Getting Tough with CybercriminalsLegislation Doesn't Differentiate Between Online, Offline Crimes
In testimony before the Senate Judiciary Committee Wednesday, Associate Deputy Attorney General James Baker outlined an administration legislative initiative, first unveiled in May (see White House Unveils Cybersecurity Legislative Agenda), to increase the maximum penalties for cybercrimes. "Such modifications are appropriate in light of the scale and scope of our nation's current cybercrime problem," Baker said in his prepared remarks.
Baker cited several disparities between conventional and cybercrime punishments:
- Computer hacking for the furtherance of fraud carries a maximum sentence of five years, but the most analogous conventional statute, one that involves mail or wire fraud, imposes a maximum penalty of 20 years. "Penalties for fraud committed using a telephone should not differ, for example, from penalties for fraud committed by computer hacking," he said.
- A politician convicted of hiring a hacker to break into the e-mail account of an opponent to steal strategy documents carries a one-year maximum sentence. Under the administration's proposal, a judge could impose a stiffer sentence.
"All of these changes will empower federal judges to appropriately punish offenders who commit extremely serious crimes, ones that result in widespread damage," Baker said.
One of the reasons the administration seeks tougher penalties for hackers is the changing nature of illicit cyber intrusions. "Where 10 years ago hackers were more commonly motivated by curiosity or seeking notoriety, most criminal hackers today are motivated by greed," Baker said. "Federal law needs to more effectively deter this spreading criminality."
Law Keeping Pace with Technology
Baker also said the administration's legislative proposal would address the problem of changing technology that sometimes makes laws antiquated.
The quarter-century-old Computer Fraud and Abuse Act prevents prosecutors from fully taking action against criminals who steal login credentials, such as user names, passwords or secure login devices. Baker said the administration plan addresses these shortcomings by proposing the scope of the offense for trafficking in passwords in the CFAA should also cover other methods of authenticating a user's identity, such as biometric data, single-use passcodes or smart cards.
Keeping laws such as the Computer Fraud and Abuse Act up-to-date with changing technology will help in prosecuting cyber offenders. "If in 10 years iris scans have taken the place of passwords as the main method for managing credentials to computer systems," Baker said, "Congress will not have to act because the administration's proposal would have made the CFAA technology-neutral, allowing it to adapt to technological change."