Congress Considers Increasing Penalties, Adding Mandatory Minimum Sentences to the Computer Fraud and Abuse Act

I have blogged a lot about the Computer Fraud and Abuse Act, 18 U.S.C. 1030, the federal criminal statute designed to punish computer hacking. As I have explained, the big problem with the statute is that no one actually knows what it prohibits: the statute is so vague and so broad that the federal government has recently tried prosecuting individuals for anything from violating Terms of Use boilerplate language on websites to employee breaching of an employer’s computer use policies. This is all pretty far removed from computer hacking. Given that no one actually knows what the statute covers, you would think that Congress would have a hearing on what the law should punish and whether Congress wants to punish the routine computer use of millions of Americans.

Instead, the House Judiciary Committee is having a hearing tomorrow on cybersecurity, in which I believe one of the issues covered will be proposed legislation backed by the White House to raise penalties under Section 1030 and add a new aggravated offense statute, 18 U.S.C. 1030A that would trigger a 3-year mandatory minimum sentence for some kinds of 1030 violations. To my mind, the idea of raising penalties and adding a mandatory minimum sentence for violations of a statute no one understands is rather bizarre. The proper response to vagueness and uncertainty is not to raise the stakes of whatever is vague and uncertain. But I assume the real purpose of the proposed new Section 1030A is to create the impression that Congress is taking cybersecurity seriously. In Washington, nothing says “we tried to help” like a new criminal statute with enhanced penalties.

Based on my initial read, it seems that the statute would make two basic changes to Section 1030. First, it would jack up the statutory maximum penalties — the maximum penalty above which a sentence following conviction cannot go — almost across the board. Perhaps most importantly, virtually all Section 1030 crimes would become felonies. The very basic 1030(a)(2) crime — which involves any type of unauthorized conduct involving any computer anywhere in the world — would go from a misdemeanor to a 3-year maximum penalty felony. Violations of 1030(a)(2) that involve attempts to make money would go from a 5 year max to a 10 year max. 1030(a)(4) violations would jump from 5 years to 20 years. Violations of 1030(a)(5)(A), which involve denial of service attacks and anything that intentionally causes $5,000 of damage, would go from a 10 year max to a 20 year max.

Second, the statute would add a new crime, 1030A:

(1) Whoever, during and in relation to a felony violation of section 1030 of this title knowingly causes or attempts to cause damage to a critical infrastructure computer, and such damage results in (or, in the case of an attempted offense, would, if completed have resulted in) the substantial impairment—
(A) of the operation of the critical infrastructure computer; or
(B) of the critical infrastructure associated with such computer,
shall, in addition to the term of punishment provided for such felony, be sentenced to a term of imprisonment of 3 years.

(2) the term ―”critical infrastructure computer” means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including gas and oil production, storage, and delivery systems; water supply systems; telecommunication networks; electrical power delivery systems; finance and banking systems; emergency services; transportation systems and services; and government operations that provide essential services to the public.

If you’ve followed the historical development of Section 1030, you’ll note that the basic idea is to take the current sentencing enhancement for damage to critical infrastructure computers in Section 2B1.1 and make it a new offense with a mandatory minimum. So instead of making the punishment for “substantial” disruption to a “critical infrastructure computer” a question to be fought over at sentencing, with pretty serious enhancements, the new statute would instead have a flat-rule of a mandatory minimum sentence. But here’s the rub: Because the basic unauthorized access would go from a misdemeanor to a felony, it seems to me that the three-year mandatory minimum sentence could be triggered by an underlying crime of only a basic 1030(a)(2) unauthorized access, which DOJ seems to think involves violating any Terms of Use anywhere on the Internet — and the Ninth Circuit recently held covers any breach of employer computer use restrictions.

On the merits, these proposals strike me as a bad idea. First, I have written about how Section 1030 is the “ever expanding” statute that has “swallowed the Internet.” Expanding the statute even further by making it even more punitive strikes me as exactly the wrong way to go. I think it’s particularly bad to make the basic 1030(a)(2) crime a felony: That’s the basic unauthorized access offense that no one understands, and I don’t know why Congress would want to make an inkblot misdemeanor into a felony.

Second, it’s a bit odd to add mandatory minimums to Section 1030 in light of the statute’s history. Congress put in mandatories for Section 1030 crimes in the 1990s, and it proved to be a failure: Even DOJ wanted them taken out in 2001. I was at DOJ at the time, and the problem was that prosecutors didn’t want to charge 1030 offenses knowing there would be a mandatory minimum. The minimum (for all 1030(a)(4) and felony (a)(5) violations) was only six months, but prosecutors would creatively charge cases to avoid the minimums because relatively few cases seemed to justify it. Given that the number of 1030 prosecutions involving critical infrastructure computers is very low — I imagine that some years it is is actually zero — and given that there are already sentencing enhancements for this in the current guidelines, it seems unwise to add a new crime to punish this with a 3-year mandatory minimum sentence.