The CFAA and Organized Crime

The CFAA was enacted to face the threat of online crime, particularly the acts of hackers. However, despite its legislative intent, the CFAA falls short of what it purports to do in several areas – one of them being online organized crime, or “cybergangs.”

Cybergangs are set apart from other “cybercriminals” by the greater damage a cohesive group can cause compared with an individual. Furthermore, some solo cybercriminals illegally enter computer systems mainly for notoriety or out of curiosity, whereas cybergangs are predominantly created to attain financial gain or to commit denial of service attacks.

Cybergangs are able to launch attacks on service providers in an unparalleled fashion, causing greater damage than single hackers are able to. However, the CFAA has been unable to effectively punish members of cybergangs.

First and foremost, penalties under the CFAA are relatively light in comparison to the severity of the crimes cybergangs commit. The maximum penalty for a first-time offender would be 10 years – and this is only for espionage-related cases that rarely get prosecuted under the CFAA. Instead, the maximum penalties fall at around 5 years' imprisonment. Although prison time increases for repeat offenders (10 years), the likelihood of finding and charging cybercriminals a second time is, at present, rather remote.

In actual prosecutions of cybergang members, the CFAA is usually nowhere to be found. Members of the notorious ShadowCrew credit card and identity theft forum were charged with credit card, bank card, and identification document fraud, unlawful transfer of identification to facilitate criminal conduct, and conspiracy.[1]

Although it is difficult to tell whether the CFAA goes unused because prosecutors are unfamiliar with it, because its penalties are too light, or for some other reason, its absence from cybergang prosecutions shows that the statute needs further editing to specifically address the different types of cybercrime, especially those that cause the most damage to service providers and consumers.

Cybergangs pose a unique threat because the interconnectivity of the internet facilitates group criminal activity. ShadowCrew, for example, was set up as a forum, with main leaders (“Administrators”), secondary leaders (“Moderators”), and “General Members.”[2] With this group structure in place, it is practically impossible to catch and individually charge each member with violating a prohibited act in the CFAA. Instead, the CFAA should be amended (or possibly new legislation drawn up) to parallel what RICO does for organized crime – criminalizing the organization to catch the individuals. Although simply adding a cybercrime component to RICO would be a possibility, organized crime on the internet will undoubtedly evolve as technology evolves, so a dedicated piece of legislation would best address the issue.


~ by alyssaufl on December 2, 2009.

4 Responses to “The CFAA and Organized Crime”

  1. I agree, for the severe threat cybergangs potentially pose in our increasingly internet-reliant world, harsher sentences may be called for beyond that proposed in the CFAA. At the very least, it seems as though punishments should be increased for these leaders (administrators/moderators) to mirror the RICO. Criminal acts committed by general members of cybergangs in furtherance of the leaders’ cause or under the leaders’ orders should result in criminal charges not only against the general members of the cybergang that commit the crime, but the moderators and/or administrators of the organization as well. Creating and leading a cybergang may seem much less attractive when ten members’ criminal acts result in ten separate charges against the gang’s leader.

  2. While I too agree that organized cybercrime should be punished commensurate to the harm it creates, I have always had a significant issue with RICO and similar statutes. If Congress wants to punish a crime, then that crime should be punished in all circumstances. Considering the considerable amount of punishment already able to be handed down for individual internet crimes, I don’t think a statute like RICO is the answer. That said, if that is Congress’ intention, why not just fold internet crimes into RICO? A simple amendment to RICO could alter it from covering 27 federal crimes to a few more. Thus, instead of having the CFAA that isn’t well understood and underused, prosecutors could merely apply a solution they are familiar with.

  3. I believe this is too similar to criminal blue laws. Sure, we all want to punish people who steal credit card information, identities, and do things that we typically frown upon. However, the way the statute/law works, as it was written by people who don’t necessarily understand the difference between white hat hacking and black hat hacking. Thus, the FBI Cyber Crime division can’t simply start cracking down on individuals, since most of what people do on the internet would violate some form of internet law.

    Take for instance streaming videos. Most people have done it, whether it is YouTube, or Facebook, or whatever. What if that video is copyright protected? What if you send that link to a friend? You would be in violation of some form of internet law, but we obviously don’t want to punish you. The problem with the CFAA, and really any attempt to punish cybercrime/gangs/criminals…is that the line between punishable offense and “cool thing I want to show my friend” is often blurred with the internet…and there really is no way for our government to be able to track and regulate that activity.

    Not at least in a way that’s fair and just.

  4. […] A Final Note on the CFAA These past few blog entries on the CFAA have shown it to be a piece of legislation that has expanded beyond its original intentions over time. Originally intended to combat hackers, the CFAA has now expanded, with each amendment, to reach employees accessing files on company computers and accessing of open wireless access points without express permission. However, despite its ability to reach far and wide, the CFAA does not fully address issues that seem to comport with its initial intent of combating hackers or new organized methods of hacking and fraud. […]
