NO INTERNET DOES NOT MEAN NO PROTECTION UNDER THE CFAA: WHY VOTING MACHINES SHOULD BE COVERED UNDER 18 U.S.C. s. 1030.

Author:Dahm, Jack
 
FREE EXCERPT

[T]hese [cyberattacks] are persistent, they are pervasive, and they are meant to undermine America's democracy on a daily basis, regardless of whether it is election time or not. Russian actors and others are exploring vulnerabilities in our critical infrastructure as well.... The warning signs are there, the system is blinking, and that is why I believe we are at a critical point. --Dan Coats, Director of U.S. National Intelligence, July 13, 2018 (1) INTRODUCTION

The threat of cyberattacks to America's networks is ever increasing. (2) Dan Coats, the Director of U.S. National Intelligence, addressed this problem in a speech before the Hudson Institute (3) on July 13, 2018. (4) Coats recalled the months before September 2001, when then-current CIA Director George Tenet said, "the system was blinking red." (5) Coats then alerted the Hudson Institute, "I'm here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack." (6) Coats identified Russia as being "the most aggressive foreign actor--no question." (7) Russia has become a global force in cyber warfare. (8) So far, the biggest target of their attacks has been the 2016 U.S. election. (9)

Largely in response to Russia's cyberattacks and continued cyberthreats, the U.S. Attorney General established a Cyber-Digital Task Force within the Department of Justice (DOJ) in February 2018. (10) This newly created task force released its first public report on July 19, 2018. (11) Then-Attorney General Jeff Sessions announced the release of the report, while promising that "[a]t the Department of Justice, we take these threats seriously." (12) The report was designed to answer the following question: "How is the Department [of Justice] responding to cyber threats?" (13) The report begins by discussing the threat of foreign influence operations, described by the Task Force as "one of the most pressing cyber-enabled threats our Nation faces." (14) Specifically, the Task Force focuses on the dangerous threat of Russia to U.S. elections. (15)

After detailing the scope of this and other threats, the Task Force outlines the key prosecutorial tools available to the DOJ in combating cyberattacks. (16) The first tool, which this Note will discuss at length, is the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. [section] 1030. (17) The CFAA falls at the top of the Task Force's list because, as it mentions, "[the CFAA] remains the... principal tool for prosecuting computer crimes." (18) Many other scholars have described the CFAA as the cornerstone of computer fraud litigation. (19) The Task Force provides a simple definition of the CFAA, explaining how it "gives the owners of computers the right to control who may access their computers, take information from them, change how the computers work, or delete information on them." (20)

Later in the report, after emphasizing Russian interference with elections as the principal cyberthreat and the CFAA as the principal prosecution tool, the Task Force asserts that "[the CFAA] currently does not prohibit the act of hacking a voting machine in many common situations." (21) The Task Force plainly states that "the CFAA only prohibits hacking computers that are connected to the Internet (or that meet other narrow criteria for protection)." (22) However, the text of the CFAA does not explicitly require that hacked computers be connected to the internet, nor have the courts interpreted this as a requirement of the CFAA. (23) Though most of Russia's known cyberthreats have not been aimed directly at the voting machine devices themselves, the Task Force's assertion still raises a big question: Does the CFAA only apply to internet-connected devices?

This Note seeks to answer that question, ultimately concluding that internet connection is not required for a computer to reach protected status under the CFAA. Part I of this Note describes the background of the CFAA, specifically detailing the types of crime it was meant to punish, its definition of "computer," and its definition of "protected computer" (which builds on the definition of "computer" by providing the jurisdictional hook). Part II moves away from the Act's legislative history and discusses how courts have interpreted the CFAA over time. Part III applies the CFAA to the hacking of a voting machine (assumed to be without internet). Here, a voting machine is used as the vehicle for the analysis but much of the reasoning could apply to other non-internet-connected devices. Part III argues that the hacking of a voting machine is certainly within the current-day scope of crimes meant to be punished by the CFAA, that voting machines fall within the Act's definition of "computer," and that voting machines probably fall within the definition of "protected computer." From there, the Conclusion explains why an amendment to expressly add voting machines to the definition of the CFAA would not be the best solution (especially since they are likely already protected). The Conclusion then analyzes the risks of the continuing expansion of the CFAA's scope and addresses the relative potential of Russia's cyber-threats to voting machines compared to their other election-related cyberthreats.

