The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA).
Under the change to enforcement of the 1986 Computer Fraud and Abuse Act (CFAA), announced today, the Department of Justice will amend its charging policy to explicitly discourage going after so-called “good faith,” or ethical, security researchers.
“Computer security research is a key driver of improved cybersecurity,” Deputy Attorney General Lisa Monaco said in a statement accompanying the revamped policy.
“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good,” she added.
Federal prosecutors who seek to bring charges under CFAA must first consult with the Computer Crime and Intellectual Property unit inside DOJ’s Criminal Division. If that office recommends going forward with charges, prosecutors must inform Monaco’s team and even then may need special permission to proceed.
However, ethical researchers who scour for and discover software vulnerabilities could still face prosecution under existing state laws or be sued in a court of law.
The guidance comes a little over a year after the Supreme Court ruled in a major CFAA case that the 1986 law does not apply when an authorized user utilizes data in improper ways. In that case, the court said a Georgia police officer did not violate the hacking law when he took money from an acquaintance to search a license plate database.
The DOJ said Thursday that, as the court ruled, the law should only apply in instances when an outside hacker or authorized user actually breaks into a secure portion of an organization’s network.
The policy overhaul was welcomed by federal cybersecurity officials and the researcher community. The new policy takes effect immediately and replaces an earlier policy that was issued in 2014.