Risk
9/9/2011
08:46 AM
50%
50%

Treat Hackers As Organized Criminals, Says Government

Obama administration seeks tougher penalties for cybercrime, but legal experts warn that current, imprecise proposals could be too widely applied.

The Obama administration on Wednesday appealed to the Senate Judiciary Committee to increase penalties for hacking, and to update current laws against organized crime for use against hackers.

The Obama Administration had first floated wide-ranging changes to the 1986 Computer Fraud and Abuse Act (CFAA) law in May, including a minimum three-year sentence for anyone who attacks critical infrastructure.

During the Senate hearing into updating CFAA, James A. Baker, associate deputy attorney general, reiterated that proposal. "In light of the grave risk posed by those who might compromise our critical infrastructure, even an unsuccessful attempt at damaging our nation's critical infrastructure merits actual imprisonment of a term not less than three years--not probation, intermittent confinement, community confinement, or home detention," he said.

But committee chairman Senator Patrick Leahy (D-Vt.) dismissed that request, saying he would not bring it before the committee, in part over wider concerns that changes to the hacking law might turn all computer-related crimes into federal offenses.

The committee, however, was much more receptive to the administration's proposal to make hacking subject to the Racketeering Influenced and Corrupt Organizations (RICO) Act, which targets organized crime. "RICO has been used for over 40 years to prosecute organized criminals ranging from mob bosses to Hells Angels to insider traders, and its legality has been consistently upheld by the courts," said Baker. "Just as it has proven to be an effective tool to prosecute the leaders of these organizations who may not have been directly involved in committing the underlying crimes and to dismantle whole organizations, so too can it be an effective tool to fight criminal organizations who use online means to commit their crimes."

The Obama administration is also calling for updating prison sentences for hacking to bring them in line with current sentencing guidelines. For example, Baker said, according to current guidelines, the maximum penalty (jail time) for fraud-related hacking is five years, compared to the 20-year maximum currently in place for committing mail or wire fraud. Likewise, if someone stole "a massive database of credit cards," he said, the maximum penalty would be five years, even though in a non-hacking context, federal sentencing guidelines would call for a longer period of incarceration.

Only two witnesses were called to the hearing: Baker, as well as Pablo A. Martinez, deputy special agent in charge of the criminal investigative division of the Secret Service, which investigates credit and debit card fraud, and often works with other agencies to investigate identity theft, computer fraud, and bank fraud.

But on Tuesday, in advance of the hearing, a letter signed by members of various non-governmental organizations and universities from across the political spectrum appealed to the committee to address a big-picture concern with CFAA: imprecise language.

"The CFAA imposes civil and criminal liability for accessing a protected computer 'without' or 'in excess of' authorization, but fails to define 'authorization.' This makes the definition of the precise activities that are punishable unavoidably vague," according to the letter. "As a result of this lack of clarity, several courts have used companies' network terms of use, which lay out contractual constraints on users' use of those networks, to also define what constitutes criminal behavior on those networks. The consequence is that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies."

But in his testimony Wednesday, Baker said that the Obama administration would resist any attempts to restrict the CFAA's use of "exceeds authorized access" as a benchmark for determining when a crime had been committed, especially when malicious insiders were involved. "The plain meaning of the term 'exceeds authorized access,' as used in the CFAA, prohibits insiders from using their otherwise legitimate access to a computer system to engage in improper and often malicious activities," he said.

Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4632
Published: 2015-01-31
VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 does not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certifica...

CVE-2014-7287
Published: 2015-01-31
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.

CVE-2014-7288
Published: 2015-01-31
Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.

CVE-2014-8266
Published: 2015-01-31
Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field.

CVE-2014-8267
Published: 2015-01-31
Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.