
United States v. Grupe

UNITED STATES DISTRICT COURT DISTRICT OF MINNESOTA
Feb 8, 2018
Case No. 17-CR-0090(1) (PJS/DTS) (D. Minn. Feb. 8, 2018)

Opinion

UNITED STATES OF AMERICA, Plaintiff, v. CHRISTOPHER VICTOR GRUPE, Defendant.

Aaron R. Cooper, UNITED STATES DEPARTMENT OF JUSTICE; Timothy C. Rank, UNITED STATES ATTORNEY'S OFFICE, for plaintiff. Tor Ekeland, Frederic B. Jennings, and Amanda Grannis, TOR EKELAND LAW, PLLC; and Daniel Mohs, for defendant.


ORDER

Defendant Christopher Grupe was convicted by a jury of one count of intentional damage to a protected computer in violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i). This matter is before the Court on Grupe's motion for acquittal or, in the alternative, a new trial. For the reasons that follow, the motion is denied.

I. BACKGROUND

From September 2013 to December 2015, Grupe was a senior network design engineer for Canadian Pacific Railway ("CP"). Trial Tr. ("TT") 16-17. In early December 2015, Grupe was working on a network upgrade at CP's Nahant Yard, a major diesel servicing yard in Davenport, Iowa. TT 19-20, 27. The cutover to the new system (which required taking down the existing system) was scheduled to take place during a "change window" starting at 8:00 pm on December 3. TT 20-23. Grupe had requested that the change window be moved to December 2, but senior management denied his request. TT 31.

Grupe nevertheless decided on his own to proceed with the upgrade on December 2. In so doing, Grupe caused an unexpected outage that Grupe's supervisor, Ernest Seguin, had to rectify. TT 19, 26-27, 31-32. After restoring service, Seguin instructed Grupe that the two of them would upgrade the system together during the scheduled change window on December 3 and that Grupe should not proceed by himself. TT 34-35. Seguin was concerned that there was an underlying problem in the system and believed that the upgrade might not be successful. Seguin wanted to work with Grupe so that, in the event of a problem, Seguin could quickly restore the existing service. TT 34-35. Seguin also reminded Grupe that making changes outside of the scheduled change window would be cause for termination. TT 34-35.

Despite that warning, Grupe again disregarded Seguin's instructions and again tried to upgrade the system on his own. TT 37-40. As Seguin had anticipated, the upgrade caused problems. TT 38. After Grupe ignored Seguin's multiple attempts to contact him (including through the on-site project manager), Seguin told the on-site project manager that he was going to have Grupe escorted from the property by CP police. TT 40-45. That got Grupe's attention. Grupe finally called Seguin and was verbally abusive to Seguin on the phone. TT 45-46 ("And then he broke into a state of profanities and started literally yelling and screaming on the phone about unrelated things like you Canadians don't know how to run a railway. It went on for quite awhile, very loud, very profane.").

At the end of the call, Seguin suspended Grupe, although the two continued to work with other CP employees to complete the upgrade. TT 47, 51, 54-56. Seguin later told Grupe to stay off CP property during his suspension. TT 61. Seguin also took steps to suspend Grupe's computer accounts and building access. TT 63-64. Yet again, Grupe disregarded Seguin's instructions, this time by showing up on CP property and communicating with on-site CP staff. TT 70-71.

On December 15, CP informed Grupe that he was being terminated. TT 75-78. CP instructed Grupe to return all company property, including his laptop and building-access cards. TT 79-80, 82. On December 17, shortly before returning his laptop, Grupe used the laptop to log in to two of CP's network switches. These switches—located in Calgary, Alberta, and referred to as the "Ogden switches"—function as "the central nerve center for all data and voice traffic through" CP's computer network. TT 93; see also TT 11, 91. CP network engineers use administrative-level accounts to access the switches to reconfigure them to accommodate new applications, diagnose and fix problems with the network, and perform other tasks. TT 100. Grupe deleted two administrative-level accounts (including an account that he had created for himself without authorization) and changed the password for the main administrative ("admin") account that CP employees use to access and administer the switches. TT 127, 131-35, 170-71, 174, 183, 332-43.

At Grupe's request, CP allowed him to characterize his termination as a resignation. TT 80.

