Monday, November 29, 2010

The Threat from Within - US v. Fowler, MDFL 2010

The security vendor-phobe at the head of the conference bangs on the podium with his shoe declaring that “The greatest threat comes from within! (buy our product for your network’s salvation).”

The power of fear as a marketing strategy should never be underestimated, particularly when the fear is of the misunderstood. The media helps stoke the flames of fear-marketing with stories of fired or disgruntled IT staff who reportedly take their revenge on former employers by bricking systems.

When hyperbolized threats-from-within turn into actual damage, the victim can be left helpless, locked out of crucial IT systems and unable to continue operations. In today’s case, after being fired, the Defendant allegedly changed the passwords on the accounts of her former employer’s employees and changed the password on the firewall. The scorned company brought in an external IT contractor, who was able to break back in and restore access to the employee accounts. The firewall, however, had pretty much become a big expensive paperweight that had to be replaced.

The Defendant was convicted under the Computer Fraud and Abuse Act. Count One, the conviction challenged in this case, was pursuant to 18 U.S.C. § 1030(a)(5)(A):

Whoever... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer... shall be punished...

The Defendant challenges her conviction and raises two questions of law: (1) is a computer on the Internet a ‘protected computer’ under the Computer Fraud and Abuse Act; and (2) can the salaries of the employees who rebuild the system be counted as part of the ‘loss’? (The statute treats the two concepts separately: ‘damage’ is any impairment to the integrity or availability of data, a program, a system, or information, 18 U.S.C. § 1030(e)(8), while ‘loss’ is the reasonable cost of responding to the offense, assessing the damage, and restoring the system, plus lost revenue and other consequential damages from an interruption of service, § 1030(e)(11). The $5,000 figure at issue in the second question is a loss threshold, § 1030(c)(4)(A)(i)(I).)

What is a ‘protected computer’ under the CFAA? Is it a computer with good virus protection, or one behind a firewall (even if the firewall has been bricked?). According to 18 U.S.C. § 1030(e)(2)(B):

“the term ‘protected computer’ means a computer ... which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;”

In other words, a computer on the Internet is a “protected computer.” Lots of courts agree on this point: U.S. v. Trotter, No. 05-4202 (8th Cir. Feb. 23, 2007) (non-profit’s computers connected to the Internet are engaged in interstate communications); U.S. v. Walters, 182 Fed. Appx. 944, 945 (11th Cir. 2006) (stating that the internet is an instrumentality of interstate commerce); U.S. v. Fowler, Case No. 8:10-cr-65-T-24 AEP (M.D. Fla. Oct. 25, 2010) (computer connected to the Internet is a ‘protected computer’); Multiven, Inc. v. Cisco Systems, Inc., 2010 WL 2889262, at *3 (N.D. Cal. July 20, 2010) (finding that a computer connected to the internet was a protected computer); National City Bank, N.A. v. Prime Lending, Inc., 2010 WL 2854247, at *4 n.2 (E.D. Wash. July 19, 2010) (stating that “any computer connected to the internet is a protected computer”); Expert Janitorial, LLC v. Williams, 2010 WL 908740, at *8 (E.D. Tenn. Mar. 12, 2010); Dedalus Foundation v. Banach, 2009 WL 3398595, at *2 (S.D.N.Y. Oct. 16, 2009) (noting that courts have “found that computers that access the Internet through programs such as email qualify as protected computers”); Continental Group, Inc. v. KW Property Management, LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009) (noting that a connection to the internet affects interstate commerce or communication).

Second, in order to be convicted under this provision, a defendant must have caused at least $5,000 in loss. (This threshold was a notorious problem for Clifford Stoll, who detected a $0.75 accounting discrepancy and thus could not garner federal attention, even though the hacker’s breadcrumbs pointed to international espionage against highly sensitive military information. See Clifford Stoll, The Cuckoo’s Egg (Pocket 1990) (a great beach vacation read).) According to the Court, the Defendant managed to inflict $27K in loss, which included roughly $11K for the time that the company’s executives, staff, and IT contractor spent putting the network back together again. The Court noted the following accounting:

  • $3,941.27 amount paid to IT Contractor for responding to and correcting the damage to the computers
  • $2,501.20 amount attributed to CEO’s time spent responding to and correcting the damage to the computers
  • $2,404.00 amount attributed to [employee A’s] time spent responding to and correcting the damage to the computers
  • $1,590.68 amount attributed to [employee B’s] time spent responding to and correcting the damage to the computers
  • $730.72 amount attributed to CFO’s time spent responding to and correcting the damage to the computers
  • $11,167.87 TOTAL

The Court rejected Defendant’s argument that time spent by salaried employees cannot be considered a loss under the statute, noting substantial precedent to the contrary:

NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1065 (S.D. Iowa 2009) (finding that the company’s chief information officer’s time spent investigating the matter was appropriately considered a loss under the statute); U.S. v. Larsen, 190 Fed. Appx. 552, 553 (9th Cir. 2006) (stating that losses “include[] the time that the victim’s salaried employees spend responding to the unauthorized intrusion”); U.S. v. Millot, 433 F.3d 1057, 1061 (8th Cir. 2006) (recognizing that hours spent by employees responding to an intrusion constitute losses under the statute, because their time could have been spent on other duties); U.S. v. Middleton, 231 F.3d 1207, 1214 (9th Cir. 2000) (finding that a salaried employee’s time spent responding to an intrusion is a loss under the statute, because “[t]here is no basis to believe that Congress intended the element of ‘damage’ to depend on a victim’s choice whether to use hourly employees, outside contractors, or salaried employees to repair the . . . harm to a protected computer”).

Engaging in some simple math, the Court noted that the $11,167.87 in loss alleged is greater than the $5,000 threshold required, and therefore denied the Defendant’s Motion for Judgment of Acquittal.

The practical corollary for anyone running an incident response is to keep contemporaneous records of who spent how many hours on containment and recovery, and at what rate, because under these cases that time is what establishes the statutory threshold.

US v. Fowler, Dist. Court, MD Florida 2010

Wheel of Morality Turn, Turn, Turn; Tell us what lesson we should learn: Humpty Dumpty was Pushed!
