The Computer Fraud and Abuse Act of 1986, codified today as United States Code Title 18 Section 1030, is the primary federal law governing cybercrime in the United States. It has been used in such famous cases as the Morris Worm and in the prosecution of notorious TJX hacker Albert Gonzalez. When black hats around the world have nightmares about FBI agents breaking down the doors, it is the CFAA that is giving those nightmares substance.
On the other hand, it has also been used to go after such apparently innocuous uses as browsing Facebook and checking personal email on company time, creating a fake MySpace user account, or downloading open source software tools.
More disturbing for anyone in cybersecurity work is the trend of charging or suing security researchers for uncovering and disclosing system vulnerabilities. Andrew Auernheimer, Mike Lynn, and Zack Anderson were each prosecuted or threatened with legal action under the auspices of the CFAA for disclosing, or moving to disclose, security holes in computer systems. Their cases have had a chilling effect on the willingness and ability of researchers to secure public infrastructure and widely used computer systems.
In other cases, the nearly unlimited penalty system of the statute has resulted in wildly unbalanced punishments for even minor violations, such as the three felony counts against journalist Matthew Keys for leaking credentials to the LA Times website that resulted in some minor digital graffiti, or the charges against hacktivist Aaron Swartz for downloading free journal articles that left him facing $35 million in fines and up to 11 years in federal prison.
In any case, cybersecurity professionals need to be intimately familiar with the terms and uses of the CFAA, both to be aware of what actions could constitute crimes against the systems they are protecting, and to avoid running afoul of being charged with such crimes themselves in the course of their own work.
Creating Crimes Out of Digital Thin Air
With the creation of computers came the opportunity to commit entirely new types and classes of crimes, crimes that existing statutes crafted to handle only a physical reality simply didn’t cover. In the 1970s and early ’80s, many phone phreaks and early computer hackers ran rampant through online systems unhampered by worries of legal complications. Laws either didn’t exist or investigators were not sophisticated enough to collect evidence to prosecute them… even if they could catch them.
The CFAA was passed as an amendment to the Comprehensive Crime Control Act of 1984, which had been the first major piece of legislation to address the suddenly relevant field of computer crime. But the original Section 1030 left much to be desired in terms of providing tools to prosecute computer crimes. In part, it had been a slightly hysterical response to the seminal hacker movie “War Games,” released the previous year, and had been drawn rather narrowly, envisioning scenarios similar to those shown in the movie.
The CFAA offered a more comprehensive and powerful set of prosecutorial tools to address criminal uses of computers, including criminalizing:
- Distribution of malicious code
- Undertaking denial of service attacks
- Trafficking in passwords or other access control mechanisms
The Act defines a category of system called a “protected computer” that originally included systems that had a substantial federal interest. In theory, state laws would cover other computers. However, due to several expansions in the definition and a generous interpretation of the Commerce Clause of the Constitution, as a practical matter almost any computer in the country is covered by the CFAA.
The Act has continued to be amended over the years to refine the definitions and to expand coverage into other aspects of cybercrime. Between 1988 and 2008, the law was amended nine times. Updates included:
- Expanding protection to financial institutions and other private computers
- Including civil actions under the auspices of the act
- Adding tampering and attempted extortion
- Including taking information off of systems
- Expanding the types of predicate offenses for enhanced penalties
Adding Civil Offenses to CFAA Expanded Cases Under the Law
One of the most important additions, and the most controversial, was the 1994 amendment that made offenses under the act grounds for civil action as well as criminal prosecution. This allowed private corporations and individuals to bring suit in civil court against alleged perpetrators.
This gives cybersecurity professionals, in concert with corporate legal departments, a powerful tool to use in hacking cases even when law enforcement doesn’t get involved. The standards of evidentiary proof are substantially lower in civil cases: a preponderance of evidence versus ‘beyond a reasonable doubt.’ This can make it much easier to get a judgment in cases where the evidence isn’t rock solid.
On the other hand, this amendment has also allowed major hardware and software vendors to exert their influence on security research. In 2005, router manufacturer Cisco used threats of a CFAA case against security researcher Mike Lynn, who had uncovered holes in the company’s ubiquitous IOS software, to prevent him from disclosing the information to Cisco users.
With the company’s routers propping up much of the infrastructure underlying the internet, the case had serious implications. Cisco believed that exposure would result in further attacks; customers and other security researchers believed that failing to disclose the vulnerabilities would leave them vulnerable to attacks they could not defend against.
Lynn agreed to an injunction barring him from disclosing his research, but the community was incensed and confused.
The Future Status of the CFAA is Uncertain
These sorts of abuses pale in comparison to the potential for abuse by malicious prosecutors. The ability to threaten accused hackers with jail time for relatively minor offenses can make the Act a serious threat to freedom. The continuing rapid advance of technology and the imprecision of the language in the Act also create as many problems for cybersecurity professionals as they solve.
Apparently routine or uncontroversial technical actions can be interpreted as offenses under the act. In several cases, for instance, simply changing an IP address—something that can happen automatically and without the user’s knowledge on a DHCP network—has been interpreted as “circumventing a technical control” under the definitions of the Act. It’s left to judges and prosecutors, many of whom have zero technical knowledge or understanding of computers, to determine how the law applies. This is a frightening prospect to anyone working in the field today.
The Electronic Frontier Foundation and American Civil Liberties Union have each pressed for updates to the law to help clarify some of these matters and to pull its teeth for pursuing accidental or ambiguous violations. In 2013, Representative Zoe Lofgren introduced the Aaron’s Law Act of 2013 in the House of Representatives to limit penalties to purely criminal acts and to remove terms of service violations from the prosecutable offenses entirely.
Despite strong support from many cybersecurity researchers and civil liberties organizations, Aaron’s Law failed to pass in both 2013 and 2015, in part due to industry opposition.
At the same time, in objective terms, the law has not been effective in suppressing cybercrime. Computer crimes have exploded since it was enacted. With the international and distributed nature of most attacks today, it may actually be easier to use the CFAA to prosecute well-meaning security researchers than the malicious actors it was designed to combat. Information security staff have to proceed cautiously when working with third-party code or systems, while staying aware of the ways the CFAA can be used to defend their own systems at the same time.