On January 6, 2016, a CP employee tried and failed to log in to the switches using the admin account. TT 90, 95, 101-02, 312. The issue escalated up the chain of command until it became an "all hands on deck" situation. TT 499, 556-57. CP employees investigated whether someone had changed the password and whether there was another way to log in to the switches. TT 100-02. As part of the investigation, Thomas Gurney, another network design engineer, called Grupe to ask if he knew of any previous passwords that would get them into the switch. They talked for about a half an hour, trying various combinations of passwords, none of which worked. TT 322-23. Grupe did not tell Gurney that he had changed the password for the admin account—nor, of course, did Grupe give the new password to Gurney. TT 358.

Eventually, CP determined that its only option was to manually power off and reboot the switches in the hope that the admin password would reset itself. TT 103. The following evening (January 7), CP rebooted each of the two switches, a process that took approximately 45 to 60 minutes. TT 115, 153, 178, 197. The reboot was successful, and CP regained administrative access to the switches. TT 115.

In the wake of this incident, CP retained CrowdStrike, an information-security firm, to investigate. TT 246, 249, 557, 664. CP was already using a CrowdStrike product called FalconHost to monitor the computers used by CP employees. TT 248-49. CP's and CrowdStrike's investigation identified Grupe as the likely culprit.

II. ANALYSIS

A. Motion for Acquittal

Under Fed. R. Crim. P. 29, "the court on the defendant's motion must enter a judgment of acquittal of any offense for which the evidence is insufficient to sustain a conviction." In considering a Rule 29 motion for acquittal, the court must view the evidence in the light most favorable to the government, resolve all evidentiary conflicts in the government's favor, and accept all reasonable inferences drawn from the evidence that support the jury's verdict. United States v. Cook, 603 F.3d 434, 437 (8th Cir. 2010). The motion should be granted only if no reasonable jury could have found the defendant guilty. Id.

Grupe was charged with causing intentional damage to a protected computer in violation of the CFAA, 18 U.S.C. § 1030(a)(5)(A) and (c)(4)(B)(i). As the Court instructed the jury, the elements of this offense are as follows: (1) the defendant knowingly caused the transmission of a program, code, or command to a protected computer; (2) the defendant acted without authorization; (3) the transmission caused damage to the protected computer; and (4) the defendant intended to damage the protected computer. ECF No. 61 at 6. After finding Grupe guilty, the jury further found that Grupe's offense caused a "loss to 1 or more persons . . . aggregating at least $5,000 in value," as is necessary for a felony-level offense. See 18 U.S.C. § 1030(c)(4)(B)(i) (incorporating § 1030(c)(4)(A)(i)(I), which imposes a $5,000 loss requirement).

Grupe argues that there is insufficient evidence to support his conviction. Specifically, Grupe argues that there is insufficient evidence to prove that he either caused or intended to cause "damage" within the meaning of the CFAA; that the network switches are "computers" within the meaning of the CFAA; or that his offense caused at least $5,000 in loss. The Court considers each argument in turn.

1. Damage

Under 18 U.S.C. § 1030(e)(8), "'damage' means any impairment to the integrity or availability of data, a program, a system, or information[.]" Under the plain meaning of the statute, CP's inability to log in to the switches from December 17, 2015 until January 7, 2016 constituted "damage." Cf. United States v. Millot, 433 F.3d 1057 (8th Cir. 2006) (affirming conviction under the CFAA where defendant deleted a manager's account that was eventually restored).

Grupe nevertheless argues that no rational jury could have concluded that he caused damage because CP was able to reboot the switches and regain administrative access. As the government notes, however, the definition does not require the permanent destruction of data or denial of access; instead, the definition includes "any impairment to the . . . availability of data, a program, a system, or information[.]" (Emphasis added.) Without doubt, Grupe impaired the availability of data, a program, a system, or information.

Grupe cites to cases in which courts have held that merely accessing confidential information is not "damage" under this definition. See, e.g., Farmers Ins. Exch. v. Auto Club Grp., 823 F. Supp. 2d 847, 852-53 (N.D. Ill. 2011). These cases are inapposite, though, as Grupe did far more than merely access information. Grupe deleted two accounts and changed the password for a third.

Grupe also cites to three cases in which former employees deleted emails or other data, but the court nevertheless found no damage. All three of these cases are distinguishable, however. In Instant Technology, LLC v. Defazio, the district court found, as a factual matter after a bench trial, that there was no damage because the emails that the defendant had deleted were readily accessible in the system's trash folder and on the plaintiff's server. 40 F. Supp. 3d 989, 1019 (N.D. Ill. 2014), aff'd, 793 F.3d 748 (7th Cir. 2015). In other words, Instant Technology relied on the fact that, although the location of the emails had changed, the emails remained readily accessible at all times. Here, by contrast, CP could not access the switches until after it performed a complex and risky reboot procedure.

