CFAA 101: A Computer Fraud & Abuse Act Primer for InfoSec Pros

From WarGames, to Aaron Swartz, to bug bounties, to Van Buren, here's what cybersecurity researchers should know about the US's primary anti-hacking law before it gets its day in the Supreme Court.

If a person is authorized to access data for one purpose, is it a crime for them to access that data for an "improper" purpose? That question lies at the heart of a case the United States Supreme Court will hear next month—the first time that it will ever hear oral arguments on the Computer Fraud and Abuse Act (CFAA). The case could have serious implications for cybersecurity researchers. Here's what you should know about the CFAA, as it works today.







What is the CFAA?


The Computer Fraud and Abuse Act (also known as 18 US Code 1030) is the preeminent anti-hacking law in the United States. The CFAA was first signed into law by President Ronald Reagan in 1986 (three years after the movie WarGames spooked the White House). Since then, the CFAA—an update to 1984's Comprehensive Crime Control Act—has been amended eight times to address newer cybersecurity threats.


As of today, the CFAA can apply to criminal as well as civil lawsuits; it covers all federal computer systems and all privately owned computers used in interstate or international commerce.


Prison sentences under the CFAA vary, ranging from one year for "trafficking in passwords" to 10 years for "ob ..
