Friday, November 11, 2011

The Fired Employee, the Firewall and “Loss”

This post examines a very short, recent opinion from the U.S. Court of Appeals for the 11th Circuit. The opinion examines a woman’s appeal from her conviction for violating the general federal computer crime statute, 18 U.S. Code § 1030.

More precisely, it examines Patricia Marie Fowler’s argument that her conviction for “intentionally causing damage to a protected computer” should be reversed because “the United States failed to prove that her offense involved a protected computer or cause a loss that exceeded $5,000.” U.S. v. Fowler, 2011 WL 5119520 (U.S. Court of Appeals for the 11th Circuit 2011).

As I’ll note in a minute, the opinion briefly reviews the evidence presented at her trial, but an FBI press release helps to fill in the details of what happened:

Fowler had been fired by [Suncoast Community Health Centers (SCHC)] on March 13, 2009, for insubordination and failing to follow the orders of her supervisors. On March 17, SCHC employees discovered that a computer intrusion had occurred and that damage had been done to the SCHC computer system.

From March 17, 2009 through April 1, 2009 numerous unauthorized intrusions were made into the SCHC computer system which resulted in the deletion and movement of files from the computers of SCHC executives, changing of administrative account names and passwords, removing access to infrastructure systems, changing pay and accrued leave rates on the employee payroll system, and the compromise and lockout of the firewall used to secure the SCHC network.

(The press release also notes that SCHC is “a non-profit federally qualified community health center providing medical services to patients without access to primary healthcare and without regard to their ability to pay.”)

This is how the Court of Appeals’ opinion summarizes the evidence presented at trial:

Fowler admitted to a federal agent that, after she was fired from her position as a system administrator for Suncoast Community Health Centers, she changed the password for the firewall. At trial, Bill Windham, a network system operator at Suncoast, testified that, without access to the firewall, Suncoast could not control ‘activity inward’ to their systems.

Two officers of Suncoast, Brantz Roszel and Tom Brown, testified that Fowler also disabled all the administrator accounts, obstructed access to the domain controllers, disconnected backup systems, reformatted a hard drive on Roszel's computer, and transferred eight years of reports from Brown's computer into an obscure subdirectory on the company server.

Fowler's interference with the computer system left Suncoast employees unable to exchange email or check email remotely. Fowler's misconduct also interrupted employees' ability to access patients' health records, verify patients' eligibility for Medicaid, or communicate with laboratories and outside healthcare agencies through the internet.

U.S. v. Fowler, supra.

As the FBI press release notes, on December 7, 2010,

U.S. District Judge Susan C. Bucklew sentenced Patricia Marie Fowler (age 30, of Palmetto), the former information technology (IT) technician for the Suncoast Community Health Centers (SCHC) located in Ruskin, Florida, to 18 months in federal prison for committing computer intrusions causing damage of at least $17,000. The court also ordered Fowler to pay restitution of $17,243.01 and to be placed on supervised release for three years after serving her sentence of confinement.

In ruling on Fowler’s appeal, the 11th Circuit found that “[s]ubstantial evidence” supported the jury’s finding that she “‘knowingly caused the transmission of a program, information, code, or command’ that ‘intentionally cause[d] damage without authorization[ ] to a protected computer’” in violation of 18 U.S. Code § 1030(a)(5)(A). U.S. v. Fowler, supra. Before we go any further, I need to parse that observation and the charge it concerns.

As I noted in a post I did several years ago, the § 1030(a)(5)(A) crime, unlike the §§ 1030(a)(5)(B) and 1030(a)(5)(C) crimes, isn’t a “hacking” crime, i.e., isn’t a crime that involves gaining “access” to a computer. The § 1030(a)(5)(A) crime is an “outsider” crime, that is, it encompasses things like Distributed Denial of Service attacks or infecting a computer system with malware.

Now, the malware, once installed, may be used to “access” the computer, but that’s a different process and a different crime. My point is that it seems it would have been more logical to charge Fowler with violating 18 U.S. Code § 1030(a)(5)(B) or § 1030(a)(5)(C) by accessing the system without being authorized to do so and causing damage (which § 1030(e)(8) defines as impairing the integrity or availability of “data, a program, a system or information”).

Anyway, she was charged with the § 1030(a)(5)(A) crime and argued on appeal, first, that the prosecution didn’t prove “her offense involved a protected computer.” U.S. v. Fowler, supra. As I noted in a post I did about five years ago, § 1030 originally applied only to “federal interest computers”, i.e., computers used by the federal government, but in 1996 Congress changed that to “protected computer.” The purpose was to allow the statute to be used more broadly, i.e., to prosecute purely federal cybercrimes and what would otherwise be state cybercrimes.

Section 1030(e)(2) defines a “protected computer,” in part, as a computer that “is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”.

The 11th Circuit didn’t spend a lot of time on Fowler’s argument that the prosecution didn’t prove that her conduct affected a protected computer. U.S. v. Fowler, supra. The only response I can find to that argument in this concededly short opinion is the court’s statement that “Fowler's misconduct . . . interrupted employees' ability to access patients' health records, verify patients' eligibility for Medicaid, or communicate with laboratories and outside healthcare agencies through the internet, which ‘is an instrumentality of interstate commerce’”. U.S. v. Fowler, supra (quoting U.S. v. Hornaday, 392 F.3d 1306 (11th Cir. 2004)). Since Fowler’s activity affected computers that use cyberspace to interact with other computers, that was enough to establish that her “misconduct” affected a protected computer (or protected computers).

(If you’d like to read a little more about how the Supreme Court approaches the parsing of “interstate commerce”, check out Wikipedia’s entry on the Court’s decision in U.S. v. Lopez.)

Finally, the Court of Appeals addressed Fowler’s argument that the prosecution didn’t prove she caused “loss” that exceeded $5,000. U.S. v. Fowler, supra. (If you check out § 1030(c)(4)(B)(i), you’ll see that the $5,000 loss element is a component of sentencing.)

Section 1030(e)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”. The Court of Appeals found that “[s]ubstantial evidence also” supported the jury’s finding that Fowler’s activity caused the $5,000 loss required by 18 U.S. Code § 1030(c)(4)(B)(i):

Suncoast expended over $6,000 for Roszel, Brown, and Windham to ‘respond[ ] to [Fowler's] offense, conduct[ ] a damage assessment, and restor[e] the data, program, system, or information to its condition prior to the offense.’ § 1030(e)(11). Roszel, Brown, and Windham testified that they were required to access and reconfigure the administrator account, restore email and other normal computer functions for employees, assess and later replace the firewall, and recover administrative files.

Suncoast also had further ‘cost[s] incurred’ in paying Health Choice Network $3,941.27 to repair the computer system. Victor Rodriguez, the director of technology operations at Health Choice, testified that he reset the administrator password for the Suncoast network, reconfigured its services to match the password, and investigated the interference with the Suncoast system.

During his investigation, Rodriguez discovered that Fowler had established an employee account under the name ‘Peggie Davis’ that contained full administrative rights and that Fowler could use after she was fired to access the Suncoast computer system.

U.S. v. Fowler, supra. The 11th Circuit therefore affirmed Fowler’s conviction. U.S. v. Fowler, supra.