How White Hats Get Dirty

By: James Trusty

Historically, undercover operations by law enforcement would run into problematic “loyalty tests,” designed to make sure that the criminal conspirators could trust the “new guy.” Biker gangs would ask this “pledge” to beat someone up or take drugs, knowing law enforcement agencies would likely not let that happen, even in an undercover capacity. Prostitution stings could be compromised by either a John smart enough to ask for a free sample or by a prostitute who would not discuss price until the date was well underway. Cybercriminals operating on the Darknet[1] will often employ their own loyalty test—the new guy has to demonstrate access to stolen personal identifying information (“PII”) or get someone to vouch for the malware he has designed or spread successfully in the past. This need for proof of bona fide criminal status is just as problematic in the cyber world as it is on the streets.

These loyalty tests pose serious challenges for law enforcement agents, who can only go so far in establishing their criminal bona fides. But in today’s era of cyber security firms serving as virtual police across a wide variety of industries, the Department of Justice (“DOJ”) recognized the need to give some guidance to private security firms, who increasingly find themselves chasing the bad guys into Darknet criminal forums, the modern day equivalent of Deadwood, or some other lawless frontier town.

When assessing possible criminal liability for investigative work, the starting point of the DOJ memo is to acknowledge that private investigators will likely not harbor a criminal intent when they drop into the netherworld of cybercrime, but they nonetheless can find themselves on the scary end of a criminal investigation by federal or state law enforcement personnel. From the agent’s perspective, it may not be readily apparent that the forum comments of John Doe are actually bait being thrown out by the John Doe Security Company. If the investigator used a pseudonym to gain acceptance into this particular forum, the choice of identity becomes a huge factor to law enforcement players – a fake name is expected and acceptable, a stolen identity is its own crime and extremely problematic. Presence and conversation within the forum can also create criminal liability—“lurking” in a forum to simply gather threat intelligence has “practically no risk of federal criminal liability.”[2]   Posing questions, like “what’s the best way to hurt Target?” could implicate serious crimes based upon legal concepts of solicitation or even conspiracy. The risk of liability in an investigative chat is more serious than one might think at first blush—actual on-line criminals can be very skilled at sniffing out poseurs. If the new guy sounds stiffly non-committal, then his new Darknet friend may smell a trap. If he finds himself drifting into a committed relationship with the target, he may weave a criminal chat log that will only be untangled with great effort.

In the memo from DOJ (https://www.justice.gov/criminal-ccips/page/file/1252341/download) the cyber security experts discuss the application of U.S. federal criminal law to these Dark Market private investigations and they give fairly specific scenarios to demonstrate their concerns. The basic premise is that cybersecurity firms need to be careful to avoid being labeled as perpetrators or finding themselves victimized by walking into traps. DOJ recognizes that these forums are highly profitable and sophisticated in counter-investigative techniques, and that even with open advertising of illegal services, stolen credit card number sales, compromised passwords and more, the door to the illegal kingdom is typically well-guarded. To crack that door open, investigators are going to be tempted towards giving bona fides and making comments that can nudge a well-meaning investigator in the direction of criminal liability. DOJ gives some Best Practices tips to help keep the white hats on the side of the white hats:

• Creating “Rules of Engagement” so that ad hoc investigative efforts do not boomerang into possible criminal liability;
• Establish lines of communication with law enforcement to avoid becoming investigated by these agencies and to avoid jeopardizing any federal investigations into the same bad guys; and
• Document operational plans and maintain good records, which will corroborate the security firm’s contention of not having a criminal intent.

In recent years we have seen the rise of ransomware to extort businesses and local governments to pay cybercrooks who have exploited security gaps and are able to shut down operations with a few strokes of their keyboard. Consequently, investigators will patrol the Darknet in search of stolen data, security vulnerabilities, or malware designed to disrupt or destroy the business or its products. The basic DOJ position here is that in reaching out to the hostage-takers it is very much like any kidnapping scenario – choosing not to involve law enforcement enhances the risk that the hostage (i.e., data or vulnerability) will not be safely returned, no matter what ransom is paid. Further, connecting up with these particular criminals could lead the investigator into dangerous territory – possible criminal exposure for material support of terrorists, strict liability in civil jurisprudence for dealing with people or countries who are off-limits (for example, OFAC-designated individuals from places such as North Korea, Iran and Russia) or risk of liability from retrieving your own stolen data while it is commingled with data belonging to other companies.

The DOJ guidance is practical and timely. It does not overstate the likelihood of cyber threat investigations leading to criminal liability for the good guys, but it does make it clear that there are practical steps that can be taken, always in connection with legal counsel’s guidance, to keep the hats white while riding into the seediest of frontier towns.

[1] As described by DOJ, “Dark Markets are found on the TOR (“the Onion Router”) network, which is a collection of computers designed to obfuscate the origin of online communications…[b]ecause the location of sites operating as TOR hidden services is concealed and difficult to trace, TOR hidden services are a preferred technique for hosting sites associated with illegal activities.” Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources, DOJ Cybersecurity Unit, February 2020, p. 1 footnote 4.

[1]Legal Considerations, p. 6.