Cyber Crime

Fall 2015

Computer FRAUD statutes are hybrids between

unauthorized access and fraud statutes
18 USC 1030(a)(4)
knowingly and with intent to defraud, accesses a
protected computer without authorization, or exceeds
authorized access, and by means of such conduct furthers
the intended fraud and obtains anything of value, unless
the object of the fraud and the thing obtained consists only
of the use of the computer and the value of such use is not
more than $5,000 in any 1-year period
[all violations felonies, 5yrs max 1st offense, 10 years if a
prior 1030 conviction]

Similar to the federal wire fraud statute

18 USC 1343
having devised or intending to devise any
scheme or artifice to defraud, or for obtaining
money or property by means of false or
fraudulent pretenses, representations, or
promises, transmits or causes to be transmitted
by means of wire, radio, or television
communication in interstate or foreign commerce,
any writings, signs, signals, pictures, or sounds for
the purpose of executing such scheme or artifice

If this statute is a combination of:

18 USC 1030(a)(2) and
18 USC 1343 (wire fraud)

What does (a)(4) do that these two statutes

dont?
The Senate Report accompanying (a)(4) has some
clues

Concerned that computer usage extraneous

to an intended fraud covered by (a)(4) if
patterned after mail/wire fraud statute
Just using a computer to commit fraud
isnt enough to trigger (a)(4) use of a
computer must be more directly linked to the
fraud
Without authorization or in excess of
authorization
Distinguish between theft via computer and
computer trespass

106 F.3d 1069 (1st Cir. 1997)

Up front, appellate court says lower court should
have acquitted Czubinski on all counts
IRS employee who was accessing confidential
tax return documents of all sorts of people for
non-work problems
DA prosecuting his father, former political rival,
romantic interest, his siblings business affiliates
He knowingly disregarded IRS rules by observing
confidential information he accessed
Was evidently involved with the KKK, said at one point
he may build some dossiers on people and accessed
data on members of the David Duke presidential
campaign

Didnt perform any unauthorized searches

after 1992, wasnt charged/worked at IRS
until 1995
Was charged with a scheme:

To build dossiers on KKK associates

To seek info on the DA prosecuting his father
To perform opposition research on political rival

Court did not find the access unauthorized,

cited the Congressional intent that he had
been given access to the items by IRS
Also found no wire fraud (he was charged
with that as well) because in their opinion,
more or less, nothing of value was taken

Opinion included language scolding prosecutors

for bringing charges under the broad wire fraud
statute, as well as admitting inflammatory
evidence regarding Ds involvement with the KKK

Computer Damage Statutes

Focus on harm inflicted on computer owner

Two types
Those focused on conduct that exceeds privileges
to use a computer
Combine unauthorized access with some minimal
amount of harm/damage (usually in $$)

Those focused on denial of privileges to other users

Look more towards deleting/damaging/altering or
rendering inaccessible files or programs

The line between the two types is fuzzy (a lot of

conduct does both), so many states combine
the two

Most recently amended in 2008

Three different offenses
First
knowingly causes the transmission of a
program, information, code, or command, and as a
result of such conduct, intentionally causes
damage without authorization, to a protected
computer;
Second
intentionally accesses a protected computer
without authorization, and as a result of
such conduct, recklessly causes damage; or

Third
intentionally accesses a protected computer
without authorization, and as a result of such
conduct, causes damage and loss.

A lot of overlap between the 3, but:

First is geared toward releasing code that causes
damage, such as viruses, or DoS (denial of
service) attacks
The authorization doesnt apply to the access, it
applies to the damage
So, an employee may be authorized to test data, or
perhaps encrypt it (which can be construed as
destroying it)

Second and third are variations on

unauthorized access
There are two key differences
The THIRD statute must caused both damage AND
some amount of loss
Second difference is to mens rea
SECOND statute requires recklessness
THIRD statute imposes strict liability with respect to
causing impairment
So this third one punishes even accidental damage
without authority. Congressional intent is to punish those
who damage systems, even accidentally, when theyve
intentionally trespassed in another computer system

Violations of (A), (B) or (C) become felonies

if there is a prior 1030 conviction
Violations of (A) or (B) are a misdemeanor
unless one of SIX enhancements are added
(which must be indicted and proved), which
makes it a felony, even on the first offense

These are all under Section 1030(c)(4)

Violation of (A) causing serious injury, 20

year max felony
If causes death knowingly or recklessly, life in
prison See 1030(c)(4)(E), (F).

