Criminal Elements and Definitions for ‘exceed authorized access’ CFAA 18 USC 1030(a)(1)

Criminal Elements and Definitions for ‘exceed authorized access’ CFAA 18 USC 1030(a)(1) | US v Pfc. Manning

posted July 2, 2013

The Uniform Code of Military Justice (U.C.M.J.) is the law applicable to all military members and is passed by Congress. Article 134 is reserved for crimes that do not exist under the regular punitive Articles of the U.C.M.J. and which involve “disorders and neglects to the prejudice of good order and discipline in the armed forces”; or “conduct of a nature to bring discredit upon the armed forces”; and/or finally, include violations of federal law, which in the Manning case are two alleged violations of 18 U.S.C. 1030(a)(1) a part of the Computer Fraud and Abuse Act for “exceeding authorized access”.

Manning pled to the lesser included offense (L.I.O.) with substituted dates for the two violations of 18 U.S.C. 1030(a)(1). Manning’s plea to the L.I.O. strips out the espionage act language from the Computer Fraud and Abuse Act offense and substitutes “exceeded authorized access” with “knowingly accessed”.

On May 21, 2013, the U.S. Government informed the Court that it would accept Manning’s plea to the L.I.O for Specification 14 of Charge II and would not move forward at trial on the greater offense concerning a classified Department of State cable entitled Reykjavik 13. Military prosecutor are moving forward at trial for the greater offense of Specification 13 concerning more that 75 [to be exact 116] classified U.S. Department of State cables.

A 18 U.S.C. 1030(a)(1) offense carries a maximum punishment of 10 years. Each L.I.O. carrys a maximum punishment of 2 years.

For information on the U.S. Government’s charge dates versus Manning’s plea dates, go here.

Elements

In order to find Manning guilty of a 1030(a)(1) offense for the 116 U.S. Department of Satte cables the presiding military judge (Manning elected to be tried by military judge alone) must be convinced by legal and competent evidence beyond a reasonable doubt:

Element (1) That at or near Contingency Operating Station Hammer, Iraq: Specification 13, between on or about 28 March 2010 and on or about 27 May 2010…the accused knowingly accessed a computer exceeding authorized access on a Secret Internet Protocol Router Network.

Element (2) That the accused obtained information that has been determined by the United States government by Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations to wit: Specification 13, more than 75 classified United States Department of State cables.

Element (3) The accused had reason to believe the information obtained could be used to the injury of the United States or the advantage of any foreign nation; and,

Element (4) That the accused communicated, delivered, transmitted, or caused to be communicated, delivered, or transmitted the information to a person not authorized to receive it.

Element (5) That the accused acted willfully; and,

Element (6) That under the circumstances the conduct of the accused was to the prejudice of good order and discipline in the armed forces or was of a nature to bring discredit upon the armed forces.

Definitions

The military judge outlined the definitions she will use for the 1030(a)(1) offense as follows:

Willfully

An act is done willfully if it is done voluntarily and intentionally with specific intent to do something the law forbids– that is with a bad purpose to disobey or disregard the law.

Knowingly

An act is done knowingly if it is done voluntarily and intentionally and not because of a mistake or accident or other innocent reason.

Computer

The term computer means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical or arithmetic or storage function and includes any data storage facility or communications facility directly related to or operating in conjunction with such device. But such term does not include an automated typewriter or typesetter or any portable handheld calculator or other similar device.

Exceeds Authorized Access (Narrow Interpretation)

The term exceeds authorized access means that the accused accessed a computer with authorization and used such access to obtain or alter information in the computer that the accused is not entitled to so obtain or alter. It is the knowing use of the computer by exceeding authorized access which is being proscribed not the unauthorized possession of, access to, or control over the protected information itself.

