Jail time is not the answer to cybercrime
="" href="http://www.house.gov/judiciary/hr2975terrorismbill.pdf" target="_blank">Patriot Act of 2001, a sweeping law which, among other things, said those who break into other peoples' computers could be considered terrorists, and prosecuted as such.
In the months since the act was signed, several lower-profile bills have been proposed in Congress--all of which are either overreaching in scope or simply flawed. One of these is H.R. 3482, the Cyber Security Enhancement Act of 2002 (CSEA).
THE CSEA dictates some pretty tough penalties for cybercriminals, largely as a result of proposals made by House Crime Subcommittee Chairman Lamar Smith of Texas. He believes the U.S. Sentencing Commission should take into account the sophistication of the attack when doling out punishments. Specifically, he would like to see some forms of computer intrusion be made punishable by life imprisonment.
Smith further proposes that Internet Service Providers (ISPs) freely share information obtained from their customers' e-mails with authorities. Currently ISPs cannot share such information without a warrant.
The Bush administration has supported Smith's ideas. Deputy Assistant Attorney General John G. Malcolm proposed additional language that would broaden the legislation to include computer intruders who act with reckless disregard for death or serious injury. Last week, the subcommittee unanimously approved these additions to H.R. 3482.
THE PROBLEM WITH this legislation is that it's often very difficult to determine who is responsible for any given cybercrime. Let's say someone hacks into the local power grid and, as a result, a hospital loses power to its critical patient care units. Who is responsible? Is it the hospital, which should have had a power backup? Is it the power utility, which should have maintained better computer security? Or is it the thrill-seeking 13-year-old, who probably had no idea what he or she was doing?
I'd say all of the above are negligent, yet the proposed legislation would punish only the "reckless disregard" of the 13-year-old. I'd say most computer intruders are curious, not malicious. On the other hand, I do not accept the defense of intruders who say they are doing good by finding weaknesses in large computer systems.
What do you think of the cybercrime legislation in Congress? Is it necessary or useless? How would you change it? Post your comments in the AnchorDesk TalkBack area.