Hurdles Remain in Administration’s Cybersecurity Proposal, Say Senate Judiciary Members
Senate Judiciary Committee members gored President Barack Obama’s cybersecurity proposal during a cybercrime hearing Wednesday that featured representatives from the Department of Justice and the Secret Service. Senate Judiciary Chairman Patrick Leahy, D-Vt., said he took issue with the administration’s mandatory minimum sentences for computer crimes, while Ranking Member Chuck Grassley, R-Iowa, said he was worried the proposal would overextend an already bloated government. Sen. Sheldon Whitehouse, D-R.I., said the administration was not doing enough to address the dearth of resources facing cybersecurity enforcement agencies.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Leahy denounced mandatory minimum sentences for cybercrimes and said he would not include them in his own cybersecurity proposal. “I believe that strong penalties with mandatory minimums are something that can be abused,” he said. The committee is scheduled to consider cybersecurity legislation on Thursday when it marks up S-1151 and S-1408, though a spokesman from Leahy’s office said the markup may be delayed until next week.
Grassley had reservations about the administration’s cybersecurity proposal and wants to better understand how “these sweeping policies will be implemented,” he said. Grassley also took a shot at the administration’s hiring of an unspecified U.S. cybercommand official whose qualifications were not fully vetted, he said. “This raises questions about whether the administration is serious about protecting our critical infrastructure.”
Whitehouse was concerned that law enforcement officials do not have enough resources to address the cybersecurity threats facing America. “The rhinoceros in the living room is the resource question,” Whitehouse said. “I continue to believe that we are sorely under-resourced in this area,” he said. “I'm worried we will pass this bill and pat ourselves on the back for doing something good … when in fact we will have overlooked the resource disadvantage.”
It’s important to have adequate resources but “you can’t just throw bodies at the problem,” said James Baker, associate deputy attorney general. “We need to have a long term goal of bringing people in and training them.” It’s equally important that Justice has the correct statutes and penalties to address cybercrimes, said Baker, but “we could always use more resources.” Baker said Justice had recently requested 160 more investigators and an additional $45 million to investigate cybercrimes.
Congress needs to update the Computer Fraud and Abuse Act (CFAA) to account for emerging technologies, enhance civil forfeiture provisions, and to create better deterrence for individuals who commit cybercrimes, Baker said. (See related report in this issue.) It’s important to increase minimum penalties for those who attack critical infrastructure, he said. “Right now acts of wire fraud carry a maximum of 20 years in prison, while the Computer Fraud and Abuse Act carries a maximum sentence of five years,” said Baker. “Such disparity makes no sense.” Baker also advocated enhanced penalties for computer crimes and an update of the Racketeering Influenced and Corrupt Organizations Act (RICO).
The FTC should have rulemaking authority in any cybersecurity legislation, said Pablo Martinez, deputy special agent in charge of the criminal investigative division at the U.S. Secret Service, because the commission “has the expertise in this area.” Martinez hailed the administration’s cybersecurity proposal and said it would help better equip law enforcement agencies. Martinez agreed that computer fraud should be prosecuted as a criminal offense under RICO.
Sen. Amy Klobuchar, D-Minn., asked witnesses if it would be helpful to extend ISP data retention mandates such as those proposed in the Protecting Children from Internet Pornographers Act by Sen. Orrin Hatch, R-Utah. Baker said the administration hadn’t taken a position on the policy but Martinez said data retention mandates would be beneficial to crime investigations because “digital crime scenes evaporate much quicker than regular crime scenes.”
Sen. Al Franken, D-Minn., asked Baker and Martinez about insider threats and whether it was fair to apply federal laws to employees who violate their company’s network service use policies. “It’s conceivable that employees could be liable for federal crimes for checking their email or weather updates,” Franken said. “This insider case is a very challenging thing to address,” said Baker. “The challenge is to address these concerns and at the same time not to create a loophole that allows someone to take information and use it to spy on someone.” Franken also queried the witnesses on details of the administration’s data breach proposal, its 60-day notification requirement, and its definition of personally identifiable information. “It looks like we have a lot of little things to work out,” he said.