As I mentioned last week, Rep. Lofgren (D,CA) introduced HR 2454, Aaron’s Law Act of 2013. This bill was introduced in response to the suicide of Aaron Swartz, a noted activist/hacker, who apparently killed himself because of aggressive prosecution by federal authorities for hacking. The bill would revise the language of 18 USC 1030 to effectively change the definition of hacking from ‘exceeds authorized access’ to ‘access without authorization’.
Access Without Authorization
Section 2 of the bill replaces §1030(e)(6), removing the definition of ‘exceeds authorized access’ and adding the definition of ‘access without authorization’. The new term requires three components:
• The access must be made to “obtain information on a protected computer” {§1030(e)(6)(A)};
• The “accesser lacks authorization to obtain” {§1030(e)(6)(B)} access; and
• The access was gained by “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information” {§1030(e)(6)(C)}.
The definition of the original term included language that encompassed either obtaining or altering information. The altering of information is not included in the definition of the new term.
Removes Fraud as an Offense
Section 3 of the bill removes §1030(a)(4). That paragraph made it an offense to “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value”. There is no substitute fraud wording included in the bill.
Punishment
Section 4 of the bill modifies the language of §1030(c)(2). That paragraph sets forth the punishments authorized for violations of the provisions of the section.
Similar wording changes are made in two separate sub-paragraphs {§1030(c)(2)(A) and §1030(c)(2)(C)} in that the bill changes the wording from “after a conviction for another offense” to “after a subsequent offense”. Since an offense cannot occur after a subsequent offense (by definition a ‘subsequent offense’ must occur after the other offense), this wording will have to be modified.
The bill introduces the term “fair market value” in two subparagraphs {§1030(c)(2)(B)(i) and §1030(c)(2)(B)(iii)}. In the first it adds the requirement that the “fair market value of the information obtained exceeds $5,000” for cases where the offense was committed for commercial advantage or personal gain. The second replaces the term ‘value’ in requiring that the value of the information obtained exceeds $5,000.
Unintended Consequences
As I mentioned earlier, this bill is intended to lower the consequences of hacking that is done purely for reasons of social or political activism, such as defacing a web site. Unfortunately, it appears that there may be some unintended consequences to the proposed changes.
Currently, the only language in 18 USC 1030 that can be used to define as criminal an attack on an industrial control system is found in two subparagraphs of §1030(a)(5). They are:
“(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
“(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.”
The current language of §1030 does not define ‘accesses without authorization’, so there is a certain amount of leeway that the courts have in interpreting that term. The definition provided in this bill, however, specifically requires that the access must be made “to obtain information on a protected computer” {§1030(e)(6)(A)}. Thus it appears that changing the programming of an ICS system or device would no longer be a federal offense under §1030, even if the attack resulted in ‘damage or loss’, intended or otherwise.
Moving Forward
I don’t see the House, in the current environment of concern about cybersecurity, taking up any legislation that has the appearance of reducing the seriousness of any kind of cybersecurity attack. The Senate version of this bill {S 1196, introduced by Sen. Wyden (D,OR)} may have an easier time getting considered, but I still don’t see it overcoming general cybersecurity concerns.
Including this in an authorization bill or an appropriations bill is not an option. This changes a criminal statute and thus cannot be included in spending bills according to both House and Senate rules. Including this (with some modifications) in a comprehensive cybersecurity bill would provide the best chance of passage, but no one is seriously pushing such a bill at this time.