Getting Tough with Cybercriminals

Legislation Doesn't Differentiate Between Online, Offline Crimes
The Obama administration wants to get tough on cybercriminals.

In testimony before the Senate Judiciary Committee Wednesday, Associate Deputy Attorney General James Baker outlined an administration legislative initiative, first unveiled in May (see White House Unveils Cybersecurity Legislative Agenda), to increase the maximum penalties for cybercrimes. "Such modifications are appropriate in light of the scale and scope of our nation's current cybercrime problem," Baker said in his prepared remarks.

Baker cited several disparities between conventional and cybercrime punishments:

  • Computer hacking for the furtherance of fraud carries a maximum sentence of five years, but the most analogous conventional statute, one that involves mail or wire fraud, imposes a maximum penalty of 20 years. "Penalties for fraud committed using a telephone should not differ, for example, from penalties for fraud committed by computer hacking," he said.

  • A politician convicted of hiring a hacker to break into an opponent's e-mail account to steal strategy documents faces a one-year maximum sentence. Under the administration's proposal, a judge could impose a stiffer sentence.

"All of these changes will empower federal judges to appropriately punish offenders who commit extremely serious crimes, ones that result in widespread damage," Baker said.

One of the reasons the administration seeks tougher penalties for hackers is the changing nature of illicit cyber intrusions. "Where 10 years ago hackers were more commonly motivated by curiosity or seeking notoriety, most criminal hackers today are motivated by greed," Baker said. "Federal law needs to more effectively deter this spreading criminality."

Law Keeping Pace with Technology

Baker also said the administration's legislative proposal would address the problem of changing technology that sometimes makes laws antiquated.

The quarter-century-old Computer Fraud and Abuse Act prevents prosecutors from fully taking action against criminals who steal login credentials, such as user names, passwords or secure login devices. Baker said the administration plan addresses these shortcomings by proposing that the scope of the CFAA offense for trafficking in passwords should also cover other methods of authenticating a user's identity, such as biometric data, single-use passcodes or smart cards.

Keeping laws such as the Computer Fraud and Abuse Act up-to-date with changing technology will help in prosecuting cyber offenders. "If in 10 years iris scans have taken the place of passwords as the main method for managing credentials to computer systems," Baker said, "Congress will not have to act because the administration's proposal would have made the CFAA technology-neutral, allowing it to adapt to technological change."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
