DOJ logo
OF 1995
                 AUGUST 27, 1996.--ORDERED TO BE PRINTED

    The Committee on the Judiciary, to which was referred the bill (S. 982) to amend the Computer Fraud and Abuse Act, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends that the bill, as amended, do pass.

I.       Purpose
II.      Legislative history
III.     Committee action
IV.     Section-by-section analysis
V.      Regulatory impact statement
VI.    Cost estimate
VII.   Changes in existing law

The amendment is as follows:

Strike all after the enacting clause and insert the following:


    This Act may be cited as the "National Information Infrastructure Protection Act of 1996''.

   Section 1030 of title 18, United States Code, is amended--

   (1) in subsection (a)--

        (A) in paragraph (1)--

        (B) in paragraph (2)--         (C) in paragraph (3)--         (D) in paragraph (4)--         (E) by striking paragraph (5) and inserting the following:         (F) by inserting after paragraph (6) the following new paragraph:     (2) in subsection (c)--

        (A) in paragraph (1), by striking "such subsection'' each place that term appears and inserting "this section'';
        (B) in paragraph (2)--

        (C) in paragraph (3)--         (D) by striking paragraph (4);

    (3) in subsection (d), by inserting "subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of'' before "this section.'';

    (4) in subsection (e)--

        (A) in paragraph (2)--

        (B) in paragraph (6), by striking ``and'' at the end;

        (C) in paragraph (7), by striking the period at the end and inserting"; and''; and
        (D) by adding at the end the following new paragraphs:


      The Leahy-Kyl-Grassley amendment to the National Information Infrastructure (NII) Protection Act, S. 982, would strengthen the Computer Fraud and Abuse Act, 18 U.S.C. 1030, by closing gaps in the law to protect better the confidentiality, integrity, and security of computer data and networks.


      The Computer Fraud and Abuse Act was originally enacted in 1984 to provide a clear statement of proscribed activity concerning computers to the law enforcement community, those who own and operate computers and those tempted to commit crimes by unauthorized access to computers. Rather than having to ``boot-strap'' enforcement efforts against computer crime by relying on statutory restrictions designed for other offenses, the Computer Fraud and Abuse statute, 18 U.S.C. 1030, set forth in a single statute computer-related offenses. This first Federal computer crime statute made it a felony to access classified information in a computer without authorization and a misdemeanor to access financial records or credit histories in financial institutions or to trespass into a Government computer.

      In succeeding years, the statute has been significantly amended only twice, in 1986 and 1994. In its current form, this statute generally prohibits the unauthorized use of computers to obtain classified or private financial record information, to trespass in Federal Government computers, to commit frauds, or to transmit harmful computer viruses. It also prohibits fraudulent trafficking in computer access passwords. Gaps in coverage remain under this statutory scheme. Specifically, the law provides criminal penalties for persons who, without or in excess of authorization, access any computer to obtain classified information or financial record information from a financial institution or consumer reporting agency, or who access a "Federal interest computer'' to further an intended fraud. A "Federal interest computer'' is defined to include Federal Government and financial institution computers and computers located in different States that are "used in committing the offense.''

      The privacy protection coverage of the statute has two significant gaps. First, omitted from the statute's coverage is information on any civilian or State and local government computers, since the prohibition on unauthorized computer access to obtain nonclassified information extends only to computers used by financial institutions or by the Federal Government when the perpetrator is an outsider. The second gap is the significant limitation on the privacy protection given to information held on Federal Government computers. Specifically, the prohibition only applies to outsiders who gain unauthorized access to Federal Government computers, and not to Government employees who abuse their computer access privileges to obtain Government information that may be sensitive and confidential.

      Likewise, omitted from the fraud protection coverage of the statute is protection for the loss of computer time resulting from computer trespasses. The 1986 amendments to the statute created the "computer use'' exception to section 1030(a)(4), even though this Committee "agree[d] that lost computer time resulting form repeated or sustained trespasses can reach a level of seriousness sufficient to warrant Federal prosecution.'' Senate Judiciary Committee report No. 99 432, 99th Cong., 2d sess., at p. 10 (1986). At the time of the 1986 amendments, such fraudulent computer usage was considered prosecutable under another section 1030(a)(5), when the lost computer time resulted from intentional damage to the computer.

      The current statute also penalizes any person who uses a computer in interstate commerce or communications to cause the transmission of a computer virus or other harmful computer program. Omitted from the coverage of this "computer damage'' provision are Government and financial institution computers not used in interstate communications, such as intrastate local area networks used by Government agencies that contain sensitive and confidential information. Also omitted are computers used in foreign communications or commerce, despite the fact that hackers are often foreign-based. For example, the 1994 intrusion into the Rome Laboratory at Grifess Air Force Base in New York, was perpetrated by a 16-year-old hacker in the United Kingdom. More recently, in March 1996, the Justice Department tracked down a young Argentinean man who had broken into Harvard University's computers from Buenos Aires and used those computers as a staging ground to hack into many other computer sites, including the Defense Department and NASA.

      On June 29, 1995, Senators Kyl, Leahy, and Grassley introduced the NII Protection Act, S. 982. At hearings in both the House of Representatives and the Senate, representatives from Federal law enforcement agencies expressed the need for, and their support of, this bill. Specifically, Attorney General Janet Reno discussed the provisions of S. 982 in her October 30, 1995, responses to written questions in connection with the June 27, 1995, Judiciary Committee oversight hearing of the Department of Justice; Federal Bureau of Investigation Director Louis Freeh testified about S. 982 during the February 28, 1996, joint hearing with the Select Committee on Intelligence and the Judiciary Committee on economic espionage; and U.S. Secret Service Deputy Assistant Director of Investigations Robert Rasor testified about S. 982 during the October 11, 1995, hearing of the House Committee on Banking and Financial Services Subcommittee on domestic and International Monetary Policy.

