Handbook of Information Security Management: Law, Investigation, and Ethics

Section 3601 of the recently passed Senate Crime Bill would replace the existing 18 U.S.C. § 1030(a)(5) with a provision that makes it a felony for anyone to knowingly cause the transmission of a program, information, code, or command to a computer or computer system if:

  The person causing the transmission intends that such transmission will damage a computer, computer system, network, information, data, or program, or withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system, or network, information, data, or program.
  The transmission of the harmful component of the program, information, code, or command occurred without the knowledge and authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command and causes loss or damage to one or more other persons of $1,000 or more during any one-year period or modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals.

Additionally, if the actor does not intend to cause damage but acts with reckless disregard of a substantial and unjustifiable risk that the transmission will cause such damage, the offense is a misdemeanor subject to up to one-year imprisonment.

This provision, if it becomes law, will address insider conduct. On the other hand, individuals who deliberately break into computer systems and negligently cause damage will no longer be subject to criminal sanction as under existing law. (According to 18 U.S.C. § 1030(a)(5), no mental state is required for the damage element; the only intent requirement is that the defendant intend to access a federal interest computer without authority.)

Under existing law, individuals who are convicted of violating 18 U.S.C. § 1030 are sentenced pursuant to sentencing guideline 2F1.1, a provision also under reconsideration. Under 2F1.1, the most important factor used to determine the appropriate sentencing range is the amount of loss caused to the victim (2F1.1 provides an exhaustive loss table; the higher the loss, the stiffer the sentence). With the exception of 18 U.S.C. § 1030(a)(4) and (a)(6), however, § 1030 protects against harms that cannot be adequately quantified by examining dollar losses. For example, the Department of Justice has investigated numerous cases in which hackers have accessed credit reporting agency computers and copied credit reports of unsuspecting individuals. Although the market value of these credit reports is practically nil, such conduct is a serious intrusion into the privacy rights of those individuals whose credit reports are compromised. In other cases, hackers have manipulated phone company computers to disrupt normal phone service. Although this disruption may cause some economic harm to the phone company or a subscriber, this economic loss does not measure the true impact of interfering with normal phone service.

To address these issues, the Sentencing Commission recently published for public comment a proposal to change the way computer criminals are sentenced. Under the new sentencing scheme, 2F1.1 would be used in cases involving fraud, but defendants in nonfraud cases would be sentenced under guidelines that more accurately reflect the defendant’s conduct. Additionally, the guidelines would allow the court to consider harms relating to privacy and loss of data integrity when imposing sentence.

Although the Computer Fraud and Abuse Act is the statute best suited for prosecuting computer crime cases, other federal laws may also be charged. They include wire fraud, the new copyright law (which elevates software copyright violations to felonies if they consist of the reproduction or distribution, during any 180-day period, of at least 10 copies of one or more copyrighted works with a retail value of more than $2,500), and the Electronic Communications Privacy Act of 1986. This last statute has several provisions relevant to computer crime cases (particularly when hackers engage in wiretapping over voice and data networks and have frequently accessed E-mail to determine if authorized users of the network have discovered their unauthorized presence in the system). Pursuant to 18 U.S.C. § 2511, it is illegal to intercept a wire or electronic communication while it is in transit. (A wire communication is a communication audible to the human ear. An electronic communication covers any transfer of signs, signals, or data and thus covers computer-to-computer communications.) Violation of this section is a felony. Additionally, under 18 U.S.C. § 2701, it is illegal to access, without authority, a facility through which an electronic communication service is provided or to exceed authorization to access that facility and thereby obtain, alter, or prevent authorized access to a wire or electronic communication in electronic storage in such a system.

STATE COMPUTER CRIME LAWS

Each state can choose to address computer crime in a different fashion. Consequently, there is a tremendous variety of approaches to what are fundamentally similar concerns, affording observers a unique opportunity to gauge the effectiveness of both a number of statutory schemes and certain novel and unique approaches. Moreover, while Congress has maintained its current protective scheme since 1986, the states continue to visit and revisit their respective computer crime laws on a more regular basis.



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.