The Seventh Circuit affirmed the district court's judgment, but it did not mention the deleted emails nor discuss the CFAA's definition of "damage."

The second case, Devon Energy Corp. v. Westacott, is even less relevant. In that case, the defendant claimed that he intended to delete only his personal files, that any deletion of other files was accidental, and that he thought that his employer had backup copies of his work product. No. 09-1689, 2011 WL 1157334, at *11 (S.D. Tex. Mar. 24, 2011). The court simply found that there was a dispute of fact concerning the defendant's intent and noted, in passing, that the plaintiff did not dispute that there would be no damage if the files were in fact "easily accessible" on its network. Id.

Finally, in Cheney v. IPD Analytics, L.L.C., the district court dismissed a CFAA claim because, although the plaintiff had alleged that the defendant had deleted computer files, the plaintiff failed to allege that the deleted data was unavailable through other means. No. 08-23188, 2009 WL 1298405, at *6 (S.D. Fla. Apr. 16, 2009), report and recommendation adopted, 2009 WL 2096236 (S.D. Fla. May 8, 2009). Here, the government proved that the data, programs, systems, and information on the switches were unavailable to CP through other means. Setting that aside, to the extent that Cheney can be read to require the permanent deletion of data, the Court does not find it persuasive as such an interpretation would conflict with the plain language of the statute.

Grupe also argues that CP was never actually locked out of the switches because there were other administrative accounts through which CP could have accessed the switches. Grupe contends that it was CP's own fault that it could not access the switches because it did not maintain a centralized list of administrative accounts. The jury could rationally have found, however, that there were no such accounts. After CP discovered that it could not access the switches through the admin account, CP quickly escalated its response up through several levels of management. It was an "all hands on deck" situation and multiple employees attempted to find a way to log in to the switches—including by contacting Grupe, who hid the fact that he had changed the password to the admin account. CP clearly wanted to avoid rebooting the switches because of the risk that it would lose crucial data. A reasonable jury could have concluded that, had there been some other account through which CP could have accessed the switches, CP would have discovered it before it concluded that its only option was to reboot the switches.

Grupe cites evidence of an alternative, functioning "cp admin" account, see ECF No. 78 at 9 (citing TT 232-35, which discusses a "cp admin" account), but there was also evidence that Grupe himself deleted a "cp admin" account, see TT 332-43.

Setting that aside, even if there had been an account that could have been used to gain access to the switches if only CP had known about it, that does not mean that Grupe did not cause damage. The account for which Grupe deleted the password was the main administrative account through which CP administered the switches, and a reasonable jury could have found that CP did everything it could to gain access to the switches before undertaking the reboot procedure. As a factual matter, the availability of the data, programs, networks, and information on the switches was clearly impaired by Grupe's actions, and the jury was reasonable in so finding.

2. Intent

Grupe argues that no reasonable jury could have found that he intended to cause damage. This argument appears to depend on Grupe's claim that he did not in fact cause any damage, a claim that the Court has already rejected. As a result, Grupe's argument about intent boils down to a claim that, because he could have caused worse damage, he lacked the intent to cause any damage. This is obviously a non-sequitur. The jury could and did rationally conclude that Grupe intended to cause the damage that he caused—that is, the impairment of the availability of data, programs, systems, and information. And as the government notes, it is clear that Grupe did not act accidentally; he executed a series of commands to deliberately delete accounts and change a password. Moreover, there is ample evidence that Grupe was a hothead who was angry about his termination and thus had a motive to harm CP. Finally, there was evidence that Grupe attempted to cover his tracks. A reasonable jury could easily have found that Grupe intended to cause damage.

3. Computer

The CFAA defines a "computer" as follows:

[T]he term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device[.]
18 U.S.C. § 1030(e)(1). This is an "exceedingly broad" definition that "captures any device that makes use of a[n] electronic data processor, examples of which are legion." United States v. Kramer, 631 F.3d 900, 902 (8th Cir. 2011) (holding that a cellular phone is a "computer" within the meaning of the CFAA).

