Steptoe Cyberblog

The CFAA and the Insider Threat

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

Last week Rep. Zoe Lofgren introduced “Aaron’s Law,” legislation that would significantly amend the Computer Fraud and Abuse Act (CFAA). The proposed bill, drafted by Rep. Lofgren and Sen. Ron Wyden, is named in honor of the late Aaron Swartz, who took his own life earlier this year while under indictment for CFAA charges. The bill seeks to narrow a broadly written provision of the CFAA that criminalizes “exceed[ing] authorized access” to a computer system. But however well-intentioned the bill might be, it would essentially gut the provisions of the CFAA that are used for “insider” computer attacks and would make it effectively impossible to use the CFAA to prosecute, or to bring civil suits based on, insider thefts of intellectual property or other proprietary business information.

The bill is intended to, in Rep. Lofgren and Sen. Wyden’s words, “establish[] a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.” That’s a laudable goal, to be sure. The problem is that in attempting to carve common online activities out of the CFAA, the bill uses a chainsaw when what is needed is a scalpel.

The CFAA has been used for years by the federal government to prosecute cyber attacks by hackers and other outsiders, as well as cyber-thefts by insiders. It has also been used by employers to go after rogue employees that steal company information to benefit themselves or a competitor. The “outsider” attackers are typically charged with accessing the victim company’s computer network “without authorization,” while “insider” cyber-thieves are typically charged, or sued, under a provision of the CFAA that criminalizes “exceed[ing] authorized access” to the company’s system. In the typical insider case, the employee has authorization to access the company’s network in order to do his or her job, but exploits that access and uses the acquired information for an unlawful or improper purpose, such as stealing confidential information for the benefit of a competitor.

Over the past year, the provision of the CFAA that prohibits “exceed[ing] authorized access” has come under attack by both commentators and the courts. The commentators complain that the statute is written broadly enough to criminalize violations of a website’s terms of service or an employer’s policies governing the use of office computers for personal purposes. They say that under the CFAA as written, someone who lies about his age on a dating website or who uses his work computer to check fantasy football scores can be prosecuted for a federal crime.

The courts have recently joined the chorus, with a panel of the Fourth Circuit and the en banc Ninth Circuit both observing last year that a broad construction of the “exceeds authorized access” provision would criminalize normal online activity that happens to violate an employer’s computer use policy or a provider’s terms of service. In both cases – WEC Carolina Energy Solutions, LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) and United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) – the courts narrowly construed “exceeds authorized access” under the CFAA, holding that the statute does not cover employees who made improper use of information that they otherwise had permission to access. The effect of these decisions is that, at least in the Fourth and Ninth Circuits, the CFAA cannot be used to pursue insiders who use their access to their employer’s network to steal company secrets. With three other circuits taking a contrary view, the split is one that will require resolution by the Supreme Court, or by Congress.

That brings us to Aaron’s Law. The bill provides that violating a website’s terms of service or a company’s computer use policies or employment contracts does not, by itself, constitute a violation of the CFAA. But it goes even further, eliminating altogether the provision of the CFAA that outlaws “exceed[ing] authorized access” and restricting prosecutions and civil suits for any cyber attacks to those that involve gaining unauthorized access to information by circumventing technological or physical controls, such as encryption, passwords, or locked office doors.

The effect of this bill, if adopted, would be essentially to eliminate the use of the CFAA to prosecute or sue insider cyber-thieves and to impose additional restrictions on prosecutions and suits against outsider cyber attacks. Indeed, the bill would create the odd, and inexplicable, result that an insider who provides his log-in credentials to an outsider so the outsider can use those credentials to steal company data would be covered by the statute, while the insider who uses his own log-in credentials to steal the same data and then provides that data to the outsider would not.

There is no question that the CFAA is not going to win any prizes for great legislative drafting. And those who argue that it could be read broadly enough to cover innocuous online activity are, as a technical matter, correct. But it’s worth noting that the federal court dockets are not exactly filled with cases involving checking fantasy football scores (I’m personally relieved about that), or checking personal email on work computers, or lying on dating sites – in fact, those who raise such concerns can’t point to actual cases of that type, only hypothetical ones. Indeed, even Miller and Nosal were not about “normal online activity”; on the contrary, both involved employees who exploited their authorization to access their employer’s computer system to steal information for the benefit of a competitor.

Having said that, there are clearly changes that could be made to the CFAA to eliminate any possibility of “normal online activity” cases while preserving the statute’s use in prosecuting insider thefts of intellectual property and other types of confidential business information. While at DOJ, I helped draft several proposals to do just that, but Congress has, up to now, failed to act on them.

Unfortunately, Congress has thus far done little to help companies deal with outsider cyber threats, by failing to pass legislation that will foster the sharing of real-time information about cyber threats while also protecting privacy. Now, these proposed changes to the CFAA would make it infinitely harder to pursue insider threats, either criminally or civilly. Given the nation’s focus on cybersecurity and IP protection and their importance to our economic and national security, it would be unfortunate if Congress actually weakened the remedies available to go after insiders who use their access to their employers’ networks to steal IP and other confidential information.

At Steptoe we talk to companies all the time about steps they can take to mitigate their risk of cyber attacks and to best protect themselves against the enforcement proceedings and litigation that often follow such attacks. With all of the focus in the media on cyber attacks by hackers and state actors, companies need to be increasingly mindful of insider threats and should carefully follow developments in the courts and Congress that impact their ability to protect against those threats. Indeed, a recent report by Kroll Advisory Solutions indicates that more than two-thirds of all cases of cyber-related IP theft involve company insiders. The introduction of Aaron’s Law is a good time for companies to evaluate the measures they have in place to mitigate the risk of insider theft of IP or other valuable data. Company policies restricting the use of confidential information are certainly helpful, but other measures, such as tighter restrictions on access to sensitive data, are increasingly critical to protecting that data and to preserving the ability to go after those responsible if a theft occurs.