President Obama's cybersecurity plan - Part 1 updates for law enforcement

Filed Under: Data loss, Featured, Law & order, Malware

Last week President Obama announced his proposal for updates to US cybercrime law. While I am not a lawyer, I have spent a significant amount of time poring over the legal documents to extract their meaning and provide my comments.

The proposed legislation is quite long and detailed, so I will begin with the changes that will impact law enforcement. These changes relate to which acts are criminal and the penalties the courts may impose for breaking the law.

In my second post I cover the proposed national Data Breach Notification Act.

  • The Racketeer Influenced and Corrupt Organizations (RICO) Act would be updated to include organized computer criminals. This law was originally designed to target mafia-like crime syndicates and would now include their electronic equivalents.
  • The Computer Fraud and Abuse Act (CFAA) would be modified with new restrictions for judges during sentencing. Attacks against critical infrastructure would have a mandatory minimum sentence of three years.
  • Cyberattackers targeting critical infrastructure would not be eligible for probation or concurrent sentencing (unless it is the same crime) or eligible for a reduction of their sentences for multiple counts of the offense.
  • Maximum sentences would be changed from ten years to 20 for attacking US government systems related to defense, energy or foreign relations.
  • Maximum sentences would be changed from one year to three for unauthorized access to records or systems related to financial services, government systems or foreign/interstate communications. They would change from five years to ten if the purpose is private gain or commercial advantage or if the value of the information exceeds $5000.
  • Maximum sentences would be reduced from five years to one for unauthorized access to non-public government computers.
  • Maximum of 20 years for unauthorized access or exceeding authorization to obtain more than $5000 in a year's time.
  • Maximum of 20 years for someone who "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" resulting in more than $5000 in damages, tampering with medical systems, causing physical injury, causing a threat to public health and safety, interfering with systems related to defense, justice or national security, or ten or more computers in a one year period.
  • A maximum of life imprisonment for incidents that result in someone's death.
  • Maximum of ten years for unauthorized access causing reckless damages.
  • Maximum of one year in prison for unauthorized access causing damages.
  • Maximum of ten years for "knowingly and with intent to defraud [trafficking] in any password or similar information through which a computer may be accessed without authorization." This provision previously applied only to US government systems.
  • Maximum of ten years for extortion using a threat to attack/expose flaws in security.
  • A long list of changes related to the forfeiture of profits and assets in any way related to the aforementioned criminal activity.

The raising of maximum penalties gives American judges more flexibility and sends a very clear message to cybercriminals. However, the requirement for a three-year minimum sentence for attacking critical infrastructure raises questions.

There are many shades of grey when it comes to unauthorized access to sensitive systems, and mandatory minimums leave no room for the edge cases that a judge would otherwise take into account.

The adjustments to the RICO statute are a welcome change; by including organized cybercrime, they give law enforcement new tools to treat electronic crimes just like any other.

The addition of this statement:

"knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer"

appears to directly address today's malware threat. Facing up to 20 years for what many consider to be mischief sets the record straight. Producing and spreading malware is a serious crime, and under this proposal, if you participate you could face serious penalties.

Creative Commons image of a jail cell courtesy of abardwell's Flickr photostream. Creative Commons image of Hacker Dojo sign courtesy of mightohm's Flickr photostream.


7 Responses to President Obama's cybersecurity plan - Part 1 updates for law enforcement

  1. dallmeier · 1191 days ago

    Active Obama is no taking serious his duties and making some serious and good decisions; might be due to the election being soon, but this is a good step toward their cyber security. dallmeier

  2. infosecindia · 1191 days ago

    I think these guys are going to the extreme to protect the US cyberspace, which would eventually lead to nothing more than Internet censorship just like in China...here's my view on the defences stated in the law: http://infosecindia.com/2011/05/18/us-strategy-fo...

  3. Vicki Wood · 1191 days ago

    What is the definition of a "protected computer"?

  4. Bob Smythe · 1191 days ago

    Very interesting approach the U.S. is taking, a much harder stance than other countries. Recently an 18 and 19 year old in England got sentenced to 400 and 360 hours (respectively) of community service for hacking credit card data and running an online business out of business. Evidence was even presented to show the 19 year old laundered electronic revenue from credit cards into his personal bank account.

    We may be looking at extremes here, but I would certainly like to see these pests held accountable.

    Certainly a step in the right direction. Now for the easy part, enforcement. Oh wait, we may have a challenge there........ :-)

  5. I cringe whenever I see the phrase "mandatory minimums". It's a great way to say "we cannot trust judges to interpret the law and dole out punishments accordingly".

  6. Changes like these in sentences may satisfy some perceived need for justice, but it won't have any deterrent effect. Criminals don't commit a crime because they might get 1 year as opposed to 5 in prison, they do it because they think they'll get away with it.

  7. Rascal · 1190 days ago

    While I like these changes, they only matter if they catch someone. And then they have to apprehend them. What about North Korea? Or the Russians? I agree with the guy above: they commit crimes because the chances of getting caught are minimal. We have to step up arrests and convictions, and make them nice and public; not on page 8 in the paper. In many states murder will get you life in prison or the death penalty, and that hasn't stopped people from killing each other.

    Also Serenity says: 'I cringe whenever I see the phrase "mandatory minimums". It's a great way to say "we cannot trust judges to interpret the law and dole out punishments accordingly".' I agree, but in this case it's probably because judges know little to nothing about computers and crime, as so many are way over 55. Older people and computers are a mixed bag of results.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.