The military judge had ruled in June 2012 that the Court would “adopt a narrow meaning of ‘exceeds authorized access’ under the Computer Fraud and Abuse Act and will instruct the fact finder [since Manning opted for trial by military judge alone, meaning herself] that the term ‘exceeds authorized access’ is limited to violations of restrictions on access to information and not restrictions on its use.” This means is that the U.S. Government has to prove a ~~technical~~ breach occurred to obtain the information– more on that later.

Reason to Believe

Reason to believe means the accused knew facts from which he concluded or reasonably should have concluded that the information could be used for the prohibitive purposes. In considering whether the accused had reason to believe that the information could be used to the injury of the United States or the advantage of any foreign country, [the military judge] may consider the nature of the information involved. [The military judge] need not determine that the accused had reason to believe that the information would be used against the United States only that it could be used. Additionally, the likelihood of the information being used to the injury of the United States of the advantage of any foreign nation must not be to remote, hypothetical, speculative, far fetched or fanciful.

To the Injury of the United States or the Advantage of Any Foreign Nation

The government is not required to prove that the information obtained by the accused was in fact used to the injury of the United States or the advantage of any foreign nation. The government does not have to prove that the accused had reason to believe his act could both injure the United States and be to the advantage of any foreign nation. Also, the country whose advantage the information could be use, need not necessarily be an enemy of the United States. The statute does not distinguish between friend and enemy.

Whether the Person Who Received the Information is Entitled to Receive

In determining whether the person who had received the information was entitled to receive it, [the military judge] may consider all the evidence introduced at trial including any evidence concerning the classification status of the information; and evidence relating to law and regulations governing the classification and declassification of the national security information; its handling, use, and distribution as well as any evidence related to the regulations governing the handling, use, and distribution obtained from classification systems.

Person

The term person means any individual, firm, corporation, education institution, financial institution, government entity, or legal or other entity.

Manning’s L.I.O. Pleas

Manning pled to the lesser included offense substituted dates for two violations of 18 U.S.C. 1030(a)(1) for ‘knowingly accessing’ (not ‘exceeding authorized access’) both a U.S. State Department cable, 10 Reykjavik 13, and more than 75 U.S. State Department Cables.

Military prosecutors announced on May 21 that they would accept Manning’s plea for ‘knowingly accessing’ a U.S. State Department cable, 10 Reykjavik 13, but would move forward with the U.S. Government’s case for the greater offense of “exceeding authorized access” for more than 75 U.S. State Department Cables.

Manning’s guilty plea to L.I.O. with substituted admits the following elements for the 1030(a)(1) offense for more than 75 U.S. State Department cables:

Element (1). That the accused knowingly accessed a Secret Internet Protocol Router Network computer. The government still has to prove that the accused exceeded authorized access. So element one is kind of bifurcated. The accused admit part of it and the government still has to prove part of it.

Element (2) That the accused obtained information that has been determined by the United States government by Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations to wit: more than seventy five classified United States Department of State cables for Specification 13.

Element (5) That the accused willfully communicated the above material to a person not entitled to receive it.

Element (6) that under the circumstances of the accused conduct was to the prejudice of good order and discipline in the armed forces or of a nature to bring discredit upon the armed forces.

Remaining Elements

There remain two elements and an additional element in part that military prosecutors would have to prove beyond a reasonable doubt to find Manning guilty of the greater offense, in violation of 18 United States Code Section 1030(a)(1), for more than 75 U.S. State Department cables. Those elements are:

Partial of Element (1) The government would have to prove that the accused knowingly exceeded authorized access. More on that later.

Element (3) That the accused had reason to believe the information obtained could be used to the injury of the United States or the advantage of any foreign nation; and,

Element (6) at the time 18 United States Code Section 1030(a)(1) was in existence on the dates alleged in specification. Once the Court takes judicial notice that the statute 18 U.S.C. 1030(a)(1) was in effect at the time of the charged offenses, the government doesn’t have to present any further proof to establish its existence.

That leaves partial element of (1) and element (3) for Specification 13 of Charge II for the more than 75 U.S. Department of State Cables.

