Sunday, November 15, 2015
Today, I’d like to talk about the Justice Department’s perspective on the Computer Fraud and Abuse Act (CFAA): how we use it to fight cybercrime and to protect privacy, and how we propose to improve it. Whether and how to improve the CFAA has generated many interesting academic ideas over the last few years, and will be the subject of some of the discussion here later. For our part, the administration has proposed several targeted updates that we believe will help law enforcement keep up with evolving cyber threats, and consequently benefit computer users and those whose information is stored on computers.
I hope that my remarks will both set the stage for the panels to come, and also elucidate how federal prosecutors have applied the CFAA to prosecute serious financial crimes and invasions of privacy. Equally, I know that I speak for my colleagues on the panels and in the audience when I say that we look forward to a robust discussion of the statute, its use and its appropriate reach.
The CFAA was drafted and enacted in the early 1980s. At that time, the computer age in America was rapidly dawning. The amount of information stored digitally was growing equally quickly, feeding a growing public concern about the victimization of citizens and businesses through computer systems. A decade later, we would call that victimization “cybercrime.”
In response to that public concern, Congress included provisions in the Comprehensive Crime Control Act of 1984 to address the unauthorized access to and use of computers and computer networks and created a new statute—Title 18, U.S. Code, Section 1030. The legislative history indicates that Congress intended these provisions to provide “a clearer statement of proscribed activity” to “the law enforcement community, those who own and operate computers, as well as those who may be tempted to commit crimes by unauthorized access.” Two years later the statute was amended and renamed the Computer Fraud and Abuse Act.
At its core, the CFAA reflects a basic expectation that computer owners and operators are entitled to control access to their computer systems and networks. And it reflects the need for rules of the road in cyberspace just like in physical space, so that computer users can expect that information stored there remains safe. Computers in 2015 may not look much like computers in 1984, but the statute’s authors envisioned that technology would evolve and complex relationships would emerge among computer owners, operators and users—and worked to establish and refine legal definitions that would accurately capture the most salient aspects of those complexities in describing criminal conduct.
Additionally, over the years, as new types of cybercrime—like cyber extortion and distributed denial-of-service (DDOS) attacks using botnets—have arisen, and as courts and Congress have gained experience with the statute, the CFAA has been updated several times to reflect these emerging trends in criminal conduct.
And, throughout, we have debated how prosecutors should most effectively hold cyber criminals accountable, prevent and punish financial crimes, and vindicate the privacy rights of our citizens—while protecting free expression, encouraging development of new technologies, and fostering essential computer security research. Sometimes these interests point in the same direction; sometimes they compete with one another and a balance has to be struck. In some cases, those debates have played out in legislative hearings, in popular media or in academic settings such as this. Often, the department has engaged with key constituencies, such as computer security researchers, to better understand their concerns.
In making decisions about whether to bring federal charges in cybercrime cases, prosecutors look to the Principles of Federal Prosecution, as they do in all cases. Those principles direct us to the general factors that affect all charging decisions—like the losses experienced by the victim of the crime and the deterrent effect of prosecution. But we also go a step further and consider factors specific to cybercrimes. These factors include the sensitivity of information that has been obtained and disclosed, whether damage to a computer system affects public safety, market integrity or critical infrastructure, and whether the activity is related to a larger criminal endeavor. Department prosecutors take charging decisions very seriously. These decisions are part of pursuing the department’s overall mission to protect Americans’ privacy and security and to seek justice for victims.
One point that is not always recognized is that many of the most robust and thoughtful discussions on these topics have taken place wholly within the Department of Justice. We have these discussions internally on a daily basis, as prosecutors carefully weigh the appropriateness and possible long-term consequences of our charging decisions. And, of course, we cannot always talk about those decisions. But that is one of the reasons why I am happy that we have both current and former federal prosecutors here today, who can share some of what we’ve learned from our deliberations.
Continuing to examine this important balancing process is crucial, as the concept of cyberspace constantly evolves. Computers are now ubiquitous in our lives—at home and at work. Just about everyone in this room probably has one in front of you, in your hands, in your pocket or on your wrist. Some of you probably have two or three. We use computers to manage just about every aspect of our lives—our finances; our health. And, increasingly, we use computers to control our cars, our refrigerators, lightbulbs and thermostats. Our reliance on computer networks and electronic devices will only keep growing. One study predicts that the Internet economy of G-20 countries will grow to $4.2 trillion by 2016, which means that if it were a country it would rank among the top five economies in the world—it would be Germany.
