The Department of Justice (DoJ) is offering up a list of legal considerations for industry to weigh when gathering online cyber threat intelligence and possibly viewing or acquiring data from illicit sources.
The document was prepared by DoJ’s Cybersecurity Unit (CsU) in response to questions from industry, and is intended to “help organizations adopt effective cybersecurity practices,” and make sure they do that legally.
“This document focuses on information security practitioners’ cyber threat intelligence gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold,” the document reads. “It also contemplates situations in which private actors attempt to purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in ‘Dark Markets.’”
CsU emphasizes that companies should follow two consistent rules when gathering online cyber threat intelligence or collecting data: don’t become a perpetrator, and don’t become a victim.
“Organizations anticipating they will engage in those activities should consult with their legal counsel to assess the legality of planned activities,” CsU said. It also said companies shouldn’t undertake those activities “without a deliberate assessment of risk,” and should consider cultivating relationships with local Federal Bureau of Investigation and Secret Service field offices.
Two big tips that CsU offers on lawfully collecting intelligence in online forums:
- Passively collecting intelligence is typically not illegal, but accessing forums without authorization or surreptitiously intercepting communications could raise legal concerns; and
- Creating a fake online persona is generally not illegal, but do not assume the identity of an actual person without their consent.
CsU recommends that companies create a compliance program, or “rules of engagement,” to outline acceptable and legal conduct. It also recommends companies prepare to be investigated because “it is possible that individuals engaged in legitimate cybersecurity may become the subject of a criminal investigation.”
Additionally, CsU recommends practicing good cybersecurity, reporting uncovered criminal activity to law enforcement, not providing information in forums that could facilitate a crime, and involving “your legal department in operational planning.”