      As intended when the law was originally enacted, the Computer Fraud and Abuse statute facilitates addressing in a single statute the problem of computer crime, rather than identifying and amending every potentially applicable statute affected by advances in computer technology. As computers continue to proliferate in businesses and homes, and new forms of computer crimes emerge, Congress must remain vigilant to ensure that the Computer Fraud and Abuse statute is up-to-date and provides law enforcement with the necessary legal framework to fight computer crime. The NII Protection Act will likely not represent the last amendment to this statute, but is necessary and constructive legislation to deal with the current increase in computer crime.


      On June 13, 1996, the Committee on the Judiciary first considered the NII Protection Act, S. 982, as an amendment made by Senators Leahy, Kyl, and Grassley to H.R. 1533, a bill to amend title 18, United States Code, to increase the penalty for escaping from a Federal prison. At that time, with a quorum present, by voice vote, the Committee unanimously accepted the Leahy-Kyl-Grassley amendment to H.R. 1533, and unanimously ordered H.R. 1533, so amended, favorably reported.

      On August 1, 1996, the Committee on the Judiciary, with a quorum present, again accepted an amendment in the nature of a substitute to S. 982 offered by Senator Leahy, on behalf of himself and Senators Kyl and Grassley. The amendment included the provisions in the S. 982, as introduced, with one modification. As discussed in more detail below, the amendment inserted the word ``nonpublic'' before ``computer of a department or agency'' in section 2(1)(C)(I) of the bill. The Leahy-Kyl-Grassley amendment was accepted by voice vote, and the Committee, also by voice vote, then unanimously ordered S. 982, as amended, favorably reported.



      The bill amends five of the prohibited acts in, and adds a new prohibited act to, 18 U.S.C. 1030(a). Each of the amended provisions is discussed below.

           (1) Amendments and addition to prohibited acts

      The proposed subsection 1030(a)(2)(C) is intended to protect against the interstate or foreign theft of information by computer. This information, stored electronically, is intangible, and it has been held that the theft of such information cannot be charged under more traditional criminal statutes such as Interstate Transportation of Stolen Property, 18 U.S.C. 2314. See United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991). This subsection would ensure that the theft of intangible information by the unauthorized use of a computer is prohibited in the same way theft of physical items are protected. In instances where the information stolen is also copyrighted, the theft may implicate certain rights under the copyright laws. The crux of the offense under subsection 1030(a)(2)(C), however, is the abuse of a computer to obtain the information.

      The seriousness of a breach in confidentiality depends, in considerable part, on the value of the information taken, or on what is planned for the information after it is obtained. Thus, the statutory penalties are structured to provide that obtaining information of minimal value is only a misdemeanor, but obtaining valuable information, or misusing information in other more serious ways, is a felony.

      The sentencing scheme for section 1030(a)(2) is part of a broader effort to ensure that sentences for section 1030 violations adequately reflect the nature of the offense. Thus, under the bill, the harshest penalties are reserved for those who obtain classified information that could be used to injure the United States or assist a foreign state. Those who improperly use computers to obtain other types of information--such as financial records, nonclassified Government    information, and information of nominal value from private individuals or companies--face only misdemeanor penalties, unless the information is used for commercial advantage, private financial gain or to commit any criminal or tortious act.

      For example, individuals who intentionally break into, or abuse their authority to use, a computer and thereby obtain information of minimal value of $5,000 or less, would be subject to a misdemeanor penalty. The crime becomes a felony if the offense was committed for purposes of commercial advantage or private financial gain, for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State, or if the value of the information obtained exceeds $5,000.

      The terms "for purposes of commercial advantage or private financial gain'' and ``for the purpose of committing any criminal or tortious act'' are taken from the copyright statute (17 U.S.C. 506(a)) and the wiretap statute (18 U.S.C. 2511(1)(d)), respectively, and are intended to have the same meaning as in those statutes.

      Some conduct may violate more than one subsection of section 1030(a)(2). For example, a particular Government computer might be covered by both sections 1030(a)(2)(B) and (a)(2)(C). This overlap serves to eliminate legal issues that may arise if the provisions were mutually exclusive. Conceivably, in a given case, it may not be clear whether information taken from a Government contractor's computer constitutes "information from any department or agency of the United States'' under section 1030(a)(2)(B), but the offense might still be chargeable under section 1030(a)(2)(C) if the elements of that subsection are satisfied. Similarly, there may be some overlap between section 1030(a)(2) and 18 U.S.C. 641 (relating to the theft and conversion of public money, records or property), but the former does not preempt the latter.


      Pursuant to paragraph 11(b), rule XXVI of the Standing Rules of the Senate, the Committee, after due consideration, concludes that Senate bill 982 will not have direct regulatory impact.


       U.S. Congress,

       Congressional Budget Office,

       Washington, DC, August 6, 1996.

          Hon.  Orin G. Hatch,
          Chairman, Committee on the Judiciary,
          U.S. Senate, Washington, DC.

                                                                                                [By fiscal year, in millions of dollars]
Change in outlays
Change in receipts

      In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, the changes in existing law made by the bill, as reported by the committee, are shown as follows (existing law proposed to be omitted is enclosed in bold brackets, new matter is printed in italic, and existing law with no changes is printed in roman):


         * * * * * * *


         * * * * * * *


         * * * * * * *

1030. Fraud and related activity in connection with computers

   (a) Whoever--

Go to . . .CCIPS home page ||  Justice Department home page

Last updated 05/15/00