The National Information Infrastructure Protection Act of 1996 was enacted as part of Public Law 104–294. It amended the Computer Fraud and Abuse Act, which is codified at 18 U.S.C. § 1030. The United States, in a single statute, continues to address the core issues driving computer and information security at both domestic and international levels; that is, protecting the confidentiality, integrity, and availability of data and systems. These three themes provide the foundation for the Organization for Economic Cooperation and Development's (OECD) 'Guidelines for the Security of Information Systems'.
By patterning the amended Computer Fraud and Abuse Act on the OECD guidelines, the U.S. sets out how information technology crimes are to be addressed--simultaneously protecting the confidentiality, integrity, and availability of data and systems. In most cases, a single point of reference--the Computer Fraud and Abuse Act, 18 U.S.C. § 1030--is provided for investigators, prosecutors, and legislators as they attempt to determine whether a particular abuse of new technology is covered under federal criminal law.
Section 1030(a)(1) would require proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information or restricted data, and subsequently performed some unauthorized communication or other improper act. In this sense, then, it is the use of the computer which is being proscribed, not the unauthorized possession of, control over, or subsequent transmission of the information itself. However, a person who deliberately breaks into a computer for the purpose of obtaining properly classified or restricted information, or attempts to do so, should be subject to criminal prosecution for this conduct.
Subsection (a)(2) is, in the truest sense, a provision designed to protect the confidentiality of computer data. Subsection 1030(a)(2) is designed to ensure that it is punishable to misuse computers to obtain government information and, where appropriate, information held by the private sector. The provision has also been restructured to differentiate various aspects of protecting different types of information, thus allowing easy additions or modifications to offenses if these aspects need to be addressed again.
Not all computer misuse warrants federal criminal sanctions. The challenge is that there is no single definitive clause that can accurately segregate important from unimportant information, and any legislation may therefore be under- or over-inclusive. For example, a frequent test for determining the appropriateness of federal jurisdiction--a monetary amount--does not work well when protecting information. The theft from a computer of a trial plan in a sensitive case (as in the case of the paralegal sentenced for theft of a litigation trial plan) or the copying of credit reports might not meet such a monetary threshold, but clearly such information should be protected. Therefore, the act of taking all of this kind of information is now criminalized.
However, it is important to remember that the elements of the offense include not just taking the information, but abusing one's computer authorization to do so. For instance, during Operation Desert Storm, it was widely reported that hackers accessed sensitive but unclassified data regarding personnel performance reports, weapons development information, and logistics information regarding the movement of equipment and personnel. Subsection 1030(a)(2)(C) is designed to protect against the interstate or foreign theft of information by computer. Such a provision is necessary because, in an electronic environment, information can be "stolen" without transportation, and the original usually remains intact.
Section 1030(a)(3) protects the computer from outsiders, even if the outsider obtains no information. Thus, an intruder who violates the integrity of a government machine to gain network access is nonetheless liable for trespass even when he has not jeopardized the confidentiality of data. Section 1030(a)(2), on the other hand, protects the confidentiality of data, even from intentional misuse by insiders. Additionally, although a first violation of § 1030(a)(3) is always a misdemeanor, a § 1030(a)(2) violation may constitute a felony if the information taken is valuable or sufficiently misused.
When a computer is used for the government, the government is not necessarily the operator. The term 'non-public' is intended to reflect the growing use of the Internet by government agencies and, in particular, the establishment of World Wide Web home pages and other public services. This makes it perfectly clear that a person who has no authority to access any non-public computer of a department or agency may be convicted under (a)(3) even though permitted to access publicly available computers.
Subsection 1030(a)(4) ensures that felony-level sanctions apply when unauthorized use of the computer (or use exceeding authorization) is significant. Hackers, for example, have broken into Cray supercomputers for the purpose of running password cracking programs, sometimes amassing computer time worth far in excess of $5,000. In light of the large expense to the victim caused by some of these trespassing incidents, it is more appropriate to except from the felony provisions of subsection 1030(a)(4) only cases involving no more than $5,000 of computer use during any one-year period.
