Prosecution of Cybercrimes

The potential impact of cybercrime continues to rise as more and more information is moved onto electronic platforms and more electronic devices come into use.  Data breaches have resulted in millions and even billions of records being compromised.  In 2005, a variant of the Blaster worm shut down railroad switching computers across the Southeast United States.  The stakes of cybercrime are high and rising, so the laws must be developed enough to allow prosecutors to combat these crimes effectively.

One of the first lines of defense against these violations lies with private companies.  eBay (now together with PayPal) is particularly proactive in combating cybercrime.  It first tries to educate consumers, particularly about phishing.  It has provided information to various law enforcement agencies to expedite prosecution of cybercrime abroad.  Finally, eBay has actually sought feedback from law enforcement agencies regarding their satisfaction with eBay’s efforts.

When these preventative measures fail, the burden falls on legislatures and law enforcement to deter and prosecute these crimes.  One of the main avenues is through the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act (“CFAA”) was originally passed in 1986 and codified as 18 U.S.C. § 1030.  It was amended by the USA PATRIOT Act in 2001 to increase the maximum penalty for “intentionally damaging a computer” from five years in prison to ten years in prison.  Later, in 2003, Congress revised the United States Sentencing Guidelines (“USSG”) with respect to violations of the CFAA.  Although the USSG were held merely advisory rather than mandatory by the Supreme Court in United States v. Booker, 543 U.S. 220 (2005), federal courts continue to apply them in an overwhelming majority of cases.  One upside of this is that some of the shortcomings of the USSG with respect to the CFAA that I discuss below can be avoided by judges in their application of the guidelines to each particular case.

In Richard Downing’s article, “Thinking Through Sentencing in Computer Hacking Cases: Did the U.S. Sentencing Commission Get It Right?”, he argues that sentences for violations of the CFAA should take the following factors into account:

Monetary harm,
Intent,
The number of victims even if each suffers only a small harm,
Invasions of privacy,
Physical harm to individuals,
Harm to critical infrastructures, and
Harm to government functions.

Monetary Harm:

The monetary harm of cybercrimes such as security breaches that lead to unauthorized access and denial of service attacks is more difficult to quantify than that of many conventional crimes.  This is particularly the case where the loss comes not from actual destruction of data but from the steps necessary to ensure that data has not been altered and is still reliable.  Another issue arises in the “theft” of data where the original remains intact but is copied.  The original owner isn’t deprived of ownership, but dissemination of that information can certainly cause a loss.  Some ways to value the harm from this kind of theft are to estimate its value on a legitimate market or even to look to its sale price on a black market if the offender sold the data or otherwise transmitted it so that it was ultimately sold.  Additionally, the cost of developing the data may serve as a useful estimate of the monetary harm from its theft.

The USSG respond to situations that involve data destruction or impairment of systems that cause direct costs to the victims.  However, they fail to consider the types of harms that are caused by theft of data.  As discussed above, there are reliable ways to quantify, even if not exactly, the losses that victims of theft of information suffer.  The USSG should take these real losses into account.

Intent:

Despite the sophistication and technical knowledge required to conduct many computer crimes, some offenses are committed unintentionally.  One such example is a juvenile who accidentally caused a telephone company computer to crash and shut down communication at a regional airport in Massachusetts in 1996.  The sentencing guidelines take the intent of the offender into account in an imperfect way.  The USSG call for a four-level increase in cases involving intentional damage.  However, the same section provides that only the greatest of three increases (the one available for intent and those for two other factors) is applied.  So, the two-level increase for a violation that involves theft of personal information is not considered if the violator also intentionally causes damage, because the greater four-level increase displaces it.

Small Harm to Many Victims:

Imagine that a person writes malicious code that causes no direct financial harm other than loss of victims’ time in trying to remove it, and it infects 100,000 systems.  Here, Downing suggests that rather than call each victim as a witness, courts should allow prosecutors merely to present the testimony of several representative victims.  Then, an expert should be called to extrapolate the total harm based on his or her knowledge of the malicious code.  My first thought was that this would violate the Confrontation Clause, but this seems to be obviated if the witnesses aren’t labeled “representative” for the jury, especially not by the court itself.  The USSG does account for harm to a large number of victims but does not include those who do not suffer financial harm.  This is especially problematic in cases of mass privacy breaches.

