As computers play an ever-greater role in our lives and cybercrime becomes both more commonplace and more devastating, the need for robust criminal enforcement of effective computer crime laws will only become more important. As we’ve said in public remarks last year, we urgently need targeted updates to the Computer Fraud and Abuse Act that will help the department protect our privacy and security online. A number of recent prosecutions have demonstrated our commitment and success in bringing significant prosecutions under these vital statutes. Prosecutors in U.S. Attorney’s Offices across the country, in conjunction with the Computer Crime and Intellectual Property Section (CCIPS) in Washington, have brought cases against hackers and carders like Roman Seleznev and Marcel Lazar and cyberstalkers and sextortionists like Ryan Vallee and Michael Ford, and have conducted challenging and cutting-edge cybercrime operations, such as the takedown of the Darkode hacking forum last year.
It is, of course, not enough to have effective laws; those laws must also be enforced responsibly and consistently. It is also important that the public understand how the department applies the law in this context. In order to further that goal, the Criminal Division, primarily through CCIPS, has been sharing its knowledge about cybercrime and the laws that impact cybersecurity for two decades. We have convened public-private partnership events, published public manuals, testified numerous times before Congress on threats such as ransomware, participated in and recently hosted symposia and released Best Practices for Victim Response and Reporting of Cyber Incidents. Many of these materials as well as press releases related to computer crime and intellectual property prosecutions are available at cybercrime.gov.
In the course of recent litigation, the department yesterday shared the policy under which we choose whether to bring charges under the Computer Fraud and Abuse Act: the 2014 Intake and Charging Policy for Computer Crime Matters. This document guides federal prosecutors in determining when to open an investigation or charge an offense under the Computer Fraud and Abuse Act.
As set forth in the memorandum, prosecutors must consider a number of factors in order to ensure that charges are brought only in cases that serve a substantial federal interest. Among the factors that are considered are the following:
- The sensitivity of the affected computer system or the information transmitted by or stored on it and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information;
- The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations or other considerations having a broad or significant impact on national or economic interests;
- The extent to which the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;
- The impact of the crime and prosecution on the victim or other third parties;
- Whether the criminal conduct is based upon exceeding authorized access consistent with several policy considerations, including whether the defendant knowingly violated restrictions on his authority to obtain or alter information stored on a computer, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it;
- The deterrent value of an investigation or prosecution, including whether the need for deterrence is increased because the activity involves a new or expanding area of criminal activity, a recidivist defendant, use of a novel or sophisticated technique, or abuse of a position of trust or otherwise sensitive level of access; or because the conduct is particularly egregious or malicious;
- The nature of the impact that the criminal conduct has on a particular district or community; and
- Whether any other jurisdiction is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution.
In addition, the policy requires prosecutors to conduct certain types of consultation to assure consistent practice across the department’s many offices. In particular, prosecutors must consult with CCIPS before bringing charges under the Computer Fraud and Abuse Act.
We are proud of the work we have done to protect the privacy and security of Americans online. Through this policy, the department continues to take very seriously our responsibility to seek justice for the victims of cybercrime and to do so in a fair and responsible manner.