Combatting Cyber Attacks: Will Congress Adopt Obama’s Plans?
America is dealing with a hacking crisis. It seems that every other day we are bombarded with the latest hacking stories from both the private and public sectors. We are told to be cautious with all of our online activity and to remember all uploaded material remains in cyberspace forever. Almost all of us personally know someone who has dealt with identity theft and all the hassles that ensue. Some of the biggest companies in the world with the means to access the most anti-hacking software available aren’t immune to the problem. Even the national government recently made headlines concerning Chinese cyber attacks. So what can be done? In his 2015 State of the Union, President Obama addressed cybercrime. The Obama administration proposed new legislation and amendments to the Computer Fraud and Abuse Act. Will these proposals better protect Americans from hackers?
Case Study: Ashley Madison
Just last week, a new team of hackers was at it again. People are already discreet about dating websites and apps. A level of anonymity is essential for a high volume of users. This is even truer when a dating website revolves around married men and women cheating. Ashley Madison’s slogan is “Life is short. Have an affair.” Some may chalk it up to karma, but the invasion of privacy for these members is real.
The hackers call themselves “The Impact Team.” According to Brian Krebs, the blogger who initially reported the hack, they threatened to release stolen information unless the website shut down entirely. Apparently, the team gathered users’ nude photos, sexual fantasies, names, and credit card information. It also claims to have addresses from credit card transactions.
Members of the website can post basic information and use limited features without charge. The company rakes in money when members exchange messages, photographs, and gifts. The website even offers a feature to “collect gifts” for women to send and men to pay for later. The website also has a $19 deactivation fee. This happens to be one of the major qualms of the hacker team, who claim that information is never truly deleted from the website. The hackers’ manifesto published by Krebs stated, “Full Delete netted $1.7 million in revenue in 2014. It’s also a complete lie…Users almost always pay with credit card; their purchase details are not removed as promised, and include real names and address, which is of course the most important information the users want removed.”
Ashley Madison boasts over 37 million members, making it the second largest dating website in the world, second to Match.com. Ashley Madison’s parent company, Avid Life Media, values itself at $1 billion and was looking to go public on the London market this year. Ashley Madison has done away with the deactivation fee, but has yet to comment on whether or not it will shut down.
Although the majority of people aren’t online dating in order to have an affair, the hack embodies everything scary about online interactions. Personal information and discreet activities on websites or social media applications can be made public in the blink of an eye. Just this past March, 3.5 million AdultFriendFinder users were hacked. The hackers exposed email addresses, usernames and passwords, birthdays, zip codes, and sexual preferences. Overall, the trend doesn’t look good.
Verizon Data Breach Investigations Report
Verizon conducts an annual Data Breach Investigations Report (DBIR). The latest report shows that 96 percent of online security incidents fall into nine patterns: “miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; denial-of-service attacks; cyberespionage; point-of-sale intrusions; and payment card skimmers.” The 2015 report investigates more than 2,100 data breaches and roughly 80,000 reported security incidents. Over 70 organizations around the world help contribute to the report.
The 2015 DBIR reports a $400 million loss from approximately 700 million compromised records in 61 countries. The report shows that in 70 percent of the cases where the hacker’s motivation is known, there is a secondary victim. This is exemplified in the Ashley Madison case. Although the hackers are targeting the owners of the company, the users are violated as well. And in 60 percent of cases, hackers are able to infiltrate a company in a matter of minutes. The time of discovery falls significantly below that level.
The method of tricking people into divulging their information, like credit card numbers, is still around but is a much less effective method. Now, phishing campaigns are a primary source of attacks. A hacker usually phishes by sending an email with malware, usually included as an attachment. Today 23 percent of recipients open these types of email and 11 percent open the attachments. For over two years, more than two-thirds of cyber-espionage included phishing.
In more uplifting news, malware on cellphones doesn’t even account for 1 percent of the problem. Mobile devices are not the preferred medium for data breaches. Only about 0.03 percent of cell phones contained malicious materials.
U.S. Companies Hacked
According to a study conducted by the Ponemon Institute, the financial loss by cybercrime doubled from 2013 to 2014. Retailers lost approximately $8.6 billion in 2014 due to cyber crime. Furthermore, successful cyber attacks resulted in a $20.8 million loss in financial services, $14.5 million loss in the technology sector, and $12.7 million loss in the communications industries.
Last year was plagued by cyber attacks. In January, Target announced 70 million customers had contact information compromised, while 40 million customers had credit and debit card information compromised. In the same month, Neiman Marcus announced that 350,000 customers had credit card information stolen, resulting in fraudulent charges on 9,000 customers’ credit cards. In April, an AT&T worker hacked the system for two weeks and accessed personal information including social security numbers. In May, eBay asked all its customers to switch their passwords after a cyber attack accessed over 233 million eBay customers’ personal information. In August, over 60 UPS stores around the country were hacked, compromising financial data. The list continues…
The Computer Fraud and Abuse Act
In order to combat these cyber attacks, Congress passed the 1986 Computer Fraud and Abuse Act (CFAA). The act made accessing a protected computer a federal crime. Although it was initially established to protect government organizations and a few financial institutions, over the course of time, it eventually broadened. It was first amended in 1994 to allow private citizens to file civil suits against cyber attacks that resulted in loss or damages. It was again broadened in 1996 to encompass any computer used in interstate commerce. After 9/11, the Patriot Act amended the CFAA to permit the search and seizure of records from any Internet Service Provider (ISP). Later in 2008, the CFAA was again amended to allow companies to file suits when the loss and/or damages did not surpass $5,000.
The CFAA has been subject to its fair share of criticism. Many believe the act to be too broad in scope. Opponents argue that computer policies are often “vague, confusing and arbitrary,” and breaking these policies shouldn’t be a federal violation. Institutions like the Center for Democracy & Technology, Americans for Tax Reform, the Competitive Enterprise Institute, and the American Civil Liberties Union have all advocated against the CFAA.
The Ninth Circuit Court of Appeals agreed. In a 2012 case, United States vs. Nosal, the court ruled that “a person who violates an employer’s computer use policy is not criminally liable for federal penalties under the Act.” The court argued that the law was not enacted to federally punish smaller crimes. However, a strong dissent left the issue controversial, if not unresolved. The definition of “exceeds authorized access” left ample room for a Supreme Court review. The crime only becomes a felony if it is executed for profit, the gained information is worth over $5,000, and/or the act is committed to further a state or federal crime.
The White House’s New Proposals
The Cyber Security Legislative Proposals aim to enhance cybersecurity information sharing between the private sector and government, modernize law enforcement authorities to combat cyber crime with the appropriate tools and training, and streamline national data breach reporting requirements. Last December President Obama announced,
“In this interconnected, digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector. Now, our first order of business is making sure that we do everything to harden sites and prevent those kinds of attacks from taking place…But even as we get better, the hackers are going to get better, too. Some of them are going to be state actors; some of them are going to be non-state actors. All of them are going to be sophisticated and many of them can do some damage.”
A main target of the proposal is a number of amendments to the already-controversial CFAA. First, the proposal would increase the penalty for “circumventing technical access barriers,” i.e. hacking into a computer by sidestepping security or guessing another’s password. Violators under the current law risk anything from a misdemeanor to a three-year felony. The proposal would have punishment start as a three-year felony, with a ten-year felony as the maximum.
Second, for contract-based crimes, the proposal would officially end the aforementioned circuit split. It states that breaking written policies would be a federal crime and officially defines “exceeds authorized access.” A person would exceed authorized access if he or she accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” Technically, this would include using a work computer for personal activities like Facebook; however, the government would limit criminal liability by requiring the violation fall under one of three conditions: the breach happened on a government computer, the breach results in over $5,000 worth of information, or “if the user violated the written condition in furtherance of a state or federal felony crime.” These changes, along with a variety of others, make up the administration’s proposal.
Whether these proposals will pass through Congress remains to be seen. Broadening the scope of hacking to allow more crimes to fall under federal jurisdiction has traditionally lacked support from the body. The proposals are controversial, with a lot of personal information and accessibility at stake. It will be interesting to see the reaction from the public if these proposals are enacted. Cyber crime is an ongoing problem that affects all citizens, regardless of demographics, and only seems to be exploding. If this isn’t the answer, then what is?