The U.S. Congress may need to create stiffer penalties for criminal computer hacking to deter the growing number of attacks on U.S. government agencies and businesses, some lawmakers said Wednesday.
Congress may revisit the Computer Fraud and Abuse Act (CFAA), the oft-amended law first passed in 1984, in an effort to counter widespread cyberattacks on U.S. computers, said Representative Jim Sensenbrenner, a Wisconsin Republican and chairman of the House of Representatives Judiciary Committee's crime subcommittee.
Congress needs to respond to the recent reports of attacks from China and other countries, Sensenbrenner said during a subcommittee hearing.
"The United States has been the subject of the most coordinated and sustained computer attacks the world has ever seen," he said. "The systematic and strategic theft of intellectual property by foreign governments threatens one of America's most valuable commodities: our innovation and hard work."
Lawmakers didn't provide concrete ideas at the hearing on how they would update the CFAA. Several indicated they will work on cybersecurity legislation in the coming months.
While some lawmakers called for stronger computer hacking laws, others questioned whether there's a need. Hearing participants didn't mention the controversial Massachusetts prosecution of activist hacker Aaron Swartz, who committed suicide earlier this year, but some lawmakers' questions and witness statements seemed to refer indirectly to the case.
The CFAA is "remarkably vague," said Orin Kerr, a professor at the George Washington University Law School in Washington, D.C. Some courts have ruled that an employee who violates his employer's computer-use policy violates the law, and the U.S. Department of Justice has suggested that an Internet user who violates a website's terms of use is also acting illegally, he said.
"The lower courts are deeply divided on the statute's scope, with some courts concluding that the law is remarkably broad," he said. "As a result of this confusion, the meaning of the law presently varies depending on which part of the country you happen to be in. This situation is intolerable."
Kerr called on Congress to step in and clarify the CFAA. "The law should both punish what should be punished and ensure that innocent conduct is not criminalized," he added.
Robert Holleyman, president and CEO of BSA, a software trade group, called for updates to the law and for appropriate prosecutions. "It is important for laws and law enforcement to be strengthened in appropriate proportions, so that innocent and minor infractions are not over-penalized, but serious crimes are effectively deterred," he said.
Holleyman also called for more congressional focus on cybersecurity research and development, for legislation to make cyberthreat information-sharing easier and for a national data breach notification law.
Representative John Conyers, a Michigan Democrat, introduced a national data breach notification law on Wednesday.
Lawmakers also debated whether there should be mandatory minimum sentences under the CFAA. President Barack Obama's administration is not calling for mandatory minimums as it has in the past. Jenny Durkan, U.S. attorney for the Western District of Washington, didn't explain the reasoning behind the change in policy, other than saying judges need to have sentencing discretion and the administration's priorities lie elsewhere.
Representative Bobby Scott, a Virginia Democrat, said mandatory minimum rules are unnecessary and sometimes "violative of common sense."
Sensenbrenner disagreed. "Does the administration oppose mandatory minimums as a matter of principle, or don't they think that the crimes that we're talking about here deserve a mandatory minimum?" he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.