Cyber Crime: Modernizing Our Legal Framework
Good afternoon, Chairman [Lindsey] Graham, Ranking Member [Sheldon] Whitehouse and members of the subcommittee. Thank you for the opportunity to be here today to discuss legislative proposals that will enhance our ability to combat cybercrime and protect the privacy and security of the American people. In particular, I would like to thank the chair and ranking member for their continued leadership on these important issues.
As the Attorney General has emphasized, fighting cybercrime is one of the Justice Department’s highest priorities. Every day, our society becomes more reliant on computer networks and electronic devices in almost every aspect of our lives. At the same time, individual hackers, organized criminal groups and nation states are becoming more sophisticated at using those networks and devices against us – stealing from our bank accounts, compromising sensitive and private information and even spying on innocent citizens through their webcams.
These invasions of privacy make us feel vulnerable and unsafe, and rightly so. And the effects of these crimes are only compounded when we realize that cyber criminals often sell the stolen data to other criminals, or even use it to extort and terrorize their victims.
The department’s prosecutors and our law enforcement partners strive to protect our citizens and businesses and vindicate their privacy rights. But our laws have not always kept pace with global realities and advances in technology.
That is why, earlier this year, the President announced legislative proposals designed to protect the online privacy and security of American citizens and companies. Among those proposals were targeted updates to the criminal laws that govern cybercrime.
I would like to specifically discuss two of those proposals today. The first one addresses the “insider threat” – the threat to privacy and security caused by computer users who are authorized to access computers and networks, but exceed that authority. As you know, the Computer Fraud and Abuse Act (CFAA) is the primary statute that we use to charge computer crime cases. It applies to hackers located on the other side of the world who have no right to access your data, but it is also the statute we use to prosecute individuals – such as government or corporate employees – who knowingly abuse their access to misappropriate sensitive data.
For example, we have used this provision of the CFAA to charge corrupt police officers who were entitled to access law enforcement databases for official police purposes but who instead obtained confidential information from the databases for personal reasons, or so that they could sell it for profit. The same provision would also apply to corporate employees whose employers grant them specialized access to valuable information so that they can do their jobs – but who then access that information contrary to that authorization.
Unfortunately, recent judicial decisions have imposed obstacles to the government’s ability to prosecute cases like this in large parts of the country. As a result, corrupt insiders may be effectively immune from punishment under the CFAA – even where they intentionally exceed the bounds of their legitimate access and steal their employers’ intellectual property or invade the privacy of the people whose data is improperly accessed.
These judicial decisions stemmed from the concern that the relevant provision of the CFAA could potentially make relatively trivial conduct a federal crime – such as checking the baseball scores during lunch, in violation of an employer’s strict Internet use policy. The department has no interest in prosecuting such harmless acts. That’s why we have proposed amendments to the CFAA that would address this concern – while also making sure that the law applies to those who commit serious security violations and invasions of privacy. We look forward to discussing these proposals further with the subcommittee.
The second legislative proposal that I would like to highlight would enhance our ability to combat botnets. As you know, botnets are networks of victim computers surreptitiously infected with malware. Criminals can use botnets to steal personal information from the infected computers – or hold that information for ransom. Criminals can also use botnets to commit distributed denial of service attacks or to conceal their locations and identities while committing other crimes, like exploiting children online.
One powerful tool that the department has used to disrupt botnets and free victim computers is the civil injunction. For example, civil injunctions were instrumental in our successful operations against the Coreflood and Gameover Zeus botnets, which liberated hundreds of thousands of compromised computers from the criminals who controlled them. The problem is that current law only permits courts to consider injunctions for limited categories of crimes – such as certain financial frauds. Botnets, however, can be used for other kinds of illegal conduct as well. The administration has therefore proposed clarifying that injunctions are available for the full range of crimes that botnets are used to commit.
In my written statement, I describe several other legislative proposals that address problems such as spyware and the sale of our financial information abroad.
We look forward to working with this committee to address all of these issues. In order to effectively protect the privacy and security of our citizens and businesses, our cybercrime laws must continue to evolve to counter these cyber threats.