US Offers Bounty for Tips on State-Sponsored Cybercrime

Last week, the Biden administration announced a ‘new’ Rewards for Justice program offering up to $10 million USD for information relating to those who create and perpetuate ransomware attacks against U.S. infrastructure. The program, administered by the United States Department of State’s Diplomatic Security Service (DSS), promises a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

The State Department program was originally created in 1984 as an anti-terrorist program under the 1984 Act to Combat International Terrorism and was designed to reward those who provided information about international terrorism and to prevent acts of international terrorism against U.S. persons or property. It was designed to incentivize not only the arrest and conviction of foreign terrorists but also information that could be used to prevent or disrupt terrorist activities in the United States or against U.S. interests. The Biden administration has expanded the program’s scope to add cyberattacks by foreign nations against U.S. infrastructure.

One of the problems with the program is that, after providing information to the State Department, whether or not you get paid is completely up to the unfettered discretion of the Secretary of State. Karr v. Kerry, No. 1:14-CV-02099, 2014 WL 7139660, at *1 (D.D.C. Dec. 5, 2014). Thus, if you stick your neck out and cooperate with the State Department, you might get zilch.

The Rewards for Justice Program is administered by the Department of State, and the Secretary of State has “the sole discretion” to pay a reward, subject only to consultation with the Attorney General. 22 U.S.C. § 2708(b). The Secretary’s decision is “final and conclusive and shall not be subject to judicial review.” Id., § 2708(j); see Heard v. U.S. Dep’t of State, No. 08–02123, 2010 WL 3700184, at *3–4 (D.D.C. Sept. 17, 2010) (dismissing rewards program claim for want of subject matter jurisdiction). Plaintiff “acknowledges that the prosecution of a Rewards for Justice claim does not provide for judicial review[.] . . . the administration of the Rewards Program lies within the ‘sole discretion’ of the Secretary of State, subject only to consultation with the Attorney General.” Heard v. U.S. Dep’t of State, No. 08–02123(RBW), 2010 WL 3700184, at *4 (D.D.C. Sept. 17, 2010) (citing 22 U.S.C. § 2708(b)). Sorg v. Rewards for Just., No. 2:13-CV-1068-RJS-EJF, 2014 WL 1758066, at *3 (D. Utah Apr. 30, 2014).

Since the reward lies entirely within the discretion of the State Department, that discretion is unreviewable, and there are no guidelines for granting or denying it, those participating in the program would be best served by meeting in advance with representatives of the Diplomatic Security Service (DSS) and setting out specific guidelines and tasks; that is, entering into some sort of “agreement” that if you do X, then you will be paid Y at a particular date and time.

Remember, the program was designed for “terrorist tips” and not as a conduit for cybersecurity professionals and threat intelligence companies to be paid for their work. It was never intended to act in lieu of a contract for threat intelligence services.

Foreigner

One of the restrictions on the program is that it is limited by its terms to finding “state actors.” That is, persons or groups that are “acting at the direction or under the control of a foreign government.” So, catching or thwarting Russian or Chinese hackers won’t cut the mustard unless you can show (or the State Department concedes) that these hackers were “acting at the direction or under the control” of their respective governments. The fact that the foreign government merely “looks the other way” or tacitly permits or acquiesces in the activity may not be sufficient.

In addition, the “foreign government” which is alleged to have violated the U.S. Computer Fraud and Abuse Act need not be a “hostile” or “adversarial” government. The bounty program works as much for Russia, China and Iran as it does for Canada, the UK and Australia. Just don’t expect too much of a bounty when you find that the RCMP has exceeded the scope of its authorization to access some computer in Vancouver, Washington. And with recent reports of Israeli spyware infecting Apple products, and the Indian government using spyware to spy on journalists, we might expect the State Department to be willing to “look the other way” at some violations of the CFAA while focusing more attention on things like Chinese hacking of Microsoft’s Outlook program. Not all state-sponsored hacking is equal.

No Immunity

The program, as an anti-terrorist program, is intended to be a “tips” program—you give DSS info, and if they find it valuable, they give you money. But there’s risk to you—and not only that you might not get paid. If you break the law in getting the information that you give to the State Department—by obtaining information through fraud or deceit, by “exceeding the scope of authorization” to access a computer or computer database or through any other “unlawful” means, the State Department (and the Justice Department) is not liable for your actions, since you are not an “agent” of the government (more on this shortly).

Under what is called the “foreign silver platter” doctrine, if you hand something to the government—even if it is obtained lawfully—they can use it for prosecution or for other purposes. But if you hand the government stuff you got in violation of the law, your “reward” may be a federal indictment.

There’s nothing in the program which immunizes the tipster against consequences for crimes committed. In fact, the State Department can also turn you over to a foreign government for prosecution for violation of that country’s laws or regulations. So, hacking into a Chinese Ministry of State Security (MSS) database to find threats may subject you to prosecution under Article 27 of the Cybersecurity Law of the People’s Republic of China. And reporting your actions to the State Department may mean that you are put in handcuffs and thrown on the next plane to Beijing. Not likely, but possible. This comes under the broad category of “no good deed goes unpunished.”

Remember how I wrote that you should get something in writing about whether you will get paid for work that you intend to perform? The problem with that is that a court may conclude that your work then becomes work done as an “agent” of the government, essentially imposing the restrictions contained in the Fourth Amendment (and other speech and privacy regulations) on your actions as a “state actor.” But if you don’t get your expectations down in writing, then there’s a good chance that you won’t get paid for the work. Best advice: know what is legal and what is not, and don’t cross the line in your participation in the program. Generally, not breaking the law is good advice.

Navigating the Program

Remember that the purpose of the program is to find people and to find threats. Part of the purpose is also to prevent attacks. In applying for funds under the program, the best bet is to pair your activities to these stated goals of the State Department. The State Department has also established a Tor-based method of communicating with them (Tor browser required); but again, you remain at their mercy. I mean, “their discretion.” It appears that DSS will permit anonymous contact and will make payment using cryptocurrency.

Finally, remember that any funds you receive under the program are probably taxable. Wouldn’t want to get hung up on taxes like Al Capone. The program does not appear to have a specific point of contact or the name of a person you can talk to. In addition to the Tor node, the State Department does have a convenient toll-free number for reporting terrorist and cybercrime activities: 1-800-877-3927 (1-800-USREWARDS). Remember to press “1” for English.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.