Cyber-crime, once the domain of disaffected genius teenagers as portrayed in the movies “War Games” and “Hackers,” has grown into a mature and sophisticated threat to the open nature of the Internet. “Cyber-criminals,” like their non-virtual traditional criminal counterparts, seek opportunity and are attracted to vacuums in law enforcement. The news media is filled with reports of debilitating denial of service attacks, defaced web sites, and new computer viruses worming their way through the nation’s computers. However, there are countless other cyber-crimes that are not made public due to private industry’s reluctance to publicize its vulnerability and the government’s concern for security.1
Along with the phenomenal growth of the Internet has come the growth of cyber-crime opportunities.2 As a result of rapid adoption of the Internet globally, computer crimes include not only hacking and cracking, but now also include extortion, child pornography, money laundering, fraud, software pirating, and corporate espionage, to name a few.3 Law enforcement officials have been frustrated by the inability of legislators to keep cyber-crime legislation ahead of the fast-moving technological curve.4 At the same time, legislators face the need to balance the competing interests between individual rights, such as privacy and free speech, and the need to protect the integrity of the world’s public and private networks.5
Further complicating cyber-crime enforcement is the area of legal jurisdiction.6 Like pollution control legislation, one country can not by itself effectively enact laws that comprehensively address the problem of Internet crimes without cooperation from other nations. While the major international organizations, like the OECD and the G-8, are seriously discussing cooperative schemes, many countries do not share the urgency to combat cyber-crime for many reasons, including different values concerning piracy and espionage or the need to address more pressing social problems. These countries, inadvertently or not, present the cyber-criminal with a safe haven to operate. Never before has it been so easy to commit a crime in one jurisdiction while hiding behind the jurisdiction of another.
In section II of this article, we begin by providing an overview of cyber-crimes, the state of the law, and cyber-crime perpetrators and their motivations. Then, in section III we discuss in detail three major computer crimes and analyze how the different statutory subsections are applied depending upon the technical details of the crime itself. Just as a murder prosecution is dependent on how the crime was committed, different hacking techniques trigger different federal anti-computer crime subsections. We begin with a discussion of the various denial of service attacks and the applicable statutes. Next we discuss the technical details of several hacking techniques and apply the relevant statutory subsections to the specific techniques. Finally, we explore the various types of computer viruses and how viral “payloads” and the class of the targeted computer will determine which federal subsection can be applied to the crime. In section IV, we discuss proposed legislative changes to the Computer Fraud and Abuse Act and related privacy concerns. Finally, we conclude this paper with a brief statement on the importance of tying together the technical elements of a cyber-crime and the application of the appropriate criminal subsection.
What is a cyber-crime? Law enforcement experts and legal commentators are divided. Some experts believe that computer crime is nothing more than ordinary crime committed by high-tech computers and that current criminal laws on the books should be applied to the various laws broken, such as trespass, larceny, and conspiracy. Others view cyber-crime as a new category of crime requiring a comprehensive new legal framework to address the unique nature of the emerging technologies and the unique set of challenges that traditional crimes do not deal with; such as jurisdiction, international cooperation,7 intent, and the difficulty of identifying the perpetrator. Another source of confusion is the meaning of “hacker” and “cracker” and the distinction behind their motivations. The following section will elaborate on the differences between the two and their relevance to federal criminal statutes.
A. The State of the Law
Congress has approached computer crime as both traditional crime committed by new methods and as crime unique in character requiring new legal framework. For example, Congress has amended the Securities Act of 19338 to include crimes committed by a computer. However, Congress has also enacted a comprehensive new computer fraud and abuse section that can easily be amended to reflect changes in technology and computer use by criminals. In fact, the U.S. Congress has enacted statutes that widen the scope of traditional crimes to specifically include crimes involving computers, or categorize them as entirely separate offenses. For example, the main federal statutory framework for many computer crimes is the Computer Fraud and Abuse Act (“CFAA”).9 The statute is structured with an eye to the future so that it can be easily amended to reflect changes in technology and criminal techniques. The statute has already been amended several times to close unintended loopholes created by judicial interpretation. In its current form, the statute is very broad in scope, reflecting the government’s resolve to combat cyber-crime at every level.
