Prosecuting Cybercrimes: The Case for Making the Computer Fraud and Abuse Act a Predicate Act Under the Racketeer Influenced and Corrupt Organizations Act

During the first six months of 2021, financial services firms throughout the United States raised alarms concerning nearly $600 million of transactions that were flagged as suspected payments to perpetrators of ransomware attacks.[1] Meanwhile, the U.S. Department of Treasury identified another $5.2 billion of potential ransomware payments that were funneled through bitcoin transactions.[2] In total, global ransomware attacks were expected to have accounted for about $20 billion of loss in 2021[3] and are predicted to result in $265 billion of loss by 2031.[4] Ransomware is just one of twenty-four different categories of internet crimes identified by the Federal Bureau of Investigation (“FBI”) in its annual Internet Crime Report, and the figures cited in the report represent only a fraction of the total amount lost to cybercrime every year.[5] As the number of cybercriminals and the sophistication of their methods continue to grow and evolve, the true cost of cybercrime worldwide is estimated to reach a disastrous $10.5 trillion by 2025.[6]

[1] .D. 2023, University of Southern California Gould School of Law.
[2] Id.
[3] Steve Morgan, Cybercrime to Cost the World $10.5 Trillion Annually by 2025, Cybercrime Mag. (Nov. 13, 2020), http://www.cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021 [http://perma.cc/U266-HWZR].
[4] David Braue, Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031, Cybercrime Mag. (June 2, 2022), http://www.cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031 [http://perma.cc/CMT4-MCER].
[5] Fed. Bureau of Investigation, Internet Crime Report 2021, at 22 (2021) [hereinafter 2021 Internet Crime Report], http://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf [http://perma.cc/3HPR-MCQN].
[6] Morgan, supra note 3 (noting that the estimated $10.5 trillion loss includes not just monetary payments made directly to ransomware criminals but also costs associated with data destruction and damage, lost productivity, intellectual property theft, fraud, investigations, restoring damaged systems, and harm to reputation).

The scale and scope of cyberattacks have increased dramatically in recent years, spurred by a growing reliance on technology, increased connectivity among users, and the rise in popularity of virtual currency exchanges. Another contributing factor is that the very nature of cybercrime makes it difficult to block these attacks or punish those responsible. For example, cybercriminals frequently rely on a variety of techniques to hide their identities and evade detection by law enforcement, such as by operating out of the dark web or routing their activities through a virtual private network (“VPN”). The increasing use of virtual currencies also contributes to this problem by making it more difficult to trace monetary payments made by victims of cybercrime.

Prosecutions of cyberattacks have been constrained by decades-old statutes that are either inapplicable or insufficient to address rapidly changing social and technological environments that contribute to the proliferation of new cybercrimes. In addition to these challenges, many cybercriminals often reside in or flee to countries that are beyond the jurisdictional reach of the United States. In several widely publicized cases, cyberattacks were also believed to be sponsored by hostile foreign state actors. Unfortunately, many victims of these cybercrime attacks are reluctant to report them, usually due to the fact that while reporting an attack does little to address the harm caused, doing so may draw unwanted publicity or attention. Therefore, if the United States wishes to properly address the rise of cybercrime and its accompanying harm to the global economy, Congress must first pass legislation that would authorize the government to overcome these barriers and increase prosecutorial power over cybercrime.

One proposition that appeared before Congress was to expand the Racketeer Influenced and Corrupt Organizations (“RICO”) Act, codified in 18 U.S.C. §§ 1961–1968. This proposition was included in Section II of the International Cybercrime Prevention Act, which was originally presented in 2018 and was later reintroduced by a bipartisan group in June 2021.[7] After it was referred to the U.S. Senate Committee on the Judiciary, the bill stalled and ultimately failed to pass.[8] The status of the bill reflects the general shortage of political capital when it comes to prioritizing cybercrime despite the FBI’s characterization of “malicious cyber activity” as a threat to “the public’s safety and our national and economic security.”[9]

[7] International Cybercrime Prevention Act, S. 2139, 117th Cong. § 2 (2021).
[8] 117 Legislative Outlook S. 2139, Lexis+, http://plus.lexis.com/api/permalink/c5af9789-ac9a-4b89-979f-a062c35d96e6 [http://perma.cc/9SEB-ZUV2] (showing the bill’s failure to pass, even in the first committee).
[9] What We Investigate: Cyber Crime, Fed. Bureau of Investigation, http://www.fbi.gov/investigate/cyber [http://perma.cc/EL3B-TV9B].

To raise awareness about the threats posed by cybercrimes, this Note will analyze the proposal to expand RICO and, in particular, examine the benefits of making a violation of the Computer Fraud and Abuse Act (“CFAA”) a predicate act for RICO offenses. While a few successful prosecutions of organized cybercrime rings have already been brought under RICO, this Note will evaluate the limitations of those prosecutions when it comes to computer crimes. The Note will conclude that despite the many challenges associated with tackling cybercrime, the constructive application of RICO carries great potential in prosecuting cybercriminals.

Part I of this Note provides the historical context behind RICO and examines its role in the downfall of the American Mafia. It specifically looks at the provisions in RICO that uniquely positioned it for prosecuting organized crime groups as well as legitimate business enterprises that violated state and federal laws. Part II provides an analysis of how RICO applied to traditional organized crime groups and how cybercrime groups can fall under its broad definition of “enterprise.” It also provides further context on the rise of cybercrime and introduces examples of RICO charges that were brought against two cybercrime enterprises. Part III introduces the CFAA and points to key provisions that could be used against cybercrime. It also seeks to address criticisms of the proposal to make violations of the CFAA a predicate act under RICO and evaluates key policy considerations involved in this discussion.
