Original URL: https://www.theregister.com/2004/02/10/the_first_fallout_from_cybergate/

The first fallout from Cybergate

Was a crime committed?

By Mark Rasch

Posted in Security, 10th February 2004 10:38 GMT

Did Republican staffers commit a crime by clicking on the "My Network Places" icon to access Democratic memos, asks SecurityFocus columnist Mark Rasch.

Politics is dirty business, and rarely so much as in the area of patronage: appointments to sought-after federal jobs in general, and to the federal bench in particular. So it should be little surprise that, with so much at stake, one political party would want to use the insecurity inherent in computerized databases to its political advantage.

What is surprising, however, is that, caught with their hand in the cookie jar, Senate Republicans employed the tactic of blaming the victim: they said, in essence, It's your fault that we got and used your information. If successful, this tactic does not bode well for the government's ability to prosecute computer crimes, and to protect critical infrastructures.

With the resignation last Thursday of Senate staffer Manuel Miranda as the first victim of what I might call "cybergate," we may learn whether this tactic will be pursued and whether it will be ultimately successful.

The scandal itself revolves around the process by which federal judges are appointed, and more importantly, how such appointments are blocked by the opposing party. When President George W. Bush came to office, he sought to make numerous appointments to the federal bench -- some to positions that conservative Republicans had deliberately left vacant for years of Democratic administrations.

The Democrats, at the time a majority in the Senate, sought to use tactics similar to those they criticized Republicans for in preventing such nominations from reaching a vote on the floor of the Senate. The key Senate Committee responsible for such appointments was the Judiciary Committee.

Democratic staffers wrote and transmitted confidential memoranda describing the means they would use to block such nominations in general, and the nomination of conservative Republican Miguel Estrada in particular. A year ago, in February 2003, columnist Robert Novak -- the same columnist responsible for revealing the name of a CIA operative on a leak from government officials -- published information from these Democratic strategy memos. Novak reported that the information came from "internal Senate sources" but refused to identify these sources when questioned by Boston Globe reporter Charlie Savage.

It now appears that the memos were stored on a computer server that also served the Judiciary Committee. When the Republicans regained control of the Senate, they regained control of the Judiciary Committee as well. Eager young staffers apparently discovered that the Democratic strategy memos were not password-protected and were located on the shared server, where they could access them by clicking on the "My Network Places" icon on their own desktops.

There is some dispute over what happened next -- though in my opinion it makes no difference. The Republicans argued that a computer technician told the Democrats about the configuration problem in the summer of 2002, and the Democrats claim they knew nothing about it until November of 2003. In either event, it's clear that Republican staffers, learning of the lack of protection on the documents, used the opportunity to take, read and leak the contents of the memos.

The 'They Deserved It' Defense

When the source and method of the leaks became apparent, the Senate Sergeant at Arms launched an investigation. Former Republican Senate Judiciary Committee Staffer Manuel Miranda came under suspicion, as he was one of the committee's point people on judicial appointments, and had since left the Judiciary committee to work for Senate Majority Leader Bill Frist.

What is amazing is what comes next. When interviewed by the Boston Globe about the incident, Miranda reportedly claimed that the only wrongdoing was on the part of the Democrats, both for the content of their memos, and for their negligence in placing them where they could be seen.

"There appears to have been no hacking, no stealing, and no violation of any Senate rule," the Globe quoted Miranda as saying. "Stealing assumes a property right and there is no property right to a government document. . . . These documents are not covered under the Senate disclosure rule because they are not official business and, to the extent they were disclosed, they were disclosed inadvertently by negligent [Democratic] staff."

So, Miranda claims it isn't stealing because you can't steal government documents, and it's not a violation of the rules because they aren't government documents. Or something like that. He also seems to argue that the password misconfiguration made the documents fair game.

There was a time when that would have been true.

When the federal computer crime law was passed by Congress in 1986, the statute only made it illegal to access certain computers (deemed "federal interest computers") without authorization, and made no provision for those who exceeded the scope of authorized access. This was not an oversight, but a deliberate limitation on the scope of the statute, and it was cited by courts in, for example, dismissing computer crime charges against Boston IRS employee Richard Czubinski, who repeatedly violated rules and searched IRS databases for information about friends, relatives and political enemies. Congress specifically indicated that people who were authorized users of a computer system, and who used that access to look at individual files they were not supposed to see, should not be covered by the law.

But in one of the many amendments to the federal computer crime statute, Congress changed the wording, and explicitly criminalized the act of exceeding the scope of authorized access to a system. Doing this to federal computers is outlawed by Title 18 U.S.C. 1030(a)(2), which makes it a crime to intentionally access a computer without authorization or to exceed authorized access, and thereby obtain "information from any department or agency of the United States."

So, did the Republican Judiciary Committee staffers violate the law?

What I love about being a lawyer is that the answer to any question is always the same: "It depends." The law requires proof that the unauthorized access, or the exceeding of authorized access, was done intentionally.

With no passwords, and no lines of demarcation, it is possible to argue that the Republicans' access to the Democratic strategy documents was not deliberate, or that it was not exceeding the scope of authorization, because all of the documents were on a single, unprotected server.

This, of course, defies common sense, but the law often defies common sense. Similarly, the federal law requires proof that the information was obtained from "an agency or Department of the United States." It seems that Miranda is arguing that, when the Democratic staffers act in a political capacity, their documents no longer relate to an agency or department - it's just politics. Finally, Miranda seems to argue that there is no proprietary right to government documents. While he is correct that government documents are not entitled to copyright protection, this does not imply that it is therefore okay to break into a computer database and take them.

The investigation continues, and Miranda, while continuing to proclaim his innocence, is so far the only casualty. But if his argument that failures of security excuse the taking of documents is accepted, truth, justice and information security may be the next casualties of political warfare.

Copyright © 2004

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.