The CFAA and SCOTUS Cases Changing Cybersecurity

WarGames, Poker Cheating and a Desperate Cop: The CFAA and the SCOTUS Case That May Forever Change Cybersecurity

The Supreme Court of the United States (SCOTUS) recently heard arguments in the case VanBuren v. The United States.  The crux of the case is the Computer Fraud and Abuse Act of 1986, also known as the CFAA.  The history of the CFAA is fascinating, with at least one case involving cheating on poker software, and origins in Hollywood.  But the facts of the VanBuren case are interesting enough themselves, with significant ramifications for the future of computer security and what does or does not constitute hacking.  The case has also drawn the attention of groups like the Electronic Frontier Foundation (EFF) that have written amicus briefs supporting their positions on the case.  

First a little history

1984 was a memorable year for Matthew Broderick and cinema in general.  Broderick was a rising star, and landed the lead role in a movie that focused on the new world of hacking.  Previously the purview of geeks and nerds, hacking was going mainstream, in this case due to the national security issues that arise in the film WarGames. In the movie Broderick is a ne’er do well high school student in Seattle that goes from changing grades (to impress Ally Sheedy, no less) to interacting with a computer system that controls the US nuclear arsenal, W.O.P.R.

W.O.P.R. was created because humans might flinch in a mutually assured destruction situation, ensuring a victory for the USSR over the USA and…well…there was a lot to unpack.  The gist is that a computer programmer named Falken had built the simulation required to run W.O.P.R., amongst a host of other games.  Broderick’s character hacks into those games, and then eventually sets off several close calls with the nukes, which scares the military men and politicians enough to do something about it.  In the end nuclear war is avoided, with the aid of Dabney Coleman and some quick thinking.

So, what the heck does this have to do with federal law.  Well, a number of members of Congress had seen WarGames and were shaken to the core.  More importantly they foresaw that hacking would become a larger problem over time.  As part of a larger discussion around crime there was discussion about what to do about hacking, and what would constitute a crime in the context of hacking.  Ultimately the CFAA was passed, and though it has been amended over the years as technology has evolved it has remained in place and hacking can very much be both a crime and a civil matter for the courts.

One of the most famous cases was United States v. Kane, which involved a question about what was a protected computer under the law.  In the facts a man named John Kane discovered a software bug that could be triggered to produce jackpots in poker hands via a video poker game.  He and associate won a number of prizes, exploiting the bug and winning hands with tough odds.  One such hand had 820-1 odds, catching the eye of Nevada gaming officials.  Ultimately it was determined that they accessed the machine lawfully and a motion to dismiss charges was granted.  

The Blackbaud Breach – Queen Data’s Revenge

Related: The Blackbaud Breach – Queen Data’s Revenge

So what about this case

In VanBuren the question is about terms of use.  Basically a person with authorization and authority to use a system did so, but outside of an official function.  Here a police officer, Nathan VanBuren, was in a dire situation and needed cash.  He chose to reach out to Andrew Albo, a local to Cumming, Georgia where VanBuren was an officer.  Mr. Ablo was well known to local police and the local sheriff’s department, and was also well known in the local area to work in the local prostitution racket.  When he heard from VanBuren he reached out to his old friends at the local sheriff’s department and let them know what was happening.

Albo then became part of a sting operation, where he would offer VanBuren help, in the amount of $6,000 dollars, in exchange for a simple favor.  All VanBuren had to do was look up a license plate number to see if the owner, who was known as a stripper, was also an undercover officer.  The FBI was now involved because of the use of the internet.  VanBuren had proper access, in his role as an officer, to look up license plates to gain information.  But he was limited to doing so in cases that were related to official work.  When VanBuren performed the search he was arrested for computer fraud under the CFAA, convicted, and sentenced to serve eighteen months in federal prison.  

At issue on appeal is the term of the CFAA that pertains to the specific language of the law about “exceeds authorized access” that applies to VanBuren, who had legal access to the Georgia Crime Information Center (GCIC) site, but went outside his bounds, or may did, depending on how SCOTUS rules.  There has been a split in various circuits about the clause, and in this case, while sympathetic to VanBuren, the Eleventh Circuit upheld their precedent that this clause meant VanBuren had committed a felony. 

So what does this SCOTUS case mean?

There are a number or reasons why the case has drawn attention.  First, there are some salacious details, not the least of which are the implications of hacking.  But also there have been arguments for and against the stance taken by the Eleventh Circuit, which continues the long split between courts.  One issue is the potential effect on trade secrets.  But when it comes to security there is a distinct issue.

As argued by the EFF, limiting use of computers and software to specific terms would create two pretty flagrant security issues.  The first is giving private companies in tech the control over who to prosecute and who not to prosecute, which would vastly expand their rights and limit the rights of the users.  Secondly this creates a near impossibility for pen testers and other security assessors, who often have authority from the owners of a package to hack, but attempts may be violative of the use of the software.  In that case it can create a huge new strain on security professionals. 

Either way this is a major case settling a split between court circuits, and the results are not receiving nearly the publicity they should.  Imagine an employee of a company working after hours and using software to look something up that they shouldn’t.  Now they face potential criminal liability, civil liability, and could even be facing prison time.  If it was an innocent mistake it could be devastating.

More importantly, in a time when we have pen testers being arrested, this adds a new layer of analysis and may put companies in the United States in a more vulnerable position.  We are reliant upon a SCOTUS that is far from tech literate and has to make a ruling with results well outside the case.  The conclusion is that this is a case to watch closely. For legal geeks we already were, but now this means so much more.  For anyone that wants to chat about this I’d love to connect.  

cybersecurity assessment

More Reading

feature image read more
The Best Cybersecurity Conferences to Attend in 2023
Continuing education is an important part of any career. It provides the opportunity to learn new skills, discuss upcoming trends and...
feature image read more
The Beginnings of BitLyft Cybersecurity
Twenty years ago. I can’t believe it, but that’s when I first started in the tech industry. It was actually 1996, just before the Y2K...
feature image read more
BC-ware: Protecting Your Business from Business Email Compromise (BEC)
Imagine this, you are the finance manager at a Fortune 500 company. You’re getting ready to head out for lunch and you receive an urgent...