Bill with tougher penalties on cybercriminals passes House

Computerworld - The U.S. House of Representatives yesterday voted overwhelmingly in favor of a bill that would significantly broaden the government's ability to go after and prosecute cybercriminals.
The Cyber Security Enhancement Act of 2002, among other things, would impose stiffer penalties on malicious hackers and give greater authority to government agencies to eavesdrop on electronic communications without first obtaining a court order.
Under the bill, malicious hackers who knowingly perform cyberattacks that result in bodily injury or death could draw sentences ranging from 20 years to life in prison.
The bill would also make it easier for Internet service providers to disclose e-mail messages and other personal subscriber information to law enforcement agencies and other governmental authorities in any emergency situation that poses the risk of death or serious injury to others.
The bill, which passed the House by a vote of 385-3, is aimed at strengthening federal laws against computer crimes and cyberattacks. It now moves to the Senate.
The provisions that call for stronger penalties against malicious hackers are long overdue, said Pete Lindstrom, an analyst at Framingham, Mass.-based Hurwitz Group Inc.
"Hackers are idolized. We've gotten to a point where we're treating this whole thing like a volleyball game between hackers and security professionals," Lindstrom said. "We've got to treat this more like a cops vs. robbers situation. These are people who are breaking the law."
The bill, which was in the works prior to Sept. 11, would join others in considerably broadening the government's ability and authority to go after cybercriminals.
For instance, before Sept. 11, Internet service providers were prohibited by federal law from revealing the content of stored e-mail and other electronic communications to the government without proper legal orders based on "probable cause."
The USA Patriot Act, which was passed after Sept. 11, amended this rule to allow Internet service providers to disclose such information to law enforcement officials, but only where there was a reasonable belief that a dangerous situation was imminent.
With the cybersecurity act, Internet service providers would turn over such information to any governmental entity -- not only law enforcement -- on a "good faith" standard. Law enforcement authorities would also be permitted to use pen registers and other "trap and trace" electronic surveillance tools in any situation perceived as posing a risk to national security.
The bill would also direct the U.S. Sentencing Commission to review and amend federal sentencing guidelines where appropriate for computer crimes involving fraud and access to protected or restricted data. Such guidelines would reflect the need for a deterrent and would require consideration of any resulting losses and violations or disruptions of privacy, national security, public health or safety.
The bill would also formalize the role of the National Infrastructure Protection Center as the primary governmental authority for threat assessment, warning, investigation and response to attacks on the U.S.'s critical infrastructure.