In mid-May, the Obama administration called on Congress to expand the definition of computer crime and to stiffen federal penalties for hacking into computer systems, doubling the maximum prison sentences for first-time offenses.
The proposals were timely. They came soon after high-profile data breaches at Sony and the network-security firm RSA, and a month before less serious but embarrassing attacks upon the websites of the CIA and the U.S. Senate.
But security and legal experts say the White House suggestions, which would in part update the Computer Fraud and Abuse Act, are both too broad and fundamentally ineffective.
They argue that it's time for a wholesale overhaul of federal law pertaining to computer crime, which has changed radically since the Computer Fraud and Abuse Act was first drafted in 1986.
Right now, the act states that unauthorized intrusion into a government computer system, however trivial, merits a maximum sentence of one year; theft of more than $5,000 using a computer, five years; a first-time offense of jeopardizing national security via hacking, 10 years; multiple offenses, 20 years.
The White House would raise the maximum sentence for each first-time offense. Breaking into a government computer would go from one to three years, theft of more than $5,000 could get you 10 years and the maximum for a first-time jeopardizing of national security would be 20 years.
The Obama proposals also would add a stand-alone sentence of three years for anyone caught damaging a "critical infrastructure" computer, such as one involved in the electrical, water, financial or transport systems.
They would expand the RICO statutes, originally used against the Mafia, to cover online criminal activity and extend drug-money forfeiture laws to enable property seizure from those convicted of cybercrimes.
Congress has yet to incorporate the recommended measures into any cybersecurity-related bill.
Amateurs vs. professionals
John W. Dozier Jr. of Dozier Internet Law, a Virginia-based firm, notes that the existing act doesn't account for different kinds of hacking.
"It fails to adequately distinguish between relatively minimal intrusions and intrusions that can affect the economy," Dozier said.
On one hand, there are pranksters, protesters and vandals such as LulzSec or Anonymous, who garner lots of publicity but cause little damage.
On the other, there are professional cybercriminals, who traffic in passwords and credit-card information for profit, and online spies, who quietly steal secrets from American corporations and government agencies. Neither of the latter groups is likely to be swayed by tougher measures.
Many of the serious offenders are outside the U.S., Dozier notes, in countries with weak or nonexistent extradition treaties.
Blunt instrument or bargaining tool?
Marcia Hofmann, an attorney at the Electronic Frontier Foundation in San Francisco, agreed that the Computer Fraud and Abuse Act as written is a bit of a blunt instrument.
Hofmann said the MySpace suicide case of 2008 was said to fall under the act, though a federal judge rejected that interpretation. (The case involved a Missouri 13-year-old girl who hanged herself after being rejected by a boy she met online — a fictitious boy created by the mother of a neighboring teenager.)
But the case did show how broadly the act can be interpreted, a concern separate from the debate over whether stiffer penalties will make any difference.
One issue for the law and its enforcement is how likely it is that anyone will be caught.
Alex Muentz, a lecturer at Temple University on computer crime, says the odds of catching criminals are often low.
Many online gangs, Muentz points out, use botnets, in which thousands of personal and workplace computers are hijacked to silently send out spam, host bogus ads or take part in cyberattacks.
The owners of the computers will have no idea they are facilitating cybercrime — and the real culprits, hiding behind proxy servers and encrypted connections, will be difficult or impossible to track.
For prosecutors, the real leverage comes from getting defendants to name other people involved.
"Longer sentences do give more power to prosecutors to coerce apprehended defendants into both assisting law enforcement in locating other defendants and favorable testimony at trial," Muentz said.
Muentz suggested encouraging the companies that get attacked to pay more attention to security, perhaps using the laws covering negligence.
In Sony's case, for example, the company was found to have outmoded systems and weak firewalls, with sensitive customer data posted on open websites, all of which could be seen as a breach of responsibility on Sony's part.
But the idea of holding a breached company accountable for the loss of customer data, Muentz said, doesn't seem to have much traction in the U.S.
Both Hofmann and Dozier agree that what is necessary is a better set of definitions. Violating an end-user license agreement probably should not fall under the statute, nor should every sort of unauthorized access to a system.
Dozier says that industrial espionage (stealing a competitor's information from a server, for example) would fall under the law as a criminal act. But civil courts have traditionally dealt with that kind of activity.
Meanwhile, the federal government has other competing priorities, so it isn't clear how far the proposals the White House has suggested will go.
"The government is busy, so they'll make more threatening noises once they catch a defendant — it's 'doing something,'" Dozier said.