Cyber CrimeFall 2015

Computer FRAUD statutes are hybrids between unauthorized access and fraud statutes18 USC 1030(a)(4)knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[all violations felonies, 5yrs max 1st offense, 10 years if a prior 1030 conviction]Similar to the federal wire fraud statute

18 USC 1343having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice

If this statute is a combination of:18 USC 1030(a)(2) and18 USC 1343 (wire fraud)What does (a)(4) do that these two statutes dont?The Senate Report accompanying (a)(4) has some clues

Concerned that computer usage extraneous to an intended fraud covered by (a)(4) if patterned after mail/wire fraud statuteJust using a computer to commit fraud isnt enough to trigger (a)(4) use of a computer must be more directly linked to the fraudWithout authorization or in excess of authorizationDistinguish between theft via computer and computer trespass

106 F.3d 1069 (1st Cir. 1997)Up front, appellate court says lower court should have acquitted Czubinski on all countsIRS employee who was accessing confidential tax return documents of all sorts of people for non-work problemsDA prosecuting his father, former political rival, romantic interest, his siblings business affiliatesHe knowingly disregarded IRS rules by observing confidential information he accessedWas evidently involved with the KKK, said at one point he may build some dossiers on people and accessed data on members of the David Duke presidential campaign

Didnt perform any unauthorized searches after 1992, wasnt charged/worked at IRS until 1995Was charged with a scheme:To build dossiers on KKK associatesTo seek info on the DA prosecuting his fatherTo perform opposition research on political rival

Court did not find the access unauthorized, cited the Congressional intent that he had been given access to the items by IRSAlso found no wire fraud (he was charged with that as well) because in their opinion, more or less, nothing of value was takenOpinion included language scolding prosecutors for bringing charges under the broad wire fraud statute, as well as admitting inflammatory evidence regarding Ds involvement with the KKK

Computer Damage Statutes

Focus on harm inflicted on computer ownerTwo typesThose focused on conduct that exceeds privileges to use a computerCombine unauthorized access with some minimal amount of harm/damage (usually in $$)Those focused on denial of privileges to other usersLook more towards deleting/damaging/altering or rendering inaccessible files or programsThe line between the two types is fuzzy (a lot of conduct does both), so many states combine the two

Most recently amended in 2008Three different offensesFirstknowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;Secondintentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

Thirdintentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

A lot of overlap between the 3, but:First is geared toward releasing code that causes damage, such as viruses, or DoS (denial of service) attacksThe authorization doesnt apply to the access, it applies to the damageSo, an employee may be authorized to test data, or perhaps encrypt it (which can be construed as destroying it)

Second and third are variations on unauthorized accessThere are two key differencesThe THIRD statute must caused both damage AND some amount of lossSecond difference is to mens reaSECOND statute requires recklessnessTHIRD statute imposes strict liability with respect to causing impairmentSo this third one punishes even accidental damage without authority. Congressional intent is to punish those who damage systems, even accidentally, when theyve intentionally trespassed in another computer system

Violations of (A), (B) or (C) become felonies if there is a prior 1030 convictionViolations of (A) or (B) are a misdemeanor unless one of SIX enhancements are added (which must be indicted and proved), which makes it a felony, even on the first offenseThese are all under Section 1030(c)(4)Violation of (A) causing serious injury, 20 year max felonyIf causes death knowingly or recklessly, life in prison See 1030(c)(4)(E), (F).

(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;(III) physical injury to any person;(IV) a threat to public health or safety;(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or(VI) damage affecting 10 or more protected computers during any 1-year period;

1) What is the methodology for calculating the $5,000 amount (most common felony aggravator)?2) What mens rea applies with respect to each of the final elements (including aggravators)?

Note: In two of our three cases, their outcomes actually modified the language of 1030(a)(5) to its current form.

Defendant was the PC administrator for Slip.net, an Internet service providerInstalled hardware/software and did tech support, had intimate system knowledgeWas unhappy with his job, quit, then started sending threatening e-mails to old bossD remained a paying customer at the ISP, used a Switch User program to take over secretarys Slip account

President found out and terminated the Ds legit account, but this didnt stop the DHe created new user accounts and accessed a primary billing computer, the Lemming

D changed admin passwords, altered the registry, deleted entire billing system, deleted two internal databasesCompany spent collectively about 154 hours repairing damage, bought new software, and hired a consultant for tech supportDefendant was convicted, 3 years probation, 180 days house arrest, $9,147 in fines, and appealed, focusing on the amount in controversy

Court first looks at Congresss intent, note damage threshold added in 1996 but dont believe its intent was to limit statuteD argues jury instruction could have confused jury into thinking the damage included costs for building a safer, more secure systemCourt says noD argues govt. failed to prove $5,000 damageTook hours spent times hourly rate plus software cost - $10,092Prior holding that hours times rate was acceptable calculation for these purposesCourt finds there was sufficient evidence, rejects Ds arg.

Look to 18 USC 1030(e)(11)(11) the term loss means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service

$20K for IBM contractors to investigate intrusion and verify dataUS v. Millot, 433 F.3d 1057 (8th Cir. 2006)$50,000 for expected lost profitsB&B Microscopes v. Armogida, 532 F. Supp.2d 744 (WD PA 2007)Executive travel expenses to GermanyNexans Wires SA v. Sark-USA, Inc., 319 F.Supp/2d 468 (SD NY 2004)

Carlson was an avid Philadelphia Phillies fan

Convicted of violating 1030(a)(5)

Began using Phillies online bulletin boards, turned into sending thousands of e-mails to addresses at the Phillies and sports writersFrom addresses not his own, such as Special Prosecutor@fbi.govE-mails titled Mariners didnt trade A-Rod and Sign JASON GIAMBISent THOUSANDS of spoofed e-mails from various addresses to the Phillies and othersJury found he intended to cause damage when sending those e-mails

At trial, Carlson admitted a flood of bad e-mails would impair ability to find/open good e-mails (but only a few minutes)He did not intend flooding spoofed senders account with auto-repliesCourt focused on his significant computer savvy, said consequences of his actions could be reasonably foreseen, upheld conviction

availability of dataFairly straightforward destruction of data, encrypting data, taking a computer offline (either directly or for repairs) DoS attacks, viruses, etc.integrity of dataComputer security industry focuses on 1) content and 2) source/authentication (bears on the accuracy and credibility of the information)Newspaper example paper prints correct story but attributes it to the wrong source the CONTENT is credible, but the SOURCE is incorrect

Sablan left a bar and went to her old job, a bank, where shed been firedUsed key shed kept to get inLogged into mainframe, changed several files, deleted others severely damaged filesAt trial, court rules that intentional element applied only to the access, not the damage

Court notes 1030(a)(5) is ambiguous as to its mens rea requirementComma after authorization doesnt resolve goes back to legislative intent (cites Morris)Intentional applies only to access elementCourt refuses to overturn Morris, rejects Sablans argument that the mens rea requirement applies to the damage element (as opposed to just the access) upholds conviction

Court also rejects argument that mens rea must be applied to all elements of a statute or be found un-ConstitutionalCase law says that scienter should apply to each statutory element which criminalizes otherwise innocent conductBut the CFAA here doesnt do that, you must have the wrongful intent element to be convicted under this statute (i.e., intentionally accessing a federal interest computer without authorization)