Bar News - March 7, 2003


Data Security and Privacy Law


Part 1 of 2: Combating Cyberthreats

Trespass and burglary used to involve acts of physical invasion. However, our networked world now offers an entirely new medium for these old crimes.

Today, hackers use electronic "port sweeps," wireless "wardriving," "snooping" and "sniffing" to detect vulnerable computer systems over the Internet or through the airwaves, often from distant countries. They then gain access and perpetrate further crimes, leaving only minimal clues. Some hackers launch Distributed Denial of Service ("DDoS") attacks against Internet servers, overwhelming them with billions of "pings" and requests for data. Others release worms, viruses and other malicious software ("malware") that are sometimes so damaging that they crash computers worldwide. Still others commit identity theft over the Internet, which, although it is an old crime in a new bottle, can now be perpetrated on a massive scale.

To combat these problems, users have begun to employ a variety of technical safeguards. Also, lawmakers, concerned about security and privacy issues, have enacted data security and privacy laws and regulations in recent years.

Technology's Hidden Cost

Although security can significantly hike the expense of installing and maintaining computer systems, the cost of ignoring vulnerabilities can be much higher. Cyberattacks cause billions of dollars in damage each year; in the United States alone, businesses have spent approximately $40 billion in remediating cyberattacks during just the past three years.

Historically, government agencies were the most common targets of hacking, but today corporations and individuals are becoming more frequent victims. The following is a sampling of cyberattacks that have occurred during the past few years:

2003 United States: Identity thieves obtained over $7 million in federal tax refunds from the IRS by using stolen Social Security numbers of individuals, some of whom were not owed any refund and some of whom were deceased.

2003 Worldwide: In a period of just 10 minutes, a worm called "Sapphire," "Slammer" and "SQL Hell" inundated systems around the world with as much as 125 megabytes of data per second per system, bringing down five of the Internet's 13 root servers. These root servers direct all traffic on the Internet between its 600 million users and its 160 million server computers.

2002 Australia: A hacker hijacked the central control system of a sewage and water treatment plant, and pumped one million liters of sludge into parks and river systems, and onto hotel grounds. This was the first known case of a hacker successfully causing harm to physical infrastructure.

2002 New York: A disgruntled system administrator planted logic bombs on 1,000 of his company's networked computers, causing them to fail shortly after he resigned. The company suffered $3 million in damages.

2002 United States: Identity thieves posted a total of $2.7 million in charges to 30,000 credit card accounts. In a separate incident, thieves posted $5.07 in charges to each of 140,000 credit card accounts.

2002 Worldwide: Powerful DDoS attacks were launched at the Internet's 13 root servers, nine of which were crippled for one hour, causing a dramatic slowdown of service around the world.

2002 Worldwide: The "Klez" and "Bugbear" worms broke through firewalls and anti-virus protections, in some cases gathering data from hard drives and logging users' keystrokes.

2001 United States: Thousands of customers of an online bank received an e-mail message, purportedly from the bank, indicating that some of their account information had been lost due to an archive problem. The customers were requested to re-register their information at a hacker's shadow Web site. Over 250,000 people unwittingly disclosed their information.

2001 Worldwide: The "Code Red" worm infected over 250,000 servers within hours of its activation.

2000 Worldwide: The "Love Bug" worm caused an estimated $8.7 billion in damage to forty million computers.

2000 United States: Massive DDoS attacks were launched against Yahoo!, Amazon.com, CNN and eBay, causing over $1 billion in damage.

2000 Worldwide: A hacker known as "Curador" attacked multiple e-commerce Web sites in the United States, Canada, Thailand, Japan and the United Kingdom, stealing 28,000 credit card numbers and causing $3.5 million in damage.

1999 Worldwide: The "Melissa" virus was the first virus to spread by e-mail through Outlook address books, causing an estimated $1.2 billion in damage.

These attacks prophesy more numerous and more damaging attacks in the future.

Fitting Offline Legal Concepts to Online Crimes

The federal government and all states have enacted criminal legislation prohibiting unauthorized access, malware distribution, DDoS attacks and other forms of hacking. These laws generally cast traditional legal concepts in terms of modern technology.

