International Trade Today is a service of Warren Communications News.
Hacking Mandatory Minimums

House Subcommittee Debates Reforming CFAA, Role of Diplomacy in Combating Cyberthreats

Whether the Justice Department needs the Computer Fraud and Abuse Act (CFAA) to go after cybercriminals when unauthorized access is the only crime is ripe for debate, House Crime Subcommittee Chairman Jim Sensenbrenner, R-Wis., said during a subcommittee hearing Wednesday. Sensenbrenner pointed to a hypothetical situation where someone accessed a computer without authorization but did not take any information. “Shouldn’t the Justice Department have a tool to be able to do something about that even though no other crime was committed?” he asked. The CFAA was used to prosecute Internet activist Aaron Swartz -- who committed suicide in January before his trial -- for downloading a massive archive of subscription academic articles, though Swartz’s name didn’t come up in the hearing and CFAA reform was already a priority for civil liberties groups.

Situations like Sensenbrenner’s could be handled under other laws, Orin Kerr, professor at the George Washington University Law School, told the subcommittee. For instance, the spy who hacked into a company’s network but didn’t steal anything could be charged with attempted theft, he said. “It’s not a computer-related offense. It just so happens that that offense involves computer-related conduct.”

Hacking sentences should carry mandatory minimums, Sensenbrenner said. “Does the administration oppose mandatory minimums as a matter of principle or don’t they think that the crimes that we're trying to describe here deserve mandatory minimums?” he asked. Jenny Durkan, U.S. attorney for the Western District of Washington, said the administration opposes mandatory minimums and prefers to leave discretion to the judge, in addition to Justice’s recommended sentences. “But we'll be happy to work with your staff” on the issue, she said. “I think that we're going to be talking about this issue a lot more as legislation is developed,” Sensenbrenner said.

The U.S. can’t rely on diplomacy to combat cyberthreats, as President Barack Obama has done, Sensenbrenner said. “The administration’s strongest rebuke has been to ask that Beijing take serious steps to investigate” claims that U.S. companies have suffered cyberattacks from Chinese state-run entities. “We applaud the administration for its efforts, but it remains to be seen whether these steps will actually work,” he said. “I think that we're going to have to put increased emphasis on our diplomacy,” said Judiciary Committee Ranking Member John Conyers, D-Mich. “The sooner … that we begin to look at this part of the problem, the better off we'll be in terms of getting as much cooperation as we can.” Sensenbrenner said he agrees that diplomacy is important.

Conyers said he would reintroduce his Cyber Privacy Fortification Act, which he sponsored last year. The bill would “create a strong standard for data breach and notification, which doesn’t exist now,” he said. While law enforcement agencies need the flexibility to pursue cybercriminals, it cannot be “at the expense of the privacy of innocent citizens,” he continued. “We must not toss aside existing privacy restrictions to grant the government and law enforcement unwarranted access to communications.” When companies share information about their users with the government, the companies should ensure that the information is stripped of all identifying information about users that is not related to the investigation, he said.

Subcommittee Vice Chairman Louie Gohmert, R-Texas, contemplated reforming the CFAA to allow computer users to counterhack, or defend themselves from a cyberattack by hacking the computer of the hacker. Gohmert compared this potential reform to a self-defense rationalization used in cases of physical assault. Kerr said an exception such as the one proposed by Gohmert should be written narrowly, because hacking victims cannot always be aware of who is hacking them or how much damage counter-hacking would cause. Gohmert said the identity of the hacker or the amount of damage that could be caused should not affect a victim’s ability to defend himself. “I'm not sure that I would care that it destroyed a hacker’s computer completely,” he said. Kerr also encouraged the subcommittee to clarify whether a violation of a website’s terms of service is a criminal offense, as courts have ruled differently on the issue. The issue could be taken to the Supreme Court, “or Congress could act and actually clarify which interpretation of the statute is the right one,” he said.

Law enforcement agencies should treat national security threats and commercial threats differently, said Rep. Trent Franks, R-Ariz., asking Deputy Assistant Director John Boles of the FBI’s Cyber Division how the agency treats the two differently. “One should identify whether it is a national security threat or simply a commercial threat,” Franks said. Boles replied that the agency has “kind of melded the two protocols together,” allowing it to better respond to threats that may be difficult to immediately identify as either commercial or national security related. That approach “makes us a much more nimble law enforcement community,” he said.

Franks said he is concerned that “intentional electromagnetic interference … may be our ultimate cybersecurity threat.” “I would hope that we would have that on the radar,” he said to Boles. “I realize that’s a little ways down the road, but perhaps not as far as it should be,” he continued.

The government should do more to encourage cybersecurity education and research and reform laws to facilitate the real-time sharing of threat information between companies and the government, said Robert Holleyman, CEO of BSA-The Software Alliance. Under existing laws, “you can only do something about it after the fact,” he said. Responding to a question from Rep. Cedric Richmond, D-La., Holleyman was hesitant to comment on whether the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act should be reintroduced. “The president’s executive order has tried to address many of the elements that would have been outlined in the PRECISE Act,” Holleyman said.