Friday, July 11, 2014

Hacking, "Loss" and Fishnet

This post is a follow-up to a post I did last October: The Computer Science Student, Authorization and the University. It examined the opinion in which the U.S. District Court Judge assigned to the prosecution of Daniel Stratman for violating the Computer Fraud and Abuse Act (CFAA) rejected his motion to dismiss two of the counts against him. U.S. v. Stratman, 2013 WL 5676874 (U.S. District Court for the Northern District of Nebraska 2013) (“U.S. v. Stratman #1”).
The counts charged Stratman with violating 18 U.S. Code § 1030(a)(5)(A), which makes it a federal crime to knowingly cause the transmission of a program, code or command and thereby cause damage to a protected computer. U.S. v. Stratman #1, supra. The judge denied the motion to dismiss because authorization and access are not elements of the 18 U.S. Code § 1030(a)(5)(A) crime. U.S. v. Stratman #1, supra. You can read more about the facts in the case here.
That brings us to the opinion the judge recently issued in the same case.  He begins by explaining that the case was before him with regard to the
loss calculation for purposes of sentencing. [Stratman] pleaded guilty to one count of violating . . .18 U.S. Code § 1030(a)(5)(A) . . .  based on an intrusion into a protected computer system or systems that began in approximately May 2012. As directed by the Court . . ., the parties submitted a statement of uncontroverted facts . . .  and a hearing was held at which evidence was adduced and submitted of losses allegedly incurred by the two primary victims in this case: the University of Nebraska and the Nebraska State College System.
U.S. v. Stratman, 2014 WL 3109805 (U.S. District Court for the District of Nebraska 2014) (“U.S. v. Stratman, #2”). You can read about how Stratman came to plead guilty here.
The judge explained that the loss calculation at issue in this case has
two primary purposes. First, in determining the offense conduct, the offense level is increased based on the amount of the loss. U.S.S.G. § 2B1.1(b)(1). Second, in the case of an identifiable victim, the Court shall enter a restitution order for the full amount of the victim's loss. U.S.S.G. § 5E1.1; see also 18 U.S.C. § 3663A(a)(1) and (c)(1)(B). The Court recognizes that although the gross amounts of loss for sentencing purposes and loss for restitution purposes are often calculated in the same manner, the two determinations serve different purposes and thus may differ depending on the relevant facts. U.S. v. Lange, 592 F.3d 902 (U.S. Court of Appeals for the 8th Circuit 2010). But as will be explained below, the Court finds that the loss that has been proven in this case is the same for both purposes.
U.S. v. Stratman, #2, supra.  The “U.S.S.G.” references are to provisions of the U.S. Sentencing Guidelines, which control sentencing in the federal criminal justice system.  And 18 U.S.Code § 3663A is the federal statute that addresses mandatory restitution to victims of federal crimes. The document you can find here explains the purpose of and the process of imposing mandatory restitution in federal criminal cases.
The judge goes on to explain that the burden is on the government to prove the factual
basis for a sentencing enhancement by a preponderance of the evidence. U.S. v. Peroceski, 520 F.3d 886 (U.S. Court of Appeals for the 8th Circuit 2008). For purposes of [U.S.S.G.] § 2B1.1(b), loss is calculated as the greater of the actual or intended loss. Actual loss is defined as the ‘reasonably foreseeable pecuniary harm that resulted from the offense.’ § 2B1.1 cmt. n. 3(A)(i). And ‘reasonably foreseeable pecuniary harm’ is further defined as that harm the defendant knew, or under the circumstances, reasonably should have known, was a potential result of the offense. Id. cmt. n. 3(A)(iv). Intended loss, by comparison, includes any ‘pecuniary harm that was intended to result from the offense,’ including harm that was ‘impossible or unlikely to occur.’ Id. cmt. n. 3(A)(ii). Ultimately, this Court needs to make a ‘reasonable estimate of the loss.’ Id. cmt. n. 3(C); U.S. v. Rice, 699 F.3d 1043 (U.S. Court of Appeals for the 8th Circuit 2012).

The government also has the burden to demonstrate the amount of loss for purposes of restitution by a preponderance of the evidence. 18 U.S. Code § 3664(e). Restitution is compensatory, not punitive, and in a fraud case, it is limited to the actual loss directly caused by the defendant's criminal conduct in the course of the scheme alleged in the indictment. U.S. v. Chaika, 695 F.3d 741 (U.S. Court of Appeals for the 8th Circuit 2012). The amount of restitution cannot exceed the actual, provable loss realized by the victims. U.S. v. Martinez, 690 F.3d 1083 (U.S. Court of Appeals for the 8th Circuit 2012). Restitution may only be awarded for the loss caused by the specific conduct that is the basis of the offense of the conviction. U.S. v. DeRosier, 501 F.3d 888 (U.S. Court of Appeals for the 8th Circuit 2007). And the causal connection between the defendant's acts and the victim's losses must not be unreasonably extended. U.S. v. Spencer, 700 F.3d 317 (U.S. Court of Appeals for the 8th Circuit 2012).

