By Luke O'Brien
WASHINGTON -- Federal lawmakers confronting a plague of botnet
infections, denial-of-service extortion schemes and spyware are going on
the counter-offensive with two new bills that would make it easier for
federal prosecutors to charge cybercriminals, while bringing computer
intrusion under the ambit of the mob-busting RICO Act.
Together, the Cyber-Security Enhancement Act and the Internet Spyware
(I-SPY) Prevention Act would represent one of the more significant
updates to federal computer-crime law in the last two decades.
Around 30 percent of malicious internet activity took place or
originated in the United States in the second half of last year,
according to information from Symantec. China was second at 10 percent.
Prominent among today's threats are bots -- a type of malicious software
that secretly puts a vulnerable PC under the control of an attacker, who
can direct thousands of computers at once. Organized cybercriminals
routinely use networks of bots to launder spam, steal passwords for
online banking and launch denial-of-service attacks like those that
recently plagued the small European nation of Estonia after it angered
"You're looking at a new species of criminal conduct," says Roma Theus,
a white-collar crime expert at the Defense Research Institute and a
former federal prosecutor. "We have to look beyond where we are today
and think about where we might be ten years from today."
The Cyber-Security Enhancement Act, introduced by Rep. Adam Schiff
(D-California), would do just that, stiffening penalties and sentencing
times for cybercriminals by classifying computer-fraud offenses as a
predicate offense for the Racketeer Influenced and Corrupt
Organizations, or RICO, law. Authorities could also seize any ill-gotten
gains a crook may have obtained through online rackets.
The measure also adjusts the damage threshold that qualifies a
cybercrime receive FBI attention. Currently, a financial loss of $5,000
spread out among victims makes an intrusion into a federal case; under
the bill, damaging 10 or more computers in a year would automatically
qualify, even with no financial harm.
This bill has cheered many advocates for tougher laws on cybercrime. "In
our discussions with law enforcement, that $5,000 limit is a major
sticking point in terms of not being able to go after these criminals,"
says Rob Tai, the manager of cybercrime prevention for the Business
Software Alliance, which represents the commercial software industry and
supports both bills.
The I-SPY Act, introduced by Rep. Zoe Lofgren (D-California), amends the
same federal computer crimes statute by setting a five-year sentence
and/or fines for anyone caught using subversive software "in
furtherance" of a federal criminal offense. Scam artists who distribute
software coded with keystroke loggers or other covert functions, and who
use it to steal Social Security numbers, credit card numbers, passwords
or any personal identification information could face new charges. So
could hoods using spyware to "impair" a computer's security system while
trying to defraud another person, although the prison time for that
offense drops to two years.
The bill is a nice step forward but only part of a much-needed
collection of tools to combat spyware violations, according to David
Sohn, senior policy counsel at the Center for Democracy and Technology.
"It's adding an additional enforcement arrow to the quiver," Sohn said.
Both measures modify the Computer Fraud and Abuse Act, the federal
anti-hacking bill enacted in 1986. Originally intended to protect only
federal government computers and financial institutions, the CFAA has
been amended several times since then, most recently in 2001, when the
Patriot Act raised the maximum penalties, among other tweaks.
Not everyone thinks the latest crop of bills is the correct response to
shifting cyberthreats. "I'm not sure it's completely necessary," says
Andy Serwin, a noted cyberspace lawyer and the author of a book on
information security and privacy laws. "How much burden do you put on
The Federal Trade Commission already enforces cyberfraud, and state and
federal laws cover more than enough ground to allow for prosecution,
Serwin argues. Increased legislation might wind up criminalizing
legitimate software, such as Microsoft's updater, which automatically
installs programs on computers and might technically be spyware under
the new legislation, he says.
Besides, Serwin adds, "The guy who's going to do the really malicious
stuff is going to do it anyway. And he may do it offshore, so there's no
way to get at him."
Theus disagrees. He says that the government could extradite wrongdoers,
or even seize them, ala Manuel Noriega. "If someone is under the
misapprehension that they can be outside the U.S. and commit a crime
that has effects inside the U.S. (and avoid sanctions), that person is
going to be terribly surprised."
So far such extraditions are virtually unheard of. In the U.K., Gary
McKinnon, a 41-year-old man accused of penetrating over 90 unclassified
U.S. military computers in 2001 and 2002, has delayed extradition for
years, even while admitting to the hacking spree. In April he lost a
court challenge to an extradition order, and is now on a final appeal to
the U.K. Parliament's Law Lords.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com