Chapter 7

Cybercrime

In 2007, when the Estonian government removed a statue commemorating Russia's role in World War II, the entire governmental system in Estonia came under sustained attack from Russian patriotic hackers using DDoS tactics. Because Estonia had built an economy and a governmental system that was highly dependent on Internet access (Estonia is often said to be the first fully wired country in the world), the three-week effort was very debilitating.1 Perhaps, this was a cyber war—but no shots were fired. The activists had no goal of bringing down the Estonian government. Though classification is, always, fraught with difficulty, this particular attack was as much a criminal act of intimidation as anything else.

Cyber war, if it ever comes about, will be a grave threat to national security. Our security interests may also be challenged by nonstate actors like Anonymous who are insurgents or hacktivists. But, most observers think that cybercrime is the most significant challenge facing us in cyberspace. Certainly, in terms of real-world effects on a day-to-day basis, far more users of the Internet are affected by cybercrime than have ever yet been injured in a cyber war or had their website hacked by an insurgent. The reason has, naturally, to do with the nature of cyberspace—and in particular the problems of anonymity, asymmetry, and action at a distance.

CYBERCRIMES AND THE SUBSTANTIVE LAW

The application of criminal law to cybercrimes raises issues of substantive law, procedure, and forensics. While in the real world distinguishing a crime from an accident is relatively straightforward, the exercise is much less easy in cyberspace. In the end, this unique characteristic makes prosecuting cybercrime particularly difficult.

Substantively, though the law is still evolving, we have, for the most part, developed an adequate set of laws for offenses involving unauthorized intrusions into cyber systems. These intrusions diverge from traditional crime but can be readily analogized to more old-fashioned common law concepts like trespass. Steadily, laws have adapted to make clear that hacking intrusions are crimes in and of themselves, as is trespass, and we are now building an adequate legal system to deal with situations similar to the concerted denial of service attack on Estonian systems. If that event had occurred in the United States, it likely would have been criminal under the Computer Fraud and Abuse Act (CFAA).2 As we shall see, there are some reasons to think that the CFAA is overbroad and criminalizes innocent behavior, but we cannot say that we lack criminal laws to deal with illegal activity.

Criminal law has also adapted fairly readily to situations in which computer systems are not the object of the crime but are used as tools to commit crimes of a more traditional nature. Using computers to commit fraud or access child pornography does not involve any legally relevant distinctions from the use of note paper or the mails to commit the same offenses. In general, criminal law focuses on the illegal conduct itself and is suitably neutral as to the means by which the crime is committed. Some legislatures have perhaps gone too far beyond this construct and made it a crime to commit a particular offense (e.g., theft) using a computer, but in general that response seems unnecessary (in contrast, for example, to offenses that are rendered more serious through the use of a weapon). Still, this expansion, while unnecessary, is little more than a distraction from the generally appropriate structure of criminal law.

To these substantive challenges of criminal law, one must add another piece—the significant forensic challenges of actually solving the crime. In the real world, proximity is frequently a necessity for a successful crime. Much traditional crime requires the physical presence of the criminal and is done face-to-face and one-on-one. Not so with cybercrime, which can be done at a distance and (as anyone who has received a Nigerian fraud solicitation knows) in bulk on a one-to-many scale. And, because the physical presence requirement helps to delimit physical criminality, it also makes capture easier—a factor whose absence makes identifying and prosecuting cybercrime a significant challenge.

Thus, today we face a vexing situation, where high-profit criminality can occur with low risk of capture. This turns our deterrence model of law enforcement on its head. Deterrence only works when there is a credible threat of response and punishment (the degree of punishment mattering less than the degree of certainty of being caught). But, deterrence cannot work without attribution and the nature of cyberspace makes attribution viciously difficult.

Finally, there is a cultural dissonance between the public's view of traditional crime and the dynamics of cyberspace. Law enforcement professionals generally focus on solving crimes. Despite changes occasioned by the response to September 11, they continue to do less work on prevention. Likewise, the public tends to leave prevention to the professionals. What little prevention we do is generally defensive in nature (e.g., putting locks on doors) and leaves offensive investigative function to others. Thus, the dynamic is for the public to take relatively little responsibility for its own protection—again, an understandable policy when the neighborhood police patrol can be effective, but not the best posture when the criminal neighborhood is global. In effect, every computer is a border point—between countries or for entering a home. We have yet to fully come to grips with that reality.

NIGERIAN SCAMS

For most people, the most significant criminal threat in cyberspace is the prospect of fraud or identity theft. Here, the law has developed in ways that make sense, but the actors who commit the crimes are so far removed from American jurisdiction (or for that matter, the jurisdiction of any Western nation) that the prospects for using the criminal law effectively are minimal.

Consider, for example, the by now too-familiar case of Nigerian scam artists—known as 419 fraudsters after the section of the Nigerian criminal code that prohibits fraud. This is just the modern day computer version of an old time fraud known as “an advance fee scheme.” Under the advance fee scheme, the dupe is offered an opportunity to share in a percentage of millions of dollars that are available, if only the recipient will help the criminal—who often poses as a corrupt government official—transfer the money illegally out of Nigeria. The intended victim is scammed—either by sending information to the criminal that allows the crook to steal his identity (e.g., blank letterhead stationery, bank name and account numbers, and other identifying information) or by having the victim provide some advance fee money to the official to be used for transaction costs and bribes.

In the latter variation, the victim is asked to send money to the criminal in Nigeria in several installments of increasing amounts for a variety of reasons. Of course, the millions of dollars do not exist, and the victim eventually ends up with nothing but loss. For obvious reasons, the Nigerian government is not sympathetic to the victims of these schemes. After all, they are theoretically complicit in a scheme to remove funds from Nigeria in a manner that is contrary to Nigerian law.

What makes this scam so effective is two-fold: First, the anonymity of the Internet makes the scammer practically invulnerable to effective identification and, even if identified, to extradition. Second, the borderless and near-costless nature of the Internet makes it possible for the scammer to send out tens of thousands, if not hundreds of thousands or millions, of fake solicitation e-mails. Even if the massive majority of recipients properly recognize the scam, a few trusting innocent souls (or, less sympathetically, a few corrupt souls seeking illegal gain) will always respond.

Which actually raises an interesting question that is worth pausing to briefly consider—why are the Nigerian scams so blatant? After all, they come with so many clues that they are scams (misspelled words and transparent come-ons) that we tend to think that only a really naïve person would respond. It turns out that's exactly the point. A recent sociology study suggested that the Nigerian scams (and other blatant scams like it) are bad on purpose. The scammers are actually trolling for the naïve and the uninformed. The idea is that sending a spam load costs the scammers nothing, but what costs them a lot is spending time cultivating a mark for the con.

So they want to identify easy marks early on, and the best way to do that is to be so silly and blatant and overt that only an easy mark will respond. That way they invest their time in fish they are likely to reel in and not in ones that will be hard to catch. The best part is that they actually make the victims do the work. By deleting their e-mails and not responding, we are self-selecting out of the pool; those who answer are advertising their gullibility.

THE RUSSIAN BUSINESS NETWORK

Unlike the Nigerian scammers, who are traditional fraudsters using new tools that give them greater range and scope, the Russian Business Network (known as the RBN) is truly a child of the Internet; it couldn't really exist without it.3

The RBN was an Internet service provider, run by criminals for criminals. Its founding date is unclear, but it may go back as far as 2004. The RBN was allegedly created by Flyman, a 20-something programmer who is said to be the nephew of a well-connected Russian politician. Though its initial activity appears to have been legal, it quickly morphed into something more. It provided domain names, dedicated servers, and software for criminals—a one-stop shopping center for those who want to be active on the Internet. The RBN is sometimes called a bulletproof network because, in effect, users are capable of hiding their criminal activity and are bulletproof against prosecution or discovery in their country of origin.

To a large degree, the RBN was just another business: it offered access to bulletproof servers for $600/month and highly effective malware (price $380 per 1,000 targets) and rented out botnets at the bargain basement price of $200 per bot. All this came with free technical support, patches, updates, and fixes.4 In its heyday, the RBN was responsible for some of the largest criminal hacks to date. One example would be the infamous Rockfish incident, in which users were tricked into entering personal banking information on the web, resulting in losses in excess of $150 million.5 In another incident, a keystroke logger program (one that records keystrokes input on a keyboard—like a password entry) was introduced on the computers of most of the customers of the Bank of India. The RBN is also said to have provided some support for Russia during the Georgian and Estonian conflicts.

Under severe pressure from the Russian government, which was deeply embarrassed by some of the RBN's activities, the RBN officially closed its doors in 2008—though many suspect that rather than closing, they simply moved offices to another location. Still, it is encouraging to see that some forms of international cybercrime cooperation are possible.

KILLING THE BOTNETS

It is even possible, though very difficult, to actually take steps to cut off a criminal network at the knees and kill it. The effort requires a great deal of time and the investment of significant resources, but it can be done.

The United States has begun a program of using in rem actions to prevent servers from continuing to host botnets used for distributed network attacks. In rem is a legal Latin term that means “against the thing.” Most lawsuits are against a person. This less frequent legal action is against a thing, like the servers controlling a botnet. The virtue of an in rem action is that one does not need to know who owns, or controls the thing. You just need to know where the thing itself is.

This new program was first deployed in April 2011 against the Coreflood botnet. The Coreflood botnet infected more than two million computers around the world. Its operators used the system to steal more than 500 gigabytes of sensitive banking information, resulting in untold financial losses to corporations and individuals.6 To combat this threat, the federal government used a unique legal tool: it filed a civil complaint and obtained authorization to have identified Coreflood control servers redirected to networks run by the nonprofit Internet Systems Consortium (ISC). When bots reported to the control servers for instructions—as they were programmed to do periodically—the ISC servers would reply with commands telling the bot program to quit.

No American law enforcement agency had ever before sought such authority. It required the application of several novel theories of law, both relating to the jurisdiction of the court and to the court's authority to order equitable relief of the sort needed to destroy the botnet. Most notably, the government sought (and received) authority to send software commands to computers owned by private individuals that had, unknowingly, been infected. As support for this action, the government relied on two statutes that broadly spoke to its authority to enjoin fraudulent activity but did not specifically speak to the applicability of the law to computer networks.7 Though nothing is ever certain in cyberspace, reports suggest that the government's efforts to disrupt Coreflood have been successful.8

A reasonable review of the Coreflood effort suggests that the legal foundations of the action are, at a minimum, debatable. Certainly, some service providers who might seek to resist the types of orders entered in the Coreflood case will have an argument that the in rem seizure is beyond existing authority; the procedure has never been used before and has not been tested in an adversarial proceeding in court. For those who think that in rem proceedings are worthy of replication, the ambiguity in the law does counsel consideration of confirmatory legislative action.
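The Coreflood takedown described above turns on one mechanism: infected machines keep polling a control point, so whoever controls that point after the redirection can answer every check-in with a stop command and, as a by-product, learn which hosts are infected. The following is an added illustration, not code from the book or from the Coreflood case; the control name, message format, host identifiers and the "stop" command are constructed stand-ins, since the page does not describe the real protocol. It also contrasts a sinkhole that answers (as the ISC servers did) with one that only absorbs traffic, to show why the reply matters.

```python
# Added example (not from the book): minimal model of a Coreflood-style
# sinkhole. Infected hosts poll a hard-coded control name; after the court
# order that name points at a sinkhole, which answers each check-in with a
# "stop" command and logs the caller for victim notification.
# All names, message shapes and host ids below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

CONTROL_NAME = "control.example.invalid"  # constructed stand-in for the C2 name


@dataclass
class CommandingSinkhole:
    """Sinkhole that answers check-ins, as the ISC-run servers did for Coreflood."""
    seen: dict = field(default_factory=dict)  # host id -> number of check-ins

    def handle_checkin(self, host_id: str) -> Optional[dict]:
        self.seen[host_id] = self.seen.get(host_id, 0) + 1
        return {"command": "stop"}  # tell the bot program to quit

    def victim_report(self) -> list:
        """Sorted host ids that checked in: the basis for notifying owners."""
        return sorted(self.seen)


@dataclass
class NullSinkhole:
    """Sinkhole that absorbs traffic without answering (contrast case)."""
    seen: dict = field(default_factory=dict)

    def handle_checkin(self, host_id: str) -> Optional[dict]:
        self.seen[host_id] = self.seen.get(host_id, 0) + 1
        return None  # no reply, so the bot keeps its current state


@dataclass
class SimulatedInfectedHost:
    """Stand-in for an infected machine's periodic check-in loop."""
    host_id: str
    resolve: Callable[[str], object]  # maps the control name to whatever answers it now
    active: bool = True

    def run(self, max_polls: int = 10) -> int:
        """Poll until told to stop or until max_polls; return the number of polls made."""
        polls = 0
        while self.active and polls < max_polls:
            polls += 1
            server = self.resolve(CONTROL_NAME)
            reply = server.handle_checkin(self.host_id)
            if reply is not None and reply.get("command") == "stop":
                self.active = False
        return polls


def make_resolver(table: dict) -> Callable[[str], object]:
    """Tiny stand-in for the name redirection the court order effected."""
    return lambda name: table[name]


def run_takedown(host_ids, sinkhole, max_polls: int = 10) -> dict:
    """Point the control name at `sinkhole`, run each host's loop,
    and return {host_id: (polls made, still active?)}."""
    resolver = make_resolver({CONTROL_NAME: sinkhole})
    results = {}
    for hid in host_ids:
        host = SimulatedInfectedHost(hid, resolver)
        results[hid] = (host.run(max_polls), host.active)
    return results


if __name__ == "__main__":
    commanding = CommandingSinkhole()
    print(run_takedown(["host-a", "host-b"], commanding))  # each stops after one poll
    print(commanding.victim_report())                      # ['host-a', 'host-b']
    absorbing = NullSinkhole()
    print(run_takedown(["host-c"], absorbing, max_polls=5))  # keeps polling, still active
```

The design point is the difference between the two sinkholes: a control point that merely swallows traffic leaves every infected machine active and still looking for instructions, whereas one that answers with a stop command quiets the bots and yields the check-in log needed to notify victims. That second behaviour is exactly what required the novel authority discussed above, because the reply is a command sent to privately owned computers.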

ONLINE PIRACY

The government has also used in rem proceedings to fight online piracy (that is, the illegal download of movies or music in violation of the rights of the copyright holder). For example, in Operation In Our Sites v. 2.0, coordinated seizure orders were executed against 82 domain names of commercial websites allegedly engaged in the illegal sale and distribution of counterfeit goods and copyrighted works. This is controversial.

Even more controversial are recent legislative proposals to combat piracy by requiring ISPs to divert internet traffic away from domain names that are identified as trafficking in pirated content. Critics say that the effort won't work (it is a web after all) and that it is inconsistent with projects to secure the web, like DNSSEC. (These are the bills that generated the Internet protest we noted earlier—the ones with an air of insurgency about them.) Proponents say (accurately) that piracy is rampant on the web and that something needs to be done.
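The critics' DNSSEC objection above can be made concrete. DNSSEC has the zone operator sign each record set with a key only it holds, and a validating resolver rejects any answer whose signature does not verify; an ISP ordered to divert a domain would have to rewrite the answer without being able to re-sign it. The block below is an added illustration, not code from the book: a keyed HMAC stands in for the real public-key RRSIG so that it runs on the standard library alone (so the verifier here holds the same key as the signer, unlike real DNSSEC, where it holds only the public key), and the zone name, key and addresses are constructed.

```python
# Added example (not from the book): why resolver-side diversion of a domain
# collides with DNSSEC validation. An HMAC over the record set stands in for
# the RRSIG public-key signature; names, key and addresses are constructed.
import hashlib
import hmac
import json

ZONE_KEY = b"constructed-zone-signing-key"  # held only by the zone operator


def canonical(rrset: dict) -> bytes:
    """Deterministic encoding of a record set, the input to the signature."""
    return json.dumps(rrset, sort_keys=True, separators=(",", ":")).encode()


def sign_rrset(rrset: dict, zone_key: bytes) -> str:
    """Stand-in for producing an RRSIG over the record set."""
    return hmac.new(zone_key, canonical(rrset), hashlib.sha256).hexdigest()


def signed_answer(name: str, addresses: list, zone_key: bytes) -> dict:
    """Authoritative answer as the zone operator would publish it."""
    rrset = {"name": name, "type": "A", "rdata": sorted(addresses)}
    return {"rrset": rrset, "rrsig": sign_rrset(rrset, zone_key)}


def validate_answer(answer: dict, zone_key: bytes) -> bool:
    """What a validating resolver does: recompute and compare the signature."""
    expected = sign_rrset(answer["rrset"], zone_key)
    return hmac.compare_digest(expected, answer["rrsig"])


def divert_answer(answer: dict, block_page_ip: str) -> dict:
    """Model of an ISP rewriting the answer to send users to a block page.
    The ISP does not hold the zone key, so it cannot produce a fresh
    signature and can only forward the original one."""
    rrset = dict(answer["rrset"], rdata=[block_page_ip])
    return {"rrset": rrset, "rrsig": answer["rrsig"]}


def resolve_with_validation(answer: dict, zone_key: bytes):
    """Return the addresses if the answer validates, else None
    (a real validating resolver would return SERVFAIL)."""
    if not validate_answer(answer, zone_key):
        return None
    return answer["rrset"]["rdata"]


if __name__ == "__main__":
    authentic = signed_answer("site.example", ["192.0.2.10"], ZONE_KEY)
    print(resolve_with_validation(authentic, ZONE_KEY))   # ['192.0.2.10']
    diverted = divert_answer(authentic, "198.51.100.1")
    print(resolve_with_validation(diverted, ZONE_KEY))    # None: validation fails
```

The outcome is the tension the critics point to: a validating client treats the diverted answer as a forgery and gets no answer at all, so a diversion mandate either fails against DNSSEC-validating resolvers or pushes operators to disable validation, the very protection DNSSEC is meant to provide.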

THE LIMITS OF INTERNATIONALISM

Despite the success with using international pressure to disrupt the RBN (if it is, indeed, a success), severe procedural difficulties limit the effectiveness of criminal law in addressing transnational cybercrime. Most American procedural criminal law requirements are premised on the assumption that the crimes to be investigated and prosecuted have occurred within the geographic boundaries of the United States. In the rare cases where cybercrimes are geographically limited in this way, these procedural requirements are suitable. But, the reality is that cybercrime is predominantly (and almost exclusively) transnational in character.

In many ways, the situation is much like the challenge facing state law enforcement officials prosecuting Depression-era bank robberies. The perpetrators could escape investigation and prosecution simply by changing jurisdictions and hiding behind differing laws. The problem is best exemplified by Clyde Barrow's famous fan letter to the Ford automobile company, thanking it for providing the means by which he and Bonnie escaped justice.9

The solution, of course, was to federalize the crime of bank robbery and, effectively, eliminate the boundary problem. But, what the U.S. government could do with the stroke of a federal legislative pen takes, in the international context, years and years of work. Today, we are just at the beginning of constructing a transnational set of procedural rules for cybercrime. For the most part, information sharing across national boundaries is slow and limited—far slower and more limited than the nimbleness with which criminals can change their tactics. Substantive convergence of the law is even further in the future and may well prove impossible.

To date, the only effort to develop a unitary procedural approach to cybercrime is the Convention on Cybercrime developed by the Council of Europe.10 It aspires to create a single set of cyber laws and procedures internationally in order to ensure that there is no safe harbor for cybercriminals. But, the process is slow—only 36 countries have ratified the Treaty in 11 years. Significant cultural and legal hurdles (e.g., differing American and European approaches to “hate” speech) have further slowed convergence. Thus, in the criminal domain, the single most significant question is one of extraterritoriality and engendering cooperation from international partners.

The signatories to the treaty (notably, they do not include Russia and China) have agreed to pass common laws criminalizing cybercrime and to cooperate in the transborder investigation of cyber incidents. The transborder efforts have, however, been hampered by adherence to outdated modes of cooperation. Countries sharing cyber information must still proceed through Mutual Legal Assistance Treaties (MLATs) and Letters Rogatory—processes first developed in the 1800s.

The growing consensus, therefore, is that the Convention on Cybercrime doesn't work on at least two levels—operationally and strategically. Operationally, the Convention's procedures are widely regarded as ineffective, slow, and cumbersome. What is necessary, in the first instance, is an effort through the Council of Europe to adopt more rapid response mechanisms that work in real-time. The technology for such an effort is readily available in the current interconnected environment.

Reopening the treaty for modifications of this sort is likely to be a challenge—but one with a potentially significant long-term benefit. If that course was deemed inexpedient, perhaps a better option would be to act on a bilateral basis. Failing an effort to revise the Convention, the United States can, and should, negotiate bilaterally to achieve the same effect with a coalition of the willing.

Strategically, the absence of China and Russia from the Convention makes it a bit of a paper tiger. If they refuse to bind themselves to assist in the prosecution of cybercriminals, they become, in effect, a safe haven. The international community needs to move beyond the current structure to a naming and shaming campaign modeled on that developed to combat money laundering by the Financial Action Task Force (FATF).

The FATF was created based on the recommendation of the G-7 back in 1989 and brought together a task force of experts in banking and law enforcement to create a set of recommendations for best practices in defending against illegal financial activity. The FATF has moved beyond recommendations to a routine system of self-inspection. More importantly, the FATF uses the same standards to publicly identify high-risk and noncooperative jurisdictions that do not implement adequate safeguards. Creating a similar Cybercrime Action Task Force should be a top priority for identifying and combating countries that serve as havens for bad actors.

THE OVERBROAD CFAA

Despite our overall success domestically with updating American criminal law to account for cybercrime, we still have a few substantial issues to deal with. One problem facing the criminal law is the difficulty in actually defining some of the terms—especially with regard to a second form of criminal activity—intrusion into a computer system without the authorization of the owner of the computer. Conceptually, this makes great sense. It is an unobjectionable premise that it ought to be a crime to hack into someone else's computer without their permission.

The problem is that the CFAA's definition of this type of crime is overbroad. The problem begins with the language of the CFAA (18 U.S.C. § 1030), which makes it a crime to access a computer “without” or “in excess” of “authorization.” In some ways, both of these make sense, especially if you substitute the word “permission” for the legal term “authorization.” If an intruder hasn't been given permission to use a computer at all or if he has only been given it by you for a limited purpose, and violates that limitation by rooting around in other cyberfiles, that's an act that clearly ought to be punished.

But, how do we determine what the limits of your authorization are? Since the term is not defined in the law, the courts have looked to contractual agreements that govern the use of a computer or Internet system. These agreements are known as the Terms of Service or ToS. They are those long, detailed legal terms that everyone clicks on to “accept” before they sign up for, say, a Facebook account. But, this means that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.

This is potentially quite a broad definition—indeed, an overbroad one. Consider this: Three federal circuit courts have agreed that an employee who exceeds an employer's network acceptable use policies can be prosecuted under the CFAA. This means that, for example, an employer's limitation on personal use of the Internet could, in theory, be the ground for a prosecution of an employee who accessed a Fantasy Football league webpage. As of the writing of this chapter, only one federal court has disagreed with this interpretation and the Supreme Court has yet to resolve the issue.

The effect is to create computer crimes for activities that are not crimes in the physical world. If an employee photocopies an employer's document to give to a friend without that employer's permission, there is no federal crime (though there may be, for example, a contractual violation). However, if an employee e-mails that document, there may be a CFAA violation.11 If a person assumes a fictitious identity at a party, there is no federal crime. Yet, if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of terms of service—the infamous Lori Drew case, involving a mother whose Internet abuse caused a teenager to commit suicide.12

Revisions to the CFAA are being considered as this book goes to press, for precisely these reasons. As part of the ongoing process of legislative development, the law may be modified to focus on malicious hacking and identity theft and include an exclusion that avoids criminalizing behavior that happens to take place online, in violation of terms of service or an acceptable use policy. Only time, however, will tell.

LIMITS ON SELF-HELP

The CFAA (and other laws) also poses a problem for private sector actors who want to engage in self-help. The failure to develop structures that effectively protect the private sector from cyber intrusion creates a challenge for private sector actors who are obliged to defend their own networks: consider the cyber problem from the perspective of the private sector actor whose systems are subject to an attack. The vulnerability is particularly acute as we come to realize that our adversaries may be planning acts that are designed to target private infrastructure.13 Private sector actors who are contemplating a response to such attacks may well find themselves on the horns of a dilemma—neither able to rely on the government to defend them nor legally authorized to respond themselves.

As with other actors in the cyber domain, those defending private sector networks will frequently be unaware of the identity of their attackers, and they may often be equally unable to distinguish a true attack from a probe or an unlawful intrusion. In such an ill-defined situation, those who act in response to an attack may do so in violation of the law.

First, and foremost, many of the most reasonable actions that a private sector actor would take in defense of their internal network are likely to violate the CFAA. As we have discussed, under the CFAA, it is a crime to intentionally access any protected computer (i.e., one used in or affecting interstate or foreign commerce) without authorization, or in excess of authorized access, and thereby obtain information from the computer.14 But, the most successful defensive measures often involve using beacons or other forms of surveillance inside the malicious actor's computer to identify the source of the attack. Once identified, an effective countermeasure might be to flatline the offending IP address, that is, arrange for it to be taken down. This type of defensive countermeasure (sometimes going by the name “hackback”) is almost certainly a crime in and of itself. Almost invariably, any protective action by a private sector actor will involve accessing a protected computer without the authorization of its owner (who may sometimes even be an innocent intermediary) and obtaining information from it. As a result, virtually every aspect of private sector self-help is, at least theoretically, a violation of the CFAA and therefore a crime. The specter of criminal prosecution may disable or deter private sector self-help and may also have the effect of causing the private sector to outsource protective activities overseas.15

ECONOMIC ESPIONAGE

Finally, in closing our discussion of cybercrime, it is useful to think of the rather ambiguous case of economic espionage, that is, spying directed at economic secrets, not national security ones. In such cases, there is no direct threat to America, but the effects are just as real.

And, it isn't just the large corporations who suffer. The story is told (based on a classified source) of an American furniture company that had its furniture designs stolen through a malicious hack from China. Within months, they were seeing their own designs being offered, at lower prices, from a Chinese manufacturer.16

That is just one example of many. According to the Office of the National Counterintelligence Executive (NCIX), the threat is pervasive. In the recent report, Foreign Spies Stealing US Economic Secrets in Cyberspace,17 the NCIX detailed some of its conclusions: “Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation's prosperity and security. Cyberspace—where most business activity and development of new ideas now takes place—amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.”

The NCIX noted, in particular, that

Chinese actors are the world's most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC [Intelligence Community] cannot confirm who was responsible[;] Russia's intelligence services are conducting a range of activities to collect economic information and technology from US targets. Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.18

Plainly, all of this activity is both a cybercrime and, at the extremes, a significant cyber threat to national security. At some point, economic espionage (especially of companies in the Defense Industrial Base) blends into national security espionage, and criminality becomes spying. The line between the two is fuzzy indeed, making cybercrime yet another avenue for the broader cyber conflict.