Security

The Business Software Alliance (BSA) recognizes the importance of maintaining confidence in the Internet and e-commerce. Unfortunately, online confidence is compromised by increasingly sophisticated and organized criminal elements that continue to steal identities, defraud users, and commit online extortion. Identity thieves and cyber criminals are taking advantage of blind spots in current criminal statutes relating to cyber crime.

BSA strongly supports legislation that fills gaps in the criminal code and gives law enforcement the tools necessary to effectively find and prosecute cyber criminals. Such legislation should address:

Criminalizing malicious botnet attacks: Increasingly, cyber criminals are accessing and controlling protected computers remotely and without authorization. The compromised computers thus become “botnets” — a robot network that can consist of several hundred thousand machines. These machines can be used to attack other machines, perpetrate identity theft, spread spyware, or disrupt Internet functions. Identifying, stopping, and prosecuting cyber criminals are critical for all users.
To greatly aid prosecutions of cyber criminals, 18 USC Sec. 1030(a)(2) can be modified to explicitly cover botnet attacks. 18 USC Sec. 1030(a)(5) also can be modified to criminalize causing damage to ten or more protected computers in any one-year period, without having to necessarily prove at least $5000 damage to any one protected computer.
Increasing funding for law enforcement to fight cyber crime: The need for more dedicated law enforcement personnel and advanced forensic tools to investigate and assist in the prosecution of computer crimes is greater than ever. Identity thieves and other cyber criminals continuously evolve their schemes and frauds to deceive users, outmaneuver authorities, and even compete with each other. It is essential that law enforcement has the resources necessary to hire and train additional law enforcement officers dedicated to investigating crimes committed through the use of computers and other information technology, including the Internet, and for the procurement of advanced tools of forensic science to investigate and study such crimes.
Eliminating interstate communications requirement for cyber crime: Today, federal criminal law only covers unauthorized access to a computer that takes place across state or international borders. This allows criminals who operate within a state’s boundaries to escape federal prosecution. Eliminating the interstate and foreign access provision will expand federal jurisdiction to include intrastate cyber crime so long as the offense has an impact on interstate or foreign commerce. This will effectively close the current loophole that criminals exploit and provide uniform application of the law.
Covering cyber racketeering through the addition of RICO predicates: RICO predicate offenses should be updated to give US law enforcement the legal ability to effectively investigate and prosecute organized crime syndicates. Organized crime syndicates from Eastern Europe, Africa, Asia, and other regions have been identified as significant culprits behind phishing scams, identity theft, online extortion, and other cyber crime activities. Action should be taken to update the predicate offenses to support a racketeering criminal charge.
Covering cyber extortion: While cyber criminals often threaten online businesses with cyber attacks for the purposes of extorting money, cyber extorters often harass and attack without explicit demands for things of value. Rather some extorters may seek to cripple a competitor’s online services or carry through on a vendetta. Updating criminal statutes to address this type of cyber extortion is vital to the protection of law-abiding citizens.
Including conspiracy to commit cyber crime: As organized crime becomes more involved in cyber crime, focusing the penalty structure on illegal group behavior becomes more important. Adding an explicit conspiracy charge rather than relying upon the general criminal conspiracy statute would not only subject conspiracy recidivists to enhanced penalties, but also treat conspiracies to commit such offenses similarly to attempts.
Forfeiting property used to commit cyber crime: Property—both real and personal—that is derived from proceeds traceable to a violation is currently subject to both criminal and civil forfeiture. We believe that forfeiture should include computers, equipment, and other personal property used to violate the CFAA, as well as real and personal property derived from the proceeds of computer crime.
Expanding sentencing guidelines: Currently, sentences for violations are determined by calculating actual economic loss, which is often difficult to determine in the computer crime context. Defendants convicted of computer crimes often serve no term of imprisonment, resulting in the absence of any deterrent effect arising from criminal prosecution and making computer crimes less likely to be prosecuted in the future. The US Sentencing Commission should be directed, in determining its guidance on the appropriate sentence for computer crime, to consider a number of highly relevant factors in order to create an effective deterrent to computer crime.