Overview

Diplomatic Security Service (DSS) at the Department of State was responsible for handling forensic analysis of the hard drives that arrived from Iraq on June 10, 2010.

Despite Army Criminal Investigative Command’s (CID) September 2010 preservation request for other hard drives from the T-SCIF at F.O.B. Hammer, Iraq, and the defense’s own preservation request for the same in September 2011, the Government notified the Court and defense that of the 181 drives identified belonging to the 2nd Brigade Combat Team, 10th Mountain Division, only the computers with a user profile for Manning were preserved. The other computers, the Government told the Court, the unit was free to discard and ‘DX’ post deployment in September 2010.

The Government was able to identify by serial number only 14 other computers from the T-SCIF post deployment. Of those 14 drives, two drives were completely inoperable, seven drives were wiped, and one drive was partially wiped.

The other hard drives are relevant to Manning’s defense against the greater offense of ‘exceeding authorized access’, to obtain more than 75 U.S. State Department cables under 18 U.S.C. 1030(a)(1) and two additional Specifications under Article 92 for ‘adding unauthorized software’– namely a free software program called Wget that retrieves content from Web servers and which Manning admittedly used to download the U.S. Department of State cables as well as the charged Guantanamo detainee assessments.

According to the Court’s narrow interpretation of the Computer Fraud and Abuse Act, military prosecutors must prove that Manning “without authorization or exceeding authorized access” the 75 U.S. Department of State Cables, in other words, military prosecutors must prove a ‘breach’.

The U.S.G.’s theory of the 1030(a)(1) offense for more than 75 Department of State cables is based on:

an Acceptable Use Policy (A.U.P.)–which they cannot produce;
seven signed Non Disclosure Agreements;
the Terms of Service for Manning’s two SIRPnet user accounts
and that Manning placed Wget ontwo separate SIPRnet systems.

In the the prosecution’s opening statement, Captain Joe Morrow, said: “These were massive– massive downloads aided by PFC Manning’s mastery of an unauthorized software program called Wget– packaged and out the door to WikiLeaks in less than a few hours in some cases.” Morrow also said that the “evidence will show that WGet and programs like it were prohibited by the acceptable use policy signed by every service member who has access to a government information system.”

Yet, Captain Thomas Cherepko, Assistant S6 and the Information Assurance Security Officer for the 2nd BCT, 10 MTN at F.O.B. Hammer, Iraq– who himself received a counseling letter from General Robert Caslen for his own failure to ensure brigade T-SCIF was properly certified– testified that the basis for the prohibition on Wget was an A.U.P. that Manning allegedly signed, but that he could not find.

Captain Hunter Whyte (Prosecution): And what documents do soldiers sign that prohibits them from using unauthorized executable files?

Captain Thomas Cherepko: An acceptable use policy.

When law enforcement asked for the A.U.P. in the early days of the investigation at F.O.B. Hammer, Iraq, Cherepko could not find Manning’s or even his own. Further, not only are military prosecutors unable to produce Manning’s signed A.U.P., they aren’t able to produced a single signed A.U.P. of any member of the 2nd BCT, 10 MTN at F.O.B. Hammer, because the A.U.P.’s were destroyed post-deployment.

The A.U.P.’s are the basis of 14 maximum years confinement for for three charges. Said Coombs, “If the government is going to premise criminal liability based upon an A.U.P., they ought to be able to produce the AUP. I understand maybe they can’t produce PFC Manning’s. But we’re talking about a whole bridged. Surely at least one AUP can be found from the brigade.”

Coombs asked Cherepko:

Coombs: So if the AUP wasn’t secured at that point, that was, that was because no one I guess asked for it?

Cherepko: Or it didn’t exist, yes, sir.

Coombs: But somebody did come around looking for it [Coombs means law enforcement in May 2010 referring to the early investigation at FOB Hammer, Iraq] from you, correct?

Cherepko: Yes, sir.

