The rift caused by the arrest of Marcus Hutchins has only gotten wider among the cyber security community. Since Hutchins’ arrest on August 2nd, shortly after attending the 2017 Black Hat security conference, there has been ongoing support for him from the cyber security community. However, this has created tension between cyber security experts and intelligence agencies in the United States and now in the UK. Hutchins was arrested for allegedly aiding in the creation and distribution of the malware known as Kronos. The maximum amount of time Hutchins can face for these charges is about 40 years.
Prosecutors have claimed that Hutchins, in 2014, wrote the code for Kronos and helped an unidentified co-defendant distribute and sell the malware. U.S. Attorney Michael Chmelar stated that Hutchins admitted, “that he was the author of the code that became the Kronos malware” in initial discussions with the FBI. On Monday, August 14, Hutchins pleaded not guilty to all six charges against him. He is out on bail but with a few conditions, including GPS tracking and internet access with limitations against the “sinkhole” he used to stop the WannaCry outbreak. Hutchins joked on his Twitter account: “Based on my current data set if I go into an airport lounge I have a 1 in 4 chance of being arrested by the FBI.”
Marcus Hutchins became something of a celebrity when he helped to stop the WannaCry outbreak. He even stopped the subsequent DDoS attack that the WannaCry hackers attempted to launch. For his actions in the UK, Hutchins gained some fame among the cyber security community. To an extent, though, his name would have faded into obscurity without the irony of a cyber security hero turned criminal hacker. Depending on the outcome of this case, Marcus Hutchins may become a full martyr.
What has recently added to the tension between cyber security experts and intelligence agencies is that GCHQ, Britain’s spy agency, knew well in advance about the FBI’s intent to arrest Marcus Hutchins. Spy chiefs knew that Hutchins was being watched by the US but decided not to intervene in the hopes of avoiding the “headache of an extradition battle,” the Times reported, citing a closed source. The source stated more specifically: “Hutchins’ arrest frees the British government and intelligence agencies from yet another headache of an extradition battle.”
The precedent that this case can set is a dangerous one. If Hutchins is convicted for contributing to the code for Kronos, then it means that the act of writing software can now be criminalized in the United States, and other countries could follow if this happens. In this case, prosecutors are having to prove intent to distribute or sell the malware, or else they risk pushing cyber security experts to the margins. A common practice among cyber security researchers is to pose on the darknet as criminals with malicious intent in an effort to gain the trust of malicious actors. To the unknowing observer, defining a difference in behavior between a criminal and a cyber security expert would be tough, maybe impossible.
For the cyber security community, this means that their work can be disrupted, and there may now be trust issues, since cyber security experts can’t trust intelligence agencies not to arrest them for doing their work. One notable cyber security expert, Kevin Beaumont, has already sworn not to share cyber intelligence with the UK government until the Hutchins case has a favorable resolution for cyber security. Specifically, Beaumont has stated: “I’m withdrawing from dealing with the NCSC and sharing all threat intelligence data and new techniques until this situation is resolved. This includes through Cyber Security Information Sharing Partnership. Many of us in the cyber security community openly and privately share information about new methods of attacks to ensure the security for all, and I don’t wish to place myself in danger.”
The sentiment Beaumont expresses throughout his blog post is one shared by many in the cyber security community. Hutchins’ arrest and trial will be a defining moment that may make or break very necessary relationships between people and their governments.