Non-Lawyer's Summary
This post explains the main federal anti-hacking law in plain English. The key modern question is whether someone broke into a part of a computer system they were not allowed to enter, not just whether they misused information they could already see. It also shows why federal cyber cases usually include extra charges beyond the CFAA.
The Law That Became a Weapon
Just before dawn, the alerts started firing. A network administrator at a Fortune 500 company watched her SIEM dashboard light up — unauthorized connections, lateral movement, exfiltrated gigabytes vanishing into an overseas server. By morning, the FBI was on the phone. And somewhere in a federal prosecutor's office, someone was already reaching for a statute that had been sitting on the books since 1986.
The Computer Fraud and Abuse Act. 18 U.S.C. § 1030.
It was drafted when a "hacker" was still a fringe concept, when personal computers ran on floppy disks, when "the internet" didn't exist in any form most people would recognize. And yet, four decades later, it remains the federal government's primary anti-hacking weapon — stretched, amended, litigated, and feared.
But here's what they don't tell you: prosecutors rarely charge CFAA alone. When the DOJ comes for a hacker, it comes with a toolkit. Wire fraud. Aggravated identity theft. Sometimes RICO. The CFAA is the door. What's behind it is far worse.
Understanding how these statutes layer together — and where the CFAA's limits fell after Van Buren — is essential for anyone litigating, advising on, or drafting legislation around cybercrime. Because in federal court, the charge stack is the sentence.
Key Concepts
What Is "Unauthorized Access" — And Why the Answer Changed Everything
Technical reality: A system has authentication controls — passwords, tokens, API keys. A hacker bypasses or abuses those controls to enter a system they have no right to access. That much seems obvious.
What the law said for thirty years: The CFAA made it a federal crime to "exceed authorized access" — but what that phrase meant was bitterly contested. Prosecutors argued it meant anyone who accessed a system for a purpose the owner didn't intend. Defenders argued that reading would make millions of Americans into federal criminals for checking their work email from a personal laptop.
What the Supreme Court finally said in 2021: Van Buren v. United States established that "exceeds authorized access" covers accessing a prohibited area of a computer system — a section the person was not permitted to access at all. It does not cover someone who had legitimate access to a system area but used data from that area in an unauthorized way (e.g., an employee who was allowed to access a database but misused the data for personal gain).
Why this matters: A security researcher who probes a public-facing API with valid credentials likely does not "exceed authorized access" under CFAA even if the vendor's terms of service prohibit automated access. A hacker who uses stolen credentials to enter a system the owner never authorized them to enter does. The line is technical, not moral — and it runs right through the middle of thousands of potential prosecutions.
What Is a "Protected Computer" — Spoiler: It's Almost Everything
Under 18 U.S.C. § 1030(e)(2), a "protected computer" includes any computer "used in or affecting interstate or foreign commerce or communication." In practice, this is any device connected to the internet — your phone, your smart TV, a hospital's radiology machine, a power plant's control terminal. The federal CFAA's jurisdictional reach is, for all practical purposes, unlimited.
What Is "Loss" — And Why Lawyers Fight Over It
CFAA's civil cause of action requires a showing of "damage or loss." "Loss" has a specific statutory definition and has been litigated in hundreds of cases. It generally includes investigation and response costs — the forensics bills, the IR team, the overtime. Whether it extends to reputational harm, regulatory exposure, or lost business is where courts diverge, and where the real money fights happen.
Statutory Framework
18 U.S.C. § 1030 — Computer Fraud and Abuse Act (CFAA)
Seven subsections. Seven different ways to fall.
| Provision | What it covers | Notes |
|---|---|---|
| § 1030(a)(1) | Accessing classified information | National security focus |
| § 1030(a)(2) | Unauthorized access to obtain financial/government/protected computer info | Common in corporate hack cases |
| § 1030(a)(3) | Accessing U.S. government computers | Government-specific |
| § 1030(a)(4) | Unauthorized access with intent to defraud | Requires proof of fraud intent |
| § 1030(a)(5) | Intentional damage to protected computers | Covers malware, ransomware, wiper attacks |
| § 1030(a)(6) | Trafficking in access credentials (passwords) | Credential marketplaces, dark web sales |
| § 1030(a)(7) | Threats to damage computers for extortion | Ransomware extortion component |
| § 1030(g) | Civil action | Private plaintiff can sue for qualifying "damage or loss" |
Penalties: Maximum imprisonment ranges from 1 year for less serious misdemeanor intrusions up to 20 years for recidivists or aggravated intrusions involving critical infrastructure. And that's before the stacking begins.
The Federal Toolkit — How They Add Up the Years
This is where federal prosecutors become architects. Each charge is a floor, not a ceiling. Stack them correctly and a single intrusion becomes a sentence measured in decades.
18 U.S.C. § 1343 — Wire Fraud
Every email, every packet crossing state lines, every login request traversing the internet is a "wire." If the hack was part of a scheme to defraud — and it almost always is — prosecutors pile on wire fraud counts. One per transmission. One per day. One per victim.
- Penalty: Up to 20 years' imprisonment per count (higher in aggravated circumstances involving financial institutions or disaster/emergency)
- Why it's useful: Broader than CFAA — covers deceptive schemes even where pure "unauthorized access" is ambiguous. Also enables forfeiture. The government can take everything.
18 U.S.C. § 1028A — Aggravated Identity Theft
Three words that change everything: mandatory. consecutive. two years.
