Ransomware attacks on the United States, state and local governments have occurred since 2013 and are increasing at an alarming rate. Research ransomware attacks on three federal or state jurisdictions, with one of them being the City of Baltimore.
For this assignment, you are to describe ransomware; explain what impact these attacks had on the three jurisdictions in terms of cost and lost revenue; and state whether these municipalities paid the ransom amount demanded or tried to recover from the attack without paying the ransom. If so, state how much the data recovery cost the municipality. Lastly, explain what you would do if you were the governor or mayor of a jurisdiction hit by this ransomware attack: pay or not pay.
This paper should be at least three pages long, double spaced, with your name, date, and title included as a header, page numbering in the footer in the form of page x of y, and have references cited per APA formatting guidelines. You must use a minimum of five references and none of them can be Wikipedia.
Computer Fraud and Abuse Act of 1986 and other computer crime statutes

Legislative history
Signed into law in order to clarify definitions of criminal fraud and abuse for federal computer crimes, and to remove the legal ambiguities and obstacles associated with prosecuting these crimes.
Established two new felony offenses for the unauthorized access of "federal interest" computers and a misdemeanor for unauthorized trafficking in computer passwords.
Has been amended to reflect growing technology
In 1996 “federal interest” computers were replaced by “protected” computers
Amended by the USA PATRIOT Act
Last amendment 2008 - botnets

What it does
Protects against theft of computer records from financial institutions, credit card issuers and consumer credit agencies
Prohibits dissemination of computer viruses
Punishes trafficking in passwords
Prohibits mere attempts
Authorizes some private causes of action for damages

Prohibits 7 types of activities (National Security Info)
Knowing access without authorization or by use of excess of authorization of federal government computers to obtain classified information. 18 U.S.C. § 1030(a)(1)
“without authorization” is not defined in the Act.
“exceeds authorized access” is defined: 18 U.S.C. § 1030(e)(6).

Legislative history indicates that Congress expected persons who exceed authorized access are likely insiders, and persons who act without authorization are likely outsiders.
The statute restricts criminal liability for insiders – users with authorized access – to situations where they intend to cause damage to the computer, not for recklessly or negligently causing damage.
Contrast outsider intruders, who can be punished for any intentional, reckless or other damage.

Prohibits 7 types of activities (Compromising Confidentiality)
Intentional access without authorization or by use of excess of authorization of a computer to obtain information from a financial institution, the federal government, or any protected computer involved in interstate or foreign communications. 18 U.S.C § 1030(a)(2)

Prohibits 7 types of activities (Trespassing in a government computer)
Intentional and unauthorized access of federal government computers or computers used by or for the federal government when the access affects the government’s use of that computer. 18 U.S.C § 1030(a)(3)

Prohibits 7 types of activities (Accessing to defraud and obtain value)
Knowing access without authorization or by use of excess of authorization of a protected computer, with intent to defraud. 18 U.S.C § 1030(a)(4)

Prohibits 7 types of activities (Damaging a computer or information)
Knowingly causing the transmission of a program, information, code or command and as a result of that conduct intentionally causing damage without authorization of a protected computer. 18 U.S.C § 1030(a)(5)

Prohibits 7 types of activities (Trafficking in passwords)
Knowing trafficking of computer passwords with the intent to defraud. 18 U.S.C § 1030(a)(6)

Prohibits 7 types of activities (Threatening to damage a computer)
Transmitting communications containing threats to cause damage to a protected computer.
18 U.S.C § 1030(a)(7)

Protected computer
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Penalties (increased by the PATRIOT Act)
Enhanced punishment for violations involving any damage to a government computer involved in criminal justice or the military; included damage to foreign computers involved in US interstate commerce;
raised the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense;
included state law offenses as prior offenses for sentencing; and expanded the definition of loss to expressly include time spent investigating and responding for damage assessment and for restoration.

2008 changes
2008 – amended by the Identity Theft Enforcement and Restitution Act
Eliminated requirement in Sec 1030(a)(5) that the illegal activity caused at least $5,000 in damages before the US can bring charges for unauthorized access to a computer.
Amended Sec 1030(c)(4) to make it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution. (Botnets)
Allows prosecution when the cybercriminal and the victim live in the same state.
Under prior law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim's PC.
Expands the definition of cyber-extortion.

Other cybercrime statutes
Criminal copyright offenses
17 USC § 506 – criminal infringement
18 USC § 2319 – punishment for criminal infringement
18 USC § 2318 – counterfeits
Copyright management offenses
17 USC § 1201 – circumvention of copyright protection systems
17 USC § 1202 – integrity of copyright management information
17 USC § 1204 – Criminal offenses and penalties

Economic Espionage Act of 1996
The first federal statute specifically making criminal the theft of trade secrets.
18 U.S.C. § 1831, deals only with the theft or other misappropriation of a trade secret that benefits a foreign government, foreign instrumentality or foreign agent.
18 U.S.C. § 1832, penalizes the theft of commercial trade secrets if anyone other than the owner will benefit.

