IDG News Service - Congress may need to create stiffer penalties for criminal computer hacking to deter the growing number of attacks on U.S. government agencies and businesses, some lawmakers said Wednesday.
Congress may revisit the Computer Fraud and Abuse Act (CFAA), the oft-amended law first passed in 1984, in an effort to counter widespread cyberattacks on U.S. computers, said Rep. Jim Sensenbrenner, a Wisconsin Republican and chairman of the House Judiciary Committee's crime subcommittee.
Congress needs to respond to the recent reports of attacks from China and other countries, Sensenbrenner said during a subcommittee hearing.
"The United States has been the subject of the most coordinated and sustained computer attacks the world has ever seen," he said. "The systematic and strategic theft of intellectual property by foreign governments threatens one of America's most valuable commodities: our innovation and hard work."
Lawmakers didn't provide concrete ideas at the hearing on how they would update the CFAA. Several indicated they will work on cybersecurity legislation in the coming months.
While some lawmakers called for stronger computer hacking laws, others questioned whether there's a need. Hearing participants didn't mention the controversial Massachusetts prosecution of activist hacker Aaron Swartz, who committed suicide earlier this year, but some lawmakers' questions and witness statements seemed to refer indirectly to the case.
The CFAA is "remarkably vague," said Orin Kerr, a professor at the George Washington University Law School in Washington. Some courts have ruled that an employee who violates his employer's computer-use policy violates the law, and the U.S. Department of Justice has suggested that an Internet user who violates a website's terms of use is also acting illegally, he said.
"The lower courts are deeply divided on the statute's scope, with some courts concluding that the law is remarkably broad," he said. "As a result of this confusion, the meaning of the law presently varies depending on which part of the country you happen to be in. This situation is intolerable."
Kerr called on Congress to step in and clarify the CFAA. "The law should both punish what should be punished and ensure that innocent conduct is not criminalized," he added.
Robert Holleyman, president and CEO of BSA, a software trade group, called for updates to the law and for appropriate prosecutions. "It is important for laws and law enforcement to be strengthened in appropriate proportions, so that innocent and minor infractions are not over-penalized, but serious crimes are effectively deterred," he said.
Holleyman also called for more congressional focus on cybersecurity research and development, for legislation to make cyberthreat information-sharing easier and for a national data breach notification law.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
