Ibrahimshah Shahulhameed was found guilty, in federal court, of “violating 18 U.S. Code §
1030(a)(5)(A), which makes it unlawful to knowingly cause the transmission of a
program, information, code, or command, and as a result of such conduct,
intentionally cause damage without authorization, to a protected computer”. U.S. v. Shahulhameed, 2014 WL 1513143 (U.S. District Court for the Eastern District of Kentucky 2014). He then filed a motion for “acquittal pursuant to Rule 29 of the Federal Rules of Criminal Procedure” or, in the alternative, for “a new trial”
pursuant to Rule 33 of the Federal Rules of Criminal Procedure. U.S. v.
Shahulhameed, supra.
The U.S. District Court Judge who has the case began her opinion by noting that
[d]uring a trial that lasted approximately one week, the
United States presented evidence that [Shahulhameed] was terminated from his
position at Toyota Engineering & Manufacturing North America -- where he
worked as a subcontractor -- on August 23, 2012. Following his termination, [Shahulhameed] used his remote access to Toyota's computer system to make a series of
programming changes to Toyota's servers that caused extensive damage.
U.S. v. Shahulhameed, supra. The news
stories you can find here offer an account of how the prosecution allegedly
arose, and you can find the Criminal Complaint that was filed in the case here.
This press release from the U.S.
Attorney whose office had the case also provides some additional details.
Under Rule
29(a) of the Federal Rules of Criminal Procedure, “the court on the defendant's
motion must enter a judgment of acquittal of any offense for which the evidence
is insufficient to sustain a conviction.”
Since the U.S. federal government, like the U.S. states,
requires that a criminal defendant’s guilt be proven beyond a reasonable doubt,
the court must determine whether the evidence presented proves each element of
the crime(s) charged beyond a reasonable doubt in deciding whether or not to
grant a motion for a judgment of acquittal.
The
federal judge who has this case began her analysis of Shahulhameed’s motion by
noting that
[w]hen addressing a motion for judgment of acquittal, the
Court must view the evidence in the light most favorable to the prosecution and
determine whether there was sufficient evidence offered at trial to convince a
rational trier of fact beyond a reasonable doubt that all of the elements of
the charged crimes have been established. U.S. v. Graham, 622 F.3d
445 (U.S. Court of Appeals for the 6th Circuit 2010).
The Court is precluded from weighing the evidence, considering witness credibility, or substituting its judgment for that of the jury. U.S. v. Chavis, 296 F.3d 450 (U.S. Court of Appeals for the 6th Circuit 2002). The court gives the government `the benefit of all inferences which can reasonably be drawn from the evidence, even if the evidence is circumstantial.’ U.S. v. Carter, 355 F.3d 920 (U.S. Court of Appeals for the 6th Circuit 2004).
U.S. v. Shahulhameed, supra.
She also
noted that Shahulhameed could be found guilty of violating 18 U.S. Code §
1030(a)(5)(A) “only if” these facts were proved beyond a reasonable doubt at
his trial:
(1) the defendant knowingly caused the transmission of a
program, information, code, or command to a protected computer;
(2) the
defendant, as a result of such conduct, intentionally caused damage to a
protected computer without authorization; and
(3) the damage resulted in losses of more than $5,000 during
a one-year period.
U.S. v. Shahulhameed, supra.
Shahulhameed
“present[ed] three reasons as to why he is entitled to acquittal under Rule 29”. U.S. v.
Shahulhameed, supra.
First, he contends that insufficient evidence was presented
to prove that the defendant's actions caused more than $5,000 in damage.
Second, [Shahulhameed] argues that the evidence does not support a finding that
he was `without authorization’ at the time the programming changes occurred.
Third, [he] argues that the evidence did not establish beyond a reasonable
doubt that he was the individual who issued the programming changes that caused
the damage.
U.S. v. Shahulhameed, supra.
The judge
addressed his arguments in order, beginning with the issue of “damage”:
The United States must prove the damage caused by the
defendant resulted in losses of $5,000 or more within a one-year period.
Under . . . § 1030(a)(5)(A), a `loss’ includes `the cost of responding to
an offense, conducting a damage assessment, and restoring the data, program,
system, or information to its condition prior to the offense.’ 18 U.S.
Code § 1030(e)(11). Losses can include the cost of time spent by a salaried
employee of the victim in responding to the damage. See U.S. v. Millot,
433 F.3d 1057 (U.S. Court of Appeals for the 8th Circuit 2006). Thus, the
cost of Toyota's remedial efforts in responding to the defendant's cyber-attack
is properly considered a loss under § 1030(a)(5)(A).
To prove [Shahulhameed]
caused at least $5,000 in damage to the affected computers, the United States
relied on the testimony and reports by a number of witnesses. Deva Veerasamy,
an information systems employee at Toyota, testified he spent a significant
amount of hours diagnosing and repairing the problems caused by [his] actions.
Tom Cantrell, a supervisor at Toyota, testified to the hundreds of hours employees
within his department worked to repair the damage. Although these witnesses did
not quantify the exact cost of the many hours of labor expended, the United
States introduced Exhibit 6 to make such a quantification. Exhibit 6 provided a
summary of the hours and costs incurred by Cincinnati Bell Technology Solutions
(CBTS) and Toyota.
It did so by displaying the number of hours employees spent
working on the problems alongside of each employee's hourly rate. According to
this exhibit, the damage caused to Toyota between August 24, 2012 and October
30, 2012 was at least $187,070, far greater than the $5,000 minimum
requirement. Moreover, testimony by Toyota employees during trial indicated
that Toyota continued to incur costs after October 30, though quantification of
these costs was unnecessary given the amount of damage already established at
trial.
