Welcome to the Shroomery Message Board! You are experiencing a small sample of what the site has to offer. Please login or register to post messages and view our exclusive members-only content. You'll gain access to additional forums, file attachments, board customizations, encrypted private messages, and much more!
The Impact of the USA Patriot Act on Network Security Practice
By Bill Reilly
SAN FRANCISCO, Nov. 15, 2001 --
The USA Patriot Act ("Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism"), which was signed by President Bush on October 25, 2001, contains some of the most substantial changes to U.S. federal cybercrime laws since the last major revisions of 1996. Many of these changes will have a direct impact on the way networked firms prepare and react to cybercrime incidents. The USA Patriot Act was rushed through Congress as a response to pleas from the Justice Department to enhance the investigatory and prosecutorial powers of those pursuing the potential terrorists in the wake of September 11th. While the USA Patriot Act expanded federal surveillance and search powers, enacted trade sanctions against countries that harbor terrorists, increased interagency cooperation, and tightened oversight of monetary transactions and U.S. borders, the changes made to the Computer Fraud and Abuse Act (CFAA) are the most relevant to network administrators and incident handlers.
The Relevant Changes Made to the Computer Fraud and Abuse Act:
The main federal cybercrime statue, 18 USC Sec. 1030(a), provides civil and criminal liability for acts exceeding the authority to access "protected computers." The statute has been used to prosecute malicious code authors, employees who exceed their authorization to access their firm?s networks, "outside" hackers who penetrate computers, steal information and/or cause damage to the system, and people who use computers to commit fraud. The statute has also been used in civil litigation to punish spammers and commercial firms who gather information from third party computers. Over the years, as various court holdings highlighted certain weaknesses in the CFAA, Congress reacted by amending the Act to tighten the screws on cybercrime. The USA Patriot Act has amended the CFAA in several critical, and controversial, areas.
1. The Anti-hacking Provisions:
The main subsection of the CFAA used to prosecute cybercriminals is 18 USC Section 1030(a)(5). The subsection punishes three different levels of activity. The most serious level is intentionally causing damage to a protected computer by "knowingly" causing the transmission of code, a program, etc?. This subsection creates felony criminal liability of up to 5 years in prison for a first time offense if the person had no authorization to access the system, or exceeded his authorization, with the intent of causing damage by knowingly a the harmful transmission. Interestingly, there is no requirement that he has the intent to access the computer. Congress wanted to severely punish any intentional damage. For example, if an employee wants to get back at an employer by erasing files or changes access passwords, he knowingly typed the commands and intended the consequence.
Another serious felony subsection punishes damage that was recklessly caused by a person who intentionally accessed the protected computer without authorization. Importantly, this subsection does not apply to "insiders" who have exceeded their authorization to the system, but it does create serious liability for "outsiders" who don?t intend to damage the system, but recklessly do so. This subsection was meant to deter curious "hackers" who poke around systems and recklessly cause damage with a maximum of 5 years in prison. For example, if a hacker is snooping around a server and plants some code on the system that causes it to crash, that might be considered to be a reckless act.
The last subsection under Section 1030(a)(5) is a catchall misdemeanor. It targets "outside" hackers who intentionally access a protected computer and cause any sort of damage. The hacker doesn?t have to intend to cause any damage. But the difference with this subsection and the one above is that the hacker?s actions here are not considered "reckless." For example, if a hacker exploits a Sendmail bug and negligently erases a file in the process, he would be liable under this subsection.
A. Changes to the 1030(a)(5) Definitions:
One of the most confusing definitions under the CFAA was the term "damage." The old version of the CFAA defined "damage" as a loss aggregating at least $5,000 in value during any one-year period to one or more individuals. There were several confusing terms in that definition. First, what constituted a loss? Does it include just wages and downtime? Or did it also include lost business profits and enhanced security costs? Second, what if a hacker caused $1,000 to five computers? Could those different losses be aggregated to reach the $5,000 threshold? And finally, there was debate whether the loss had to be to an "individual," as the statute required. Was a company an "individual"? Network administrators were constantly confused about which hacking incidents actually invoked the CFAA. Without the $5,000 threshold, the FBI didn?t have the jurisdiction to investigate, and the company may not be able to recover costs in civil actions provided under the CFAA.
