DOJ Asks Senate To Reform CFAA To Help Deter Insider Threats

King & Spalding

In written testimony for a Senate subcommittee hearing held on August 21, 2018, Department of Justice (“DOJ”) Associate Deputy Attorney General Sujit Raman said, among other things, that reform is needed for the Computer Fraud and Abuse Act (“CFAA”), to make it easier to prosecute not only hackers who gain access to victim computers without any authorization, but also individuals who have some authorization to access a computer, referred to as “insiders.” 

According to Mr. Raman’s testimony, recent judicial decisions have limited the government’s ability to prosecute insider attacks by preventing insiders from being charged under the CFAA.  Mr. Raman stated that this is contrary to the intent of the CFAA, which was meant to apply to insiders as well as outside hackers.

Mr. Raman highlighted the seriousness of cybersecurity threats from insiders by quoting recent survey findings:  “As a recent survey of 472 cybersecurity professionals indicated, 90% percent of organizations feel vulnerable to insider attacks, and 53% have confirmed insider attacks against their organization in the previous 12 months.  The survey also found that the type of data most vulnerable to insider attacks is confidential business information, and that a plurality of those surveyed estimated that the potential cost/loss of an insider attack was between $100,000 and $500,000.”

Mr. Raman noted that the issue is a narrow judicial interpretation of the phrase “exceeds authorized access” under the CFAA.  He acknowledged that one of the concerns supporting the narrow judicial interpretation is a “theoretical threat of prosecution faced by an employee who uses the Internet to check baseball scores at lunchtime in violation of his employer’s strict business-only Internet use policy.”  However, Mr. Raman stated that the DOJ has no interest in prosecuting harmless violations of use restrictions; the narrow application of “exceeds authorized access” makes it difficult to prosecute insiders who use their access privileges to exceed the bounds of their legitimate access to confidential information and cause significant harm to either their employers or individuals.

Mr. Raman proposed a reform of the CFAA that would clarify the definition of “exceeds authorized access” to include situations where a person accesses a computer for a purpose that he or she knows is not authorized.

The hearing, titled “Cyber Threats To Our Nation’s Critical Infrastructure,” was held by the Senate Subcommittee on Crime and Terrorism.  Other witnesses testifying at the hearing were U.S. Senators James Lankford (R-OK) and Richard Blumenthal (D-CT); Michael J. Moss, Deputy Director of the Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence; Robert Kolasky, Director, National Risk Management Center, National Protection and Programs Directorate, United States Department of Homeland Security; Thomas A. Fanning, Chairman, President and CEO of Southern Company; and James A. Lewis, Senior Vice President, Center for Strategic and International Studies.

Additional information on the hearing and the witnesses’ testimony is available by clicking here.