B. The Perpetrators—Hackers and Crackers
“Hacker”10 is a term commonly applied to a “computer user who intends to gain unauthorized access to a computer system.”11 Hackers are skilled computer users who penetrate computer systems to gain knowledge about computer systems and how they work.12 The traditional hacker does not have authorized access to the system.13 Hacking purists do not condone damage to the systems that are hacked.14 According to The Jargon Dictionary, the term “hacker” seems to have been first adopted as a badge in the 1960s by the hacker culture surrounding The Tech Model Railroad Club (“TMRC”) at Massachusetts Institute of Technology when members of the group began to work with computers.15 The TMRC resents the application of the term “hacker” to mean the committing of illegal acts, maintaining that words such as “thieves,” “password crackers,” or “computer vandals” are better descriptions.16
In the hacking “community,” it is considered better to be described as a “hacker” by others than to describe oneself as a “hacker.”17 Hackers consider themselves members of an elite meritocracy based on ability and trade hacker techniques and “war stories” amongst themselves in Usenet forums, local or regional clubs, and national conferences, such as the annual Def Con Computer Underground Convention held in Las Vegas.18
A “cracker” is a hacker with criminal intent.19 According to The Jargon Dictionary,20 the term began to appear in 1985 as a way to distinguish “benign” hackers from hackers who maliciously cause damage to targeted computers. Crackers21 maliciously sabotage computers, steal information located on secure computers, and cause disruption to the networks for personal or political motives.22
Estimates made in the mid-1990’s by Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier, put “the total number of hackers at about 100,000, of which 10,000 are dedicated and obsessed computer enthusiasts. A group of 250-1,000 are in the so-called hacker ‘elite’, skilled enough to penetrate corporate systems and to unnerve corporate security.”23
In the eyes of the law, hacking and cracking are not always treated the same way. Depending upon the method of intrusion, the type of computer that was broken into, the hacker’s intent, and the type and amount of damage, different statutes and penalties will apply.24 There are many ways to approach a discussion on hacking. In this article, we will structure the discussion on hacking techniques within the framework of the statutory elements to provide an understanding of how the different techniques trigger different statutes and penalties. We begin with an overview of hacking and an explanation of several common hacking techniques. Then, we discuss the relevant criminal code that can be applied depending on the nature of the hack.
C. Why People Hack
In recent years, according to the Department of Justice’s National Infrastructure Protection Center, there has been a rise in what has been dubbed “hacktivism.” Hacktivists launch politically motivated attacks on public web pages or e-mail servers. The hacking groups and individuals, or Hacktivists, overload e-mail servers by sending massive amounts of e-mail to one address and hack into web sites to send a political message.25 In 1999, for example, the homepages for the White House, the U.S. Department of the Interior, White Pride, the United States Senate, Greenpeace, and the Klu Klux Klan were attacked by political activists protesting the site’s politics.26One such group is called the “Electronic Disturbance Theater,” which promotes civil disobedience on-line to raise awareness for its political agenda regarding the Zapatista movement in Mexico and other issues.27 Also, during the 1999 NATO conflict in Yugoslavia, hackers attacked web sites in NATO countries, including the United States, using virus-infected e-mail and other hacking techniques.28 On February 7, 2000, the official web site of the Austrian Freedom Party was hacked to protest the inclusion of Jörg Haider and his party into a coalition Austrian government.29
According to a study conducted in 1999 by Michael G. Kessler & Associates Ltd., disgruntled employees are the greatest threat to a computer’s security.30 Employees that steal confidential information and trade secrets account for thirty-five percent of the theft of proprietary information.31 In fact, data suggests that serious economic losses linked to computer abuse have been and continue to be attributed to current and former employees of the victimized organization rather than to outside hackers with modems.32Internet Security Systems’ Chris Klaus estimates that over eighty percent of the attacks on computer systems are committed by employees.33
According to recent FBI assessments, disgruntled insiders are a principal source of computer crimes.34 Insiders do not need a great deal of knowledge about their target computers, because their inside knowledge of the victim’s system allows them unrestricted access to cause damage to the system or to steal system data.35 A Computer Security Institute/FBI report notes that fifty-five percent of survey respondents reported malicious activity by insiders.36 Employees who exceed their authorized use and intentionally cause damage are just a liable as an outside hacker who intentionally causes damage.37 However, § 1030(a)(5) of the CFAA does not criminalize damage caused by authorized persons and company insiders that was reckless or negligent.38 Only outside non-authorized hackers are liable for any damage caused, whether it was negligent, reckless, or intentional.39
3. Recreational Hackers
“Recreational hackers” break into computer networks for the thrill of the challenge or for bragging rights in the hacking community.40 While hacking once required a fair amount of skill or computer knowledge, the recreational hacker today can now download attack scripts and protocols from the Internet and launch them against victim sites with little knowledge of the systems they are attacking.41 There are countless web sites on the Internet that provide “newbies” (inexperienced hackers, or “wannabes”) with detailed instructions on hacking techniques and downloadable, do-it-yourself hacking tools.42 In recent years, the hacker’s attack tools have become more sophisticated and easier to use.43For example, in 1999 hackers defaced the Anniston Army Depot, Lloyd’s of London, the U.S. Senate and Yahoo home pages to demonstrate to the hacking community their ability to hack into third-party servers and to highlight the servers’ vulnerabilities.44