[Shahulhameed] contends this evidence is insufficient for a
rational trier of fact to conclude that the $5,000 threshold was met. He points
to the fact that the government failed to introduce `certified business
records’ and the fact that Exhibit 6 did `not show what was supposedly worked
on, the damage that existed, how said damage was fixed, any description of the
work performed or any other illuminating information.’ . . .
While it might be
true that the government could have provided even more evidence to establish
the damage at issue, the evidence presented at trial is sufficient on its own
for a rational trier of fact to find that the losses exceeded $5,000.
Considering the testimony of the various witnesses in conjunction with the summary
exhibit of Toyota's costs, and viewing it all in the light most favorable to
the government, the evidence was more than sufficient to establish the minimum
amount of damage required.
U.S. v. Shahulhameed, supra.
The judge
then took up Shahulhameed’s second argument – that the
evidence does not support a finding that he was `without
authorization’ when the programming changes were made because witnesses for the
United States testified that his access to Toyota's computer system was revoked
sometime between 6:32 a.m. and 7:00 a.m. the morning after the cyber-attack.
That is to say, [Shahulhameed] contends he could not have been `without
authorization’ if his access had not yet been revoked.
U.S. v. Shahulhameed, supra.
Again, the
judge did not agree. She found that Shahulhameed
glosses over the testimony by Andrew Sell, [his] supervisor
at the employment agency for whom he worked. Sell testified that [Shahulhameed]
was terminated from his position at Toyota on the evening of August 23, 2012 at
approximately 11:00 p.m. The cyber-attack did not take place until after that
termination occurred. [Shahulhameed] dismisses Sell's testimony, calling it
`sketchy at best,’ but offers no reason to doubt it.
Moreover, [his] supervisor
at Toyota testified that none of the programming changes made by Shahulhameed
were authorized, so even if he retained his access and had not been terminated,
the changes he made were `without authorization.’
As the United States correctly explains, [Shahulhameed’s]
argument improperly conflates `access itself with the authorization
to use access to transmit information, codes, and commands.’ . . .
In doing so, [he] relies on several cases that analyze different provisions
of § 1030 that make it unlawful to access a computer without
authorization.
But Shahulhameed was not charged with unauthorized access. Rather,
[he] was charged under § 1030(a)(5)(A), which makes it unlawful to `cause[ ]
damage without authorization.’ 18 U.S. Code § 1030(a)(5)(A).
`No one claimed at trial that the Defendant lacked the
ability to access Toyota's computer systems after his termination.’ . . .
Instead, and in accordance with the crime charged, evidence was presented to
demonstrate that [Shahulhameed] used his access to make unauthorized
programming changes that damaged Toyota's computers. Support for this lack of
authorization came in several forms, including Sell's testimony that he had
been terminated from his position at Toyota and Shahulhameed’s former
supervisor who testified that the changes made by [him] were not authorized.
The evidence undoubtedly supports a finding by a rational trier of fact that [Shahulhameed]
caused damage without authorization.
U.S. v. Shahulhameed, supra (emphasis in the original).
The judge
therefore held that
[v]iewing all of the evidence in the light most favorable to
the government, including the testimony by the private forensic investigators
and Agent Keown, along with the server logs and [Shahulhameed’s] own testimony
that he issued some of the programming commands, a rational trier of fact could
reasonably determine that it was Shahulhameed who made these programming
changes, which then caused damage to the Toyota servers. The evidence is
therefore sufficient to sustain the guilty verdict and [his] motion for
acquittal will be denied.
U.S. v. Shahulhameed, supra.
Finally, the
judge noted that Shahulhameed
styles his motion as seeking a new trial in the alternative
to his motion for acquittal. The motion, however, does not present arguments
for a new trial. The Court will therefore construe his motion as arguing for a
new trial on the same grounds as for acquittal: that being the manifest weight
of the evidence does not support the jury's verdict.
U.S. v. Shahulhameed, supra.
She then
explained that the standard for a new trial does
not parallel that for acquittal. When examining a
defendant's motion for a new trial, the court `may vacate any judgment and grant
a new trial if the interest of justice so requires.’ Federal Rules of Criminal
Procedure 33(a). `The decision whether to grant a new trial is left to the
sound discretion of the district court.’ U.S. v. Pierce, 62 F.3d
818 (U.S. Court of Appeals for the 6th Circuit 1995).
`A district judge, in considering the weight of the evidence
for purposes of adjudicating a motion for new trial, may act as a thirteenth
juror, assessing the credibility of witnesses and the weight of the evidence.’ U.S.
v. Hughes, 505 F.3d 578 (U.S. Court of Appeals for the 6th Circuit 2007).
. . . Moreover, `it is widely agreed that Rule 33's “interest of justice”
standard allows the grant of a new trial where substantial legal error has occurred.’
U.S. v. Munoz, 605 F.3d 359
(U.S. Court of Appeals for the 6th Circuit 2010).
U.S. v. Shahulhameed, supra.
The judge
then found that
[i]n construing [Shahulhameed’s] arguments for acquittal as
also supporting a motion for a new trial, the Court finds them without merit.
Although the Court is permitted to act as the thirteenth
juror and weigh the evidence in order to determine whether a new trial is
necessary, the reasons stated above all support the same conclusion in this
alternative motion. The evidence overwhelmingly supports the findings that the
losses totaled more than $5,000, that Shahulhameed was without authorization in
causing the damage, and that he was the individual behind the cyber-attack. For
all of the reasons stated above, the defendant's alternative motion for a new
trial will be denied.
U.S. v. Shahulhameed, supra.
She
therefore denied his “motion for acquittal, and in the alternative, motion for
a new trial”. U.S. v. Shahulhameed, supra.