The Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. Section 1030, is one of the U.S. Department of Justice’s most potent weapons in its fight against cybercrimes. It outlines numerous offenses, and it imposes penalties ranging from statutory fines to lifetime federal imprisonment. Thus, it could go without saying that facing charges under Section 1030 is an extremely serious matter.

However, many people have severely flawed assumptions about the risks attendant to facing computer crime charges under the CFAA, and this means that far too many targets and defendants (and their defense lawyers) fail to devote adequate effort and resources to fending off charges under Section 1030.

The CFAA underwent a major overhaul in 1996. As the U.S. Department of Justice (DOJ) explains,

“As amended, section 1030 contains seven separate provisions that create both felonies and misdemeanors. It also punishes attempts to commit these offenses . . . [and] provides for enhanced punishments for any section 1030 offense when the defendant has already been convicted of another offense or attempt covered under the same section. These enhanced penalties and broader jurisdiction reflect the increasing seriousness with which computer-related crime is regarded.”

Now, fast-forward to 2021. Cyberattacks have proliferated to a degree that was unimaginable 25 years ago, and attackers are finding new ways to target companies’ and consumers’ devices at unprecedented rates. Understanding that the DOJ was focused on combating cybercrime in 1996, you can see just how significant it is to be facing charges under 18 U.S.C. Section 1030 today.

“The DOJ aggressively prosecutes cases under the Computer Fraud and Abuse Act. For those facing charges, understanding the specific focus of the government’s case and building a defense strategy that is tailored to the specific allegations at hand is crucial for mitigating unnecessary consequences.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

Understanding the Extraordinary Scope of 18 U.S.C. Section 1030

The CFAA is an extraordinarily broad statute. It covers virtually all types of unauthorized access to electronic devices; and, as noted in the quote from the DOJ’s Criminal Resource Manual above, it facilitates prosecution for attempted computer crimes as well. Section 1030 also expressly allows for prosecution of conspiracy charges against individuals suspected of even tangentially participating in conduct that violates the statute.

The seven main operative provisions of the CFAA appear in 18 U.S.C. Section 1030(a). In summary form, the primary offenses outlined in Section 1030(a) are:

• Accessing a Computer Without Authorization Containing Protected National Defense or Foreign Relations Information – Subsection 1030(a)(1) prohibits transmitting or retaining information, “having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that . . . require[s] protection against unauthorized disclosure for reasons of national defense or foreign relations . . . with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation . . . .”
• Obtaining Financial Records, Government Records or Other Data from a Protected Computer Via Unauthorized Access – Subsection 1030(a)(2) prohibits intentionally accessing a computer without authorization (or exceeding authorized access) in order to obtain, “information contained in a financial record of a financial institution, or of a card issuer . . . or contained in a file of a consumer reporting agency on a consumer . . . information from any department or agency of the United States; or information from any protected computer.”
• Accessing a Federal Government Computer Without Authorization – Subsection 1030(a)(3) prohibits, “intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, access[ing] such a computer . . . that is exclusively for the use of the Government of the United States . . . .”
• Gaining Unauthorized Access With Intent to Defraud – Subsection 1030(a)(4) imposes statutory penalties for anyone who, “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .”
• Causing Damage to a Computer Through Unauthorized Access – Subsection 1030(a)(5) prohibits knowingly, “caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer,” as well as intentionally causing damage or loss by accessing a protected computer without authorization.
• Trafficking in Computer Passwords or “Similar Information” – Subsection 1030(a)(6) makes it a federal offense to, “knowingly and with intent to defraud traffic[] (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization,” in interstate commerce or via a U.S. government computer.
• Making Threats or Demands with the Intent to Extort – Subsection 1030(a)(7) provides for prosecution of anyone who, with the intent to extort, transmits any communication in interstate or foreign commerce containing a, “threat to cause damage to a protected computer; threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.”

As you can see from these abridged versions of the statutory language in 18 U.S.C. Section 1030(a), the CFAA criminalizes conduct ranging from threatening to install malware on consumer devices to stealing information with national security implications from a U.S. government computer. In between, there are numerous other types of offenses that can lead to swift and aggressive prosecution in federal district court.

Defense Strategies for Federal Cases Under 18 U.S.C. Section 1030

Given the breadth of Section 1030(a) and the DOJ’s focus on prosecuting cybercriminals, individuals targeted in CFAA investigations need to defend themselves by all means available. Fortunately, there are a number of possible defense strategies that targets, defendants and their federal defense lawyers can utilize in these cases.

Of course, the specific defenses that are available in any particular case will depend on the specific facts, circumstances and allegations involved. With this caveat in mind, three examples of ways that targets, defendants, and their counsel can defend against cybercrime charges under the CFAA include:

Demonstrating that Access was Authorized

All seven operative provisions of Section 1030(a) involve some element of unauthorized access. Thus, if a target’s or defendant’s access was not unauthorized, demonstrating that this was the case can serve as a complete defense in many cases.

Crucially, Section 1030(a) proscribes not only access that is entirely unauthorized, but also access “in excess of authorization.” As a result, employees, government contractors and others who have authorized access to a computer (or other device) need to be extremely careful when pursuing this defense strategy. Exceeding authorized access in any facet or capacity is sufficient to trigger culpability under the CFAA.

Clearly, in some cases, this defense strategy will not be an option. If a target or defendant is accused of accessing a computer owned by a consumer, company, or government entity with which the target or defendant has no relationship whatsoever, then it will be difficult to argue that the access in question was authorized.

Arguing No Access to a Protected Computer

In some cases, it may also be possible to defend against allegations under the CFAA by arguing that the target or defendant never actually accessed the information in question via a protected computer. If federal prosecutors cannot conclusively establish that the target or defendant was able to access the device in question, then exposing this fatal flaw in the government’s case could be enough to stave off federal charges.

Arguing Lack of Criminal Knowledge or Intent

Subsections 1030(a)(1) through 1030(a)(7) all require evidence of some form of knowledge or intent. Indeed, some subsections require both (i.e. Subsection 1030(a)(4), which requires both knowing access and intent to defraud). Proving these subjective elements is often among the most-difficult tasks federal prosecutors face in criminal cases; and, if the DOJ’s evidence is lacking, then prosecutors should not be able to proceed with seeking an indictment.

Disputing Whether the Computer In Question was “Protected”

Several provisions of the CFAA require access to a protected computer. Subsection 1030(e)(2) defines a “protected computer” as a computer:

• Exclusively for the use of a financial institution or the U.S. government;
• Used by a financial institution or the U.S. government when the alleged unauthorized access affects such use;
• Used in or affecting interstate or foreign commerce or communication;
• That is part of a voting system or used for a federal election; or,
• That “has moved in or otherwise affects interstate or foreign commerce.”

The “interstate or foreign commerce” provisions of subsection 1030(e)(2) will bring the substantial majority of all cases within the scope of the CFAA. However, when facing the potential for years or decades of federal imprisonment, it is worth putting all options on the table. Federal cases under 18 U.S.C. Section 1030 present significant risks, and executing a targeted and strategic defense is essential for mitigating the risk of facing sentencing at trial.