Part B Computer Misuse in America


Eoghan Casey

The Computer Fraud and Abuse Act (CFAA) was enacted in 1984 and was amended by the Computer Fraud and Abuse Act of 1986 (this act has been amended several times since). Unfortunately, the CFAA has not been very useful - it has only been used a few times since its enactment. Richard Morris is one of the few individuals to be prosecuted under the CFAA for releasing his infamous Internet worm.

CASE EXAMPLE (UNITED STATES v. MORRIS 1991):

In 1988, Robert Morris, a graduate student at Cornell University and the son of the National Computer Security Center's chief scientist, made history by creating and letting loose a computer program that replicated itself repeatedly on thousands of machines on the Internet. This program, called a worm, exploited vulnerabilities in a widely used operating system called BSD UNIX. Although this worm automatically broke into computers and made efforts to hide itself, it made no explicit attempt to steal from or damage the computers it infected. In essence, its only purpose was to break into as many computers as it could. Morris later claimed that he was simply experimenting, trying to add to his already formidable knowledge of computers. Unfortunately, the experiment went terribly wrong. The worm was so successful at replicating itself that it overloaded the Internet, bringing more than 6,000 installations to a grinding halt (Spafford 1989).

After a few days, the worm was eradicated, but the aftermath was even more dramatic than the event itself. The worm had demonstrated, more than any other single event, that the Internet was not secure and that trust alone was not sufficient protection against attack. Anger and fear overshadowed the trust that had made the Internet possible. People were out for blood, and Morris made history once again by being the first person to be convicted by jury under the Computer Fraud and Abuse Act (CFAA) of 1986 (two others had been convicted under the CFAA but not by a jury). He was required to pay the maximum allowable under the CFAA ($10,000), serve three years' probation, and contribute 400 hours of community service.

The CFAA was primarily designed to protect national security, financial, and commercial information, medical treatment, and interstate communication systems. The CFAA protects these systems against a wide range of malicious acts, including unauthorized access. In this statute, access to a computer is considered to be unauthorized if it is without permission, or it exceeds the permission originally granted. Therefore, authorized users can be liable under this statute if they do something that they were not permitted to do. In addition to addressing intrusion and damage, this statute prohibits denial of service attacks that cause a loss of $1,000 or more. Additionally, the CFAA allows any person who suffers a loss as a result of one of the actions covered by the Act to bring a civil action against the violator to obtain compensation.

An overview of this statute is provided in Table 3.1 with a summary of the most interesting portions.

Table 3.1: Summary of the Computer Fraud and Abuse Act of 1986.

| SECTION | SUMMARY | PENALTIES |
| --- | --- | --- |
| Section (a)(1) | Obtaining unauthorized access to information regarding national defense, foreign relations, and atomic energy. | A fine and/or up to 10 years imprisonment for a first offense and up to 20 years for subsequent offenses |
| Section (a)(2) | Obtaining unauthorized access to records from a financial institution, credit card issuer, or consumer-reporting agency. | A fine and/or up to 1 year imprisonment for a first offense and up to 10 years for subsequent offenses |
| Section (a)(3) | Interfering with government operations by obtaining unauthorized access to their computers or computers that they use. | A fine and/or up to 1 year imprisonment for a first offense and up to 10 years for subsequent offenses |
| Section (a)(4) | Obtaining unauthorized access to a Federal interest computer to commit fraud or theft unless the object of the fraud and the thing obtained consists only of the use of the computer. | A fine and/or up to 5 years imprisonment for a first offense and up to 10 years for subsequent offenses |
| Section (a)(5)(A) | "Whoever ... through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if the person causing the transmission intends that such transmission will damage, or cause damage to, a computer, computer system, network, information, data, or program; or withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data, or program" provided the access is unauthorized and causes loss or damage of $1,000 or more over a one year period or "modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals." | A fine and/or up to 5 years imprisonment for a first offense and up to 10 years for subsequent offenses |
| Section (a)(5)(B) | "Whoever ... through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system with reckless disregard of a substantial and unjustifiable risk that the transmission will damage, or cause damage to, a computer, computer system, network, information, data, or program; or withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data, or program" provided the access is unauthorized and causes loss or damage of $1,000 or more over a one year period or "modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals." | A fine and/or up to 1 year imprisonment |
| Section (a)(6) | Trafficking in passwords that affect interstate commerce or involve the password to a computer that is used by or for the US government | A fine and/or up to 1 year imprisonment for a first offense and up to 10 years for subsequent offenses |

A Federal interest computer is a computer used exclusively by a financial institution or the US Government; a computer used on a nonexclusive basis, where the conduct affects its use by the financial institution or government; or one of two or more computers used in committing the offense, not all of which are located in the same state.

It is worth noting that the CFAA is not designed to exclude other laws. Therefore, the CFAA can be used to bring additional charges against an individual for a single crime, as two members of a group called the Legion of Doom discovered.

CASE EXAMPLE (UNITED STATES v. RIGGS 1990):

start example

In 1988, Robert Riggs gained unauthorized access to the computer system of a telephone company named Bell South and downloaded information describing an enhanced 911 system for handling emergency services in municipalities (e.g. police, fire, and ambulance calls). Riggs then gave the materials to Craig Neidorf who published them in an online newsletter called PHRACK. Riggs and Neidorf were charged under three separate laws: the CFAA; a federal wire fraud statute; and a statute prohibiting interstate transportation of stolen property. The court specifically noted that the CFAA could be used in conjunction with other laws.

Riggs was convicted for breaking into the Bell South computer system. The charges against Neidorf were dropped after it transpired that the materials he published were not as private as Bell South had claimed - they were selling copies to anyone who requested them.

end example

Another noteworthy ruling involving the CFAA occurred when a recently dismissed bank employee named Bernadette Sablan was charged with damaging her employer's records [United States v. Sablan, 92 F.3d 865 (9th Cir. 1995)]. Sablan claimed to be drunk at the time and argued that she did not intend to do any damage. However, Sablan was convicted after the court determined that the CFAA only requires intent to gain unauthorized access to the computer and does not require intent to do damage.

All states except Vermont have additional computer crime statutes that extend the CFAA. These state statutes apply to all computers, not just government, financial, or communication systems. Also, many of these state statutes make it illegal to break into a computer (even if no damage is done), alter or destroy data (even if the damage is recoverable), steal services, deny another person access, or use the computer with intent to commit a variety of crimes. However, as with the CFAA, these state computer crime statutes are used infrequently. Because these laws are new and are often vaguely worded, it can be difficult to find attorneys who understand the issues and procedures. Also, few organizations (including law enforcement agencies) are willing to spend the time and resources necessary to investigate a computer crime when they are uncertain of the results.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