4. Web Site Administrators and Web Pages
It is usually considered a passive and harmless exercise to visit a web site. The user requests information and the server responds to the request by sending out packets of requested data back to the user’s computer. However, web sites can also access a lot of hidden background information from the user. For example, Privacy.net has a web site that will show users all of the information that can be taken from their individual computer.45 The remote web site can determine the following information about a visitor:
(a) the IP address the user is accessing the web site from;
(b) the number of prior visits to the web site, and the dates;
(d) the user’s browser type and operating system and version;
(e) the user’s screen resolution;
(g) how many web pages the user has visited in the current session;
(h) the local time and date; and
(i) FTP username and password, if there is one.46
Privacy advocates have pressured web browser developers to address security concerns by enabling users to significantly enhance their privacy by adjusting the security level on their browsers. The extent of information that a web site can retrieve from a visitor without violating the CFAA47 is still uncertain. Section 1030(a)(2)(C) proscribes the intentional access of a computer without, or in excess of authority to obtain information. When a person visits a web site, how much information has that person reasonably “authorized” the web site to obtain? This question may be answered by a court inone of the cases filed against RealNetworks over its gathering of user data.48
III. Types of Computer Crime
In this section, we begin by providing an overview of cyber-crime and criminal techniques used to penetrate protected computer networks. We then discuss in detail the CFAA, how it is applied, and how it has changed over the past decade. Then we will look at other laws that are on the books that the federal government uses to control computer crimes. Due to the international nature of cyber-crimes, we discuss briefly some of the international cooperative developments.
A computer can be the target of the offense, the tool used in the offense, or may contain evidence of the offense.51 An understanding of the different uses of a computer will provide the foundation of the application of the criminal statutes.
The computer is an indispensable tool for almost all cyber-crimes. However, as more devices are enabled to communicate with the Internet, the hackers arsenal of tools is likely to multiply.52
When a computer is the target of the offense, the criminal’s goal is to steal information from, or cause damage to, a computer, computer system, or computer network.53 Hacking, cracking, espionage, cyber-warfare, and malicious computer code viruses are common forms of crimes that target the computer. The perpetrators range from teenage “cyber-joyriders” to organized crime operations and international terrorists. According to a survey conducted by Michael G. Kessler & Associates Ltd., a New York security firm, computer theft of proprietary information is committed by discontented employees (35%), outside hackers (28%), other U.S. companies (18%), foreign corporations (11%), foreign governments (8%), and miscellaneous (10%).54
The computer may also be a tool of the offense. The criminal uses the computer to commit a traditional crime, such as counterfeiting. For example, a counterfeiter that used to engrave plates to create the counterfeit currency can now use sophisticated graphic computers with advanced color printers. An example of a computer used to perpetrate a traditional crime is the extortion attempt by George Matos Rocha from North Carolina.55 Mr. Rocha was charged with bombing three home improvement stores and subsequently threatened the retail chain to continue the bombings unless he received $250,000.56Using the Internet, Mr. Rocha set up a bank account in Latvia and instructed the company to wire the extortion money to his Latvian account.57 The FBI was able to identify the account and trace its origin back to the United States with the help of his Internet Service Provider. Mr. Rocha pleaded guilty in December to explosives charges and extortion. He could have faced life in prison.58
Computers can also be incidental to the offense, but are nevertheless important because they contain the evidence of a crime. Money launderers, for example, may use a computer to store details of their laundering operation instead of relying on paper accounting records. Child pornographers’ computers are often seized as the key evidence59 that the defendant produced, possessed, received, and/or distributed child pornography.60
A. Denial of Service
A Denial of Service (“DoS”) attack is a rather primitive technique that overwhelms the resources of the target computer which results in the denial of server access to other computers. There are several different techniques that hackers use to “bring down” a server. As the network administrators learn how to limit the damage of one technique, hackers often create more powerful and more sophisticated techniques that force system administrators to continually react against assaults. In order to understand how to apply the law to these attacks, a basic understanding of the anatomy of the attacks is necessary.61
There are basically three main network exploits that are used to overwhelm a system’s server: SYN Flood Attacks, UDP Flood Attacks and ICMP Flood Attacks. Each technique exploits a weakness in the way computers communicate amongst each other over the Internet. A basic understanding of the TCP/IP Internet protocols is helpful to differentiate between the techniques.
