Unauthorized Access to Computers

1
Unauthorized Access to Computers

• Sean B. Hoar
• sean.hoar_at_usdoj.gov
• 541-465-6792 (voice)
• 541-465-6840 (fax)

2
Readings . . .

• United States v. Morris, 928 F.2d 504 (2nd Cir.),
  cert. denied, 502 U.S. 817, 112 S.Ct. 72 (1991)
• United States v. Sablan, 92 F.3d 865 (9th Cir.
  1996)
• International Airports Centers L.L.C. v. Citrin,
  2005 U.S. Dist. Lexis 3905, 2005 WL 241463

3
United States Sentencing Guidelines

• Offense Level
• Base Offense Level
• Specific Offense Characteristics
• Cross References
• Aggravating/Mitigating Factors
• Acceptance of Responsibility
• Departures
• Total Offense Level
• Criminal History Category
• Applicable Advisory Sentencing Guideline Range

4
Prosecution guidelines (District of Oregon) for
fraud and other economic offenses

• Prosecution may be authorized where all of the
  elements of a federal criminal offense are
  present and there is a loss (or intended loss) of
  40,000 or more or other aggravating factors
  exist. The following aggravating factors may
  justify prosecution when the loss is less than
  40,000
• The defendant has a prior criminal record
• The offense involved more than one victim
• The offense was committed through mass marketing
• The offense involved misrepresentation that the
  defendant was acting on behalf of a charitable,
  educational, religious, or political organization
  or a government agency or
• The subject matter of the case involves a
  specific federal interest such as fraud against
  an Indian Tribe, health care fraud, bankruptcy
  fraud, fraud involving protected computers, or
  fraud against a federally-insured financial
  institution.
• The above aggravating factors need not all be
  present and there may be other factors which
  justify prosecution on a case-by-case basis.

5
Text of 18 U.S.C. 1030(a)(1) -- Obtaining
information by computer injurious to USA

• (a) Whoever--
• (1) having knowingly accessed a computer without
  authorization or exceeding authorized access, and
  by means of such conduct having obtained
  information that has been determined by the
  United States Government pursuant to an Executive
  order or statute to require protection against
  unauthorized disclosure for reasons of national
  defense or foreign relations, or any restricted
  data, as defined in . . . the Atomic Energy Act
  of 1954, with reason to believe that such
  information so obtained could be used to the
  injury of the United States, or to the advantage
  of any foreign nation willfully communicates,
  delivers, transmits, or causes to be
  communicated, delivered, or transmitted, or
  attempts to communicate, deliver, transmit or
  cause to be communicated, delivered, or
  transmitted the same to any person not entitled
  to receive it, or willfully retains the same and
  fails to deliver it to the officer or employee of
  the United States entitled to receive it
• Shall be punished as provided in subsection (c)
  of this section.

6
Statutory penalties for 18 U.S.C. 1030(a)(1)
Obtaining information by computer --
injurious to USA

• a fine of 250,000 or imprisonment for not more
  than ten years, or both, in the case of a first
  offense under section 1030
• a fine of 250,000 or imprisonment for not more
  than twenty years, or both, in the case of an
  offense that occurs after a prior conviction
  under section 1030.

7
Elements of 18 U.S.C. 1030(a)(1) Obtaining
information by computer -- injurious to USA

• First, the defendant knowingly accessed without
  authorization exceeded authorized access to a
  computer
• Second, by accessing without authorization
  exceeding authorized access to a computer, the
  defendant obtained information that had been
  determined by the United States Government to
  require protection against disclosure for reasons
  of national defense or foreign relations data
  regarding the design, manufacture or use of
  atomic weapons

8
Elements of 18 U.S.C. 1030(a)(1) Obtaining
information by computer -- injurious to USA

• Third, the defendant acted with the intent or
  reason to believe that the information or data
  obtained could be used to the injury of the
  United States or to the benefit of a foreign
  nation and
• Fourth, the defendant willfully caused to be
  communicated delivered transmitted to any
  person not entitled to receive it retained and
  failed to deliver to an officer or employee of
  the United States entitled to receive it such
  information or data.

9
Statutory penalties for 18 U.S.C. 1030(a)(1)
Obtaining information by computer -- injurious to
USA

• a fine of 250,000 or imprisonment for not more
  than ten years, or both, in the case of an
  offense under subsection (a)(1) which is a first
  offense under section 1030
• a fine of 250,000 or imprisonment for not more
  than twenty years, or both, if the offense under
  subsection (a)(1) occurs after a prior conviction
  for an offense under section 1030.

