DOJ Falters on Prosecution of Cybercrimes Due to Unequal … – IPWatchdog.com

admin on June 26, 2023 Leave a Comment

Without prior Congressional review or a legislative amendment, the DOJs selective enforcement of a key Federal statute neither provides risk mitigation to the industry facing billions of dollars of losses nor deters industrial espionage and cyber theft, which are rampant.

Recent policy announcements by the U.S. Department of Justice (DOJ) regarding the selective prosecution under the Computer Fraud and Abuse Act of 1986 (CFAA) has had the unintended consequence of alerting cyber criminals that the DOJ cannot walk and chew gum at the same time.

The CFAA, a landmark 1986 legislation, prohibits accessing a computer without authorization or in excess of authorization. Enacted in the aftermath of press coverage of high-profile criminal hacking incidents, heightened national security threats from rogue foreign actors, and a finding that traditional theft and trespass statutes were ill-suited to address cybercrimes, the CFAA imposed criminal penalties, including fines and imprisonment, granting the FBI and the Justice Department the authority to investigate and prosecute. The CFAA further provides private civil causes of action for individuals or entities harmed by the perpetrators unauthorized access.

Since then, the CFAA has been amended by Congress multiple times, including via the USA Patriot Act, and each time the law expanded its definition of criminalized computer acts and broadened its jurisdiction to include any internet-enabled electronic device, including computers and cell phones, due to the interstate nature of most Internet communication.

The CFAA prohibitions broadly apply to hacking for malicious purposes (i.e., breaking in with stolen passwords to steal data or encrypted files), to insider threats where employees who have authorized access to a certain portion of their employers computer gain unauthorized access to other portions of the same computer, and to former employees who gain access to their work computers after access is revoked upon termination of employment.

TheU.S.SupremeCourtinVanBurenv. UnitedStates, 14 S.Ct 1648 (2021) ended the decades long split in federal circuit courts rulings on the definition of unauthorized access and access in excess of authorization with a finding that the burden of authorized access or access in excess of authorization rests on the employer to restrict access and establish security protocols to regulate access; an employee exercising permissible access does not lose access if the purpose of that access is not as intended by the employer. However, the enforceability of unauthorized access or access in excess of authorization is strengthened by the Supreme Court decision where access had been definitively terminated or restricted by the employer.

Contrary to the extensive statutory guidelines and case law precedents, the DOJ has recently announced that the Department will not charge defendants in certain types of exceeds authorization cases based on the theory that a defendants authorization to access a particular file, database, folder, or user account was conditioned by a contract, agreement, or policy, with the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders or user accounts on a computer in all circumstances. The DOJ further states that defendants will not be charged where authorization to access a computer, or a particular area on a computer, was automatically withdrawn under the terms of a contract or other written document once the user did something, or some other particular condition was met.

The DOJs prosecutorial discretion, exercised in this policy directive, appears to be overbroad and vague. Without prior Congressional review or a legislative amendment, the DOJs selective enforcement of a key Federal statute neither provides risk mitigation to the industry facing billions of dollars of losses nor deters industrial espionage and cyber theft, which are rampant. Twin cases, one in the real estate industry (CREXi) and a second in the entertainment industry (Ticketmaster), conspicuously illustrate the DOJs unequal application of the CAs mandate despite their similarity in fact pattern.

In both cases, the fact pattern conforms to the type of without authorization cases that the DOJ has specifically identified for prosecution in its policy directive: Unlike the exceeds authorization cases, which the DOJ has directed it will only prosecute for the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances, the DOJ has provided no such limiting guidance for without authorization cases. Inexplicably, the DOJ chose to bring criminal charges in one case (Ticketmaster), while the other case (CREXi) has languished in court for three years.

CoStarGroupetal.v.CommercialReal EstateExchange,Inc. is a civil case pending in the Central District Court of California Court in Los Angeles for alleged theft of intellectual property for the purpose of developing a competing business. The complaint alleges that defendant Commercial Real Estate Exchange, Inc. (CREXi} employees accessed CoStars subscription database without permission; CREXis former account executives hacked into CoStars password protected database by using passwords issued to CoStar customers, and then downloaded CoStars broker directories to build a clone directory on CREXi, using the stolen data to generate customer leads. The complaint specifies that at least one of theCREXi executives involved, the head of its New York office, used credentials to which he had never had any entitlement. According to the complaint, two of the other executives used a former employers credentials after they left to work for CREXi.