  1. BACKGROUND ON THE CFAA

    The CFAA is only thirty-two years old, having been passed in 1986 as an amendment to the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. (24) The legislative history of the CFAA shows that Congress wanted "to provide a clear statement of proscribed activity... to the law enforcement community, those who own and operate computers and those tempted to commit crimes by unauthorized access." (25) Since 1986, Congress has amended the CFAA eight more times. (26) Each of these several amendments has "widened the depth and breadth of the Act by adding substantive offenses, lowering levels of scienter, or increasing penalties." (27) Congress will assuredly continue to amend the CFAA given the rapid increase in technology development. Because there have been so many changes to the CFAA, this Part does not offer a comprehensive review of all of the amendments, but it will highlight a few of the important changes and present the law as it stands today.

    1. The Substantive Crime: 18 U.S.C. [section] 1030(a)

      The CFAA is meant to prevent "fraud and related activity in connection with computers." (28) The requisite mens rea for the crime is "intentionally," (29) thus the Act is meant to punish only the most culpable actors. The actual substance of the crime has evolved with time as Congress has continually amended the Act and technology has substantially changed. (30) The amendment process started with the CFAA itself when it expanded the scope of the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, which was strictly designed to protect information, records, and computers used by the U.S. government. (31) The 1986 amendment did not remove the language of the original statute, but simply expanded its scope. Therefore, portions of the Act still reflect its original, more narrow intent from back in 1984. (32) Today, far beyond preventing only the hacking of computers belonging to the U.S. government, the Act prevents the hacking of "any protected computer," (33) a definition that will be further discussed in Sections II.B and II.C.

      While the Act has broadened to cover the hacking of more types of computers, it has remained fairly consistent in defining what it means to hack a computer (though the courts have interpreted this definition of hacking in different ways). (34) A hacking worthy of punishment under the CFAA involves a person who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information." (35) The key words from this definition, which have triggered much legal argument, are "without authorization or exceeds authorized access." Congress attempted to aid the courts in understanding these words by providing a definition of "exceeds authorized access," which reads: "[T]o access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." (36) However, this definition is rather circular and does not provide additional context beyond the text of the phrase itself. On top of that, Congress has never defined "without authorization." Therefore, it has largely been up to the courts to answer the following questions: What does it mean to access a computer without authorization? What does it mean to exceed authorized access? The courts' answers to these questions bear important weight, as they directly influence the scope of the substantive crime.

      It is worth briefly noting the varying degrees of punishment for offenses committed under the CFAA. Based on the severity of the offense, a criminal defendant might receive a fine under the tide of the Act, a prison sentence ranging from not more than one year to not more than twenty years, or possibly both a fine and prison sentence. (37) The upward bound of twenty years in prison illustrates the gravity of potential offenses committed under the Act. The full punishment scheme is laid out in subsection (c) of the Act. (38) Initially, the CFAA was only a criminal statute, but Congress later expanded it to allow for recovery of civil damages as well. (39)

    2. The Definition of "Computer": 18 U.S.C. [section] 1030(e)(1)

      While the meaning of the phrase "without authorization or exceeds authorized access" greatly influences what actions are considered criminal under the Act, there can be no criminal action under the CFAA without the involvement of a computer. Again, this statute was conceived back in the 1980s, when computers were very different from what they are now. Aside from the enormous advancements with regard to the traditional computer, the breadth of computer-like...

To continue reading

FREE SIGN UP