US Senate Approves Bill to Fight Cyber-Crime

NEW LAW : US Senate Approves Bill to Fight Cyber-Crime

By Brian Krebs

July 31, 2008

Washington Post Blog

http://blog.washingtonpost.com/securityfix/2008/07/senate_approves_bill_to_fight.html

The Senate on Wednesday passed legislation to modernize the nation's computer crime laws and give prosecutors more leeway in pursuing cyber crooks.

Under current federal cyber-crime laws prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. Under the bill approved today, that threshold would be eliminated.

Instead, the legislation would make it a felony to install spyware or keystroke-monitoring programs on 10 or more computers regardless of the amount of damage caused.

This change is important because most of today's cyber criminals break into thousands of computers at a time, but seldom inflict $5,000 worth of damages on any one individual. Moreover, while most commit their crimes by tunneling their connections through hacked computers, the crooks may never damage the PCs they are using as a proxy or try to steal personal and financial data from victims.

The real damage to cyber-crime victims -- the loss of privacy and the time and effort it takes to clean up a compromised machine and/or stolen identity -- is extremely hard to quantify monetarily. Nevertheless, one section of the measure would give identity theft victims the ability to seek restitution for the loss of time and money spent restoring credit.

The bill also would allow federal courts to prosecute attackers who go after computers located in the same state in which they live. Under current law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim's PC.

Another new provision covers cyber extortion. Under existing law, the government can prosecute cyber extortionists who threaten to delete a victim's data or to crash a computer. But there is no specific statute that addresses cyber crooks who try to extort companies by, say, publishing or releasing stolen information. This bill would criminalize that activity.

This reminds me of the attack against CD Universe in 2000, when a hacker broke into the online music store's redit card database and threatened to publish the information online unless it paid $100,000. CD Universe refused, and the hacker went ahead and posted the data on the Web.

These new provisions will be added to a bill known as The Former Vice President Protection Act (H.R. 5938). The original Senate cyber-crime bill from November, 2007, was stalled in the House of Representatives, so lawmakers have tacked on these new cyber-crime-fighting measures to legislation that the House already approved. The measure now heads back to the House for reconsideration.