Invasion of Privacy:

The USSG generally give courts wide discretion in sentencing according to how severely a CFAA violation invades individuals’ privacy.  In cases that demonstrate a substantial privacy invasion, the guidelines recommend an upward departure in sentencing from the guideline range.  Downing specifically mentions a violation of the CFAA as part of a larger stalking offense as an example of this.

Physical Harm to Individuals:

Physical harm resulting from a CFAA violation is readily imaginable (imagine an unauthorized user deleting reference to a severe allergy in electronic medical records), so the sentencing guidelines should be prepared to consider these possible harms.  The USSG merely provide for a two-level increase if the offense consciously or recklessly involved risk of death or serious bodily injury.  Compare this to the four-level increase for intentional destruction of data above.  As discussed above, the only reprieve here is that the USSG are merely advisory following Booker.

Harm to Critical Infrastructures:

Critical infrastructures are “systems and assets vital to national defense, economic security, and public health or safety.”  The Blaster worm (mentioned above) also crippled the safety systems of a nuclear power plant, which fortunately had its reactor offline for maintenance at the time.  More recently, nuclear facilities in Iran were infected with the Stuxnet worm: http://www.computerworld.com/s/article/9188147/Iran_admits_Stuxnet_worm_infected_PCs_at_nuclear_reactor.  Downing argues that we should not be overly worried about ramping up sentences for violations against critical infrastructure sites because they are generally well-protected.  Thus, attackers must generally know their targets and take specific, more sophisticated steps to breach those systems.  The ongoing experience with Stuxnet provides no counter-argument: it specifically targets Windows computers that manage “large-scale industrial-control systems in manufacturing and utility companies” and has been described as “the most sophisticated malware ever.”

Harm to Government Functions:

This category includes harms to government computers that are particularly difficult to quantify in monetary terms.  The best example of this is tampering with computer systems involved in an election.

The USSG would include many offenses that fall under this category as harm to critical infrastructures.  However, that list does not include systems used in the criminal justice system, failing to account for the felon who hacked into San Bernardino County’s systems to alter records to reflect that pending criminal charges against him were dismissed.  For the most severe disruptions considered by the guidelines, those that have a “debilitating impact” on government systems that are a part of critical infrastructure, the guidelines suggest imposing sentences above the normal guideline range.

~ by fmari on October 18, 2010.

11 Responses to “Prosecution of Cybercrimes”

  1. What concerns me are the harms to critical infrastructures. While they may be heavily protected, I would guess that there is some way to get through them if motivated and financed sufficiently. Terrorists would then not need to travel to the United States in order to actually cause a much greater impact to our country. Seeing that nuclear facilities were infected in Iran only makes me more concerned.

    I don’t think the terrorists would be very concerned about the potential penalties the sentencing guidelines call for, though. My guess is that these crimes would be committed overseas and the United States would never be able to get them here to be prosecuted. I suppose if we had a US citizen willing to do such a thing, then that would be something to worry about for the criminal.

    Hopefully our computer defense technology keeps improving with the technology owned by people motivated to hurt the United States.

  2. One of the main goals in sentencing guidelines is not only punishment, but also deterrence. The purpose of increasing these guidelines is to increase deterrence. I think that is very challenging in computer crime cases because 1: I think the general public is much less aware of the crimes and sentencing that occurs regarding these crimes, and 2: I think that it seems a lot more surreal to both the person committing the crime, and the person who might potentially fall victim to a cyber criminal. In essence, this means that criminals don’t think they are going to be caught and people do not think they are going to fall prey to these individuals. This creates a situation where the length of sentencing is irrelevant because it is not serving its purpose: deterrence.

    Another interesting issue is that given the newness of the internet and the constantly developing technology, it seems to me that the constant stream of advancing technology would make it challenging to define many of these cyber crimes and place them in a box. It seems to me that as we define the different crimes and the harm caused thereby that the only true message we are sending to cyber criminals is to come up with more creative and innovative ways to carry out their misdeeds and avoid USS guidelines.

    It also bothers me that the USSG seems to create scenarios where there is criminal punishment for nuisance crimes that require prison sentencing with a very low threshold of proof or due process. As Frank mentioned in his blog, presenting the testimony of several representative victims without giving the accused person a chance to confront or defend himself properly to such accusations seems to me to very obviously shift the burden of proof from the prosecution to the defense. In a system where witnesses are much harder to come by and it is exceedingly difficult to prove who accessed what (imagine I log in to your computer and go crazy) stricter sentencing scares me more than it reassures me.

