Cybercrime, whether domestic or international in origin, has fully entered the public consciousness. The virtually countless individuals[i] who have been victimized by hacked credit card information have found common cause with businesses that have lost literally countless sums of money invested in research and development,[ii] and politicians[iii] whose emails have been hacked, much to the embarrassment of officials and the outrage of the public. As the instances and consequences of cybercrime increase, the lack of effective solutions offered by the federal government becomes increasingly apparent, and woeful.
The United States has made little progress in forming international cybercrime treaties. A number of explanations provide rationales for this, but the most likely reason is that other nations have used cyberattacks in an attempt to level economic and informational playing fields with the much wealthier United States, and thereby have little to gain from entering into a cybercrime convention with America.[iv] As the nation with the most powerful cyber-arsenal, it makes little sense for the United States to negotiate away strengths in return for promises that will be nearly impossible to enforce. In short, parties on both sides do not have incentives to come to the negotiating table.
It is fair to ask whether adding international laws would effectively remediate cybercrime at all. Nations frequently violate international treaties, showing little regard for a treaty that stands in the way of a national self-interest.[v] The United States should look at unilateral options first.
The United States has a cybercrime framework, the Computer Fraud and Abuse Act[vi] (CFAA). Though domestic in nature, it has the potential to be amended to become a tool in the fight against international cyberattacks. Rather than invest efforts in international negotiations, a wiser first step would be for Congress to revise and strengthen the CFAA to make it more effective, more efficient, and to give American companies some redress for international cyberattacks that cause losses of money, information, and competitive advantage. Congress should revise the “access terms” in the CFAA to incentivize businesses to more securely protect information[vii], decouple the civil causes of action in the CFAA from the criminal law, and provide for foreign bank accounts to be frozen if foreign nationals commit cyberattacks against American companies.
Revising the CFAA in the manner proposed in this article will protect American interests more effectively than an international convention will. The first goal is to prevent information theft, and these revisions promote better protection by the owners and custodians of intellectual property, and raise the costs of perpetrating cybercrime by imposing financial penalties on hackers. By approaching cybercrime from both directions, the CFAA can reduce the total volume of cyber-theft. Further, in the absence of an effective international cybercrime treaty, the most viable option for American companies to bring international cybercriminals to heel is to provide the ability to seek redress under American law in American courts.
The CFAA’s role in domestic and international cybercrime and suggested amendments
The CFAA is a dual-use statute, meaning victims of cybercrime may pursue defendants by way of criminal prosecution through the United States Attorney’s Office or may bring a civil suit against the perpetrators of the hacks. The CFAA has been used multiple times as a basis for criminal prosecution against domestic cybercriminals. In May 2014, federal prosecutors for the Western District of Pennsylvania indicted members of the Chinese People’s Liberation Army’s cyber unit for committing cybercrimes against Pittsburgh-based businesses.[viii] The problem with the indictments is that the defendants will almost certainly never stand trial, as the United States does not have an extradition treaty with China. Thus, the indictments are a grand but ineffective gesture that the United States will not allow its companies to be victimized by foreign hackers without recourse, while practically demonstrating to foreign nationals and governments that they may commit cybercrimes without consequence. But within that indictment is the idea that Congress could amend the CFAA to make it a primary tool in the fight against international cybercrime. The following paragraphs lay out the amendments that would enable this purpose.
A. Incentivize better self-protection by changing the access terms in the CFAA and decoupling civil and criminal statutes.
The dual-use nature of the CFAA has created a split amongst the federal Circuit Courts of Appeals. The divide originates from the necessity of using criminal rules of statutory interpretation in civil cases because the same statute is used, and statutory interpretation of terms must be consistent. The result has been, predictably yet contrary to the rule’s intention, inconsistent interpretation of the statute in both types of cases. Though beyond the scope of this article, the divide generally occurs around the “access status” elements of the CFAA, which require plaintiffs and prosecutors to prove that a defendant accessed the material either “without authorization” (usually an outside hacker) or by “exceeding authorized access,” which usually means a current or former employee with valid login credentials that would allow information to be accessed.
