The ethical and legal dilemmas of threat researchers
Threat intelligence is mainstreaming into a de-facto everyday tool of cyber-defense. But all that intelligence must be collected, analyzed, and prepared by someone. Enter threat researchers, the advanced scouts of cybersecurity. They are becoming more numerous and conspicuous as more intelligence on illicit hacker activity is demanded. Threat researchers trawl through the dark web, pick apart malware, reverse engineer exploits, track outbreaks across the Internet, and set up honeypots to surveil attacker activity.
They also find themselves weaseling around in the slippery space between what is acceptable and what is forbidden. To get to the truth on the ground, they can find themselves using stealth, misdirection, and even outright deception. This is when threat researchers can find themselves in unpredictable legal and ethical situations with consequences that they and their employers never anticipated. I’m going to pose a series of scenarios based on actual threat researcher incidents to illustrate these dilemmas.
How far is too far?
We’d assume that it’s the government’s job to protect us from those things that we cannot defend against. In cyberspace, that is rarely true. Consider the case where a threat researcher uncovers a large botnet composed of hijacked critical infrastructure devices. Warnings to the owners and manufacturers are ignored, especially since there is no information on the specific exploit being used. Without the particulars on the nature of the compromise or a reported crime by the actual victim, law enforcement couldn’t be bothered. That is the problem with intelligence, it rarely provides a smoking gun or the whole story.
To gather more information on how the botnet was constructed and by whom, the researcher could break into the compromised devices and perform forensics. Despite intention, in the eyes of the law, this act would be no different than what the botnet creator has done. Unauthorized access is a clear violation of the Computer Fraud and Abuse Act. When an agent of the law does this, they need a court order that is referred to as OIA or “Otherwise Illegal Activity.” For a civilian, it invites arrest, lawsuits, and the very least, termination of employment. What are the alternatives for the researcher? Ignore this massive threat? Disclose the information publicly and hope the attacker doesn’t trigger an attack, disappear, or change tactics? Worst of all, disclosure could inspire copycat attacks and make things worse.
What to do about stolen data?
Consider the other things that are discovered on darknets: email addresses, passwords, text messages, financial information, photographs, and even private videos. What happens when a security researcher uncovers this kind of stolen data? Do they have the right to search through it? Analyze it? How much of it should they publish it? What if the data was from a public figure?
Take this a step further, what should happen when a threat researcher finds evidence of crimes committed? Police are rarely interested in ill-gotten, dubiously-sourced data except for intelligence purposes (which means the researcher will see no immediate action). On the other hand, journalists are usually interested, but they will publish their findings.
Keeping everything secret might not seem like such a bad thing, as many organizations are leery of potential liabilities or blowback. There is a real tension between the sharing of intelligence versus causing more mayhem about the disclosure of threats. This is why threat researchers know about things that are happening that are not being shared openly.
Sometimes the actions chosen by threat researchers aren’t a question of legality but instead a question of ethics. In most cases, there is no legal obligation to report a crime (encouraging or helping plan a crime is another matter). Is it ethical for a researcher to impersonate a cyber-criminal with the intent of gaining access to illicit forums? Or to try to trick criminals into revealing their secrets? This goes beyond honeypots, creating actual fake identities and trolling the dark nets and criminal forums in an undercover guise.
As an aside, it seems to me there are times when so many threat researchers are stumbling around in the dark web that I’m reminded of The Man Who Was Thursday. In that book (spoiler alert), a police officer infiltrates a cabal of anarchists, all of which turn out to be undercover police themselves. I wonder how many threat researchers are surveilling and taking notes on each other? I wonder how many threat researcher publications have hampered law enforcement or intelligence agency investigations?
For the most part, threat researchers try to remain anonymous in online forums, but at the same time, it’s not always possible. Some forums necessitate a level of participation in order for anyone to trust you. What happens when those same criminals start bragging about their crimes? And producing details? Should the researcher go ahead and publish this information, possibly spoiling an investigation? Report it to the authorities? Ignore it?
There are no clear threat researcher guidelines as to what researchers should do. In many cases, consultation with an attorney often results in any action that smacks of impropriety being discouraged. The result being that nothing useful related to threat research could be found or shared. In fact, this is the reason that conversations with corporate attorneys are often avoided by threat researchers.
In many cases, threat researchers are making these kinds of decisions on their own. This can yield unpredictable results as there is no defined code of conduct for threat research, nor are there any professional standards. There is no telling if one threat researcher will do the same thing as another. Often a threat researcher may opt for the choice that maximizes their deniability and minimizes the blowback, such as producing obfuscated warnings and omitting telling details.
Undeclared threat researchers gone wild
I have also seen situations where IT professionals have been caught violating the rules and then claiming it was not done for criminal gain but under the aegis of “threat research.” I’ve been part of several security investigations where IT personnel were terminated for conducting their own supposed threat research while using company equipment. Whatever their intentions, for most organizations, the liability for this kind of rogue action is indefensible.
Where do we go from here?
Ethically, it is understood that security professionals should act to preserve the safety and welfare of society as well as adhere to the highest ethical standards of behavior. When wrestling with these predicaments, one question to ask is are your actions adding to existing harms? Are you making the problem better or worse? But even then, sometimes the outcome is unclear.
I don’t want to go as far as pushing for threat researchers to licensed, certified, or required to adhere to a code of standards. We already have plenty of those in the cyber-security industry. I raise this topic to make people aware, as it is a growing problem and one that not enough people are talking about.