Categories
Archives
- September 2008
- August 2008
- July 2008
- May 2008
- April 2008
- March 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005
- July 2005
- June 2005
- May 2005
- April 2005
- March 2005
- February 2005
- January 2005
- December 2004
- November 2004
Many of our readers know that the principal cybercrime statute in the United States is the Computer Fraud and Abuse Act, 18 U.S.C. 1030. It has served well over the years since enaction but some prosecutors (and civil plaintiffs to which it also applies) have complained that it does not keep up with newer types of cybercrime. Possibly in response to these critics, Senators Hatch (UT), Biden (DE), and Cochran (MS) have introduced an amendment to Section 1030.
The new bill, "Cyber-Crime Act of 2007" (S. 2213) (Thomas tracker) would make three substantial amendments:
First, it would prohibit "conspiracy to commit an offense" as well as the offenses actually committed. Currently Section 1030 does not cover explicitly "conspiracy" to commit any of its prohibited offenses, although prosecution was possible under other "conspiracy" provisions of Title 18. This makes it explicit now.
Second, the bill seeks to expand the required damage to protected computers threshold from $5,000 in a one-year period to "damage affecting 10 or more protected computers during any one-year period." Currently, in order to be able to prosecute a cybercriminal under some provisions of 1030, there must have been a minimum threshold of $5,000 in damages caused by the alleged cybercrime. In many cases this was not an issue, for example where the cybercrime had a direct financial loss of $5,000. However, other cases may not be so clear-cut. For example, if a small company’s computer is breached and the company expends some time and effort to investigate and fix the problem, the question becomes whether the expenses that the company incurred meet the $5,000 threshold. Should full-time employees’ time be calculated on a per-hour basis to determine damages? How should loss of good will be calculated if the breach becomes public? In some cases these questions have created difficult questions.
Other reasons to introduce the damages to 10 computers requiremens are a couple of relatively new types of crime - Distributed Denial of Service (DDoS) and botnets. Both are very closely interrelated in that the cybercriminal obtains control of a high number of computers (sometimes called ‘zombies’ and almost always substantially more than 10) which they use to disable Internet resources, send spam or phish emails, or use the substantial aggregate computing and network power of these botnets for other evil purposes. Because by definition the owners of the zombie computers would not know that they are part of the botnet, they would not be able to assert damages and meet the $5,000 threshold. Creating a 10 or more damaged computers provision would allow prosecution of botnet operators under Section 1030 without having to show monetary damages to a particular zombie machine.
The reality is that botnet operators can possibly be targeted under Section 1030 for the damages they do as a result of using the botnet to commit a specific act (e.g. spam, phish, DDoS); however, the new proposed provision would allow prosecution before the cybercriminals strike, not after. Kudos for giving tools for proactive legal measures against such acts.
The third of the proposed substantial amendments adds cyber-extortion and threats to reveal confidential information illegally obtained from computer to be computer damage and thus eligible for prosecution under 1030. This provision also aims to deal with a frequent type of cybercrime where there is no verifiable damage. Cyber-extortion can take many forms, but most often the cybercriminals seek to obtain money or something of value in exchange of either i) not attacking or disabling a certain computer or network resource or ii) not releasing confidential information obtained in an illegal way. The new provision covers these and similar situations.
The proposed amendments to Section 1030 are a good step towards catching up with cybercriminals. Senator Biden’s statement in connection with the proposed bill says that, the "[c]urrent law hasn’t kept up with the fast pace of new criminal technologies–right now there are holes in the law that cyber-criminals can readily exploit. The Cyber-Crime Act will fix this, update the law and put us one step ahead of the cyber-criminals, instead of one step behind."
2 Responses to “Proposed Amendments to Section 1030”
Leave a Reply
Recent Posts
- Virginia Supreme Court Strikes Down State’s Anti-Spam Law
- Travelers’ Laptops May Be Detained At Border
- File Sharing Data Breach
- No download? Maybe no infringement in another Federal District Court
- CAN-SPAM Rules Modified
- CFAA Damages Calculation Includes Cost of Tracking Hacker
- Courts split on whether making a copyrighted song available for download violates copyright law.
- How to Respond to Data Breach
- Border Agents Can Search Laptops
- What is your return address?
- Proposed FRE 502 is good for electronic discovery, but it is not going to drastically reduce the cost of litigation as the authors are hoping.
- British Authorities: Insult to Injury
- Introduction to James Paulick
- TXJ Costs Continue Increasing
- Proposed Amendments to Section 1030
A. Horvath 13November2007
A similar bill (H.R. 2290) was introduced in May in the House of Representatives by Rep. Schiff (CA).
dm 13November2007
The two bills are similar in their essence. Hopefully they will work their way through committees (the House bill is going to the House Subcommittee on Crime, Terrorism, and Homeland Security while the Senate bill is at the Senate Committee on the Judiciary.)