The USA Patriot Act radically changed the structure of the CFAA by adding an entire new subsection that clarifies the above issues. First, the Act now specifies that a "loss" is "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." The result of this is that it will be difficult to show that an incident does not meet the $5,000 threshold. The definition is very open-ended by including all costs and consequential damages, as well as lost revenue.
Second, under the new CFAA, the federal government may now aggregate "loss resulting from related course of conduct affecting one or more protected computers." This means that if the hacking incident involves several computers and those losses are related to the same "conduct," then the losses can be lumped together to meet the $5,000 threshold. So if the hacker uses a proxy machine to launch an attack on another machine, the loss from both machines can be combined.
Finally, the Act codifies an earlier court holding that an "individual" means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity."
The network administrator can now be assured that most incidents will involve the CFAA because of the broad range of losses that are now calculated to meet the $5,000, the ability to aggregate several different incidents to other networks and that almost any entity can be affected.
2. The Change in a Hacker?s Intent to Cause a Specified Loss:
An interesting addition to the CFAA is the change in the level of a hacker?s intent to cause damage. Under the old CFAA, in order to violate subsection 1030(a)(5)(A), an offender had to "intentionally [cause] damage without authorization." There was confusion whether the "hacker" had to intend to specifically cause the $5,000 damage that resulted, or whether he intended to cause damage to the protected computer, and $5,000 in damages occurred as a result. This isn?t as semantic as it appears. For example, a hacker gains unauthorized root access to a protected computer, plants a sniffer and erases his log tracks, and as an unintended consequence, he damages the server. Did he intentionally damage the computer?
The Act restructures the statute to make it clear that an individual need only intend to damage the computer, or information on it, and not a specific dollar amount of the loss or harm. This has the effect of making it easier for network administrators and incident handlers to determine whether the incident was a federal offense.
3. The Implication for Computers Located Outside the U.S.:
The changes to the CFAA could have a dramatic impact on foreign (non-U.S.) owners of networked computers. For example, if a Danish e-commerce firm was hacked by a U.S. hacker, it wasn?t clear whether the firm would have any civil recourse under the previous version of the CFAA. The statute covered "protected computers," which was defined as computers "used in interstate or foreign commerce or communication." (Note: the Act also covered specific-use computers, such as U.S. government and financial computers). It was unclear whether the Danish server was used for "foreign commerce" because the relevant "foreign" nation it was conducting business with was the U.S., which under the statue, wasn?t a "foreign" jurisdiction.
The USA Patriot Act clears up this confusion and specifically includes computers located "outside the United States" that are used in a "manner that affects interstate or foreign commerce or communication of the United States." This broad definition would include nearly all networked computers around the world. By clarifying the fact that a domestic crime exists when a foreign computer is hacked from the U.S., the government can now use speedier domestic procedures to join in international hacking investigations. Also, the hacker could be tried and sentenced in the U.S. for an attack on foreign computers.
European network administrators can now look to the Council of Europe?s Cybercrime Treaty to determine the seriousness of an incident originating from Europe, and apply the CFAA to incidents originating, or involving, U.S. computers.
Importantly, it is unclear whether the CFAA can be used for an attack that originates in one country, passes through U.S.-based routers or servers, and affects a computer in a third country. The CFAA applies to protected computers that sustain the requisite losses. The U.S.-based computer likely didn?t suffer any losses in this scenario. So in effect, the law would be applied by a person for losses sustained in country A against a person in country B, with neither of them present in a U.S. jurisdiction or directly affecting a U.S. interest. One could argue that country A could use the CFAA against country B. Under the old CFAA, if a foreign hacker attacked a protected computer in the U.S., he would be liable under the CFAA. If the definition of protected computer includes computer located outside of the U.S., the only thing that has changed is the scope of the coverage. Therefore, the same hacker could be liable for an attack on a protected computer, which now happens to be located overseas.
