Cybersecurity and Criminal Law

Using this week’s required resources as a general conceptual starting point, reconstruct an existing cybersecurity-related law or policy to better protect the general public from cybercrime.  As you do so, please be sure to apply the underlying facts, procedures (legal, ethical and/or technical), and concepts that you believe are relevant to your reconstruction idea.    

Example:  Use as example only!

Hello Class,

The law I find to be most relevant to discuss this week is the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. §1030).  When it comes to cybercrime, CFAA is what can be used to prosecute individuals that commit cybercrimes. The law covers down on most cyber threats in a broad since. What I mean is the law leaves open the possibility to prosecute individuals for the resulting act and not necessarily the tool or technique used. This is not a bad thing because it helps the law stay applicable when cybercrime methods adapt overtime.

When it comes to the level of punishment that an individual might face under CFAA, I would say it is acceptable, but I would make sure that a level of additional monitoring on the charged individual is in effect on their computer usage. This might seem to be a breach of privacy, but it would be a part of their sentence. Similar to how individuals have tracking monitors on them when they are placed on house arrest, the tracking monitoring would be placed on their computers. To deter individuals from just going to an internet cafe or library, I would make it where if they do not report their usage of network accessible devices prior to usage with their IP address and Mac Address then they could face additional penalties or lose access to any computer device (Findlaw’s Team, 2019).

I believe the eight categories that CFAA charges can fall in are an accurate level of ranging high to low threats committed or attempted. The charges and outcomes should be based on the level of category that is committed. For example, the apprehension of Nation Security information should be seen as the most threatening of the bunch and should result in the highest penalties. This seems to be the case due to the level of misconduct being based on the amount of harm caused, which is determined by the Federal sentencing guidelines (Litvak, 2022).

If I could alter CFAA in any way, it would be to alter the level of power the law has under civil offenses. It seems that it has become a tool to threaten individuals that might have had goodwill intensions of helping individuals know they have issues with their coding and security. For example, Mike Lynn who discovered security vulnerabilities in Cisco’s IOS software. This vulnerability acted as a backdoor to Cisco’s products and could affect their customers which had implemented this IOS. Due to Cisco being afraid this might get released to the public and result in new cyber threats, they attempted to use the CFAA is a tool to threaten him from releasing his findings. This issue with CFAA in civil offenses is it does not require the same level of proof and damning evidence to try to charge individuals with it. I think the law is good in a general sense, but it needs to provide a level of protection to individuals like Mike Lynn which ultimately got bullied into not releasing his research. Now, I understand his finding could have been harmful to Cisco, but it could have been handled better without involving the CFAA. It might be a tricky addition to the law and possibly outside of its general purpose, but I would add penalizing guidelines to individuals that attempt to use the CFAA in civil cases without plausible cause.

Thank you for reading my post, everyone. Have a good rest of the week!

V/R 

Brian Allum

References:

Findlaw’s Team (Ed.). (2019, May 2). Hacking laws and punishments. Findlaw. Retrieved November 30, 2022, from https://www.findlaw.com/criminal/criminal-charges/hacking-laws-and-punishments.html

H.R.4718 – 99th Congress (1985-1986): Computer Fraud and Abuse Act of 1986. (1986, October 16). https://www.congress.gov/bill/99th-congress/house-bill/4718

Litvak, I. (2022, November 1). What are the laws against cybercrime? The Litvak Law Firm. Retrieved November 30, 2022, from https://nyccrimelawyer.com/what-are-the-laws-against-cybercrime/

Parikh, D. (2017, March). Organized cybercrime and the state of user privacy – IJIRST. http://www.ijirst.org/. Retrieved December 1, 2022, from http://ijirst.org/articles/SALLTNCSP035.pdf