The Internet is a network of computers that are connected so they can exchange information amongst each other. The computer that is asking for information from another computer is the “client” and the computer that is receiving the request is the “server.” When the client wants to receive information that is located on the server, it sends a request for the information. However, the computers must establish a connection before data can be exchanged. The server needs to know who it is going to send the information to and needs to make sure the client computer is ready to receive the information. This is considered a “3-way handshake.” The first part of the handshake occurs when the client computer sends a message to the server with a “SYN flag” that tells the server how to identify it.62 Second, upon receiving the request, the server will send out its own identification number, called an Initial Sequence Number (“ISN”) in a SYN for this request and an acknowledgement (“ACK”) of the client’s request. In the third part of this “handshake,” the client computer receives the SYN and ACK from the server and sends back the ACK with the server’s numbers, like a secret code the two of them share so the server can keep track of multiple clients. Now the data transfer can take place. In summary, the client sends a message to the server, the server sends back a message to the client that the server is “awake” and ready to process the requests, then the client sends back an acknowledgement that they are ready. This may seem redundant, but the need to establish the connection on both sides is very important because the data is broken up into small pieces by the server and sent out over the Internet to the client. The client needs to know how to organize the data puzzle as the packets arrive and the client also needs to know if any packets are missing. As each piece of the puzzle arrives, the client lets the server know the piece has been received, so the server knows if it has to re-send it.
TCP/IP stands for Transmission Control Protocol and Internet Protocol.63 Basically, the TCP is the workhorse of the communication on both sides. If a file is requested by the client, the server locates the file on its computer and breaks the file into tiny pieces. The tiny pieces are called datagrams. Each datagram is “wrapped” in a bundle of instructions that tells it where to go. These little bundles are called “packets.” The TCP assigns a sequence number to every byte transferred so it can track what it has sent and eliminate the need to duplicate sending the same piece twice unless the piece is lost somewhere along the line to the client. The “packet header,” contains the sequence numbers that also tells the client the next sequence number to expect after each packet, so the client can start arranging the packets and conduct a rolling inventory. The TCP acts as a digital shipping and receiving department.
The job of the Internet Protocol (“IP”) is easier. The IP’s job is to route the packets across the Internet to the client. Each computer on the Internet has an IP address that tells the computers where the other is located. The IP address is very similar to a zip code. For example, a zip code that begins with a 9, belongs to an address located on the west coast of the United States. If the next number is a 4, the location is in the San Francisco area, and so on until the precise region is located. However, to parallel the IP addresses, each house in the zip code area would be assigned a number, instead of an address. So when a client or server sends a packet out over the Internet, the packet is “routed” through many other servers to reach its final destination. The IP tacks on the numerical address and ships it out, hoping the packet arrives where it is supposed to go. If the server does not receive a response that the packet was received on the other end, the IP can send an error message to the client, called an Internet Control Message Protocol, or ICMP, letting the client know that the packet did not get there. It is this system of trust and cooperation between the computers that is exploited by a denial of service attack.
1. SYN Flood Attacks
One of the weaknesses in the system is the amount of SYN requests the TCP can handle. When the TCP receives more requests than it is programmed to handle, it puts the other incoming SYN requests in a queue. When the queue is filled to capacity, there is no more room to put the other incoming SYN requests and they are turned back. Hence, they are “denied service.”