(I) loss to 1 or more persons during any 1-year period (and,

for purposes of an investigation, prosecution, or other
proceeding brought by the United States only, loss resulting
from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of
the United States Government in furtherance of the
administration of justice, national defense, or national
security; or
(VI) damage affecting 10 or more protected computers
during any 1-year period;

1) What is the methodology for calculating

the $5,000 amount (most common felony
aggravator)?
2) What mens rea applies with respect to
each of the final elements (including
aggravators)?

Note: In two of our three cases, their outcomes

actually modified the language of 1030(a)(5) to its
current form.

Defendant was the PC administrator for

Slip.net, an Internet service provider
Installed hardware/software and did tech
support, had intimate system knowledge
Was unhappy with his job, quit, then started
sending threatening e-mails to old boss
D remained a paying customer at the ISP,
used a Switch User program to take over
secretarys Slip account

President found out and terminated the Ds

legit account, but this didnt stop the D
He created new user accounts and accessed
a primary billing computer, the Lemming

D changed admin passwords, altered the

registry, deleted entire billing system,
deleted two internal databases
Company spent collectively about 154 hours
repairing damage, bought new software, and
hired a consultant for tech support
Defendant was convicted, 3 years probation,
180 days house arrest, $9,147 in fines, and
appealed, focusing on the amount in
controversy

Court first looks at Congresss intent, note

damage threshold added in 1996 but dont
believe its intent was to limit statute
D argues jury instruction could have
confused jury into thinking the damage
included costs for building a safer, more
secure system
Court says no

D argues govt. failed to prove $5,000 damage

Took hours spent times hourly rate plus software cost $10,092
Prior holding that hours times rate was acceptable
calculation for these purposes
Court finds there was sufficient evidence, rejects Ds arg.

Look to 18 USC 1030(e)(11)

(11) the term loss means any reasonable cost
to any victim, including the cost of responding to
an offense, conducting a damage assessment,
and restoring the data, program, system, or
information to its condition prior to the offense,
and any revenue lost, cost incurred, or other
consequential damages incurred because of
interruption of service

$20K for IBM contractors to investigate

intrusion and verify data
US v. Millot, 433 F.3d 1057 (8th Cir. 2006)

$50,000 for expected lost profits

B&B Microscopes v. Armogida, 532 F. Supp.2d 744
(WD PA 2007)

Executive travel expenses to Germany

Nexans Wires SA v. Sark-USA, Inc., 319 F.Supp/2d
468 (SD NY 2004)

Carlson was an avid Philadelphia Phillies fan

Convicted of violating 1030(a)(5)

Began using Phillies online bulletin boards,

turned into sending thousands of e-mails to
addresses at the Phillies and sports writers
From addresses not his own, such as Special
Prosecutor@fbi.gov
E-mails titled Mariners didnt trade A-Rod and
Sign JASON GIAMBI
Sent THOUSANDS of spoofed e-mails from various
addresses to the Phillies and others
Jury found he intended to cause damage when
sending those e-mails

At trial, Carlson admitted a flood of bad emails would impair ability to find/open good
e-mails (but only a few minutes)
He did not intend flooding spoofed senders
account with auto-replies
Court focused on his significant computer
savvy, said consequences of his actions
could be reasonably foreseen, upheld
conviction

availability of data
Fairly straightforward destruction of data,
encrypting data, taking a computer offline (either
directly or for repairs) DoS attacks, viruses, etc.

integrity of data
Computer security industry focuses on 1) content
and 2) source/authentication (bears on the
accuracy and credibility of the information)
Newspaper example paper prints correct story but
attributes it to the wrong source the CONTENT is
credible, but the SOURCE is incorrect

Sablan left a bar and went to her old job, a

bank, where shed been fired
Used key shed kept to get in
Logged into mainframe, changed several
files, deleted others severely damaged
files
At trial, court rules that intentional
element applied only to the access, not the
damage

Court notes 1030(a)(5) is ambiguous as to

its mens rea requirement
Comma after authorization doesnt resolve
goes back to legislative intent (cites Morris)
Intentional applies only to access element

Court refuses to overturn Morris, rejects

Sablans argument that the mens rea
requirement applies to the damage
element (as opposed to just the access)
upholds conviction

Court also rejects argument that mens rea

must be applied to all elements of a statute
or be found un-Constitutional
Case law says that scienter should apply to each
statutory element which criminalizes otherwise
innocent conduct
But the CFAA here doesnt do that, you must have
the wrongful intent element to be convicted
under this statute (i.e., intentionally accessing a
federal interest computer without authorization)