4. Expansion of Civil Damages:
Congress did not dramatically expand the right to recover losses under a civil action. However, they have limited other actions. (see next section). Under older versions of the CFAA, civil actions could be brought for all violations of the CFAA. The statute provided that "any person who suffers damage or loss by reason of a violation of this section may maintain a civil actin against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages were limited to "economic damages." In other words, economic damages, or actual costs, were only available for losses that made up the $5,000 threshold. Non-economic damages were available under the statute, but only in cases that allege violations of involving impairment of medical treatment, physical injury and threats to public health or safety.
Under the USA Patriot Act, non-economic civil damages are only available for impairment of medical treatment, physical injury and threats to public health or safety and damage to computers used for the administration of justice, national defense and national security. Only economic damages are available for the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
5. Protection of Hardware, Software and Firmware Companies
In an interesting, and often unnoticed part of the USA Patriot Act, Congress prevented civil actions against computer hardware, software and firmware designers and manufacturers for losses occurring from the negligent design or manufacture of their products. Because this limitation was placed in the CFAA, one must assume that Congress wanted to prevent actions against equipment and software that negligently causes damage to protected computers, obtains sensitive information or creates losses for companies that use their product. No where in the Department of Justice?s Field Guidance on New Authorities Enacted in the 2001 Anti-Terrorism Legislation, the Electronic Freedom Foundation?s exhaustive analysis of the Act or any press article resulting from a Lexis search is there any justification or explanation for this unusual technology industry protection. It would be wise to keep an eye on how technology designers and manufacturers use this subsection.
There are many other areas that the USA Patriot Act where significant changes were made to the CFAA, such as enhanced minimum prison terms for all offenses, state convictions counting for prior offenses for determining recidivist sentencing and special new protections for computers used for national security and criminal justice. However, from the perspective of the network administrator, they are not as relevant as the changes discussed above.
The USA Patriot Act makes the job of classifying incidents easier for the network administrators and incident handlers. The administrator can pick up the phone and dial federal investigators with greater confidence that most incidents will meet the $5,000 threshold. Also, administrators located outside of the U.S. have a new potential legal tool to use against hackers and others who cause losses to their systems. Several nations do not provide for a civil cause of action, so the use of the CFAA may be advantageous in recouping losses.
What is interesting is what was not included in the USA Patriot Act. There is no mention of adding violations of the CFAA to the list of specifically enumerated federal crimes that the Attorney General can use to prosecute juveniles. There is also no mention of the confiscation of equipment used to commit cybercrimes. But there is likely to be tremendous controversy over the expanded surveillance powers to federal authorities by the Act. However, such a discussion is beyond the scope of this article because it does not directly impact the responsibilities of network administrators or incident handler. Network administrators would be wise to understand how the USA Patriot Act will affect their companies over the next few years because, unlike other provisions of the Act, the changes to the CFAA will not expire on December 31, 2005.
Bill Reilly is a California-based network security lawyer and a GIAC-certified Advanced Incident Handler. Bill Reilly can be contacted at firstname.lastname@example.org or (415) 771-3463.
Copyright(c) 2001 Bill Reilly. All rights reserved.
This article does not in any way offer legal advice of any kind. Rather, the article is meant as an analysis of a statute and may not be taken for specific legal advice.
There are so many arenas for the United States to expand their influence over - evidently, cyber-space now lies within that jurisdiction as well. An interesting article. How much more abstract is 'cyber-space' than a thing like a 'border'? The precident here is rather disturbing...I may simply be reading it wrong...but the article seems to indicate that the United States feels that it has the authority to 'investigate' in any country, regardless of allegiance, if a crime effecting United States 'commerce' occurs in relation to that country. And when the quasi-religious work of the United States seems to be to develope the world into a unified economy...where would the boundary of US commerce end and begin? It is interesting at the very least.
You cannot start new topics / You cannot reply to topics HTML is disabled / BBCode is enabled
Moderator: Lana, trendal, automan 1,319 topic views. 1 members, 6 guests and 1 web crawlers are browsing this forum.
[ Toggle Favorite | Print Topic | Stats ]