Patriot Act of 2001, a sweeping law which, among other things, said those who break into other peoples' computers could be considered terrorists, and prosecuted as such.
In the months since the act was signed, several lower-profile bills have been proposed in Congress--all of which are either overreaching in scope or simply flawed. One of these is H.R. 3482, the Cyber Security Enhancement Act of 2002 (CSEA).
The CSEA dictates some pretty tough penalties for cybercriminals, largely as a result of proposals made by House Crime Subcommittee Chairman Lamar Smith of Texas. He believes the U.S. Sentencing Commission should take into account the sophistication of the attack when doling out punishments. Specifically, he would like to see some forms of computer intrusion be made punishable by life imprisonment.
Smith further proposes that Internet Service Providers (ISPs) freely share information obtained from their customers' e-mails with authorities. Currently ISPs cannot share such information without a warrant.
The Bush administration has supported Smith's ideas. Deputy Assistant Attorney General John G. Malcolm proposed additional language that would broaden the legislation to include computer intruders who act with reckless disregard for death or serious injury. Last week, the subcommittee unanimously approved these additions to H.R. 3482.
The problem with this legislation is that it's often very difficult to determine who is responsible for any given cybercrime. Let's say someone hacks into the local power grid and, as a result, a hospital loses power to its critical patient care units. Who is responsible? Is it the hospital, which should have had a power backup? Is it the power utility, which should have maintained better computer security? Or is it the thrill-seeking 13-year-old, who probably had no idea what he or she was doing?
I'd say all of the above are negligent, yet the proposed legislation would punish only the "reckless disregard" of the 13-year-old. I'd say most computer intruders are curious, not malicious. On the other hand, I do not accept the defense of intruders who say they are doing good by finding weaknesses in large computer systems.
In response to the revised H.R. 3482, the Electronic Privacy Information Center (EPIC) posted several of its concerns and asked that they be placed on record with the bill. While EPIC supports increased penalties for computer intrusion by taking into account the sophistication of the violation, it would also like to see parallel laws extending to the software vendors and information technology providers who are guilty of weak security.
The EPIC agrees that ISPs should not be penalized for releasing their customers' e-mails and other private data when warranted. However, the center calls for greater government accountability of that process. In addition, the center questions whether life imprisonment is a proper sentence for hack attacks, given that recklessness is "not usually treated as rising to a sufficient criminal level of intent" in crimes not committed via a computer.
H.R. 3482 does propose some worthwhile actions. It awards $57 million to the NIPC, and broadens the center's concerns to include physical security as well as cybersecurity. But overall, the bill represents just another overreaching feel-good response to a horrible situation. H.R. 3482 won't stop cybercrime. It will, however, increase the number of non-violent criminals behind bars.