New criminal indictments against 13 alleged Anonymous members reflect the administration’s hard-line stance on cybercrimes.
Despite the fact that most of the federal government is on an unplanned furlough due to the shutdown, the United States Department of Justice announced Thursday that a grand jury at the U.S. District Court in Alexandria, Va. has brought criminal indictments against 13 alleged members of the hacktivist group Anonymous. The 13 are being charged with allegedly attacking governmental, banking and lobbying websites in a file-sharing campaign.
The 13 are accused of participating in Operation Payback, a retaliatory strike against efforts to shut down the Pirate Bay, a peer-to-peer (P2P) torrent hosting site from which users can download the metadata and network locations of other users’ files, which can then be used to retrieve a file from a ‘swarm’ of hosting users’ computers simultaneously. While the Pirate Bay itself does not host copyrighted material, it does facilitate the transfer of potentially copyrighted material, which has earned it the ire of major digital rights management groups, such as the Motion Picture Association of America and the Recording Industry Association of America.
Operation Payback launched distributed denial-of-service attacks against the MPAA, the Library of Congress, Bank of America, Visa and MasterCard. In such an attack, a large cluster of computers, operated intentionally by their users or more likely via malware, continuously requests HTTP connections to an Internet server, which overwhelms the number of available “slots” for connections and renders the service incapable of responding.
This indictment comes at a time when the shutdown has left the United States Attorney’s Office, while technically functional, in an acute state of disarray. Federal prosecutors are considered essential personnel and are therefore exempt from furloughing. Administrative and support staff such as paralegals, clerks and office secretaries, however, are not. “From our perspective, it’s a mess,” said Lorin Reisner, chief of the Criminal Division at the Manhattan U.S. Attorney’s Office. “We have 10 trials going on in the Criminal Division, and I spent half of yesterday making sure the paralegals who are working on those cases can continue working on those cases, or that we have others who can assist with those trials. It’s been quite a mess from an administrative and support staff perspective.”
Pushing through these cybercrime cases at a time when the government is ill-suited to fight them properly reflects the high priority of these cases within the Justice Department. The Obama administration has taken a stronger position against computer fraud, hacking allegations, network intrusions, cyberbullying and intellectual property rights infringement than any other presidential administration before it. Many worry that the government’s “tunnel vision” approach to cybercrimes is reducing the nation’s focus on other areas of crime, such as financial fraud and human trafficking.
Calls for vigilance
“Cybercrime is one of the greatest threats facing our country, and has enormous implications for our national security, economic prosperity, and public safety,” wrote Jenny Durkan, the U.S. Attorney for the Western District of Washington and Chair of the Cybercrime and Intellectual Property Enforcement Subcommittee of the Attorney General’s Advisory Committee. “Attorney General Eric Holder has made it one of the Department of Justice’s top priorities. The range of threats and the challenges they present for law enforcement expand just as rapidly as technology evolves.
“Success in containing the threats presented by cybercrime will require sustained collaborative efforts by private industry, consumers, and all levels of government. It will require new laws, better technology, and smart prosecutions. U.S. Attorneys play a pivotal role in the prosecution of cybercrime and outreach on cyber issues. As we hire, train, and equip our prosecutors to meet the challenges this complex threat presents, we will set the framework for a new era in law enforcement.”
Some would argue that the United States has no choice but to be headstrong in regard to cybercrime prosecution. Since President Obama entered the White House, the number of cybercrime offenses per year has risen. An example of this came in January, when a Russian, a Latvian and a Romanian allegedly were involved with the creation of a computer virus — the Gozi virus — which infected more than 40,000 computers, stealing bank account data and other personally identifiable information. An unspecified amount of money was stolen, believed to be in excess of millions of dollars.
The same virus was also used to go after accounts in a Manhattan-based “big bank,” to hack the email and web history of 190 NASA computers and to raid accounts in European banks.
In May, the U.S. Attorney for the Southern District of New York announced that members of a worldwide gang of criminals had stolen more than $45 million in just a few hours by hacking prepaid debit card databases and draining ATMs throughout the world with fraudulent cards made from the stolen information. The unsealed indictment accused American cell ringleader Alberto Yusi Lajud-Peña and seven others in his New York-based group of stealing $2.8 million in less than a day.
“We are seeing an unprecedented number of cyberscams that include phishing for financial data, viruses, credit card fraud and others,” said Marcin Skowronek, an investigator at Europol’s European Cybercrime Center in The Hague. “In Europe, we are generally quite well protected against some types of fraud because of the chip and pin technology we use, but there are still shops and machines around the world who still take cards without chips. And the most popular destinations for this type of fraud are the United States and the Dominican Republic.”
