US Federal Laws Governing Criminal Computer Hacking

Prosecuting computer hacking in the United States relies on a robust framework of federal statutes designed to address unauthorized access, data theft, and system disruption. This article explores the primary laws used by federal prosecutors to combat cybercrime, including the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and other key statutes that form the backbone of U.S. cybersecurity legislation.

The Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030

The Computer Fraud and Abuse Act (CFAA) is the primary federal statute used to prosecute computer hacking. Originally enacted in 1986, the CFAA has been amended multiple times to keep pace with technological advancements.

The law criminalizes accessing a “protected computer” without authorization or exceeding authorized access. Under the statute, a “protected computer” includes virtually any computer connected to the internet, including mobile devices and servers. The CFAA prohibits several specific activities:

• Damaging Computers or Information: Knowingly causing the transmission of a program, information, code, or command that intentionally causes damage to a protected computer.
• Computer Extortion: Threatening to damage a protected computer or obtain/release confidential information unless money or property is paid (commonly charged in ransomware cases).
• Trafficking in Passwords: Trafficking in passwords or similar information through which a computer may be accessed without authorization.
• Accessing to Defraud: Accessing a protected computer without authorization with the intent to defraud and obtain anything of value.

The Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act of 1986 protects wire, oral, and electronic communications while they are being made, are in transit, and when they are stored on computers. In hacking prosecutions, two components of the ECPA are frequently utilized:

The Wiretap Act (18 U.S.C. §§ 2510-2522)

This act makes it illegal to intentionally intercept, endeavor to intercept, or procure another person to intercept any wire, oral, or electronic communication. Prosecutors use this against hackers who install spyware, packet sniffers, or other interception tools to capture data in transit.

The Stored Communications Act (SCA) (18 U.S.C. §§ 2701-2712)

The SCA prohibits unauthorized access to wire or electronic communications held in electronic storage. This is the primary tool used to prosecute hackers who break into email servers, cloud storage accounts, or social media databases to steal private messages and data.

Identity Theft and Aggravated Identity Theft

Hacking frequently involves the theft of personally identifiable information (PII). Prosecutors utilize specific identity theft statutes to increase penalties for hackers:

• Identity Theft (18 U.S.C. § 1028): Criminalizes the knowing transfer, possession, or use of another person’s means of identification with the intent to commit unlawful activity.
• Aggravated Identity Theft (18 U.S.C. § 1028A): Applies when a defendant commits identity theft in connection with specific felony violations, including wire fraud and CFAA violations. This statute imposes a mandatory, consecutive two-year prison sentence in addition to the punishment for the underlying crime.

The Economic Espionage Act (EEA) - 18 U.S.C. §§ 1831-1832

When computer hacking involves the theft of proprietary business information, prosecutors turn to the Economic Espionage Act. The EEA contains two main provisions:

• Economic Espionage (18 U.S.C. § 1831): Criminalizes the theft of trade secrets to benefit foreign powers, foreign instrumentalities, or foreign agents. This is commonly applied in state-sponsored cyber espionage cases.
• Theft of Trade Secrets (18 U.S.C. § 1832): Criminalizes the theft of trade secrets for commercial or economic purposes, regardless of foreign government involvement. This targets corporate espionage and insider threats.

Wire Fraud and Conspiracy

Because cybercriminals often operate in groups and use the internet to commit financial fraud, prosecutors frequently utilize general federal criminal statutes:

• Wire Fraud (18 U.S.C. § 1343): Broadly prohibits any scheme to defraud that involves the transmission of signals, writings, or data by wire in interstate or foreign commerce. Since hacking relies on internet-based transmissions, wire fraud is a common charge in financial hacking schemes.
• Conspiracy (18 U.S.C. § 371): Criminalizes agreements between two or more people to commit a federal offense, allowing prosecutors to target entire hacking groups, including those who write malware but do not execute the attacks themselves.