Abstract
The U.S. Attorney General established a Cyber-Digital Task Force within the Department of Justice (DOJ) in February 2018. This newly created task force released its first public report on July 19, 2018. Then–Attorney General Jeff Sessions announced the release of the report, while promising that “[a]t the Department of Justice, we take these threats seriously.” The report was designed to answer the following question: “How is the Department [of Justice] responding to cyber threats?” The report begins by discussing the threat of foreign influence operations, described by the Task Force as “one of the most pressing cyber-enabled threats our Nation faces.” Specifically, the Task Force focuses on the dangerous threat of Russia to U.S. elections.
After detailing the scope of this and other threats, the Task Force outlines the key prosecutorial tools available to the DOJ in combating cyberattacks. The first tool, which this Note will discuss at length, is the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030. The CFAA falls at the top of the Task Force’s list because, as it mentions, “[the CFAA] remains the . . . principal tool for prosecuting computer crimes.” Many other scholars have described the CFAA as the cornerstone of computer fraud litigation. The Task Force provides a simple definition of the CFAA, explaining how it “gives the owners of computers the right to control who may access their computers, take information from them, change how the computers work, or delete information on them.”
Later in the report, after emphasizing Russian interference with elections as the principal cyberthreat and the CFAA as the principal prosecution tool, the Task Force asserts that “[the CFAA] currently does not prohibit the act of hacking a voting machine in many common situations.” The Task Force plainly states that “the CFAA only prohibits hacking computers that are connected to the Internet (or that meet other narrow criteria for protection).” However, the text of the CFAA does not explicitly require that hacked computers be connected to the internet, nor have the courts interpreted this as a requirement of the CFAA. Though most of Russia’s known cyberthreats have not been aimed directly at the voting machine devices themselves, the Task Force’s assertion still raises a big question: Does the CFAA only apply to internet-connected devices?
This Note seeks to answer that question, ultimately concluding that internet connection is not required for a computer to reach protected status under the CFAA. Part I of this Note describes the background of the CFAA, specifically detailing the types of crime it was meant to punish, its definition of “computer,” and its definition of “protected computer” (which builds on the definition of “computer” by providing the jurisdictional hook). Part II moves away from the Act’s legislative history and discusses how courts have interpreted the CFAA over time. Part III applies the CFAA to the hacking of a voting machine (assumed to be without internet). Here, a voting machine is used as the vehicle for the analysis but much of the reasoning could apply to other non-internet-connected devices. Part III argues that the hacking of a voting machine is certainly within the current-day scope of crimes meant to be punished by the CFAA, that voting machines fall within the Act’s definition of “computer,” and that voting machines probably fall within the definition of “protected computer.” From there, the Conclusion explains why an amendment to expressly add voting machines to the definition of the CFAA would not be the best solution (especially since they are likely already protected). The Conclusion then analyzes the risks of the continuing expansion of the CFAA’s scope and addresses the relative potential of Russia’s cyberthreats to voting machines compared to their other election-related cyberthreats.
Recommended Citation
Jack Dahm,
No Internet Does Not Mean No Protection Under the CFAA: Why Voting Machines Should Be Covered Under 18 U.S.C. § 1030,
94
Notre Dame L. Rev.
1775
(2019).
Available at:
https://scholarship.law.nd.edu/ndlr/vol94/iss4/10