Catch and release: Computer law
Catch and release: Computer law
In November, as Central Intelligence Agency Director John Brennan prepared his remarks for the Global Security Forum, he knew he would revise the speech that he had practiced days earlier.

The event, organized by the Center for Strategic and International Studies, a Washington, D.C.-based think tank, would be attended by academics, security professionals and policymakers. It was just three days after the Paris terror attacks that left more than 130 dead.

Toward the end of his presentation, he bluntly told the audience, “Congress over the past few years has tried, so far without success, to pass laws addressing the need for comprehensive cyber policy, especially on information sharing. The fact is, 20th century laws cannot effectively deal with 21st century threats.”

Brennan's comments point to an interesting question, and certainly one that applies not only to information sharing, as he implied, but to many broader aspects of cybersecurity policy. Is it even possible for legislative developments to keep up with the rate of innovation among hackers?

It is worth asking? Even if legislators passed all of the laws being proposed to stymie cyberthreats from hackers and criminal groups, would hackers simply innovate around the new legislation and continue undeterred?

When discussing ineffective and outdated legislation, the starting point is the Computer Fraud and Abuse Act (CFAA). For the past 20 years, the CFAA has been the primary legislation used to prosecute hacking and related offenses. The federal legislation was enacted in 1986 as an amendment to an earlier computer fraud law that was part of the Comprehensive Crime Control Act of 1984 – before commercial email was available for the general public and prior to the advent of text messaging and downloadable applications.

While the original intent of 18 U.S.C. 1030, the federal law from which CFAA emerged, was to include cases “with a compelling federal interest,” its scope has progressively broadened to include nearly any crime that involves a computer, even as penalties and statutes that define punishments according to monetary damages remain fixed.

The minimum threshold that relegates a CFAA-related offense as a felony has not increased from its original value of $5,000 in damages, says Tor Ekeland, a New York-based defense attorney whose practice represents defendants in high profile computer law cases in federal courts.

Critics say the CFAA's overly broad scope, a legislative culture of fear, plus a poor understanding of the cyber issues among legislators, has led to an overreaching legal environment. Prosecutors target nearly any computer crime under the federal legislation, with outsized punishments including 25-year sentences for felonies.

“If they had been prosecuting computer crimes in the 70s the way they are now, Steve Jobs and Bill Gates would be in jail,” says Ekeland.

“There are routine aspects of system administrators' jobs that are felonies,” he says, adding that he believes legislation and judges deciding cyber cases need to get more input from all sides of the debate. This would include researchers, security professionals and activists – not only those who are inclined by their professional allegiances to advocate for a defensive posture.