Amendments attached to the proposed Cybersecurity Information Sharing Act (CISA) make an "already awful cybersecurity bill" worse by making worrying changes to the years-old Computer Fraud and Abuse Act, the Electronic Frontier Foundation warned recently.
Sen. Sheldon Whitehouse introduced amendments to CISA, which, if approved, would make sweeping changes to the CFAA. Instead of helping harden computer systems or protect people from malicious actors, the new provisions would give prosecutors "more power to threaten more people with more prison time," Cindy Cohn, EFF's executive director, warned in a recent blog post. CISA, with 20-odd amendments, is on the docket for a full vote in the Senate this year.
CFAA is the government's primary tool for going after malicious hackers and cyber criminals, but many in the security industry are wary of the law's numerous loopholes and poorly worded clauses. For example, the law does not define what it means to access computers without authorization, but includes provisions for exceeding authorized access. CFAA was initially enacted in 1986 and has been modified several times as hordes of people started using computers and the Internet became mainstream.
One of the problems lies in the way overzealous prosecutors could take advantage of the way the law is worded to stack on violations. Potential jail time for nonviolent computer crimes can exceed that of some violent crimes.
For a while, there was a growing sense across both parties in Congress that the CFAA needed to be fixed to stop this kind of stacking, Cohn wrote. This past spring, Rep. Zoe Lofgren, Sen. Ron Wyden, and Sen. Rand Paul reintroduced a draft bill named Aaron's Law, after Aaron Swartz, who committed suicide after months of overzealous prosecution under CFAA by the Justice Department. The proposed bill was written to ensure individuals won't face criminal liability for violating a terms of service agreement and rein in out-of-control prosecutors.
However, recent headlines of data breaches and attacks against the government may have redirected Congress's attention away from reforming the law and toward expanding the government's powers to catch and prosecute perpetrators. The Whitehouse amendment would increase criminal penalties by 20 years for persons convicted of existing CFAA felonies that cause or would result in "aggravated damage to a critical infrastructure computer," the EFF said. The group called the "aggravated damage" provision "appallingly vague." The language doesn't specify what constitutes a critical infrastructure computer and, as written, could be read to mean almost any system.
"We cannot stress enough that these changes will not help us against actual cyber crime," the EFF said.
Sen. Whitehouse's amendment also changes how the CFAA views the person's intent, as it changes the mental state from "knowingly and with intent to defraud" to merely whether the person knew "such conduct to be wrongful," the EFF said. It's extremely vague, but more important, it's a broader rule, making it easier to prosecute nearly anyone.
Talk to CFAA critics, and they will complain about how the law lets prosecutors stack charges to increase penalties to several years. But a member of the Department of Justice told Black Hat attendees in August that this doesn't actually happen. The average sentence for a case based on CFAA was 23 months, said Leonard Bailey, special counsel for national security at the Department of Justice's Computer Crime and Intellectual Property Section. Sentences for CFAA offenses "routinely have been below the minimum sentence recommended," Bailey said.
Prosecutors are supposed to consider the potential harm to national security and public safety, the sensitivity of the data, and the context of the activities before deciding to use CFAA. Bailey doesn't think prosecutors have shown a tendency to "throw the book" at CFAA violators, based on the fact that the DOJ used the CFAA to prosecute only 194 cases last year, out of the more than 56,000 cases filed.
It's just as possible that overzealous prosecutors still stack charges as a scare tactic to pressure individuals into accepting plea bargains. That way, the case is closed without having to bother with the time and expense of going to trial.
Congress is considering a number of cybersecurity bills this year, but it is not clear if any of them will come up for a vote over the next few months, considering the already packed legislative calendar. Senate Intelligence Chairman Richard Burr told The Hill he doesn't expect any action on the cybersecurity legislation until October at the earliest. There is also some question as to whether there are enough votes for the bills to pass, especially in the face of fierce opposition from privacy and civil liberties groups, as well as tech companies.
Congress needs to do more to protect government networks, personal data, and company assets, but despite years of hearings, there is still no consensus on the right approach.