Authored By: Nomfundo Mtungwa
Abstract
In the US, cybercrimes have caused losses of billions of dollars and unstable economic security. Rapid technical development and greater digital connectivity have led to an increase in the complexity and scope of cyberthreats. Since the victims are now numerous and include people from governments, businesses, and schools, it has become concerning. Ransomware attacks are a common, dangerous type of cybercrime, because of the lucrative targets (such as healthcare and critical infrastructure), vulnerable legacy systems, widespread use of RDP, high potential for profit, and sophisticated, easily accessible tools that lower the barrier for criminals.
In an era of fast technical advancement, this article ends with recommendations for reforms to bolster cybercrime law.
Introduction
Due to sophisticated threats from criminal syndicates and state actors as well as digital interconnectivity, cybercrime has become a national security requirement in the United States. The FBI’s Internet Crime Complaint Centre (IC3) published an annual report in 2024 that described a record-breaking year for cyber-enabled crime in the US. According to the report, over 859,000 complaints resulted in claimed losses of USD 16.6 billion, a 33% increase over 2023.
The growing stakes are demonstrated by notable events, such as the 1988 Morris Worm, which infected 10% of computers with internet access, and the 2024 Change Healthcare ransomware, which exposed the data of 190 million Americans.
In response, the US adopted a number of federal laws and created enforcement strategies to fight cybercrime. Despite these initiatives, problems still exist because of jurisdictional complexity, antiquated laws, and the rapidly changing nature of technology.
This article analyses at the present state of cybercrime laws in the US, evaluates significant court rulings that have influenced enforcement, pointed out important legal protection gaps, and suggested changes that are required to build an effective legal framework for thwarting cyberthreats in the digital era.
Research Methodology
This article examines the legal framework governing cybercrime in the United States using a doctrinal and analytical research approach. This qualitative research examines main and secondary legal sources to analyze court interpretation, enforcement issues, and cybercrime laws.
The primary sources are federal statutes such as the Computer Fraud and Abuse Act (1986) and related laws including the Identity Theft and Assumption Deterrence Act, Electronic Communications Privacy Act, and Economic Espionage Act, as well as Fourth Amendment cases on digital searches to define constitutional limits in cybercrime investigations. The judicial rulings examined range from the Supreme Court’s Van Buren v. United States (2021) to federal circuit and district court decisions, highlighting legal interpretations, circuit divisions and practical prosecutorial issues. Executive Order 14028, DOJ and DHS policy guidelines, as well as threat assessments from the Cybersecurity and Infrastructure Security Agency that outline enforcement objectives are among the executive items that were reviewed. Secondary sources include government reports from the Congressional Research Service, GAO, along with the FBI’s Internet Crime Complaint Centre that provide concrete information, academic law review articles on cybercrime and privacy, along with business cybersecurity reports that offer technical and financial context on threats and attacks.
Main body
Legal framework
The Computer Fraud and Abuse Act (CFAA) of 1986, which made unauthorized access to computer systems illegal, is the primary component of legislation for addressing cybercrime in the United States. The CFAA was originally established to safeguard government and financial organizations, but it has subsequently grown to include a wide variety of activities, such as spreading harmful software, acquiring information, and exceeding authorized access.
Numerous interpretation disputes have resulted from the CFAA’s expansive language. For instance, it makes breaching a website’s terms of service or hacking into a computer system illegal, which raises worries about overcriminalization and its potential suppress free expression and legitimate research. Its reach has been expanded over time by amendments like the 1996 and 2008 adjustments, but fundamental concerns remain unresolved.
The Identity Theft and Assumption Deterrence Act (1998), which targets identity theft and fraudulent use of personal information, along with the Electronic Communications Privacy Act (ECPA) of 1986, which regulates access as well as interception of electronic communications, are two other pertinent laws. Cross-border law enforcement cooperation is made easier by the U.S. Constitution’s Commerce Clause, which establishes federal jurisdiction over interstate and international cybercrimes.
Furthermore, by highlighting the gravity of some crimes and directing the authority of the courts, the Federal Sentencing Guidelines have an impact on the prosecution and sentencing of cybercriminals.
Judicial interpretation
The manner in which cybercrime laws are applied in the US has been greatly influenced by judicial interpretation.Van Buren v. United States (2021), in which the Supreme Court limited the meaning of “exceeds authorized access” under the CFAA, is one of the most important cases. The Court ruled that the CFAA is not always violated by people who have authorized access to a system but misuse it for unlawful purposes. This ruling defined the Act’s parameters and restricted prosecution overreach.
