Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
-
Upload
andrea-nusi -
Category
Documents
-
view
218 -
download
0
Transcript of Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
1/23
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
2/23
Frequency and nature of CFAAprosecutions.
How DOJ makes CFAA charging dec
Sentencing under the CFAA.
Context intended to encouragelegitimate security research.Ob
jectives
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
3/23
Fed
eralism
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
4/23
C
omputerFra
ud&AbuseA
ct
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
5/23
Crimin
alCases
Investigation Prosecution Sente
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
6/23
Prosecution
Based on data from the Executive Officer of U.S. Attorneys Annual Statistical ReportFY 2014
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
7/23
ChargingCo
nsideration
s
Victim
ResultingHarm Sensitivityof Data
Deterrence
Harm to
National
Security &
Public
Safety
Prosecutors are directed to consider whether or not a substan
interest would be served by prosecution of a CFAA case in whic
evidence is expected to be sufficient to sustain a convict
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
8/23
Charging decisions for CFAA violat
are guided by DOJ prosecution poIn comparison to other federal criCFAA offenses are not chargedfrequently -- and prosecuting somengaged computer security reseaextraordinarily rare.
So
What?
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
9/23
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
10/23
Sen
tencing
Sentence
Max
Min
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
11/23
Sentence
Max
Min
Upward
Departure
Downward
DepartureSen
tencing
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
12/23
Sen
tencing
Federal
Sentencing
Guidelines
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
13/23
Sen
tencing
+ +
Seriousness
of Crime
Specific offense
Conduct
Adjustments
Criminal
History
6 categories
based on
criminal record.
Aggravating
orMitigating
Factors
Additional facts
increasing or
decreasing
seriousness.
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
14/23
Sen
tencing -
$50,000 Loss
18 U.S.C
(Inform
x 3
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
15/23
Sen
tencing -
$50,000 Loss
18 U.S.C
(Inform
x 3
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
16/23
Sentencing
+ +
Offense Level
Level 6
Offense
Characteristics
+ 6 ($50,000 loss)
+2 (access device)
+2 (sophisticated
means)
Adjustments -2 (Acceptance of
responsibility)
-1 (Timely notice)
Role in Offense
+2 (Organizer)
Defendants CriminalHistory
0 (Prior
misdemeanors)
Multiple Counts are
grouped, so the fact
that the hackhappened 3 times
does not result in
triple the sentence.
15 Final OffenseLevel = 18-24
Months
Upward/ Downward
Departure
Substantial
assistance
(reduction)
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
17/23
SentencingTrends
84
36
48
2
63
30
41
0
10
20
30
40
50
60
70
80
90
Securities Healthcare ID Theft Com
Average Guidelines Minimum and Average Sent
Average Guidelines Minimum Average Sentence
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
18/23
SentencingTrends
Since 200
sentences
1030 viol
routinely
the m
Guideline
that cimp
Category 1
50.6%
WithinGuidelines
Range
47.1 Below
Guidelines
Range
2.3% Above
Category 1
49.2%
WithinGuidelines
Range
49.3 Below
Guidelines
Range
1.5% Above
2012
All Federal
Cases
2012
Computer-
Related Cases
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
19/23
The average sentence for a CFAA
violation is about 23 months.Sentences for CFAA offenses routhave been below the minimum se
recommended by the Guidelines.So
What?
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
20/23
Does this mean concerns ab
chilling security research shbe disregarded?
So
What?
No.
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
21/23
Inve
stigation
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
22/23
Security
Researche
rs
z
Vulnerability
Scanning
MassScanning
Threats &
Disclosure
Critical
Infrastructure
Authorization
PII
-
7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA
23/23
BlackHat
SoundBytes
Computer security research isimportant we get it, really.
DOJ is not at war with researcher We are open toand have propo
amendments to the CFAA to avoicriminalizing trivial conduct.
Taking some common senseprecautions will go a long way toavoiding hassles with law enforce