Page 263 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 263
circumstances, state laws can be more restrictive than federal laws
and impose harsher penalties.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) was the first major piece
of cybercrime-specific legislation in the United States. Congress had
earlier enacted computer crime law as part of the Comprehensive
Crime Control Act (CCCA) of 1984, but CFAA was carefully written to
exclusively cover computer crimes that crossed state boundaries to
avoid infringing on states’ rights and treading on thin constitutional
ice. The major provisions of the original CCCA made it a crime to
perform the following:
Access classified information or financial information in a federal
system without authorization or in excess of authorized privileges
Access a computer used exclusively by the federal government
without authorization
Use a federal computer to perpetrate a fraud (unless the only object
of the fraud was to gain use of the computer itself)
Cause malicious damage to a federal computer system in excess of
$1,000
Modify medical records in a computer when doing so impairs or
may impair the examination, diagnosis, treatment, or medical care
of an individual
Traffic in computer passwords if the trafficking affects interstate
commerce or involves a federal computer system
When Congress passed the CFAA, it raised the threshold of damage
from $1,000 to $5,000 but also dramatically altered the scope of the
regulation. Instead of merely covering federal computers that
processed sensitive information, the act was changed to cover all
“federal interest” computers. This widened the coverage of the act to
include the following:
Any computer used exclusively by the U.S. government
