National Information Infrastructure Protection Act (NIIPA) of 1996

views updated

NATIONAL INFORMATION INFRASTRUCTURE PROTECTION ACT (NIIPA) OF 1996

The National Information Infrastructure Protection Act (NIIPA), signed into law in October 1996, was a significant revision of U.S. computer crime law. It provides federal criminal liability for theft of trade secrets and for "anyone who intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage." The NIIPA is one of a number of laws enacted by the U.S. government to address the array of new cybercrimes that have emerged with the ongoing expansion and development of the Internet. The NIIPA represents the most ambitious amendments to the Computer Fraud and Abuse Act of 1984, which had previously been modified in 1986 and 1994.

The U.S. national information infrastructure (NII) is composed of computer networks, data storage and generating equipment, the connections between these components, and the networks that support them: the Internet and public switched telephone (PSTN), satellite communication, and private networks. With the commercialization of the Internet in the early 1990s, use of these systems burgeoned and led to the creation of the NII. Many industries and private users, as well as the government, increasingly rely on the NII to conduct their business.

However, the NII's dependence on public telecommunications lines and its myriad points of access also render it vulnerable. Thus, in the 1990s the U.S. government had to determine how to reinforce NII security while retaining its availability to the public and to the business sector. Particularly critical areas in need of added protection were identified as telecommunications, energy, transportation, essential human services, and especially national defense. These areas, while still susceptible to traditional forms of physical attack—such as foreign or domestic entities exploiting weaknesses in the electronic infrastructure—were thought to require new modes of security. Many involved in reviewing NII security, both in government and in the private sector, believe successful protection of the NII requires the cooperation of the government, the public, and industry.

Two types of threats menace the NII—traditional physical threats and newer, electronic threats. The former encompass the damage inflicted to the NII via conventional or unconventional weapons, while the latter stem from electronic, radio-frequency or computer-based attacks on the information or communications components that control critical infrastructures.

The NIIPA contains several major subsections, each targeting a separate offense. First, it criminalizes unauthorized access of computer files that results in transmission of classified government information. Second, it prohibits the extraction of information from financial institutions, the U.S. government, or private-sector computers that are used in interstate commerce. Third, it disallows the intentional and unauthorized access of non-public computers in U.S. governmental departments or agencies. Fourth, it bans accessing protected computers without permission for the purposes of defrauding or obtaining material of value, unless a defendant can prove the resulting damages amounted to less than $5,000.

Another section of NIIPA concerns hacking. It outlaws the intentional transmission of any program, code, or command that could result in damage to a protected computer, regardless of whether or not access to that computer was authorized. This stipulation permits prosecution of authorized company, department, or agency users who might inflict harm on a computer system. Furthermore, any damage caused recklessly or negligently is also liable to prosecution, thus facilitating prosecution of hackers who may transfer malevolent software without intending any specific harm.

Elsewhere, NIIPA forbids the knowledgeable trafficking of passwords with intent to defraud, where such conduct would enable someone to access a protected computer without permission. Finally, the law also criminalizes the interstate or foreign transmission of threats to damage a protected computer so that something of value is extorted. This provision addresses, among other things, the possibility of hackers threatening to disable a system unless they were accorded system access.

NIIPA distinguishes actions that constitute improper access or a threat to privacy from those in which the defendant uses access for pernicious purposes. It does so by making such conduct a felony, rather than a misdemeanor, if it is committed for financial gain, to further a criminal or civil infraction, or if it results in the gathering of information worth more than $5,000.

In addition, NIIPA encourages victims to report cyber offenses by permitting them to claim civil remedies for intentional computer crimes. It punishes attempted crimes to the same extent as completed offenses. Finally, the act extends the right to investigate to the U.S. Secret Service, along with all other authorized agencies.

NIIPA cut off many arguments that defendants could claim under prior legislation. For example, earlier law required that the computer affected be of "federal interest;" hence, one could not be charged under federal law for accessing private-sector, non-financial computers to commit intrastate fraud. However, defendants may still argue under NIIPA that they did not obtain anything of value or that their actions did not create damage in excess of $5,000.

Finally, NIIPA also modified the sentencing guidelines of earlier laws, which only permitted repeat offenders to receive enhanced sentences if they were convicted of exactly duplicating a previous violation. NIIPA permits those who violate any of its subsections to be treated as recidivists.

Among the agencies responsible for overseeing the NII are the Department of Defense; the National Telecommunications and Information Administration at the Commerce Department, which coordinates aspects of NII policy that don't involve national security concerns; and the National Security Telecommunications and Information Systems Security Committee, which supervises all activities involving the NII which affect national security.