Published by The Lawfare Institute
The New York Post recently reported on a hacker who claimed to have gained access to CIA Director John Brennan’s personal email account. The hacker then bragged to Wired magazine about how he did it. According to his account, he first did a reverse lookup of Brennan’s mobile phone number (he does not say how he obtained this) and determined that it was a Verizon number. Then, posing as a Verizon employee and using a fabricated employee code, he obtained details on Brennan’s account from Verizon. After learning Brennan’s AOL email account, the hacker used the personal information obtained from Verizon to dupe AOL (which is now owned by Verizon) into granting him access.
While there may be keen embarrassment in having it revealed that in 2015, one is still using an AOL account, at least for now, there do not appear to be any Clinton-type issues about Brennan’s using private email for government business. Nor do any of the emails appear to contain classified information. The sensitive information disclosed to date all seems to be derived from Brennan’s security clearance application. There does not appear to be anything unusual or improper about sending that from a private email account.
There are a number of potential legal issues about this hacking attack, but we will briefly raise three: (1) criminal liability for the hacker; (2) civil liability for Verizon or AOL; and (3) the need for greater protection for federal officials.
What Potential Crimes Might the Alleged Hacker Have Committed?
If the hacker’s claims are true, he has likely violated a number of criminal laws. In a similar fact pattern, David Kernell was charged with wire fraud, computer fraud, identity theft, and obstruction of justice (for attempting to destroy evidence of the hack) after hacking Sarah Palin’s email account. A jury convicted him on the lesser-included computer fraud charge and obstruction charge, acquitted him of wire fraud, and hung on the identity theft charge. He was sentenced to one year and one day imprisonment.
Here the government may similarly have a difficult time proving wire fraud under 18 U.S.C. §1343. There is no indication that the Brennan hacker was attempting to defraud or obtain money or property.
On the computer fraud charge, however, the Brennan hacker may be in bigger trouble than the Palin hacker. Kernell was convicted under 18 U.S.C. §1030(a)(2)(C), which prohibits accessing and obtaining information from a protected computer without authorization. This is a misdemeanor. But there are several other provisions of §1030, which carry much stiffer penalties, that could apply here.
Depending on what information was obtained from Brennan’s account, the U.S. government (USG) could seek an indictment under §1030(a)(1), which carries a maximum penalty of ten years. Prosecutors would have to show, among other things, that (1) the information required protection under executive order or statute for national defense or foreign relations; (2) there was reason to believe the information could injure the United States; and (3) the suspect willfully communicated that information to a person not entitled to receive it, or retained the information and failed to deliver it to the U.S. officer entitled to receive it.
Based on the information publicly available right now, it is impossible to say whether this statute would apply. The government would first have to determine that whatever was obtained was national security information.
On the “injury to the United States” prong, the Brennan hack was aimed at the director of the CIA and was allegedly done to injure him in order to impact or protest against U.S. Middle East policies. It seems likely that this could satisfy the “injury” element. The final element here probably requires the hacker to publish or transmit the information to someone else, since simply “withholding” it from Brennan would not itself injure the United States. He seems to have already done this by sending the material to Wikileaks.
The government would most likely seek an indictment under §1030(a)(5)(B), which carries a punishment of up to five years. The statute makes it a crime to “intentionally [access] a protected computer without authorization and, as a result of such conduct, recklessly causes damage.” The term “damage” is defined broadly to include “any impairment of the integrity or availability of data.” As a technical term of art, the integrity of information probably refers to actually changing the data itself, which does not appear to have been done. However, the hacker himself noted that he had locked Brennan out of his account several times. There is a good case that this is an impairment of the availability of data.
Finally, prosecutors could also try to charge the hacker under §1030(a)(7), which prohibits a person, with intent to extort, from transmitting in interstate or foreign commerce any communication “containing any threat…to impair the confidentiality of information obtained from a protected computer without authorization.” The hacker certainly threatened to impair the confidentiality of information from a protected computer. But it is unclear whether he was trying to extort from Brennan anything of value. Based on what we know, it is unlikely there was actual intent to obtain $2 trillion (the hacker said this was a joke), so the question is whether a change in U.S. foreign policy counts as a “thing of value.” If convicted under this provision, the hacker could face imprisonment of up to five years.
If he is found to have violated any of these laws, the hacker may also be liable for identity fraud under 18 U.S.C. §1028(a)(7), which prohibits the unlawful use of a means of identification with intent to commit any violation of federal law. The hacker may have violated this at least twice: first when he used a fake Verizon employee number and then when he used Brennan’s personal information to reset his AOL account. Each offense under §1028(a)(7) can carry a five-year prison sentence.
Section 111 of Title 18 might also be floated by the USG as an option, but this would be a difficult conviction. That statute states:
Whoever…forcibly assaults, resists, opposes, impedes, intimidates, or interferes with [a federal official] … while engaged in or on account of the performance of official duties … shall, where the acts in violation of this section constitute only simple assault, be fined under this title or imprisoned not more than one year, or both, and where such acts involve physical contact with the victim of that assault or the intent to commit another felony, be fined under this title or imprisoned not more than 8 years, or both.
The courts have generally held that to be guilty under this statute, a person must “forcibly” assault, impede, interfere, etc., with a government official on account of her public duties. Several circuit courts as well as DOJ have interpreted this to require actual, or threat of actual, bodily harm. Most likely, the digital intimidation or interference here would not qualify.
Could Brennan Hold Verizon or AOL Liable for Failing to Safeguard his Information?
When individuals’ sensitive information is revealed, there may be state tort liability for the provider, though success in such cases is rare. In order to have standing, a plaintiff will usually need to show actual harm, not merely a potential harm. And even if a plaintiff can get into court, she would still need to show that the provider was negligent in giving over the information, or that its security procedures fell below industry standards. So whether Brennan could sue Verizon or AOL would depend on the facts regarding how they were duped by the hacker and what security protocols they put into place.
Are Greater Federal Protections Needed?
There are a number of federal statutes already protecting federal officials and their families from attack. In addition to Section 111 of Title 18, discussed above, Section 115(a)(1) of Title 18 makes it a Federal crime to assault, kidnap, or murder a family member of certain Federal officials. It also covers attempts to kidnap or murder and threats to assault, kidnap or murder such family members. Such violent acts must be done “with the intent to impede, intimidate, or interfere with” such Federal official “while engaged in the performance of official duties, or with intent to retaliate against” such Federal official. The statute comes with strong penalties (providing for prison terms of 1-30 years, depending on the nature of the offense).
Perhaps this incident will spur a conversation about whether this statute and/or Section 111 should be updated and extended to include attacks on an official’s property, data or privacy. The imperative for doing so seems particularly strong in regard to those officials (high ranking and otherwise) in the national defense, diplomatic and intelligence spheres.