Increasing CFAA Penalties Won't Deter Foreign "Cybersecurity" Threats
In the last three months alone, the House has released three different cybersecurity bills and has held over seven hearings on the issue. In addition, the House Judiciary Committee floated changes to the Computer Fraud and Abuse Act (CFAA)—the draconian anti-hacking statute that came to public prominence after the death of activist and Internet pioneer Aaron Swartz. Politicians tout this legislation as necessary to protect against foreign threats every single time they introduce a bill with “cyber” somewhere in the text. And it comes as no surprise that every hearing has opened up with a recap of computer security attacks faced by the US from China, Iran, and other foreign countries.
For many politicians "cybersecurity" is also synonymous with increasing penalties for computer crimes. The CFAA proposal floated last week expands the already broad scope of the CFAA, increases the prison time for violations, and criminalizes new actions. Politicians from both parties believe—despite research saying otherwise—that increasing penalties will serve as a deterrent to foreign crimes. Just last year, President Obama, Senator Leahy, and House Republicans all proposed expanding the reach of the CFAA by increasing its penalties. With your help these attempts were defeated when we killed the cybersecurity bill in the Senate.
Why Increases Won't Deter Foreign Threats
Increasing penalties in the CFAA won't serve as a deterrent to foreign threats. Many foreign hacks—like the ones revealed in the recently released Mandiant report—are carried out not by private individuals, but by state or quasi-state sponsored citizens. In talks, politicians often cite the recent hack of a Saudi oil company called Saudi Aramco. But the hack is thought to be from a quasi-state sponsored Iranian group. And the US will find it hard, if not impossible, to extradite Chinese or Iranian state-sponsored computer hackers. In the case of China and Russia, there are strong legal prohibitions that bar the government from handing over a citizen to another country.
The US would also have a hard time prosecuting civilian foreign citizens. In recent memory there have been only a handful of CFAA extradition cases. In one potential case—the infamous "ILOVEYOU" virus—the FBI said that suspects are generally prosecuted in the country where they're found. This means that the CFAA wouldn't be used. The larger Department of Justice manual concerning extraditions lists factors leading to an extradition, but warns prosecutors: "appeals and delays are common." In general, there have been very few successful extradition cases based solely on the CFAA.
Just last year, the US tried to extradite Gary McKinnon under the CFAA for allegedly accessing US military computers. The US government labeled McKinnon as one of the "world's most dangerous hackers," yet it was unable to persuade one of its closest allies, England, to extradite him. McKinnon's case is just one recent example of the difficulties the US government faces when trying to prosecute foreign online threats with US domestic law.
In 2011, Michael Chertoff, the former secretary of the Department of Homeland Security, made these same exact points. While discussing the CFAA and foreign cybersecurity threats, Chertoff noted:
The problem is a lot of the activity is overseas, and we are not going to find the people who do this stuff because they are never coming over to the United States. And, frankly, in some countries there is not a lot of interest in cooperating with us.
In addition, former Justice Department prosecutor and CFAA expert Orin Kerr wrote last week that Congress and the Justice Department seem to be pushing these changes despite the fact that sentences are already very tough, and without any evidence that judges who preside over computer crimes cases think they are necessary:
[H]ave there been any cases in which judges maxed out the current sentences, suggesting that if they had the power to do so they might have wanted to sentence a defendant to a greater punishment? Or is Congress considering increasing the allowed penalties under the CFAA with a complete absence of evidence that any federal judge anywhere has ever found the current statutory maximum penalties too low in any actual case?
The facts are clear: Increasing penalties and expanding the scope of the CFAA won't deter foreign threats—the main reason politicians cite for cybersecurity legislation that increases penalties in the CFAA—and it's unclear if it will deter any threats at all.
Where We Need to Go
This year, in the wake of Aaron's death, advocates fighting to change the status quo have even more reason to enact serious reform. Congress should reform the draconian CFAA by narrowing its scope and reducing its penalties. Rep. Zoe Lofgren has proposed Aaron's law, which seeks to pass language already reflected in judicial decisions and clarifies that violations of a terms of service are not a crime. EFF's own proposal goes beyond this. Our changes aim to protect innovation and decrease the penalties found in the law.
Politicians shouldn't confuse reforming the CFAA with being "soft on crime" or with facilitating more foreign attacks. Even domestically speaking, prosecutors have a number of laws to choose from. CFAA reform has been long overdue. Courts like the Fourth and Ninth Circuits are already narrowing the law. It's time for Congress to follow their lead. Help support CFAA reform by telling your Representative to support reform.