Courts that follow strict rules of interpretation have taken a two-step approach that has effectively obviated the latter term.[ix] First, the rule of lenity requires a strict statutory construction of terms, and therefore ambiguously drafted terms must be interpreted in the criminal defendant’s favor.[x] Second, statutes must be consistently interpreted, and therefore, because of the dual-use nature, those terms that are interpreted in the favor of criminal defendants must be interpreted the same way in favor of civil defendants. Applying strict constructionist rules to “exceeding authorized access,” if a person had functioning access credentials to access the information, then no matter how the information was subsequently used, the “exceeding authorized access” prong will not be available to victimized businesses. Companies domiciled within these circuits have little judicial recourse when insider theft of intellectual property occurs.
Conversely, courts that elevate property rights over strict construction will examine the use of the information after the access, and whether that use was against the company’s interest. If so, the court will impose civil liability upon defendants despite the clear language that the judicial inquiry should focus upon the access status of the actor at the time of the information’s removal.[xi]
Businesses that seek criminal sanctions under the CFAA will be incentivized to protect information behind layers of digital, code-based, protection, and through explicit employment agreements. This will secure the information and prevent losses in the process.
Decoupling the criminal law and civil law serves multiple purposes. First, criminal law will be more precise, only allowing outside hackers and employees who “embezzle” corporate information to be charged for crimes. Second, civil liability, which requires a lower burden of proof, correspondingly requires less serious acts for redress. Criminal law is reserved for the worst actors, and civil law is properly used to redress financial injury. Third, rules of interpretation in criminal law that are necessary to protect citizens’ civil liberties will not prejudice plaintiffs in civil suits.
Decoupling the statutes and providing for a separate civil statute allows for the provision of an exclusive civil remedy, the freezing of foreign bank accounts. The next section will propose a way to freeze foreign bank accounts as a means of recourse in civil cases for victims of cybercrime.
B. Attach equitable remedy for civil CFAA cases to freeze bank accounts
Intellectual property is frequently the corpus delicti of cybercrime. Foreign nationals often face no serious civil or criminal recourse for their theft. Congress could change that by following precedent set in other intellectual property law. The Lanham Act[xii] provides that companies that have had their trademarks stolen, usually through counterfeited production, can freeze the counterfeiters’ bank accounts.[xiii] This not only prevents the defendant from transferring money and leaving themselves “judgment proof”[xiv], but also would work to bring foreign defendants in front of the court. In Gucci America, Inc. v. Li[xv], high fashion houses sued a Chinese counterfeiter who had been selling counterfeit goods bearing the houses’ trademarked labels. The plaintiffs sought access to the counterfeiter’s financial records and to freeze his bank accounts to prevent the illicit proceeds from being irretrievably transferred out of the United States. The plaintiffs received a temporary restraining order, and then a preliminary injunction, against the Bank of China[xvi] granted by the United States District Court for the Southern District of New York that froze the counterfeiters’ foreign bank accounts.
The Second Circuit Court of Appeals vacated and remanded the decision in 2014. The Second Circuit held that the District Court had the authority to issue the injunction to freeze the accounts, but that the court could not enforce the injunction unless it found the court had specific jurisdiction over the bank and the freeze was within the rules of comity.[xvii] Though courts will ultimately decide whether this is a viable option for redress for American IP owners against foreign thieves, Congress should move forward with legislation providing this remedy for computer crimes while awaiting a definitive answer from the courts.
The possibility of this remedy applied in a cybercrime context is not novel. In 2013, members of both houses of Congress introduced H.R. 2281, the Cyber Economic Espionage Accountability Act.[xviii] This bill attempted to use the 1977 International Economic Emergency Powers Act[xix] to freeze the assets of people identified to be responsible for the cyber espionage of American intellectual property.[xx] The bill was never voted upon by either house of Congress.