10
Sentencing guidelines for 18 U.S.C. 1030(a)(1)

• 2M3.2. Gathering National Defense Information
• (a) Base Offense Level
• (1) 35, if top secret information was gathered
  or
• (2) 30, otherwise.

11
Text of 18 U.S.C. 1030(a)(2) Obtaining
information by computer from financial
institution or government computer

• (a) Whoever
• (2) intentionally accesses a computer without
  authorization or exceeds authorized access, and
  thereby obtains--
• (A) information contained in a financial record
  of a (federally insured) financial institution,
  or of a card issuer as defined in section 1602(n)
  of title 15, or contained in a file of a consumer
  reporting agency on a consumer, as such terms are
  defined in the Fair Credit Reporting Act (15
  U.S.C. 1681 et seq.)
• (B) information from any department or agency of
  the United States or
• (C) information from any protected computer if
  the conduct involved an interstate or foreign
  communication
• Shall be punished as provided in subsection (c)
  of this section.

12
Definition of protected computer

• 18 U.S.C. 1030(e)(2) the term "protected
  computer" means a computer-
• (A) exclusively for the use of a federally
  insured financial institution or the United
  States government, or, in the case of a computer
  not exclusively for such use, used by or for a
  federally insured financial institution or the
  United States government and the conduct
  constituting the offense affects that use by or
  for the financial institution or the government
  or
• (B) which is used in interstate or foreign
  commerce or communication, including a computer
  located outside the United States that is used in
  a manner that affects interstate or foreign
  commerce or communication of the United States

13
Statutory penalties for 18 U.S.C. 1030(a)(2)
Obtaining information by computer --

• a fine of 250,000 or imprisonment for not more
  than one year, or both, in the case of an offense
  under subsection (a)(2) which is a first offense
  section 1030
• a fine of 250,000 or imprisonment for not more
  than 5 years, or both, in the case of an offense
  under subsection (a)(2), or an attempt to commit
  an offense punishable under this subparagraph,
  if
• (i) the offense was committed for purposes of
  commercial advantage or private financial gain
• (ii) the offense was committed in furtherance of
  any criminal or tortious act in violation of the
  Constitution or laws of the United States or of
  any State or
• (iii) the value of the information obtained
  exceeds 5,000
• a fine of 250,000 or imprisonment for not more
  than ten years, or both, in the case of an
  offense under subsection (a)(2), which occurs
  after a prior conviction under section 1030.

14
Elements of 18 U.S.C. 1030(a)(2)(A) (B)
Obtaining information by computer from
financial institution or government computer

• First, the defendant intentionally accessed
  without authorization or exceeded authorized
  access to a computer and
• Second, by accessing without authorization or
  exceeding authorized access to a computer, the
  defendant obtained information (1) contained in a
  record of a federally insured financial
  institution or credit card issuer or (2)
  contained in a file of consumer reporting agency
  on a consumer or (3) from any department or
  agency of the United States.

15
Elements of 18 U.S.C. 1030(a)(2)(C) Obtaining
information by computer from protected computer

• First, the defendant intentionally accessed
  without authorization exceeded authorized
  access to a computer
• Second, the defendants access of that computer
  involved an interstate or foreign communication
  and
• Third, by accessing without authorization
  exceeding authorized access to a computer, the
  defendant obtained information from a computer
  exclusively for the use of a federally insured
  financial institution or the United States
  Government not exclusively for the use of a
  federally insured financial institution or the
  United States Government, but the defendants
  conduct affected the computers use by or for the
  financial institution or government used in
  interstate or foreign commerce or communication.

16
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• U.S.S.G. 2B1.1. Larceny, Embezzlement, and
  Other Forms of Theft Offenses Involving Stolen
  Property Property Damage or Destruction Fraud
  and Deceit Forgery Offenses Involving Altered
  or Counterfeit Instruments Other than Counterfeit
  Bearer Obligations of the United States
• (a)(2) Base Offense Level 6

17
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

18
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics -- multiple victim enhancement
• (2) (Apply the greater) If the offense
• (A)(i) involved more than 10, but less than 50,
  victims or (ii) was committed through
  mass-marketing, increase by 2 levels or
• (B) involved 50 or more victims, increase by 4
  levels
• (C) involved 250 or more victims, increase by 6
  levels.
• Victim means any person who sustained any part
  of the actual loss. Person includes
  individuals, corporations, companies, etc.

