Cyber attacks on private American companies continue “unabated” and represent the “greatest unwilling transfer of wealth in history,” U.S. Cyber Commander Gen. Keith Alexander said during a House Armed Services Committee hearing today.
While Cyber Command has “some confidence in our ability to deter major state-on-state attacks in cyberspace,” he said, it has not yet been able to stem the tide of private-data breaches.
The tools available to civilian law enforcers, meanwhile, are yielding no better progress. In a separate hearing before a House Judiciary subcommittee Wednesday, officials from the FBI and the Department of Justice said cyber-crime laws are outdated and vague in scope.
Seattle U.S. Attorney Jenny Durkan told lawmakers that the primary legal tool against cyber criminals, the Computer Fraud and Abuse Act, mainly prohibits unauthorized access to a computer — a limited, imprecise and increasingly outdated legal standard.
Durkan, chair of the Attorney General’s cyber crime enforcement advisory panel, was testifying before the House Judiciary crime, terrorism and homeland security subcommittee. The other witnesses were John Boles, deputy assistant director of the FBI’s Cyber Division; Robert Holleyman, CEO of BSA, The Software Alliance; and Orin Kerr, a George Washington University Law School professor who specializes in criminal procedure and computer crime law.
Each of the witnesses suggested the legal system is no match for increasingly sophisticated cybersecurity threats.
The CFAA, the main statute used to prosecute hacking crimes, was passed in 1984; it’s been amended several times over the years, most recently in 2008, but the witnesses exhorted Congress to come up with a new, comprehensive law that better reflects modern cyber threats.
Kerr noted that the law has caused a circuit split on the meaning of “authorized access.” The Ninth Circuit last year ruled that the law narrowly applies to breaking into a machine (not, for instance, an employee sharing information or misusing company computers), while the Eleventh Circuit interpreted the law more broadly in its assessment that an employee was not authorized to use his employer’s computers for personal reasons.
“Everyone agrees that the law should punish serious computer crimes,” Kerr said. But, he argued, it shouldn’t punish people who, for instance, violate the terms of service on a website.
Essentially, he said, lawmakers have two choices: they could wait until the circuit split is settled by the Supreme Court, or “Congress could act and actually clarify which interpretation of the statute is the right one.”
Kerr added: “I think it’s essential that Congress narrow the statute…and not just wait for the Supreme Court.”
Cyber intrusions that fall outside the Ninth Circuit’s basic definition of hacking, he said, could be prosecuted using existing laws and statutes; an employee selling or leaking proprietary information, for instance, would be violating the federal statute barring theft of trade secrets, regardless of whether he used a computer to access that information.
Holleyman, meanwhile, stressed that any cyber legislation Congress passes should include legal immunity for businesses sharing information with the government. Last year’s Senate bill foundered in part on business concerns over the lack of liability and antitrust protections.
Durkan recommended Congress update the Racketeer Influenced and Corrupt Organizations Act to include CFAA offenses, since organized criminals now frequently exploit computer technology to commit crimes.
Durkan’s written testimony referenced a proposal she made to the committee last year to update the sentencing provisions of the CFAA in order to “eliminate overly complex, confusing provisions; simplify the sentencing scheme; and enhance penalties in certain areas where the statutory maximums no longer reflect the severity of these crimes.” She went on to point out that fraud by hacking currently carries a maximum penalty of five years in prison while other federal fraud could carry up to 20 years.
Subcommittee Chairman Jim Sensenbrenner (R-Wisc.) challenged Durkan on why the Obama administration dropped its support for minimum sentences in cybercrime cases this year. A 2011 White House proposal included mandatory sentences for some violations. Durkan dismissed Sensenbrenner’s suggestion that the administration was saying cyber crimes are not serious enough for mandatory minimums, instead emphasizing judicial discretion.
Reflecting growing concerns over Chinese involvement in several recent high-profile hackings, Rep. John Conyers (D-Mich.) repeatedly emphasized working with other countries to cut down on attacks before they start.
“The internet has made the world a smaller place,” he said, “and because cyber attacks are often launched outside our borders, now, more than ever, we need a diplomatic [strategy].”
Sensenbrenner criticized the White House for failing to take harsher action with China.
“We must do more than simply ask Beijing to investigate,” he said.
Sensenbrenner praised President Barack Obama for last month’s executive order directing agencies to come up with a set of best practices to protect “critical infrastructure” from cyber attacks and encouraging government and the private sector to share threat information with one another.
But “it remains to be seen” whether the order is effective, he added.
Next week the House Armed Services Committee will have its first quarterly closed-door cyber-operations briefing.