Senate Hearing Calls For Changes To Cybercrime Law

Published: 22/11/2024   Category: security




In the wake of Microsoft's seizure of No-IP servers and domains, private and public sector representatives met to discuss what can be done to address the problem of botnets.



Panelists on a Senate Judicial Committee hearing yesterday called for changes to the Computer Fraud and Abuse Act (CFAA) and other legislation that addresses cybercrime. The hearing, titled "Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks", was organized in the wake of Microsoft's botnet takedown that also took down some non-criminal customers of No-IP.
The conversation was about fighting botnets in general -- No-IP itself was never mentioned by name. It was, however, briefly implied by panelist Craig D. Spiezle, executive director and founder of the Online Trust Alliance:
"Botnet take-downs and related efforts need to be taken with care and respect to three major considerations: the risk of collateral damage to innocent third parties, errors in identifying targets for mitigation, and respecting users’ privacy. For example, taking down an entire web hoster because they have a handful of bad customers may be an example of unacceptable collateral damage. At the same time hosters and ISPs cannot hide behind bad actors and must take reasonable steps to help prevent the harboring of criminals and enabling cybercrime activity."
The panel also included Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, which led the seizure of No-IP servers and domains.
"Microsoft’s philosophy to fighting botnets is simple. We aim for their wallets," he said. "We disrupt botnets by undermining cyber criminals’ ability to profit from malicious attacks."
However, going after their wallets is not always easy. Security professionals (in tandem with law enforcement) can use technological means to disrupt criminal infrastructure, but when it comes to prosecuting the perpetrators at the center of that black market, the law can fall short.
Therefore, Domingues Boscovich expressed support for some of the law amendments proposed by panelist Leslie Caldwell, assistant attorney general of the US Department of Justice's Criminal Division.
One of Caldwell's suggestions: Add a piece to the CFAA -- which has not been amended since 2008 -- that directly criminalizes the trafficking of botnets. That way the people selling the botnets for other people to use could also be held accountable for their role in the criminal infrastructure.
Another suggestion was to amend the Access Device Fraud statute. The statute currently allows prosecutors to bring charges against the perpetrators of phishing and credit card fraud schemes if they're based in the United States, but does not apply to offenders in foreign countries. Caldwell recommends that the overseas sale of stolen US financial information be criminalized.
Another suggestion is to amend the CFAA to eliminate the requirement to prove intent to defraud. As Caldwell explained, "Such intent is often difficult -- if not impossible -- to prove because the traffickers of unauthorized access to computers often have a wrongful purpose other than the commission of fraud. Indeed, sometimes they may not know or care why their customers are seeking unauthorized access to other people’s computers."
Any suggestion to remove the need to prove intent, however, gets tricky.
Other elements of the CFAA do not require prosecution to prove a defendant's intent to do harm. This is particularly dangerous for security researchers -- web researchers in particular -- because some of their work can be considered criminal, punishable by jail time, if they don't have consent to access the property (the servers) of others.
That raises another question: What does "access" mean? The panelists discussed this as well. Common law that defines words like "access" and "trespass" was created centuries ago, far before the Internet or botnets were thought of. The panelists said that common law needs to be updated for the 21st century so that it can prosecute (or not prosecute, as the case may be) those people who break cybercrime laws.
Another snag: The Internet is borderless, but laws have many borders. This is one reason international cooperation among law enforcement agencies is so essential to taking down botnets and other cyber criminals.
"One factor has harmed our relationships with foreign law enforcement agencies, however," said Caldwell, "our inability to rapidly respond to foreign requests for electronic evidence located in the United States. Our capacity to do so simply has not kept up with the demand."
She said the DoJ needs more staff and more training to adequately keep up with that demand.
US Senator Sheldon Whitehouse (D-RI) led the panel. He asked the panel of private sector representatives whether or not private sector litigators could use civil measures to complement the government's efforts to bring criminal suits against perpetrators. The panelists were not enthusiastic about the idea.
Yet there are other measures the private sector can take to address cybercrime -- ones that don't require the law at all.
Paul Vixie, CEO of Farsight Security (and Internet pioneer), was also on the panel, and he went after the fact that the technology industry is pushing products out to market before they're truly ready.
"We would need to somehow address the lack of testing," he said. "We have got to test the way the bad guys do." Vixie also recommended retiring the use of some outdated programming languages and possibly using underwriters to enforce testing standards; he does not see underwriting as a government role.
Despite discussions of expanding the ability of both public and private sector entities to take down criminals, No-IP's CEO and founder, Dan Durrer, was pleased with yesterday's hearing:
"The legislative process around these issues has been in discussion for months, and it was never meant to be about No-IP getting its name in the lights. We feel the hearing went extremely well, and we believe our customers’ pain from the recent experience was well understood by the influencers present. Our hope is that the government, law enforcement, and private companies can work together in a collaborative manner to develop new legislation and processes for dealing with cybercrime, with protections that limit the potential collateral damage to innocent Internet users. Many of the laws governing this area were, literally, written before the invention of electricity. It is clearly time for an update."
