Wednesday, April 30, 2014

18 U.S. Code § 1030(a)(5)(A), Toyota and "Damage”

Ibrahimshah Shahulhameed was found guilty, in federal court, of “violating 18 U.S. Code § 1030(a)(5)(A), which makes it unlawful to knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer”.  U.S. v. Shahulhameed, 2014 WL 1513143 (U.S. District Court for the Eastern District of Kentucky 2014).  He then filed a motion for “acquittal pursuant to Rule 29 of theFederal Rules of Criminal Procedure” or, in the alternative, for “a new trial” pursuant to Rule 33 of the Federal Rules of Criminal Procedure.  U.S. v. Shahulhameed, supra.

The U.S. District Court Judge who has the case began her opinion by noting that

[d]uring a trial that lasted approximately one week, the United States presented evidence that [Shahulhameed] was terminated from his position at Toyota Engineering & Manufacturing North America -- where he worked as a subcontractor -- on August 23, 2012. Following his termination, [Shahulameed] used his remote access to Toyota's computer system to make a series of programming changes to Toyota's servers that caused extensive damage.

U.S. v. Shahulhameed, supra.  The news stories you can find here offers an account of how the prosecution allegedly arose, and you can find the Criminal Complaint that was filed in the case here.  This press release from the U.S. Attorney whose office had the case also provides some additional details.

Under Rule 29(a) of the Federal Rules of Criminal Procedure, “the court on the defendant's motion must enter a judgment of acquittal of any offense for which the evidence is insufficient to sustain a conviction.”  Since the U.S. federal government, like the U.S. states, requires that a criminal defendant’s guilt be proven beyond a reasonable doubt, the court must determine whether the evidence presented proves each element of the crime(s) charged beyond a reasonable doubt in deciding whether or not to grand a motion for a judgment of acquittal.  

The federal judge who has this case began her analysis of Shahulhameed’s motion by noting that

[w]hen addressing a motion for judgment of acquittal, the Court must view the evidence in the light most favorable to the prosecution and determine whether there was sufficient evidence offered at trial to convince a rational trier of fact beyond a reasonable doubt that all of the elements of the charged crimes have been established. U.S. v. Graham, 622 F.3d 445 (U.S. Court of Appeals for the 6th Circuit 2010). 

The Court is precluded from weighing the evidence, considering witness credibility, or substituting its judgment for that of the jury. U.S. v. Chavis, 296 F.3d 450 (U.S. Court of Appeals for the 6th Circuit 2002).  The court gives the government `the benefit of all inferences which can reasonably be drawn from the evidence, even if the evidence is circumstantial.’ U.S. v. Carter, 355 F.3d 920 (U.S. Court of Appeals for the 6th Circuit 2004).

U.S. v. Shahulhameed, supra.  

She also noted that Shahulhameed could be found guilty of violating 18 U.S. Code § 1030(a)(5)(A) “only if” these facts were proved beyond a reasonable doubt at his trial:

(1) the defendant knowingly caused the transmission of a program, information, code, or command to a protected computer;

(2) the defendant, as a result of such conduct, intentionally caused damage to a protected computer without authorization; and

(3) the damage resulted in losses of more than $5,000 during a one-year period.

U.S. v. Shahulhameed, supra.  

Shahulhameed “present[ed] three reasons as to why he is entitled to acquittal under Rule 29”.  U.S. v. Shahulhameed, supra.  

First, he contends that insufficient evidence was presented to prove that the defendant's actions caused more than $5,000 in damage. Second, [Shahulhameed] argues that the evidence does not support a finding that he was `without authorization’ at the time the programming changes occurred. Third, [he] argues that the evidence did not establish beyond a reasonable doubt that he was the individual who issued the programming changes that caused the damage.

U.S. v. Shahulhameed, supra.  

The judge addressed his arguments in order, beginning with the issue of “damage”:

The United States must prove the damage caused by the defendant resulted in losses of $5,000 or more within a one-year period. Under . . . § 1030(a)(5)(A), a `loss’ includes `the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense.’ 18 U.S. Code § 1030(e)(11). Losses can include the cost of time spent by a salaried employee of the victim in responding to the damage. See U.S. v. Millot, 433 F.3d 1057 (U.S. Court of Appeals for the 8th Circuit 2006). Thus, the cost of Toyota's remedial efforts in responding to the defendant's cyber-attack is properly considered a loss under § 1030(a)(5)(A).

To prove [Shahulhameed] caused at least $5,000 in damage to the affected computers, the United States relied on the testimony and reports by a number of witnesses. Deva Veerasamy, an information systems employee at Toyota, testified he spent a significant amount of hours diagnosing and repairing the problems caused by [his] actions. Tom Cantrell, a supervisor at Toyota, testified to the hundreds of hours employees within his department worked to repair the damage. Although these witnesses did not quantify the exact cost of the many hours of labor expended, the United States introduced Exhibit 6 to make such a quantification. Exhibit 6 provided a summary of the hours and costs incurred by Cincinnati Bell Technology Solutions (CBTS) and Toyota. 

It did so by displaying the number of hours employees spent working on the problems alongside of each employee's hourly rate. According to this exhibit, the damage caused to Toyota between August 24, 2012 and October 30, 2012 was at least $187,070, far greater than the $5,000 minimum requirement. Moreover, testimony by Toyota employees during trial indicated that Toyota continued to incur costs after October 30, though quantification of these costs was unnecessary given the amount of damage already established at trial.

