The above-captioned hearing was held before the House Committee on the Judiciary, Subcommittee on Crime, Terrorism, Homeland Security, and Investigation on March 13, 2013.
Members in attendance included: Jim Sensenbrenner (R-WI, Chairman), Louie Gohmert (R-TX, Vice Chairman), Howard Coble (R-NC), Randy Forbes (R-VA), Trent Franks (R-AZ), Jason Chaffetz (R-UT), Trey Gowdy (R-SC), Bob Goodlatte (R-VA), Robert Scott (D-VA), Suzan Delbene (D-WA), Judy Chu (D-CA), Cedric Richmond (D-LA), and John Conyers (D-MI). Witnesses included Jenny Durkan (U.S. Attorney, W.D. Wash), John Boles (Deputy Ass't Director, FBI Cyber Division), Robert Holleyman (President and CEO, BSA, The Software Alliance), and Prof. Orin Kerr (George Washington University School of Law).
Entirety of the statements and witness testimony is located here.
Subcommittee Chairman Sensenbrenner: The U.S. has been the subject of the most sustained computer attacks the world has ever seen. Spying between governments has always been a problem, but in the computer age it is even harder to guard against. The Chinese have stolen trade secrets and proprietary information from U.S. businesses, such as in the case of the American Superconductor Corporation. The Obama Administration has increased pressure on Chinese cyber spying. The Chinese need to put a stop to these activities. We must do more when a country tries to advance its economy by stealing our intellectual property. The Congress has amended the Computer Fraud and Abuse Act "CFAA" eight times since its enactment. We need to combat international criminal enterprises. As the threats change, so must the CFAA. Today we will look at criminal laws and how we can better combat and deter the attacks we are enduring. We will discuss what steps the committee can take to help protect intellectual property.
Subcommittee Ranking Member Scott: We must examine the cyber threats we face as we increasingly rely on computers and the Internet. Congress must update its laws in changing circumstances—but we must be careful as to what it is we are looking to change. This committee has also focused on the issue of federalism: does criminal cyber activity affect all of us at the federal level? The criminals target computers and cyber networks and we must protect against cyber intrusions. The president’s executive order will increase the best practices to protect the government and businesses.
Full committee Chairman Goodlatte: The president yesterday acknowledged the hacking of personal data is a serious problem as many of his top officials, and even the first lady, were subjects of hacking attacks. Cyber intrusions are just the tip of the iceberg. Industrial secrets and intellectual property attacks compromise $4B. Earlier this year the administration gave a cybersecurity executive order. Congress can and must do more. The Judiciary Committee has a great challenge to create a legal structure that will deter such attacks.
Subcommittee Chairman Emeritus Conyers: I am reintroducing a bill from 2012: the Cyber Privacy Fortification Act. It will create a strong standard for data breach notification, which doesn’t exist now. It requires a data breach activity to be sent to individuals. Cyber-attacks have increased by 44% according to the NSA. Criminals perpetrate many of these attacks, intent on stealing our intellectual property, operating beyond our national boundaries. They compromise our critical infrastructure. I will look into the increasing connection between the government and private sector, but not at the privacy of individual citizens. The government must not be granted access to private communications.
Ms. Durkan: I see the full range of threats to our communities and our nation. Few things are as sobering as the daily cyber briefings I receive. The good guys are not the only innovators; we have seen growth in the number of bad actors exploiting technology. Criminal groups develop tools to disrupt computer systems. There is a desire to steal data, trade secrets, and intellectual property. The national security landscape has evolved dramatically over the last few years. Cyber threat actors pose a significant threat to our national security and economic interests. Criminal prosecution plays a critical role.
Mr. Boles: The number of cyber threats has increased dramatically in recent years and is expected to continue. We are losing data, money, innovation, and ideas to a wide range of attackers. We are strengthening our cyber capability much like we did our national security in the wake of 9/11. Attribution is no longer the standard for success in cyber-attacks. The question now becomes: what are we going to do about this? The perpetrators are often overseas. The next step without a question is private sector outreach. We are sharing information rapidly.
Mr. Holleyman: There are more than 400M strains of malicious computer code in the world today. Many are targeted at the U.S. The losses are mounting. The BSA has outlined three principles to address cyber-attacks. We must promote real-time information sharing. We must strengthen law-enforcement tools and resources. We must increase cybersecurity research and development. Technology innovation is the best tool to combat long-term cyber threats. We know we will never be completely risk-free.
