If you have been following the technology news over the last few days it has been filled with reports that Marcus Hutchins has been arrested by the FBI. For those that don’t know who Marcus is, you may remember the WannaCry attacks on the NHS last month. Marcus is a security researcher and was credited for stopping the attack on the NHS (or at least limiting the impact by finding the kill switch within the code).
So, the question is why does the FBI believe Marcus is a hacker and what are the charges against Marcus Hutchins? The FBI case is based on the Kronos banking Trojan, which collects bank account passwords and user details. He is being accused of creating and selling this code. It should be noted that the charges do not state he has used the code to gain from it by attacking anyone.
This has shocked the cybersecurity community as research in to vulnerabilities is a critical part of the process of finding vulnerabilities, with many companies offering ‘bug bounties’ for finding issues with their programmes.
This case raises a number of issues between where the cybersecurity community is and where the law is in relation to researching and stopping attacks. If this case progresses then the danger becomes researching and reporting will stop, and the ‘bad guys/girls’ have more opportunity to gain access to the network and end systems.
Ethical hacking and bug hunting are required to keep the public safe. If we are to start legal proceedings for researchers, then it’s a dark day for the industry. Being able to share information and code in good faith by helping other researchers is important for everyone.
I’m not a lawyer, however I believe the problem with this case has is in proving who has written the code. Software is complicated and requires a team approach; the case will therefore require the FBI to prove that he has written the programme and intended to use it for material gain.
The indictment has not provided many details and this may come out later if and when it proceeds to trial. However from what has been released at this time it seems to be an odd case of a researcher being between a rock and a hard place, or as they say, no good deed goes unpunished.
Ron Austin, Associate Professor, School of Computing and Digital Technology, Birmingham City University, UK