19
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• U.S.S.G. 2B1.1(b)(12) (Apply the greater) If
• (A) the defendant derived more than 1,000,000 in
  gross receipts from one or more financial
  institutions as a result of the offense, increase
  by 2 levels or
• (B) the offense substantially jeopardized the
  safety and soundness of a financial institution,
  increase by 4 levels.
• If the resulting offense level determined under
  subdivision (A) or (B) is less than level 24,
  increase to level 24.

20
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• (13) (A) (Apply the greatest) If the defendant
  was convicted of an offense under
• (i) 18 U.S.C.  1030, and the offense involved
  (I) a computer system used to maintain or operate
  a critical infrastructure, or used by or for a
  government entity in furtherance of the
  administration of justice, national defense, or
  national security or (II) an intent to obtain
  personal information, increase by 2 levels.
• (ii) 18 U.S.C.  1030(a)(5)(A)(i), increase by 4
  levels.
• (iii) 18 U.S.C. 1030, and the offense caused a
  substantial disruption of a critical
  infrastructure, increase by 6 levels.
• (B) If subdivision (A)(iii) applies, and the
  offense level is less than level 24, increase to
  level 24.

21
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• 3B1.1. Aggravating Role -- Based on the
  defendants role in the offense, increase the
  offense level as follows
• (a) If the defendant was an organizer or leader
  of a criminal activity that involved five or more
  participants or was otherwise extensive, increase
  by 4 levels.
• (b) If the defendant was a manager or supervisor
  (but not an organizer or leader) and the criminal
  activity involved five or more participants or
  was otherwise extensive, increase by 3 levels.
• (c) If the defendant was an organizer, leader,
  manager, or supervisor in any criminal activity
  other than described in (a) or (b), increase by 2
  levels.

22
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• 3B1.2. Mitigating Role -- Based on the
  defendants role in the offense, decrease the
  offense level as follows
• (a) If the defendant was a minimal participant in
  any criminal activity, decrease by 4 levels.
• (b) If the defendant was a minor participant in
  any criminal activity, decrease by 2 levels.
• In cases falling between (a) and (b), decrease by
  3 levels.

23
Sentencing guidelines for 18 U.S.C. 1030(a)(2)
Obtaining information by computer

• 3B1.3. Abuse of Position of Trust or Use of
  Special Skill --
• If the defendant abused a position of public or
  private trust, or used a special skill, in a
  manner that significantly facilitated the
  commission or concealment of the offense,
  increase by 2 levels. This adjustment may not be
  employed if an abuse of trust or skill is
  included in the base offense level or specific
  offense characteristic. If this adjustment is
  based upon an abuse of a position of trust, it
  may be employed in addition to an adjustment
  under 3B1.1 (Aggravating Role) if this
  adjustment is based solely on the use of a
  special skill, it may not be employed in addition
  to an adjustment under 3B1.1 (Aggravating Role).

24
Text of 18 U.S.C. 1030(a)(3) Unlawfully
accessing non-public computer used by the
government

• (a) Whoever
• (3) intentionally, without authorization to
  access any nonpublic computer of a department or
  agency of the United States, accesses such a
  computer of that department or agency that is
  exclusively for the use of the Government of the
  United States or, in the case of a computer not
  exclusively for such use, is used by or for the
  Government of the United States and such conduct
  affects that use by or for the Government of the
  United States
• Shall be punished as provided in subsection (c)
  of this section.

25
Penalties for 18 U.S.C. 1030(a)(3) Unlawfully
accessing non-public computer used by the
government

• a 250,000 fine or imprisonment for not more than
  one year, or both, in the case of an offense
  under subsection (a)(3) which is a first offense
  under section 1030
• a 250,000 fine or imprisonment for not more than
  ten years, or both, in the case of an offense
  under subsection (a)(3) which occurs after a
  prior conviction under section 1030.

26
Elements of of 18 U.S.C. 1030(a)(3) Unlawfully
accessing non-public computer used by the
government

• First, the defendant intentionally accessed any
  nonpublic computer of department or agency of
  the United States
• Second, the defendant lacked authorization to
  access any nonpublic computer of that department
  or agency and
• Third, the computer accessed by the defendant
  was exclusively for the use of the Government of
  the United States was used non-exclusively by
  or for the Government of the United States, but
  the defendants conduct affected that computers
  use by or for the Government of the United
  States.

