Application security, Breach, Compliance Management, Threat Management, Data Security, Incident Response, Malware, Phishing, Privacy, TDR

Cybercrime bill passes U.S. Senate

A bipartisan bill that would impose harsher restrictions on cyberattacks and permit identity theft victims to seek financial restitution in federal court is on its way to the U.S. House of Representatives after speedily passing through the Senate Thursday night in a unanimous vote.


The Identity Theft Enforcement and Restitution Act of 2007, which was combined earlier this month with portions of the Cyber Crime Act of 2007, received cross-party blessing and is expected to be introduced in the House after members return from the Thanksgiving break, Tim Bennett, president of the Cyber Security Industry Alliance, told today.


“This is a political winner for all parties,” he said. “I'm confident the House will find this bill equally compelling, that this is good public policy.”


This bill allows ID theft victims to recoup costs associated with the loss of time and money spent restoring their credit standing, according to a statement by Sen. Patrick Leahy, D-Vt., who co-sponsored the bill with Sen. Arlen Specter, R-Pa.


The law also lowers the bar for what is prosecutable as a felony. The bill eliminates the requirement that sensitive information must have been stolen through a computer through interstate or foreign communications, meaning criminals can be more easily prosecuted if they hack a computer in the same state.


The bill also would make it a felony to use spyware or keyloggers to damage 10 or more computers, regardless of the amount of destruction caused. It would eliminate a requirement that attacks resulting in less than $5,000 worth of damage are classified as misdemeanors. This component of the legislation would speak to the growing problem of bots, or zombie computers, that are remotely controlled to send spam and deliver malware.


Under the law, the definition of cybercrime also would be expanded to include cyberextortion cases, where malware is removed or DDoS attacks halted in return for a ransom.


Bennett said the legislation is three years in the making and, if passed, could spur on other IT security-related legislation, such as a federal breach notification bill.


“It strengthens the law enforcement fabric with respect to cybercrime,” he said.


Larry Clinton, president of the nonprofit Internet Security Alliance, said he applauds the bill's passage, but noted that tougher laws are only one deterrent to cybercrime.


“We're all for strengthening the law and enforcement, but the real answer is an overall new approach to hardening information security systems,” he told today. “This is a 21st century issue and, so far, we are pursuing it with 18th century models.”


Clinton said the government needs to encourage system owners and operators to implement better safeguards, with programs such as tax and insurance incentives.


If approved, the Leahy-Specter bill would be the first cybercrime legislation to emerge from Congress in years, Bennett said. Many similar bills have stalled or failed in the past because of a lack of broad awareness on the need for cybersecurity, lack of support from a number of committees, or because lawmakers were consumed with other matters.


Senate committees on commerce, banking and judiciary all have hands in this bill, he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.