In one of the first cybercrime cases, United States v. Morris (1991), the court upheld the defendant’s conviction for releasing a computer worm that tampered with internet operations. This case established an example for criminalizing the spread of malicious code by individuals.
In general, courts have taken a careful stance, striking a balance between defending civil rights, especially the right to privacy and freedom of expression, and enforcing cybersecurity regulations.
Critical Analysis: Challenges in combating cybercrime
The Computer Fraud and Abuse Act (CFAA) of 1986 is a major tool used by the US to fight cybercrime, although its impact is compromised by ongoing flaws. The ambiguity of “unauthorized access,” which results in uneven court decisions, the possibility of overcriminalization, and discussions of constitutional vagueness are important concerns. Deepfakes, supply chain hacks, and ransomware are examples of how quickly technology is evolving, outpacing updates and leaving gaps in the law. Despite international agreements, issues are complicated by jurisdictional disputes between states, federal levels, and boundaries.
Enforcement yields uneven results: many offences avoid prosecution because of offender expertise, privacy, and cross-border difficulties, while large hacker achievements require tremendous resources. Due to liability concerns, broad CFAA interpretations restrict cybersecurity research and discourage vulnerability reporting.
The ambiguity of the U.S. model makes it less clear for courts and enforcement than South Africa’s Cybercrimes Act, which uses explicit wording to specify offences including cyber harassment and data breaches.
The CLOUD Act enabling cross-border data access, the National Cybersecurity Strategy for public-private collaboration and funding, as well as membership in the Budapest Convention are examples of reforms. However, a thorough CFAA revision is delayed, resulting in problems unsolved. Definitional vagueness—such as unclear interpretations of “unauthorized access” under the CFAA—as well as jurisdictional complexity in cross-border crimes and inefficiencies in technology when rapid advances, such as AI-driven attacks, exceed statutory restrictions, plague US cybercrime legislation. Clearer definitions, strengthening capacities for enforcement agencies, and worldwide cooperation are all important reforms. South Africa’s Cybercrimes Act of 2020 is an example of precision, with tailored legislation to address such situations.
Recent Developments
Whilst comprehensive reform of the Computer Fraud and Abuse Act (CFAA) is still unobtainable, the past two years have witnessed increased legislative, executive, and law enforcement activity addressing increasing cybercrime risks in the United States. The ongoing application of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a significant regulatory development. Official laws requiring covered critical infrastructure firms to report severe cyber events within 72 hours are expected to be published by the Cybersecurity and Infrastructure Security Agency (CISA) by late 2025. Notwithstanding the delays, this system signifies a major change towards centralized government control of cyber events and mandated openness.
Numerous legislative proposals have been driven by the growth of cybercrime enabled by artificial intelligence. Signed into law in May 2025, the TAKE IT DOWN Act creates national criminal liability for the harmful dissemination of non-consensual intimate photos, including deepfakes created by artificial intelligence. In addition, the nonpartisan NO FAKES Act (2024) offers civil consequences for unauthorized use and federal protection of people’s rights over their voice and likeness. Additional requirements for openness and criminal penalties for deepfake content used to deceive or injure people will be imposed by the proposed DEEPFAKES Accountability Act.
State legislators have addressed AI-related risks at a faster pace. By the beginning of 2024, more than 400 bills pertaining to AI had been submitted in more than forty states. Ten states prohibited deepfakes in political campaigns, while fourteen states established legislation making non-consensual sexual deepfakes illegal. The establishment of extensive protections against AI-generated impersonation by Tennessee’s ELVIS Act was a major milestone.
A significant part has also been played by executive action. The Department of Homeland Security was instructed to synchronize cybersecurity standards across federal agencies by April 2025 by National Security Memorandum-22 (April 2024), which addressed recurring concerns about redundant and contradictory compliance requirements. Although implementation is still ongoing, prior DHS proposals from September 2023 were intended to simplify cyber event reporting. Additionally, by creating the Cyber Safety Review Board and establishing baseline security standards for federal software, Executive Order 14028 made cybersecurity a top national security priority. Technology firms were further pushed to include security into product development under CISA’s Secure by Design initiative (2024).
