
Computer Fraud and Abuse Act

Computer Fraud and Abuse Act. Richard Warner. Liability under the CFAA.

Gabriel

Presentation Transcript


  1. Computer Fraud and Abuse Act
     Richard Warner

  2. Liability under the CFAA
     • 1030(a)(2)(C) imposes liability on whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.”
     • Computers used in “interstate or foreign commerce or communication” are “protected.” 1030(e)(2).

  3. Liability under the CFAA
     • 1030(a)(5) imposes liability on anyone who
     • (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
     • (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
     • (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.

  4. Damage Defined
     • 1030(e)(8): the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that--
     • (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
     • (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;
     • (C) causes physical injury to any person; or
     • (D) threatens public health or safety.

  5. § 1030(e)(8)(A) Aggregation
     • Damages and losses under § 1030(e)(8)(A) may only be aggregated across victims and over time for a single act.
     • The relevant clause states that "the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information that--(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals."

  6. United States v. Morris
     • United States v. Morris applies the CFAA.
     • Morris was a Cornell University computer science doctoral student.
     • He released a worm over the Internet.
     • A worm is a self-replicating computer program designed to spread over the Internet without any further human interaction with the program once it is released.

  7. Purpose of the Morris Worm
     • Morris did not intend his worm to cause any harm.
     • As the court notes, “The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers.”

  8. The Design of the Worm
     • Morris designed the worm to copy itself from Internet system to Internet system; however, before it copied itself, the worm first asked the computer if it already had a copy of the worm.
     • Point: multiple copies would slow the computer down and make the computer owner aware of the worm’s presence.
     • Morris wanted to show that the worm could spread undetected.

  9. The Design of the Worm
     • The worm did not copy itself if it got a “yes” answer.
     • However, Morris also worried that system owners who became aware of the worm would stop its spread by programming their computers to answer “yes.”
     • So he programmed the worm to copy itself every seventh time it received a “yes” from the same computer.

  10. The Error
     • Morris greatly underestimated the number of times a computer would be asked if it had the worm.
     • The worm spread with great rapidity over the Internet, causing computer slowdowns and shutdowns and imposing on system owners the cost of removing the worm.
     • Morris was prosecuted criminally under the Computer Fraud and Abuse Act.

  11. The Issues
     • The court: “The issues raised are (1) whether the Government must prove not only that the defendant intended to access a federal interest computer, but also that the defendant intended to prevent authorized use of the computer's information and thereby cause loss; and (2) what satisfies the statutory requirement of ‘access without authorization.’”

  12. The Ruling
     • The court holds that the only intent required is the intent to access the system.
     • The authorization issue: Morris was authorized to access the computers he initially accessed.
     • He exceeded the use he was authorized to make.
     • Is this enough to make his access unauthorized?
     • The court answers that it is.
