Cybercrime and Computer Fraud Under U.S. Federal Law
Federal cybercrime statutes criminalize a broad range of conduct involving computers, networks, and electronic data — from unauthorized system access to coordinated ransomware campaigns targeting critical infrastructure. The primary statutory framework is the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, supplemented by identity theft, wire fraud, and electronic surveillance statutes. Understanding how these laws define prohibited conduct, allocate jurisdictional authority, and interact with federal criminal procedure is essential for anyone analyzing criminal exposure in digital environments.
Definition and Scope
Cybercrime under U.S. federal law is not a single offense but a category of conduct defined by the involvement of a "protected computer" — a term given statutory meaning by the CFAA. Under 18 U.S.C. § 1030(e)(2), a protected computer includes any computer used in or affecting interstate or foreign commerce, which in practice encompasses virtually any internet-connected device in the United States.
The CFAA, enacted in 1986 and amended substantively in 1994, 1996, 2001, and 2008, establishes 7 distinct offense categories under § 1030(a), ranging from unauthorized access to classified government information to trafficking in computer passwords. These categories carry penalties ranging from misdemeanor-level fines to imprisonment of up to 20 years for aggravated offenses involving critical infrastructure or prior convictions (18 U.S.C. § 1030(c)).
Beyond the CFAA, federal cybercrime prosecution draws on:
- Wire Fraud Act (18 U.S.C. § 1343) — criminalizes schemes to defraud using electronic communications, with penalties up to 20 years imprisonment
- Identity Theft Enforcement and Restitution Act (18 U.S.C. § 1028) — covers fraud related to identity documents and authentication features
- Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510–2523) — governs interception of electronic communications
- Stored Communications Act (SCA) (18 U.S.C. §§ 2701–2713) — prohibits unauthorized access to stored electronic data
The Department of Justice's Computer Crime and Intellectual Property Section (CCIPS) is the primary federal unit responsible for developing cybercrime policy and supporting prosecution across U.S. Attorneys' offices.
How It Works
Federal cybercrime cases proceed through the same elements-of-a-crime framework applied to all federal offenses: the government must prove actus reus (the prohibited act), mens rea (the required mental state), and, for CFAA offenses, specific harm thresholds that trigger felony-level liability.
The CFAA's § 1030(a) structure creates a tiered framework:
- Unauthorized access to classified data (§ 1030(a)(1)) — requires proof that the defendant knowingly accessed a computer without authorization and obtained classified national security information with intent to injure the United States
- Unauthorized access to financial records or government computers (§ 1030(a)(2)) — requires intentional unauthorized access that obtains information from a financial institution, U.S. government computer, or any protected computer in interstate commerce
- Unauthorized access with intent to defraud (§ 1030(a)(4)) — requires proof of specific fraudulent intent and obtaining something of value exceeding $5,000 in a one-year period
- Damage to a protected computer (§ 1030(a)(5)) — divided into three subsections addressing knowing transmission of code causing damage, intentional unauthorized access causing damage, and reckless transmission causing damage
- Trafficking in passwords (§ 1030(a)(6)) — requires knowing trafficking with intent to defraud
- Extortion via computer threat (§ 1030(a)(7)) — covers threats to damage a computer or release confidential information in exchange for payment
The mens rea requirement — whether a defendant acted "knowingly," "intentionally," or "recklessly" — is frequently contested and determines both offense level and available criminal defenses.
The FBI's Cyber Division and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) serve as the primary investigative bodies, with authority to pursue cases involving critical infrastructure, ransomware, and foreign state-sponsored intrusions.
Common Scenarios
Prosecutors applying federal cybercrime statutes most frequently encounter the following fact patterns:
Unauthorized System Access (Hacking)
Gaining entry to a network or system without permission — or exceeding authorized access — is the core CFAA offense. The phrase "exceeds authorized access" has generated significant litigation; the Supreme Court addressed its scope in Van Buren v. United States, 593 U.S. 374 (2021), holding that the phrase applies to accessing areas of a computer that the defendant was not permitted to access, not to misuse of data the defendant was otherwise authorized to retrieve.
Ransomware and Extortion
Deploying malicious software that encrypts victim data and demands payment is prosecuted under § 1030(a)(5) (damage) and § 1030(a)(7) (extortion), often combined with wire fraud charges. The FBI's Internet Crime Complaint Center (IC3) recorded losses exceeding $59.6 million from ransomware complaints in its 2023 Internet Crime Report.
Phishing and Credential Theft
Email-based schemes designed to harvest login credentials are charged under wire fraud (§ 1343) and identity theft (§ 1028), frequently alongside CFAA § 1030(a)(2) counts for the subsequent unauthorized system access those credentials enable.
Distributed Denial-of-Service (DDoS) Attacks
Flooding a target network with traffic to render it unavailable constitutes "damage" under § 1030(a)(5). Cases involving damage exceeding $5,000 within a one-year period qualify as felonies.
Insider Threats
Employees who exfiltrate proprietary data or sabotage systems are prosecuted under "exceeds authorized access" theories — the most contested application of the CFAA following Van Buren. These cases intersect with white-collar crime frameworks when financial gain motivates the conduct.
Botnet Operation
Coordinating networks of compromised machines to send spam, conduct DDoS attacks, or distribute malware implicates § 1030(a)(5) for the compromised machines and CAN-SPAM Act provisions (15 U.S.C. § 7704) for the spam component.
Decision Boundaries
CFAA vs. State Computer Crime Statutes
All 50 states maintain independent computer crime statutes. Federal jurisdiction under the CFAA typically activates when: (1) the computer is used in interstate or foreign commerce, (2) the conduct crosses state lines, or (3) the victim is a federal agency or financial institution. State charges may run concurrently; federal vs. state criminal jurisdiction principles determine which forum prosecutes, though dual prosecution is constitutionally permissible under the separate sovereigns doctrine.
Felony vs. Misdemeanor Thresholds
The CFAA classifies offenses as misdemeanors when the conduct involves only simple unauthorized access with no damage, no classified data, and no fraudulent intent. Felony classification requires one of: damage exceeding $5,000 in a one-year period, modification or impairment of medical records, physical injury, a threat to public safety, damage to a government computer, or a second conviction under the statute (18 U.S.C. § 1030(c)).
"Authorization" as the Central Boundary
The CFAA's entire structure pivots on whether access was "authorized." Courts have developed two interpretive approaches: the "code-based" view (access is unauthorized when it circumvents technical access controls) and the "contract-based" view (access is unauthorized when it violates terms of service or employer policy). Van Buren (2021) constrained the contract-based reading, limiting CFAA exposure for policy violations that do not involve accessing technically restricted data areas.
Aggregation of Harm
Damage to
References
- 18 U.S.C. § 1030 – Computer Fraud and Abuse Act (CFAA)
- 18 U.S.C. § 1343 – Wire Fraud
- 18 U.S.C. § 1028 – Fraud and Related Activity in Connection with Identification Documents
- U.S. Department of Justice – Computer Crime and Intellectual Property Section (CCIPS)
- Federal Bureau of Investigation – Cyber Crime
- Cybersecurity and Infrastructure Security Agency (CISA) – Cybercrime Resources
- NIST Special Publication 800-61 Rev. 2 – Computer Security Incident Handling Guide
- Federal Trade Commission – Cybersecurity Guidance for Businesses
- Internet Crime Complaint Center (IC3) – Federal Bureau of Investigation