address all the legal issues that might arise when private organizations engage in this type of conduct. Thus, the CCIPS strongly recommends that private organizations consult with legal counsel on how to properly interpret and apply the guidance.
The guidance also expressly relies on several legally significant assumptions. First, it assumes dark web monitoring and communications are being performed by “private sector information security practitioners who gather information from Dark Market forums as part of their cybersecurity activities.”
Second, it assumes that the activities in question are conducted within U.S. jurisdiction and in a manner that is subject to U.S. federal criminal law. Lastly, it assumes the practitioners are engaging in these activities or obtaining information solely for legitimate cybersecurity purposes.
Changing any of these assumptions matters to the ultimate analysis. For example, the guidance might be less applicable to information security practitioners hired by outside counsel following a data breach and acting at the direction of counsel. Similarly, if the activities occur in jurisdictions outside the U.S., then the criminal law of other countries may be implicated, requiring separate analysis.
Not All Cyberthreat Intelligence-Gathering Is Created Equal
The guidance presents three scenarios of cyberthreat intelligence-gathering: (1) lurking in criminal forums to gather intelligence; (2) posting questions in these forums; and (3) engaging in dialogue or exchanging detailed information in these forums.
Practitioners may lurk — access, read and collect posts openly made in these forums — if a few precautions are taken. First, the practitioner must take care to only access the forum in an authorized manner. Using stolen credentials to access the forum, or using an exploit or other technique that gathers data from the server or system on which the forum operates rather than the forum’s authorized means of access, could constitute a violation of the Computer Fraud and Abuse Act and should be avoided.
Second, practitioners should avoid assuming the identity of an actual person without their permission or authorization because this may violate certain state and federal laws. However, the guidance specifically allows for the use of a fictitious persona or a pseudonym to gain entry to these forums. If these steps are followed, the guidance observes that lurking creates practically no risk of federal criminal liability.
Posting questions is more problematic because it raises the risk that the practitioner could become the target of a criminal investigation, particularly if the questions appear to solicit the commission of a crime. Generally speaking, the crime of solicitation “involves seeking another person to engage in a specified criminal act.”
While the guidance notes there are few federal statutes that might apply to the solicitation of activity that could be a computer crime, there are “many state solicitation statutes that might apply” depending on the jurisdiction. And even though the practitioner may have no intention of soliciting criminal activity, some questions may pique the interest of law enforcement and trigger an investigation.
The riskiest course of action is to engage in extended dialogue with members of the criminal forum or to exchange detailed information. The risk is that members of the forum ask the practitioner to engage in criminal, or at least borderline criminal, activity to prove trustworthiness. By engaging more fully with the criminal forum, the practitioner may also cross the line into the broad federal inchoate crimes of aiding and abetting a federal offense or conspiracy.
Dark Web Purchases: Buyer Beware
The guidance also discusses the possibility of making purchases on the dark web of information previously stolen from the organization or of information relating to a security vulnerability. Before addressing the legal risks of such purchases, the guidance notes several practical and business risks associated with making purchases on the dark web.
For example, if a company tries to repurchase its stolen data, it runs the risk that the seller may take the money and run or use the proceeds to fund further criminal activity. The seller might keep a copy of the data and sell it to others. Perhaps the seller already sold copies and is unable to stop previous copies from being further disseminated. The buyer also runs the risk of receiving a trojanized version of its data.
The fact that a buyer is likely to have little legal recourse against a seller further exacerbates these risks. These sellers will often be anonymous, located outside the reach of U.S. courts or paid using untraceable, nonrefundable forms of payment such as cryptocurrency, making enforcement a practical impossibility.
Moving beyond the practical enforcement and business risks associated with such purchases, the guidance notes at the outset that a party attempting to purchase its own data or security vulnerability is not likely to be charged by federal prosecutors because of the lack of criminal intent. Nevertheless, a party engaging in such purchases should carefully consider the following:
- Who is the legitimate data owner? A purchaser should be the legitimate owner of the stolen data or an agent of the legitimate owner.[1]
- What is the type of data being sold? A purchaser should be careful to avoid acquiring another’s data whose transfer or mere possession can trigger civil or criminal liability (e.g., trade secrets belonging to another, or malware designed to intercept electronic communications, which may violate the Wiretap Act).
- Who is selling the data? A purchaser should be careful to not provide financial support to individuals or organizations in violation of federal law, regulation or executive order, such as designated foreign terrorist organizations.
The answers to these questions will impact the legal risk associated with such dark web purchases.
Steps for Mitigating Risk
Overall, the guidance provides a list of best practices and steps organizations can take to mitigate risk when gathering intelligence from the dark web.
First and foremost, if companies engage in activities on the dark web other than mere passive intelligence collection, they should be prepared to be investigated. They should work with counsel to create a written operational plan for conducting cyberthreat intelligence-gathering and then keep good records of how they have used that plan.
The plan should outline the acceptable conduct for the organization’s personnel and contractors interacting with criminal elements. The plan should also ensure the organization practices good cybersecurity when communicating with criminal elements (i.e., the organization should use systems not connected to the company network and that are properly secured).
Such plans and records will not only protect the organization’s systems and infrastructure but can help short-circuit a criminal investigation by showing the actions were taken as part of a legitimate cybersecurity operation.
Second, the guidance encourages organizations to take reasonable steps to prevent conducting business with parties that are subject to economic and trade sanctions. The CCIPS recognizes, however, that this may be difficult given the anonymized nature of dark web communications.
Third, the guidance recommends that organizations form early, ongoing relationships with their local Federal Bureau of Investigation field office or Cyber Task Force and their local U.S. Secret Service field office or Electronic Crimes Task Force.
In addition to potentially preventing an unnecessary investigation into the organization’s activities, the guidance observes that early engagement with law enforcement may also help ensure that the organization’s activities do not unintentionally interfere with an ongoing or anticipated law enforcement investigation, and it creates a channel for reporting evidence of any ongoing or imminent criminal activity.
While not addressed by the guidance, there are two additional steps organizations may wish to take that may further reduce the risks associated with cyberthreat intelligence-gathering. Due to the fact-specific nature of these intelligence efforts, predicting in advance all places where the lines between permissible and criminal behavior may fall will be difficult.
Thus, as organizations create operational plans for these activities, they should foster an if-in-doubt, ask-first culture among their cybersecurity practitioners that involves the legal department early, often, and whenever the ice seems to be growing thin.
Finally, in the area of security vulnerabilities, organizations may also consider working with counsel to establish a vulnerability reporting and incentive program. The practical risks associated with purchasing vulnerabilities on the dark web cannot be fully mitigated.
Establishing a vulnerability reporting and incentive program, often called a bug bounty or responsible disclosure program, can help push the market for discovering (and ultimately paying for) these vulnerabilities away from criminal elements and to trusted sources with vetted, legitimate security researchers.
While such programs will not address all possible reasons to make purchases on the dark web, they may reduce the likelihood that vulnerabilities are discovered — and exploited — by criminal elements in the first place.
[1] The guidance uses the concept of the “data owner.” However, in practice, the concept of legal ownership of data is uncertain for certain data sets.