27
Sentencing guidelines for 18 U.S.C. 1030(a)(3)
Unlawfully accessing non-public computer used by
the government

• 2B2.3. Trespass
• (a) Base Offense Level 4
• (b) Specific Offense Characteristics
• (1) If the trespass occurred (A) at a secured
  government facility (B) at a nuclear energy
  facility (C) on a vessel or aircraft of the
  United States (D) in a secured area of an
  airport or (E) at a residence, increase by 2
  levels.
• (2) If a dangerous weapon (including a firearm)
  was possessed, increase by 2 levels.
• (3) If (A) the offense involved invasion of a
  protected computer and (B) the loss resulting
  from the invasion (i) exceeded 2,000 but did not
  exceed 5,000, increase by 1 level or (ii)
  exceeded 5,000, increase by the number of levels
  from the table in 2B1.1 (Theft, Property
  Destruction, and Fraud) corresponding to that
  amount.
• (c) Cross Reference
• (1) If the offense was committed with the intent
  to commit a felony offense, apply 2X1.1
  (Attempt, Solicitation, or Conspiracy) in respect
  to that felony offense, if the resulting offense
  level is greater than that determined above.

28
Sentencing guidelines for 18 U.S.C. 1030(a)(3)
Unlawfully accessing non-public computer used by
the government

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

29
Text of 18 U.S.C. 1030(a)(4) Computer fraud
use of protected computer

• (a) Whoever
• (4) knowingly and with intent to defraud,
  accesses a protected computer without
  authorization, or exceeds authorized access, and
  by means of such conduct furthers the intended
  fraud and obtains anything of value, unless the
  object of the fraud and the thing obtained
  consists only of the use of the computer and the
  value of such use is not more than 5,000 in any
  1-year period
• Shall be punished as provided in subsection (c)
  of this section.

30
Penalties for18 U.S.C. 1030(a)(4) Computer fraud
use of protected computer

• a 250,000 fine or imprisonment for not more than
  five years, or both, in the case of an offense
  under subsection (a)(4) which is a first offense
  under section 1030
• a 250,000 fine or imprisonment for not more than
  ten years, or both, in the case of an offense
  under subsection (a)(4) which occurs after a
  prior conviction under section 1030.

31
Elements of 18 U.S.C. 1030(a)(4) Computer fraud
use of protected computer

• First, the defendant knowingly accessed without
  authorization exceeded authorized access to a
  computer that was exclusively for the use of a
  federally insured financial institution or the
  United States Government that was not
  exclusively used by a federally insured financial
  institution or the United States Government, but
  the defendants conduct affected the computers
  use by or for the financial institution or
  government used in interstate or foreign
  commerce or communication
• Second, the defendant did so with the intent to
  defraud
• Third, by accessing the computer without
  authorization exceeding authorized access to
  the computer the defendant furthered the fraud
  and
• Fourth, the defendant by accessing the computer
  without authorization exceeding authorized
  access to the computer obtained anything of
  value.

32
Sentencing guidelines for 18 U.S.C. 1030(a)(4)
Computer fraud use of a protected computer

• U.S.S.G. 2B1.1. Larceny, Embezzlement, and Other
  Forms of Theft Offenses Involving Stolen
  Property Property Damage or Destruction Fraud
  and Deceit Forgery Offenses Involving Altered
  or Counterfeit Instruments Other than Counterfeit
  Bearer Obligations of the United States
• (a)(2) Base Offense Level 6

33
Sentencing guidelines for 18 U.S.C. 1030(a)(4)
Computer fraud use of a protected computer

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

34
Sentencing guidelines for 18 U.S.C. 1030(a)(4)
Computer fraud use of a protected computer

• (13) (A) (Apply the greatest) If the defendant
  was convicted of an offense under
• (i) 18 U.S.C.  1030, and the offense involved
  (I) a computer system used to maintain or operate
  a critical infrastructure, or used by or for a
  government entity in furtherance of the
  administration of justice, national defense, or
  national security or (II) an intent to obtain
  personal information, increase by 2 levels.
• (ii) 18 U.S.C.  1030(a)(5)(A)(i), increase by 4
  levels.
• (iii) 18 U.S.C. 1030, and the offense caused a
  substantial disruption of a critical
  infrastructure, increase by 6 levels.
• (B) If subdivision (A)(iii) applies, and the
  offense level is less than level 24, increase to
  level 24.

