The Cybersecurity Unit of the U.S. Department of Justice (“DoJ”) has released guidance on legal considerations when gathering online cyber threat intelligence and purchasing data from illicit sources for cybersecurity purposes (the “Guidance”). Although the Guidance is not legally binding, it is intended to help organizations assess, under U.S. federal law, the legal risks associated with gathering cyber threat intelligence from the dark web.
First and foremost, the Guidance recommends that organizations engaging in online threat intelligence gathering consult their legal counsel to assess the legal risks. In parallel, the DoJ recommends that such organizations draft “Rules of Engagement”, including protocols, that set out acceptable conduct for employees who interact in dark-web forums. According to the DoJ, written protocols that address the legal, security and operational considerations of such gathering are likely to discourage rash decisions and may help mitigate the risks that arise. Given the sensitivity and nature of these activities, information security practitioners should try to establish positive working relationships with law enforcement agencies and keep records of their gathering activities, so as to be better protected in the event of a criminal investigation.
In terms of intelligence gathering, according to the DoJ, the mere passive collection of intelligence from the dark web will typically be lawful, provided the data was obtained through legitimate means and without criminal intent. However, accessing forums and other sources by exploiting vulnerabilities or using stolen credentials may be illegal under the Computer Fraud and Abuse Act (CFAA). According to the Guidance, the line between gathering threat intelligence and engaging in criminal activity can often be hard to discern: organizations should avoid posing specific questions that could be viewed as solicitation, and should avoid exchanging information with other forum participants in ways that could violate federal conspiracy statutes.
With regard to purchasing data and vulnerabilities, the DoJ states that there is typically no legal risk when an organization buys back its own information. However, knowingly purchasing another organization’s information without authorization, or using such information even if it was obtained by mistake, can give rise to substantial legal risk, depending on the nature of the information obtained. The DoJ therefore recommends that organizations which discover they have purchased data they have no right to possess refrain from accessing it and immediately contact law enforcement or the data owner. In addition, in some instances organizations may be at risk even when buying their own information: U.S. federal law prohibits providing material support to known terrorist organizations and conducting business with sanctioned organizations and individuals from certain countries, such as Iran and North Korea. Since criminal liability requires knowledge of ties to a sanctioned organization or country, and the identity of sellers on the dark web is typically masked, the risk of criminal proceedings is remote. Civil penalties, however, may be imposed on a strict-liability basis, without any requirement of knowledge of the other party’s ties to sanctioned entities.
Despite the risks of criminal liability, when conducted properly, gathering intelligence from the dark web can improve an organization’s cybersecurity readiness and help it prepare effective and lawful responses to threats.