Another technique is to slow down the TCP process by making the TCP wait for all of the ACKs it sent out to be acknowledged by the client. When the attacker sends a message to the server requesting data, the server sends out a SYN and an ACK and waits to hear back from the attacker’s client, as part of the third part of the 3-way handshaking. However, the attacker has “spoofed” his return address so that the server sends a “self-addressed and stamped” envelope to an address that is either false or belongs to a computer that is not responding. If enough of these “spoofed” SYN messages are sent, the server is paralyzed by its wait for non-existent confirmations. “SYNK” is a common SYN flood program that is widely downloadable on the Internet.64
2. UDP Flood Attacks
User Datagram Protocol (“UDP”) flood attacks work in very much the same manner as the SYN Flood attacks. In a server, the UDP provides information about the server to other computers, such as the server’s local time, echo, chargen, etc.65 When the server is hit with multiple requests for information about itself, the server can be quickly overwhelmed by its inability to process so many UDP packets. The result is total consumption of the server’s processing power and bandwidth, thereby “denying service” to others who are trying to access the server. The problem is multiplied when a hacker connects one computer’s chargen port with another’s echo port. The result is the generation of a massive amount of packets that overwhelm the system and render it useless.66
3. ICMP Flood Attack
The Internet Control Message Protocol (“ICMP”) flood attack is also similar to the above flood attacks. The ICMP is used to handle errors and “pings.” Pings are small “feelers” that are sent out to other computers to see if they are turned on and connected to the same network.67 Ping is also used to determine if there is network congestion and other network transport problems. When a ping packet is sent to an IP broadcast address from a computer outside of the remote computer’s network, it is broadcast to all machines on the target network.
The ICMP attack begins when a large number of forged ping requests are sent to a broadcast address on a third-party’s server. These packets contain the return address of the intended victim. The flood of ping requests causes the targeted server to answer with a flood of responses which can cause both the target site and third-party sites to crash.68
A variation on the ICMP attack is the “Ping of Death.” The Ping of Death is a large ICMP packet that is sent to the target server. The target receives the ping in fragments and starts to re-assemble the packets as they arrive. However, the completed size of the packet is larger than the buffer, or than the room the computer has allocated to such packets, and the computer is overwhelmed, often resulting in the server shutting down or freezing up.69
4. New Generation Attacks
a. Smurf Attacks
These techniques are named after the programs that launch the attacks. In a Smurf attack, the hacker sends out an ICMP echo request packet, or “ping” command to a computer network with the return IP address of the targeted victim. The network’s server broadcasts the “ping” through the system’s network and the computers send a reply back. If the network is large enough, those packets will swamp the victim’s computer and possibly bring the computer down.70
The Fraggle attacks are similar to the Smurf attacks, except they use UDP echo packets to overwhelm a network computer.
Papasmurf combines Smurf and Fraggle by launching ping requests with ICMP echo packets and UDP echo packets. This program’s two-headed assault makes it more difficult for administrators to defend themselves.
5. Distributed Denial of Service Attacks
Distributed Denial of Service attacks (“DDoS”) are a natural development in the search for more effective and debilitating denial of service attacks. Instead of using just one computer to launch an attack, the hacker enlists numerous computers to attack the target computer from numerous launch points.71 Prior to an attack, the hacker places a daemon, or a small computer program, on an innocent third-party computer. These third-party computers are often referred to as “zombies” or “soldiers.” The “slave” daemons are remotely controlled by the “master” program to launch attacks against certain servers. By distributing the source of attacks across a wider array of zombie computers, the attacker has made it more difficult for the target server to block off the attack routes.
a. Trinoo (June 1999)
On August 17, 1999, a Trinoo network of at least 227 systems was used to flood a single server at the University of Minnesota, including more than 100 compromised computers at the University of Washington.72 The attack rendered the system inoperable for two days.