35
Sentencing guidelines for 18 U.S.C. 1030(a)(4)
Computer fraud use of a protected computer

• Other specific offense characteristics?
• Multiple victim enhancement?
• Sophisticated means enhancement?
• Any role adjustments?
• Abuse of trust?

36
Text of 18 U.S.C. 1030(a)(5) Damage to a
protected computer

• (a) Whoever
• (5)(A)
• (i) knowingly causes the transmission of a
  program, information, code, or command, and as a
  result of such conduct, intentionally causes
  damage without authorization, to a protected
  computer
• (ii) intentionally accesses a protected computer
  without authorization, and as a result of such
  conduct, recklessly causes damage or
• (iii) intentionally accesses a protected computer
  without authorization, and as a result of such
  conduct, causes damage and

37
Text of 18 U.S.C. 1030(a)(5) Damage to a
protected computer

• (B) by conduct described in clause (i), (ii), or
  (iii) of subparagraph (A), caused (or, in the
  case of an attempted offense, would, if
  completed, have caused)--
• (i) loss to 1 or more persons during any 1-year
  period (and, for purposes of an investigation,
  prosecution, or other proceeding brought by the
  United States only, loss resulting from a related
  course of conduct affecting 1 or more other
  protected computers) aggregating at least 5,000
  in value
• (ii) the modification or impairment, or potential
  modification or impairment, of the medical
  examination, diagnosis, treatment, or care of 1
  or more individuals
• (iii) physical injury to any person
• (iv) a threat to public health or safety or
• (v) damage affecting a computer system used by or
  for a government entity in furtherance of the
  administration of justice, national defense, or
  national security
• Shall be punished as provided in subsection (c)
  of this section.

38
Definition of damage and loss

• 18 U.S.C. 1030(e)(8) provides that the term
  damage means any impairment to the integrity or
  availability of data, a program, a system, or
  information
• 18 U.S.C. 1030(e)(11) provides that the term
  "loss" means any reasonable cost to any victim,
  including the cost of responding to an offense,
  conducting a damage assessment, and restoring the
  data, program, system, or information to its
  condition prior to the offense, and any revenue
  lost, cost incurred, or other consequential
  damages incurred because of interruption of
  service

39
Text of 18 U.S.C. 1030(a)(5)(A)(i) Intentional
damage to a protected computer

• (a) Whoever
• (5)(A)
• (i) knowingly causes the transmission of a
  program, information, code, or command, and as a
  result of such conduct, intentionally causes
  damage without authorization, to a protected
  computer
• Shall be punished as provided in subsection (c)
  of this section.

40
Penalties for 18 U.S.C. 1030(a)(5)(A)(i)
Intentional damage to a protected computer

• a 250,000 fine, imprisonment for not more than
  10 years, or both, in the case of an offense
  under subsection (a)(5)(A)(i) which is a first
  offense under section 1030
• a 250,000 fine, imprisonment for not more than
  20 years, or both, in the case of an offense
  under subsection (a)(5)(A)(i) which occurs after
  a prior conviction under section 1030.

41
Penalties for 18 U.S.C. 1030(a)(5)(A)(i)
Intentional damage to a protected computer

• (c)(5)(A) -- if the offender knowingly or
  recklessly causes or attempts to cause serious
  bodily injury from conduct in violation of
  subsection (a)(5)(A)(i), a fine under this title
  or imprisonment for not more than 20 years, or
  both and
• (c)(5)(B) -- if the offender knowingly or
  recklessly causes or attempts to cause death from
  conduct in violation of subsection (a)(5)(A)(i),
  a fine under this title or imprisonment for any
  term of years or for life, or both.

42
Elements of 18 U.S.C. 1030(a)(5)(A)(i)
Intentional damage to a protected computer

• First, the defendant knowingly caused the
  transmission of a program a code a command
  information to a computer without
  authorization
• Second, as a result of the transmission, the
  defendant intentionally impaired the integrity
  availability of data a program a system
  information
• Third, the impairment of the data program
  system information resulted in losses to one
  or more individuals totaling at least 5,000 in
  value at any time during a one-year period
  modification or impairment or potential
  modification or impairment of one or more
  individual's medical examination, diagnosis,
  treatment or care physical injury to any
  person a threat to public health or safety
  and
• Fourth, the computer damaged was used
  exclusively by a financial institution or the
  United States government used in interstate or
  foreign commerce or communication not used
  exclusively by a financial institution or the
  United States government, but the defendant's
  transmission affected the computer's use by or
  for a financial institution or the United States
  government.

