Earlier this month Sen. Graham (R,SC) introduced S 2923, the Botnet Prevention
Act of 2016. The bill would make amendments to two sections of the criminal
code (18 USC) dealing with botnets and add another section addressing attacks
against critical infrastructure computers.
Botnets
Section 2 of the bill amends 18 USC 1345 dealing with the administration of
injunctions against acts of fraud. It would change the title of §1345
to ‘Injunctions against fraud and abuse’. It would add a new sub-paragraph to
that section that would allow the Attorney General to commence a civil action in
any Federal court to enjoin a violation of 18 USC 1030(a)(5) instead of just
the bank fraud or healthcare fraud covered in the current section.
Section 4 of the bill amends 18 USC 1030 dealing with computer fraud. It adds
a new sub-paragraph that adds trafficking in access to computers to the list
of computer fraud offenses covered in this section.
Critical Infrastructure Computers
Section 3 of the bill would add §1030A to 18 USC. It would make it a felony “to
knowingly cause or attempt to cause damage to a critical infrastructure
computer, if such damage results in (or, in the case of an attempted offense,
would, if completed, have resulted in) the substantial impairment” {new §1030A(a)} of the
operation of a critical infrastructure computer or the associated critical
infrastructure.
The bill would punish violations of the new §1030A by up to 20 years
in prison and would prohibit judges from making prison sentences under this
section run concurrently “with any term of imprisonment imposed on the person
under any other provision of law” {new §1030A(c)(2)}.
Moving Forward
Graham is a senior member of the Senate Judiciary Committee
and his two Democrat co-sponsors are also members of that Committee. It is very
likely that between the three of them they could get the Committee to
consider this bill.
The wording of this bill is almost identical with the wording of an amendment
(SA 2713) that Sen. Whitehouse (D,RI) proposed during the consideration of
S 754, but it was never brought up for a vote during those proceedings.
Getting Graham to sponsor this bill makes it much more likely that the bill
will be considered.
Commentary
The critical infrastructure provisions of the bill look, at
first glance, like they should apply to industrial control systems at critical
infrastructure facilities. Unfortunately, the definitions used in the proposed
language mean that control systems are specifically not covered. The new §1030A specifically uses
the definitions of ‘computer’ and ‘damage’ that come from §1030. Those definitions
are:
The term ‘computer’ “means an
electronic, magnetic, optical, electrochemical, or other high speed data processing device
[emphasis added] performing logical, arithmetic, or storage functions, and
includes any data storage facility or communications facility directly related
to or operating in conjunction with such device” {§1030(e)(1)}.
The term ‘damage’ “means any impairment
to the integrity or availability of data, a program, a system, or information” {§1030(e)(8)}.
In addition, the activity covered under §1030A is only felonious when
conducted “during and in relation to a felony
violation of section 1030” {new §1030A(a)}.
In essence, what this bill does is to make an otherwise covered violation of
1030 a more heinous act when it is conducted against a covered IT computer at a
critical infrastructure facility. An attack against an industrial control
system (even at a major power distribution facility) would not be covered
unless it also affected billing or record keeping computers at the facility.
To make this effective in prosecuting attacks on control
systems at critical infrastructure facilities an amendment would have to be
made to §1030.
First there would have to be a paragraph added that would make it a crime to
attack a control system. For example add:
§1030(a)(8) knowingly causes the transmission of a
program, information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to an industrial control
system.
Additionally, we would have to add a definition of ‘an
industrial control system’. To write that most broadly we would add:
§1030(e)(13) the term “industrial control system”
means any network of computers, communications devices or networks, sensors, or
actuators that is designed to detect and effect operations of physical devices.
The term includes systems that are used to control the operation of manufacturing
facilities, energy production and distribution facilities, building controls, vehicles,
and medical devices.
Then the new §1030A(a)
would have to be amended to read:
(a) OFFENSE.—It shall be unlawful,
during and in relation to a felony violation of section 1030, to knowingly cause
or attempt to cause damage to a critical infrastructure computer or
industrial control system, if such damage results in (or, in the case of
an attempted offense, would, if completed, have resulted in) the substantial
impairment—
(1) of the operation of the
critical infrastructure computer or industrial control system; or
(2) of the critical infrastructure
associated with such computer or industrial control system.
And finally the new §1030A(d)(1) would have to be amended to read:
(d) DEFINITIONS.—In this section—
(1) the terms ‘computer’, ‘damage’ and ‘industrial control system’
have the meanings given the terms in section 1030; and
I think that these changes (or something similar, I am not
particularly attached to my words) would make the legislation achieve its
intended action of making cyber-attacks on critical infrastructure a felony
under federal law. And that is certainly needed before such an attack actually
takes place on US soil.