Steven M. Witzel and Michael A. Kleinman
The final week of 2016 overflowed with news about cybersecurity: The Obama administration announced sanctions, expulsions, and other actions against Russian intelligence services and operatives for cyberoperations involving the 2016 elections and thefts from e-commerce companies; the U.S. Attorney’s Office for the Southern District of New York unsealed indictments charging several Chinese nationals with cyberhacking crimes involving the use of stolen law firm passwords to access and profit from material, nonpublic information about corporate acquisitions; the New York Department of Financial Services delayed the January 2017 implementation of new rules that would require financial services companies to establish safeguards against cyberattacks; the Trump transition team tapped Thomas Bossert, a veteran of the Bush 43 administration, to serve as President-elect Donald Trump’s main adviser on cybersecurity with an elevated title equivalent to the national security adviser; and President-elect Trump vowed to make cybertheft a “priority” and stated on New Year’s Eve that “no computer is safe.”
With just weeks until the Presidential inauguration, this column considers how a Trump Administration might approach cybersecurity issues, particularly criminal prosecutions and regulatory oversight. Trump prognosticators have typically read the tea leaves to be business flavored—how will Trump, the businessman, view a particular issue? The cyberecosystem, however, presents a dynamic mix of issues involving risk assessment, politics, and foreign policy, which sets it apart from other typical business-related activities.
Notably, Trump the businessman has been touched by at least one instance of cybercrime. Although its security systems were hacked in 2014 and again in 2015, the Trump organization walked away relatively unscathed. In September 2016, Trump International Hotels Management entered into a settlement with the New York Attorney General for its failure to expediently notify customers of the two data breaches, which resulted in the release of over 70,000 credit card numbers and other personal information. As part of the settlement, Trump Hotels agreed to pay a $50,000 fine and strengthen the security of its computer systems and implement employee training.1
So, it bears asking WWDTD? After his inauguration, President Trump will have to deal with two high-profile and related cybercrime issues. First, President Barack Obama has asked intelligence officials to review election-related hacking, and announced he would share a report of the findings before Trump’s inauguration. Second, President Obama’s end-of-2016 sanctions against the Russians will require President Trump to decide whether or not to lift the sanctions when he takes office. Trump initially responded to the announcement of sanctions by reiterating a call to “move on to bigger and better things,” but later pledged to meet with U.S. intelligence officials about the alleged election hacking.
What tools would the Trump administration have should it seek to follow through on the President-elect’s pledge to make prosecution of cybercriminals a “priority”? The most direct route for federal prosecution of cybercriminals is via the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (the CFAA). Generally, the CFAA criminalizes accessing a computer without authorization and either obtaining information or causing damage to the subject computer. Subsections of the CFAA specifically cover espionage, stealing financial records, and extortion, and have been construed broadly to cover theft of other information such as personal or business data and passwords. The CFAA provides for criminal fines as well as imprisonment of varying terms up to life (if a CFAA violation causes death).2
Actual prosecution of cybercriminals, however, remains a relatively rare occurrence at federal and state levels.3 Cybercrimes that have been prosecuted pursuant to the CFAA typically involve improper access of personal information and smaller-scale identity theft crimes.4 With the noted exception of the “Newswire” indictments brought by federal prosecutors in Brooklyn and New Jersey in 2015 against international hackers who stole corporate news releases and used the information to make over $100 million in insider-trading profits, large-scale international cybercrimes for the most part have not been prosecuted.5
A key reason that the large and publicized international cybercrimes have not resulted in more prosecutions is the sophisticated and complicated nature of the offenses. Trying to unravel the nexus and responsibility of the criminal organizations takes time and skill, and a core component in all international prosecutions—cooperation between the DOJ and foreign prosecutors—is lacking, especially with regard to alleged Russian and Chinese hacking. Many of the cybercrimes that have attracted the recent headlines and biggest losses—such as the Target and eBay data breaches—have resulted in zero prosecutions of those responsible for the hacking.6
Although individual U.S. Attorney Offices are developing cyberunits and expertise, the DOJ division dedicated to prosecution of cybercriminals—the Computer Crime and Intellectual Property Section—appears to be seriously short-staffed; as of October 2016, the section consisted of just 40 attorneys and nine digital investigative analysts.7 In this environment, the cybercriminal has the clear advantage. As noted in President Obama’s Cybersecurity Commission report released in December 2016:
Some threats against organizations today are from teams composed of highly skilled attackers that can spend months, if not years, planning and carrying out an intrusion. These teams may be sponsored by nation-states or criminal organizations, hacktivist groups, and others. Less skilled malicious actors can easily purchase attack toolkits, often with technical support, enabling them to readily participate in criminal activities … .8
In light of this, the anticipated election hacking report and intelligence debriefings may animate the new administration’s approach to cybercriminal prosecution, and could reinforce the need to make it a “priority.” After his inauguration, there may be a unique political opportunity for President Trump to leverage the events to foster needed cybercrime cooperation with foreign governments.
