Committee approves watered-down anti-hacker bill

[William Knowles <wk () C4I ORG>]

http://www.infoworld.com/articles/hn/xml/00/10/06/001006hncybercrime.xml

Friday, Oct. 6, 2000
By Margret Johnston

THE U.S. SENATE Judiciary Committee has approved a bill that clarifies
federal law enforcement authority's power to prosecute hackers and
other computer criminals and allocates more federal money to agencies
that investigate cybercrimes.

The Internet Integrity and Critical Infrastructure Protection Act,
introduced in May by Judiciary Committee Chairman Orrin Hatch, R-Utah,
passed the committee Thursday. But many of its tougher provisions were
amended or deleted at the behest of Vermont Senator Patrick Leahy, the
ranking Democrat on the committee, who said, in its original form, the
bill would have over-federalized minor computer abuses.

One of the provisions that was amended deals with current federal
law's $5,000 damage threshold for cybercrimes. Current law says a
crime that causes less than $5,000 does not fall under federal
jurisdiction unless the crime causes injury to a person, is a threat
to public safety, or in some way hampers medical treatment. The
original bill would have eliminated the $5,000 threshold, raising a
variety of minor computer crimes to the level of a federal offense.

The bill as amended retains the $5,000 threshold for federal
jurisdiction over hacker attacks, the release of viruses and other
common computer crimes, but it clarifies how the $5,000 in damage is
calculated and limits civil damage actions to exclude negligent design
or manufacture of computer hardware, software, and firmware. Firmware
is the programmable software content in integrated circuits.

The original bill also would have made certain unauthorized access to
a personal computer a federal crime. For example, a curious college
student who accidentally deleted a file while searching a professor's
unattended computer could have been prosecuted under federal law.

Leahy said in a statement that those provisions were overkill. Each of
the 50 states has its own computer crime laws, and federal laws only
need to reach the offenses for which federal jurisdiction is
appropriate, Leahy said.

"Our federal laws do not need to reach each and every minor,
inadvertent, and harmless computer abuse," Leahy said in the
statement.

The committee also eliminated a proposed change that would have
extended a provision of federal law on computer fraud and abuse to
government employees. Leahy said the proposal was an ill-considered
change that would have made it a federal crime if a federal employee
who played a computer game at work accidentally allowed a virus into
the system.

In addition, the amended bill dropped the original bill's attempt to
strengthen the prosecution of juvenile computer crime offenders. For
example, it would permit federal prosecutors to try juveniles in
federal court for only the most serious felony computer crimes. The
original bill would have authorized such prosecutions against
juveniles for any felony computer crime, Leahy's statement said.

The amended bill eliminated a provision that would have prevented a
defendant convicted of committing a computer crime from receiving
federal money for college. It also retains a 6-month mandatory prison
sentence for anyone convicted of the computer crime law, but only for
serious felonies. Sentences will be left up to judges in cases that
involve misdemeanor and non-serious felonies.

The bill is the first federal legislation aimed at the hackers, said
Michael Harden, president of CyberGuardian, who tracked the
legislation on behalf of his Fairfax, Va.-based security service
company.

"More than half the states have enacted something on hacking," Harden
said. "This is the first time the federal government has taken action
on it."

Harden said it was not likely the bill would pass before Congress
adjourns, but it would probably come up again in the next session.

The money provisions of the bill would authorize $100 million for the
establishment of a National Cyber Crime Technical Support Center and
10 regional computer forensic laboratories. This new authorization
would complement a bill Leahy and Senator Mike DeWine, R-Ohio, have
introduced to authorize $25 million for forensic computer training for
state and local law enforcement agencies. That bill was approved by
the Senate Judiciary Committee on Sept. 21.

Additionally, the Internet Integrity and Critical Infrastructure
Protection Act would set aside $5 million for the U.S. Department of
Justice's Computer Crime and Intellectual Property (CCIP) division and
raise the profile of the head of the CCIP by making him or her a
deputy assistant attorney general.

The Internet Integrity and Critical Infrastructure Protection Act has
no companion bill in the House. There has been speculation that the
bill might be added to the Leahy-DeWine measure to establish a
National Cyber Crime Technical Support Center, but that has not yet
occurred, a spokeswoman for Leahy said.

Margret Johnston is a Washington correspondent at the IDG News
Service, an InfoWorld affiliate.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".