The Obama administration is eying an extensive overhaul of the Computer Fraud and Abuse Act.
The Act currently stipulates a maximum 10-year prison sentence for breaking into a U.S. government computer and threatening national security, five years for stealing data, and one year for extracting a non-critical password or defacing a website.
However, a recent White House proposal would effectively double the 10-year maximum sentence to 20, while bumping a five-year sentence for computer thefts up to 10.
Similarly, the one-year maximum for defacing a government computer or downloading a non-critical file could become a three-year sentence.
“It’s [certainly] been a busy month,” James Lewis, of the Center for Strategic and International Studies (CSIS) think tank, told Reuters.
“[Lulz Security made] a big mistake [going after the FBI and CIA]. That bumps it up immediately. [This] could make it a grudge match.”
But Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute, cautioned that “smoking keyboards” are hard to find.
“Anonymity of cyberspace, the lack of being able to do 100 percent attribution makes it difficult from a national security standpoint,” he explained.
“Obviously, if you don’t know who is behind the clickety clack of the keyboard, or even if you do, you don’t have 100 percent confidence.”
Sophos Security analyst Carole Theriault expressed similar sentiments and noted that hacktivists who expose firms’ security weaknesses or embarrass companies for the “lulz” are not likely to be deterred by an increase in criminal penalties.
“Does the US really want to spend huge amounts of resources to locate and identify a cyber prankster who wants his or her 15 minutes in the spotlight? No matter how disruptive it is to DDoS or pwn a site, should they be given the same focus as someone who is intent on threatening national security by stealing highly sensitive information?
“It seems to me that there was a big difference between attacks like those perpetrated by hacktivists which brought down the CIA website, and serious organized infiltration of networks to steal confidential information. The motivation for hacktivists may be to gain some kudos from their peers on the Internet, or to show off to rival groups, or simply a case of being bored and committing a cybercrime ‘because they can.’”