Sunday, May 3, 2015

Aaron’s Law Introduced in House and Senate

Last month legislation known as Aaron’s Law was introduced separately in both the House and Senate. The House bill, HR 1918, was introduced by Rep. Lofgren (D,CA) and the Senate bill, S 1030, was introduced by Sen. Wyden (D,OR). The two bills attempt to clarify the meaning of ‘access without authorization’ as used in 18 USC 1030, Fraud and related activity in connection with computers.

Identical bills were introduced in the 113th Congress (HR 2454 and S 1196). I described the provisions of those bills in a blog post about HR 2454, so I won’t repeat that process here. Neither of those bills saw any activity in the 113th Congress, though similar provisions made their way into other ‘comprehensive’ cybersecurity legislation in the Senate. None of those bills made it to the floor of the Senate either.

Unintended Consequences

(This is one section of that earlier blog post that I will include here because of its potential implications for industrial control systems.)

As I mentioned earlier, this bill is intended to lower the consequences of hacking that is done purely for reasons of social or political activism such as defacing a web site. Unfortunately it appears that there may be some unintended consequences to the proposed changes.

Currently, the only language in 18 USC 1030 that can be used to define as criminal an attack on an industrial control system is found in two subparagraphs of §1030(a)(5). They are:

“(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

“(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.”

The current language of §1030 does not define ‘accesses without authorization’, so there is a certain amount of leeway that the courts have in interpreting that term. The definition provided in this bill, however, specifically requires that the access must be made “to obtain information on a protected computer” {§1030(e)(6)(A)}. Thus it appears that changing the programming of an ICS system or device would no longer be a federal offense under §1030, even if the attack resulted in ‘damage or loss’, intended or otherwise.

Moving Forward

Since neither Lofgren nor Wyden is a member of their respective Judiciary Committees, it is unlikely that either of these bills will be considered in the 114th Congress. I would not be surprised, however, to see similar provisions being added to other cybersecurity legislation further down the road.
