Legal Sidebari Red Army Equifax Hackers Indicted March 10 2020 A federal grand jury has indicted four members of the Chinese People’s Liberation Army PLA for hacking into the Equifax computer system and stealing the personal identifying information of “nearly 150 million Americans ” The indictments charge offenses under federal wire fraud computer intrusion economic espionage and conspiracy laws Attorney General Barr’s statement announcing the indictment noted that 80% of federal economic espionage prosecutions have implicated the Chinese government The indictment presents a partial view of the criminal law consequences that may attend a mass data breach but the indictment is likely designed for purposes other than eventual prosecution Background Equifax conducts credit checks on behalf of financial institutions and other business entities The indictment and an earlier House committee majority staff report allege that the four defendants accessed an Equifax server in Georgia through a system backdoor Once in they spent several weeks sweeping the system for the names addresses birth dates social security numbers and driver’s license numbers of millions of individuals Equifax eventually discovered the breach patched the hole and notified authorities and the public Equifax has agreed to pay more than $5 75 million to settle claims relating to the data breach Statutes The indictment charges violations of four of the criminal laws designed to protect against computer intrusions alternatively known as hacking or unauthorized access and other forms of data breach the Computer Fraud and Abuse Act CFAA the Economic Espionage Act the Wire Fraud Act and the conspiracy statute For a discussion of these and other statutes that protect against such intrusions CRS Report R45631 The CFAA outlaws seven computer hacking offenses ranging from simple trespassing to espionage CRS Report 97-1025 One offense covers intrusions that involve stealing information from a protected computer system “Protected computer” means any computer connected to the Internet “computer … which is used in or affecting interstate or foreign commerce or communication” The offense is a fiveyear felony if the information is worth $5 000 or more or if the intrusion is committed with an eye to another state or federal crime The Chinese army defendants allegedly acted as accomplices for colleagues who hacked into an Equifax computer and bundled up masses of personal information worth more than $5 000 to support an economic espionage operation Accomplices aiders and abettors share liability equally with those who actually commit the crime CRS Report R43769 The indictment also Congressional Research Service https crsreports congress gov LSB10417 CRS Legal Sidebar Prepared for Members and Committees of Congress Congressional Research Service 2 calls for the confiscation upon conviction of any equipment or other property used to commit the violation of the Computer Fraud and Abuse Act A CFAA second offense covers damaging a computer system during unauthorized access “Damage” includes “any impairment to the integrity … of data … or a computer system” The accompanying sanctions correspond to those for the theft of information under the statute The indictment charges the defendants with acting as accomplices in the damage resulting from the intrusion into the Equifax system and the massive harvesting of its data Under the Economic Espionage Act economic espionage occurs when an individual surreptitiously downloads someone else’s trade secrets for the benefit of a foreign government or entity CRS Report R42681 Offenders face the prospect of up to 15 years in prison a fine of up to $5 million and the confiscation of any equipment or other property used to commit the crime The Red Army defendants stand accused of downloading Equifax’s trade secret data for the benefit of the Chinese government It is hard to engage in computer intrusion or economic espionage without also coming within reach of the wire fraud statute Wire fraud consists of the use of the telephone email the Internet or some other form of wire communications as part of a scheme to cheat someone out of their tangible or intangible property CRS Report R41930 The penalties are severe – up to 20 years in prison and a fine of up to twice the profit or loss associated with the crime or $250 000 whichever is more The indictment alleges that the defendants acted as accomplices for confederates who used deception to gain wire access to the Equifax computer system In doing so they purportedly deprived the company of exclusive control of personal identifying information relating to individuals who in total make up almost half of the population of the United States The indictment lists as separate offenses the defendants’ conspiracies to violate the CFAA the Economic Espionage Act and the Wire Fraud Act Conspiracy is the agreement of two or more to commit a crime CRS Report R41223 Conspiracies to violate the Economic Espionage Act or the Wire Act come with the same penalties as the underlying offenses imprisonment for up to 15 years and 20 years respectively Conspiracy to violate the CFAA falls under the general conspiracy statute which carries a prison term of up to five years Chances of a Trial The Justice Department likely sought the indictments for reasons other than prosecution In fact prosecution of the Red Army defendants seems improbable Federal prosecution of defendants located outside the U S ordinarily depends on extradition under a treaty CRS Report 98-958 The U S does not have an extradition treaty with China The indictment however might limit the defendants’ future travel Once found in the country with whom the U S has an extradition treaty the defendants would face possible extradition The U S has extradition treaties with most countries in this hemisphere with most European nations and with many African and Southeast Asian countries Even with a treaty however extradition can be problematic in computer hacking cases Extradition treaties describe extraditable offenses in one of two ways The older agreements identify a list of specific extraditable offenses The newer treaties make extraditable any crime punishable under the laws of both the prosecuting country and the country where the accused is located The crimes detailed in the indictment may not fit neatly in either category Moreover in the context of a particular treaty economic espionage may fall within the pure political offense exception that renders treason sedition and espionage non-extraditable offenses All of which may explain why the Red Army members indicted on similar charges in 2014 remain at large Congressional Activity Congressional Research Service 3 Much of the recent legislative activity related to the Equifax intrusion has focused on non-criminal matters A few proposals however have suggested adjustments to the Computer Fraud and Abuse Act or the Economic Espionage Act For example the proposed Active Cyber Defense Certainty Act H R 3270 Representative Graves would amend the CFAA to exempt from CFAA’s prohibitions certain acknowledged computer defense activities Similarly the DEFEND Act S 1865 Senator Harris would enlarge the overseas reach of the Economic Espionage Act EEA and further encourage private enforcement of the EEA Author Information Charles Doyle Senior Specialist in American Public Law Disclaimer This document was prepared by the Congressional Research Service CRS CRS serves as nonpartisan shared staff to congressional committees and Members of Congress It operates solely at the behest of and under the direction of Congress Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role CRS Reports as a work of the United States Government are not subject to copyright protection in the United States Any CRS Report may be reproduced and distributed in its entirety without permission from CRS However as a CRS Report may include copyrighted images or material from a third party you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material LSB10417 · VERSION 2 · NEW