Protected computer

From HORSE - Holistic Operational Readiness Security Evaluation.

"Protected computer" is a term used in Title 18, Section 1030 of the United States Code (the Computer Fraud and Abuse Act), which prohibits a number of different kinds of conduct, generally involving unauthorized access to, or damage to the data stored on, "protected computers". The statute, as amended by the National Information Infrastructure Protection Act of 1996, defines "protected computers" (formerly known as "federal interest computers") as:

a computer—

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

The law prohibits the unauthorized obtaining of "information from any protected computer if the conduct involved an interstate or foreign communication," and makes it a felony to intentionally transmit malware to a protected computer if more than $5000 in damage (such as to the integrity of data) were to result.

Scope

The U.S. Justice Department explains:

In the 1994 amendments (of the National Information Infrastructure Act), the reach of this subsection (E. Subsection 1030(a)(5)) was broadened by replacing the term "federal interest computer" with the term "computer used in interstate commerce or communications." The latter term is broader because the old definition of "federal interest computer" in 18 U.S.C. § 1030(e)(2)(B) covered a computer "which is one of two or more computers used in committing the offense, not all of which are located in the same State." This meant that a hacker who attacked other computers in the same state was not subject to federal jurisdiction, even when these actions may have severely affected interstate or foreign commerce. For example, individuals who attack telephone switches may disrupt interstate and foreign calls. The 1994 change remedied that defect.

However, the definition of federal interest computer actually covered more than simply interstate activity. More specifically, 18 U.S.C. § 1030(e)(2)(A) covered, generically, computers belonging to the United States Government or financial institutions, or those used by such entities on a non-exclusive basis if the conduct constituting the offense affected the Government's operation or the financial institution's operation of such computer. By changing § 1030(a)(5) from "federal interest computer" to "computer used in interstate commerce or communications," Congress may have inadvertently eliminated federal protection for those government and financial institution computers not used in interstate communications. For example, the integrity and availability of classified information contained in an intrastate local area network may not have been protected under the 1994 version of 18 U.S.C. § 1030(a)(5), although its confidentiality continued to be protected under 18 U.S.C. § 1030(a)(1). To remedy this situation in the 1996 Act, 18 U.S.C. § 1030(a)(5) was redrafted to cover any "protected computer," a new term defined in § 1030(e)(2) and used throughout the new statute--in § 1030(a)(5), as well as in §§ 1030(a)(2), (a)(4), and the new (a)(7). The definition of "protected computer" includes government computers, financial institution computers, and any computer "which is used in interstate or foreign commerce or communications."

This broad definition addresses the original concerns regarding intrastate "phone phreakers" (i.e., hackers who penetrate telecommunications computers). It also specifically includes those computers used in "foreign" communications. With the continually expanding global information infrastructure, with numerous instances of international hacking, and with the growing possibility of increased global industrial espionage, it is important that the United States have jurisdiction over international computer crime cases. Arguably, the old definition of "federal interest computer" contained in 18 U.S.C. § 1030(e)(2) conferred such jurisdiction because the requirement that the computers used in committing the offense not all be located in the same state might be satisfied if one computer were located overseas. As a general rule, however, Congress's laws have been presumed to be domestic in scope only, absent a specific grant of extraterritorial jurisdiction. E.E.O.C. v. Arabian American Oil Co., 499 U.S. 244 (1991). To ensure clarity, the statute was amended to reference international communications explicitly.
