US Plans Stricter Laws For Government Network Hacks

US lawmakers are revisiting a cyber-security proposal which would make hacking government Websites a felony

Recent high-profile attacks, including attacks on the CIA, the International Monetary Fund, a public network for the United States Senate and defence contractors, may be spurring the US government into pushing cyber-security legislation through Congress.

While the UK government and the EU push border protection, the Obama administration is considering making the act of hacking government networks a felony. The maximum prison sentence for those convicted of breaking into government computers and potentially endangering the country’s national security would become 20 years.

Actions Demand More Than Words

The White House made the request in its cyber-security proposal in May but recent attacks on government Websites have refocused attention on that part of the proposal, Reuters reported June 20.

Talks on changes to the cyber-security bill have been ongoing for more than a year. Congress introduced some bills in June 2010, and the White House recently provided its feedback on what it would like to see in a cyber-security law.

The “emphasis on cyber-security by the Administration and Congress is commendable,” but progress has been practically non-existent, as the country has not really moved forward towards enacting a comprehensive cyber-security law, said Major General John Casciano, an adviser on government security issues to security software producer RedSeal Systems. “We are not further along solving the problem than we were 20 or 25 years ago,” Casciano said.

The United States is not the only country looking to impose criminal penalties for cyber-acts. The Japanese parliament passed a series of laws on June 17 that made the act of writing or deliberately distributing malware illegal, subject to a fine of approximately $6,000 and up to three years in prison. Up until recently, authors could be prosecuted only if their malware actually caused damage.

It is no easy task to track down skilled hackers as they are intent on keeping their anonymity, Carole Theriault, a senior security consultant at Sophos, wrote on the Naked Security blog. They could be based anywhere on the globe and use multiple compromised machines to mask their true location and identity.

Theriault questioned the necessity of the government spending “huge amounts of resources” to locate and identify hacktivists such as LulzSec, who brought down the CIA Website for fun, or “lulz”. No matter how disruptive a denial of service attack can be on a site, it is not necessarily on the same level of seriousness as someone “intent on threatening national security by stealing highly sensitive information,” Theriault said.

There is a “big difference” between criminals after confidential information and those who are trying to show off, are bored, or looking for praise from their peers, Theriault said. And those cyber-pranksters are not likely to be deterred by an increase of criminal penalties, she said.

“Consider the current hacking mayhem as a wake up call,” Theriault said, recommending that organisations be proactive about protecting their own networks and Websites. LulzSec has demonstrated how weak Websites belonging to most organisations are, despite all the posturing about being security-conscious.

The proposed penalties are also more relevant as cyber-prankster LulzSec and hacktivist collective Anonymous have announced their joint “Operation Anti-Security” venture, in which they will attack government Websites and big corporations. LulzSec claimed it will go after confidential documents in a move reminiscent of WikiLeaks.