Would increasing CFAA penalties via the CISA Amendment really even help? I don’t think so.

As the Cybersecurity Information Sharing Act (CISA) is making its way through the Senate, it has stirred up more controversy with Senator Sheldon Whitehouse’s proposed amendment to the Computer Fraud and Abuse Act (CFAA) that, he argues, would give law enforcement more tools to fight hackers. The Amendment would provide for increased sentences (up to 20 years) for those who harm computers connected to “critical infrastructure.”

The substantial anti-CFAA contingent, obviously, does not like this proposal, nor would anyone really expect that they would. I am not part of that club; nonetheless, I do find myself aligned with them in agreement that this is not the right approach.

Earlier this year in his State of the Union Address, President Obama proposed amending the CFAA, and one of his key proposals was also to increase penalties. This was not what was needed then and it is not what is needed now.

I explained my reasoning in “Will Changes to the CFAA Deter Hackers?”, which was published by Norse. In this post, I offer three explanations for why I believe that stiffer penalties are not the answer:

  1. The Authorities Do Not Have The Resources to Pursue Most of These Cases
  2. Without Attribution, There is No CFAA Case
  3. Without Getting the Cybercriminal Before a US Court, There is No CFAA Case

Read the article and give this some thought for yourself. While I am generally supportive of the CFAA, I see no need to alter it — or any other law — if doing so will not accomplish the stated objective — especially when it means increasing penalties. In this case, that is how I see it. I just do not believe that increasing the penalties under the CFAA is the answer. What do you think?