  3. I’m pretty defense oriented, okay, I’m extremely defense oriented to the point that I throw up a little in my mouth just looking at a State Attorney’s office. (No offense, Holly!)

    However, I see no issue with using representative witnesses instead of hailing every “victim” to court to testify against the defendant. I understand Confrontation Clause arguments but at some point, the trotting of witnesses to the stand becomes repetitive and irrelevant.

    I think any court would rule against Confrontation Clause and cite an efficiency of justice standard to limit making all witnesses appear.

    I’m also troubled by Downing’s assertion that we don’t need to increase sentencing for attacks on critical infrastructures. It would seem those would be the ones we want to deter criminals from even thinking about attacking. I’d advocate a position of attacking critical infrastructures is an act of treason against the United States, if done by an American citizen.

    Of course, if a citizen could hack one of these infrastructures, I’d probably want them to work WITH the FBI. (I saw Live Free or Die Hard…Justin Long, anyone?)

  4. I’m pretty defense oriented, well, let’s be honest, extremely defense oriented.

    However, I don’t believe the Confrontation Clause gives a defendant the right to hail all his witnesses against them because at some point judicial efficiency will overcome repetitive and what would become irrelevant testimony by more witnesses than representative witnesses. If the courts did force the prosecution to put on every witness, I think it would be a non-prosecutable offense since no prosecutor would want to take the time to put on 100 thousand witnesses to secure a conviction.

    I, too, am disturbed by the idea that harm to critical infrastructures isn’t considered by Downing to be a type of crime for which we should ratchet up penalties. His line of reasoning is also questionable. Those types of infrastructures are heavily secured for a reason and breaking into them would be a major threat to our country. I’d advocate making it treason for a US citizen to break into any critical infrastructure.

    Of course, if a US citizen could hack into one of these critical infrastructures, I would want them working WITH our government and FBI.

    (I saw Live Free or Die Hard…Justin Long, anyone?)

  5. I think companies need to learn a lesson from eBay and PayPal. While I was surprised to learn how proactive eBay has been, since I used to use it all the time and never received any information about phishing, etc. (or that I remember at least), I think it is a great idea. Also, because the potential impact of cybercrime continues to rise, I agree that the laws must be developed enough to allow prosecutors to combat these crimes effectively. I think that eBay providing information to various law enforcement agencies will help to further develop the law, and probably faster than if they weren’t. It must also be comforting to eBay and PayPal users because it seems as though their information is better protected, and that the monitoring of that information and keeping it secure is important to the companies.

    With the Sentencing Guidelines, I do think it is important to take some of the factors listed into account, but it seems so silly to me how the sentencing guidelines take the intent of the offender into account. And in response to Daniella’s comment about the situation where the length of sentencing is irrelevant because it is not serving its purpose – what do you think would help fix that? As for the physical harm to individuals, I had never even considered that possibility, and agree that the USSG should be prepared to consider these possible harms. I guess the question is the same regardless of whether the crime is a cybercrime or not, but I would really love to understand why people would commit them – especially something like an unauthorized user deleting reference to a severe allergy in electronic medical records.

    I work in the Bradford County SAO and our office just went paperless (Alachua has been for a little while now). I can’t even imagine what they would do if someone hacked into STAC, the program the office uses. All the case information is contained in that one program.

  6. I tried but couldn’t come up with a better way to quantify the monetary harm resulting from an unauthorized data access event. Obviously, if someone gets hold of your credit card number and charges a Caribbean vacation on it, that would be easily quantifiable. But simple access and the threat of dissemination is much harder to nail down in terms of tangible damage. Although it seems a bit backward, I agree that the value of the harm can be at least generalized from a combination of the value of such information on a black market and the time it takes to repair infrastructure or computer systems after an attack.

    I also think that the solution to the many-affected-but-slightly-harmed problem you’ve described makes the most sense of the available options. Although I could see foreseeability issues (like how would a programmer of a virus know before launching it whether his infectious creation would hit 100, 100,000 or 1,000,000 individuals?), the necessity of intent seems to outweigh this factor. If a person sets out to create self-replicating malware, it shouldn’t matter how well they did it. What’s important is that the person had intent to cause disruption to others’ lives. I still think that the punishment should be more severe, however, if the person intended to cause some sort of financial harm rather than just temporarily inconveniencing a large number of people.

