Senators: Don't make a federal case out of all cyber crimes

Leaders of the Senate Judiciary Committee say Obama administration proposals to update the Cyber Fraud and Abuse Act might go too far.

Leaders of the Senate Judiciary Committee agree that the Cyber Fraud and Abuse Act must be brought into line with evolving online threats, but they expressed concerns during a Sept. 7 hearing that the administration might be overreaching in criminalizing some online behavior.

“We can’t ignore these threats,” Chairman Patrick Leahy (D-Vt.) said in his opening remarks. But he cautioned later that “we want to concentrate on the real cyber crimes” and not turn minor violations of service agreements into federal crimes.

Leahy and ranking Republican Chuck Grassley of Iowa also were uneasy about a legislative proposal that would impose minimum sentences for anyone convicted of attacks or attempted attacks on critical infrastructure. Leahy said he would not recommend including minimum sentences in a cybersecurity bill now before his committee.


Related coverage:

Under cybersecurity plan, agencies would answer to DHS


The hearing focused on proposed cybersecurity legislation offered by the Obama administration in May that also would update the Cyber Fraud and Abuse Act that now covers many online crimes. The goals of the proposal are to keep CFAA technology-neutral so it would remain viable as technology evolves and to bring federal law dealing with online crime into line with laws covering crime in the physical world.

The proposed legislation would make it clear that the Racketeering Influenced and Corrupt Organization Act, a major law enforcement tool against organized crime, applies to CFAA offenses.

“The fight against organized crime is far from over; rather, much of the focus has moved online,” Associate Deputy Attorney General James Baker told the committee.

Some penalties for CFAA violations also would be increased. For instance, currently wire fraud can carry a sentence of 20 years, while a similar crime prosecuted under CFAA carries only a five-year sentence. “This discrepancy makes no sense,” Baker said.

Senators did not object to this but were concerned that attacks on critical infrastructure would be treated differently from other crimes, requiring a three-year minimum sentence.

Baker defended the proposal, saying “In light of the grave risk posed by those who might compromise our critical infrastructure, even an unsuccessful attempt at damaging our nation’s critical infrastructure merits actual imprisonment of a term not less than three years — not probation, intermittent confinement, community confinement or home detention.”

Another bone of contention was the interpretation of laws against exceeding authorized access to online devices and resources. Although the law usually is enforced against hackers who break into another person’s computer, it also could be interpreted as criminalizing any breach of a service agreement between a consumer and a service provider, or between an employee and employer.

“Some have argued that the definition of ‘exceeds authorized access’ in the CFAA should be restricted to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider,” Baker said. “We appreciate this view, but we are concerned that that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution.”

Without this authority, federal authorities could be powerless to prosecute some employees for stealing confidential information in the workplace, Baker said.

Sen. Sheldon Whitehouse (D-R.I.) said the Justice Department needed to make a clear statement that it was not department policy to prosecute violations of service agreements.

“I don’t think that there has ever been a society so bedeviled by fine print in contracts as America is now,” Whitehouse said, adding that the specter of federal enforcement of fine print could only make this worse.

Baker said the department had used the “authorized access” law responsibly and is willing to rely on the committee’s oversight to help define how it should be used. “What we’re trying to do is address these concerns and at the same time not let somebody off the hook.”

One other issue of concern, which Whitehouse called “the elephant in the room,” was the ability to enforce any new cyber crime legislation when law enforcement resources already are stretched thin.

Both the Justice Department and the Secret Service, which also pursues online crime, are beefing up their capabilities. Pablo Martinez, deputy special agent in charge of the service’s Criminal Investigative Division, said 1,400 special agents have received in-depth computer crime training as part of the Electronic Crimes Special Agent Program, and that all incoming agents now go through a two to three-week course of cyber training in the service’s academy.

Baker said the Justice Department now has 230 prosecutors dedicated to cyber crimes and a classified number of investigators also working in that field.

“We can always use more resources,” he said. The department asked for an additional 160 people in its 2011 budget request.

 

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.