The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag. But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act.
In fact, for the eleventh time since it was adopted in the 1980s. We've seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated. But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”
Justice’s latest proposals fit squarely into this mold. Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years. It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes. It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.
Well, you might ask, why not get tough with hackers? Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security. That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them. Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.
(photo credit: Hal Dick)