House Judiciary Committee reviewing the Computer Fraud and Abuse Act

Earlier in January, I reported that Congresswoman Lofgren has proposed amending the Computer Fraud and Abuse Act ("CFAA") in response to the prosecution and subsequent suicide of Aaron Swartz and the JSTOR academic documents hacking, and in response to criticism that the preexisting law is both vague and outdated. 

According to Professor Orin Kerr, the bill currently pending before the House Judiciary Committee  is "mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011."  Also, I tip my hat to both Paul Rosenzweig and Peter Toren for providing analysis (on their respective blogs) on the proposed bill (which saved me a great deal of time in comparing the extant bill and the proposed bill line-by-line).

The proposed bill would, among other things:

• . . . increase maximum statutory penalties (both imprisonment and fines).  The difficulty with this is that it is illusory: Under the current CFAA, there are reportedly no cases where a judge has sentenced a defendant to the maximum statutory sentence. Moreover, defendants in the federal courts are sentenced pursuant to the Federal Sentencing Guidelines, which take into account a variety of discretionary factors.  Some commentators believe either Congress is unaware of the current sentencing practices under the CFAA, or it is considering increasing the statutory maximum merely to send the message that it takes computer crime seriously.  An alternative view is that increasing the maximum sentencing lowers the cost of prosecution by providing the prosecution with a stronger lever in plea bargaining. See Frank Easterbrook, Criminal Procedure as a Market System, Journal of Legal Studies 12 (1983).

 

• . . .  make a felony any violation of 18 U.S.C. § 1030(a)(2) ("exceed[ing] authorized access, and thereby obtain . . . information from any protected computer”).  Presently, Section 1030(a)(2) is a felony crime only where (1) “the offense was committed for purposes of commercial advantage or private financial gain,” (2) “the offense was committed in furtherance of any criminal or tortuous act,”or (3) “the value of the information obtained exceeds $5,000."  This is significant because federal prosecutors almost never charge misdemeanors, which they see as minor crimes. Rather, they charge felonies, perceived as "real" crimes. Therefore,  making a 18 U.S.C. 1030(a)(2) violation a 3-year felony is likely to result in a marked increase CFAA prosecutions. One legal scholar opined, "by making conduct that previously only could be prosecuted as a misdemeanor crime into a felony crime, the draft bill would create a far greater incentive to charge a defendant with a “garden variety” CFAA crime."

 

• . . . amend 18 U.S.C. § 1030(a)(2) to “exceed[ed] authorized access” and obtained information and the offense: (1) “involves information that exceeds $5,000 in value; (2) was committed for purposes of obtaining “sensitive or non-public information of an entity or another individual,” including “medical records, wills, diaries, private correspondence … photographs of a sensitive and private nature, trade secrets, or sensitive or non-public commercial business information;” (3) was committed in furtherance of any federal or state crime or; (4) involves information obtained from a computer used by or for a government entity.
  • Currently, the wrongful taking of trade secrets, for example, does not, by itself, fit within "damage" or "loss" under the CFAA. See, e.g., Lockheed Martin Corp. v. Speed, 2006 U.S. Dist. LEXIS 53108, 8 (M.D. Fla. Aug. 1, 2006).   The CFAA currently defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information[.]" 18 U.S.C. § 1030(e)(8). The CFAA defines "loss" as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. 18 U.S.C.S. § 1030(e)(11).
  • The inclusion of “trade secrets or non-public commercial business information” in the definition of covered information may cause problems. Neither term is defined in the draft, but “non-public commercial business information”is much broader than “trade secrets,” which is well-defined under the Uniform Trade Secrets Act, inter alia.   Under the draft bill, the Government would be able to charge a felony for obtaining “non-public commercial business information” although the information does not rise to the level of a trade secret. Prosecutors would be able to charge a felony for theft of trade secrets without having to prove intent to convert the trade secret, as currently required by the Economic Espionage Act.
  • Several scholars have taken exception regarding the description of what type of acts would constitute “exceeding authorized access.”  The bill would criminalize obtaining information from a computer where the offense “involves information that exceeds $5,000 in value.” [Emphasis added], whereas the current version of §1030(a)(2) concerns obtaining information where “the value of the information obtained exceeds $5,000.”  It is not clear whether the use of word “Involves,” rather than “obtained” in the draft bill was intentional, but it is likely to lead to statutory construction problems since it is unclear what it means for an offense to “involve” a type of information.
  • The definition of the phrase “exceed authorized access” is not limited by the draft bill, whereas the CFAA currently defines this phrase as “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” the ambiguity of which has led to a Circuit split over what it means for an employee to access an employer’s computer system in excess of authorization. The 1st, 5th,  7th, and 11th Circuits have concluded that an employee or former employee accessing an employer’s computer with the intent to misappropriate the information exceeds  authorization even if the employee had the right to access the information at the time, whereas the 4th and 9th Circuits have concluded that the statute is violated only when initial access or access of certain information is not authorized ab initio, and the statute was enacted to penalize unauthorized procurement or alteration of information rather than misuse.  This draft should is the perfect opportunity to resolve this ambiguity.