Rather than create an entire act, this article recommends a narrower action to provide this specific remedy. Congress should provide the ability to freeze assets and enjoin using stolen intellectual property as part of the CFAA amendments. This narrower proposal, as part of more comprehensive CFAA reform, has a better chance of passage. The result will be that victimized American companies will have remedies against foreign cybercriminals without waiting for the formation of an international cybercrime treaty that includes Russia, China, and North Korea.
The international community will not reach agreement on a treaty or convention anytime in the near future. The United States has not been able to reach accord with cyberattacking states to form bilateral treaties, and a multinational foreign convention would be exponentially more difficult. Rather than bide time, the United States should strengthen its future diplomatic hand by strengthening its domestic cybercrime laws. Congress should revise the CFAA to incentivize property protection to prevent losses, and provide tough remedies to victims who suffer future economic losses from cybertheft. This action strengthens the ownership rights of intellectual property developers across the nation, and strengthens the United States in the process. If American policymakers want to protect Americans from foreign cyberattacks, strengthening American law is both the most effective and the only practical option.
[i] The Target database breach affected an estimated 61 million people alone. See http://www.npr.org/blogs/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit, last visited March 21, 2015.
[ii] The Center for Strategic and International Studies estimates the annual cost of cybercrime is $445 million. http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html. McAfee estimates a range of losses of $375 billion to $575 billion annually. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf (Both sites last visited March 21, 2015.)
[iii] The most recent examples of this are the speculated hacking of Secretary of State Hillary Clinton’s private email account and the confirmed hacking of the State Department’s email servers. http://www.cnn.com/2015/03/10/politics/state-department-hack-worst-ever/, last visited March 21, 2015.
[iv] See Lawrence L. Muir, Jr., The Case Against an International Cyber Warfare Convention, 2 WAKE FOREST L. REV. ONLINE 5 (2011), available at http://wakeforestlawreview.com/the-case-against-an-international-cyber-warfare-convention.
[v] See Semotiuk, Andy J. “Cutting Access To Banking and Immigration: Possible New Sanctions For Russian Invasion of Ukraine,” Forbes.com. Arguing for consequences against Russia for violating the UN Charter and Helsinki Accords by invading Ukraine to annex the Crimea. http://www.forbes.com/sites/andyjsemotiuk/2015/02/02/cutting-access-to-banking-and-immigration-possible-new-sanctions-for-russian-invasion-of-ukraine/, last visited March 21, 2015.
[vi] See 18 U.S.C. §1030.
[vii] See Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1644–60 (2003). Professor Orin Kerr first advanced a code-based theory of access in this article. This author agrees with, and borrows from, the rationale behind using code-based liability, but distinguishes his ideas from Professor Kerr by proposing the replacement of the “without authorization” term to specifically criminalize bypassing code-based restrictions, and also by allowing some room for contract-based liability when employees violate specific employment agreements by stealing information.
[viii] Barrett, Devlin and Siobhan Gorham, “U.S. Charges Five in Chinese Army With Hacking,” May 19, 2014, stating this was the first instance of the federal government charging foreign state employees with hacking.
[ix] See Bell Aerospace Services Inc. v. U.S. Aero Services Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010).
[x] See https://www.law.cornell.edu/wex/statutory_construction, which defines the “rule of lenity.”
[xi] See Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000).
[xii] See The Lanham Act, 15 U.S.C. §1051 et seq.
[xiii] See 15 U.S.C. §1117(a).
[xiv] A defendant who is unable to financially pay court judgments to plaintiffs or the court is “judgment proof.”
[xv] Gucci America, Inc. et al. v. Li et al., 2011 WL 6156936 (S.D.N.Y.).
[xvi] The injunction was served upon a New York City branch of the Bank of China.
[xvii] Gucci America, Inc. et al. v. Li et al., 2014 WL 4629049 (C.A.2).
[xviii] See H.R.2281 - Cyber Economic Espionage Accountability Act 113th Congress (2013-2014) and S.1111 - Cyber Economic Espionage Accountability Act 113th Congress (2013-2014).
[xix] See 50 U.S.C. §1701 et seq.
[xx] See HB2281 §§(3)(a), (5) 2013