43
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(i) Intentional damage to a
protected computer

• U.S.S.G. 2B1.1. Larceny, Embezzlement, and Other
  Forms of Theft Offenses Involving Stolen
  Property Property Damage or Destruction Fraud
  and Deceit Forgery Offenses Involving Altered
  or Counterfeit Instruments Other than Counterfeit
  Bearer Obligations of the United States
• (a)(2) Base Offense Level 6

44
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(i) Intentional damage to a
protected computer

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

45
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(i) Intentional damage to a
protected computer

• (13) (A) (Apply the greatest) If the defendant
  was convicted of an offense under
• (i) 18 U.S.C.  1030, and the offense involved
  (I) a computer system used to maintain or operate
  a critical infrastructure, or used by or for a
  government entity in furtherance of the
  administration of justice, national defense, or
  national security or (II) an intent to obtain
  personal information, increase by 2 levels.
• (ii) 18 U.S.C.  1030(a)(5)(A)(i), increase by 4
  levels.
• (iii) 18 U.S.C. 1030, and the offense caused a
  substantial disruption of a critical
  infrastructure, increase by 6 levels.
• (B) If subdivision (A)(iii) applies, and the
  offense level is less than level 24, increase to
  level 24.

46
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(i) Intentional damage to a
protected computer

• Other specific offense characteristics?
• Multiple victim enhancement?
• Sophisticated means enhancement?
• Any role adjustments?
• Abuse of trust?

47
Text of 18 U.S.C. 1030(a)(5)(A)(ii) Reckless
damage to a protected computer

• (a) Whoever
• (5)(A)
• (ii) intentionally accesses a protected computer
  without authorization, and as a result of such
  conduct, recklessly causes damage
• Shall be punished as provided in subsection (c)
  of this section.

48
Penalties for 18 U.S.C. 1030(a)(5)(A)(ii)
Reckless damage to a protected computer

• a 250,000 fine, imprisonment for not more than 5
  years, or both, in the case of an offense under
  subsection (a)(5)(A)(ii) which is a first offense
  under section 1030
• a 250,000 fine, imprisonment for not more than
  20 years, or both, in the case of an offense
  under subsection (a)(5)(A)(ii) which occurs after
  a prior conviction under section 1030.

49
Elements of 18 U.S.C. 1030(a)(5)(A)(ii) Reckless
damage to a protected computer

• First, the defendant intentionally accessed a
  computer without authorization
• Second, as a result of the defendant's access,
  the defendant recklessly impaired the integrity
  availability of data program a system
  information
• Third, the impairment of the data program
  system information resulted in losses to one
  or more individuals totaling at least 5,000 in
  value at any time during a one-year period
  modification or impairment or potential
  modification or impairment of one or more
  individual's medical examination, diagnosis,
  treatment or care physical injury to any
  person a threat to public health or safety
  and
• Fourth, the computer damaged was used
  exclusively by a financial institution or the
  United States government used in interstate or
  foreign commerce or communication not used
  exclusively by a financial institution or the
  United States government, but the defendant's
  access affected the computer's use by or for a
  financial institution or the United States
  government.

50
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(ii) Reckless damage to a protected
computer

• U.S.S.G. 2B1.1. Larceny, Embezzlement, and Other
  Forms of Theft Offenses Involving Stolen
  Property Property Damage or Destruction Fraud
  and Deceit Forgery Offenses Involving Altered
  or Counterfeit Instruments Other than Counterfeit
  Bearer Obligations of the United States
• (a)(2) Base Offense Level 6

51
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(ii) Reckless damage to a protected
computer

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

52
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(ii) Reckless damage to a protected
computer

• Other specific offense characteristics?
• Multiple victim enhancement?
• Sophisticated means enhancement?
• 1030 enhancement?
• Any role adjustments?
• Abuse of trust?

53
Text of 18 U.S.C. 1030(a)(5)(A)(iii) Negligent
or accidental damage to a protected computer

• (a) Whoever
• (5)(A)
• (iii) intentionally accesses a protected computer
  without authorization, and as a result of such
  conduct, causes damage
• Shall be punished as provided in subsection (c)
  of this section.

