Cyber attacks have been occurring for a number of years, but the recent turmoil with Sony Pictures has brought to the forefront the major impact of such attacks not just on private companies and their profit margins, but also the national security of the United States.  The threat of online security is no longer just a concern of large corporations, but as demonstrated last week, federal agencies and military units are also vulnerable to cyber attacks.  As a result, the Executive is stepping up its efforts to combat cyber crimes by advocating for more stringent laws, and it is highly anticipated that cyber security will be a focal point of President Obama’s State of the Union Address on Tuesday night.

While I think most can agree that the damage caused by cyber crime is certainly a growing threat to the private and public sectors, there is an important distinction between implementing effective legal avenues for investigations and prosecution, while simultaneously ensuring that the privacy and Internet use of average persons are not implicated in the crosshairs. That is precisely the overarching concern that has been posed since President Obama’s announcement that cyber crime is next on his to-do list.  Indeed, the proposed measures, as written, are being criticized for their impacts on personal privacy, as well as imposing harsher penalties on digital activist groups and others for seemingly innocent conduct. Although the White House has stated that the measures would not target “insignificant conduct,” it does little to address the practical impact of the proposed measures if they are passed into law.

The two areas of primary concern are the information sharing provisions, which would encourage private companies to share information regarding data breaches with federal agencies, and the revisions to existing laws that provide the groundwork for prosecution of cyber crimes, mainly the Racketeering Influenced and Corrupt Organizations Act (“RICO”), 18 U.S.C. § 1961 et seq., and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The privacy concerns stem from the fact that the proposed measures will provide a type of immunity for private corporations for sharing information related to cyber attacks with federal agencies. The dissemination of personal information, which will be shared with federal agencies and Sharing and Analysis Organizations, raises questions as to whether adequate steps will be taken to ensure that personal information does not become vulnerable as part of the information sharing process. Further, the “modernization” of RICO and the CFAA more or less translates to a broadening of the existing laws. Thus, more conduct will fall under the scope of prosecutable offenses under the two existing bodies of criminal law.

From a criminal defense perspective, the existing laws provide sufficient legal authorities to prosecute cyber criminals. As such, the expansion of RICO and the CFAA could lead to unwarranted prosecutions of ordinary U.S. citizens and digital activist groups. Practically speaking, expanding the scope of criminalized conduct will not solve the underlying issue, which seems to be inadequate preventative measures against these attacks. Arguably, the increased information sharing is intended to address this side of the coin, but again, therein lies the concerns of infringement on personal privacy.

So the question remains, are the new measures intended to decrease privacy rights and criminalize a broader set of conduct, or are they intended to create more efficient procedures to prevent and uncover the actors behind these crimes? President Obama is sure to shed some light on these issues during his State of the Union Address, but only time will tell as to the effectiveness of the proposed measures.

The author of this blog is Margaret S. Ververis, an Associate with Ferrari & Associates, P.C. focusing on federal crimes in the landscape of modern technology.  For more information regarding this post, please contact her at (202) 440-2581 or ververis@ferrariassociatespc.com.