[Shahulhameed] contends this evidence is insufficient for a rational trier of fact to conclude that the $5,000 threshold was met. He points to the fact that the government failed to introduce `certified business records’ and the fact that Exhibit 6 did `not show what was supposedly worked on, the damage that existed, how said damage was fixed, any description of the work performed or any other illuminating information.’ . . . 

While it might be true that the government could have provided even more evidence to establish the damage at issue, the evidence presented at trial is sufficient on its own for a rational trier of fact to find that the losses exceeded $5,000. Considering the testimony of the various witnesses in conjunction with the summary exhibit of Toyota's costs, and viewing it all in the light most favorable to the government, the evidence was more than sufficient to establish the minimum amount of damage required.

U.S. v. Shahulhameed, supra.  

The judge then took up Shahulhameed’s second argument – that the

evidence does not support a finding that he was `without authorization’ when the programming changes were made because witnesses for the United States testified that his access to Toyota's computer system was revoked sometime between 6:32 a.m. and 7:00 a.m. the morning after the cyber-attack. That is to say, [Shahulhameed] contends he could not have been `without authorization’ if his access had not yet been revoked.

U.S. v. Shahulhameed, supra.  

Again, the judge did not agree.  She found that Shahulhameed

glosses over the testimony by Andrew Sell, [his] supervisor at the employment agency for whom he worked. Sell testified that [Shahulhameed] was terminated from his position at Toyota on the evening of August 23, 2012 at approximately 11:00 p.m. The cyber-attack did not take place until after that termination occurred. [Shahulhameed] dismisses Sell's testimony, calling it `sketchy at best,’ but offers no reason to doubt it. 

Moreover, [his] supervisor at Toyota testified that none of the programming changes made by Shahulhameed were authorized, so even if he retained his access and had not been terminated, the changes he made were `without authorization.’

As the United States correctly explains, [Shahulhameed’s] argument improperly conflates `access itself with the authorization to use access to transmit information, codes, and commands.’ . . . In doing so, [he] relies on several cases that analyze different provisions of § 1030 that make it unlawful to access a computer without authorization. 

But Shahulhameed was not charged with unauthorized access. Rather, [he] was charged under § 1030(a)(5)(A), which makes it unlawful to `cause[ ] damage without authorization.’ 18 U.S. Code § 1030(a)(5)(A).

`No one claimed at trial that the Defendant lacked the ability to access Toyota's computer systems after his termination.’ . . . Instead, and in accordance with the crime charged, evidence was presented to demonstrate that [Shahulhameed] used his access to make unauthorized programming changes that damaged Toyota's computers. Support for this lack of authorization came in several forms, including Sell's testimony that he had been terminated from his position at Toyota and Shahulhameed’d former supervisor who testified that the changes made by [him] were not authorized. The evidence undoubtedly supports a finding by a rational trier of fact that [Shahulhameed] caused damage without authorization.

U.S. v. Shahulhameed, supra (emphasis in the original).  

The judge therefore held that

[v]iewing all of the evidence in the light most favorable to the government, including the testimony by the private forensic investigators and Agent Keown, along with the server logs and [Shahulhameed’s] own testimony that he issued some of the programming commands, a rational trier of fact could reasonably determine that it was Shahulhameed who made these programming changes, which then caused damage to the Toyota servers. The evidence is therefore sufficient to sustain the guilty verdict and [his] motion for acquittal will be denied.

U.S. v. Shahulhameed, supra.

Finally, the judge noted that Shahulhameed

styles his motion as seeking a new trial in the alternative to his motion for acquittal. The motion, however, does not present arguments for a new trial. The Court will therefore construe his motion as arguing for a new trial on the same grounds as for acquittal: that being the manifest weight of the evidence does not support the jury's verdict.

U.S. v. Shahulhameed, supra.

She then explained that the standard for a new trial does

not parallel that for acquittal. When examining a defendant's motion for a new trial, the court may vacate any judgment and grant a new trial if the interest of justice so requires.’ Federal Rules of Criminal Procedure 33(a). `The decision whether to grant a new trial is left to the sound discretion of the district court.’ U.S. v. Pierce, 62 F.3d 818 (U.S. Court of Appeals for the 6th Circuit 1995).

`A district judge, in considering the weight of the evidence for purposes of adjudicating a motion for new trial, may act as a thirteenth juror, assessing the credibility of witnesses and the weight of the evidence.’ U.S. v. Hughes, 505 F.3d 578 (U.S. Court of Appeals for the 6th Circuit 2007). . . . Moreover, `it is widely agreed that Rule 33's “interest of justice” standard allows the grant of a new trial where substantial legal error has occurred.’ U.S.  v. Munoz, 605 F.3d 359 (U.S. Court of Appeals for the 6th Circuit 2010).

U.S. v. Shahulhameed, supra.

The judge then found that

[i]n construing [Shahulhameed’] arguments for acquittal as also supporting a motion for a new trial, the Court finds them without merit.

Although the Court is permitted to act as the thirteenth juror and weigh the evidence in order to determine whether a new trial is necessary, the reasons stated above all support the same conclusion in this alternative motion. The evidence overwhelmingly supports the findings that the losses totaled more than $5,000, that Shahulhameed was without authorization in causing the damage, and that he was the individual behind the cyber-attack. For all of the reasons stated above, the defendant's alternative motion for a new trial will be denied.

U.S. v. Shahulhameed, supra.

She therefore denied his “motion for acquittal, and in the alternative, motion for a new trial”.  U.S. v. Shahulhameed, supra.

No comments: