As the Cybersecurity Information Sharing Act (CISA) is making its way through the Senate, it has stirred up more controversy with Senator Sheldon Whitehouse’s proposed amendment to the Computer Fraud and Abuse Act (CFAA), that he argues, would give law enforcement more tools to fight hackers. The Amendment would provide for increased sentences (up to 20 years) of those who harm computers connected to “critical infrastructure.”
For me personally, the timeline of events surrounding the discovery of Lenovo’s SuperFish malware is ironic. Just a couple of days before it was discovered, I had a telephone call with a friend named Jon Stanley. Jon is someone I consider to be an elder statesman of the CFAA as he has been digging deep into the law for a long time — much longer than I have — and our call was basically to chat about all things CFAA-related. (to get a glimpse of what it’s like to talk to Jon, check this out)
One of the things we talked about was our favorite CFAA opinions and Jon told me his was Shaw v. Toshiba, 91 F.Supp.2d 926 (E.D. Tx. 1999). I had skimmed the high points a few years back but never really taken the time to go through it slowly and enjoy it like a snifter of brandy, so after we hung up, I pulled it up and began reading.
I immediately turned to the point that Jon and I discussed which is where the court focused on the silliness of folks trying to argue the Computer Fraud and Abuse Act is a “hacking” law – ha, the court knocked it out of the park! “[T]his Court does not see a blanket exemption for manufacturers in Title 18 U.S.C. § 1030; nor does it see the term ‘hacking’ anywhere in this statute.” Id. at 936. I love that statement — I have never seen the term “hacking” in there either and, to hear people continue referring to it that way makes me wonder if they also refer to the mail and wire fraud statute as intending to keep the crooked city slickers from taking advantage of honest country folk. (seriously, see page 1)
How does this apply to the Lenovo SuperFish Malware?
So now you’re probably wondering where I’m going with this, right? And, what it has to do with the Lenovo SuperFish malware?
The issue in Shaw was whether a computer manufacturer’s sale of laptop computers containing devices with defective microcode that erroneously caused the corruption or destruction of data without notice was a violation of the CFAA, because the instructions given by the defective microcode were an unauthorized transmission. Toshiba argued several things but, most applicable here, that “Congress never intended for the CFAA to reach manufacturers; rather, the CFAA is geared toward criminalizing computer ‘hacking.'” In other words, Toshiba argued that, because it was a manufacturer that did all of its “stuff” before the computer was shipped and sold to Shaw, its activities were not prohibited by the CFAA. The Court disagreed with Toshiba’s narrow interpretation:
Perhaps. But it seems more plausible that Congress, grappling with technology that literally changes every day, drafted a statute capable of encompassing a wide range of computer activity designed to damage computer systems–from computer hacking to time bombs to defective microcode.
Brilliant. Ultimately, the Court denied Toshiba’s Motion for Summary Judgment and allowed the case to proceed.
The lawsuits against Lenovo have already started to drop and will surely continue coming. While I have not read the individual complaints, I’d say it’s a safe bet there are some CFAA claims in there — and if not, maybe they should give Shaw v. Toshiba a read (and not just for pleasure).
So, here’s a little test for you: if they do bring a CFAA claim, do they have to plead the $5,000 loss?
Hey Jon, by the way, thank you!
Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes across the United States and, through the Mackrell International Law Network, around the world.
Read my latest post on Norse’s DarkMatters: Will Changes to the CFAA Deter Hackers?
A plea deal has been entered in the case of US v. Salinas. Mr. Salinas’ legal team successfully negotiated an agreement that reduced a 44 felony count indictment down to a single misdemeanor count.
Tor Ekeland led Salinas’ legal team and did the heavy lifting on getting this deal done. I am honored that Tor invited me to be a part of the team as well; it was great to have the opportunity to work alongside such outstanding lawyers as Tor, Alma Garza, Meredith Heller, and the rest of the Team. Thanks Tor!
Read more about the details of the case on Tor’s website:
This morning, Fidel Salinas entered a guilty plea to one misdemeanor violation of the Computer Fraud and Abuse Act CFAA. When Tor Ekeland P.C. entered Mr. Salinas case on a pro bono basis he was facing a 44 felony count Indictment for various computer crimes. Tor Ekeland, working alongside Firm partner Meredith Heller and local counsel Alma Garza and Shawn Tuma sucessfully negotiated a resolution of Mr. Salinas’ Indictment down to a single misdemeanor count. Sentencing is scheduled for February 2, 2015 in the Southern District of Texas.
You really need to hear this podcast where we draw lines in the sand staking out what is — and what is not — security research.
The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.
Let us know what you think by tagging your comments with #DtR on Twitter!
I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!
This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was Philip Beyer (@pjbeyer).
Thank you Raf, James, Michael and Phil — this was a lot of fun!
“[T]here are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese” -FBI Director
The pervasive threat that cyber espionage poses to American business is not a new topic on this blog — we have been talking about it for a few years. But you do not have to take my word for it; there is a “higher authority” on the subject. No, not that high! But the Director of the FBI is pretty high.
Here is the transcript of what FBI Director James Comey had to say about the Chinese cyber espionage efforts. If you follow the link at the bottom, you can watch the video of his interview:
“What countries are attacking the United States as we sit here in cyberspace?”
“Well, I don’t want to give you a complete list. But the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry,” said FBI director Comey.
“What are they trying to get?”
“Information that’s useful to them so they don’t have to invent. They can copy or steal to learn about how a company might approach negotiations with a Chinese company, all manner of things,” said Comey.
“How many hits from China do we take in a day?”
“Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese,” said Comey.
“The Chinese are that good?”
“Actually,” the FBI director replied, “not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”