In a second case with a similar fact pattern, which was before the Eastern District of New York, in Brooklyn, the DOJ intervened with criminal charges against the defendant, Ticketmaster, because its employees repeatedly - and illegally accessed a competitors computers without authorization using stolen passwords to unlawfully collect business intelligence. Ticketmaster agreed to pay a criminal penalty of $10 million in exchange for deferred prosecution and a compliance and ethics program designed to prevent and detect violations of the Computer Fraud and Abuse Act and other applicable laws, and to prevent the unauthorized and unlawful acquisition of confidential information belonging to its competitors.

According to William Sweeney, FBI Assistant Director-in-Charge assigned to the Ticketmaster case; When employees walk out of one company and into another, its illegal for them to take proprietary information with them. Ticketmaster used stolen information to gain an advantage over its competition, and then promoted the employees who broke the law. This investigation is a perfect example of why these laws exist to protect consumers from being cheated in what should be a fair marketplace. Should the same standard not apply to the CoStarcase?

EvenundertheDOJsnewandundulyrestrictivepolicy,the alleged accesstoCoStarsdatabase by theheadof CREXisNewYork office was reportedly never authorizedunder any circumstances. Indeed, even the two CREXi executives who purportedly used credentials issued to their former employers pose a problem, as said credentials would have been revoked upon their separation from the company. And, arguably, even that point need not be reached as no authorization existed for any CREXi employee in the first place.

In any event, given the lack of prosecution for this seemingly plain lack of authorization for CREXIs New York office heads database access, it is clear that the DOJs new unduly restrictive approach to exceeds authorization cases is having a chilling effect on prosecutions of the other type cases where no authorization existed at all. In short, the pernicious impact of the DOJs new policy regarding selective prosecutions under the Computer Fraud and Abuse Act of 1986 (CFAA) appears to be stymieing even those prosecutions that on their face fall outside its overly narrow restrictions.

In mid-May, the DOJ announced criminal charges including export violations, smuggling, and theft of trade secrets, in connection with the Disruptive Technology Strike Force, which it co-leads with the Department of Commerce, to counterefforts by hostile nation-states such as Russia and China to illicitly acquiring sensitive U.S. technology. Once again, the DOJs prosecutorial discretion, exercised in this policy directive involving rogue foreign actors, appears to be overbroad and vague, and with an unequal application of CFAA mandates in cases with a similar fact pattern.

The DOJ, in two of the five criminal cases, charged former software engineers for stealing software and hardware source code from U.S. tech companies to sell to China. In the Central District of California, a senior software engineer wasarrested and charged with theft of trade secrets for allegedly stealing source code used in meteorology software, used insmart automotive manufacturing equipment, which the defendant then allegedly marketed to multiple Chinesecompanies. In the Northern District of California, a citizen of the Peoples Republic of China (PRC) and former Apple engineer is charged with allegedly stealing thousands of documents containing the source code for software and hardware.

In the CREXi case, which similarly involves theft of an American companys intellectual property and trade secrets by offshore agents in India, the DOJ has failed to consider intervening with criminal charges against the defendant, CREXi. According to the CoStar complaint, CREXi not only has substantial financial backing from venture capital firms, including Industry Ventures, Jackson Square Ventures, Freestyle Capital, and TenOneTen Ventures, but the company has also used its Indian vendors to steal CoStars intellectual property. Three of its vendor companies are facing court proceedings in India.

Duringa timeof escalating cybersecurity threats,both domesticand foreign, theDOJsfailure to fullyenforce the mandates of theCFAA as intended byCongress anddecided bycase law precedent weakens thelaws broad legal protections against industrial espionage and cyber theft of intellectualproperty and trade secrets.

Image Source: Deposit PhotosImage ID: 68350515Author: stevanovicigor

View original post here:
DOJ Falters on Prosecution of Cybercrimes Due to Unequal ... - IPWatchdog.com

Related Posts
Posted in Internet Security

Comments are closed.