ARGUMENT: Strengthening cybersecurityThe Van Buren Decision Is Good News for Cybersecurity

Published 9 August 2021

In June, after years of uncertainty, the Supreme Court finally shed some light on the meaning of a notoriously vague law, the Computer Fraud and Abuse Act (CFAA). Timothy Edgar writes that one problem with CFAA was that some courts had interpreted the CFAA’s language so broadly. Justice Amy Coney Barrett’s technically informed opinion, which narrowed the scope of CFAA, was a win for civil liberties — and also a victory — not a loss — for cybersecurity. Moreover, Barrett’s opinion “offers a model for how to interpret computer crime laws.”

In June, after years of uncertainty, the Supreme Court finally shed some light on the meaning of a notoriously vague law, the Computer Fraud and Abuse Act (CFAA). Timothy Edgar writes in Lawfare that the CFAA is an important tool for deterring and punishing cybercrime, but that, unfortunately, some courts had interpreted the CFAA’s language so broadly that even small violations of a computer use policy—for example, using a work computer for personal messages—might have landed you in jail.

Edgar writes that in Van Buren v. United States, the Supreme Court adopted a narrower view of the CFAA which is more closely related to the law’s basic purpose: criminalizing malicious hacking into computer systems.

Van Buren was a win for civil liberties organizations and some legal scholars in a long-standing debate over the sweep of federal criminal law in cyberspace. 

Van Buren was also a victory—not a loss—for cybersecurity. One reason is that an overbroad interpretation of the CFAA inhibits security research; any narrowing of the CFAA encourages “white hat” hackers to find flaws they might be reluctant to tackle if they fear a lawsuit or prosecution for their efforts. Another reason is that Justice Amy Coney Barrett’s technically informed opinion offers a model for how to interpret computer crime laws. Her “gates-up-or-down” approach will prod cybersecurity professionals to step up their game when it comes to safeguarding sensitive data.

Edgar concludes:

In the wake of Van Buren, Congress may face calls to expand the CFAA to make it easier to prosecute insiders for misusing their data privileges, even if they do not exceed their access privileges.  This would be a mistake.  

Barrett’s opinion in Van Burenoffers an approach to the CFAA that is grounded in sound cybersecurity principles. While the CFAA is far from perfect, Barrett’s approach will give some comfort to security researchers, while encouraging organizations to set clear boundaries for who has access to sensitive data in their computers.  Van Buren is a step forward for cybersecurity.