Fall 2022

In Practice

From Pizzagate to Private Practice: Navigating Cybercrimes and Cybersecurity

By James Weir

Demian Ahn, ’03
Demian Ahn, ’03

For most news consumers, the Pizzagate conspiracy theory was unconvincing from the start—there was no credible evidence to support the idea that a Washington, DC, pizzeria was the hub of a child sex-trafficking ring. Nevertheless, the allegations gained traction in certain online circles and spread across major social platforms like Twitter and Facebook as well as lesser-known sites like 4chan. 

Months after the conspiracy theory first appeared online, a young man traveled to the restaurant to “investigate” for himself. He entered the restaurant carrying a sidearm and an assault rifle—causing the patrons and staff to flee—and eventually fired the AR-15 into the lock of a door behind which he believed the trafficked children were being held (it was a storage closet). No one was physically harmed in the incident, and the man was arrested on the scene and later sentenced to four years in prison. 

Demian Ahn, ’03, an assistant US attorney at the time, served as the lead prosecutor on the Pizzagate case. The intersection of radicalized online spaces and violent behavior in the real world was a natural fit for Ahn, who prosecuted violent crimes at the Department of Justice (DOJ) for five years before joining its newly established cybercrime section in 2015. 

Breaking new ground

Working in an emerging area of law meant that Ahn and his colleagues were often navigating uncharted territory and prosecuting cases with little in the way of established case law. To Ahn, this was part of the appeal.

“There was opportunity for more innovation in both the investigative side and the legal side, but certainly there’s risk if the court doesn’t like your theory,” he says. “To explore new areas and have room for creative problem solving was what made cyber in the US Attorney’s Office really great at an intellectual level.”

Ahn found satisfaction in “blazing a new path” and helping to establish precedent for future cyber prosecutions. One notable national security case involved former members of the US intelligence community who had gone on to work for a foreign government’s hacking operation. 

The defendants in the case had been providing defense contracting services overseas without the relevant State Department licenses, and they were involved in the creation and deployment of sophisticated hacking tools used by the foreign government’s intelligence-gathering operation. The regime not only tracked terrorists and other risk groups but also journalists who reported unfavorably on the government, human rights activists, and political dissidents. 

These hacking tools were able to illegally obtain access to devices in the United States and online accounts controlled by US companies—a violation of the Computer Fraud and Abuse Act (CFAA). The DOJ brought charges, and the case was resolved with a deferred prosecution agreement that included a seven-figure fine and limitations on the defendants’ future activities and employment.

“The important part for US policy was to establish that if you’re an American citizen and you want to go act as a mercenary hacker for foreign governments, you’re still subject to the law,” Ahn says. “That type of conduct is subject to export control laws and regulations, and the case established that you can also be charged under the CFAA.”

Precedent is particularly important in cybercrime cases because many of the statutes and regulations that apply to online behavior were written long before the internet developed into what it is today. These include the CFAA and the Electronic Communications Privacy Act, both of which were enacted in 1986. 

An evolving investigatory landscape

The nature of the internet has changed considerably in the intervening years—to put it mildly—and the laws weren’t written with a modern understanding of how individuals use the internet in their daily lives, how entities use it to conduct business, and how law enforcement uses it to investigate crimes. This leads to uncertainty around how the laws apply (or don’t) to certain activities. For law enforcement, that uncertainty can be difficult to navigate.

“The Department of Justice usually approaches evidence collection around these new areas in a pretty risk-averse fashion, but the same laws apply to all of the thousands of state and local law enforcement agencies around the country, and not all of them are approaching things in the same way,” Ahn says. “So the government is operating at its own peril because they’re doing what they think is okay under the law, but a court can say otherwise and then the investigation could be in trouble.” 

Similarly, federal export control laws—which seek to protect national security and aspects of international trade by regulating certain services and the transfer of some technologies overseas—can impose onerous restrictions on private enterprise. The laws lack a clear distinction between offensive and defensive hacking, for example, which can limit what companies can and cannot do with respect to some proprietary software and other tools they create.

“In the information security community, companies hire penetration testers and security professionals to hack their own networks to identify security vulnerabilities,” Ahn says. “To support that process, many of them create tools that help them do legitimate, legal hacking, and those tools are something that some companies would like to sell.” 

Clarity in this area could help innovative technology companies grow their business without having to worry that they are inadvertently violating the law. Ahn says that although the relevant laws have held up relatively well, new legislation would be helpful for law enforcement, the technology industry, and society at large. 

“Any new legislation needs to balance the interests of civil liberties and the need for effective law enforcement that can react quickly and collect evidence. And from the industry’s perspective, they want to know what the rules are so they can plan around them,” Ahn says. “This is an area of substance that is not ideological. Could Congress come up with something that would help? I think so, but we’ll have to wait and see.”

Advising on ever-shifting regulations

After nearly 12 years as a federal prosecutor, Ahn left the DOJ earlier this year to become of counsel in the Washington, DC, office of Wilson Sonsini Goodrich & Rosati, known for representing leading technology clients. Ahn’s practice will focus on helping companies understand and adjust to evolving cybersecurity laws and regulations, including federal and state regulations in the United States, as well as European Union and other international laws.

“For me, it was an opportune time to go to the private sector because there are some laws on the books with respect to cybersecurity, but more are coming, and regulators are becoming more aggressive with enforcement actions,” he says. “So companies who want to prepare themselves are well advised to seek counsel, as are information security professionals and other cybersecurity experts who want to make sure their activities are up to snuff.” 

The same principle applies to technology more generally, Ahn says. “Whether you are a tech firm or a traditional business that relies on internet- or cloud-based services, your privacy and security practices are more likely than ever to face regulatory scrutiny.”

After years of long-term investigations and working to gather evidence in support of successful prosecutions in the courtroom, Ahn notes that his new role has a different set of objectives. “The goal is keeping everybody out of the courthouse,” he says, “allowing them to focus on growing their companies and not having to worry about regulators.”