Mr. Kerr: CFAA is the primary computer crime statute. The courts widely interpreted the CFAA, and I warned against the wide interpretation. The law should punish serious computer crimes; the law should not punish small crimes that individuals commit because they don’t know what they’re doing. A lot has changed in the last 18 months since that last hearing. This committee has two choices: do nothing and let the SCOTUS figure it out or Congress can act and clarify which interpretation of the act is correct. I think Congress needs to act. The statute is meant to criminalize the act of breaking into a computer. We aren’t worried about employees checking Facebook while on the job. We are looking at attacks on our critical infrastructure. Congress needs to adopt a narrow view.
Q & A
Rep. Franks: Given that some types of commercial criminal intrusion carry with it some concerns, and national security carries with it a different set of concerns, is there a difference in protection?
Mr. Boles: Crimes are essentially without borders. It’s often difficult to tell at the outset if it is criminal or an act against our critical infrastructure. Nation-state actors stealing trade secrets: is that criminal or national security? I’d say it’s both.
Rep. Franks: Is there a different set of criteria to deal with each or are they treated the same?
Mr. Boles: By having both sets of tools, we’ve sort of put both toolboxes together.
Rep. Scott: Will the administration have a recommendation on the split of interpretations of the CFAA?
Ms. Durkan: We need clarification regarding “authorized access” in the law. We do not have a specific legislative recommendation but are willing to work with your staff.
Rep. Scott: Anything else that needs additional clarification?
Ms. Durkan: The difference between felonies and misdemeanors needs to be addressed. The threat is evolving. We can’t create greater gaps in the law.
Rep. Scott: Will there be mandatory minimums in a recommendation?
Ms. Durkan: We will not recommend any minimum sentences in the CFAA.
Rep. Scott: Does the fact that these crimes are committed overseas create jurisdictional problems?
Ms. Durkan: International cooperation is key. We are trying to form the most robust system possible to take down all actors in criminal activity.
Rep. Conyers: Can any of you discuss how we can better identify, stop, and prosecute these attacks?
Ms. Durkan: We have a lot of home-grown cyber actors. We look forward to working with you and your staff in reviewing your legislation. We need to hold accountable the bad actors.
Mr. Holleyman: It will take a complement of many laws to do what you ask. The government and private sector can both do more.
Mr. Kerr: The substantive law, CFAA, covers the world. It covers every computer the government can regulate in the world under the constitution. The difficulty is always having a foreign government cooperating with us.
Rep. Gohmert: My understanding is that by 18 U.S.C. 1030 to “take control” for any instance of time is illegal. Is that correct?
Mr. Kerr: It depends what you mean by “take control” but if you shouldn’t normally be looking to use the computer then yes, it is illegal.
Rep. Gohmert: If we take over a hacker’s computer, which is illegal under the U.S.C. should we amend the code to allow for a sort of “self defense?” Is there a problem in amending the criminal code?
Mr. Kerr: There is a limited necessity defense. You have a certain amount of ability to stop a crime if you are attacked. The idea of the ability to counteract is a sound idea. There are a lot of questions associated with that. The difficulty is, in opening the door, keeping actions narrow.
Rep. Gohmert: Are you trying to protect the hacker with a narrow interpretation?
Mr. Kerr: No, the difficulty is just in trying to identify the hacker.
Rep. Richmond: How do we create a robust R&D system? Tax credits or something else?
Mr. Holleyman: We need to train more students to learn about these issues. We need the right cooperative agreements between the government and private sector. Government research needs to be properly funded.
Rep. Richmond: What is the level of interaction between the FBI, CIA, DOJ?
Mr. Holleyman: The nature of that is critical. We all have very good relationships. We need to share real-time threat information. We think Congress can supplement this.
Rep. Chu: I want to ask about intellectual and economic espionage. What is the overall cost to the corporations you represent?
Mr. Holleyman: The figure of $100M for Symantec is what they’re citing from their website. The information is made public.
Rep. Chu: What is the private sector doing to protect against these intrusions?
Mr. Holleyman: There is a major discussion with the Attorney General to build best practices and secure our companies. We are talking about faster and more effective ways to share information about the intrusions.
Rep. Chu: How frequently is a case involving IP prosecuted?
Ms. Durkan: We have specially trained prosecutors. We will always take more resources.
Mr. Boles: We currently have about 1,100 cases on-going in the FBI involving IP theft.
Rep. Sensenbrenner: What changed the administration’s mind about mandatory minimum sentences?
Ms. Durkan: We need to look at our priorities in addressing the statute. The threat is evolving. We are going to hold people accountable.
Rep. Sensenbrenner: Does the administration oppose mandatory minimums on principle?
Ms. Durkan: We support prosecuting these bad actors. We are always going to recommend the proper sanction. The judge needs to have the authority to impose a proper sanction.