THE GREY HAT HACKER: RECONCILING CYBERSPACE REALITY AND
Cassandra Kirsch*

“Borders and boundaries pose no obstacles for hackers. But they continue to pose obstacles for global law enforcement, with conflicting laws, different priorities, and diverse criminal justice systems. With each passing day, the need for a collective approach—for true collaboration and timely information sharing—becomes more pressing.”
Robert Mueller, Director of the Federal Bureau of Investigation (2012)
diversity and motivations among numerous hacking subgroups, including LulzSec and AntiSec.4 In light of these breaches and a burgeoning cyber crime industry, the Federal Bureau of Investigation (“FBI”) has invested considerable resources over the last few years in its Cyber Division in an attempt to address today’s increasingly sophisticated and evolving cyber threats.5 Once a tertiary priority for the FBI, cyber crime stands to overtake terrorism in rank.6 Nonetheless, rather than subsiding, hacking incidents continue to increase in number and scope.7 The 2013 Target breach affected nearly a third of the U.S. population,8 and the FBI warns that attacks similar to the Target breach “will continue to grow in the near term” despite its efforts.9 FBI officials admit the agency is losing the “War on Hackers”:10 it is no longer a question of who will be hacked, but when.11 Due to the low entry costs into the cyber crime market,12 the number of computers involved in transnational commerce, and the shortage of available law enforcement,13 cyber crime has become a growth industry.14 Effectively combating cyber crime requires existing laws, and the roles of federal and local officials, to evolve. In building the nation’s collective capabilities to fight the cyber threat, we “need to look at alternative architectures that are more secure... that allow critical infrastructure owners and operators to better spot threat actors and to provide information to law enforcement to track and to catch them.”15 Given the complexities of investigating and regulating cyber crime, law enforcement and the legislature should take a cue from some progressive corporate vendors and consider an unlikely ally in the hacker community: the grey hat hacker.

2014] THE GREY HAT HACKER 385

To the general public, “hacker” is a term synonymous with a member of the cyber criminal underground, but not all hacking is created equal. Indeed, the purpose, techniques, and intent of hackers differ greatly within the international hacking community. From political hacktivists, to the hacker posting software security flaws on a public forum, to the PayPal hackers selling personal information on the black market, people hack for a number of reasons. Within these various subgroups, hackers largely fall into three “shades” of hats recognized by the security industry: white hat, black hat, and grey hat.16 White hats are members of the security industry hired specifically to find security flaws, whereas black hats break into systems for no other reason than to commit a crime of some sort or to profit.17 Somewhere in between the two extremes is the grey hat hacker, operating on the fringe of civil and criminal liability to report security vulnerabilities.18 Although largely absent from the 21st century mainstream hacker narrative, grey hat hacking has been around since at least the mid-1990s.19 Collectively, “grey hats” form a sort of neighborhood watch in cyberspace, contributing an essential element of self-governance and consumer protection.20 Enlisting the assistance of technologically savvy individuals who are disproportionately exposed to risk may influence the safety of the Internet in ways that other legal solutions, primarily criminalizing certain behavior, cannot.21 Corporate vendors such as Google and PayPal have already begun tapping into this security resource by incentivizing reports of security flaws through bug bounty programs.22 However, this subgroup of the hacking community operates, regardless of participation in bug bounty programs, under exceedingly low thresholds for both criminal and civil liability.23

386 NORTHERN KENTUCKY LAW REVIEW [Vol. 41:3

The intersection between grey hat hacking activities and legal realities resurfaced in 2012 with the controversial and heavily publicized verdict in United States v. Auernheimer.24 Andrew “Weev” Auernheimer and Daniel Spitler, members of the “grey hat” group Goatse Security, disclosed through the Gawker website a vulnerability in AT&T’s website that exposed the data of over 100,000 iPad customers.25 The vulnerability would leak the e-mail address associated with any ICC-ID typed into the browser’s address bar.26 In other words, the ICC-ID alone selected the record: a request to an AT&T URL containing an iPad’s unique numerical identifier returned the account holder’s e-mail address, and no password, cookie, or login procedure was required, so anyone who supplied a valid identifier, not just the customer who owned it, could retrieve that customer’s private information. Nonetheless, the two were charged under the Computer Fraud and Abuse Act (“CFAA”) for “unauthorized access,” and the verdict was returned against them.27 The verdict has been heavily criticized by security professionals: it disincentivizes cyber security researchers from finding security flaws, which in turn makes the rest of us less safe on the Internet and frustrates the efforts of corporate bug bounty programs.28

This paper focuses not only on the current state of the law regarding grey hat hacking, but also on what a legal regime that recognizes grey hat hacking as a legitimate part of the security industry could and should be. Part I examines the history and motivations within the grey hat hacking community. Part II discusses the legal implications of recent interpretations of the CFAA for the grey hat hacking community, and Part III looks at recent corporate endeavors to incorporate grey hat hackers into their security regimes and whether doing so provides a feasible alternative to the status quo. Part IV looks ahead and proposes a Congressional response to resolve the inconsistencies between cyberspace realities and jurisprudence by updating the language of the CFAA and creating a safe harbor provision for the grey hat community. By establishing proper incentives and safe harbors for the grey hat hacker, private and public entities can take better advantage of the wealth of untapped talent and initiative behind much of the technological progress on the Internet.

4. See Chloe Albanesil, Did Anonymous Hack Sony’s PlayStation Network or Not?, PC MAG. (May 4, 2011, 5:15 PM), http://www.pcmag.com/article2/0,2817,2384919,00.asp; Agence France-Presse, Hacker group AntiSec declares ‘war’ on U.S. police, THE RAW STORY (Aug. 6, 2011, 6:15 PM), http://www.rawstory.com/rs/2011/08/06/hacker-group-antisec-declares-war-on-u-s-police/; Hao Li, Sony hacked again, LulzSec claims, INT’L BUS. TIMES (Jun. 2, 2011, 4:26 PM), http://www.ibtimes.com/sony-hacked-again-lulzsec-claims-287969; Kevin McCaney, AntiSec hackers expose data from 74 sheriff’s offices, GCN (Aug. 8, 2011), http://gcn.com/articles/2011/08/08/antisec-hack-74-sheriffs-data.aspx; Jason Schreier, Sony Hack Probe Uncovers ‘Anonymous’ Calling Card, WIRED (May 4, 2011, 2:08 PM), http://www.wired.com/gamelife/2011/05/sony-playstation-network-anonymous/. During 2011, media organizations were quick to label any hack as an attack by Anonymous. For example, the now infamous hack of the PlayStation Network was first attributed to Anonymous, but was really organized by LulzSec. Compare Schreier, supra note 4, with Albanesil, supra note 4, and Li, supra note 4. AntiSec, similarly, has been called a “wing” of Anonymous, although it has taken on its own hierarchy and separate hacking exploits. See McCaney, supra note 4; Ryan Gallagher, Anonymous splinter group AntiSec wages war on ‘profiteering gluttons,’ THE GUARDIAN (Feb. 27, 2012, 6:00 PM), http://www.theguardian.com/technology/2012/feb/27/anonymous-splinter-groupantisec-waging-war.
5. See Ian Freedman, National Cyber Security: FBI unveils Next Generation Cyber Initiative, EXAMINER (Nov. 2, 2012), http://www.examiner.com/article/national-cyber-security-fbi-unveilsnext-generation-cyber-initiative.
6. See FBI Director: Cybercrime will eclipse terrorism, CNN MONEY (Mar. 2, 2012, 7:55 AM), http://money.cnn.com/2012/03/02/technology/fbi_cybersecurity/index.htm (statement of FBI Director Robert Mueller) (“Terrorism does remain the FBI’s top priority, but in the not too-distant future we anticipate that the cyberthreat will pose the greatest threat to our country.”).
7. See HP Research: Cybercrime Costs Rise Nearly 40 Percent, Attack Frequency Doubles, HP NEWS (Oct. 8, 2012), http://www8.hp.com/us/en/hp-news/press-release.html?id=1303754#.UMp1cqwzSxY. The 2012 Cost of Cyber Crime Study by Hewlett-Packard “revealed a 42 percent increase in the number of cyberattacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.” Id.
8. Elizabeth A. Harris & Nicole Perlroth, For Target, the Breach Numbers Grow, N.Y. TIMES (Jan. 10, 2014), http://www.nytimes.com/2014/01/11/business/target-breach-affected-70-millioncustomers.html?hpw&rref=business&_r=1. Over eight years, hackers allegedly targeted 15 financial institutions, including JPMorgan Chase & Co., Citigroup Inc., and E-Trade, as part of a nearly two-year-long scheme to hack into customer accounts online to steal at least $15 million and 160 million credit and debit card numbers; see Daniel Beekman, Hackers hit companies like Nasdaq, 7-Eleven for $300 million, prosecutors say, N.Y. DAILY NEWS (July 26, 2013, 12:41 PM), http://www.nydailynews.com/news/national/russians-ukrainian-charged-largest-hacking-spree-u-shistory-article-1.1408948; see also Dave Paresh, Chase, Citigroup among bank reportedly hacking in $15-million heist, L.A. TIMES (June 13, 2013), http://articles.latimes.com/2013/jun/13/business/la-fi-mo-banks-allegedly-hacked-in-cyberheist-20130613; World’s Biggest Data Breaches, INFO. IS BEAUTIFUL, http://www.informationisbeautiful.net/visualizations/worlds-biggestdata-breaches-hacks/ (last updated Dec. 31, 2013). In 2013, over 70 million U.S. customers were affected by the Target breach and another 38 million in the Adobe hack. See Adobe Breach Impacted At Least 38 Million Users, KREBS ON SECURITY, http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/ (last updated Oct. 29, 2013, 9:26 PM); Harris & Perlroth, supra note 8.
9. Anjli Raval, FBI warns retailer of more cyber attacks, FIN. TIMES (Jan. 24, 2014, 12:14 AM), http://www.ft.com/intl/cms/s/0/e52517f8-8480-11e3-b72e-00144feab7de.html#axzz2xrKor42x. The Recent Cyber Intrusion Events Directed Toward Retail Firms report confirms that 20 hacking cases in 2013 involved the same kind of malicious software used against Target Corp.; Jim Finkle & Mark Hosenball, Exclusive: FBI warns retailers to expect more credit card breaches, REUTERS (Jan. 24, 2014, 12:53 AM), http://uk.reuters.com/article/2014/01/24/us-target-databreach-fbiidUKBREA0M1UF20140124. The report details the risks posed by “memory-parsing” malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles. Id.
10. Devlin Barrett, U.S. Outgunned in Hacker War, WALL ST. J. (Mar. 28, 2012, 10:31 AM), http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html.
11. Robert S. Mueller, III, Dir., Fed. Bureau of Investigation, Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies, Address at the 2012 RSA Cyber Security Conference (Mar. 1, 2012), available at http://www.fbi.gov/news/speeches/combating-threats-inthe-cyber-world-outsmarting-terrorists-hackers-and-spies.
12. See Anthony Wing Kosner, Target Breach Of 70 Million Customers’ Data Used Bargain Basement Malware, FORBES (Jan. 15, 2014, 11:44 PM), http://www.forbes.com/sites/anthonykosner/2014/01/15/blackpos-malware-used-in-target-attack-on-70-million-customersretails-for-1800/ (noting that the malware used in the Target breach, BlackPOS, is available on underground cyber crime forums for as low as $1,800).
13. Mueller, supra note 11.
14. See Tony Bradley, Cybercrime: A Recession-Proof Growth Industry, PC WORLD (Feb. 5, 2011, 8:44 PM), http://www.pcworld.com/article/218850/cybercrime_a_recession_proof_growth_industry.html.
15. Mueller, supra note 11.
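The AT&T lookup described in the discussion of United States v. Auernheimer above is an instance of a general flaw: a record is served on the strength of an identifier in the URL alone, with no authentication or ownership check. The following Python is an added illustration supplied by the editor, not AT&T's code and not part of the article. It places the vulnerable handler beside a hardened one and shows why the unauthenticated form permits bulk harvesting. The subscriber table, e-mail addresses, ICC-ID values and session mechanism are constructed for the example, and the assumption that identifiers sit in a contiguous block (so an attacker can simply count through them) is the editor's, not a claim the article makes.

```python
"""Editor-added illustration of the ICC-ID lookup flaw discussed in the text.

Not AT&T's code and not from the article. All subscriber data below is
constructed sample data; the contiguous ICC-ID values are an assumption made
so that the enumeration attack can be demonstrated offline.
"""

import secrets
from typing import Optional

# Constructed sample data: ICC-ID -> (account id, e-mail address).
SUBSCRIBERS = {
    "89014103211118510720": ("acct-1", "alice@example.com"),
    "89014103211118510721": ("acct-2", "bob@example.com"),
    "89014103211118510722": ("acct-3", "carol@example.com"),
}

# Server-side session store for the hardened handler: opaque token -> account id.
SESSIONS: dict = {}


def login(account_id: str) -> str:
    """Issue an unguessable session token bound to exactly one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def lookup_email_insecure(params: dict) -> Optional[str]:
    """The vulnerable pattern: the identifier in the query string is the only
    thing the server consults. Whoever supplies a valid ICC-ID receives the
    e-mail address; no password, cookie or login is involved."""
    record = SUBSCRIBERS.get(params.get("ICC-ID", ""))
    return record[1] if record else None


def lookup_email_hardened(params: dict, cookies: dict) -> Optional[str]:
    """The hardened pattern: authenticate the caller first, then authorize the
    object. The ICC-ID is honoured only when it belongs to the account behind
    the caller's session. An unknown ID and another customer's ID both yield
    None, so the endpoint does not confirm which identifiers exist."""
    account = SESSIONS.get(cookies.get("session", ""))
    if account is None:
        return None
    record = SUBSCRIBERS.get(params.get("ICC-ID", ""))
    if record is None or record[0] != account:
        return None
    return record[1]


def harvest(first_icc_id: int, count: int, lookup=lookup_email_insecure) -> list:
    """What an unauthenticated lookup permits: walk a block of identifiers and
    keep every address the server returns. The same walk against the hardened
    handler without a session collects nothing."""
    found = []
    for n in range(first_icc_id, first_icc_id + count):
        email = lookup({"ICC-ID": str(n)})
        if email is not None:
            found.append(email)
    return found


if __name__ == "__main__":
    print("insecure endpoint, walking 5 IDs:", harvest(89014103211118510720, 5))
    print("hardened endpoint, no session:",
          harvest(89014103211118510720, 5, lambda p: lookup_email_hardened(p, {})))
    token = login("acct-2")
    print("hardened endpoint, own ID with session:",
          lookup_email_hardened({"ICC-ID": "89014103211118510721"}, {"session": token}))
    print("hardened endpoint, someone else's ID with session:",
          lookup_email_hardened({"ICC-ID": "89014103211118510720"}, {"session": token}))
```

The design point is that the hardened handler never treats the ICC-ID as proof of identity: identity comes from the session, and the ICC-ID is then checked against what that identity owns. Returning the same `None` for "no such ID" and "not your ID" also keeps the endpoint from serving as an oracle for which identifiers are live, which is what makes the enumeration loop productive against the insecure version.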