The same trends will also mean, however, that individual hackers, organized criminal networks and nation states will find even more ways to victimize American citizens and businesses in cyberspace.
Hackers are already able to steal the financial information of millions of victims from a computer halfway around the world—we should expect to see them turning toward other types of information stored on networks, so long as it can be monetized or exploited.
Cyber criminals can already orchestrate massive disruptions of businesses and spirit away trade secrets in seconds—we should expect them to aim disruptions at new targets of opportunity or of political interest, and to steal from developing industries.
And, of course, every day we have threats that come from within, such as the disgruntled IT manager, the soon-to-be ex-employee and other company insiders who steal, delete or otherwise compromise company or private, personally identifiable information—there is little reason to expect this phenomenon will change, except that the criminally-inclined insider can now wreak ever-more damage with ever-less effort.
This past year alone we saw a series of extraordinarily invasive and damaging data breaches that victimized some of our nation’s largest businesses, as well as the federal government itself, with tens of millions of personal and consumer records being stolen or compromised at a time. All types of businesses were victimized, from banks to retailers, to mom and pop financial firms, to entertainment companies, to restaurant chains, to health care providers. Sadly, according to data from a recent report, there are twelve new victims of online crime every second—which means there will be more than 20,000 additional victims by the time I’m done speaking.
The cost of cybercrime is staggering. One study last summer estimated the annual loss to the global economy due to cybercrime at as much as $400 billion. But the financial effects can never capture the unquantifiable harms—the invasion of privacy, the trauma of sextortion, the personal strain of identity theft—that cybercrime causes its victims.
So, what has the Justice Department been doing about these cyber threats? The Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS), along with prosecutors in U.S. Attorneys’ Offices around the country, has been successfully using the CFAA to combat cybercrime and vindicate the privacy rights of victims for over two decades. They work closely with agents from the FBI, the U.S. Secret Service and other law enforcement agencies. And they also work in conjunction with attorneys from the National Security Division, who are responsible for cyber cases involving terrorism or nation-state actors. CCIPS is the linchpin of the department’s anti-cybercrime efforts, and has been involved in one capacity or another in practically every significant cybercrime case involving the CFAA.
CCIPS and the U.S. Attorneys’ Offices represent the front line of our cybercrime prosecution efforts, and work closely with law enforcement agencies on complex and often long-term investigations against many of the world’s worst computer criminals. Computer crime investigations can literally span the globe, and successfully building a prosecution can involve collecting evidence from multiple victims in different countries, over months and years. But we have succeeded at unplugging some of the worst offenders, whether by successfully prosecuting them, working with international partners to ensure that they are charged in other countries, or disrupting the technical and financial infrastructure upon which they depend.
Let me now discuss the department’s recent use of the CFAA in two types of cases: to combat botnets—networks of victim computers surreptitiously infected with malware—and to prosecute corrupt insiders—a serious threat to cybersecurity. These types of cases have vindicated the rights of victims when hackers invade their privacy by stealing confidential information. Additionally, I will describe how the administration’s targeted updates to the CFAA would empower law enforcement to better address these evolving threats.
Botnets threaten our privacy on a magnitude previously unimaginable. Individual hackers and organized criminal groups are using state-of-the-art techniques to infect hundreds of thousands—sometimes millions—of computers and cause massive financial losses, all while becoming increasingly difficult to detect.
As you probably know, when a computer becomes part of a botnet, it can be remotely controlled from another computer and used as infrastructure for a variety of illicit activities. Sometimes called “bot-masters” or “bot-herders,” cyber criminals who control botnets take control of the victim computers, or “bots.” They can then command those victim computers to steal financial information, personally identifiable information, login credentials and other information from victims who often do not realize their computers have been compromised.
The threat from botnets has increased dramatically over the past several years. Because utilizing botnets can be so lucrative, their designers use sophisticated code, often located on servers in foreign countries, and employ the latest in encryption methods—all designed to frustrate personal and corporate cybersecurity efforts, and to prevent law enforcement from responding effectively. Indeed, recent cases demonstrate that botnets are used by criminals halfway around the world to commit crimes of a scope and sophistication that was difficult to imagine only a few years ago.
Despite the scale and complexity, however, the department has had success in combatting botnets. One of the most effective methods has been to prosecute those responsible for the creation of the botnets using the CFAA. For example, a couple of months ago, pursuant to a DOJ request, our foreign law enforcement partners in Cyprus arrested Andrey Ghinkul, a Moldovan national. Mr. Ghinkul was allegedly responsible for creating the botnet known as “Bugat” or “Dridex,” which infected computers worldwide and was used by criminals to steal banking credentials and, ultimately, millions of dollars from victims. It was specifically designed to defeat antivirus and other defensive measures employed by victims. The FBI estimates that the Bugat/Dridex botnet is responsible for at least $10 million in U.S. losses. Mr. Ghinkul was indicted under the CFAA and the department is seeking his extradition to the United States.
