The CFAA Has Come a Long Way, or Has It?

Presented at A New HOPE (2022), July 22, 2022, 7 p.m. (50 minutes)

On May 19th, for the first time in nearly a decade, the U.S. Department of Justice revised its guidelines for bringing charges under the Computer Fraud and Abuse Act (CFAA), instructing federal prosecutors to decline prosecutions if the conduct at issue involved "good faith security research." Under these new guidelines, accessing a computer "for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability," if carried out in a way designed to avoid harm to individuals and the public, would not be a criminal offense. On the books since 1986 - and enacted into law in direct response to the classic hacker flick *WarGames* - the U.S. Supreme Court and various lower courts have been continually shrinking the once-broad scope of the CFAA, and now DOJ itself has reconsidered the wisdom of its past practices. This talk will explore the contours of this new policy and how it affects the hacker community, including topics such as:   * Is this change too little too late, especially since it was an expansive use of prosecutorial discretion that lead to CFAA charges against Aaron Swartz in 2011 that tragically lead to him taking his own life in 2013?   * What was the driving force behind this radical policy shift?   * What binding effects do these guidelines have on U.S. Attorneys' Offices?   * What counts as "good faith security research?"   * What does *not* count as "good faith security research?"

Presenters:

  • Jay Kramer
    **Jay Kramer** is the managing director of the New York Office of the National Cyber-Forensics and Training Alliance and has served in several leadership roles at the Federal Bureau of Investigation as a special agent and attorney. Jay also served as the director of Cyber Resilience at Bristol Myers Squibb. Jay has responded to hundreds of cybersecurity and data privacy incidents including encryption/ransomware attacks and the loss of PII, PHI, or PCI.
  • Joel DeCapua
    **Joel DeCapua** is a supervisory special agent in the FBI’s Cyber Division. His day job consists of chasing a wide assortment of ransomware affiliates, money launderers, and online scammers. Joel enjoys spending his free time tinkering, researching, and sharing knowledge about network security - and writing terrible code.
  • Alexander Urbelis
    **Alexander Urbelis** is senior counsel for cybersecurity with Crowell LLP. Bridging the gap between legal and technical expertise, Alex is also the architect of an award-winning cyber threat intelligence platform designed to identify hallmarks of impending cyberattacks, cybersquatting, counterfeiting, and other malicious activities. Making international news in March 2020, Alex detected and helped to neutralize a state-sponsored intrusion attempt on the World Health Organization. For this and his additional work with DHS to identify pandemic-related fraud and misinformation, Alex was selected as a finalist for the Financial Times’ Innovative Lawyers Awards in 2020. His published works can be found within the Financial Times, CNN, the Philadelphia Inquirer, The Intercept, and 2600. Alex is a member of the technology advisory board of Human Rights First, the UL Security Council, the Uniform Law Commission Committee for the Study of Cybercrime, the Society of Professional Investigators, and you undoubtedly know him from Off The Hook.

Links:

Similar Presentations: