President Obama is proposing changes to the Computer Fraud and Abuse Act (CFAA), but will they do more harm than good?
Experts are starting to weigh in on the topic, and the reviews so far are mixed. On one side, the administration has made some concessions, which are useful. Yet some of the proposed punishments are overly severe, and the wording of the proposal is vague in parts.
In his State of the Union address next week, President Obama is going to propose changes to the Computer Fraud and Abuse Act (CFAA). However, some aspects of the proposal have left security experts puzzled.
On Tuesday, President Obama said that his administration wanted "cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime."
Case in point: the proposed changes to the CFAA increase the maximum penalty from five years to 10 years for pure hacking acts, such as circumventing a technological control (e.g. bypassing a firewall or other access control barrier).
Moreover, the proposed changes expand the already vague definition of "exceeds authorized access" to cover anyone who accesses information "for a purpose that the accesser knows is not authorized by the computer owner."
Orin Kerr, a CFAA expert, said in a review of the proposed changes that his views were somewhat mixed, but that he was skeptical of the changes on the whole.
"On the downside, the proposal would make some punishments too severe, and it could expand liability in some undesirable ways. On the upside, there are some notable compromises in the Administration’s position. They’re giving up more than they would have a few years ago, and there are some promising ideas in there," he wrote.
"If the House or Senate Judiciary Committees decides to work with this proposal, there’s room for a more promising approach if some language gets much-needed attention. On the other hand, if Congress does nothing with this proposal and just sits on it, letting the courts struggle with the current language, that wouldn’t necessarily be a bad thing."
Soon after the proposed alterations were made public, Robert Graham of Errata Security pointed out that, based on his reading of the proposal, the changes to the CFAA would make it illegal to access, or even share links to, information that one knows to be restricted. As an example, he tweeted a fake link purporting to lead to employee information on the New York Times website:
Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://t.co/1dLdUXG2tT
— Rob Graham (@ErrataRob) January 14, 2015
"In next week's State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link," Graham wrote.
Moreover, he noted, the proposal would also add criminal hacking to the RICO statute, making it a racketeering offence. This, Graham said, means that someone could be treated as a hacker simply by acting like one.
"Hanging out in an IRC chat room giving advice to people now makes you a member of a 'criminal enterprise' allowing the FBI to sweep in and confiscate all your assets without charging you with a crime."
"Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem. Most hacking is international and anonymous. They can’t catch the perpetrators no matter how much they criminalize the activities," Graham concluded.