S 2139 Introduced - International Cybercrime Prevention
Last month Sen Whitehouse (D,RI) introduced S 2139, the International Cybercrime Prevention Act. The bill would make several changes to 18 USC to provide additional legal tools to combat international cybercrime. It includes adding a new 18 USC 1030A, Aggravated Damage to a Critical Infrastructure Computer. A nearly identical bill (S 3288) was introduced by Sen Graham in the 115th Congress with no action taken.
Aggravated Damage to a Critical Infrastructure Computer
Section 5 of the bill adds a new §1030A to 18 USC, Aggravated damage to a critical infrastructure computer. The new section would add an additional crime for violations of 18 USC 1030 that cause or attempt to cause damage to a critical infrastructure computer where there is substantial impairment of:
The operation of the critical infrastructure computer, or
The critical infrastructure associated with such computer.
The new §1030A(c) adds a requirement for consecutive sentences and prohibits anyone convicted under §1030A from being placed on probation.
The definition of the term ‘computer’ is taken from §1030. The definition of the term ‘critical infrastructure’ is the typical expansive (and overly broad) used in homeland security fields except that it specifically adds “voter registration databases, voting machines, and other communications systems that manage the election process or report and display results on behalf of State and local governments.”
Other Provisions
Section 2(1) amends 18 USC 1956(c)(7)(D) adds §2512 (relating to the manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices) to the list of offenses considered to be a ‘specified unlawful activity’ as used in the description of the crime of money laundering under §1956(a)(1).
Section 2(2) amends the definition of ‘racketeering activity’ in 18 USC 1961(1) as that term is used in 18 USC Chapter 96, Racketeer Influenced And Corrupt Organizations, to include felonious activity under 18 USC 1030 in that definition.
Section 3 adds a new § 2513, Confiscation of wire, oral, or electronic communication intercepting devices and other property, to 18 USC. It would authorize both criminal and civil forfeiture for violations of §2511, Interception and disclosure of wire, oral, or electronic communications prohibited, and §2512, Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited.
Section 4 amends 18 USC 1345, adding §1030(a)(5) as one of the offenses for which the Attorney General is authorized to seek a court order to take control of ‘protected computers’ on which someone placed ‘malicious software’.
Section 6 amends §1030(a), adding a new offense in paragraph (8), intentionally traffics in the means of access to a protected computer where that access would be used to damage a protected computer or violate 18 USC 1037, Fraud and related activity in connection with electronic mail, or 18 USC 1343, Fraud by wire, radio, or television. The amendment also includes criminal or civil forfeiture provisions.
Moving Forward
Whitehouse is a subcommittee chair in the Senate Judiciary Committee to which this bill was assigned for consideration and his three cosponsors {Sen Graham (R,SC), Sen Tillis (R,NC), Sen Blumenthal (D,CT)} are also members of the Committee. This should mean that there is adequate influence to see this bill considered in Committee. It is hard to predict what sort of opposition this bill would draw. I would expect that this would draw some opposition from folks that oppose the current wording of §1030 as it expands rather than restricts the types of offenses under that section.
Graham introduced similar bills in the 115th, and 114th Congresses. Neither saw any action taken in the Judiciary Committee. It would be easy to assume that similar inaction would be expected in this Congress, but the leadership has changed and Whitehouse introducing the bill could mean a significant political change in the prospects for the bill. We will just have to wait and see.
Commentary
The title of this bill is very misleading. There is nothing here that would target international cyber crime and the only prevention activity is the prosecution of individuals used as a deterrent, a fairly ineffective prevention activity.
I did a fairly lengthy discussion of the potential impact on industrial control system attacks when I wrote about the 114th Congress (S 2931) version of this bill. That discussion is still applicable to this bill. There is one provision of the bill that I overlooked. The new §1030A(a) provides that:
(a) Offense.—It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment—
(1) of the operation of the critical infrastructure computer; or
(2) of the critical infrastructure associated with such computer.
If an attack used a ‘protected’ IT computer as a route into a control system, the provisions of §1030A(a)(2) would allow a prosecutor to bring charges under the new section.