54
Penalties for 18 U.S.C. 1030(a)(5)(A)(iii)
Negligent or accidental damage to a protected
computer

• a 250,000 fine or imprisonment for not more than
  one year, or both, in the case of an offense
  under subsection (a)(5)(A)(iii), if the offense
  is a first offense under section 1030
• a 250,000 fine or imprisonment for not more than
  ten years, or both, in the case of an offense
  under subsection (a)(5)(A)(iii) which occurs
  after a prior conviction under section 1030.

55
Elements of 18 U.S.C. 1030(a)(5)(A)(iii)
Negligent or accidental damage to a protected
computer

• First, the defendant intentionally accessed a
  computer without authorization
• Second, as a result of the defendant's access,
  the defendant caused the impairment of the
  integrity availability of data program a
  systeminformation
• Third, the impairment of the data program
  system information resulted in losses to one
  or more individuals totaling at least 5,000 in
  value at any time during a one-year period
  modification or impairment or potential
  modification or impairment of one or more
  individual's medical examination, diagnosis,
  treatment or care physical injury to any
  person a threat to public health or safety
  and
• Fourth, the computer damaged was used
  exclusively by a financial institution or the
  United States government used in interstate or
  foreign commerce or communication not used
  exclusively by a financial institution or the
  United States government, but the defendant's
  access affected the computer's use by or for a
  financial institution or the United States
  government.

56
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(iii) Negligent or accidental damage
to a protected computer

• U.S.S.G. 2B1.1. Larceny, Embezzlement, and Other
  Forms of Theft Offenses Involving Stolen
  Property Property Damage or Destruction Fraud
  and Deceit Forgery Offenses Involving Altered
  or Counterfeit Instruments Other than Counterfeit
  Bearer Obligations of the United States
• (a)(2) Base Offense Level 6

57
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(iii) Negligent or accidental damage
to a protected computer

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

58
Sentencing guidelines for 18 U.S.C.
1030(a)(5)(A)(iii) Negligent or accidental damage
to a protected computer

• Other specific offense characteristics?
• Multiple victim enhancement?
• Sophisticated means enhancement?
• 1030 enhancement?
• Any role adjustments?
• Abuse of trust?

59
Text of 18 U.S.C. 1030(a)(6)(A) (B)
Trafficking in passwords

• (a) Whoever
• (6) knowingly and with intent to defraud traffics
  (as defined in section 1029) in any password or
  similar information through which a computer may
  be accessed without authorization, if--
• (A) such trafficking affects interstate or
  foreign commerce or
• (B) such computer is used by or for the
  Government of the United States
• Shall be punished as provided in subsection (c)
  of this section.

60
Penalties for 18 U.S.C. 1030(a)(6)(A) (B)
Trafficking in passwords

• a 250,000 fine or imprisonment for not more than
  one year, or both, in the case of an offense
  under subsection (a)(6), if the offense is a
  first offense under section 1030
• a 250,000 fine or imprisonment for not more than
  ten years, or both, in the case of an offense
  under subsection (a)(6) which occurs after a
  prior conviction under section 1030.

61
Elements of 18 U.S.C. 1030(a)(6)(A) (B)
Trafficking in passwords

• First, the defendant knowingly transferred to
  another disposed of to another and/or
  obtained control of with intent to transfer or
  dispose of a passwords or similar
  information through which a computer may be
  accessed without authorization
• Second, the defendant acted with the intent to
  defraud and
• Third, the defendant's conduct in some way
  affected commerce between one state and another
  states or between a state or the United States
  and a foreign country or the computer was
  used by or for the government of the United
  States.