Also, as will be discussed in Part 2 of this article, a number of statutes and regulations require companies to implement preventive security and privacy measures, particularly in the financial and health care industries, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), which regulate personal data.

Federal Criminal Statutes

The Computer Fraud and Abuse Act (CFAA) addresses various new crimes enabled by the proliferation of the Internet, and it is therefore the broadest tool for combating cybercrime. The CFAA covers, among other things, "protected computers" used in interstate and foreign commerce, including computers located outside of the U.S., which essentially includes any computer connected to the Internet. The CFAA imposes fines and criminal penalties, ranging from one year to life imprisonment, on hackers who:

  • Access any computer to commit espionage against the U.S.;
  • Access a financial, U.S. government or protected computer, and obtain information therefrom;
  • Access any U.S. government computer and affect the government's use thereof;
  • Access a protected computer to perpetrate a fraud, and obtain a thing of value in excess of $5,000;
  • Cause damage to a protected computer by transmitting damaging code (such as transmitting malware or perpetrating DDoS attacks), or access a protected computer and cause damage;
  • Traffic in government or commercial passwords;
  • Threaten damage to a protected computer for the purpose of extortion; and
  • Attempt any of the foregoing.

In addition, the CFAA, which was amended by the USA PATRIOT Act of 2001 and the Homeland Security Act of 2002, provides a private right of action to permit injured parties to obtain compensatory damages, lost revenues, consequential damages and, in some cases, punitive damages.

The Electronic Communications Privacy Act (ECPA) expanded coverage of the Federal Wiretap Statute to include electronic communications, and established the Stored Communications Act and the Pen Registers and Trap and Trace Devices Act. In general, the ECPA prohibits:

  • The interception, disclosure or use of electronic communications while in the course of transmission, for which the ECPA imposes fines and a prison term of up to five years;
  • Accessing, altering or preventing access to electronic communications stored by an Internet service provider or other electronic communication service, for which the ECPA imposes fines and a prison term of up to 10 years; and
  • The use of a pen register (a device that records outgoing transmissions) or a trap and trace device (incoming transmissions), for which the ECPA imposes fines and a prison term of up to one year.

The ECPA, which was also amended by the USA PATRIOT Act and the Homeland Security Act, contains numerous exceptions, such as to assist law enforcement and to allow individuals to detect the source of hacking. The ECPA also provides a private right of action to permit injured parties to recover compensatory damages, attorney's fees, costs and, in appropriate cases, punitive damages, or to obtain statutory damages, which is the greater of $100 per day or $10,000.

A variety of other federal laws prohibit behavior related to hacking. These statutes include, among others, the No Electronic Theft Act, the National Stolen Property Act, the Economic Espionage Act, the Computer Security Act and the Digital Millennium Copyright Act.

State Criminal Statutes

Reflecting this federal push for increased security legislation, all 50 states have enacted some form of legislation that prohibits unauthorized access or interruption of a computer system, as well as theft, destruction, copying, examination, use or misuse of data and identities. Depending on the damage caused, the benefit to the perpetrator, the perpetrator's mens rea and the means utilized in committing the crime, penalties may include fines of tens of thousands of dollars and decades of imprisonment.

In New Hampshire, a hacker faces up to 15 years' imprisonment for the commission of a "computer crime" under RSA 638:17.[1] Like the CFAA, New Hampshire's statute covers a broad range of cybercrimes. Unlike the CFAA, however, RSA 638:17 requires proof of only "knowing" access or damage, whereas the CFAA often requires a heightened showing of "intentional" misconduct.

Look for Part 2: Corporate Liability and Compliance in a future issue of Bar News.

Ronald N. Weikers of Weikers & Co. is an attorney practicing in Manchester and is an editor and author of the new treatise "Data Security and Privacy Law: Combating Cyberthreats," published by West Group. Contact Weikers & Co. at (603) 647-2000 or RNW@Software-Law.com, or visit www.Software-Law.com.

[1] Maine, Massachusetts and Vermont have enacted similar laws. See Me. Rev. Stat. tit. 17-A, §§ 432, 433; Mass. Gen. Laws ch. 266, § 120F; Vt. Stat. tit. 13, §§ 4102-05.
