Last month legislation known as Aaron's Law was introduced
separately in both the House and Senate. The House bill, HR 1918,
was introduced by Rep. Lofgren (D,CA) and the Senate bill, S 1030,
was introduced by Sen. Wyden (D,OR). The two bills attempt to clarify the
meaning of 'access without authorization' as used in 18
USC 1030, Fraud and related activity in connection with computers.
Identical bills were introduced in the 113th
Congress (HR 2454 and S 1196). I described the provisions of those bills in a blog
post about HR 2454, so I won't repeat that process here. Neither of those
bills saw any activity in the 113th Congress, though similar
provisions made their way into other 'comprehensive' cybersecurity legislation
in the Senate. None of those bills made it to the floor of the Senate either.
Unintended Consequences
(This is one section of that earlier blog post that I will
include here because of its potential implications for industrial control
systems.)
As I mentioned earlier, this bill is intended to lower the
consequences of hacking that is done purely for reasons of social or political
activism, such as defacing a web site. Unfortunately, it appears that there may
be some unintended consequences to the proposed changes.
Currently, the only language in 18
USC 1030 that can be used to define as criminal an attack on an industrial
control system is found in two subparagraphs of §1030(a)(5). They are:
"(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
"(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss."
The current language of §1030 does not define 'accesses
without authorization', so there is a certain amount of leeway that the courts
have in interpreting that term. The definition provided in this bill, however,
specifically requires that the access must be made "to obtain information on a
protected computer" {§1030(e)(6)(A)}. Thus it appears that changing the
programming of an ICS device, which obtains no information but alters the
process the device controls, would no longer be a federal offense
under §1030, even if the attack resulted in 'damage or loss', intended or
otherwise.
Moving Forward
Since neither Lofgren nor Wyden is a member of their
respective Judiciary Committees, it is unlikely that either of these bills will
be considered in the 114th Congress. I would not be surprised,
however, to see similar provisions being added to other cybersecurity
legislation further down the road.