The need for vigorous criminal enforcement of cybercrime laws will only become more important as networked computers and the criminals who target them grow.
That was how the Department of Justice started a blog post this week that defined how it decides whether or not to prosecute a federal computer-related crime.
+More on Network World: Gartner: Artificial intelligence, algorithms and smart software at the heart of big network changes+
Specifically, the DoJ said “with recent prosecutions against cyber-criminals such as Roman Seleznev and Marcel Lazar and cyberstalkers and sextortionists like Ryan Vallee and Michael Ford, the DoJ detailed the policy under which it chooses whether to bring charges under the Computer Fraud and Abuse Act: the 2014 Intake and Charging Policy for Computer Crime Matters.”
This document guides federal prosecutors in determining when to open an investigation or charge an offense under the Computer Fraud and Abuse Act, the DoJ stated.
Prosecutors must consider a number of factors in order to ensure that charges are brought only in cases that serve a substantial federal interest, the DoJ stated. Among the chief factors that are considered are the following:
- The sensitivity of the affected computer system or the information transmitted by or stored on it and the likelihood and extent of harm associated with damage or unauthorized access to the computer system or related disclosure and use of information;
- The degree to which damage or access to the computer system or the information transmitted by or stored on it raises concerns pertaining to national security, critical infrastructure, public health and safety, market integrity, international relations or other considerations having a broad or significant impact on national or economic interests;
- The extent to which the activity was in furtherance of a larger criminal endeavor or posed a risk of bodily harm or a threat to national security;
- The impact of the crime and prosecution on the victim or other third parties;
- Whether the criminal conduct is based upon exceeding authorized access consistent with several policy considerations, including whether the defendant knowingly violated restrictions on his authority to obtain or alter information stored on a computer, and not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it;
- The deterrent value of an investigation or prosecution, including whether the need for deterrence is increased because the activity involves a new or expanding area of criminal activity, a recidivist defendant, use of a novel or sophisticated technique, or abuse of a position of trust or otherwise sensitive level of access; or because the conduct is particularly egregious or malicious;
- The nature of the impact that the criminal conduct has on a particular district or community; and
- Whether any other jurisdiction is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution.
The DoJ continues to push for some “targeted updates” to the Computer Fraud and Abuse Act that will help the department protect online privacy and security.
More on Network World: The weirdest, wackiest and coolest sci/tech stories of 2016 (so far!)+
The first, would be the clarification of the definition of “exceeds authorized access” which includes the situation where the person accesses the computer for a purpose that he knows is not authorized by the computer owner. This clarification is necessary to permit the prosecution of, for example, a law enforcement officer who is permitted access to criminal records databases, but only for official business purposes, the DoJ stated.
Second, at the same time, the proposal adds new requirements that the government must meet to make clear that trivial conduct does not constitute an offense. In order to constitute a crime under the new wording, not only must an offender access a protected computer in excess of authorization and obtain information, but the information must be worth $5,000 or more, the access must be in furtherance of a separate felony offense, or the information must be stored on a government computer, the DoJ stated.
Check out these other hot stories: