
A Quick Overview of the Computer Fraud and Abuse Act

TJC573
February 09, 2015


Transcript

  1. The CFAA was enacted in 1986. It was designed to more clearly define computer fraud law and became the foundation for many amendments and other computer security legislation.
  2. It was an amendment to the Comprehensive Crime Control Act of 1984. Unauthorized access to computer systems is a violation of the CFAA. In the 1986 CFAA, the phrase “federal interest computer” was replaced with “protected computer.”
  3. The CFAA prohibits unauthorized access to protected computers “with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.”
  4. This definition can be expanded upon to encompass most devices in most scenarios, because data “is interstate in nature.”
  5. In U.S. v. Middleton, a case just before the 2001 USA PATRIOT Act, there was no definition of loss in the CFAA. The outcome of this case defined loss in the USA PATRIOT Act.
  6. Loss is “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
  7. The first person to be indicted under the CFAA was Robert Tappan Morris in 1989. He created the Morris Worm, widely recognized as the first malware on the Internet. He was sentenced to probation, community service, and payment of fines.
  8. A more recent case of a CFAA conviction was that of Andrew Auernheimer, also known as ‘weev.’ In 2010, he and a partner noticed a security hole in a public API within AT&T’s system that revealed personal information of ~114,000 3G iPad users. Accounts conflict, but he claims to have given AT&T a fair warning before releasing the information to the press.
  9. “...the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.” More laws proposed (whitehouse.gov)
  10. References
    “First Indictment Under Computer Fraud and Abuse Act.” World History Project. Web. 9 Feb. 2015.
    Foresman, Chris. “Goatse Security Trolls Were after ‘max Lols’ in AT&T iPad Hack.” Ars Technica. Web. 9 Feb. 2015.
    “Computer Fraud and Abuse Act.” Electronic Frontier Foundation. Web. 9 Feb. 2015.
  11. References (continued)
    Daniel, Michael. “What You Need to Know About President Obama's New Steps on Cybersecurity.” The White House. The White House, 14 Jan. 2015. Web. 9 Feb. 2015.
    All images obtained from pixabay under the CC0 Public Domain license; no attribution required.