Introducing United States v. Jo Tiernee

Written By Multiple Authors

Fact Summary

By Nicholas Cotter & Christian Cotter
Case Committee Co-Chairs

Introduction

“BALLISTIC MISSILE THREAT INBOUND TO EMPIRION. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” At 12:12 p.m. on January 14, 2020, residents all across the island of Empirion looked at their phones in horror to see this message on their screens. Within seconds, statewide panic erupted. Empirions fled from work and school, searching anywhere for shelter. The highways looked more like parking lots, with cars bumper to bumper. The island’s sirens, intended for hurricane warnings, blared, adding to the chaos. Empirion residents and tourists alike held their breath, wondering if these next minutes would be their last.

But there was no missile. There was no danger at all.

38 minutes later, every phone screen on the island lit up once again: “There is no missile threat or danger to the State of Empirion. Repeat. False Alarm.”

State officials reported that at no time was there any indication that a nuclear attack had been launched on the United States. The Federal Bureau of Investigation’s Cybercrime Division announced that it had begun “a full investigation into the false missile alert in Empirion.”

The community’s emotions quickly turned from terror and confusion to anger and outrage. As the citizens of Empirion reflected on what had just happened, the federal government began an investigation to determine what had gone wrong. 

The FBI discovered that the Empirion State Department had contracted with local tech company EmpiCode to develop a state-wide emergency broadcasting system. But the false alarm was not sent from a government office. It was sent from EmpiCode headquarters. And company records show that there was an employee who was not in the office, but was logged in at the time of the breach. The employee: Jo Tiernee.

In the following days, Jo Tiernee was fired from EmpiCode and arrested by the FBI. A federal grand jury was empaneled and returned indictments alleging violations of the Computer Fraud and Abuse Act.

The Government’s Case: Tiernee’s Computer, Tiernee’s Crime 

Tiernee worked as an Application Developer at EmpiCode, a small tech start-up located in Empirion’s capital city, Pasquale. In 2019, EmpiCode was awarded a contract with the Empirion State Department to develop a state-wide emergency broadcasting system. The goal was to give state officials a way to send instant alerts to everyone on the island through their phones.

But while perfecting its software for the State Department, EmpiCode had neglected its internal network security, which was quickly becoming obsolete. As a result, many of the features on the website were not as secure as other modern systems. The age and obsolescence of the program became a common frustration for many employees, including Tiernee.

Tiernee knew about all of the problems with the company’s network, and knew they could be exploited. Through experimentation, Tiernee learned that by altering the numbers, letters, and words at the end of the company webpage’s URL, they could access the company’s internal network without entering a username or password. And Tiernee didn’t try to hide their knowledge – other employees at the company report that Tiernee showed them how to manipulate the web addresses to access different pages on the company’s internal online system.

The company’s computer network wasn’t Tiernee’s only frustration with EmpiCode. After years as a loyal employee, Tiernee aspired to become promoted to the role of Project Manager. But Tiernee’s promotion never came. As time passed, Tiernee’s tolerance and patience with company leadership was running short. In December 2019, Tiernee made one last effort and applied for the Project Manager position. The board rejected them again. Within minutes of receiving the news, Tiernee yelled at their superior, “this is the last bad decision you’ll ever make. You’re undervaluing your greatest asset. I’ll make you regret this.” They also complained to a friend, “They’re going to wish they went in a different direction when I’m finished there.” 

Just weeks after Tiernee’s failed attempt to secure a promotion, the company’s network was breached, resulting in the statewide emergency alert. In the aftermath of the panic, the FBI Cybercrimes Unit opened an investigation to determine whether the false alert was the result of foul play. Using IP address source tracing, agents found that the emergency alert command was sent from a location consistent with Tiernee’s – off the EmpiCode premises. And Tiernee’s work laptop was connected to the company VPN at the time the alert was issued.

The United States Attorneys for the District of Empirion are confident that they can prove their case to the jury through eyewitness testimony, the defendant’s admissions, computer forensic evidence, and a timely tip that identified Tiernee as a likely cause of the false alarm. After all, how can a defendant respond to such seemingly indisputable evidence?

Tiernee’s Defense: Flawed Infrastructure, Faulty Investigation, or Foreign Interference? 

Tiernee’s defense team has a different view. Tiernee has entered a plea of not guilty, maintained their innocence, and eschewed any notions of negotiating a plea. Now, Tiernee asserts their right to a speedy and public jury trial. And Tiernee isn’t going down without a fight.

First, the false alert may not have been issued with fraudulent intent. That’s because EmpiCode’s outdated security system brought with it an antiquated interface susceptible to both exploitation and error. Employees at EmpiCode often experienced issues with the network even while accessing it for routine, work-related tasks. Any given mistake in EmpiCode’s network was just as likely the result of user error as it was user abuse.

Second, the government’s investigation was narrow and incomprehensive. The defense criticizes the FBI for looking for someone to blame for this tragedy. But does the motive even make sense? For example, during Tiernee’s tenure with EmpiCode, they were the most vocal advocate of strengthening the internal network’s security. What’s more, Tiernee is a proud native and longtime resident of Empirion. Would Tiernee really try to cause harm to their home state?

Third, there are questions about who actually issued the false missile alert. To compound EmpiCode’s security issues unknown actors – both domestic and foreign – have been attempting to hack American assets, including networks and infrastructure systems. Due to its location in the Atlantic, Empirion was a prime target for hackers. Empirion entities, both public and private, were subjected to malware attacks and hacking attempts. EmpiCode’s placement in Empirion’s capital, Pasquale, in combination with its poor network security and relationship with the state government, rendered the hacking almost inevitable.

Why Computer Crime?

As part of Empire’s mission to educate, connect and empower, we select case topics that are unique, topical, and socially relevant. This year is no different. With United States v. Tiernee, Empire ventures into uncharted territory. This case represents our first excursion into computer crime law – a field that is becoming increasingly relevant (in fact, ubiquitous) in the 21st Century.

The English Common Law, from which American law is derived, is obsessed with the tangible, physical world. But the speed with which computers and the internet were (and are) developing poses obstacles for the rigid traditions of the legal system. How do we apply centuries-old criminal law principles to a digital platform? How do we prosecute crimes where the “act” does not occur in the real world? The internet has become an indispensable resource, for both personal and professional purposes, and current Empire competitors have interacted with the internet more in their education than any prior generation. This case demonstrates that the internet is a double-edged sword. In one sense, it is a tool; the internet provides widespread access to information and knowledge. But at the same time, the internet makes public what many wish to keep private. Actions taken in the intangible “cloud” can have consequences in the tangible world. 

We selected the Computer Fraud and Abuse Act as the subject of this year’s case because it presents issues that are at the cutting edge of criminal law today. The government sought to regulate the internet by enacting the CFAA precisely because the law has struggled to apply traditional principles when trying to resolve issues involving modern technology. Nonetheless, the internet’s development continues to outpace that of the law. We challenge students to think critically about the role the internet plays in society today, the role that the law should have in regulating it, and whether the law achieves its intended goals. 

We hope you enjoy United States v. Tiernee!

Nicholas Cotter & Christian Cotter
2022 Case Committee Co-Chairs

Registered teams will have access to the case TOMORROW! If you haven’t applied for the 2022 Empire season yet, we’re still accepting applications. Apply for Empire Eclipse or for the Empire Baltimore and Empire Chicago waitlists before spots fill up!

Multiple Authors
Previous

Our Forever Spirit of Empire

Next

Evolving Together: Bringing Technology to the Courtroom