Cyber Security

18 U. S. C. § 1030 and the Applicable Guidelines

Note: This information about 18 U. S. C. § 1030 and the Applicable Guidelines is based on an United States Sentencing Commission report to the Congress on penalties for cyber security offenses. Section 1030 of title 18, United States Code, proscribes a wide range of criminal conduct involving computers. There are nine different offenses codified in section 1030, and they have statutory maximum penalties ranging from one year to life imprisonment. Section 1030(a) violations are referred to four sentencing guidelines: §2B1. 1 (Larceny, Embezzlement, and Other Forms of Theft; Offenses Involving Stolen Property; Property Damage or Destruction; Fraud and Deceit; Forgery; Offenses Involving Altered or Counterfeit Instruments Other than Counterfeit Bearer Obligations of the United States); §2B2. 3 (Trespass); §2B3. 2 (Extortion by Force or Threat of Injury or Serious Damage) and §2M3. 2 (Gathering National Defense Information). Convictions under sections 1030(a)(2) (unauthorized access to a computer to obtain information from a financial institution, the United States government or a protected computer); 1030(a)(4) (unauthorized access to a protected computer in furtherance of fraud); 1030(a)(5) (transmission of a program or code or unauthorized access resulting in damage); and 1030(a)(6) (trafficking in computer passwords) are all referenced to §2B1. 1. Convictions under section 1030(a)(1) (accessing and disseminating national defense or restricted information with reason to believe it could be used to the injury of the United States) are referred to §2M3. 2; convictions under section 1030(a)(3) (misdemeanor trespass on a government computer) are referenced to §2B2. 3; and convictions of section 1030(a)(7) (extortionate demand to damage protected computer) are referenced to §2B3. 2. Finally, convictions under 18 U. S. C. § 1030(b) (attempts to commit violations of section 1030(a)) are referenced to §2X1. 1 (Attempt, Solicitation, or Conspiracy).

Commercial Advantage and Private Financial Benefit of Cyber Security

Note: This information about Commercial Advantage and Private Financial Benefit is based on an United States Sentencing Commission report to the Congress on penalties for cyber security offenses. In this case, the content of this section deals with the implementation of the Homeland Security Act Directive in relation to Commercial Advantage and Private Financial Benefit. This factor is related to statutory sentencing enhancements for offenses under 18 U. S. C. § 1030(a)(2), which prohibits the unauthorized access to a computer to obtain information from a financial institution, the government, or a “protected computer,” and 18 U. S. C. § 2701, which prohibits the unauthorized access to stored electronic communications. Both of these offenses are referenced to §2B1. 1. Violations of both statutes are misdemeanors (other than subsequent offenses) unless committed with one of the statutory aggravating purposes. Among the aggravated purposes for § 1030(a)(2) violations are commercial advantage and private financial gain. See 18 U. S. C. § 1030(c)(2)(B)(i). Among the aggravated purposes for violations of section 2701 are commercial advantage and private commercial gain. See 18 U. S. C. § 2701(b)(1). Commercial advantage and private financial benefit are typical motivations in offenses sentenced under §2B1. 1, the principal economic crime guideline, and the structure of the guideline takes this into account. An offender's intended or realized financial gain or commercial advantage typically will be addressed by proportional enhancements in the loss table. See §2B1. 1(b)(1). The United States Sentencing Commission's data showed that of the 104 18 U. S. C. § 1030 cases sentenced under §2B1. 1 (or a guideline consolidated with §2B1. 1) in fiscal years 2001 and 2002, financial gain and/or commercial advantage was a motivation in 49 percent (51), and 78. 4 percent (40) of those received an enhancement for loss. The eleven remaining cases either did not result in loss or involved minimal loss amounts insufficient to trigger an enhancement.