U.S. Congress Wants to Make Hacking Government Networks a Felony

Congressional lawmakers are revisiting the request in the White House cyber-security proposal which would make hacking government Websites a felony.

Recent high-profile attacks, including attacks on the CIA, the International Monetary Fund, a public network for the United States Senate and defense contractors may be spurring the government into pushing cyber-security legislation through Congress.

If the Obama administration gets its way, the maximum prison sentence for those convicted of breaking into government computer networks or potentially endangering the country's national security would become 20 years. The White House made the request in its cyber-security proposal in May. Recent attacks on government Websites have refocused attention on that part of the proposal, Reuters reported June 20.

Talks on changes to the cyber-security bill have been ongoing for more than a year. Congress introduced some bills in June 2010, and the White House recently provided its feedback on what it would like to see in a cyber-security law.

The "emphasis on cyber-security by the Administration and Congress is commendable," but progress has been practically non-existent, as the country hasn't really moved forward towards enacting a comprehensive cyber-security law, said Major General John Casciano, an adviser on government security issues to security software producer RedSeal Systems. "We are not further along solving the problem than we were 20 or 25 years ago," Casciano said.

The United States is not the only country looking to impose criminal penalties for cyber-acts. The Japanese parliament passed a series of laws on June 17 that made the act of writing or deliberately distributing malware illegal, subject to a fine of approximately $6,000 and up to three years in prison. Up until recently, authors could be prosecuted only if their malware actually caused damage.

It's no easy task to track down skilled hackers as they are intent on keeping their anonymity, Carole Theriault, a senior security consultant at Sophos, wrote on the Naked Security blog. They could be based anywhere on the globe and using multiple compromised machines to mask their true location and identity.

Theriault questioned the necessity of the government spending "huge amounts of resources" to locate and identify hacktivists such as LulzSec who brought down the CIA Website for fun, or "lulz." No matter how disruptive a denial of service attack can be on a site, it is not necessarily on the same level of seriousness as someone "intent on threatening national security by stealing highly sensitive information," Theriault said.

There is a "big difference" between criminals after confidential information and those who are trying to show off, are bored, or looking for praise from their peers, Theriault said. And those cyber-pranksters are not likely to be deterred by an increase of criminal penalties, she said.

"Consider the current hacking mayhem as a wake up call," Theriault said, recommending that organizations be proactive about protecting their own networks and Websites. LulzSec has demonstrated how weak Websites belonging to most organizations are, despite all the posturing about being security-conscious.

The proposed penalties are also more relevant as cyber-prankster LulzSec and hacktivist collective Anonymous has announced its joint "Operation Anti-Security" venture in which they will attack government Websites and other big corporations. LulzSec claimed it will go after confidential documents in a move reminiscent of WikiLeaks.