There has been speculation that Trinoo was one of the programs that brought down Yahoo and other major Internet sites in February 2000.73 Trinoo is used to create distributed denial of service UDP flood attacks. There is concern that Trinoo could enlist common desktop computers in a DDoS attack by loading a daemon on the local computer through an e-mail attachment.74 According to one estimate, Trinoo networks are “being set up on hundreds, perhaps thousands, of systems that are being compromised by remote buffer overrun exploitation.”75
After the attacker has placed the daemons on the intermediary computers, master programs are set up on other computers to act as commanders to call “the troops” into action. The attacker only needs to access the master programs, via telnet, to launch the massive, coordinated attacks.76 Both the slave and master programs are password controlled to prevent system administrators from taking control of the Trinoo network. Once the attacker has accessed the master, he only needs to enter the IP address of the targeted server in a “dos IP” command to wake up the daemon “zombies” that begin launching their massive queries at the target. The attacker is also able to launch attacks against multiple targets using the “mdos” command.77 Finally, the attacker can set a time limit for the DoS attack.78
b. Tribe Flood Network (August 1999)
Tribe Flood Network, (“TFN”), is a DDoS program written by a German hacker that is capable of launching ICMP, SYN Flood, UDP Flood and Smurf attacks.79 In late August, 1999, DDoS attackers began to shift from Trinoo to TFN. Using TFN, a single attacker can launch an attack from dozens of computers on which the attacker has surreptitiously placed the TFN daemon.80 The attacker remotely controls the TFN client network using a variety of connection methods, including telnet TCP connections.81 Unlike various versions of Trinoo, TFN clients do not require a password to be activated, although the client sends commands to the daemon in an ICMP packet. However, there is no telnet TCP or UDP-based communication between the client and the daemon, making detection of the client’s call to action more difficult to detect on the client, or master, system.82
c. Tribe Floodnet 2k (January 2000)
Tribe Floodnet 2k (“TFN2K”) is an updated version of the TFN DDoS attack tool. According to Mixter, the German hacker who wrote the program, TFN2K still contains the popular features of the original TFN, including the client/server functionality, stealth, and encryption techniques. However, Mixter added several new features that make the system more robust and deadly, including remote one-way command instructions to the distributed servers who go on to launch the attacks. Also, TFN2K boasts stronger encryption between the client and the server.83
d. Stacheldraht (October 1999)
The most recent advance in DDoS attacks has come in the form of Stacheldraht, a German word for “Barbed Wire.” Stacheldraht has the ability to automatically update the daemon programs, reducing the attacker’s risk of intrusion.84 Stacheldraht was based on the source code from Tribe Flood Network, with at least two significant new features. The communication between the attacker and the Stacheldraht masters are encrypted and the daemons can be automatically updated by the masters. One of the weaknesses of TFN was the attacker’s connection to the master program located on the remote computers.
Stacheldraht combines Trinoo’s master/daemon control features with TFN’s ICMP flood, SYN flood, UDP flood, and Smurf attacks.85 The attackers control the master computers through encrypted clients, and each master can control up to 1000 daemons that are installed on innocent third-party computers.86 The attack begins in the preparation stage, called the “mass-intrusion phase,” where large numbers of computers are compromised.87 The attacker places the Stacheldraht daemons on the compromised systems and the daemons lie in wait for the command to attack. The third-party computers are also victims in these attacks because the systems have been compromised and they use up bandwidth and processing power.
6. Tracking Down the Attackers
The Federal Bureau of Investigation (“FBI”) has had a very difficult time locating the origin of the attackers because of the networked nature of the Internet, the spoofing of the DoS packets, and the procedural difficulty of organizing an investigation that involves countless jurisdictions. One method used to track the attacker is to start from the targeted server and locate the immediate server that sent the packet.88 However, because the packet was carrying “false identification,” each subsequent router along the network could lead the investigator astray.89
Because the packet’s “false papers” hide the true origin of the packet, it is difficult to reconstruct the origin of the spoofed packets after the fact. In order to determine where the packet came from, the investigators must set up a filer, or “trace and trap,” before they arrive at that particular router. This is complicated by fact that the packet could cross as many as thirty different routers owned by ten different companies in several different legal jurisdictions.90 In the February, 2000 attacks on the major Internet sites, the authorities have identified several university computers that were compromised and used to attack the targeted servers.91
The actual technique of spoofing can be complicated. For example, a traditional method of spoofing was to initiate a DoS attack on Computer B, the computer that one eventually wants to spoof. When Computer B is overwhelmed, it is not able to respond to requests from Computer C that it is requesting ACKs, or confirmation -- trying to confirm they are who they said they are. The TCP tags each datagram with a sequential number. If Computer C receives a packet that is out of sequence, it will discard the packet or hold, depending on how close the packet is to the number it is looking for. The hacker, using Computer A, estimates the number that Computer C is looking for and pretends to be sending packets from Computer B by using Computer B’s information or identification. Computer B is unable to stop this use of his identification because he is spending all of his time answering the false packets from another computer that the hacker has set up to send the packets.