Most troubling of all, in September, computer security firm Symantec Corp identified “Hidden Lynx” as one of the “most technically advanced of several dozen believed to be running cyber espionage operations out of China.” “Hidden Lynx” and other Chinese hacker groups are responsible for a multitude of recent attacks on American companies, such as the attack on computer graphics software firm Adobe, in which the personal identification and financial information of millions of customers were stolen.
“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems,” said Brad Arkin, chief security officer at Adobe. “We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.”
Adobe believes that in addition to consumer information, the thieves were looking for trade secrets, such as the source code for Adobe’s products.
Symantec pointed out that “Hidden Lynx” was most likely behind the 2010 Operation Aurora, when hackers infiltrated Google, Adobe and dozens of other companies in an attempt to change the source code of the security protections of these companies’ services to, for example, allow the group to read private Gmail messages and receive copies of customer records. Symantec stopped short of saying that the Chinese government sponsored these attacks, but other firms have suggested that this is likely.
Cyber-security firm CrowdStrike believes the group works solely for the Chinese government and state-owned enterprises. “Whether they are formally a military unit or a defense contractor, that is unknown,” said Dmitri Alperovitch, chief technology officer of CrowdStrike, who discovered and named Operation Aurora in 2010.
A heavy hand
While no one would deny the importance of the federal government’s pursuit of these cases, questions arise around the government’s “one-interpretation-fits-all” approach to the Computer Fraud and Abuse Act, which establishes that accessing a computer or computer network without permission, outside of the permission given or “in excess of authorization,” is a civilly and criminally punishable offense. The act does not clearly define the demarcation between acceptable and unacceptable access. For example, the law does not say what “without authorization” or “in excess of authorization” means, so a person who assumed a commonly recognized privilege on a computer system could be accused of trespassing for lacking approved, explicit access from the system’s owner, as in the case of Aaron Swartz.
“Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren’t really about hacking a computer, but instead target other behavior prosecutors dislike,” wrote the Electronic Frontier Foundation. “For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn’t be the case. Compounding this problem is the CFAA’s disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient “authorization” can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government’s case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were ‘unauthorized’ access claims.”
United States v. Drew is the case of a Missouri woman, Lori Drew, who — thinking that hurtful rumors were being spread about her daughter — went on MySpace, posing as a 16-year-old boy to entrap the girl the woman suspected of being behind the rumors. The situation led to cyberbullying against 16-year-old Megan Meier and her eventual suicide. Prosecutors used the CFAA to go after Drew when no other avenue of prosecution made itself available, alleging that Drew’s violation of MySpace’s terms of service constituted “excess of authorized use.”
On appeal of the single charge against Drew, the presiding judge ruled that the CFAA’s definition of a crime is so vague that without a significant effort toward public education of acceptable online behavior, every Internet user could be susceptible to being accused of violating the CFAA. Drew was acquitted of all charges.
United States v. Nosal is a case in which the Justice Department argued that the violation of a company-based computer-use rule (in this case, the unauthorized downloading of proprietary information) constitutes a crime under the CFAA. The U.S. Ninth Circuit’s Court of Appeals ruled that violation of a company’s use policy is not a criminal infraction.
This “freedom to interpret” turns the CFAA into a dangerous weapon: a catch-all for any and all computer-based threats the government cannot deal with traditionally. This creates a Machiavellian overreach of authority. The U.S. Attorney’s office is using the CFAA in ways beyond its original intent in order to empower the government to take on major threats to the nation’s computer infrastructure, on the reasoning that it’s okay to stretch the law if it means that the “bad guys” are imprisoned.
This type of thinking is dangerous. If the government recognizes all computer crimes as being equally dangerous, then it is willing to go after the small crimes with the same fervor as the big ones. If that’s the case, then proactive measures to screen for possible violations and threats, such as surveillance of electronic communications, become defensible.
The federal government’s “tunnel vision” on electronic security has created a situation in which not only is the federal government distrusted abroad, it’s distrusted at home, too. The heaping of prosecutorial energy on cases such as that of Jeremy Hammond (who is charged with allegedly hacking private intelligence contractor Stratfor in political protest) and that of Aaron Swartz (after whose suicide due to the stress of the government’s prosecution everyone who had pressed charges against him, from the U.S. Attorney’s office to the Massachusetts Institute of Technology, went to extraordinary efforts to distance themselves from what is now being seen as a case of prosecutorial overreach) has given many the opinion that the government is slanted in its prosecutions toward corporate interests.
To what extent this is true may never be known. However, the longer the nation waits before asking the question, the more complicated and painful the answer will turn out to be.