Obama administration officials spoke about the need for increased penalties for computer crimes in light of increased data breaches and hacking activity. The increase in computer crime, ranging from Anonymous-led distributed denial-of-service attacks, Website attacks where data is stolen and general online mayhem, has led the White House to call for an increase in criminal penalties for computer crimes.
Online attacks have become more serious as attackers target sensitive personal data and corporate secrets and undermine infrastructure security. However, the penalties under the Computer Fraud and Abuse Act don’t match the seriousness or complexity of cyber-crime, Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge, Criminal Investigative Division, Pablo Martinez said Sept. 7 in a hearing before the Senate Judiciary Committee. The proposal was based on the White House’s cyber-security plan unveiled in May.
The administration is also asking for updates to the Computer Fraud and Abuse Act so that cyber-crimes can be investigated and prosecuted as organized crime as defined under the Racketeering Influenced and Corrupt Organizations Act. CFAA should be technology-neutral so that it remains viable as technology evolves and new tactics emerge.
“As computer technology has evolved, it has become a key tool of organized crime,” Baker said, with many groups having ties to traditional criminal organizations in Asia and Eastern Europe. “The fight against organized crime is far from over; rather, much of the focus has moved online,” Baker added.
Complex and sophisticated electronic crimes are rarely perpetrated by a lone individual, Martinez said. Online criminals often have “defined roles” within a criminal enterprise “dedicated to stealing commercial data and selling it for profit,” Martinez said.
Under the proposed law, hackers who endanger national security would be put in prison for up to 20 years. The proposal would also double current prison times and increase fines in each category of computer crimes.
The sentencing guidelines under CFAA make “no sense,” Baker said, noting that being convicted of wire fraud can result in a sentence of 20 years, but if convicted under CFAA, the maximum is only five years.
Tougher sentencing penalties may deter people from joining in on attacks against various Websites, according to the Obama administration. Shortly after arresting 16 individuals who had taken part in Anonymous-led DDoS attacks on various Websites, including PayPal, in July, the FBI revealed it intended to ask the courts for maximum penalties. Anonymous retaliated with more attacks, claiming that people taking part in a “civil protest” by launching DDoS attacks should not be treated the same as other types of attackers.
Concerns About Proposal
Sens. Patrick Leahy, D-Vt., and Al Franken, D-Minn., expressed some concerns about the proposal, suggesting the administration may be expanding the definition too much. “We can’t ignore these threats,” said Leahy as the chairman of the committee, but added that law enforcement agencies shouldn’t get distracted by smaller issues.
Changing the definition could wind up turning violations of Website terms of service or employer policies into serious crimes, Leahy said. The Department of Justice should be able to use discretion when applying the law.
“We want you to concentrate on the real cyber-crimes, and not the minor things,” Leahy told Baker.
As the proposed law currently stands, employees could be charged with a crime if they violate the company’s computer use policy, Franken said. Various civil liberties groups have also suggested the proposal would impose civil and criminal penalties for people who access protected computers within the company without proper authorization. Violations of terms of service or computer use policies are not computer crimes, the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation and Americans for Tax Reform wrote in a letter to the Judiciary Committee.
“Our primary concern-that this will lead to overbroad application of the law-is far from hypothetical,” the groups wrote.
While Baker acknowledged the concerns, he pointed out that tightening the definitions could result in “a significant loophole” that would allow workers at federal agencies or private companies to steal the personal information or other sensitive data.
“This insider case, where somebody violates the rules of their employer in misusing a computer, is a very challenging thing to address,” Baker said.
The administration also requested minimum sentences for anyone convicted of attacks or attempted attacks on critical infrastructure.
“In light of the grave risk posed by those who might compromise our critical infrastructure, even an unsuccessful attempt at damaging our nation’s critical infrastructure merits actual imprisonment of a term not less than three years-not probation, intermittent confinement, community confinement or home detention,” Baker said.
Leahy said he would not recommend including minimum sentences in the cyber-security bill currently circulating in the Judiciary Committee.