SAN FRANCISCO (CN) - A network engineer who locked administrators out of San Francisco's computer system for 12 days was properly ordered to pay $1.4 million in restitution, an appeals court ruled.
Prosecutors showed that Terry Childs hijacked the San Francisco FiberWAN network for 12 days in 2008 after years of contention between the city and its engineer. Concerns over possible layoffs, coupled with the discovery that Childs lied about his criminal background when he applied, led Childs to abscond with both network passwords and the backup configurations.
While no network service outages occurred during the 12 days Childs had locked the city out, no one could access the network to administer it, either. At the time, more than 65 city departments used the FiberWAN network.
In the end, Childs gave the network passwords and backups to then-mayor Gavin Newsom personally. San Francisco spent four months and $866,000 to recover the network, leading police to add a property loss enhancement to the charges against Childs.
At trial, prosecution witnesses underscored the city's folly in giving one man what Childs himself had called "the keys to the kingdom." Testifying in his defense, Childs admitted to hijacking the system but said he did so because he believed the city's tech department was too lax about security.
A jury convicted Childs of a single count of disrupting or denying computer services to an authorized user in April 2010. He was sentenced him to four years in prison and ordered to pay nearly $1.5 million in restitution.
Although Childs left prison in 2011 - having served much of his sentence prior to the conviction - he challenged both the judgment and the $1,485,791 restitution order. On appeal, Childs claimed that the disrupting or denying computer services charge applies only to hackers and not authorized employees.
Writing for a three-judge panel of the First Appellate District, Judge Timothy Reardon noted that, while several of California's computer crime laws require unpermitted access as an element, Childs' crime does not.
"The Legislature expressly stated its intent to protect against 'tampering, interference, damage, and unauthorized access to computers," Reardon wrote, citing the penal code. "Disrupting or denying computer services to an authorized user could reasonably be read to fall within 'interference' with computers, even without a showing of unauthorized access."
He continued: "When the Legislature defined the 'scope of employment' defense in 1999, this was intended to '[close] a loophole that allows disaffected employees to maliciously tamper with a company's database' and to discourage 'a malicious employee's victimization of an employer.' These legislative sources make clear that one effect of the 1999 amendments to the employment defense now set out in the law was to broaden its application beyond external hacking and to encompass employee misconduct. Since the amendments took effect in 2000, the scope of employment defense no longer shields employees from prosecution for acts that were not reasonably necessary to the performance of the employee's work assignment. This conclusion is also supported by the Legislature's 2000 expansion of the definition of 'injury' to a computer network to include the denial of access to a legitimate user."
The 68-page opinion notes that, while some courts have held against "making annoying or spiteful acts criminal offenses whenever a computer is used to accomplish them," Childs' case "involves employee computer misconduct that is anything but routine."
"The cited principle cannot reasonably be read to decriminalize the acts of a system administrator who used his computer expertise to lock out every other potential user and to wipe out system data if anyone other than him attempted to access his employer's computer system," Reardon wrote.
Childs argued that terms in the statute that led to his conviction - "without permission" and "disrupts or denies" - are unconstitutionally vague. In the case of the former, Childs had fair warning that his actions were without permission when city officials demanded the passwords and he refused to turn them over, the panel found.
"He refused the direct instruction of his supervisor to divulge information that his employer owned and had the right to know," Reardon wrote. "No reasonable person would have believed that Childs had the city's permission to refuse to provide officials with administrative access to the system it was responsible for running."
And Childs' refusals to let San Francisco back into its computer system "constituted multiple denials or disruptions," the panel added.
"The city had no ability to assign a new system administrator for the network. It could not remove Childs from ongoing access to the network," the opinion states. "It could not make administrative changes to the network, add new city departments or monitor its integrity from July 9 to July 21. In each of these ways, Childs denied computer services to the city within the meaning of the law."
Childs conceded that he might owe $380,000 for costs the city incurred during his 12-day lockout, but that the $1.1 million San Francisco spent afterward on new security systems were unrelated to his criminal conduct. The panel disagreed.
"Childs disputes that his conduct created a security breach requiring expensive redesign and remediation work," Reardon wrote. "He argues that when he was the system administrator, FiberWAN security was high, suggesting that no improved security was required after his removal. His argument ignores the obvious - that once he was no longer the system administrator, the risk that Childs himself might make what would then have become an unauthorized intrusion into the computer network was a risk that the city was reasonably required to assess, detect, and prevent in order to protect the integrity of the FiberWAN databases. The city was entitled to recover the expense of preserving the integrity of its network after Childs's criminal act highlighted the risks he posed to that network."
Despite the jury's conviction of Childs, one of its members placed equal blame on the city-county of San Francisco.
"We had a lot of sympathy for him," juror Jason Chilton, also a network engineer, told the San Francisco Chronicle after the conviction. "He was put in a position he should not have been put in. Management did everything they possibly could wrong. There was ineffective management, ineffective communication. I think that if they put the city on trial, they would be guilty, too."
Read the Top 8
Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.