Malware

Fundamentals of Criminal Law by Adam J. McKee

Malware, short for malicious software, is a category of software specifically designed to disrupt, damage, or gain unauthorized access to computer systems or networks. Malware can take many forms, including viruses, worms, ransomware, spyware, and Trojan horses, all of which have the potential to cause significant harm to individuals, businesses, and governments. The distribution and use of malware are illegal under various state and federal laws, particularly when the intent is to steal data, disrupt services, or commit other forms of cybercrime.

Malware is frequently used to carry out a range of criminal activities, including data theft, financial fraud, and cyber espionage. As with other forms of cybercrime, malware offenses involve the two essential elements of criminal law: actus reus (the criminal act) and mens rea (the criminal intent). The actus reus in malware cases typically involves the creation, distribution, or use of malicious software, while the mens rea centers on the offender’s intent to cause harm, steal information, or otherwise engage in illegal activities.

Types of Malware

Malware comes in many different forms, each designed to exploit vulnerabilities in computer systems. Some of the most common types of malware include:

  • Viruses: Malware that attaches itself to a legitimate program or file and spreads to other programs or files when executed. Viruses often disrupt the normal functioning of the infected computer.
  • Worms: Self-replicating malware that spreads independently from computer to computer without needing a host program. Worms often exploit network vulnerabilities to proliferate.
  • Ransomware: Malware that encrypts a victim’s files, rendering them inaccessible until a ransom is paid. Ransomware attacks have become increasingly common and target individuals, businesses, and even government agencies.
  • Spyware: Malware that secretly gathers information from a computer system, often tracking a user’s keystrokes, passwords, or personal information.
  • Trojans: Malware disguised as legitimate software that, once installed, can provide unauthorized access to the victim’s system or deliver other types of malicious software.

Federal Statutes Governing Malware

Several federal laws are used to prosecute the creation, distribution, and use of malware. The most important is the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030), which criminalizes unauthorized access to computer systems and the intentional causing of damage to protected computers. Under the CFAA, it is illegal to intentionally transmit a program, code, or command that causes harm to a computer system, making it a powerful tool for prosecuting malware-related offenses.

The CFAA defines a “protected computer” as any computer used in or affecting interstate or foreign commerce, which effectively covers most computers connected to the internet. This broad definition allows the law to apply to a wide range of malware cases, including those involving personal computers, corporate networks, and government systems. Section 1030(a)(5) of the CFAA specifically addresses the transmission of malware, making it a crime to intentionally cause damage to a protected computer without authorization.

Another relevant federal law is the Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-2522), which prohibits the interception of electronic communications. Malware that spies on a user’s activities, such as keyloggers or spyware, can violate this statute if it captures personal communications without the user’s knowledge or consent.

Additionally, the Federal Trade Commission (FTC) has authority under the FTC Act to pursue civil penalties against companies or individuals that distribute malware or fail to protect consumers from malware attacks. The FTC often steps in when malware affects consumer privacy or involves deceptive practices, such as in cases where malware is bundled with legitimate software.

State Statutes on Malware

In addition to federal laws, many states have their own statutes criminalizing the creation and distribution of malware. For example, California’s Comprehensive Computer Data Access and Fraud Act (Penal Code Section 502) makes it illegal to knowingly introduce malware into computer systems. Similar statutes exist in other states, complementing federal law by allowing state authorities to prosecute malware-related offenses within their jurisdictions.

State statutes often target specific types of malware or particular behaviors, such as unauthorized access to computers, data breaches, or the use of ransomware. Some states have passed laws specifically addressing ransomware attacks, making it a crime to demand payment in exchange for decrypting a victim’s data.

Actus Reus and Mens Rea in Malware Cases

The actus reus in malware cases involves the development, distribution, or use of malicious software. This can include writing the malware, sending it via email or through a website, or using it to infiltrate a victim’s computer system. For example, sending a ransomware-infected email to a company’s employees, causing their systems to lock and demand a ransom, constitutes the actus reus of a malware offense. In many cases, the act of transmitting the malware alone is sufficient to establish the actus reus for prosecution.

The mens rea in malware cases is typically the intent to cause harm, steal information, or gain unauthorized access to a computer system. Prosecutors must demonstrate that the defendant acted knowingly and willfully in developing or distributing malware, with the goal of causing damage or achieving illegal objectives. In ransomware cases, for instance, the intent to extort money from the victim by threatening to withhold access to their files demonstrates clear mens rea.

