Dark day when we put bug hunters in the dock
The mainstream technology news over the last few days has been filled with reports that Marcus Hutchins has been arrested by the FBI. For those who don’t know Marcus, he’s the British techie who helped thwart the WannaCry assault on the NHS, writes Ron Austin, Associate Professor of Computing and Digital Technology at Birmingham City University.
As well as an IT generalist and enthusiast, Marcus is an independent security researcher and if you don’t credit him for stopping the attack on the NHS, he did at least limit the impact by finding the kill switch within the code.
So why does the FBI believe he is a hacker and what are the charges against Marcus Hutchins? The FBI case is based on the Kronos banking Trojan, which collects bank account passwords and user details. He is being accused of creating and selling this code. It should be noted that the charges do not state he has used the code to gain from it by attacking anyone.
This has shocked the cybersecurity community as research into vulnerabilities is a critical part of the process of finding vulnerabilities, with many companies offering ‘bug bounties’ for finding issues with their programmes.
This case raises a number of issues between where the cybersecurity community is and where the law is, in relation to researching and stopping attacks. If this case progresses then the danger becomes that researching and reporting will stop, and the ‘bad guys/girls’ have more opportunity to gain access to the network and end systems.
Ethical hacking and bug hunting are required to keep the public safe. If we are to start legal proceedings for researchers, then it’s a dark day for the industry. Being able to share information and code in good faith by helping other researchers is important for everyone.
And I’m not a lawyer, but I believe the problem this case has, is in proving who has written the code. Software is complicated and requires a team approach; the case will therefore require the FBI to prove that Marcus has written the programme and intended to use it for material gain.
The indictment has not provided many details and this may come out later if and when it proceeds to trial. However, from what has been released at this time it seems to be an odd case of a researcher being between a rock and a hard place or; as they also say -- no good deed goes unpunished.