Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA

Upload: andrea-nusi

Post on 24-Feb-2018


TRANSCRIPT

  • 7/25/2019 Us 15 Bailey Take a Hacker to Work Day How Federal Prosecutors Use the CFAA


    Objectives

    Frequency and nature of CFAA prosecutions.

    How DOJ makes CFAA charging dec

    Sentencing under the CFAA.

    Context intended to encourage legitimate security research.


    Federalism


    Computer Fraud & Abuse Act


    Criminal Cases

    Investigation Prosecution Sente


    Prosecution

    Based on data from the Executive Officer of U.S. Attorneys Annual Statistical Report FY 2014


    Charging Considerations

    Victim

    Resulting Harm

    Sensitivity of Data

    Deterrence

    Harm to National Security & Public Safety

    Prosecutors are directed to consider whether or not a substan

    interest would be served by prosecution of a CFAA case in whic

    evidence is expected to be sufficient to sustain a convict


    So What?

    Charging decisions for CFAA violat

    are guided by DOJ prosecution po

    In comparison to other federal cri

    CFAA offenses are not charged frequently -- and prosecuting somengaged computer security resea

    extraordinarily rare.


    Sentencing

    Sentence

    Max

    Min


    Sentencing

    Sentence

    Max

    Min

    Upward Departure

    Downward Departure


    Sentencing

    Federal Sentencing Guidelines


    Sentencing

    Seriousness of Crime + Criminal History + Aggravating or Mitigating Factors

    Seriousness of Crime: Specific offense conduct, adjustments.

    Criminal History: 6 categories based on criminal record.

    Aggravating or Mitigating Factors: Additional facts increasing or decreasing seriousness.


    Sentencing - $50,000 Loss

    18 U.S.C

    (Inform

    x 3


    Sentencing

    Offense Level: Level 6

    Offense Characteristics: +6 ($50,000 loss), +2 (access device), +2 (sophisticated means)

    Adjustments: -2 (Acceptance of responsibility), -1 (Timely notice)

    Role in Offense: +2 (Organizer)

    Defendant's Criminal History: 0 (Prior misdemeanors)

    Multiple Counts are grouped, so the fact that the hack happened 3 times does not result in triple the sentence.

    Final Offense Level 15 = 18-24 Months

    Upward/Downward Departure: Substantial assistance (reduction)


    Sentencing Trends

    [Chart: "Average Guidelines Minimum and Average Sent". Categories: Securities, Healthcare, ID Theft, Com. Series: Average Guidelines Minimum, Average Sentence. Bar labels: 84, 36, 48, 2, 63, 30, 41. Axis: 0 to 90.]


    Sentencing Trends

    Since 200

    sentences

    1030 viol

    routinely

    the m

    Guideline

    that cimp

    Category 1: 50.6% Within Guidelines Range, 47.1 Below Guidelines Range, 2.3% Above

    Category 1: 49.2% Within Guidelines Range, 49.3 Below Guidelines Range, 1.5% Above

    2012 All Federal Cases

    2012 Computer-Related Cases


    So What?

    The average sentence for a CFAA violation is about 23 months.

    Sentences for CFAA offenses rout

    have been below the minimum se

    recommended by the Guidelines.


    So What?

    Does this mean concerns ab

    chilling security research sh

    be disregarded?

    No.


    Investigation


    Security Researchers

    Vulnerability Scanning

    Mass Scanning

    Threats & Disclosure

    Critical Infrastructure

    Authorization

    PII


    Black Hat Sound Bytes

    Computer security research is important -- we get it, really.

    DOJ is not at war with researcher

    We are open to and have propo

    amendments to the CFAA to avoi

    criminalizing trivial conduct.

    Taking some common sense precautions will go a long way to

    avoiding hassles with law enforce