28.6: Criminal Liability for Intentional Attacks
Supply chain attacks are not merely security incidents—they are often serious federal crimes carrying substantial penalties. When attackers compromise a build system, inject malicious code into a trusted package, or backdoor a widely-used library, they potentially violate multiple criminal statutes at the federal and state level. The SolarWinds attackers didn't just cause cybersecurity harm; they committed criminal acts prosecutable under U.S. law. Understanding the criminal legal framework helps organizations recognize when incidents warrant law enforcement involvement and how to cooperate effectively when they do.
For security leaders and incident responders, criminal considerations add complexity to incident response. Decisions about evidence preservation, disclosure timing, and law enforcement engagement have legal implications that may affect both the organization and any eventual prosecution. Balancing operational recovery with potential criminal proceedings requires advance planning and appropriate legal guidance.
Criminal Statutes Applicable to Supply Chain Attacks
Federal criminal statutes:
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, provides the primary federal criminal framework for computer crimes. CFAA provisions applicable to supply chain attacks include:
- § 1030(a)(2): Obtaining information from protected computers without authorization—applicable when attackers exfiltrate data through compromised software
- § 1030(a)(5)(A): Knowingly causing transmission of programs or code resulting in damage—directly applicable to malware injection into supply chains
- § 1030(a)(5)(B): Intentionally accessing computers and recklessly causing damage—covers attacks with foreseeable harm
- § 1030(a)(5)(C): Intentionally accessing computers and causing damage—applies to intrusions causing measurable harm
- § 1030(a)(7): Extortion involving threats related to computer access—applicable when supply chain compromise enables ransomware
CFAA penalties escalate based on factors including:
- Prior offenses (significantly enhanced penalties for repeat violations)
- Damage amounts (felony threshold at $5,000 aggregate loss)
- Impact on critical infrastructure
- Commercial advantage or private financial gain motive
Additional federal statutes:
Beyond CFAA, supply chain attacks may violate:
- Wire Fraud (18 U.S.C. § 1343): Using wire communications to defraud—applicable when attacks involve deception for financial gain
- Identity Theft (18 U.S.C. § 1028A): Aggravated identity theft adds mandatory 2-year consecutive sentences when attacks involve stolen credentials
- Economic Espionage Act (18 U.S.C. §§ 1831-1839): Applicable when attacks target trade secrets, particularly for foreign government benefit
- Conspiracy (18 U.S.C. § 371): Conspiracy to commit computer fraud—enables prosecution of attack planners and facilitators
State-sponsored attacks may additionally implicate:
- Espionage statutes (18 U.S.C. §§ 793-798): When classified information is targeted
- Foreign agent statutes: When attackers act on behalf of foreign governments
State criminal laws:
Most states have enacted computer crime statutes paralleling federal law. State prosecution may occur when:
- Federal prosecutors decline the case
- State-specific harm warrants local prosecution
- State laws provide advantages not available federally
State variations include different damage thresholds, penalty structures, and definitions of unauthorized access. In some cases, state laws are broader than CFAA, providing additional prosecution options.
International Criminal Frameworks
Supply chain attacks frequently cross international boundaries, with attackers, infrastructure, and victims spanning multiple jurisdictions. International frameworks enable—but also complicate—prosecution.
The Budapest Convention:
The Council of Europe Convention on Cybercrime (Budapest Convention) provides the primary international framework for cybercrime cooperation. As of 2025, 81+ countries have ratified the convention, committing to:
- Adopting substantive criminal law provisions for computer crimes
- Establishing procedural powers for investigation
- Enabling international cooperation and mutual legal assistance
The Convention facilitates evidence sharing and extradition between signatory nations, though cooperation remains slower and more complex than domestic investigation.
Mutual Legal Assistance Treaties (MLATs):
MLATs enable formal evidence sharing between countries. When evidence of supply chain attacks resides in foreign countries, prosecutors must typically use MLAT processes to obtain it—a process that can take months or years.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) streamlines some international data requests, particularly with countries holding executive agreements with the United States. However, most supply chain attacks involve evidence in countries without such agreements, requiring traditional MLAT procedures.
Attribution challenges:
International attacks present attribution challenges:
- Attackers use infrastructure in multiple countries
- Technical attribution may identify tools but not individuals
- State-sponsored attacks complicate diplomatic considerations
- Extradition may be unavailable from non-cooperative nations
Major supply chain attacks attributed to nation-state actors (SolarWinds to Russia, various attacks to North Korea and China) result in indictments that may never lead to arrests if defendants remain in countries without extradition arrangements.
Jurisdictional Challenges
Supply chain attacks create complex jurisdictional puzzles affecting both investigation and prosecution.
Multi-district impact:
A single supply chain attack may affect victims in every federal judicial district simultaneously. The compromised npm package is downloaded by developers in all 50 states; the backdoored enterprise software runs in data centers across the country. Determining which U.S. Attorney's Office leads prosecution involves considerations of:
- Location of significant victims
- Location of attack infrastructure
- Investigative equities of different FBI field offices
- Prosecutorial resources and expertise
International dimensions:
When attackers operate from foreign countries:
- U.S. law applies to attacks affecting U.S. computers and victims
- Prosecution can proceed even without the defendant in custody (sealed indictments)
- Evidence gathering requires international cooperation
- Trial requires either extradition or defendant's voluntary appearance
As a practical matter, many international supply chain attackers—particularly those with state protection—face indictment but not arrest or trial.
Platform jurisdiction:
Attacks targeting package registries or code hosting platforms may involve platform cooperation:
- Platforms may receive and comply with legal process
- Terms of service violations may enable platform action independent of criminal process
- Platform data retention affects evidence availability
Organizations should understand that law enforcement may seek evidence from platforms regarding supply chain incidents, and platforms may provide notification of such requests depending on their policies.
DOJ Prosecution Priorities
The Department of Justice prioritizes computer crime prosecution based on multiple factors that affect whether supply chain attacks receive prosecutorial attention.
Priority factors:
- Scale of harm: Attacks affecting many victims or causing significant financial damage receive priority
- Critical infrastructure impact: Attacks on healthcare, energy, financial systems, or government receive elevated attention
- National security implications: State-sponsored attacks are high priority regardless of financial impact
- Attribution confidence: Cases with clear attribution are more likely to proceed
- Deterrence value: Novel attack methods or prominent targets may warrant prosecution for deterrent effect
Cyber unit focus areas:
DOJ's Computer Crime and Intellectual Property Section (CCIPS) and the National Security Division's Cyber Section (NatSec Cyber) focus on:
- Nation-state cyber threats
- Ransomware operations
- Critical infrastructure attacks
- Large-scale data breaches
Supply chain attacks increasingly receive attention given their scale and potential for critical infrastructure impact.
Resource constraints:
Federal prosecutors handle substantial caseloads, and not all reported cyber crimes result in prosecution. Factors affecting case acceptance include:
- Strength of evidence
- Availability of witnesses
- Complexity relative to resources
- Competing priorities
- Likelihood of meaningful outcome
Organizations reporting supply chain attacks should have realistic expectations—even meritorious referrals may not result in prosecution given resource constraints and competing priorities.
Cooperation with Law Enforcement
Effective law enforcement cooperation requires balancing organizational interests with investigative needs.
Initial engagement:
When a supply chain attack warrants law enforcement involvement:
- Notify legal counsel before contacting law enforcement
- Identify appropriate agency: FBI Cyber Division for most significant incidents; local field office for initial contact
- Prepare initial briefing: Timeline, known impact, evidence preserved, response status
- Establish communication channels: Designate organizational contacts for ongoing coordination
Evidence preservation:
Law enforcement investigations require evidence that may conflict with operational recovery:
- System images: Full forensic images of affected systems before remediation
- Log retention: Extended retention of security logs, access logs, network traffic
- Malware samples: Preserved copies of malicious code before deletion
- Chain of custody: Documentation supporting evidentiary use
Discuss evidence preservation requirements with law enforcement early to avoid destroying evidence needed for prosecution while pursuing recovery.
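Preservation only retains evidentiary value if you can later show that the images, logs and malware samples you kept are exactly what was collected. The script below is an added example (not part of this chapter and not an FBI or DOJ tool): it records a SHA-256 manifest for a set of preserved artifacts at collection time, with collector, case identifier and timestamp, and re-verifies the artifacts later, reporting each one as intact, modified or missing. The case identifier, collector name and file contents in `demo()` are constructed placeholders.

```python
"""Evidence hash manifest: record SHA-256 of preserved artifacts, then re-verify them.

Added example for chain-of-custody documentation. Hashes are recorded once at
collection time; any later verification that disagrees with the manifest shows
the artifact was altered (or lost) after collection.
"""
import datetime
import hashlib
import json
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large disk images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collected_by: str, case_id: str) -> dict:
    """Record path, size and hash for every artifact plus who collected it and when."""
    entries = []
    for path in paths:
        path = os.path.abspath(path)
        entries.append({
            "path": path,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        })
    return {
        "case_id": case_id,
        "collected_by": collected_by,
        "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "entries": entries,
    }


def verify_manifest(manifest: dict) -> dict:
    """Re-hash each artifact; map path -> 'ok', 'mismatch' or 'missing'."""
    results = {}
    for entry in manifest["entries"]:
        path = entry["path"]
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_file(path) == entry["sha256"]:
            results[path] = "ok"
        else:
            results[path] = "mismatch"
    return results


def demo() -> dict:
    """Constructed end-to-end run: three sample artifacts, one altered, one deleted."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    files = {}
    # Constructed placeholder contents; no real logs, samples or images.
    for name, content in (
        ("auth.log", b"constructed sample log line\n"),
        ("sample.bin", b"constructed malware sample placeholder"),
        ("disk.img", b"constructed image placeholder " * 100),
    ):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        files[name] = path

    manifest = build_manifest(files.values(),
                              collected_by="analyst-placeholder",
                              case_id="CASE-PLACEHOLDER")

    # Events after collection: the log keeps being written to, the sample is removed.
    with open(files["auth.log"], "ab") as fh:
        fh.write(b"late entry\n")
    os.remove(files["sample.bin"])

    results = verify_manifest(manifest)
    return {os.path.basename(p): status for p, status in results.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Write the manifest to a separate, write-protected location (or hand a signed copy to counsel) at collection time; a manifest stored next to the artifacts can be altered along with them. The `demo()` run shows the two failure modes that matter for prosecution: `auth.log` reports `mismatch` because it was written to after collection, and `sample.bin` reports `missing` because it was deleted during cleanup, while the untouched `disk.img` reports `ok`.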
Information sharing considerations:
Cooperation involves sharing sensitive information:
- Confidentiality: Discuss what information may become public through prosecution
- Victim notification timing: Coordinate disclosure timing with investigative needs
- Regulatory obligations: Ensure law enforcement cooperation doesn't conflict with regulatory requirements
- Privilege considerations: Maintain attorney-client privilege for legal advice
Request guidance on what can be publicly disclosed and when, as investigation requirements may affect disclosure timing.
FBI cooperation mechanisms:
The FBI offers structured cooperation through:
- InfraGard: Public-private partnership for infrastructure protection
- Cyber Task Forces: Multi-agency task forces in major metropolitan areas
- CISA coordination: CISA may facilitate FBI engagement for significant incidents
- IC3 reporting: Internet Crime Complaint Center for cyber-enabled crime reporting
Established relationships through these mechanisms facilitate cooperation when incidents occur.
Victim Rights and Participation
Organizations victimized by supply chain attacks have rights in criminal proceedings, though participation requires ongoing engagement.
Victim notification:
The Crime Victims' Rights Act (CVRA) provides victims of federal crimes rights including:
- Notification of proceedings and case status
- Opportunity to be heard at public proceedings
- Consultation with prosecutors about case disposition
- Restitution where appropriate
To receive notifications, victims must register with the prosecutor's office or victim-witness coordinator.
Restitution:
Criminal restitution may provide partial recovery for victim losses:
- Courts may order defendants to pay restitution for provable losses
- Restitution is mandatory for certain offenses
- Collection depends on defendant's assets and ability to pay
- Restitution is subordinate to fines and may be uncollectible
As a practical matter, restitution from cybercriminals—particularly international actors—is often uncollectible. Organizations should not depend on criminal restitution for financial recovery.
Criminal referral decision factors:
Organizations should consider criminal referral when:
- Attack scale warrants federal attention
- Evidence supports attribution
- Continued threat exists that law enforcement can address
- Organization can commit resources to cooperation
- Prosecution aligns with organizational interests
Referral may not be appropriate when:
- Incident is minor or self-contained
- Evidence is insufficient for investigation
- Disclosure concerns outweigh prosecution benefits
- Resources are unavailable for extended cooperation
Recommendations
We recommend organizations prepare for potential criminal dimensions of supply chain incidents:
- Establish law enforcement relationships before incidents through InfraGard, Cyber Task Forces, or CISA partnerships
- Include criminal considerations in incident response plans, addressing evidence preservation and law enforcement notification
- Engage legal counsel early when incidents may warrant criminal referral
- Preserve evidence rigorously following forensic best practices to maintain evidentiary value
- Coordinate disclosure timing with law enforcement when investigations are active
- Register for victim notification if prosecution proceeds, to maintain awareness of case status
- Maintain realistic expectations about prosecution likelihood and restitution collectability
- Document cooperation to demonstrate organizational good faith regardless of prosecution outcome
Criminal prosecution serves both justice and deterrence functions. Organizations that cooperate effectively with law enforcement contribute to ecosystem security even when individual cases don't result in conviction.