Defend Trade Secrets Act (2016)
18 USC Sec 1836
Permits an owner of a trade secret to sue in federal court for misappropriation of a trade secret.
Expanded the EEA to permit private civil suits
Whistleblower protection

Lori Drew and MySpace
No Missouri law under which Drew could be charged
First use of Computer Fraud and Abuse Act in a social networking case
Indictment in Los Angeles, where the MySpace servers are located
Indicted for conspiracy and 3 counts of “accessing protected computers without authorization to obtain information to inflict emotional distress"
MySpace's user agreement requires registrants to provide factual information about themselves and to refrain from soliciting personal information from minors or using information obtained from MySpace services to harass or harm other people.
Prosecution claimed that by allegedly violating that click-through contract, Drew committed the same crime as a hacker – accessing protected computers without authorization

Criticism of use of CFAA for indictment:
it sets a dangerous precedent that could potentially criminalize any violation of the terms of service of any website
terms-of-service agreements sometimes contain onerous provisions
Companies often unilaterally change terms-of-service agreements
Users rarely read the agreements

Drew’s attorney filed 3 motions to dismiss: Prosecutors were vague in their charges, Prosecutors overstepped their authority by improperly delegating prosecutorial powers, and Prosecutors failed to state an offense and facts in support of allegations that Drew intended to violate the terms of service
Judge rejected motions

Issues
Is the CFAA an appropriate statute for charging?
Prosecution states that the CFAA “was intended to serve as the principal statute to address computer-related crimes and was designed to be flexible enough to address changing circumstances" as new technologies and methods for abusing them arise.
CFAA originally was passed in 1984 – “cyberbullying” didn’t exist.
Is it a crime to violate a TOS?
3 of the 4 counts against Drew were for unauthorized access based on violation of MySpace’s TOS.
Do people read the TOS?

Outcome
Trial - Nov. 26, 2008 – Drew found guilty on 3 misdemeanor counts (reduced by jury from felonies) of accessing protected computers without authorization to obtain information to inflict emotional distress
Jury deadlocked on the one count of criminal conspiracy
August 31, 2009 – district court judge grants Drew’s motion for dismissal
Constitutional argument – vagueness?
Discusses the meaning of “unauthorized access”
"Treating a violation of a website's terms of service, without more …would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.”

Is “disloyal” computer use a crime/actionable civil claim under 18 U.S.C. § 1030?

Circuit Splits
Are employees who use their workplace computers contrary to the interests of their employers committing crimes under the Computer Fraud and Abuse Act?
Circuits are split
Ninth Circuit: Nosal (9th Cir.), Brekka (9th Cir.)
Seventh Circuit: International Airport Centers v Citrin (7th Cir.)

IAC v Citrin (7th Circuit)
International Airport Centers, L.L.C. v. Citrin (2006)
Citrin was employed by IAC, a real estate company, to identify potential acquisitions and record relevant data about them.
IAC provided a company laptop to Citrin to use while he was employed by IAC.
Citrin breached his employment agreement with IAC and became self-employed.
Before he returned the laptop, he deleted data using secure erasure software that rendered the data unrecoverable.
The data included information he had collected for IAC as well as other information that indicated improper workplace conduct.
IAC did not have backup files and could not recover the deleted data
IAC sued Citrin under the CFAA - 18 U.S.C. § 1030(a)(5)(A)(i), whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer,”
Is the use of the secure erasure software a “transmission”?
Citrin moved to dismiss the suit, claiming that using the software was not a transmission
Holding: the precise method of transmission does not have to be known or disclosed in order to survive a motion to dismiss for failure to state a claim.
Any evidence of a transmission, regardless of the precise type, is sufficient to withstand a motion to dismiss a CFAA, 18 U.S.C. § 1030, claim.
Here, permanent file deletion is “damage” for purposes of civil suit

LVRC Holdings v Brekka
9th Circuit (2009)
LVRC operated a treatment center in Nevada
When it hired Brekka, Brekka owned two consulting businesses that provided referrals of potential patients to rehabilitation facilities.
LVRC knew of these businesses at the time of the hire.
Brekka commuted between Florida and Nevada
He was assigned a computer at LVRC’s site in Nevada
He emailed documents he obtained or created for his work at LVRC to his own personal computer in Florida.
LVRC and Brekka had no written employment agreement.
LVRC had no internal policy that prohibited transfer of LVRC documents to personal computers.
In June 2003, he emailed the administrative password for the LVRC's email system to his personal account.
In August 2003, Brekka and LVRC began discussions regarding the possibilities of Brekka investing in an ownership interest in LVRC
At the end of August, Brekka emailed documents to his wife and himself that included a financial statement for the company, LVRC's marketing budget, and admission reports for patients.
On September 4, 2003, he