The Computer Fraud and Abuse Act of 1986

The Computer Fraud and Abuse Act, or CFAA for short, also known as 18 U.S.C. 1030, is one of the primary laws governing cybersecurity within the U.S. More specifically, the law protects computers “in which there is a federal interest, including federal computers, bank computers, and computers used in or affecting interstate and foreign commerce.” The CFAA shields these computers against damage, threats, criminal trespassing, espionage, and corruption from any other forms or instruments of fraud that may be used to illegally access a computer network. The CFAA has been amended several times, including nine amendments between 1988 and 2008, in accordance with the ever-changing world of cybercrime. In its original form, the CFAA outlawed the following actions in relation to computers:

  • The trespassing of a government computer.
  • Computer trespassing that results in exposure to certain financial, governmental, or credit-related information, as well as any other form of information that may be contained within a government computer.
  • Any damage to a government computer, bank computer, or any computer that is used in or has effect over either interstate or foreign commerce.
  • Fraud that is committed in relation to the unauthorized use or access to a government computer, bank computer, or any computer that is used in or has effect over either interstate or foreign commerce.
  • Posing the threat of damage to a government computer, bank computer, or any computer that is used in or has effect over either interstate or foreign commerce.
  • Trafficking online passwords related to a government computer, or when said trafficking affects interstate or foreign commerce.
  • The access of a computer for the purposes of corporate espionage.

Amendments made to the CFAA in recent decades have expanded its coverage of cybercrimes to include the following:

  • Protection for computers that are used in financial institutions.
  • The right to bring civil actions under the auspices of the CFAA.
  • Provisions for computer tampering and extortion attempts made by cybercriminals.
  • Provisions for personal information that is stolen or taken from a computer system through cybercrime.
  • Expansion of the types of predicate offenses that can be levied against business entities and individuals found to be in non-compliance with the CFAA, as well as enhanced penalties in relation to these predicate offenses.

How is the term “protected computer” defined under the CFAA?

Under the CFAA, the term “protected computer” is defined as a computer “that originally included systems that had a substantial federal interest”. While state laws typically cover non-government computers, due to expansions of the Commerce Clause of the United States Constitution, any computer within the U.S. is theoretically covered under the CFAA. As a result of this somewhat murky and ambiguous legal framework regarding the specific types of computers that are covered under the CFAA, there have been various legal situations over the last 20 years that have hinged upon differing interpretations of the law.

To provide an example of such a situation, popular internet router manufacturer Cisco took advantage of the CFAA in a manner contrary to how the law was originally written and passed. In 2005, Cisco levied the threat of a CFAA lawsuit against cybersecurity researcher Mike Lynn, after Lynn discovered a flaw in the Internet Operating System or IOS software used to power Cisco’s routers. Cisco argued that Lynn’s exposure of this cybersecurity weakness to the public would only result in an increase in cybersecurity attacks on the platform. To the contrary, Cisco’s various customers, in addition to other professionals within the field of cybersecurity research, felt that failing to disclose this hole to the public would leave users of Cisco products vulnerable to cyber attacks that they could not adequately defend themselves against.

In the end, Lynn agreed to sign a legal injunction stating that he would refrain from disclosing any of his research findings regarding Cisco, following mounting pressure from both Cisco and Lynn’s employer at the time, Internet Security Systems or ISS.

To provide another example of a legal situation involving the CFAA, Matthew Keys, a former social media editor for international news organization Reuters, was indicted on multiple counts of CFAA violations on the grounds that he provided online hackers with username and password credentials for Tribune Company websites in 2010, after being fired from his job at a Tribune-owned company. After an 8-day trial, Keys was found guilty of violating the CFAA and was sentenced to 24 months of imprisonment, as well as 24 months of supervised release. What’s more, he was also ordered to pay restitution in the amount of $249,956. While these two cases involved different accusations and, in turn, different legal outcomes, they both display the varying ways in which the CFAA can be interpreted within a court of law.

What are the penalties for violating the CFAA?

The CFAA follows a three-tier system when enforcing violations of the law. Simple violations of the CFAA are punished as misdemeanors in accordance with state and federal law, and individuals found guilty of simple CFAA violations are subject to imprisonment for no more than a year, as well as a monetary penalty of no more than $100,000 for individuals and $200,000 for organizations. The second tier of the CFAA penalty system carries imprisonment for no more than five years, as well as monetary penalties totaling no more than $250,000 for individuals and $500,000 for organizations.

In the third and most severe tier of CFAA penalties, violators are subject to imprisonment of no more than 10 years, as well as monetary penalties of $250,000 for individuals and $500,000 for organizations. Once again, the cases of Mike Lynn and Matthew Keys showcase how seriously CFAA violations can be taken by the U.S. government. Penalties for violating the CFAA can be extremely steep, as it is a law that harshly punishes those who break it. Furthermore, the CFAA is “no more hospitable to the prosecution of juveniles for the intrusion plus information acquisition offenses”, unlike many other federal statutes and state laws that give some level of leniency to juvenile offenders.

While the CFAA is by no means a perfect law, it does lay out severe penalties for individuals who commit cyber crimes against U.S. citizens. As the CFAA is a law that continues to grow and change with the development of online technology, it will have to be constantly tweaked to ensure that it both fairly punishes those who violate it and prevents potential loopholes that would allow major corporations to use it as a weaponized tool against individuals who they feel might threaten their business interests or bottom lines. However, the CFAA does ensure that there is a means to punish those people who do legitimately commit cyber crimes on U.S. soil.