Risk
3/27/2013
12:52 PM
50%
50%

Tougher Computer Crime Penalties Sought By U.S. Legislators

Draft version of Computer Fraud and Abuse Act includes amendments largely recycled from 2011 DOJ proposals -- and running counter to leading legal experts' demands to narrow anti-hacking laws, critics say.

Legal experts and privacy activists are crying foul after the House Judiciary Committee began circulating a draft bill that would amend the Computer Fraud and Abuse Act (CFAA) to impose tougher penalties for many types of computer crimes.

The 22-page draft "cyber-security" legislation is currently being circulated among committee members. A House Judiciary Committee aide told The Hill that the draft is still in its early stages, and feedback is still being gathered from multiple stakeholders.

But multiple legal and privacy experts have already criticized the proposed changes, with George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, saying that the bill's revised language appears to have been recycled from legislation proposed by Sen. Patrick Leahy (D-Vt.) in 2011, which he developed with the Department of Justice.

"This is a step backward, not a step forward," said Kerr in a blog post analyzing the draft bill. "This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it."

[ What changes should be made to current privacy and cyber abuse legislation? Read Hacking, Privacy Laws: Time To Reboot. ]

Indeed, the proposed changes would impose tougher penalties for many types of computer crimes, including making some computer crimes a form of racketeering. In addition, CFAA could be used to punish "whoever conspires to commit ... as provided for the completed offense," meaning that someone who discussed committing a computer crime could be charged with having committed the crime, reported Techdirt.

Numerous legal experts have been calling on Congress to amend the CFAA, following the death of Internet activist Aaron Swartz. He committed suicide while facing up to $1 million in fines and 35 years in prison after he used the Massachusetts Institute of Technology's network to download millions of articles from the JSTOR academic database as part of his quest to promote open access to research that had been funded by the federal government.

Ultimately, Swartz issued an apology and returned the files, and JSTOR requested that the civil matter be closed. But using the CFAA, federal prosecutors continued to press charges against Swartz. Seeing a pattern of behavior, meanwhile, critics have slammed the CFAA for being overly broad and enabling Justice Department prosecutors to treat minor crimes as major felonies.

The House Judiciary Committee's so-called cyber-security bill contains a hodgepodge of other recommendations, including in some cases classifying violations of a company's terms of service as being a felony charge. It would give the government greater leeway in pursuing criminal forfeiture, and assess penalties for anyone who intentionally damages "critical infrastructure" computers -- of which the vast majority are owned, secured and controlled by private businesses.

It would also create a federal data breach notification law that would supersede the patchwork of regulations now in effect in virtually every state. The law would require any "covered entity" that suffered a "major security breach" -- involving "means of identification" pertaining to 10,000 or more people -- to notify the FBI or Secret Service within 72 hours and inform affected customers within 14 days, or else risk a fine of up to $500,000, which could be raised to $1 million for intentional violations.

The draft legislation does propose setting a new threshold for the charge of "exceeding authorized access," saying that it would be a crime only if the value of information compromised exceeded $5,000.

But how much thought has been put into these amendments? Interestingly, the text of the bill says that "the Attorney General is authorized to establish the National Cyber Investigative Joint Task Force, which shall be charged with coordinating, integrating, and sharing information related to all domestic cyber threat investigations."

In fact, the FBI-led National Cyber Investigative Joint Task Force -- created in 2008 when President Obama established the Comprehensive National Cybersecurity Initiative -- is already coordinating intelligence and investigations into national cybersecurity intrusions across 18 intelligence and law enforcement agencies.

A House Judiciary Committee spokeswoman wasn't immediately able to discuss the apparent discrepancy by phone. But the draft bill's outdated language suggests that more than one facet of the cyber-security bill, including the proposed CFAA amendments, remain -- at best -- half-baked.

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
4/3/2013 | 7:03:43 PM
re: Tougher Computer Crime Penalties Sought By U.S. Legislators
While the prospect of harsher punishments may help deter certain hackers, the real focus for legislators should first be on reforming the scope of many of these cybersecurity laws. Reform laws like the CFAA so that they are clearer and more reasonable before placing an even more onerous burden on individuals who have violated those laws.
ANON1242159798500
50%
50%
ANON1242159798500,
User Rank: Apprentice
4/2/2013 | 5:24:04 PM
re: Tougher Computer Crime Penalties Sought By U.S. Legislators
Hackers value being unseen, and unheard. As a result uncaught.

If you catch them give them what they want.

Make them disappear and never heard from again. Being unseen, and unheard ultimately they would be at their zenith of value, and be in a place where we can really use them.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
3/27/2013 | 9:04:17 PM
re: Tougher Computer Crime Penalties Sought By U.S. Legislators
I do think prosecutors have gone overboard regarding some recent cases, including that of Aaron Swartz. And turning the violation of Terms of Service into a felony? That sounds like overkill. This certainly bears watching.

Drew Conry-Murray
Editor, Network Computing
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.