Abstract
Ransomware gangs drain billions from victims and put lives at risk by targeting hospitals and health care more than any other sector. Most of those groups operate from the countries of the former Soviet Union, well beyond the reach of U.S. law enforcement. However, the most significant ransomware attack on an American target was not against a hospital, but against the Colonial Pipeline, the gasoline pipeline supplying most of the U.S. East Coast in May 2021. A flurry of federal action followed the Colonial Pipeline incident, but oddly, Congress made no change to the single federal statute criminalizing computer fraud and abuse.
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, predates the modern internet and lacks effective means to punish conspiracies or coordinated ransomware attack groups. Even if a Colonial Pipeline attacker had been convicted under the CFAA, the maximum punishment likely would not have exceeded ten years. If charged under the CFAA, a cybercriminal causing global disruption faces no more time in prison than a felon caught with a single bullet. That disparity in the potential degree of harm versus punishment is worthy of reformulation.
This article examines the origin of the Computer Fraud and Abuse Act, born from a question President Ronald Reagan posed after watching the movie WarGames, through its general stagnation as the internet, computers, and online criminal activity exploded in scope. After looking at why section 1030 is difficult to apply in criminal prosecutions, this article then analyzes other statutes criminalizing online enterprises. These examples have the potential to inform policymaking decisions. The article surveys the current state of ransomware activity, including substitute charges used against actors, before concluding with a draft new subsection for the CFAA aimed at enterprise actors who continue to exact a toll on victims worldwide.