But for violations of the CFAA, the victim's ‘loss’ may include ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]’ 18 U.S. Code § 1030(e)(11).
U.S. v. Stratman, #2, supra. 
He then took up the issues in this case, explaining that the losses at issue involve the
costs of investigating [Stratman’s] intrusion into the victims' computer systems. There is . . . no evidence  the victims incurred meaningful costs repairing damage to their systems. Instead, the evidence relates to the substantial time and expense that the victims incurred investigating the breach after it was discovered, and in attempting to ascertain the scope of their exposure.

The bulk of the costs are in four categories: hours worked by University information technology (IT) department workers in response to the breach; similar hours worked by State Colleges IT workers; the cost of investigative services provided by Fishnet Services, Inc., a third-party IT consultant hired by the University; and the cost of investigative services provided by Kroll Advisory Solutions, a third-party consultant hired by the State Colleges' insurance company.
U.S. v. Stratman, #2, supra (emphasis in the original).
The judge also noted that the costs incurred 
must be reasonable. . . . The CFAA defines ‘loss’ in terms of ‘reasonable cost,’ and it cannot be said that unreasonable expenses are either caused by the offense of conviction for purposes of restitution . . . or reasonably foreseeable within the meaning of § 2B1.1. The Court agrees with [Stratman] that part of the government's burden of proving loss for purposes of sentencing and restitution is showing that the costs incurred by the victims were reasonably incurred.
U.S. v. Stratman, #2, supra (emphasis in the original).
The judge then began his analysis of the costs at issue in this case
with the easy part: [Stratman] has not objected to the University's Fishnet bills, with the exception of some reservations about whether some of those bills involved double counting. The Court has reviewed Fishnet's invoices (Exhibits 13 to 19) carefully and found that each line item was unique, and that the total matched that represented by the University in Exhibit 7. The Court therefore finds the Fishnet bills represent losses for purposes of sentencing and restitution, totaling $107,722.58.
U.S. v. Stratman, #2, supra. 
He then explained, however, that the
same cannot be said of the Kroll invoices. The government's witnesses -- primarily University employees -- were clear about why Fishnet was hired and what Fishnet's services eventually produced for the University. Kroll was initially retained to help the State Colleges, but soon they and their insurer agreed to share the Fishnet forensic analysis with the University. The lion's share of Kroll's billing -- over $308,000 . . . -- is attributed to notification services, i.e., informing people whose personal information might have been compromised. But the Court cannot determine why that was so expensive for the State Colleges, or how it was determined that approximately 185,000 people needed to be notified.

The government has provided affidavits from two Kroll employees, and one employee of the insurer that hired Kroll, which generally describe the contents of Kroll's invoices and conclude that the services and expenses were fair and reasonable.  But the Court does not find those conclusory opinions persuasive.

Kroll's forensic analysis (which was presumably cut short when Fishnet became the primary investigator) essentially concludes there was no evidence of exfiltration or access to personal information from the PeopleSoft database, but it was hard to be sure. See Exhibit 28. The only apparent source for the number of people to be notified, 185,000+, is also in Exhibit 28 -- an ‘audit’ that was conducted by Kroll ‘to re-mail any records that mailed in error.’ (Whatever that means.) The import of the audit, as the Court understands it after puzzling over it for a bit, seems to be that some of the 185,000+ client records were duplicated, and only 117,845 were actually unique.

So in Exhibit 31, Kroll's employee witness talks about Kroll's services including ‘the facilitation of mailing letters to each of approximately 185,000 potential victims of the breach,’ but the only substantiation in the record for that number is an audit that contradicts it. In sum, the Court is left with considerable uncertainty about how many people the State Colleges actually needed to notify, how many actually were notified, and how the costs for doing so were determined. Given that uncertainty, the Court finds that the reasonability of those expenses has not been proven.
U.S. v. Stratman, #2, supra. 
He had “similar questions” about the employee hours devoted to the
intrusion by employees of the University and the State Colleges. No doubt an appropriate response was necessary -- and in the immediate wake of the breach, ‘all hands on deck’ might well have been warranted. But at some point, after [Stratman] was locked out (and quickly indicted), the actual depth of the intrusion would have been clear, and an all-out effort would no longer have been necessary. . . .

The record . . . does not permit the Court to determine what the victims knew and when they knew it, nor does it permit the Court to compare the victims' knowledge with the intensity of their ongoing efforts related to the breach. The record also contains very little from which the Court could determine the victims' employees performed with reasonable efficiency and were compensated at a reasonable rate. The victims' calculations for costs attributed to employee hours consist of the time spent on tasks associated with the breach, multiplied by that employee's hourly wage.

