Computerworld

US anti-hacking bill gets approval, but with changes

A new bill clarifies US federal authority's power to prosecute hackers and other computer criminals and allocates more money to agencies investigating cybercrimes.

The US Senate Judiciary Committee has approved a bill that clarifies federal law enforcement authority's power to prosecute hackers and other computer criminals and allocates more federal money to agencies that investigate cybercrimes.

The Internet Integrity and Critical Infrastructure Protection Act was approved late last week. However, many of its tougher provisions were amended or deleted at the behest of Vermont senator Patrick Leahy, the ranking Democrat on the committee, who said that, in its original form, the bill would have over-federalised minor computer abuses.

One of the provisions that was amended deals with current federal law's $US5,000 damage threshold for cybercrimes. Current law says a crime that causes less than $US5,000 in damage does not fall under federal jurisdiction unless the crime causes injury to a person, a threat to public safety or in some way hampers medical treatment. The original bill would have eliminated the $US5,000 threshold, raising a variety of minor computer crimes to the level of a federal offense.

The bill as amended retains the $US5,000 threshold for federal jurisdiction over hacker attacks, the release of viruses and other common computer crimes, but it clarifies how the $US5,000 in damage is calculated and limits civil damage actions to exclude negligent design or manufacture of computer hardware, software and firmware. Firmware is the programmable software content in integrated circuits.

The original bill also would have made certain unauthorised access to a personal computer a federal crime. For example, a curious college student who accidentally deleted a file while searching a professor's unattended computer could have been prosecuted under federal law.

Leahy says that those provisions were overkill. Each of the 50 states has its own computer crime laws, and federal laws only need to reach the offenses for which federal jurisdiction is appropriate, Leahy says.

"Our federal laws do not need to reach each and every minor, inadvertent and harmless computer abuse."

The committee also eliminated a proposed change that would have extended a provision of federal law on computer fraud and abuse to government employees. Leahy says the proposal was an ill-considered change that would have made it a federal crime if a federal employee who played a computer game at work accidentally allowed a virus into the system.

In addition, the amended bill dropped the original bill's attempt to strengthen the prosecution of juvenile computer crime offenders. The amended bill would permit federal prosecutors to try juveniles in federal court for only the most serious felony computer crimes. The original bill would have authorised such prosecutions against juveniles for any felony computer crime.

The amended bill eliminated a provision that would have prevented a defendant convicted of committing a computer crime from receiving federal money for college. It also retains a six-month mandatory prison sentence for anyone convicted of violating the computer crime law, but only for serious felonies. Sentences will be left up to judges in cases that involve misdemeanors and non-serious felonies.

The bill is the first federal legislation aimed at hackers, says Michael Harden, president of CyberGuardian, who tracked the legislation on behalf of his Fairfax, Virginia-based security service company.

"More than half the states have enacted something on hacking," Harden says. "This is the first time the federal government has taken action on it."

Harden says it was not likely the bill would pass before Congress adjourns, but it would probably come up again in the next session.

The money provisions of the bill would authorise $US100 million for the establishment of a National Cyber Crime Technical Support Center and 10 regional computer forensic laboratories. This new authorisation would complement a bill Leahy and Senator Mike DeWine, a Republican from Ohio, have introduced to authorise $US25 million for forensic computer training for state and local law enforcement agencies. That bill was approved by the Senate Judiciary Committee on September 21.

Additionally, the Internet Integrity and Critical Infrastructure Protection Act would set aside $US5 million for the US Department of Justice's Computer Crime and Intellectual Property (CCIP) division and raise the profile of the head of the CCIP by making him or her a deputy assistant attorney general.

The Internet Integrity and Critical Infrastructure Protection Act has no companion bill in the House. There has been speculation that the bill might be added to the Leahy-DeWine measure to establish a National Cyber Crime Technical Support Center, but that has not yet occurred, a spokeswoman for Leahy says.