In some cases, malware developers may argue that they did not intend for their software to cause harm, particularly if the malware was designed for educational purposes or to test system vulnerabilities. However, courts have generally held that the harmful effects of malware—such as data breaches, system disruptions, or financial losses—can be sufficient to demonstrate mens rea if the developer or distributor knew that such harm was likely to occur.

Case Example: United States v. Morris (1991)

One of the earliest and most significant malware cases prosecuted under the CFAA was United States v. Morris (1991), which involved the creation and release of one of the first internet worms. Robert T. Morris, a graduate student at Cornell University, created a self-replicating worm that exploited security vulnerabilities in Unix-based systems. Although Morris claimed that the worm was intended to test the limits of computer networks, it quickly spread to thousands of systems, causing widespread disruption.

Morris was charged under the CFAA for knowingly transmitting a program that caused unauthorized damage to computer systems. The court found that Morris had acted with the requisite mens rea because he knew that his worm could cause harm, even if he did not intend for it to spread as widely as it did. This case set a precedent for prosecuting malware offenses under the CFAA, demonstrating that even experimental or “benign” malware can lead to criminal liability if it results in unintended damage.

Ransomware Attacks and Prosecution

Ransomware has become one of the most prevalent forms of malware in recent years, targeting businesses, hospitals, schools, and government agencies. In a ransomware attack, the malware encrypts the victim’s files, rendering them inaccessible until a ransom is paid (usually in cryptocurrency). Ransomware attacks can cripple critical infrastructure and cause significant financial losses for victims.

A prominent example of a ransomware attack is the Colonial Pipeline Ransomware Attack (2021). In this case, a group of cybercriminals used ransomware to shut down Colonial Pipeline, a major fuel pipeline operator in the United States, causing widespread fuel shortages along the East Coast. The attackers demanded a ransom in Bitcoin in exchange for decrypting the pipeline’s systems. Colonial Pipeline ultimately paid the ransom, though law enforcement was later able to recover part of the payment.

The actus reus in ransomware cases involves the transmission of the malware and the encryption of the victim’s files, while the mens rea is the intent to extort money by holding the victim’s data hostage. Prosecutors in ransomware cases typically use the CFAA to charge offenders with causing damage to a protected computer system, and bring extortion charges under other federal laws. In the Colonial Pipeline case, the FBI led the investigation, and the perpetrators were charged under various federal statutes related to cybercrime and extortion.

Spyware and Privacy Violations

Spyware is another common type of malware that invades a user’s privacy by secretly monitoring their activities or collecting personal information. Spyware can track a victim’s keystrokes, record passwords, capture screenshots, or even activate a device’s camera or microphone without the user’s consent.

Federal laws like the Electronic Communications Privacy Act (ECPA) are often used to prosecute individuals who deploy spyware to intercept private communications. For instance, if spyware is used to capture a victim’s emails, text messages, or internet browsing history, the offender may face charges under the ECPA for illegally intercepting electronic communications. The actus reus in spyware cases is the act of installing and using the spyware to collect information, while the mens rea is the intent to monitor or steal personal data without the victim’s consent.

Challenges in Prosecuting Malware Cases

Prosecuting malware cases can be challenging due to the international nature of many cybercrimes. Malware attacks are often carried out by individuals or groups located in different countries, making it difficult for law enforcement to track down offenders or bring them to justice. Jurisdictional issues can also complicate matters, as different countries may have varying laws regarding cybercrime.

Additionally, malware developers often use sophisticated techniques to conceal their identities, such as using encryption, anonymous communication networks, or cryptocurrencies. This makes it harder for law enforcement to identify the individuals responsible for developing or distributing the malware.

Despite these challenges, international cooperation between law enforcement agencies has improved in recent years, with organizations like Europol and Interpol working together to investigate and dismantle cybercrime networks. The Council of Europe’s Convention on Cybercrime (also known as the Budapest Convention) has also played a key role in fostering international cooperation on cybercrime investigations.

Conclusion

Malware is a serious and evolving threat in the digital world, used to steal data, disrupt services, and extort victims. Federal laws like the Computer Fraud and Abuse Act (CFAA) and the Electronic Communications Privacy Act (ECPA) provide strong legal frameworks for prosecuting malware-related offenses, while state statutes complement these laws by addressing specific types of malware and behavior. Proving actus reus—the act of transmitting or using malware—and mens rea—the intent to cause harm or steal information—is central to successfully prosecuting malware cases. As malware continues to evolve, law enforcement and the legal system must remain vigilant in addressing these threats and holding offenders accountable.



Modification History

File Created:  07/17/2018

Last Modified:  08/04/2018



This work is licensed under an Open Educational Resource-Quality Master Source (OER-QMS) License.
