WASHINGTON (Reuters) - Even before a loosely organized group of hackers broke into the CIA’s and Senate’s public websites, the White House asked for stiffer sentences for breaking into government and private computer networks.
Last month the Obama administration pressed Congress to pass stronger cybersecurity measures, including a doubling of the maximum sentence for potentially endangering national security to 20 years in prison.
While it remains to be seen if the proposal will become law, the question of how to fight cyber-crime has risen to the fore in recent weeks with a spate of high-profile, and sometimes sophisticated, attacks.
The computer break-ins have targeted multinational companies and institutions, including Sony Corp, Citigroup and the International Monetary Fund. Sony faces dozens of lawsuits related to the theft of consumer data from its PlayStation network.
Also, in the latest flurry of hack-ins, the loosely organized group Lulz Security said it broke into the Senate’s and CIA’s public websites, as well as Sony and other targets.
“It’s been a busy month,” said James Lewis, of the Center for Strategic and International Studies think tank.
Lewis said “hacktivists,” who often break into websites to make a political point or generate publicity, made “a big mistake” in going after the public websites of the FBI and the CIA. “That bumps it up immediately,” he said. “That could make it a grudge match.”
But tackling cybercrime — as well as other kinds of cyberattacks — has often been complicated by the difficulty of determining who is responsible.
“Smoking keyboards are hard to find,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute.
“Anonymity of cyberspace, the lack of being able to do 100 percent attribution makes it difficult from a national security standpoint, obviously, if you don’t know who is behind the clickety clack of the keyboard, or even if you do, you don’t have 100 percent confidence,” he said.
Under current law, for first-time offenders, the Computer Fraud and Abuse Act sets a maximum prison sentence of 10 years for breaking into a U.S. government computer if national security is at stake, a maximum of five years for breaking into a computer in order to steal, and one year for stealing a password to a financial institution or accessing a government computer, for example to deface it.
Under the White House proposal, the 10-year maximum sentence for potentially endangering national security would become a 20-year maximum, the five-year sentence for computer thefts up to $5,000 would become a 10-year sentence and the one-year maximum for accessing a government computer — either to deface it or download an unimportant file — could become a three-year sentence.
At this point, none of the cybersecurity legislation introduced or circulating in Congress has included those tougher sentences.
And Stephen Ryan, a former prosecutor, said that if the goal is deterring cybercrime, lengthy sentences won’t do the trick as well as actual arrests and prosecutions.
“There may be people who fully deserve a sentence that’s more than five years. The key to deterrence is prosecution and conviction,” said Ryan, now a partner at McDermott, Will & Emery.
Catching sophisticated hackers is notoriously difficult, which often means the sloppy and the stupid will end up being prosecuted — as well as a few who just have bad luck.
“There’s also the question of resources,” said a cyber expert who asked not to be named. “So when you’re talking about nuisances — like the Senate and CIA — a lot of this comes across as childish vandalism. In those cases you have to question whether you devote the resources and prosecute that.”
But the sentences can get longer if other crimes are involved. Alberto Gonzalez was sentenced to 20 years in prison in 2010 for hack attacks into major U.S. companies that led to the theft of more than 40 million credit and debit card numbers.
Additional reporting by Jeremy Pelofsky. Editing by Warren Strobel and Xavier Briand