The definition of "protected computer" includes government computers, financial institution computers, and any computer "which is used in interstate or foreign commerce or communications." The term 'protected computer' was included to address the original concerns regarding intrastate "phone phreakers" (i.e., hackers who penetrate telecommunications systems). It also specifically includes those computers used in "foreign" communications. With the continually expanding global information infrastructure, with numerous instances of international hacking, and with the growing possibility of increased global industrial espionage, it is important that the United States have jurisdiction over international computer crime cases.
This section also addresses the problem of insider attack, given the rise in computer attacks from insiders such as disgruntled employees. For example, although those who intentionally damage a system should be punished regardless of whether they are authorized users, it is equally clear that anyone who knowingly invades a system without proper authority and causes significant loss to the victim should be punished as well, even when the damage caused is not intentional. In such cases, it is the intentional act of trespass that makes the conduct criminal.
To provide otherwise is to openly invite hackers to break into computer systems, safe in the knowledge that no matter how much damage they cause, they commit no crime unless that damage was either intentional or reckless. This subsection criminalizes all computer damage done by outsiders, as well as intentional damage by insiders, albeit at different levels of severity. The essence of this section is that intentional damage by trespassers and authorized users is a felony. Causing reckless damage is a felony for a trespasser, though not a crime for an authorized user. Causing negligent damage is a misdemeanor for a trespasser, and not a crime for an authorized user.
Although subsections § 1030(a)(5)(B) and (a)(5)(C) require that the actor cause damage as a result of his or her unauthorized access, damages are not limited to those caused by the process of gaining illegal entry. Rather, all damage, whether caused while gaining access or after entry, is relevant.
For example, intruders often alter existing log-on programs so that user passwords are copied to a file which the hackers can retrieve later. After retrieving the newly created password file, the intruder restores the altered log-on file to its original condition. Arguably, in such a situation, neither the computer nor its information has been damaged.
Nonetheless, the intruder's conduct allowed him to accumulate valid user passwords to the system, required all system users to change their passwords, and required the system administrator to devote resources to re-securing the system. Thus, although there may be no permanent "damage," the victim does suffer "loss."
As the network infrastructures continue to grow, computers will increasingly be used for access to critical services such as emergency response systems and air traffic control, and will be critical to other systems that we cannot yet anticipate.
Thus, any definition of "damage" must broadly encompass the types of harms against which people should be protected. The first is significant financial losses; the second is potential impact on medical treatment. Other aspects covered include causing physical injury to any person and threatening the public health or safety.
Subsection (a)(7) is designed to respond to a growing problem: the interstate transmission of threats directed against computers and computer networks. Such threats, if accompanied by an intent to extort, may already be covered in some instances by the Hobbs Act, 18 U.S.C. § 1951, which applies to interference with commerce by extortion. They also may be covered in some instances by 18 U.S.C. § 875(d), which applies to interstate communication of a threat to injure the property of another.
These concerns are not theoretical. In one recent case, for example, an individual threatened to crash a computer system unless he was granted access to the system and given an account. Another case involved an individual who penetrated a city government's computer system and encrypted the data on a hard drive, thus leading the victim to suspect an extortion demand was imminent.
It is worth noting that subsection (a)(7) covers any interstate or international transmission of threats against computers, computer networks, and their data and programs, whether the threat is received by mail, a telephone call, electronic mail, or through a computerized message service.
The provision is worded broadly to cover threats to interfere in any way with the normal operation of the computer or system in question, such as denying access to authorized users, erasing or corrupting data or programs, or slowing down the operation of the computer or system.
A recently charged case was that of a contract employee who downloaded a zip file and transmitted it to an e-mail account on the NASA e-mail server, knowing that the zipped file in question would cause the computer system to drastically slow down or completely stop processing e-mail messages at the Glenn Research Center.