The potential for large downshifts in the corporate regulatory environment is high on everyone’s prediction list as the incoming Trump administration has signaled that it is looking to change the way that American companies do business. Cybersecurity issues, however, may be an exception to the anticipated rule.
On the campaign trail, Trump made a point of highlighting recent large corporate thefts, such as the stealing of “73 million emails” from JP Morgan Chase,9 150 million passwords from eBay, and 40 million credit card numbers from Target. Further, notwithstanding a lack of specifics, Trump’s campaign website promised to create a “Cyber Review Team of individuals from the military, law enforcement, and the private sector” to immediately review all “U.S. cyber defenses and vulnerabilities,” and his appointment of cyberczar Thomas Bossert may portend an emphasis on cybersecurity issues. And in a speech following the election, President-elect Trump stated that “cybertheft is the fastest growing crime in the United States by far.” These are encouraging signs that the new administration believes that combating cyberwarfare through strengthening our systems should be a paramount priority.
On the other hand, a Trump administration would appear less likely to promulgate or enhance business regulations on cybersecurity issues. Deregulation and moratoriums on new government oversight of business activity plainly appear to be part of the President-elect’s agenda. One initiative in particular that a Trump administration may decline to adopt is a set of regulations proposed by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation entitled “Enhanced Cyber Risk Management Standards.” The regulations would apply to banking and other entities under the supervision of those three agencies with $50 billion or more in assets, and to third-party vendors of those institutions. As proposed, the regulations cover, among other things, the setting of individualized, organizational cyberrisk parameters and tolerance levels; monitoring and managing those risks; establishing strategies for business continuity in the event of a disruption; and the required establishment of cyberrisk governance procedures.
Trump’s view on cybersecurity issues may also be colored by his reported lack of technological savvy. Despite his frequent tweeting, much has been made of the President-elect’s preference for old-fashioned communication. At the 2017 New Year’s Eve party at his Palm Beach Mar-a-Lago club, when President-elect Trump told reporters that “no computer is safe,” he suggested that important messages should be delivered “the old-fashioned way … by courier.” It has been reported that he does not use a personal computer, a fact he confirmed in a recent deposition. His seeming lack of facility with computers and cybersecurity has been lampooned by the media and criticized by cybersecurity experts. Among other things, commentators poked fun at his use of “the Cyber” as a noun in the first Presidential debate.
If the proposed federal cybersecurity regulations are blocked by a Trump administration, companies may nonetheless choose to adopt them in whole or in part as a formulation of industry-wide best practices going forward. Cyberinnovation and encryption technology are driven relentlessly by market forces, not by legislation. Companies will still need to prioritize cyberrisk issues in order to avoid financial losses and civil liability, and to comply with various privacy requirements. Even if the incoming Trump administration takes a hands-off approach to cybersecurity regulation, other state and foreign cybersecurity regulatory frameworks will remain in place.10
Cybersecurity is getting more and more attention each passing week. Government accountability and direction on cybersecurity issues are important ways to strengthen the protection of our personal security, infrastructure, and the U.S. economy. It is equally imperative to aggressively prosecute the individuals and groups that steal personal and financial information or ideas from businesses. The clear advantage international cybercriminals currently maintain needs to be reversed through increased cross-border prosecutions, and President-elect Trump should use his political capital to break the logjam on international cooperation issues.
A Trump administration may be disinclined to increase cybersecurity regulations on businesses; however, it should assist businesses in monitoring active cyberthreats, and make concerted efforts to bring destructive cybercriminals to justice. In the words of the President-elect, anything less would be a “disaster.”
1. A putative class action against Trump Hotels arising out of the data breaches was voluntarily dismissed without prejudice in December 2015. See Driscoll v. Trump Int’l Hotels Mgmt, Case No. 15-cv-01089-DRH-SCW (S.D. Ill. 2015).
2. Originally enacted in 1986, the CFAA was an important gap filler that targeted what was then a new mode of crime enabled by technological advances and the increasingly ubiquitous use of computer technology by the government, financial institutions, and other businesses engaged in interstate commerce.
