Does the CFAA apply to voting machine hacks?
- By Derek B. Johnson
- Aug 30, 2018
For decades, the Computer Fraud and Abuse Act served as the U.S. government's most powerful tool to prosecute hackers. Over the years, virtually every high-profile cybercrime case in which federal prosecutors brought forth charges – from Aaron Swartz and Marcus Hutchins to Russian and Iranian -backed hacking groups – has used the CFAA as its cornerstone statute.
As the U.S. heads into the 2018 mid-term elections, the government is facing intense political pressure to harden the security around election systems, while the Trump administration has also come under fire for not doing enough to draw bright lines around election infrastructure and signal to foreign nations that interference will come with great consequences.
Recent documents and comments from the Department of Justice indicate that when it comes to prosecuting the most high-profile form of interference – hacking and compromising voting machines – the government may end up going to war without its most potent weapon.
In July, the DOJ cyber digital task force released a report assessing the department's work in the cyber arena. While it calls CFAA the "principal tool" for prosecuting computer-related crimes, buried within the report are several passages expressing skepticism over whether the law would apply to individuals who hack into electronic voting machines.
The CFAA "currently does not prohibit the act of hacking a voting machine in many common situations," the report reads. "In general, the CFAA only prohibits hacking computers that are connected to the Internet (or that meet other narrow criteria for protection). In many conceivable situations, electronic voting machines will not meet those criteria, as they are typically kept off the Internet."
The heart of the CFAA allows the government to prosecute anyone who has "knowingly accessed a computer without authorization or exceeding authorized access." It has been used over the years to prosecute and convict a wide range of digital activities, from hacking into an organization's systems and networks, stealing or altering sensitive data or designing and spreading malware. Controversially, it has also been interpreted and used to criminally charge far less nefarious activities that have opened the law up to criticisms of overreach.
In congressional testimony August 21, Associate Deputy Attorney General Sujit Raman expanded on the department's position, saying that the CFAA draws a substantial portion of its authority from the Commerce Clause, an enumerated power in the U.S. Constitution that gives Congress and the federal government broad jurisdiction over activities that affect intra- and interstate commerce. However, DOJ officials worry that because voting machines are (in theory though not always in practice) disconnected from the Internet, their ability to affect interstate commerce is limited.
"We are concerned that courts might conclude that the Commerce Clause power, alone, does not reach voting machine computers that are not used in a commercial setting, are not used in interstate communication, and are typically never connected to the Internet or to any other network," Raman stated in his written testimony.
The CFAA has come under fire in the past by white hat hackers and digital rights groups for criminalizing activities, such as software vulnerability research , that are considered widely legitimate activities today. The DOJ's position has puzzled some legal experts, particularly those who have in the past criticized the government for relying on overly broad interpretations of the 1986 law's applicability.
Law professor Orin Kerr wrote on Twitter that "it doesn't seem hard to argue that computers, in the aggregate, have an effect on interstate commerce."
Kerr also questioned whether the DOJ's legal interpretation was being influenced by politics. By setting a lower bar for its current legal authorities, it could provide cover for lawmakers to give the appearance of taking action on a hot-button issue.
"It's also possible that this is a fake problem that enables a fake solution: By suggesting the CFAA doesn't apply to voting machines, Congress can 'do something' about election hacking by passing a law that explicitly covers voting machines -- even though the law covers this now," Kerr continued.
Both the DOJ report and Raman note that Congress could conceivably rely on other authorities, such as its constitutional power to regulate federal elections, to criminally prosecute hackers who compromise voting machines, but do not cite any specific laws. Raman pressed lawmakers to update the CFAA, unamended since 2008, in a number of ways, including specifying that electronic voting machines would quality as protected computers.
Sen. Richard Blumenthal (D-Conn.), who recently referred to alleged Russian interference and influence operations during the 2016 presidential election as "an act of war," introduced legislation in July that would include voting machines and other election information systems under the CFAA.
Derek B. Johnson is a former senior staff writer at FCW.