The arrest of Marcus Hutchins, 23, by the FBI last month in Las Vegas has thrust information security researchers - and their tactics - into the legal limelight.
Hutchins, who uses the handle MalwareTech online, has been accused of developing the Kronos banking Trojan. He faces up to 40 years in prison if convicted of all charges filed against him.
In a move that might upset fans of nominative determinism, however, Hutchins denies all wrongdoing.
White Hats Operating in Gray Zones
For some cybersecurity researchers, Hutchins' arrest highlights the challenges they face when combatting cybercrime and the sometimes gray legal zones they may be forced to navigate.
To outsiders, for example, independent cybersecurity researchers who trade malware samples or infiltrate hacker forums to obtain samples of new types of attack code might appear to be employing tactics that only police or intelligence services should be allowed to use.
But that's not the way that cybersecurity works in the real world. In part, that's due to the relatively specialized expertise required to research and track online-enabled crime. But governments worldwide also continue to underspend on related resources for their law enforcement agencies, according to Dublin-based information security expert Brian Honan, who advises the EU's law enforcement agency Europol on cybersecurity matters.
As a result, when it comes to cracking down on online child sexual abuse, CEO fraud, online extremism and recruitment, as well as ransomware attacks and other malware campaigns, most takedowns today happen thanks to police forces working "in partnership with the private sector," Honan told me at the Infosecurity Europe conference in London.
That is a remarkable fact. "If you look at any of the major [cybercrime] takedowns that have been organized by police forces around the world, they've always had it done in partnership with the private sector," Honan says. "Now, can you think of any other area of policing - where they've investigated a murder, investigated rapes, investigated bombings, etc., [where] a private security firm is the key partner in doing that task?"
Hutchins, who works for a security firm based in Los Angeles, apparently spent much of his free time studying and helping to eradicate malware.
British security researcher Stuart Winter-Tear, for example, notes that the same Hutchins who was arrested by the FBI remains featured on the U.K. National Cyber Security Center's website as the "accidental hero" who stopped WannaCry, after he registered a nonsensical domain that he found in the code.
The NCSC, which is part of British intelligence agency GCHQ, functions as the country's computer emergency response team. According to a report published Sunday, GCHQ knew in advance that the FBI planned to arrest Hutchins (see Report: British Officials Knew of Marcus Hutchins Arrest).
But it's not clear if that single-sourced report holds water. For starters, GCHQ is an intelligence agency, and matters relating to arrests would have been more likely to have been routed to the government's Home Office - in charge of justice-related matters - or else the National Crime Agency, which is Britain's version of the FBI.
GCHQ declined to discuss Hutchins' arrest or the Sunday Times report. "This is a law enforcement matter and it would be inappropriate to comment further," an NCSC spokesman told me.
Fellow Researchers Signal Discontent
In the wake of Hutchins' arrest and the British government allegedly learning about it in advance, however, some private researchers have threatened to stop assisting authorities. They include Hutchins' friend and fellow British researcher, Kevin Beaumont, who tweets as GossiTheDog.
I'm not working with NCSC and U.K. Gov when they won't do anything when researchers get vanned in US on questionable grounds.— Kevin Beaumont (@GossiTheDog) August 5, 2017
Beyond the emotion, however, federal cybercrime cases have historically tended to be very tight. While the indictment against Hutchins is slim on details, federal prosecutors may still have substantial evidence to bring to bear.
Earlier this month, prosecutor Dan Cowhig said in federal court that Hutchins "admitted he was the author of the code of Kronos malware and indicated he sold it" after he was arrested by the FBI in Las Vegas. Neither Hutchins nor his attorney could be immediately reached for comment on those allegations.
But Hutchins has pleaded not guilty to all related charges, and his attorney, Marcia Hoffman, has told reporters that her client "will be fully vindicated."
Is Selling Malware a Crime?
From a legal standpoint, however, experts say the case raises interesting questions.
For example, attorney Orin Kerr, an expert on criminal procedure and computer crime law, responded to the indictment by asking: "Is it a crime to create and sell malware?" That is an actual, open question, and he argues that the government would have to prove Hutchins and his unnamed co-defendant sold the malware with an intent to do harm.
Legally speaking, however, it's also not clear that federal prosecutors have a right to bring charges against Hutchins, says attorney Alex Berengaut at Covington & Burling, who says that doing so may violate Hutchins' constitutional rights. In the words of the United States Court of Appeals for the Second Circuit, in a judgment cited by Berengaut, "there must be a sufficient nexus between the defendant and the United States."
No doubt, federal prosecutors will attempt to prove that such a nexus exists. It may even relate to the location of Hutchins' unnamed co-defendant.
As the case proceeds, however, one irony is that the evidence against Hutchins, as well as his potential exoneration, may both rely, at least in part, on the efforts of private information security researchers who have the skills necessary to unravel the inner workings of malware. And as underfunded law enforcement agencies seek to battle cybercrime, they would do well to manage their relationship with the private sector as carefully as possible.
August 24: This story has been updated with comment from attorney Marcia Hoffman.