via Security News Daily
In mid-May, the Obama administration called on Congress to expand the definition of computer crime and to stiffen federal penalties for hacking into computer systems, doubling the maximum prison sentences for first-time offenses.
The proposals were timely. They came soon after high-profile data breaches at Sony and the network-security firm RSA, and a month before less serious but embarrassing attacks upon the websites of the CIA and the U.S. Senate.
But security and legal experts say the White House suggestions, which would in part update the Computer Fraud and Abuse Act, are both too broad and fundamentally ineffective.
They argue that it’s time for a wholesale overhaul of federal law pertaining to computer crime, which has changed radically since the Computer Fraud and Abuse Act was first drafted in 1986.
Right now, the act states that unauthorized intrusion into a government computer system, however trivial, merits a maximum sentence of one year; theft of more than $5,000 using a computer, five years; a first-time offense of jeopardizing national security via hacking, 10 years; multiple offenses, 20 years.
The White House would raise the maximum sentence for each first-time offense. Breaking into a government computer would go from one to three years, theft of more than $5,000 could get you 10 years, and the maximum for a first-time jeopardizing of national security would be 20 years.
The Obama proposals also would add a stand-alone sentence of three years for anyone caught damaging a “critical infrastructure” computer, such as one involved in the electrical, water, financial or transport systems.
They would expand the RICO statutes, originally used against the Mafia, to cover online criminal activity and extend drug-money forfeiture laws to enable property seizure from those convicted of cybercrimes.
Congress has yet to incorporate the recommended measures into any cybersecurity-related bill.
Amateurs vs. professionals
John W. Dozier Jr. of Dozier Internet Law, a Virginia-based firm, notes that the existing act doesn’t account for different kinds of hacking.
“It fails to adequately distinguish between relatively minimal intrusions and intrusions that can affect the economy,” Dozier said.
On one hand, there are pranksters, protesters and vandals such as LulzSec or Anonymous, who garner lots of publicity but cause little damage.
On the other, there are professional cybercriminals, who traffic in passwords and credit-card information for profit, and online spies, who quietly steal secrets from American corporations and government agencies. Neither of the latter groups is likely to be swayed by tougher measures.