In addition, the department seeks to disrupt and dismantle botnets, through the use of seizures, forfeitures, restraining orders, and other civil and legal processes. We did that with respect to Bugat/Dridex, obtaining a civil restraining order to disrupt its operation, following a similar action taken by British law enforcement. And last year, we did the same with respect to the notorious Gameover Zeus botnet—a sophisticated type of malware that created a global network of between 500,000 and one million infected victim computers. Criminals used this botnet to steal about $100 million from consumers and businesses.
The Gameover Zeus botnet also was used to infect computers with Cryptolocker—a form of malware that would encrypt the files on a victim’s computer until they paid a ransom. One estimate indicated that victims paid more than $27 million in ransom in just the first two months after Cryptolocker emerged. Last May, using various civil and criminal legal processes, the department, with judicial authorization and oversight, wrested domains and servers from cyber criminals’ control, prevented infected computers from communicating with the criminals’ command and control infrastructure, and liberated hundreds of thousands of computers.
So far, so good. But as I mentioned before, criminals can be incredibly creative in the way in which they victimize innocent computer users—and the Internet can be a powerful tool that enables them to do so. And while the department has enjoyed success against botnets and, accordingly, vindicating victims’ privacy rights, our cases have revealed shortcomings in the CFAA which limit our ability to disrupt botnets and prosecute the criminals behind the keyboards.
First, although botnets can rely on extremely sophisticated programming, cross-border infrastructure, and the latest in encrypted communications technology, you don’t need to be an expert to use one. You can go online, for example to a dark market on the Tor network, and buy one. Or you can rent one—investigations have revealed botnets advertised for rent for about $300 to $500 a day, or even less for a short-term DDOS attack. Criminals can then use the infected computers to commit various offenses—including stealing personal or financial information from U.S. citizens and businesses—while distancing themselves from the conduct by which those thousands (or more) of computers were initially hacked.
Unfortunately, the CFAA currently poses obstacles to our ability to prosecute botnet trafficking, because it does not expressly cover buying or selling access to botnets. Instead, it only expressly prohibits the sale or transfer of “passwords and other information.” This loophole has already prevented the department from prosecuting clearly wrongful conduct. In one case, an undercover officer discovered that a criminal was offering to sell a botnet consisting of thousands of victim computers. The officer accordingly made an undercover purchase of the botnet from the criminal and notified the victims that their computers were infected. The operation, however, did not result in a prosecutable U.S. offense because there was no evidence that the seller had created the botnet in question, and accordingly the seller was free to continue his activity. This loophole will prevent federal prosecutors from being able to prosecute other individuals for selling access to infected computers.
The provision for the trafficking in “passwords or other information” also poses an obstacle, because it currently requires proving that the defendant had an intent to defraud. But such intent is often difficult—if not impossible—to prove in botnet trafficking cases because the traffickers often have a wrongful purpose other than the commission of fraud. This can be the case when botnets are rented to conduct DDOS attacks. DDOS attacks may be committed out of malice, as ideological warfare against those with whom they disagree, or even as a paid service to other criminals. But such attacks are not always committed with an intent to defraud.
Alternatively, criminals may rent botnets as a proxy to conceal their identity while committing other crimes, such as drug dealing and the sexual exploitation of children. While the botnets in such circumstances are being used to further criminal activity, the CFAA would not apply because there was no intent to defraud.
In response, the administration has proposed an update to the CFAA that would clarify that it is illegal to sell or rent control over infected computers, just like it is already clearly illegal to sell or transfer computer passwords. The proposal would amend the CFAA to expressly prohibit trafficking in “means of access.” Such language would make clear that the CFAA not only prohibits the sale or transfer of “passwords and other information,” but also prohibits the sale of access to the hacked computers that make up botnets.
The proposal would also update the CFAA by replacing the current requirement that the government prove that the offender had an “intent to defraud” with a requirement to prove that the offender both knew that his conduct was “wrongful,” and also knew or should have known that the means of access would be used to hack or damage a computer. Combined, these amendments would help the CFAA adapt to meet the evolving threat of botnets and ensure that the department has the necessary means to dismantle criminal infrastructure and vindicate the privacy rights of botnet victims.