3. According to statistics maintained by the Department of Justice, from fiscal years 2010 through 2015, there have been only 1,027 criminal cases filed initiating prosecutions for computer fraud (an average of 171 per year). Nearly every state has its own version of the CFAA. According to the New York Division of Criminal Justice Services annual Criminal Justice Statistical Reports, from 2010 through 2015, a mere 63 computer fraud felony prosecutions were initiated—an average of just under 11 per year.
4. A Westlaw search of prosecutions brought under the CFAA since 2008—the last time the CFAA was significantly amended—turned up a mere 101 cases. Of those cases, the most common fact pattern (17 of the cases surveyed) is one in which a state, federal, or agency employee exceeds his or her access to a database that houses personal information (e.g., the National Crime Information Center Database), and uses employer-provided login credentials to access that information for a “non-business purpose.” Examples include a Customs agent using access to the Treasury Enforcement Communications Systems database to assist drug smugglers, see, e.g., United States v. Moran-Toala, 726 F.3d 334 (2d Cir. 2013), Reyeros v. United States, 443 F. App’x 504 (D. N.J. Oct. 24, 2011), or an IRS employee searching for her daughter’s tax returns, see United States v. Perez, 2008 WL 2724884 (E.D. Cal. July 11, 2008). Other common scenarios involve a single, disgruntled former employee who wreaks havoc on a former employer’s website or server, see, e.g., United States v. Prugar, 2016 WL 2851857 (M.D. Pa. May 16, 2016) (defendant logged in to former employer’s system rendering it “inoperable” after he was fired); United States v. Shahulhameed, 629 F. App’x 685 (6th Cir. 2015) (defendant launched cyberattacks against former employer’s servers), and small-scale identity theft schemes, see, e.g., United States v. Tolliver, 451 F. App’x 97 (3d Cir. 2011) (defendant bank employee used her access to customer accounts as part of a fraudulent check-cashing scheme), Frederick Eugene Wood v. United States, 2010 WL 3339508 (W.D. Wash. July 28, 2010) (defendant used a file-sharing program to steal tax returns and other sensitive documents in check fraud and identity theft scheme), each of which accounted for approximately 15 of the cases reviewed. This CFAA review does not pick up cyberprosecutions using non-CFAA statutes, such as the JP Morgan data breach, for example, discussed infra note 9.
5. Matthew Goldstein and Alexandra Stevenson, “Nine Charged in Insider Trading Case Tied to Hackers,” N.Y. Times (Aug. 11, 2015), available at http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html?_r=0. Only two CFAA cases involved a large group of hackers. See, e.g., United States v. Collins, 2012 WL 3537814 (N.D. Cal. March 16, 2012) (members of Anonymous charged with launching distributed denial of service attacks against PayPal’s website in retaliation for their having deleted WikiLeaks’ donation page). A mere five cases included an international element. See, e.g., United States v. Xiafen Chan, 2015 WL 1020330 (S.D. Ohio March 9, 2015) (defendant accused of using her credentials to log in to the National Oceanic and Atmospheric Administration servers to download confidential information to share with China’s Water Institute).
6. The Target breach reportedly cost the company more than $291 million through fiscal year 2015. See 2015 Annual Report at 49.
7. See Press Release, Department of Justice Office of Public Affairs, Criminal Division’s Computer Crime and Intellectual Property Section Celebrates 20 Years (Oct. 31, 2016), available at https://www.justice.gov/opa/pr/criminal-division-s-computer-crime-and-intellectual-property-section-celebrates-20-years.
8. Commission on Enhancing National Cybersecurity, “Report on Securing and Growing the Digital Economy” (Dec. 1, 2016), at 7, available at https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf.
9. The JP Morgan data breach appears to have been perpetrated by three co-conspirators. Two of the three were extradited to the United States from Israel, and the third waived extradition and asylum in Russia, before returning to the United States, where he was arrested. They face a number of charges pending in the Southern District of New York, including wire fraud and securities fraud.
10. In September 2016, the New York State Department of Financial Services proposed 23 N.Y.C.R.R. 500, entitled “Cybersecurity Requirements for Financial Services Companies,” which would require New York-licensed companies in the insurance, banking, and financial services industries to establish and maintain cybersecurity programs to ensure confidentiality and integrity of their information systems. The law was supposed to go into effect on Jan. 1, 2017, and as noted in the opening paragraph of this column, has been delayed at least 60 days. It will require, among other things, the appointment of a Chief Information Security Officer within 180 days. Similarly, in the European Union, the recently approved General Data Protection Regulation (Regulation (EU) 2016/679), which is set to go into effect in May 2018, will require covered organizations to implement accountability programs, data minimization measures, and the designation of a Data Protection Officer.