 

• . . . broaden the type of property subject to criminal or civil forfeiture.

 

• . . . make violations of the CFAA predicate acts for a RICO criminal charge. Thus, if one engages in two or more instances of CFAA violations, he or she may be charged with engaging in a pattern of racketeering, subject to substantial additional criminal penalties.

 

• . . . create a new section that would impose a maximum 30-year sentence without eligibility for probation for one who attempts to cause damage or inflict damage on a computer that powers critical infrastructure.

 

• . . . require companies and other “covered entities” that acquire, store or use personal information to report a security breach to its customers within 14 days, subject to certain law enforcement or national security exceptions. Third parties and service providers would be also required to notify a covered entity about a breach, which would then be required to notify its customers. Also a company must notify federal law enforcement within 72 hours of a “major security breach,” (defined as a security breach in which it is “reasonably believed” that the “means of identification” of 10,000 or more individuals have been obtained. “Means of identification”is defined by reference to 18 U.S.C. § 1028, which defines the phrase as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual”).  The section provides for a civil penalty of not more than $500,000 for a violation, and a maximum penalty of $1,000,000, where the violation is “intentional.”  It also does not provide for a private cause of action and expressly preempts state law.

 The bill is harshly opposed by EFF (here). Because I prefer to present both sides, I did spend a few minutes conducting Internet searches for supporters of this draft, but haven't found any just yet.

House passes H.R. 624, the “Cyber Intelligence Sharing and Protection Act”

Last week, on April 18, the House passed the Cyber Intelligence Sharing and Protection Act ("CISPA").  The bill, including amendments, is here: http://www.rules.house.gov/Legislation/legislationDetails.aspx?NewsID=1078.

Currently, there is no corresponding Senate bill. The Senate is widely expected, however, to reintroduce information sharing bills similar to those at issue last Congress as part of the Cybersecurity Act and SECURE-IT Act.

Comments period extended for the Patent Assertion Entities/Antitrust workshop

The Dep't of Justice ("DoJ") and Federal Trade Commission ("FTC") have extended the comments period for the Patent Assertion Entities/Antitrust workshop. In December, a joint workshop was held by the DoJ and FTC to discuss Patent Assertion Entity (PAE) behavior, the effects of such behavior and how antitrust laws apply to such behavior. Following the workshop, the FTC and the DOJ was accepting public comments until March 10, 2013, but that public comment period has been extended to April 5, 2013.

Visit  http://www.justice.gov/atr/public/workshops/pae/index.html#comments for more information on submitting comments.

Hat tip to Alycia R. Kirkevold, Esq., for this timely information.

“Investigating and Prosecuting 21st Century Cyber Threats”

The above-captioned hearing was held before the House Committee on the Judiciary, Subcommittee on Crime, Terrorism, Homeland Security, and Investigation on March 13, 2013.

Members in attendance included: Jim Sensenbrenner (R-WI, Chairman), Louie Gohmert (R-TX, Vice Chairman), Howard Coble (R-NC), Randy Forbes (R-VA), Trent Franks (R-AZ), Jason Chaffetz (R-UT), Trey Gowdy (R-SC), Bob Goodlatte (R-VA), Robert Scott (D-VA), Suzan Delbene (D-WA), Judy Chu (D-CA), Cedric Richmond (D-LA), and John Conyers (D-MI). Witenesses included Jenny Durkan (U.S. Attorney, W.D. Wash), John Boles (Deputy Ass't Director, FBI Cyber Division), Robert Holleyman (President and CEO, BSA, The Software Alliance), and Prof. Orin Kerr, (George Washington University School of Law).

Entirety of the statements and witness testimony is located here.

Read more after the bump.

DHS Cybersecurity: Roles and Responsibilities to protect the Nation’s Critical Infrastructure

The above-captioned hearing was before the House Committee on Homeland Security, held March 13, 2013.

