Leahy Unveils Bill to Fight Cybercrime
The push for greater U.S. cybersecurity got a boost from Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., Wednesday with the introduction of the Cyber Crime Protection Security Act. The legislation differs from the Senate Cybersecurity Act, S-2105 (WID Feb 15 p1), by updating the federal racketeering statute to include cybercrimes and enhancing the penalty structure under the Computer Fraud and Abuse Act (CFAA).
A Judiciary Committee spokeswoman said the bill has no cosponsors and incorporates some aspects of S-1151, the Personal Data Privacy and Security Act. The spokeswoman told us Leahy will “pursue all options to accomplish this, including offering the proposals as amendments to appropriate legislation on the Senate floor.”
“We simply cannot afford to ignore the growing threat of cybercrime,” Leahy said Wednesday. “We must give the dedicated prosecutors and investigators in our government the tools that they need to address criminal activity in cyberspace,” he said.
Leahy said his bill, S-2111, would amend the CFAA to increase penalties and facilitate federal prosecution of organized crime groups that engage in online attacks. The bill further specifies which computer offenses are subject to criminal enforcement and increases penalties to up to 20 years in prison. Violations include computer crimes that are committed for purposes of private financial gain; cause physical injury to any person; pose a threat to public health or safety; or impair the furtherance of the administration of justice, national defense, or national security.
The legislation bars the trafficking of passwords used to access protected government or non-government computers and makes it a felony to damage a computer that manages or controls critical infrastructure systems. The bill defines critical infrastructure systems as those that manage assets vital to national defense, national security, national economic security, public health or safety. Examples of critical infrastructure systems named in the bill are those that control gas and oil production, storage, and delivery systems; water supply systems; telecommunication networks; electrical power delivery systems; finance and banking systems; emergency services; transportation systems and services; and government operations that provide essential services to the public.
The bill clarifies that both conspiracy and attempts to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses, and the bill adds new forfeiture tools to help the government recover the proceeds of illegal activity. Leahy said the bill clarifies that “relatively innocuous conduct,” such as violating a terms of use agreement, should not be prosecuted under the CFAA.
The bill doesn’t specifically target groups like Anonymous, a Judiciary spokeswoman told us Wednesday. But the spokeswoman did say that “to the extent that their conduct may be in violation of the Computer Fraud and Abuse Act, and the updates that this bill would make to that Act, sure -- in a purely hypothetical world, if their activity violates the law, it violates the law -- no matter the perpetrator of the violation.”
Federal networks and websites have faced increased threats from online activist groups like Anonymous and LulzSec. The two loosely organized activist groups gained clout for high-profile breaches and distributed denial-of-service attacks against the CIA, FBI, Department of Justice, and Senate websites. Anonymous and LulzSec are also accused of attacking the private-sector computer systems of the RIAA, MPAA, HBGary, and InfraGard, among others.