Grupe argues that the government failed to introduce sufficient evidence that the switches meet this definition. The Court disagrees. The jury heard a great deal of testimony from which they could have rationally concluded that the switches are "high speed data processing device[s]" that perform "logical, arithmetic, or storage functions." At the very least, the jury could rationally have concluded that the switches are a "data storage facility or communications facility directly related to or operating in conjunction with" such a device. See TT 8 (a switch is a "key part of a computer network," "the traffic handler for all the network traffic from the user's workstation to the servers and back," and "directs the data flows"); TT 92 (the switches are the "nerve center of the data center"); TT 93 (the switch is a "very large, very fast computer—that basically is the central nerve center for all data and voice traffic through the CP environment" and "basically connects all of the servers, all of the applications through which those servers work, and all the telecommunications gear to all of the sites within the network"); TT 100 (the switches are "the nerve center of all the data and phone communication for Canadian Pacific Railway"); TT 116-17 (the switches are the "center of all the data for the Canadian Pacific Railway" and if they logged everything they did, it would be crippling); TT 291 (switches are the hub through which data is disbursed across the network).

Grupe contends that the switches are more like "an automated typewriter or typesetter, a portable hand held calculator, or other similar device," which are carved out from the definition of "computer." The Court thinks not. The switches control the flow of data across a vast computer network; they are nothing like automated typewriters or hand-held calculators. There was sufficient evidence for the jury to have concluded that the switches met the CFAA's definition of "computer."

4. Loss

To be convicted of a felony-level offense, Grupe had to have caused at least $5,000 in "loss." 18 U.S.C. § 1030(c)(4)(A)(i)(I).

"[L]oss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]
18 U.S.C. § 1030(e)(11). Grupe argues that a cost cannot count as a "loss" unless it was "incurred because of interruption of service." He further argues that, even if a loss need not be the result of an interruption of service, there was insufficient evidence from which the jury could have concluded that there was at least $5,000 in loss. The Court considers each argument in turn.

a. Interruption in Service

Grupe argues that the qualifier "incurred because of interruption of service" applies to the entire definition of "loss." The Court disagrees, as does every federal appellate court that has addressed the issue. See Brown Jordan Int'l, Inc. v. Carmicle, 846 F.3d 1167, 1173-74 (11th Cir. 2017); Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014); see also Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066 (9th Cir. 2016) (finding that plaintiff suffered "loss" in a case involving no interruption in service); A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009) (holding that costs of investigation were recoverable in case in which there was no interruption in service); Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App'x 559, 562 (2d Cir. 2006) ("As the district court correctly recognized, the plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an 'interruption in service.'").

As the Eleventh Circuit explained,

The plain language of the statutory definition includes two separate types of loss: (1) reasonable costs incurred in connection with such activities as responding to a violation, assessing the damage done, and restoring the affected data, program[,] system, or information to its condition prior to the violation; and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. See 18 U.S.C. § 1030(e)(11). The statute is written in the disjunctive, making the first type of loss independent of an interruption of service. Yoder, 774 F.3d at 1073. Contrary to the assertion of the court in Continental Group, this interpretation does not reduce "interruption of service" to surplusage. See Cont'l Grp., 622 F. Supp. 2d at 1371. "Loss" includes the direct costs of responding to the violation in the first portion of the definition, and consequential damages resulting from interruption of service in the second. Thus, under a plain reading of the statute, [plaintiff]'s loss from [defendant]'s violation of the CFAA does not need to be related to an interruption of service in order to be compensable.
Brown Jordan Int'l, Inc., 846 F.3d at 1174. The Court agrees with this analysis, and accordingly rejects Grupe's argument that there can be no "loss" without an interruption in service.

Grupe nevertheless argues that, because some lower courts have agreed with his interpretation, the definition of "loss" is necessarily ambiguous and the Court is therefore obligated to interpret it narrowly under the rule of lenity. As the Supreme Court has explained, though, "this argument misconstrues the doctrine." Moskal v. United States, 498 U.S. 103, 107-08 (1990) ("[W]e have declined to deem a statute 'ambiguous' for purposes of lenity merely because it was possible to articulate a construction more narrow than that urged by the Government. . . . Nor have we deemed a division of judicial authority automatically sufficient to trigger lenity."). It is possible to parse the definition of "loss" to favor Grupe's interpretation, but the far more natural and far better reading is that the phrase "incurred because of interruption of service" applies to only the consequential-damages clause. The Court therefore holds that costs incurred by CP to investigate and respond to Grupe's offense constitute "loss" under the CFAA.