When a hacker uses a stolen identity — credentials, Social Security numbers, financial account data — in connection with an enumerated predicate felony (which includes § 1030 felony violations and wire fraud), § 1028A imposes a mandatory consecutive 2-year prison term. It runs after any sentence for the underlying felony. It cannot be suspended. It cannot run concurrently. It cannot be bargained away without the government's explicit agreement.
Why it matters to defendants: Even if you plead guilty to everything else and walk away with a lenient sentence, the § 1028A exposure is still there. Prosecutors use it as a hammer in every plea negotiation.
18 U.S.C. §§ 1961–1964 — RICO
The Racketeer Influenced and Corrupt Organizations Act was built to dismantle the mob. Then came the ransomware syndicates — with coders, money mules, negotiators, customer service departments, and affiliate programs. The organizational structure was indistinguishable from an enterprise. So prosecutors used an enterprise statute.
- Criminal penalties (§ 1963): Up to 20 years' imprisonment per RICO count; forfeiture of all proceeds and interests in the enterprise
- Civil RICO (§ 1964(c)): Private plaintiffs can sue for treble damages and attorneys' fees
- When prosecutors use it: Nation-state-linked hacking syndicates, organized ransomware groups, long-running credential theft operations where the division of labor is clear enough to prove an enterprise
15 U.S.C. § 45 — FTC Act Section 5 (The Law That Comes for the Victim)
Here is the most unsettling part of the federal toolkit: a law that doesn't come for the hacker. It comes for the company that got hacked.
The FTC's authority to police "unfair or deceptive acts or practices" is used against companies that fail to maintain reasonable data security. The breach victim can become the defendant. Get hacked badly enough, and the FTC may decide your security was so inadequate that you committed an unfair practice against your own customers. The agency cannot imprison anyone — but it can impose crippling consent decrees, monitoring requirements, and fines.
The Van Buren Ruling — The Day the Law Changed
The Setup
A police officer named Nathan Van Buren had access to a law enforcement database — he was authorized to use it as part of his job. He ran a license plate check in exchange for money. The government argued this "exceeded authorized access" because he was using his authorized access for an unauthorized purpose.
If the government won that argument, the implications were staggering. Every employee who ever checked a personal email on a work computer. Every person who shared a Netflix password. Anyone who violated terms of service while logged in. All of them, potentially, federal criminals under the CFAA.
The Ruling
Van Buren v. United States, 141 S. Ct. 1648 (2021).
The Supreme Court rejected the government's interpretation. "Exceeds authorized access" covers accessing a part of a computer system that the person was not permitted to access at all — not merely misusing data from an area of the system the person was allowed to access.
The "gates up or down" framing: The Court built a metaphor around gates. CFAA prohibits walking through a gate that is "down" — closed to you. It does not prohibit walking through a gate that is "up" — open to you — and then doing something prohibited once inside. The gate controls whether you can be there at all. What you do once you're in is a different question, governed by different laws.
Practical implications for lawyers:
| Scenario | Post-Van Buren CFAA status |
|---|---|
| Hacker uses stolen credentials to access account they have no right to access | CFAA violation — gate was down for them |
| Employee accesses authorized HR database to steal trade secrets | May NOT be CFAA — they had authorized access to that area |
| Security researcher accesses public API with valid tokens against ToS | Likely NOT CFAA — gate was up; ToS violation ≠ CFAA |
| Contractor accesses files outside their authorized scope on a shared system | Likely CFAA — specific file area was gated/prohibited |
| Web scraper accesses publicly available data without authentication | Likely NOT CFAA post-Van Buren and hiQ/LinkedIn (9th Cir.) |
How They Got Caught — The Enforcement Architecture
Federal cybercrime prosecutions are led by DOJ with specialized components including the Computer Crime and Intellectual Property Section (CCIPS), with investigations typically run by the FBI. Charges are typically unsealed when a defendant is arrested — or when law enforcement wants to send a message, even if the defendant is abroad and custody is nowhere near immediate.
What a major hack-and-extort charge stack looks like in practice:
- CFAA (§ 1030(a)(5) — damage; § 1030(a)(7) — extortion threat)
- Wire fraud (§ 1343)
- Aggravated identity theft (§ 1028A) — mandatory +2 years regardless of everything else
- Money laundering (18 U.S.C. § 1956) — covers cryptocurrency conversion, which they always find
- Forfeiture allegations — cryptocurrency wallets, servers, proceeds, anything they can reach
The hacker who thought they were protected by an ocean and a hostile extradition environment discovers, eventually, that the indictment was already waiting. The only question was when they'd make the mistake of landing in the wrong airport.
Practitioner Takeaways
- When advising a breach victim on whether to cooperate with federal investigators, the CFAA civil action is largely secondary to criminal enforcement — but preserving forensic evidence and cost documentation early is critical for both tracks.
- When defending a CFAA accusation, Van Buren is your first analytical tool. If the defendant had valid access to the relevant system area, the "exceeds authorized access" theory may fail.
- When prosecuting or pleading, the § 1028A mandatory consecutive term is a key sentencing lever. It cannot be negotiated away without the government's agreement not to charge it.
- RICO is available in organized cybercrime cases but requires proof of enterprise and pattern — do not assume every multi-defendant hack case meets RICO's threshold.
- The FTC Act is regulatory, not criminal — but FTC enforcement against the breached company can run in parallel with DOJ prosecution of the hacker.
Quiz
See: artifacts/quizzes/quiz-01a.md