Coombs: And they asked if you could produce it?

Cherepko: Yes, sir.

Coombs: And you said I can’t find PFC Manning’s?

Cherepko: Correct.

Without the other hard drives, it is impossible to have forensic evidence to prove that other soldiers in the 2nd BCT added similar executable programs onto their computers’ desktops. Trial witness testimony, however, has elicited evidence that other soldiers were known to install executable programs onto their desktops. At the pre-trial evidence was elicited that soldiers played music and even played pirated movies on their classified machines, which they had purchased from Iraqi nationals.

According to the trial testimony of the lead Computer Crimes Investigative Unit (C.C.I.U.) forensic examiner, Special Agent David Shaver, Wget was not standard on U.S. Army Windows computers and not found on the “certificate of networthiness, also called a CON”. According to defense pretrial filings, while Wget “was not officially authorized for the individual user, it was authorized for use on the Army Server components of the system.” In her written testimony, the configuration management lead for the DCGS-Army computer program, Florinda White, stated “Wget has never been reviewed by [DCGS-A] program and [she] cannot say whether it would be approved for use or not.”

Since Wget did not require administrative privileges to install, defense argues it was analogous to other executable program– including mIRC, music, and videos likewise not included in the Army Gold Master Collection of programs, but used by military personelle nonetheless. Defense has also tried to establish through USG witnesses that Manning was tasked to work on computers and had installed mIRC chat on co-workers machines.

Shaver also testified that Wget was not a program synonymous with hacking:

Captain Tooman: You would agree with me that WGet is a program that’s used to download web pages?

Special Agent Shaver: Yes, sir.

Tooman: Archive pages?

Shaver: Sure.

Tooman: Download things?

Shaver: Sure.

Tooman: You wouldn’t say that this is a program that’s synonymous with hacking, would you?

Shaver: Correct. it’s just a tool.

Tooman: just a normal program that’s used every day by a lot of different people?

Shaver: Yes, sir.

Military prosecutors have buttressed their argument regarding Wget saying that Manning used automation to harvested information for WikiLeaks. Defense has countered the U.S.G.’s automation argument by eliciting testimony from USG witnesses like the second highest ranked intelligence officer in the 2nd BCT, 10 MTN at F.O.B. Hammer, Captain Casey Fulton, that excel had automated processes for populating excel spreadsheets and that Manning was tasked to populate excel sheets with SigActs.

Defense has also tried to establish that Manning ‘had access’ and that there was no prohibition to surfing SIPRnet:

Coombs: Would you discourage an all source analyst from basically from surfing the SIPRnet on their free time and seeing what’s there as learning information?

Captain Casey Fulton: No, as long as it was in the realm of professional development.

Coombs:

Why would you not discourage an analyst from just surfing the SIPrnet?

Fulton: Because intelligence, you know, and the threat groups are global. So although we have a mission basic enemy that we should focus on, for professional development purposes they could learn about other enemy threat groups.

At the pre-trial Captain Steven Lim, the Brigade S2, gave the analyst a link to Net Centric Diplomacy database via email with no password required in January 2010. Captain Lim testified at the pretrial, “I gave [the intelligence analysts a] link through email. Got from headquarters. They [headquarters] said pass along. Felt at time we were so focused on the ground, and needed bigger picture.”

Next week, defense is expected to file Rules for Court Martial 917 motions to dismiss offenses for lack of evidence. Defense had previously sought to dismiss the 1030(a)(1) offenses during the pre-trial. The crux of the defense argument was that Manning alleged behavior is not offenses under 18 USC 1030(a)(1). The defense has previously argued that the U.S.G. should charge Manning with misappropriation, and not use “turns of phrase” – like “bypass” or “hack” – to mold their theory into 18 USC 1030(a)(1) offene, which they sai is an anti-hacking statute. In other words, Manning, defense has argued, did not ‘hack’ anything. The Judge ruled then on a narrow interpretation.