The great irony of defending the world against malware is it requires security researchers to, well, mess with malware. This often leads them into gray areas, where something they might consider legitimate investigation or essential software development could, in the eyes of the law, be seen as criminal behavior.
This conundrum roiled the security community this week when the FBI arrested British security researcher Marcus Hutchins as he left the DefCon security conference in Las Vegas. The 22-year-old played a key role in shutting down the devastating WannaCry attack in May when he found a flaw in the ransomware that slowed its spread. But the Justice Department alleges that this white-hat hacker dabbled in more malicious endeavors three years ago, when, authorities say, he created a banking trojan called Kronos and conspired to sell it to criminals.
Many details of the case against Hutchins—who goes by the monikers MalwareTech and MalwareTechBlog—remain unknown, and it would not be the first time an upstanding hacker dabbled in criminal activity. But security experts who have read the federal indictment and those familiar with Hutchins’ work expressed skepticism at the suggestion that he intentionally created and distributed a malicious tool. Many security researchers consider the case a stark reminder that those who do not understand the nature or context of their work might question their intentions.
“Security researchers live in fear their contributions will be misinterpreted by the FBI [or] prosecutors,” says Robert Graham, an analyst with the cybersecurity firm Erratasec. “It’s perfectly reasonable to suppose that Hutchins is indeed the author of Kronos, and guilty of whatever they say. At the same time, it’s also reasonable to believe he isn’t. We already have similar cases of people going to jail for a long time because they happened to write code that was later used by evildoers. It concerns people like me, because frequently some of the code I write ends up in viruses.”
Often security researchers break or compromise the defenses of a computer, network, or other system to prove such an intrusion is possible, and find a way of addressing the vulnerability before criminals exploit it. Malware researchers in particular tend to examine and map criminal communities to better understand trends and potential attacks. This often requires working under a pseudonym, all of which can seem suspect to outsiders who might question why a researcher is hanging out on dark web forums or adapting and sharing malware samples. Similarly, writing software to expose security flaws helps organizations bolster their defenses, but can sometimes fuel criminal activity if the code inspires so-called black-hat hackers or finds its way into malicious tools.
“I have stayed further away from things I was not legally certain about—it has people nervous,” says Will Strafach, the CEO of mobile security company Sudo Security Group. “For threat intelligence, it is considered normal to try getting data from malicious servers however possible. Another thing some folks do is create personas in sketchy forums or chats, not actually engaging in activity, but trying to monitor developments to stay on the bleeding edge of things.”
In one prominent case from 2009, software developer Stephen Watt, who was 25 and working at Morgan Stanley at the time, wrote a packet-sniffing program (software that intercepts and records network traffic) at a friend’s request. Although such a tool can be used legitimately, like to help a system administrator keep tabs on a corporate network, friends of Watt used this one to steal millions of credit card numbers from the payment system of the discount department store chain TJX. Though he wasn’t directly part of the scam, Watt spent two years in jail because he built the tool and prosecutors presented evidence that he knew how it was being used.
Some lawmakers and regulators hope to protect security analysts who research, develop, and share tools across borders. The Wassenaar Arrangement, a voluntary agreement between 41 countries (including the US) that sets standards and licensing expectations for weapons export, specifically nods toward “intrusion software.” But many security experts worry that vague language within the agreement could do more to hinder than support international digital defense research.
Such ambiguity complicates daily security work. In July 2014, around the time the DoJ alleges that Hutchins developed Kronos, he tweeted, “Anyone got a kronos sample?” A few months before that he published a blog post titled, “Coding Malware for Fun and Not for Profit (Because that would be illegal),” about a different malware analysis project. He wrote, “A while ago some of you may remember me saying that I was so bored of there being no decent malware to reverse, that I might as well write some. Well, I decided to give it a go and I’ve spent some of my free time developing a Windows XP 32-bit bootkit. Now, before you get on the phone to your friendly neighborhood FBI agent, I’d like to make clear a few thing: The bootkit is written as a proof of concept, it would be very difficult to weaponize, and there is no weaponized version to fall into the hands of criminals.” Regardless of whether or not Hutchins built and marketed an illegal banking trojan a few months later, he clearly was wary of law enforcement scrutiny and the risks of malware research.
Security experts worry that fear of running afoul of the law will prevent researchers from pursuing important defense work. “This would definitely have a chilling effect,” says Chris Wysopal, the CTO of Veracode, a firm that audits software. “If there are some areas that are off limits to security research that would be bad because really a large part of it is trying to bypass security mechanisms and show that they can be bypassed. There are just so many things a malware researcher might do legitimately that might get them involved with a piece of malware. It’s fuzzy where the line is drawn.”
For now, the security community is watching the Hutchins case closely to see what message it sends about just where that line lies.