62
Sentencing guidelines for 18 U.S.C. 1030(a)(6)(A)
(B) Trafficking in passwords

• U.S.S.G. 2B1.1. Larceny, Embezzlement, and Other
  Forms of Theft Offenses Involving Stolen
  Property Property Damage or Destruction Fraud
  and Deceit Forgery Offenses Involving Altered
  or Counterfeit Instruments Other than Counterfeit
  Bearer Obligations of the United States
• (a)(2) Base Offense Level 6

63
Sentencing guidelines for 18 U.S.C. 1030(a)(6)(A)
(B) Trafficking in passwords

• U.S.S.G. 2B1.1(b) Specific Offense
  Characteristics
• (1) If the loss exceeded 5,000, increase the
  offense level as follows
• Loss (Apply the Greatest) Increase in Level
• (A) 5,000 or less no increase
• (B) More than 5,000 add 2
• (C) More than 10,000 add 4
• (D) More than 30,000 add 6
• (E) More than 70,000 add 8
• (F) More than 120,000 add 10
  
• (G) More than 200,000 add 12
• (H) More than 400,000 add 14
• (I) More than 1,000,000 add 16
• (J) More than 2,500,000 add 18
• (K) More than 7,000,000 add 20
• (L) More than 20,000,000 add 22
• (M) More than 50,000,000 add 24
• (N) More than 100,000,000 add 26.

64
Sentencing guidelines for 18 U.S.C. 1030(a)(6)(A)
(B) Trafficking in passwords

• Other specific offense characteristics?
• Multiple victim enhancement?
• Sophisticated means enhancement?
• 1030 enhancement?
• Any role adjustments?
• Abuse of trust?

65
Text of 18 U.S.C. 1030(a)(7) Threatening to
damage a computer

• (a) Whoever
• (7) with intent to extort from any person any
  money or other thing of value, transmits in
  interstate or foreign commerce any communication
  containing any threat to cause damage to a
  protected computer
• shall be punished as provided in subsection (c)
  of this section.

66
Penalties for 18 U.S.C. 1030(a)(7) Threatening
to damage a computer

• a 250,000 fine or imprisonment for not more than
  five (5) years, or both, in the case of an
  offense under subsection (a)(7), if the offense
  is a first offense under section 1030
• a 250,000 fine or imprisonment for not more than
  ten years, or both, in the case of an offense
  under subsection (a)(7) which occurs after a
  prior conviction under section 1030.

67
Elements of 18 U.S.C. 1030(a)(7) Threatening to
damage a computer

• First, the defendant transmitted in interstate or
  foreign commerce a communication containing any
  threat to cause damage to a computer
• Second, the defendant threatened to damage a
  computer that was used exclusively by a
  financial institution or the United States
  government used in interstate or foreign
  commerce or communication not used exclusively
  by a financial institution or the United States
  government, but the defendant's transmission
  affected the computer's use by or for a financial
  institution or the United States government and
• Third, the defendant acted with intent to extort
  money or any other thing of value from any
  person, firm, association, educational
  institution, financial institution, government
  entity or other legal entity.

68
Sentencing guidelines for 18 U.S.C. 1030(a)(7)
Threatening to damage a computer

• 2B3.2. Extortion by Force or Threat of Injury or
  Serious Damage
• (a) Base Offense Level 18
• (b) Specific Offense Characteristics
• (1) If the offense involved an express or implied
  threat of death, bodily injury, or kidnapping,
  increase by 2 levels.
• (2) If the greater of the amount demanded or the
  loss to the victim exceeded 10,000, increase by
  the corresponding number of levels from the table
  in 2B3.1(b)(7).

69
Sentencing guidelines for 18 U.S.C. 1030(a)(7)
Threatening to damage a computer

• U.S.S.G. 2B3.2 (b)(3)(B) If (i) the offense
  involved preparation to carry out a threat of (I)
  death (II) serious bodily injury (III)
  kidnapping (IV) product tampering or (V) damage
  to a computer system used to maintain or operate
  a critical infrastructure, or by or for a
  government entity in furtherance of the
  administration of justice, national defense, or
  national security or (ii) the participant(s)
  otherwise demonstrated the ability to carry out a
  threat described in any of subdivisions (i)(I)
  through (i)(V), increase by 3 levels.

70
18 U.S.C. 1030 Attempt provision

• (b) Whoever attempts to commit an offense under
  subsection (a) of this section shall be punished
  as provided in subsection (c) of this section.

71
Forfeiture for 18 U.S.C. 1030 offenses

• 18 U.S.C. 982 provides that in imposing a
  sentence on a person conviction of a 1030
  offense, the court shall order that the person
  forfeit to the United States any property
  constituting, or derived from, proceeds the
  person obtained directly or indirectly, as the
  result of such an offense.

72
Questions?
73
Unauthorized Access to Computers

• Sean B. Hoar
• sean.hoar_at_usdoj.gov
• 541-465-6792 (voice)
• 541-465-6840 (fax)