b. Amount of Loss

Grupe next argues that there was insufficient evidence to allow a reasonable jury to find that his offense caused at least $5,000 in loss to CP. The Court disagrees. There was, in fact, ample evidence that CP's loss exceeded $5,000, starting with the fact that CrowdStrike charged CP $12,000 for its incident-response report. TT 463-65; Gov't Ex. 87. Grupe contends that there is no evidence that CP actually paid this amount, but Tim Winn, CP's senior director for network services, testified that the "cost . . . of paying" for the CrowdStrike report was $12,000, TT 463, and that the "payment for CrowdStrike was $12,000." TT 464-65. Winn's testimony provided a sufficient basis for the jury to infer that CP actually paid that amount.

In addition, there was also testimony that the cost to CP of the staff time that it took to investigate the incident and reboot the switches exceeded $5,000. Winn testified that 12 employees spent 125 hours investigating and responding to Grupe's offense. TT 460-61. Winn calculated that this would have amounted to approximately $15,000 Canadian dollars, which he estimated would be around $12,000 in U.S. dollars. TT 461, 464.

Grupe derides this amount as "speculative," but detailed testimony concerning the time and resources that CP devoted to investigating and repairing the damage caused by Grupe fully corroborated Winn's testimony. See, e.g., TT 107, 500 (CP engaged in "much consultation with Cisco," the switch manufacturer, before undertaking the reboot); TT 109-11, 500 (CP staff had to spend time gathering back-up configurations and other information in case of problems during the reboot); TT 111-13 (multiple staff members participated in the reboot procedure); TT 116-17 (after CP regained access, staff had to ascertain the state and condition of the switches' configurations and review extensive log files); TT 175 (CP staff had to check to see if other devices had been tampered with); TT 180-81, 198-99, 200 (indicating that CP's investigation continued for some time after the reboot); TT 458-59 (about a dozen CP employees were involved in efforts to recover access and investigate the incident).

Grupe also argues that "loss" does not include the cost of hiring an expert to assist in litigation. That may be true, but there is no evidence that CP retained CrowdStrike or conducted its own investigation for the purpose of litigation. Rather, all evidence is that CP retained CrowdStrike and conducted its own investigation because it wanted to know how its system had been compromised. Obviously, CrowdStrike's and CP's investigations were useful to the government's case, but that alone cannot remove the associated costs from the definition of "loss." The definition explicitly includes "the cost of responding to an offense [and] conducting a damage assessment." Moreover, the Eighth Circuit has recognized that the imputed cost of an employee's time in responding to a CFAA offense against the employer may be counted as part of "loss." Millot, 433 F.3d at 1061. In short, there was more than sufficient evidence to support the jury's finding that CP incurred at least $5,000 in "loss."

C. Motion for a New Trial

Under Fed. R. Crim. P. 33, "the court may vacate any judgment and grant a new trial if the interest of justice so requires." "In ruling on a motion for a new trial, a district court need not view the evidence in the light most favorable to the verdict; it may weigh the evidence and evaluate for itself the credibility of the witnesses." United States v. Collier, 527 F.3d 695, 701 (8th Cir. 2008). But a motion for a new trial should be granted only where "the evidence preponderates sufficiently heavily against the verdict that a serious miscarriage of justice may have occurred . . . ." Id. (citation and quotations omitted). The court's authority to grant a new trial on the basis that the verdict is against the weight of the evidence must be "exercised sparingly and with caution." Id.

Although Grupe moves in the alternative for a new trial, he does not offer any explicit arguments in favor of his motion. Having presided over the trial, the Court has no doubt that Grupe is guilty of intentionally damaging a protected computer and causing at least $5,000 in loss. Because the evidence does not weigh against the verdict and no miscarriage of justice has occurred, Grupe's motion for a new trial is denied.

Grupe claims that CP failed to properly preserve all relevant electronic evidence, but does not claim that this would entitle him either to acquittal or to a new trial. Even if Grupe had made such a claim, the Court would reject it. The jury heard testimony on this issue and apparently rejected Grupe's argument that CP's alleged mishandling of the evidence rendered it unreliable.

ORDER

Based on the foregoing, and on all of the files, records, and proceedings herein, IT IS HEREBY ORDERED THAT defendant's motion for acquittal or, in the alternative, a new trial [ECF No. 71] is DENIED.

Dated: February 8, 2018

s/Patrick J. Schiltz

Patrick J. Schiltz

United States District Judge

