WASHINGTON (CN) – The Senate subcommittee on Crime and Terrorism heard suggestions Wednesday from the cybersecurity industry and Justice Department in a bid to modernize laws used to prosecute cybercrimes in light of new threats from foreign and domestic groups targeting sensitive business and personal information.
The hearing comes one month after the revelation of an attack on the U.S. Office of Personnel Management that potentially compromised the sensitive information of up to 18 million federal employees and applicants.
Sens. Lindsey Graham, R-South Carolina, and Sheldon Whitehouse, D-Rhode Island, who led the hearing, primarily sought feedback on a draft of the bill they are crafting to combat the rising pressures from organizations focused on cybercrime around the world.
The purpose of the hearing was to “get ahead” of a “major drain on our economy and quite frankly, a major threat to our way of life,” Graham said in remarks before the hearing’s first panel.
David Bitkower, Deputy Assistant Attorney General with the Justice Department’s Criminal Division, particularly focused his testimony on potential changes to the 1986 Computer Fraud and Abuse Act, which the DOJ uses to prosecute malicious use of computer networks by foreign and domestic sources.
The department relies heavily on the law to fight hackers and organized-crime groups seeking to steal privileged information, but recent court decisions and the age of the law have made it more difficult for federal prosecutors to do so.
Bitkower called for changes to the law that would allow the DOJ to prosecute malicious Chinese hackers seeking proprietary business information or intellectual property while preventing the department from chasing “trivial” cases, such as a person who breaches their company’s Internet access policy in order to check baseball scores during their lunch break.
A proposal by the Obama administration would amend the Computer Fraud and Abuse Act to allow the Justice Department to prosecute only if a person knowingly violates a computer network’s authorization, Bitkower said.
Sen. John Cornyn, R-Texas, said he hopes the committee will take up a bill on cybersecurity before the end of the legislative session.
Coupled with legal challenges to the Computer Fraud and Abuse Act, Bitkower said current restrictions on funding for his department’s cybersecurity efforts are a major source of concern.
Bitkower noted the DOJ spent $100 million – or 10 times its allotted budget for such operations – to break up the Gameover Zeus botnet, a network of connected computers that has infected up to 4 million computers since 2011 and defrauded people who used their computers to make online financial transactions, according to cybersecurity firm Symantec.
Whitehouse emphasized the importance of not “kicking the Department of Justice in the face with sequestration” in order to help the agency keep talented officials like Bitkower.
“It’s just a matter of time before we pay a heavy price for short-changing those in charge of defending our country,” Graham added during the hearing.
The second panel shifted the focus from the government’s abilities to prosecute cybercrime to the private sector’s ability to work under the current laws and cooperate with the government in fighting foreign intrusions on business data.
The current law does not offer many protections for researchers trying to identify weak areas in business and government systems – leaving companies and individuals vulnerable to attacks, said Jan Ellis, senior director of community and public affairs for Boston-based IT security and analytics company Rapid7.
Ellis testified about a child’s toy that researchers learned hackers could access and use to communicate with children without their parents’ knowledge. When researchers presented the toy company with their findings, it threatened a lawsuit using the provisions of the Computer Fraud and Abuse Act.
“We are concerned the bill does not threaten the issues confronting security researchers,” Ellis said, calling for clarification in the language of the bill to give researchers more confidence to perform their jobs without the threat of prosecution.
Two other leaders from the tech industry – American Bankers Association senior vice president and chief advisor Doug Johnson and Symantec’s director of government affairs Bill Wright – praised the success of cooperation between the government and private businesses, but warned the increasing complexity of cybercrime means that cooperation alone is not enough to guarantee security.
“Information sharing is a very important piece, a very important element to this, but it is not a panacea,” Wright said.
Instead, Wright suggested efforts to “insert some risk into the risk-reward scenario these cyber criminals are going through” in order to make it more dangerous for hackers to undertake cyberattacks on businesses and government systems.
While the hearing’s four witnesses did not always agree on the specifics of what Congress should do to combat cybercrime, they all emphasized that some action is necessary in the near future.
“If we do nothing, we potentially regress as opposed to progress,” Johnson said.