Members in attendance included Michael McCaul (R-Texas) Chairman, Peter T. King (R- New York) , Patrick Meehan (R-Pennsylvania), Steven M. Palazzo (R-Mississippi), Chris Stewart (R-Utah), Keith J. Rothfus (R-Pennsylvania), Susan W. Brooks (R-Indiana), Bennie G. Thompson (D-Mississippi) Ranking Member, Loretta Sanchez (D-California), Sheila Jackson Lee (D-Texas), Yvette D. Clarke (D-New York), Ron Barber (D- Arizona), Donald M. Payne, Jr (D- New Jersey), Beto O'Rourke (D-Texas), Steven A. Horsford (D-Nevada), and Eric Swalwell (D-California).   Witnesses included Hon. Jane Holl Lute (Deputy Secretary, Dep't of Homeland Security), Anish B. Bhimani (Chairman, Financial Services Information Sharing and Analysis Center), Gary W. Hayes (Chief Information Officer, Centerpoint Energy), and Michelle Richardson (Legislative Counsel,
American Civil Liberties Union).

The opening statements recognized the "U.S. Federal Cybersecurity Operations Team" as including DOJ/FBI, DHS, and DoD; alleged that China, Iran and Russia are "dangerous offenders" in cyber-attacks against the U.S. and against American financial institutions; and —citing the recent Executive Order— that Cybersecurity should be the highest legislative priority in this Congress.

The entirety of the statements and witness testimony can be found here.

“Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force”

The above-captioned was a hearing before the House Committee on Armed Services Subcommittee on Intelligence, Emerging Threats, and Capabilities, held March 13, 2013.  The entirety of the statements can be found here.

Read more after the bump.

NIST Publishes RFI on CyberSecurity Framework

On February 26, the National Institute of Standards and Technology (NIST) published a request for information ("RFI") on the “Framework for Reducing Cyber Risks to Critical Infrastructure,” as directed by the February 13 Executive Order on Improving Critical Infrastructure Cybersecurity. Submission deadline is April 8, 2013.

Bill, Social Networking Online Protection Act, Reintroduced 2/06/2013

The Social Networking Online Protection Act (SNOPA), "A bill to prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website,"  was reintroduced on February 6th by Representatives Eliot Engel (D-N.Y.), Jan Schakowsky (D-I.L.) and Michael Grimm (R-N.Y.).   The bill would not only ban employers and schools from being able to request or require that employees, job applicants, students, or student applicants provide access to personal password protected digital accounts, but also would protect such persons from being punished for refusing these requests.

Although the bill is welcomed by privacy rights advocates, some contend it may actually protect businesses and schools from legal liability because, without access, constructive custody, or control, it may be more difficult for an employer or school to be held vicariously responsible for digital content authored by an employee or student on a personal account.

Executive Order - Improving Critical Infrastructure Cybersecurity

The above-captioned Executive Order signed yesterday was developed to manage cybersecurity risks to critical infrastructure, and addresses two key issues: information sharing and development of a cybersecurity framework.

Information Sharing
Under this Executive Order, the Government will expand current information sharing responsibilities. These include the development of non-classified reports on threats and efficient dissemination of classified reports to appropriate individuals.

In addition, the process of issuing security clearances to certain personnel will be expedited, and the Secretary of Homeland Security will increase the programs for private sector subject matter experts into Federal service on a temporary basis. This includes the Defense Industrial Base, which will now be open to additional sectors.  The Secretary of Homeland Security will establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. All policies will be reviewed by the privacy office of DHS.

 

Cybersecurity Framework

The National Institute of Standards and Technology (NIST) will lead the development of a Cybersecurity Framework to include standards, methodologies, procedures, and processes to address cyber risk. NIST will engage in an open review and comment process.

DHS and Sector Specific Agencies (see prev. post for explanation) will establish a voluntary program to support the adoption of the Cybersecurity Framework. SSAs will report annually to the President how institutions identified at greatest risk (as determined by DHS with input from SSAs), are complying with the Cybersecurity Framework. Institutions identified at greatest risk will be notified confidentially.

DHS will coordinate and establish incentives to promote participation in the Program.  Agencies with responsibility for regulating the security of critical infrastructure will work with DHS, the Office of Management and Budget (OMB) and National Security Staff to review the preliminary Cybersecurity Program and determine if current requirements are sufficient. The regulatory agencies will provide a report as to their ability to regulate in this space. If current regulatory requirements are deemed insufficient, agencies will propose actions to mitigate cyber risk. Independent regulatory agencies are encouraged to participate in the consultative process.

Deadlines:

• 120 days – Attorney General, Secretary of Homeland Security, and Director of National Intelligence will issue instructions releasing unclassified reports of cyber threats.
• 120 days – Secretary of Homeland Security and Secretary of Defense will establish procedures to expand the Enhanced Cybersecurity Services program.
• 120 days – DHS, Treasury and Commerce shall make recommendations of a set of incentives to encourage participation in the Program.
• 120 days – Department of Defense, General Services Administration and Federal Acquisition Regulatory Council report on feasibility of including security standards into acquisition planning and contract administration.
• 150 days – DHS will identify critical infrastructure at greatest risk.
• 240 days – NIST to provide a preliminary version of the Cybersecurity Framework
  • 90 days of release of preliminary – Regulatory agencies submit a report to the President whether they have authority to establish requirements based on the Framework.
  • 90 days release of final – If current regulatory requirements are deemed insufficient, regulatory agencies shall propose actions to mitigate cyber risk.

