Thursday, May 26, 2016

S 2931 Introduced – Cyber Crime

Earlier this month Sen. Graham (R,SC) introduced S 2923, the Botnet Prevention Act of 2016. The bill would make amendments to two sections of the criminal code (18 USC) dealing with botnets and add another section addressing attacks against critical infrastructure computers.


Section 2 of the bill amends 18 USC 1345 dealing with the administration of injunctions against acts of fraud. It would change the title of §1345 to ‘Injunctions against fraud and abuse’. It would add a new sub-paragraph to that section that would allow the Attorney General to commence a civil action in any Federal court to enjoin a violation of 18 USC 1030(a)(5) instead of just the bank fraud or healthcare fraud covered in the current section.

Section 4 of the bill amends 18 USC 1030 dealing with computer fraud. It adds a new sub-paragraph that adds trafficking in access to computers to the list of computer fraud offenses covered in this section.

Critical Infrastructure Computers

Section 3 of the bill would add §1030A to 18 USC. It would make it a felony to “to knowingly cause or attempt to cause damage to a critical infrastructure computer, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment” {new §1030A(a)} of the operation of a critical infrastructure computer or the associated critical infrastructure.

The bill would punish violations of the new §1030A by up to 20 years in prison and would prohibit judges from making prison sentences under this section run concurrently “with any term of imprisonment imposed on the person under any other provision of law” {new §1030A(c)(2)}.

Moving Forward

Graham is a senior member of the Senate Judiciary Committee and his two Democrat co-sponsors are also members of that Committee. It is very likely that between the three of them that they could get the Committee to consider this bill.

The wording of this bill is almost identical with the wording of an amendment (SA 2713) that Sen. Whitehouse (D,RI) proposed during the consideration of S 754, but it was never brought up for a vote during those proceedings. Getting Graham to sponsor this bill makes it much more likely that the bill will be considered.


The critical infrastructure provisions of the bill look, at first glance, like they should apply to industrial control systems at critical infrastructure facilities. Unfortunately, the definitions used in the proposed language means that control systems are specifically not covered. The new §1030A specifically uses the definitions of ‘computer’ and ‘damage’ that come from §1030. Those definitions are:

The term ‘computer’ “means an electronic, magnetic, optical, electrochemical, or other high speed data processing device [emphasis added] performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” {§1030(e)(1)}.

The term ‘damage’ “means any impairment to the integrity or availability of data, a program, a system, or information” {§1030(e)(8)}.

In addition, the felony activity under §1030A is only covered if it is only felonious when conducted “during and in relation to a felony violation of section 1030” {new §1030A(a)}. In essence, what this bill does is to make an otherwise covered violation of 1030 a more heinous act when it is conducted against a covered IT computer at a critical infrastructure facility. An attack against an industrial control system (even at a major power distribution facility) would not be covered unless it also affected billing or record keeping computers at the facility.

To make this effective in prosecuting attacks on control systems at critical infrastructure facilities an amendment would have to be made to §1030. First there would have to be a paragraph added that would make it a crime to attack a control system. For example add:

§1030(a)(8) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to an industrial control system.

Additionally, we would have to add a definition of ‘an industrial control system’. To write that most broadly we would add:

§1030(e)(13) the term “industrial control system” means any network of computers, communications devices or networks, sensors, or actuators that is designed to detect and effect operations of physical devices. The term includes systems that are used to control the operation of manufacturing facilities, energy production and distribution facilities, building controls, vehicles, and medical devices.

Then the new §1030A(a) would have to be amended to read:

(a) OFFENSE.—It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer or industrial control system, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment—

(1) of the operation of the critical infrastructure computer or industrial control system; or

(2) of the critical infrastructure associated with such computer or industrial control system.

And finally the new §1030A(d)(1) would have to be amended to read:

(d) DEFINITIONS.—In this section—

(1) the terms ‘computer’, ‘damage’ and ‘industrial control system’ have the meanings given the terms in section 1030; and

I think that these changes (or something similar, I am not particularly attached to my words) would make the legislation achieve its intended action of making cyber-attacks on critical infrastructure a felony under federal law. And that is certainly needed before such an attack actually takes place on US soil.

No comments:

/* Use this with templates/template-twocol.html */