Obama administration seeking tougher penalties for cybercrimes like hacking

The Obama administration is seeking tougher sentences for people who are found guilty of hacking or other digital offenses, two officials said Wednesday.  

Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez said the maximum sentences for cyber crimes have failed to keep pace with the severity of the threats. 

Martinez said hackers are often members of sophisticated criminal networks.  

ADVERTISEMENT
"Secret Service investigations have shown that complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," Martinez said.

"Online criminals organize in networks, often with defined roles for participants, in order to manage and perpetuate ongoing criminal enterprises dedicated to stealing commercial data and selling it for profit," he said.

Baker and Martinez appeared before the Senate Judiciary Committee to discuss the portion of the White House's cybersecurity legislative proposal that calls for stiffer penalties for cyber crimes as part of an update to the Computer Fraud and Abuse Act (CFAA).

The administration argues the Racketeering Influenced and Corrupt Organizations Act should be updated to make CFAA offenses subject to its terms. That law is used to prosecute organized crime. 

Baker said hacking has increasingly become a tool of choice for crimes like identity theft, extortion and corporate espionage.

"As computer technology has evolved, it has become a key tool of organized crime," Baker said. "Many of these criminal organizations are similarly tied to traditional Asian and Eastern European organized crime organizations."

The administration's proposal also calls for a national data breach standard to replace the current patchwork of state laws. Sen. Al Franken (D-Minn.) expressed concern that the proposed 60-day window for companies to notify customers their data has been breached would be too long, but Baker said the administration is willing to work with Congress on the issue.

Sen. Richard Blumenthal (D-Conn.) shifted the conversation to the portion of the White House plan dealing with protecting critical private sector networks from outside attacks.

Baker said the White House plan does not include any criminal or civil provisions for forcing companies to comply with Department of Homeland Security cyber security standards.

"The idea was to create a lighter touch ... to build incentives into the system," Baker said.

Experts have warned that without some sort of enforcement mechanism companies will not take the necessary security precautions. Blumenthal echoed that stance, suggesting the administration "consider some kind of stick as well as a carrot."

Industry has argued that resources are the main limitation and argued for incentives such as liability protection for firms that experience attacks. 

But Baker expressed agreement with Blumenthal and said the current range of incentives built into the system, such as the loss of investor trust, stock market value and privileged corporate data has not been enough to convince companies to take adequate security measures.

—Updated at 2:19 p.m.