"They really have to juice up the sentencing a lot," says Assistant U.S. Attorney V. Grady O'Malley, who prosecuted the first federal criminal case of computer sabotage. "We need to make sure we're not giving these guys a slap on the wrist. Somebody who's thinking of doing this needs to think twice."
The Cyber Security Enhancement Act, HR 3482, received unanimous support from the House Judiciary Committee this week. The bill, which was introduced by Congressman Lamar Smith (R-Texas), now moves on to a vote on the full House floor. That vote is expected to come next month.
Under current law, the punishments for computer crime largely are based on the financial damage it causes.
Tim Lloyd, a former network administrator for Omega Engineering Inc., destroyed the company's computer network and the global manufacturer's ability to manufacture in the summer of 1996. The attack, according to O'Malley who prosecuted the case in the spring of 2000, caused the company $12 million in losses and cost 80 employees their jobs. Lloyd received 41 months in jail or about three and a half years -- just short of the five-year max that he faced. He also was ordered to pay more than $2 million in restitution.
"The damage that was done to Omega, in my opinion, warranted much more severe penalties," says O'Malley. "Putting Lloyd in for three and a half years was a tremendous step in the right direction. People need to see that it's not just a fine. It's not house arrest."
Smith's bill would direct the U.S. Sentencing Commission to take several factors into account. Potential, as well as actual loss, would be taken into consideration, along with the level of planning, whether the crime was committed to for commercial or private advantage, and malicious intent.
Computer criminals, according to the bill, would face life in prison if they put human lives in jeopardy.
"America must protect our national security, critical infrastructure and economic base from attack, including the growing threat of cyber attacks," says Smith in a written statement. "Penalties and law enforcement capabilities must be adequate to prevent and deter such attacks."
Smith testified before the House Judiciary Committee that computer crime costs American businesses billions of dollars a year. A recent survey by the Computer Security Institute in conjunction with the FBI showed that 90% of companies surveyed reported security breaches in the past 12 months.
Privacy Concerns Raised
"If we ever start seeing strong sentences, then maybe this will be a good deterrent," says Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp. "The magnitude of harm that you can do today is significantly more than it was even five years ago. More and more systems are interconnected and an increasing amount of attack tools are more available."
But one part of the Cyber Security bill is raising privacy concerns among some industry analysts.
The bill, if passed by the full House, would allow ISPs to hand over user information to law enforcement without a warrant and to report suspicious activity -- all without fear of a lawsuit. Today, law requires that ISPs only turn over information on user activity without a warrant if it poses an immediate risk of injury or death, according to James Dempsey, deputy director of the Center for Democracy and Technology in Washington, D.C. Current law also allows users to sue if they believe their privacy has been violated.
"Really, this is a huge unlimited loophole in what had been a very firm rule that the government can't get your email without a court order," says Dempsey. "When the government taps your phone in an emergency, they have to go to a judge for after-the-fact approval. If there isn't, they have to destroy the tapes and notify the person of what's happened."
Dempsey says his online privacy group raised these concerns with lawmakers but his concerns have gone unanswered.