There certainly has been no shortage of cyber crime in 2014. You need look no further than the myriad problems outlined by Joseph Demarest, the FBI's assistant director, Cyber Division touched on during testimony before a Senate Committee on Banking, Housing, and Urban Affairs hearing on cyber security today.
"The FBI is engaged in a host of efforts to combat cyber threats, from efforts focused on threat identification and sharing inside and outside of government, to our internal emphasis on developing and retaining new talent and changing the way we operate to evolve with the cyber threat," Demarest said.
Demarest suggested three ways Congress could help evolve with that cyber threat. In particular:
- Update the Computer Fraud and Abuse Act. The Computer Fraud and Abuse Act (CFAA) constitutes the primary federal law against hacking, protecting the public against criminals who hack into computers to steal information, install malicious software, and delete files. The CFAA was first enacted in 1986, at a time when the problem of cyber crime was still in its infancy. Over the years, a series of measured, modest changes have been made to the CFAA to reflect new technologies and means of committing crimes and to equip law enforcement with the tools to respond to changing threats. The CFAA has not been amended since 2008, however, and the intervening years have again created the need for the enactment of modest, incremental changes. The Administration has proposed several such revisions to keep federal criminal law uptodate with rapidlyevolving technologies. Cyber threats adapt and evolve at the speed of light, and we need laws on the books that reflect the most current means by which cyber actors are committing crimes. Updating the CFAA to reflect these changes would help strengthen our ability to punish, and therefore to deter, the crimes we seek to prevent.
- Data Breach Notifications. We believe there is a strong need for a uniform federal standard holding certain types of businesses accountable for data breaches and theft of electronic personally identifiable information. Businesses should, for example, be required to provide prompt notice to consumers in the wake of a certain cyber attacks. Such a standard would not only hold businesses accountable for breaches, but would also assist in FBI and other law enforcement efforts to identify, pursue, and defeat the perpetrators of cyber attacks.
- Information Sharing. Although the government and the private sector already share cyber threat information on a daily basis, legislation can enhance the value and benefit of these information sharing relationships. The government and the private sector both have critical and unique insights into the cyber threats we face, and sharing these insights is necessary to enhance our mutual understanding of the threat. Similarly, the operational collaboration required to identify cyber threat indicators and to mitigate intrusions requires the exact type of sharing we seek in the first place. As such, the FBI supports legislation that would establish a clear framework for sharing and reduce risk in the process, in addition to providing strong and straightforward safeguards for the privacy and civil liberties of Americans. U.S. citizens must have confidence that threat information is being shared appropriately, and we in the law enforcement and intelligence communities must be as transparent as possible. We also want to ensure that all the relevant federal partners receive the information in real time.
Sign up for Computerworld eNewsletters.