The Cybersecurity Unit (“CsU”) of the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice (“CCIPS”) has released its guidance on “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources” (“Guidance”). The CsU prepared the Guidance—with input from the FBI, the U.S. Secret Service, and the Office of Foreign Asset Control—to help companies assess the legal risk associated with information security practitioners gathering intelligence from online forums in which computer crimes are discussed and planned and stolen data is bought and sold. The Guidance also addresses the legality of situations in which private actors attempt to purchase their own stolen data (or stolen data belonging to others but with the “data owners’” authorization), malware, or security vulnerabilities from potentially criminal actors.
In other words, the Guidance aims to provide guidelines to private organizations that gather and use information found on the Dark Web as part of their cybersecurity activities. It does so by presenting a variety of “scenarios” and highlighting potential legal concerns with each scenario.
Steps to Mitigate Risk
Overall, the Guidance provides a list of best practices and steps organizations can take to mitigate risk when gathering intelligence from the Dark Web. First and foremost, if companies engage in activities on the Dark Web other than mere passive intelligence collection, they should be prepared to be investigated. As such, they should work with counsel to create a written operational plan for conducting cyber threat intelligence gathering and then keep good records of how they have used that plan. The plan should outline the acceptable conduct for its personnel and contractors interacting with criminal elements. The plan should also ensure the organization practices good cybersecurity when communicating with criminal elements. Such plans and records will not only protect the organization’s systems and infrastructure but can help short-circuit a criminal investigation by showing the actions were taken as part of a legitimate cybersecurity operation.
Second, the Guidance encourages organizations to take reasonable steps to prevent conducting business with parties that are subject to economic and trade sanctions. However, CsU recognizes this may be difficult given the anonymized nature of Dark Web communications.
Lastly, the Guidance states organizations may want to form early, ongoing relationships with a local FBI field office or Cyber Task Force and the local U.S. Secret Service field office or Electronic Crimes Task Force. In addition to potentially preventing an unnecessary investigation into the organization’s activities, the Guidance states that early engagement with law enforcement may also help ensure that the organization’s activities do not unintentionally interfere with an ongoing or anticipated investigation by law enforcement and creates a channel for reporting evidence of any ongoing or eminent criminal activity.
Not All Cyber Threat Intelligence Gathering Is Created Equal
The Guidance presents three scenarios of cyber threat intelligence gathering: (1) “lurking” in criminal forums to gather intel; (2) posting questions in these forums; and (3) engaging in dialogue or exchanging detailed information in these forums. Lurking—simply reading or collecting posts openly made in these forums—creates “practically no risk of federal criminal liability” so long as the practitioner is not accessing the forum in an unauthorized manner or impersonating an actual person without that person’s authorization. Posting questions is more problematic as it raises the risk the practitioner could become the target of a criminal investigation, particularly if the questions appear to solicit the commission of a crime. Even though the practitioner may have no intention of soliciting criminal activity, some questions may pique the interest of law enforcement and trigger an investigation.
The riskiest course of action is to engage in extended dialogue with members of the criminal forum or to exchange detailed information. The risk is that members of the forum ask the practitioner to engage in criminal (or borderline criminal) activity to prove trustworthiness. By engaging more fully with the criminal forum, the practitioner may also cross the line into aiding and abetting a federal offense or even into conspiracy.
Dark Web Purchases: Buyer Beware
The Guidance also discusses the possible need to make Dark Web purchases of information previously stolen from the organization or of information relating to a security vulnerability. Setting aside whether there are practical enforcement and business risks associated with such purchases (several of which the Guidance identifies), the Guidance states that a party attempting to purchase its own data or a security vulnerability is not likely to be charged by federal prosecutors because of the lack of criminal intent. Nevertheless, a party engaging in such purchases should carefully consider the following:
- Who is the legitimate “data owner”? A purchaser should be the “legitimate owner” of the stolen data or an agent of the “legitimate owner.”
- What is the type of data being sold? A purchaser should be careful to avoid acquiring data whose transfer or mere possession can trigger civil or criminal liability (e.g., trade secrets belonging to another or malware designed to intercept electronic communications).
- Who is selling the data? A purchaser should be careful to not provide financial support to individuals or organizations in violation of federal law, regulation, or executive order.
The answers to these questions will impact the legal risk associated with such Dark Web purchases.
The Guidance’s Caveats: Its Scope Is Limited And It Is Not Legally Binding
It is worth noting that the CsU repeatedly limits the Guidance’s scope to a discussion of U.S. federal criminal law. As such, it does not focus on civil liability, state or international law, or regulatory restrictions. It also expressly does not cover intelligence or evidence gathering relating to child pornography or illicit drugs. Furthermore, the Guidance states it is not legally binding and cannot comprehensively address all the legal issues that might arise when private organizations engage in this type of conduct. Thus, the CsU “strongly recommend[s]” that private organizations consult with legal counsel on how to properly interpret and apply the Guidance.