  7. One thing that was concerning to me was that physical harm to an individual is punished by less of a step up than intentional destruction of data. You mention something like deleting an allergy from an online medical record, but physical harm can stem from almost any kind of cybercrime. Identity theft could prevent a person from getting health insurance, obtaining a mortgage and having a place to live, or something far more sinister. I remember reading a case (Remsburg v. Docusearch, Inc.) where a guy used an information culling website to get info like workplace and SSN on a woman, whom he eventually stalked and killed. Even emotional distress from undergoing phishing scams could be considered physical harm if it rises to the level of interfering in someone’s life. If anyone has ever tried to deal with a scam, or help someone deal with a scam, the headache alone is a significant physical harm.

    I’m not saying that destruction of data isn’t bad, because it could be extremely dangerous and destructive. It just seems that the level increase system is too black and white for the gray and growing grayer area of cybercrime. It seems to me that physical harm should be at least as much of a step up as destruction of data, and that the punishment should be decided on a completely case by case basis.

  8. A two percent increase for an offense that consciously or recklessly involved risk of death or serious bodily injury versus a four level increase for intentional destruction of data? Come on. I understand that intent and destruction of data are important (after all, it is easy to unintentionally commit cyber crimes) but you would think that something that is so much more obviously qualitative, like PHYSICAL HARM to a victim of these computer crimes, would hold more strength.

  9. I too agree the thought of such a highly scaled punishment based on cyber damages seems a little ridiculous when considered against the scaling of crimes in the non-virtual world. At the same time, the potential for widespread damage of a cyber crime does create an odd conundrum in that personal crimes are often singular while a virtual crime can end up affecting thousands if not millions of individuals, as Nick observed.

    Perhaps the punishments associated with the CFAA are intended to be harsh in order to work as preventative to anyone who might consider intentionally pursuing large scale destructive acts over the Internet.

  10. On the higher scale of punishment for intentional crimes over crimes that involve physical harm debate, I think it’s important to remember that these guidelines are not mutually exclusive. Someone who causes physical harm with no intent will receive a lesser sentence than someone who causes physical harm with intent in real life and in a virtual crime scenario. Intent involves a higher state of culpability, it’s not that the crime is more or less punishable, it’s that the perpetrator’s state of mind makes him more or less deserving of punishment. I think the guidelines got it right – someone who maliciously intends to steal/corrupt data is more culpable than someone who accidentally causes physical harm (maybe deleting that allergy from your medical files was a mistake made by a medical intern while entering your records into the new paperless system).

  11. My very first issue is the fact that judges seem to adhere to the USSG despite the Guidelines being advisory. I can agree that the considerations you listed are valid. However, I believe that the judge should consider the totality of circumstances and make an overall judgment, rather than say “monetary harm 2 levels, intent 4 levels, etc.”

    Monetary harm – As you stated, the USSG “fails to consider the types of harms that are caused by theft of data.” Judges can and should consider these harms. In civil cases, each side can present its calculation of loss. Why not do the same in criminal law?

    Intent – I favor a simple calculation: If intent, then harsher punishment. If not, then consider it a mitigator. I actually think intent should be an element of the crime because if the person is doing something on the internet and inadvertently harms someone, why should they go to prison?

    The number of victims even if each suffers only a small harm – I think considering aggregate harm is a good idea. If 100 people suffer a loss of $1, it is the same as if 1 person loses $100. The harm is the same. And we are talking about criminal, not civil. As long as the state can prove the loss, it should be considered. I do not see Confrontation issues if this information is presented only during sentencing. For example, if an element of the crime is harm, one victim suffices to prove harm. If that witness suffices, despite there being 2+ victims, then the element is still satisfied. Then, during sentencing, the state could be required to provide sworn affidavits of victims, or prove the loss in some other manner. At a sentencing hearing the defendant can have the opportunity to rebut the information, like with the monetary loss above. We do something similar already with the bifurcated trial for petit theft with one prior: after being found guilty by a jury of the petit theft at issue, the state attorney must then prove that this is the second theft. I hope my analogy is clear…

    I won’t go through each consideration, but my point is that there are ways for a judge to fairly consider each of these, and render a sentence tailored to the circumstances of each case. I think the Guidelines should be just that: guidelines. Their purpose was fairness in sentencing, i.e. same punishment for the same crime. However, every circumstance makes each crime unique, and thus deserving of tailored punishment.
