President Barack Obama intends to persuade Congress to increase the sentence for hackers, as well as widen the definition of what hacking means, according to Ars Technica.
Under the changes, pure hacking sentences (such as circumventing a technological barrier) would double from five to 10 years.
“We want cybercriminals to feel the full force of American justice, because they are doing as much damage — if not more, these days — as folks who are involved in more conventional crime,” Obama said on Tuesday.
The increased prison sentences would be part of wider proposed changes to the Computer Fraud and Abuse Act, first passed 21 years ago, which would seek to redefine what ‘hacking’ means, in an attempt to crack down on the wave of high-profile cybercrimes the world has seen in the last year, including the theft of private celebrity photos, the Sony Pictures hack and the various stores hit by Point-of-Sale malware.
The expanded definition of hacking would ensure that “exceeds authorized access” would now encompass accessing information “for a purpose that the accesser knows is not authorized by the computer owner.” However, opinions are divided, with Forbes highlighting that this would mean anyone clicking on a link to leaked data – including journalists – would be breaking the new law.
“We will have to wait and see what the specific changes add up to,” says ESET security researcher Stephen Cobb. He is hopeful that the administration “gets” that the fight against serious cybercrime is undermined by the prosecution of trivial “technical fouls” of the kind epitomized by the cases against Andrew Auernheimer and Aaron Swartz.
Cobb notes that President Obama has advocated modernizing the Computer Fraud and Abuse Act “by ensuring that insignificant conduct does not fall within the scope of the statute.” As Forbes points out, the CFAA may be amended so that “only those who illegally obtained information worth more than $5,000 could be prosecuted.”
This latest news from the President follows hot on the heels of other announcements regarding proposed cybersecurity legislation, including a mandatory 30-day data breach notification law for companies and the criminalization of botnets. All the evidence seems to be pointing to a cybersecurity-heavy State of the Union address next week.
(UPDATE 1/20/2015: There is more from WLS on the growing debate about cybercrime deterrence here.)
Author Alan Martin, ESET