Showing posts with label HR 1918. Show all posts

Sunday, May 3, 2015

Aaron’s Law Introduced in House and Senate

Last month legislation known as Aaron’s Law was introduced separately in both the House and Senate. The House bill, HR 1918, was introduced by Rep. Lofgren (D,CA) and the Senate bill, S 1030, was introduced by Sen. Wyden (D,OR). The two bills attempt to clarify the meaning of ‘access without authorization’ as used in 18 USC 1030, Fraud and related activity in connection with computers.

Identical bills were introduced in the 113th Congress (HR 2454 and S 1196). I described the provisions of those bills in a blog post about HR 2454, so I won’t repeat that process here. Neither of those bills saw any activity in the 113th Congress, though similar provisions made their way into other ‘comprehensive’ cybersecurity legislation in the Senate. None of those bills made it to the floor of the Senate either.

Unintended Consequences

(This is one section of that earlier blog post that I will include here because of its potential implications for industrial control systems.)

As I mentioned earlier, this bill is intended to lower the consequences of hacking that is done purely for reasons of social or political activism such as defacing a web site. Unfortunately it appears that there may be some unintended consequences to the proposed changes.

Currently, the only language in 18 USC 1030 that can be used to define as criminal an attack on an industrial control system is found in two subparagraphs of §1030(a)(5). They are:

“(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

“(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.”

The current language of §1030 does not define ‘accesses without authorization’ so there is a certain amount of leeway that the courts have in interpreting that term. The definition provided in this bill, however, specifically requires that the access must be made “to obtain information on a protected computer” {§1030(e)(6)(A)}. Thus it appears that changing the programming of an ICS system or device would no longer be a federal offense under §1030, even if the attack resulted in ‘damage or loss’ intended or otherwise.

Moving Forward


Since neither Lofgren nor Wyden is a member of their respective Judiciary Committees, it is unlikely that either of these bills will be considered in the 114th Congress. I would not be surprised, however, to see similar provisions being added to other cybersecurity legislation further down the road.

Wednesday, April 22, 2015

Bills Introduced – 04-21-15

Yesterday there were 59 bills introduced in the House and Senate. It was a big day for cybersecurity legislation with four bills introduced:

HR 1918 To amend title 18, United States Code, to provide for clarification as to the meaning of access without authorization, and for other purposes. Rep. Lofgren, Zoe [D-CA-19]

S 1023 A bill to amend the Internal Revenue Code to provide a refundable credit for costs associated with Information Sharing and Analysis Organizations. Sen. Moran, Jerry [R-KS]

S 1027 A bill to require notification of information security breaches and to enhance penalties for cyber criminals, and for other purposes. Sen. Kirk, Mark Steven [R-IL]

S 1030 A bill to amend title 18, United States Code, to provide for clarification as to the meaning of access without authorization, and for other purposes. Sen. Wyden, Ron [D-OR]

HR 1918 and S 1030 are the latest iterations of Aaron’s Law in memory of Aaron Swartz. They would decriminalize some grey area hacking.

S 1023 would probably have some fairly limited application, but it should encourage cybersecurity information sharing every bit as much as current legislation specifically targeting that sharing. This is likely the last mention of this bill in this blog.


S 1027 is another breach notification bill that probably only affects IT system breaches. Unless there is specific mention of control systems in this bill this is the last time that I will mention this bill.
 