Presidential Policy Directive on Critical Infrastructure Security and Resilience

Presidential Policy Directive on Critical Infrastructure Security and Resilience

The Presidential Policy Directive, PPD-21, released on February 12 supersedes the 2003 Homeland Security Presidential Directive (PPD-7). The intent of the Directive is to provide an “all hazards” approach to the risks facing critical infrastructure.

PPD-21 directs and encourages the participation of critical infrastructure owners and operators.

Department of Homeland Security (DHS)
The DHS has primary responsible for maintaining national critical infrastructure centers for situational awareness, coordinating Federal Government response to significant cyber or physical incidents and reporting annually on the status.

DHS will coordinate with sector specific agencies to:

• Identify and prioritize critical infrastructure
• Provide analysis, expertise and other technical assistance to critical infrastructure
• Conduct comprehensive assessments of vulnerabilities
• Map and sort critical infrastructure.

DHS will support the law enforcement agencies to investigate and prosecute threats.

In addition, DHS will run two national critical infrastructure centers. One will focus on cyber threats and the other will be on physical threats. They will be integrated and will perform analysis and situational awareness.

Sector Specific Agencies (SSAs)

The following are the SSAs:

• Chemical : Department of Homeland Security
• Commercial Facilities : Department of Homeland Security
• Communications : Department of Homeland Security
• Critical Manufacturing : Department of Homeland Security
• Dams : Department of Homeland Security
• Defense Industrial Base : Department of Defense
• Emergency Services : Department of Homeland Security
• Energy : Department of Energy
• Financial Services : Department of the Treasury
• Food and Agriculture : U.S. Department of Agriculture & Department of Health and Human Services
• Government Facilities : Department of Homeland Security & General Services Administration
• Healthcare and Public Health : Department of Health and Human Services
• Information Technology : Department of Homeland Security
• Nuclear Reactors, Materials, and Waste : Department of Homeland Security
• Transportation Systems : Department of Homeland Security and Department of Transportation
• Water and Wastewater Systems : Environmental Protection Agency

Each SSA has unique responsibilities for its corresponding sector, including:

• Working with owners and operators to implement the directive
• Serve as day-to-day interface for the coordination of sector activities
• Carry out incident management responsibilities
• Provide support or facilitate technical support for the sector
• Annually provide sector-specific critical infrastructure information.
  Additional Responsibilities

In addition, several other federal departments are required to support the functions of critical infrastructure, including:

• Engaging foreign governments (Department of State)
• Counterterrorism and counterintelligence investigations (Department of Justice, including Federal Bureau of Investigation)
• Resilience of national monuments (Department of the Interior)
• Encourage research and development to improve security and technology (Department of Commerce)
• Provide intelligence assessments (Director of National Intelligence)
• Ensure audit rights for government contracts (General Services Administration)
• Oversee protection of nuclear reactors (Nuclear Regulatory Commission)
• Identify, prioritize and respond to vulnerabilities in communications infrastructure (Federal Communications Commission)
• Inform the situation awareness (all Federal departments and agencies)

All agencies are directed to review and continue information sharing with an assurance that privacy requirements are met.

Deadlines:

• 120 days – DHS to develop a description of the functional relationships  within DHS and across the Federal Government
• 150 days – DHS and SSAs evaluate existing public-private partnerships
• 180 days – DHS and SSAs identify baseline data and system requirements for Federal government
• 240 days – DHS develop a near-real time situational awareness capability
• 240 days – DHS update National Infrastructure Protection Plan
• 730 days (2 years) – DHS with OSTP, SSAs and DoC develop a research and development plan

New Cyber Security Bills to be Introduced to the House & Senate

Rep. Mike Rogers (R-Mich.), the chair of the US House Intelligence Committee intends to reintroduce H.R. 3523, the Cyber Intelligence Sharing and Protection Act ("CISPA"), which would provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities. Although this initiative has apparently not yet been reported in the news, I was given the privilege to comment on and supply proposed language for the legislative drafts based on a request by the Representative's office to a trade organization I belong to.

Also, Senators John D. (Jay) Rockefeller IV (Chair of the Senate Commerce, Science, and Transportation Committee), Tom Carper (Chair of the Senate Homeland Security and Governmental Affairs Committee), and Dianne Feinstein (Chair of the Senate Select Committee on Intelligence),  have introduced introduced a new Bill styled the Cybersecurity and American Cyber Competitiveness Act 2013, "To secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses." The press release is here, and the Bill is here.