This is the third post in a multi-part series. You can read the first and second parts here.
A second major aspect of the current National Cyber Security call for action considers the legal authority to investigate and prosecute cyber-crimes. We also need to agree on what the appropriate role for law enforcement authorities would be. There are differing views on whether the Computer Fraud and Abuse Act of 1986 (CFAA) needs to be expanded, curtailed, refined, or recreated.
Currently, the CFAA governs most cyber-crime prosecutions. Some feel the broad wording of this statute has enabled overreach, such as prosecuting people under CFAA for violating click-through terms of service pages on web services and software. Hobbyists tuning cars or even repairing their own farm equipment may violate both CFAA and copyright law. While such tinkering is widespread and often ignored, there remains the possibility that in case of an accident caused by a tuned car, prosecutors would add computer crime to manslaughter charges. And others argue that CFAA has not proven to be a deterrent to criminals and that additional laws and harsher penalties need to be enacted.
Looking forward, we should arguably change the law to address the most extreme scenarios. When a graffiti artist typically pays a fine and performs some community service, defacing a website shouldn’t result in multiple years in jail. Proportionality with, and understanding of, physical analogs is important.
Intent is important, actions are critical.
What people do must be appropriately punished. Our worst punishments should be reserved not for those who develop tools, but for those who misuse them in illegal and inappropriate ways. But research and modifying your own property should not be illegal. Even so, hobbyists and researchers should still learn the lesson of the Morris Worm and conduct practice and research on private networks and systems.
We could argue that almost anything done with a computer already has a crime and punishment on the books. Kill one, or several people, and statutes for murder or manslaughter apply, whether or not a computer was involved. Copying a file is still stealing–even if the copy and the original are indistinguishable. Breaking into a company’s computer is just as illegal as breaking into their buildings. No special law is needed.
Outlawing tools and unsafe behaviors would further eliminate a major source of the skills we need to protect systems. This is an area where physical analogs break down. We don’t train everyone to be a soldier, and we don’t let just anyone have the tools of war. But we do allow people access to many kinds of weapons, and we allow private training. However, the odds of physical attacks on US systems are much lower than the odds of cyber attack. And while the government has proven adept at protecting us from most physical threats, it's quite clear that the government can barely protect its own systems. We now know that the government has been seeking an apparently unsuccessful public-private partnership to protect commercial interests since the late 90’s under President Clinton.
Fundamentally, we need better tools to protect systems and provide accountability for the misuse of systems. One of our biggest challenges is simply assigning responsibility for attacks. While five Chinese military personnel have been charged with computer crimes, there are ongoing questions about who’s really behind the attacks on Sony. New evidence suggests Russian involvement.
Our understanding of computer misuse and abuse has changed significantly since the law was enacted. The crimes, the criminals, the motivations, and the computers and networks have also changed. And we have literally hundreds of prosecutions from which we can learn about both the impact on criminals, and the unintended consequences of those prosecutions. While there are extremes, for the most part, the law has been well used to prosecute people who have enriched themselves and damaged others through computers and networks.
However, as we consider changes to the law, we should also consider the changing role of computers in our lives. And we should be thinking about the future – our children and their children. Today, motivation is the primary difference between the state-sponsored legal “spy”, the university researcher, the hobbyist at home, and cyber criminals. The hobbyist-developed tool at home can become the tool for wreaking havoc inside a power grid, or an oil processing facility. University research can provide the basis for espionage or improved security.
New laws, and the update of existing laws, should focus on what we as a society have learned since CFAA was enacted, and on how our use of computers has changed. When almost everything, from our cameras, cars, music players, and printers to TVs, data storage, and soon our clothes, is governed by code and computers, we need a more nuanced view. We need laws that recognize human rights, the quest for knowledge, and enable the punishment of clearly illegal activities.