Regardless of the amount of damage caused by an attack, Sections (a)(1) and (a)(7) are felonies. Similarly, sections (a)(3) and (a)(5)(C) are misdemeanors; the amount of damage is irrelevant. Sections (a)(5)(A) and (a)(5)(B) are felonies, but only if damage is caused as outlined by 18 U.S.C. §1030(e)(8), which defines damage as the impairment to the integrity or availability of data, a program, a system or information that causes loss aggregating at least $5,000 in value during any one-year period to one or more individuals; anything that modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; causes physical injury to any person; or threatens public health or safety.
Section (a)(2) has its own damage provision: a violation under this section may be a felony, but only if the offense was committed (1) for purposes of commercial advantage or private financial gain, or (2) in furtherance of any criminal or tortious act in violation of the Constitution, or laws of the U.S. or of any State, or (3) if the value of the information obtained exceeds $5,000. Otherwise, it is a misdemeanor. Finally, the amount of damage is so important to Section (a)(4) that there is no violation at all unless the value of the thing obtained is more than $5,000 in any one-year period.
Although the five thousand dollar requirement appears clear, uncertainties surround what can be included in the calculation of damage. For example, if only the links of a web page are altered in an attack without actual damage to the system, meeting the five thousand dollar threshold may be difficult. Additionally, it may be difficult to determine a fixed amount in damages if an attacker used a victim's computer only to launch attacks.
The seriousness of a breach in confidentiality depends, in considerable part, on either the value of the information or the defendant's motive in taking it. Thus, the statutory penalties are structured so that merely obtaining information of minimal value is only a misdemeanor, but certain aggravating factors make the crime a felony.
More specifically, the crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.
As for the monetary threshold, any reasonable method can be used to establish the value of the information obtained. For example, the research, development, and manufacturing costs, or the value of the property "in the thieves' market," can be used to meet the $5,000 valuation.
"Loss" can include any monetary loss that the victim sustained as a result of any damage to computer data, a program, a system or information. In addition, loss includes the costs that were a natural and foreseeable result of any damage, and any measures that were reasonably necessary to restore or re-secure the data, the program, the system, or information. An impairment of the data's integrity may occur even though no data was physically changed or erased if the victim suffered a "loss." Therefore, a victim of a computer compromise would be advised to calculate the amount of damage based on these and similar factors. Should the victim decide to involve federal law enforcement, a timely estimate of the amount of loss may assist in swiftly tracing the attacker.
For section 1030(3) (a) (b), the penalty can be an appropriate fine and/or up to 1 year in prison, or 10 years if it is a repeat offense. While the sentencing has been a progressive step, it also highlights the need to draft parallel laws that would make software companies and other information technology providers legally accountable for weak or lax security. This will be an important step towards ensuring security at the design level itself. The notion that a company can produce a consumer product that is systemically flawed, and not be liable, must be addressed by law as well.
A sub-part to the penalties under 18 U.S.C. 1030(c) introduces fines and potential life sentences for offenders who either knowingly or recklessly attempt to cause or cause death to any person. The Cyber Security Enhancement Act also provides for fines and prison terms of up to 20 years for offenders who knowingly or recklessly attempt to cause or cause serious bodily injury. However, recklessness is not usually treated as rising to a sufficient criminal level of intent to warrant such prison terms. For instance, recklessness in a contemporary context can also be an employee running a disk without a virus check.
Under this section, the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
Note that the term "protected computer" also includes a computer which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
For section 1030(4) (a), the penalty can be an appropriate fine and/or up to 5 years in prison, or 10 years if it is a repeat offense. The maximum statutory penalty for each count in violation of Title 18, United States Code, Section 1030(a)(4) is five years imprisonment and a fine of $250,000, plus restitution if appropriate. However, the actual sentence will be dictated by the Federal Sentencing Guidelines, which take into account a number of factors, and will be imposed at the discretion of the Court.
This section was recently used in the prosecution of former Cisco employees who exceeded their authorized access to the computer systems of Cisco Systems in order to illegally issue almost $8 million in Cisco stock to themselves.
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.
A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action, however, may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. We had mentioned the need to address this legally in the previous discussion.