7. The CFAA92 and Denial of Service
In any criminal law analysis, the specifics of the crime will determine which statutory section can be successfully applied. For example, the exact definition of an “intrusion” can determine whether inserting a debit card into a exterior cash machine constitutes burglary. The individual characteristics of a Denial of Service attack may also change which computer crime statutes can be applied to the attack. For example, in the above TFN2K example where the attacker used Computer A to plant “servers” on Computers B, C, and D to attack Computer F, will a traditional hacking statute be applicable for the attack on Computer F? Under 18 U.S.C. § 1030(a)(5)(B) and (C), the statute prohibits “access” of a protected computer.93 However, are these anti-hacking statutes applicable to an attacker whose intent was to “deny access” to, rather than to merely access, the computer?
The CFAA is the primary federal anti-hacking statute, and contains seven main sections. The first section, § 1030(a)(1), protects against the knowing access of government computers to obtain classified information. This section is not applicable.
The second section, § 1030(a)(2), proscribes the intentional access of a computer without, or in excess of authorization, to thereby obtain information from a financial institution, the federal government, or any protected computer involved in interstate or foreign communications—essentially any computer connected to the Internet.94 This section is concerned with the protection of information. The point of all of the DoS attacks is not to obtain information, but rather to bring the system down.
The third section, § 1030(a)(3), is concerned with the intentional and unauthorized access of government computers or computers used by the government. In a standard DoS attack where only one computer is used to attack another, this section is unlikely to be invoked unless the attacker targeted a computer that “is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States.”95 However, in a DDoS attack, there is a better chance that this section may be relevant if the attacker placed an attack daemon on a § 1030(a)(3) protected computer. Many university computers, for example, are used by the federal government. Even slight activity by the daemon on the university computer could “affect” the government’s use of the computer.
The fourth section, § 1030(a)(4), addresses the access and fraudulent use of a protected computer and is triggered if the value of the use obtained exceeds $5,000. Congress intended this subsection to apply, for example, to use by hackers who take over a supercomputer to run a password-breaking program. The “zombie” computers who were infected by the daemon and enlisted into the attack suffered a loss of processor power and bandwidth. This subsection could be applied against the attacker for each computer the hacker enlisted in the assault. With the subsection providing for a jail term for up to five years per instance, a hacker who plants hundreds of daemons could be liable for an extensive prison sentence.
One of the critiques of this subsection is the $5,000 damage threshold. Prosecutors have found that the $5,000 damage requirement is often both difficult to establish and an impediment to investigation. It is sometimes speculative to assess $5,000 damages if the attacker only used the computer to launch attacks. In United States v. Middleton,96 the defendant challenged the government’s theory of calculating the $5,000 in damages to Slip.net, an Internet Service Provider (“ISP”). The court held that the government’s theory of loss “will be that the damage caused by defendant to the Slip.net computers caused Slip.net employees to expend time to investigate, identify, and correct the damage caused by Middleton, and take other security related steps.”97 The court agreed with the government “that the time the employees expended can be fairly valued at a figure of at least their hourly wage or salary, plus the value of benefits and overhead” provided adequate explanation of the government’s theory.98
In addition to the uncertainty concerning the factors used to calculate the $5,000, federal authorities currently have to wait for a damage assessment to determine if there is federal jurisdiction, delaying time-sensitive investigations. For example, if a DoS attack is launched on a California web site, but the attack originated in New York, was routed through a server in New Jersey, and bounced off a computer in Wisconsin on its way to California, investigators may be required to petition the court in each jurisdiction for an order to place a trace on the activity.99 Under a new legislative proposal by Senators Charles Schumer and Jon Kyl, the federal government would unambiguously permit federal jurisdiction as soon as the attack occurs, rather than waiting for the damage assessment.100 Also, damage estimates below $5,000 will be treated as a misdemeanor, while damage above $5,000 will still be treated as a felony. Finally, proposed legislation specifies that the costs of responding to the attack, damage assessment costs, repair to the system and lost revenue from the interruption of service will be counted toward the $5,000 damage amount.101 Under the present statute, the damage calculation method is unclear and there has been little judicial precedent to provide guidance for allowable damage factors.102
The fifth section, § 1030(a)(5), is the main anti-hacking subsection. Subsection 1030(a)(5)(A) applies to whomever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”103 The DoS and DDoS attacker would be liable under this subsection both to the “zombie” systems and the targeted systems. The attacker causes the transmission of a program on the “zombie” system and intentionally causes damage. The attacker also causes the transmission of information, the packets, and code, the datagrams that intentionally cause damage. This subsection provides serious sentencing guidelines. A first-time conviction can subject the attacker to up to five years in prison for each occurrence. According to United States Sentencing Commission, “[i]f the defendant is convicted under 18 U.S.C. Section 1030(a)(4) or (5), the minimum guideline sentence, notwithstanding any other adjustment, shall be six months’ imprisonment.”104
Section 1030(a)(5)(B) prohibits unauthorized access that recklessly causes damage to a protected computer.105 Violation of this subsection is also a felony. However, the standard of reckless disregard is below the intentional damage provided under § 1030(a)(5)(A). If the prosecutor can show that the damage was intentional, as all DoS and DDoS attacks are, then the reckless disregard is unnecessary.