Second, there is a similar gap in the statute that gives prosecutors the ability to undertake technical disruptions of botnets such as the ones that we deployed against Bugat/Dridex and Gameover Zeus. We were able to do so in those cases because the law gives federal courts authority to issue injunctions to stop the ongoing commission of fraud or illegal wiretapping. But, as I noted, botnets can be used for other types of illegal activity. To close this gap, we have proposed to change the law to permit the government to seek such a court order in any case where 100 or more victim computers have been hacked.
Another area where the department believes the CFAA needs to be updated concerns the “insider threat”—the threat to privacy and security from those who have limited authorization to access computers and networks, but intentionally exceed that authority to compromise sensitive information. The department believes that the CFAA should protect computer owners against people who intentionally abuse a computer system, even if they have some authorization to access the system under limited circumstances—like company employees authorized to access a sensitive database but only for specified work purposes.
The insider threat to American companies is both diverse and very real. Written policies between computer owners and the individuals to whom some access must be granted are an important way to secure information, because those policies make the limits of authorization explicit.
But insiders nonetheless may violate those rules by intentionally exceeding the limits of authorization they were granted, such as when an insider brings proprietary information to their next employer, exposes a political candidate’s private medical records or simply sells confidential information without any knowledge or concern of what the buyer intends to do with it. Violating these written restrictions harms businesses as well as average Americans, particularly when the information stolen by insiders contains the private information of consumers, such as credit card numbers, banking information or social security numbers.
The CFAA has been a powerful authority in our fight to protect victims of crimes committed by insiders who exceed authorized access to their employers’ computers. The department has used the CFAA, for example, to charge police officers who took advantage of their access to confidential criminal records databases in order to look up sensitive information about a paramour, sell access to those records to others, or even provide confidential law enforcement information to a charged drug trafficker.
We have also used this statute to prosecute an employee of a health insurer who used his access to improperly obtain the names and social security numbers of thousands of current and former employees (as well as information about how much his colleagues were being paid). We have prosecuted a system administrator for reading the emails of a company’s CEO, and for passing those emails on to a competitor. All of these insider hackers had some right to access those computers—their employers had to give them that access so they could do their jobs. Their conduct became a crime under the CFAA only because they intentionally exceeded their employer’s computer access rules.
However, recent judicial decisions have imposed obstacles in much of the country to prosecuting such cases. These decisions adopted a restrictive interpretation of the term “exceeds authorized access” in the CFAA based on a concern that the statute potentially makes relatively trivial conduct a federal crime. For example, federal judges expressed concern that the statute could be construed to permit prosecution of a person who accesses the Internet to check baseball scores at lunchtime in violation of her employer’s strict business-only internet use policy. Or perhaps where someone joins a dating website but lies about his physical fitness in violation of the site’s terms of service that require users to provide only accurate information.
The department has no interest in prosecuting anyone for such activity. Yet, as a result of these recent decisions, insiders in the affected circuits are effectively immunized from punishment under the CFAA even when they intentionally exceed the bounds of their legitimate access to confidential information and cause significant harm to their employers and to the people—often everyday Americans—whose data is improperly accessed. Essentially legalizing insider hacking ignores the significant threat posed by insiders. Just the other month, the Ninth Circuit overturned CFAA convictions in a case where a private investigator bribed a Los Angeles police officer in exchange for confidential police records and paid a phone company employee for private commercial information. This is exactly the kind of abuse of privacy that, in DOJ’s view, we should be deterring.
Therefore, the administration has proposed an update to the CFAA that maintains the law’s key privacy-protecting function while ensuring that trivial conduct does not constitute a federal crime. To accomplish this, the proposal does two things.
First, it clarifies that the definition of “exceeds authorized access” includes the situation where the person accesses the computer for a purpose that he knows is not authorized by the computer owner. This clarification is necessary to permit the prosecution of, for example, a law enforcement officer who is permitted access to criminal records databases, but only for official business purposes.
Second, the proposal adds new requirements that the government must meet to make clear that trivial conduct does not constitute an offense. Under the proposed language, accessing a protected computer in excess of authorization and obtaining information would constitute a crime only if the information so obtained is valued at $5,000 or more, or the access is in furtherance of a separate felony offense, or the access is to a government computer.
The administration’s proposed amendments will empower the department to prosecute and deter significant threats to privacy and security posed by insiders who abuse their access. Simultaneously, the updates ensure that the CFAA does not inadvertently cover trivial conduct that we have no interest in prosecuting.
In closing, over the years, the CFAA has been a critical statute that the department has used to protect the privacy and security of American citizens and businesses. But as cybercrime evolves, our laws must also evolve.