In United States v. Anastasio N. Laoutaris, 2018 WL 614943 (5th Cir. Jan. 29, 2018), the United States Fifth Circuit Court of Appeals affirmed a jury verdict finding Laoutaris guilty of two counts of computer intrusion causing damage, in violation of 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i) of the Computer Fraud and Abuse Act.
Laoutaris had been an IT engineer for Locke Lord LLP; following the termination of his employment, he accessed to the firm’s computer network and issued instructions and commands that caused significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts. This post-termination access was without authorization. He was ordered to pay restitution in the amount of $1,697,800 and sentenced to 115 months’ imprisonment.
On appeal, Laoutaris argued that “the evidence at trial was insufficient to support the jury’s verdict for both counts of conviction because there was no proof he was the person who accessed Locke’s network and caused the damage that occurred on the relevant dates.” Further, Laoutaris had an expert testify that the attacks came from China.
The Fifth Circuit disagreed and found “[t]he evidence at trial shows a rational jury could have found each essential element for the § 1030(a)(5)(A) offenses charged against Laoutaris, who elected to testify. Contrary to his assertions, there was ample circumstantial evidence identifying him as the perpetrator of these offenses.”
The government’s brief indicates that the following evidence was admitted on this issue, beginning at page 6:
At trial, the government presented a substantial volume of circumstantial evidence identifying Laoutaris as the intruder. Logs created by the servers on the Locke Lord network showed that the intruder on December 1 and December 5 connected to the network using LogMeIn, which was installed on the HOBK01 backup server in Houston, and accessed the network using the credentials of a Windows “master services account” called svc_gn and its associated password. (ROA.1463-1515, 2835-47.) The IP address of the intruder on December 1 and December 5 was 18.104.22.168. (ROA.2768, 2835.)
That IP address was assigned to The Planet. (ROA.1077-79.) Laoutaris was an employee of The Planet at the time. (ROA.1068-70; see also ROA.2635-83.) Kelly Hurst, Laoutaris’s supervisor at The Planet, testified that the IP address was The Planet’s public wireless network at the Houston corporate office, which employees would be able to use while working out of The Planet’s corporate office. (ROA.1077-78.)
*7 Laoutaris was also associated with the LogMeIn software running on the Houston backup server. The software program was installed by a person who identified his email address as “email@example.com.” (ROA.1304-07, 2848.) Records from Microsoft established that the account was created by “A.N. Laoutaris.” (ROA.2587.) Further, several Locke Lord employees testified that “firstname.lastname@example.org” was an email address they knew to be associated with Laoutaris. (ROA.1306.) Additionally, Laoutaris’s personnel file included his resume, where he used the email address, and an email he sent on his last day providing email@example.com as his forwarding email address. (ROA.2550.) Even after he quit, Laoutaris used that email address to send a message to a former colleague at Locke Lord making disparaging comments about the firm and his former supervisor. (ROA.2559-60.) Laoutaris continued using the email address as recently as July 2014, after he was indicted. (ROA.2681.)
The government also presented evidence establishing that Laoutaris had the password for the “svc_gn” account. The “svc_gn” account was the “master of all masters” account that had “no limits” on what it could do within the Locke Lord network. (ROA.1147.) IT engineers at Locke Lord explained that all of the engineers would from time to time use the “svc_gn” account when performing various tasks on the network and that all the *8 engineers had the password. (ROA.1147.) The jury heard evidence that Laoutaris asked for, and received, the password for the “svc_gn” account shortly before quitting the law firm. On August 10, 2011, a few days before Laoutaris quit, he requested the password from Michael Ger and Stan Guzic, two of the other IT engineers at Locke Lord. (ROA.2556-57.) Guzic testified that Laoutaris “constantly asked us for the password” and thus “to help him remember it, we used his name within the password itself” – specifically, “4nick8.” (ROA.1151.)
Not only was Laoutaris specifically tied to the December 1 and December 5 attacks, the government presented evidence tying him to at least 12 unauthorized intrusions into the Locke Lord network through LogMeIn. (ROA.2703-16, 2746, 2756, 2758, 2760, 2762, 2764, 2766, 2768, 2835, 2849.) Each of those intrusions originated from an IP address that was tied back to Laoutaris – either his home or his place of employment. (ROA.2703-16.)
The government’s brief also provides an excellent example of how to calculate a loss in a case such as this, beginning at page 12.
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.
Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?
The CFAA has become a national lightening rod with many loving it, many hating it, and far too many loving it and hating it at the same time, without even realizing it. Before we go any further, however, consider this quote:
The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.
Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?
I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.
Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?
What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?
A federal judge sentenced David Kent to a year and a day in prison and ordered him to pay $3.3 million in restitution and pay a $20,000 fine for accessing the computer network of Rigzone.com, an industry-specific networking website. Kent founded Rigzone.com, sold it for $51 million, and after the sale accessed the company’s network to obtain information to use for launching a competitor to Rigzone.com. The Complaint describes how Kent was able to do this by exploiting a source code vulnerability that he knew of from the original creation of the website. This is a big no-no. Under the Computer Fraud and Abuse Act, this type of unauthorized access is considered hacking just as if the Russians did it with super-secret James Bond-like gadgets and gizmos.
USA v. Kent, 1:16-cr-00385, U.S. District Court for the Southern District of New York
There has been a lot of buzz this past week about protesters indicating they plan to protest President-Elect Trump’s inauguration by launching a DDoS attack on the White House website. This plan has received some high-profile publicity by articles in magazines such as Forbes and PC World.
This post looked at the Sixth Circuit Court of Appeals case of Pulte Homes, Inc. v. Laborers’ Intern. Union of North America, 648 F.3d 295 (6th Cir. 2011), a case that did not deal directly with a DDoS attack but did deal with a labor union’s concerted email and telephone “attack” on a company of such a volume that it disrupted the company’s ability to do business. The Pulte Court held that such activity violated the Computer Fraud and Abuse Act (CFAA). Read more about the Pulte Court’s analysis here.
Applying the Pulte Court’s principle that a transmission that weakens a sound computer system–-or, by analogy, that diminishes the ability to use data or a system–-causes damage, the Pulte opinion and the cases it cites do support the proposition that it is a violation of the Computer Fraud and Abuse Act to DDoS a website.
So, if you try to DDoS the White House’s website in protest of Donald Trump becoming President of the United States, you will violate the federal Computer Fraud and Abuse Act and there is a decent chance that President Trump’s Department of Justice will then be coming after you. Now you know.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.