Cybercrime enabled by cryptocurrencies is the subject of growing law law enforcement initiatives. The National Cryptocurrency Enforcement Team of the Department of Justice has increased its efforts to combat crypto-based money laundering, dark web marketplaces, and ransomware payments. The Office of Foreign Assets Control (OFAC) under the Treasury Department has placed penalties against organizations that support ransomware activities; however, the fraudulent nature of bitcoin systems limits the efficacy of such restrictions.
The state of cyber threats has significantly worsened. From 95 cases in 2023–2024 to 322 in the following year, ransomware attacks against government bodies surged by 235 %. Attacks in the healthcare and education sectors increased by 115% and 26%, respectively, with 672 victims reported. Early in 2024, the average ransom demand was USD 5.2 million; in March, a record USD 75 million payment was announced. The national disruption of prescription services caused by the Change Healthcare attack in February 2024 serves as an example of the systemic threats associated with cyberattacks on key infrastructure. Persistent supply-chain vulnerabilities were highlighted in December 2024 when Chinese state-sponsored actors gained access to the U.S. Treasury Department through a third-party vendor.
The FBI cautions that paying ransoms feeds criminal ecosystems, and federal authorities continue to take a strong stand against doing so. Even so, organizations frequently pay to prevent operational disruption, and this guidance has no legally binding effect. While some jurisdictions, like New York, already require quick reporting of ransom payments, others are looking at complete restrictions.
Strategic Pathways forward
- Legislative reforms
A coordinated approach involving judicial adaptation, legislative reform, and active civil society participation is necessary given the dynamic nature of cybercrime in the United States. A diversified strategy is necessary to protect people, companies, and vital infrastructure while upholding fundamental rights as cyber threats become more sophisticated, therefore the Computer Fraud and Abuse Act (CFAA), should be the top priority for the US Congress. Amendments should provide a precise definition of “unauthorized access,” distinguish between minor and significant infractions, and safeguard security researchers who are acting honestly. To ensure uniform protection and minimize compliance obligations, uniform federal data breach notification rules should take the place of the current individual state patchwork.
The new issues raised by artificial intelligence and cryptocurrencies must also be addressed by legislators. Anti-money laundering requirements and methods for tracking illegal transactions should be included of regulatory frameworks for digital assets. Laws pertaining to AI should take into consideration its dual-use nature and set accountability guidelines to prevent abuse without restricting innovation.
- Judicial role
In order to effectively enforce cybercrime laws and interpret them, the judiciary is essential. To efficiently address complicated digital matters, courts ought to consider about appointing specialized cybercrime benches or trained panels. Judges must consider modern innovations and cultural expectations when interpreting the CFAA and other statutes. To maintain Fourth Amendment rights and ensure fair trials, judges must undergo training in blockchain forensics, digital evidence, and deepfake detection. Additionally, restorative justice methods, such as victim compensation financed by confiscated digital assets, could be investigated by courts.
- Role of civil society
Civil society organizations play an important role in supporting balanced policies. To avoid overreach, privacy advocates must participate in legislative procedures. Educational institutions and nonprofits should broaden cybersecurity awareness initiatives for vulnerable demographics such as the elderly and small enterprises. Professional associations can provide ethical guidelines for security researchers and foster positive communication between technical professionals and policymakers. This type of relationship builds trust, encourages legitimate innovation, and strengthens the cybercrime legal system.
Conclusion
Cybercrime continues to pose a dynamic and diverse danger to the United States. Despite current laws, such as the CFAA, provide as a foundation, ambiguities, jurisdictional problems, and the rapid speed of technical change impede their effectiveness. Judicial interpretations have played a major part in establishing the limits of criminal responsibility, but they also highlight the need for legislative clarity and moderation.
A balanced strategy that incorporates judicial caution, technical investment, civil society involvement, and clear, flexible law is crucial going forth. To combat international cyber threats and safeguard digital rights, international collaboration and aggressive policy changes will be essential. The United States can only successfully fight cybercrime while defending the values of privacy, free speech, and development in the digital era with such an all-encompassing approach.
Reference(S):
• Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986)
• Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2522 (1986)
• United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)
• Carpenter v. United States, 138 S. Ct. 2206 (2018)
• Cybersecurity Information Sharing Act of 2015, Pub. L. No. 114-113
• Congressional Research Service, “Cybercrime and Cybersecurity: Issues for Congress,” 2020
• Smith, J., Cybercrime Law and Procedure in the United States, Oxford University Press, 2022
• Congressional hearings on ransomware and critical infrastructure, 2024
• Reports from the Department of Homeland Security on cybersecurity trends