But, for instance, if the Court was awarding attorney fees, the Court would have to ask what tasks were performed, whether the number of hours spent on each task was appropriate, and whether the attorney's billing rate for performing the task was fair and reasonable. The Court does not see why similar questions should not be asked under these circumstances -- and . . . cannot find the answer in the record.
U.S. v. Stratman, #2, supra. 
The judge also pointed out that it “is also not entirely clear” whether
all those hours are attributable to the defendant for purposes of sentencing and restitution. For instance, the University's former information security officer testified that some of that time was spent implementing recommendations from the Fishnet report, and ‘cleaning up some of the incidents.’ He did testify that all the activities reflected in the government's evidence were ‘related to’ [Stratman’s] intrusion. But that may or may not be the same as ‘caused by’ [his] intrusion.

A simple example will illustrate the point. A homeowner has a broken lock on her front door. A thief finds out and uses the vulnerability to enter the home and steal property. The losses from that crime include the value of the stolen property. They might even include investigating the crime. But they would not include repairing the lock, which was broken before the thief ever came along. The repair might be ‘related to’ the theft, because the theft called attention to the vulnerability. But the thief didn't break the lock, and wouldn't have to pay to fix it.
U.S. v. Stratman, #2, supra (emphasis in the original).
He went on to explain that, “[s]imilarly,” the victims in this case
no doubt learned, from [Stratman’s] intrusion, about vulnerabilities in their computer systems. But [he] is not responsible for creating those vulnerabilities, and isn't liable for the cost of fixing them—or, more to the point, those costs are not the result of the offense of conviction. It is hard for the Court to conclude, on the evidence presented, that over 3,600 hours of employee time was a foreseeable consequence of the crime.

And from the evidence presented, the Court cannot parse out how much time the victims' employees spent securing the system from [Stratman] specifically, and how much time they spent addressing the vulnerabilities he had called to their attention. The victims' exhibits reflect dozens of employees spending thousands of hours on tasks that are mostly unclear from the record. The only evidence to connect most of those hours to [Stratman] is that they were recorded with a project billing code that was created in response to the breach, and that the employees were verbally instructed to use for ‘anything related’ to [his] intrusion.

For instance, one of the government's primary witnesses -- the University's former information security officer -- was listed in the government's exhibits as having spent 351 hours on the project initiated by [Stratman’s] breach. But he was unable to say specifically how long he continued to log time on the project, other than that his ‘best guess’ was that he was working on the project through October.

And there is even less evidence with respect to other employees and how they were spending their time -- the summaries provided by the victims, and adduced by the government, simply total the hours worked by each employee between May 20, 2012, and June 4, 2013. The breach was detected by the University on May 23–24, 2012, and even if the Court was willing to presume the hours spent on the project in the immediate wake of the breach were sufficiently connected to [Stratman’s] crime . . ., there is no way for the Court to determine . . . how many hours were worked during that timeframe. That, the Court finds, is insufficient evidence to prove which hours represent losses that can be causally connected to [his] crime for purposes of sentencing and restitution. The Court has no basis to estimate, or even guess, at how many hours would be attributable to the defendant—any attempt to pick a number would be unsatisfactorily arbitrary.

Finally, there is some evidence of other expenses -- for example, the EnCase forensic analysis tool the University purchased to help investigate the breach. While the Court has no particular reason to doubt those expenses, there is also little to establish that they were reasonable or necessary. It is also unclear whether the victims' purchases are of ongoing utility to them, which would preclude characterizing the entirety of those costs as ‘losses’ for purposes of sentencing and restitution.
U.S. v. Stratman, #2, supra (emphasis in the original).
He concluded the opinion by summing up his findings and conclusions:
[T]he Court finds that except for the Fishnet invoices, the evidence is not sufficient to prove the victims' costs were ‘losses’ for purposes of sentencing and restitution. The Court also finds that inquiring further into restitution would . . . prolong the sentencing process to a degree that the need to provide restitution is outweighed by the burden on the sentencing process. See, 18 U.S.C. § 3663A(c)(3)(B); U.S. v. Martinez, supra. The Court therefore exercises its discretion pursuant to § 3663A(c)(3)(B) and declines to award further restitution.

The Court's experience with this case convinces it . . . that the issues presented by loss calculation have already complicated and prolonged the sentencing process. Were it not for the unavoidable need to make some reasonable approximation of the loss for purposes of the Sentencing Guidelines, the Court would not have ventured as far into the weeds as it already has.

But at this point, [Stratman’s] sentencing has been repeatedly continued at the request of the parties, the sentencing schedule has been repeatedly rescheduled at the request of the parties (and is about to be again on the Court's own motion), and the parties have been required to participate in a discovery process unusual for a criminal sentencing. The Court is convinced the record as it stands is as much as can be expected from a criminal case, and that the complex issues of fact discussed above are too complicated to warrant further delay. See U.S. v. Martinez, supra.  
U.S. v. Stratman, #2, supra.

The judge therefore held that “based on the evidence before the Court, the appropriate loss calculation figure, for purposes of sentencing and restitution, is $107,722.58.” U.S. v. Stratman, #2, supra.
