A panel of conservative legal experts criticized plans to enhance penalties under the Computer Fraud and Abuse Act at a Federalist Society symposium on the administration’s proposed reforms to cybersecurity law Tuesday.
While panelists seemed to approve of the administration’s efforts to shore up the economic and national security imperiled by cybercrime, they expressed serious concerns about potential infringements on civil liberties caused by the broad language of prosecutorial statutes.
“It’s actually a considerable extension of liability on a statute that nobody understands,” said Orin S. Kerr, a professor of computer crime law at George Washington University. “I think it’s a tremendously disturbing development in the law.”
The CFAA was proposed in the 1980s as a way for prosecutors to hold hackers responsible for information theft by making unauthorized access to computer networks a misdemeanor.
But the statute’s ban on “unauthorized” access to or use of a computer network worries Kerr, he said, because it’s not clear what counts as unauthorized use in the 21st century – particularly when it comes to employees using computer systems owned by their employers.
“Let’s say … you go to ESPN.com and check a sports score,” Kerr said. “Are you using the employer’s network in an unauthorized way?”
In some cases, so long as there’s an understanding that an employee should not use a network for certain activities, they could be held liable under the statute’s vague wording, Kerr said.
“Courts are currently struggling as to whether that is the same as hacking into a network,” he added. “We have a law that clearly covers hackers … but then might cover disloyal employees, might cover someone who breaks a contract on the Internet, and from there things get pretty uncertain.”
And the administration’s proposal to raise CFAA violation penalties from a misdemeanor to a felony will raise the likelihood of prosecutions, Kerr said.
“Prosecutors are not going to charge misdemeanors,” he said. “But if you can make it a felony, on the other hand, prosecutors are going to be interested.”
Michael Vatis, a lawyer at Steptoe & Johnson LLP and founding director of the FBI’s National Infrastructure Protection Center, said the statute’s broad wording and private right of action might help private companies hold individuals accountable for security breaches and other cybercrime.
“They need some help,” Vatis said. “And in some ways this is at least going to provide a venue for those companies to get that help.”
Companies don’t have much recourse under current law, Vatis said, which gives the government the sole authority to strike back at cybercriminals.
“Companies have a difficult time putting their hands on the real perpetrators,” added John Smith, counsel for the defense technology group Raytheon Co.
Marc Rotenberg, president of the Electronic Privacy Information Center, agreed with Kerr’s concerns, but said he was grateful for the administration’s openness about the proposed changes.
“This has been largely a public process,” Rotenberg said. “I mean, we can look at the government’s proposal. We don’t have to submit a FOIA for it.”
And even amid their objections, the experts praised the administration for recognizing the increasing importance of cybersecurity.
“It is really the first effort to come out of any of the last three administrations that tries to begin to take on this problem of protecting our critical infrastructures,” Vatis said.








