In my last post, I talked about how we tend to overlook the threat from insiders because we have become so focused on the external threat -- break-ins by a hacker. I want to follow up with some observations on an issue that arises with regard to attacks by "insiders," who are usually disgruntled employees.
In the U.S., the federal system and every state make it a crime to gain "unauthorized access" to a computer system. This crime reaches the conduct I noted above: an outsider who is not supposed to be able to access a computer system gains access by compromising the security that was supposed to keep him out.
There is, though, another kind of "unauthorized access," one that is outlawed in many states and, in some forms, at the federal level, as well. This takes the form of an insider's exceeding the access she legitimately has to a computer system. This type of conduct can be problematic for the law because you are dealing with someone who is authorized to access a computer system, at least for certain purposes; the question of criminal liability arises when she either goes beyond the scope of her authorized access or uses her authorized access for illegitimate purposes.
For example, on October 18, 2001, Philadelphia Police Officer Gina McFadden was on patrol with her partner. That day, the computer in McFadden's patrol car, like the computers in all the other patrol cars, was broadcasting a message about a missing truck containing hazardous materials. For some incomprehensible reason, at 1:00 that afternoon McFadden used the computer in her patrol car to transmit a message that ostensibly came from terrorists; in profane language, the message stated that it was from people who hated America and had "anthrax in the back of our car". (State v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004)). The investigation launched into this transmission focused on McFadden, who ultimately admitted sending the message.
She was charged with and convicted of "intentionally and without authorization" accessing a computer system. (18 Pa. Cons. Stat. Ann. sec. 3933(a)(2)). McFadden argued that she was improperly convicted because she was authorized to use the computer in her patrol car. The appellate court rejected this argument, explaining that while McFadden was authorized to access the computer for purposes "of official police business, she was not authorized to access the computer for any other purposes. . . . She certainly was not authorized to access the computer for the purpose of distributing a message which implied that a Philadelphia police car had been contaminated with anthrax by terrorists." (State v. McFadden, 850 A.2d 1290 (Pa. Super. Ct. 2004)).
What the court did not explain, of course, is precisely how McFadden knew she was not authorized to do this; common sense tells us that her conduct was beyond the pale, but common sense cannot substitute for legal standards when criminal liability is at issue. McFadden's crime is more accurately described as "exceeding authorized access." This captures the "insider" aspect of the offense. We do not know if she sent the bizarre message because she was angry at the police department that employed her and wanted to strike back, or whether she simply had an unfortunate sense of humor.
There are many "insider" cases, but one from Georgia captures the peculiar difficulties that can arise when a trusted insider goes rogue. Some years ago, Sam Fugarino worked as a computer programmer for a company that designed software for surveyors. (Fugarino v. State, 243 Ga. App. 268, 531 S.E.2d 187 (Ga. App. Ct. 2000)). He had become a "difficult" employee, but went around the bend when the company hired a new worker, in a completely unrelated position.
Sam became visibly upset, telling a co-worker that the "code was his product" and "no one else was going to work on his code". The other employee saw that Sam was deleting massive amounts of files, so that whole pages of code were disappearing before this employee's eyes. The employee ran to the owner of the company, who came to Sam's desk. Sam told the owner that the "code was his" and that the owner would never "get to make any money" from it. The owner managed to convince Sam to leave the premises, but then discovered Sam had added layers of password protection to the computer system, the net effect of which was to lock the owner and other employees out of the program Sam had been designing.
The upshot of all this was that Sam was charged with "computer trespass" under Georgia law. More precisely, he was charged with using a computer system "with knowledge that such use is without authority" and deleting data from that system. (Ga. Code sec. 16-9-93(b)). Sam was tried and convicted, and he appealed, claiming that his use of the computer system was not "without authority". Sam, of course, had full access to the computer system; and as a programmer whose job was developing software, he was authorized to use his access not only to write code but also to delete code.
The Georgia appellate court upheld Sam's conviction, using a common-sense, "you should have known what you were doing was wrong" approach very similar to that used by the McFadden court. It noted that at trial the owner of the company testified he had not given Sam authority to delete "portions of the company's program" . . . which ignores the fact that Sam clearly did have authority to do precisely this.
The issue is one of degree: Sam was authorized to delete program code as part of his work developing software; the problem is that he clearly went too far, that he was apparently bent on erasing all of the program code. Clearly, the owner had not specifically told Sam that he was not authorized to delete an entire program; the need to do so had probably never occurred to him.
The Fugarino case illustrates a difficult question that arises when "insiders" are prosecuted for "exceeding authorized access." How, precisely, is someone to know when she exceeds authorized access? Relying on the common-sense, "you-should-have-known-it-when-you-did-it" approach taken by these courts is, I would argue, quite unsatisfactory. The over-the-top nature of the conduct at issue in these cases may make the approach seem reasonable, but in fact it is not.
Every organization has a host of trusted "insiders" who have authorized access, in varying degrees, to the organization's computer system. Like Sam's employer, most organizations seem to assume that insiders understand the scope of their authorized access and will abide by that understanding. This assumption no doubt derives from our experience with physical security. It is relatively easy to deny employees access to physical spaces; physical boundaries are fixed and obvious. Assume Sam had a key to his own office, but not to his employer's office. If Sam had been found in his employer's (formerly) locked office shredding documents, he could not credibly have claimed that his "access" to the office and the files locked inside was "authorized." It would be reasonable to infer from his conduct (somehow breaking into a locked office) that he knew he was not authorized to be there, that he was doing something "wrong."
Virtual boundaries tend to be invisible and mutable. In a literal sense, Sam did nothing he was not authorized to do; he did not (virtually) break into a locked area and attack data shielded inside. He was authorized to delete code and he deleted code.
As a matter of simple fairness, criminal law demands that one be put on notice as to what is, and is not, forbidden. The question raised by cases like these is precisely how we do this for the "insiders" who legitimately have access to our computer systems.