Note: this article was previously posted on Norse’s DarkMatters.
The problem with laws is that they are usually written by lawyers. The same could be said for proposed amendments to laws, such as those to the Computer Fraud and Abuse Act that President Obama proposed leading up to the 2015 State of the Union Address.
The root of this problem is that, many times, we lawyers get too focused on the details and never step back and see the bigger picture. I believe that is the case with the proposed changes to this law as it concerns improving cybersecurity by deterring outside hackers (i.e., non-privileged users).
This post will examine this issue by looking at the most likely big picture realities of this situation and not at the minutiae of the the President’s proposed changes (CFAA Proposal) to the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
The Two Primary Changes in the CFAA Proposal
The CFAA Proposal has several features that impact the CFAA but, in terms of changes to the statutory language, there are two major ones. First, it changes the statutory criminal punishments for various violations of the law and makes all outsider violations (i.e., accesses “without authorization”) a felony instead of starting as a misdemeanor and increasing to a felony with the enhancements.
Second, it adds language to the primarily insider (privileged users) violations provision (i.e., access that “exceeds authorized access”) to recognize the Intended Use Theory of access that represents the middle ground in the CFAA Circuit Split debate. The Intended Use Theory is what is followed most prominently by the United States Courts of Appeals for the Fifth and Eleventh Circuits.
Because this post focuses on the likely deterrent effect of the CFAA Proposal on outside hackers, and the proposed change to the “exceeds authorized access” provision is focused on insiders, this examination is limited to the changes in the punishments under the CFAA Proposal.
Changes in Statutory Punishments Will Probably Have Very Little Deterrence Effect on Outside Hackers
Practically speaking, whether the penalties are lowered or increased, they will probably not have a significant deterrent effect that would have any measurable impact on cybersecurity. People at the lower end of this spectrum, where we see these changes in the penalties taking place, usually are not the ones who are being pursued and prosecuted. There are several reasons.
1. The Authorities Do Not Have The Resources to Pursue Most of These Cases
The CFAA is a federal law and it is the Federal authorities who are charged with investigating and prosecuting these crimes, primarily the Secret Service, but the FBI does so as well.
The reality is, both the Secret Service and the FBI are too overwhelmed to be able to consistently devote time and resources to pursuing cases that fall below a certain level. In my own conversations with members of these agencies, they make it clear that there is not a set litmus test, but there are factors that they consider when deciding whether they will pursue a case:
- (1) Are the financial losses from the crime $1,000,000 or more?
- (2) Did the crime involve the public health and safety?
- (3) Did the crime involve national security?
- (4) Did the crime involve a segment of the nation’s critical infrastructure?
While this criteria may vary by jurisdiction, one can imagine it will not vary too much. If a case does not involve at least one of these elements, the reality is that it will not be pursued unless there is some other unique reason that gets their attention.
The punishment levels that the CFAA Proposal is focusing on are not at a level that will change this one way or another. Practically speaking, it seems the CFAA Proposal would have very little real world impact on cybersecurity.
2. Without Attribution, There is No CFAA Case
It is fairly rare for the authorities, much less private companies when seeking to pursue civil remedies, to be able to positively attribute outsider cyber attacks.
Pause for a moment and think about how many cyber attacks you hear about over the past year alone. Of those cyber attacks, how many do you recall ever being definitively attributed to any person or readily ascertainable organization.
The only one we really heard much about was the Sony attack which, though the government quickly attributed it to North Korea, it is still subject to debate.
In the law, you have to have a defendant to pursue a case. If you do not have a defendant that is ascertainable and identifiable, you do not have a case regardless of what the substantive law may or may not prohibit.
Practically speaking, unless the government can get a lot better at definitively attributing these cyber attacks to ascertainable people or organizations, these proposed changes will have very little real world impact on cybersecurity.
3. Without Getting the Cybercriminal Before a US Court, There is No CFAA Case
In those rare cases when a cyber attack can be definitively attributed, getting the perpetrator before the court to stand trial can be even more difficult. Consider the Sony hack and assume, for the sake of argument, that it was the government of North Korea that was responsible for the attack.
And, it could be definitively proven with clear and convincing evidence. In that case, North Korea violated the Computer Fraud and Abuse Act. So what? What if the United States Department of Justice decided to indict Kim Jong-un himself?
If the DOJ did, it would not be a first. In May 2014, the DOJ indicted 5 Officers of the Chinese People’s Liberation Army for an 8 year cyber espionage campaign of hacking into the computer systems of 6 United States companies to steal their trade secrets.
As of this writing, China has not turned over the officers to face trial in US courts. It does not appear that the indictment has had much effect. Consider the statement by FBI Director James Comey in October 2014: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
Looking beyond foreign governments, consider the other non state-sponsored groups that are well known for hacking US companies. Consider the organized groups in former Eastern Bloc states like Russia and the Ukraine, which have been associated with the Target and Home Depot data breaches.
Assuming one of those groups is responsible for the cyber attacks against those companies, they violated the Computer Fraud and Abuse Act. So what? They violated other laws. But, even if we could attribute it directly to a specific group and could identify the individuals who devised the strategy for the attack, who gave the order to carry out the attack, and who executed the attack, so what?
It is a rare case where those countries have extradited individuals to face trials in the United States courts for cyber crime type offenses. In fact, in one of the only cases where a cyber criminal from Russia will be brought to the US to face justice, it was only because the cybercriminal, Vladimir Drinkman, was apprehended in Amsterdam and a Dutch court ordered his extradition to the US.
Practically speaking, when the bad actors who are conducting these cyber attacks against the US and US companies are sponsored by foreign states — or are the foreign states themselves — these proposed changes will have very little real world impact on cybersecurity.
Similarly, when the bad actors are individuals or groups that are based in countries that gain financially from or harbor those who carry out these kinds of attacks, or countries that do not cooperate with extradition with the US, we will see little, if any, real world impact from these proposed changes.
When you factor in the law of supply and demand and compare the tremendous amount of money to be made in the cybercrime industry versus the likelihood of an outside hacker being identified, apprehended, and tried in a United States court under the Computer Fraud and Abuse Act, these proposed changes just do not appear to be that significant of a deterrent.
That is not to say that some of the proposed changes to the CFAA are not positive or something that I may favor on a more granular level.
When looking at the big picture, however, it does not follow that, by enacting these proposed changes, we will “better meet the evolving threat of cyber-attacks, combat identity theft … protect our children’s information, . . . . [strengthen the vulnerabilities to] our nation and our economy . . . . or protect the technologies that have unleashed untold opportunities for people around the globe.”
And, if it does not accomplish these things for which the President argued as support in the State of the Union Address, what is the objective?
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.