Future Tense

The Feds Love to Stack Charges When It Comes to Cybercrime

The many indictments of former CIA employee Joshua Schulte aren’t just about leaking information.

Stack of criminal charges.
Photo illustration by Slate. Photo by Thinkstock.

Earlier this week, the Justice Department announced that a grand jury had indicted former CIA employee Joshua Schulte for leaking classified information in 2016. While the indictment does not specify which leaks Schulte is tied to, several news organizations have reported that he provided the WikiLeaks Vault 7 documents, which comprised thousands of pages of classified material detailing the CIA’s cyber operations and digital surveillance efforts. Among other revelations, the documents showed the U.S. intelligence community making widespread use of existing or repurposed techniques and computer programs to carry out its own operations. Unfortunately, the indictment offers frustratingly few clues as to how the government believes Schulte, a 29-year-old former member of the CIA’s Engineering Development Group, carried out these leaks two years ago and how he was caught.

Vault 7, which was released by WikiLeaks beginning in 2017, included detailed descriptions of the CIA’s attempts to compromise iPhones, vehicle-control systems, Google’s Android operating system, Cisco routers, and other popular devices and software programs. Arguably, the most damaging element of these leaks, however, was the extent to which they showed the CIA relying on vulnerabilities purchased (or borrowed) from outside hackers to undertake these endeavors. This suggested both that the agency was failing to notify software and hardware vendors of many exploitable vulnerabilities available on the market and also that the CIA itself was not necessarily very technologically advanced and was instead forced to turn to outside sources for its hacking tools.

The process of bringing charges against him has been a lengthy one. Schulte was first arrested in 2017 on child pornography charges following a search of his New York apartment by federal authorities, who apparently believed he was leaking classified information. That search apparently failed to turn up sufficient evidence to charge him with that, but they did find a cache of child pornography on a server that Schulte maintains was accessed by many other people, although he did set it up initially in order to share movies and other files. The search of his devices also revealed that Schulte used Tor, the online anonymity routing service, but the investigators could not conclusively link his Tor activity to leaking classified information.

While Schulte was held on the child-pornography charges (to which he pleaded not guilty), investigators apparently made some headway in tying him to the Vault 7 leaks, paving the way for the more recent indictment, which lists 10 other charges against Schulte beyond the three for receipt, possession, and transport of child pornography.

This stacking of multiple different charges around computer-based crimes is not unique to Schulte’s case. In fact, it’s a feature of many cybercrime cases because of how complicated and subjective it can be to determine what constitutes one count of illegally accessing a computer without authorization or transmitting code. Aaron Swartz, for instance, was charged with 13 counts of criminal activity in the 2012 indictment filed against him following his downloading of millions of JSTOR articles through the MIT network.

The charges against Schulte are more varied—and less exclusively computer-based—than those brought against Swartz, but they tell a similar story about how easily charges can be piled on top of each other when government officials really want to throw the book at someone. For instance, the first three charges brought against Schulte in the indictment are illegal gathering of national-defense information, illegal transmission of lawfully possessed national-defense information, and illegal transmission of unlawfully possessed national-defense information. It’s telling that the same language is repeated over and over again in the indictment to describe these charges, especially the latter two.

The fourth count against Schulte moves into the realm of cybercrime with a charge of unauthorized access to a computer to obtain classified information (though, indeed, all of the previous charges presumably involved computers as well). A fifth count charges him with theft of government property, while a sixth charges him with unauthorized access of a computer to obtain information from a department or agency of the United States. A seventh alleges he caused the transmission of a harmful computer program, information, code, or command. The eighth and ninth counts focus on making false statements and obstruction of justice, respectively, while the 10th through 12th deal with the child pornography charges, and the 13th alleges criminal copyright infringement. That one stems from the server with copyright-infringing files of movies, TV shows, and music—something that seems almost laughable in the context of the much more serious charges.

To be clear, if Schulte was in fact behind the Vault 7 leaks, he most likely did all of these things (though the child pornography seems entirely unrelated to the leaks). But there’s still something a little unsettling about the way they’re enumerated as charges in this indictment, particularly the way the computer-based charges expand his alleged criminal activity. Why does leaking classified government information using a computer constitute more crimes than leaking classified government information on paper? Why bother listing as two separate crimes that Schulte committed an act of unauthorized computer access to obtain classified information (something that he could presumably only obtain from a government computer in the first place) and also committed an act of unauthorized computer access to obtain information from a department or agency of the U.S. government?

Even more confusing is the charge against Schulte for transmitting a “harmful computer program, information, code, or command.” As described in the indictment, that charge does not pertain to Schulte’s transmitting leaked materials detailing such programs or code, but rather to what he did to the computers he used to access the information he allegedly went on to leak. The indictment alleges that Schulte “altered a computer system operated by the U.S. Intelligence Agency for the purpose of granting himself access to the system, deleting records of his activities, and denying others access to the system.”

There’s an understandable inclination on the part of the government to want to punish Schulte, and other leakers, as severely as possible by piling as many crimes on his shoulders as they can think of. But that tendency is dangerous. Stacking cybercrime charges in redundant and overly aggressive ways serves only to detract from more serious criminal activity by turning the largely tangential computer use into a central focus of the indictment.