Section 1030(a)(5)(C) covers negligent damage to a protected computer. There is almost no conceivable scenario where this subsection could be used. Congress intended to punish the activity of hackers who do not intend to harm the systems but accidentally cause harm to the computer in the process. To only punish intentional harm would condone hacking into systems as long as no harm was done to the system.106 However, in DoS and DDoS attacks, there could be no other reason a person would plant a daemon on another computer, or launch a DoS attack against another computer. Perhaps it is feasible that a curious computer user would enter a large ping command for another computer without a full understanding of the consequences. However, such conduct would be more reckless than negligent.
The sixth section, § 1030(a)(6), is concerned with the unauthorized trafficking of computer passwords and is not relevant to DoS attacks. Likewise, § 1030(a)(7) covers extortion threats against computer or network owners. This subsection would only be invoked if the attacker threatened to launch a DoS attack against the victim unless the victim pays the attacker “any money or other thing of value.”107
8. DoS Summary
Denial of Service attacks represent a significant threat to the stability of our network infrastructure because of the inherent vulnerability in the TCP/IP 3-handshake reliable protocol. Successful prosecution of the perpetrators should raise the awareness that DoS and DDoS are very serious crimes with serious consequences. Also, system administrators are likely to collaborate in devising plans for rapid network response to thwart the source of the attacks. However, where the system administrator’s carrot may be minimized damage to their systems, the stick may be potential tort liability for allowing their system to be used in an attack against another server.108 The tort standard of negligence could be: would a “reasonably prudent system administrator” have allowed a hacker to place a DDoS daemon on his system, and “but for” his negligence, the targeted server would not have been overloaded without his contribution? If the “zombie” computers were held liable for negligent administration of their servers, this also may help secure the Internet against DDoS attacks. Finally, the CFAA provides for a civil action for those who suffer any damage or loss against someone who violates 18 U.S.C. § 1030(a). The laws are in place to address the issue. Unfortunately, the greatest impediment to prosecuting will continue to be technical difficulty of tracing the route of the attack back to the perpetrator.
B. Web Site Defacing and Malicious Interference: User Level and Root Level Hacks
There are several reasons why a hacker would seek to hack into a web site and change a web page.109 Web site hackers range from teenage pranksters to foreign powers seeking intelligence, and everything in between. Increasingly, there is a divide between the “old school” and “new school” hackers.110 The “old school” hackers are associated more with the “Hacker’s Ethics,” a text that has been available on hacking newsgroups for several years.111 The rift between the two schools is often referred to as the “Black Hats” against the “White Hats.”112 The “old school” hackers complain that the widespread availability of ready-to-hack software does not require the level of sophistication that hacking required ten years ago, creating more opportunities to maliciously hack into systems without an understanding of the impact. They argue that irresponsible hacking has led to a higher profile of the “hobby” and a wave of new criminal laws that punishes both non-malicious intrusions and malicious intrusions. The “new school” hackers assert that many of the “old school” hackers have “sold out” to corporations as security experts.113
For the purposes of our discussion, hacking techniques will be divided into three large areas based on the hacker’s intent. We will primarily address damage caused by non-authorized persons, not insiders who exceed their authorization.114 The first major section is web site defacing and malicious interference with a web site, excluding Denial of Service attacks.115 The second major section is unauthorized access for information and financial gain.