BREAK IN TRANSCRIPT
Mr. PATRICK J. MURPHY of Pennsylvania. Madam Chair, I'd like to extend my sincere thanks to Chairman Reyes for accepting this amendment and taking an important step toward strengthening our Nation's cyber infrastructure against attack. Madam Chair, the protection of our country's cyber infrastructure is one of today's most pressing--and challenging--national security issues. Computers and Internet device technology have become pervasive in every type of crime and federal agencies are experiencing an increase in cyber-intrusions into our most secure and sensitive government computer networks. This growing threat is extraordinarily difficult to address. The technology used to perpetrate these crimes evolves constantly and rapidly, and it can be exceedingly difficult to track down the perpetrators. It is our duty to ensure that our Intelligence Community and our Nation's law enforcement agencies have every tool necessary in their arsenal to combat cyber criminals and cyber terrorists who seek to access or steal protected information.
To be successful in preventing security breaches, Madam Chair, the agencies tasked with protecting the country from cyber attacks must constantly revise and improve their primary functions of data collection, analysis, and dissemination to keep pace with expanding threats. Experts in the field have pointed to several areas of the law which may need to be reviewed and updated to ensure their effectiveness and to best protect American individuals, businesses, and our national security.
Our proposal would establish the Cybercrime Task Force to analyze the current tools available to the Intelligence Community and law enforcement and provide legislative recommendations on ways to strengthen those resources, reduce our national exposure, and prevent and deter cyber attacks, cyber terrorism, cyber espionage, and cybercrimes.
The goals of the task force include improving attribution to specific criminals, understanding the nontraditional targets of attackers, and strengthening federal computer crime statutes to deter would-be perpetrators.
First, crucial to better deterrence--and the possibility of implementing sanctions--is improving the IC's ability to designate concrete attribution for cyber attacks. Attacks committed with the aid of computer or Internet device technology are often cleared with negative clearance. In order words, the IC is not able to detect and identify hostile foreign actors because of missing data at Internet service providers. The task force shall provide evidence-based recommendations on mandatory data retention requirements that balance the privacy of an individual's data, the technical and financial limitations of companies and Internet service providers, and the need to ensure effective cybercrime investigation.
The task force shall incorporate in their recommendations suggestions to minimize barriers to entry into the service provider industry and to lessen any negative impact on innovation or new start-ups in the industry.
Second, Madam Chair, in light of the rapidly evolving nature of the crimes, we must better understand the likely, but nontraditional, targets to which perpetrators may seek unauthorized access. Cyber attacks are increasingly the preferred method of foreign intelligence services collection of data against the U.S., raising a host of novel training, counterintelligence and investigative issues. To improve these operations in the IC's understanding of the extent to which computer and Internet device technology pervades traditional crimes, the task force shall compile a list of nontraditional targets (i.e., economic or industrial bases) in the U.S. that the IC has not traditionally dealt with as a target for foreign intelligence services.
Finally, Madam Chair, an increasing number of ``terrestrial'' (i.e., physical) crimes are being committed with the aid of a computer or Internet services. The task force shall survey the current federal crime statute for computer fraud and abuse to determine whether it is sufficient in light of the advanced nature of the crimes being committed and to enhance the ability of our law enforcement agencies to identify, detect and apprehend suspects as well as enhance investigative and prosecutorial efforts.
The task force shall survey the current federal crime statute for computer fraud and abuse (as provided in 18 U.S.C. 1030) to determine whether it is sufficient in light of the advanced nature of the crimes being committed. It shall determine the adequacy of the laws for which cybercrime and cyber espionage constitute a predicate offense and provide recommendations for updating those statutes when warranted. The task force shall establish and disseminate guidelines for States to revise their State-level statutes equivalent to 18 U.S.C. 1030 to help ensure they keep pace with Federal changes.
An increase in the prevalence of crimes facilitated through computer fraud and abuse raises novel investigative, prosecutorial and training issues because of the complex and unique attributes of computer and Internet technology. To improve law enforcement's understanding of the extent to which computer technology pervades traditional crimes, the task force shall compile a list of which crimes are most often committed with the aid of computers or Internet devices, determine whether the relevant prosecutorial tools are up to date, and provide specific legislative recommendations on how to update the statute to improve prosecution efforts while simultaneously providing for individual privacy and data security.
The task force shall also advise whether a need exists to outlaw, or more clearly prohibit, certain behavior (i.e., unauthorized access) regardless of intent or resulting damage, whether monetary or to a computer system. The recommendations should take into account the increasing prevalence of individuals using pre-programmed hacking tools to commit a crime without necessarily understanding the full implications or potential consequences of the technology.
The task force shall analyze existing Federal and State data breach notification requirements and advise whether and how current law should be amended to strengthen requirements and improve compliance, including notification of relevant law enforcement authorities as well as any individuals whose personally identifiable information may be at risk from the breach. Currently, forty-three States have enacted breach notification requirements, and they vary widely, resulting in low compliance levels. The task force shall analyze discrepancies among existing State-level statutes, determine barriers to compliance, and provide recommendations for overcoming such barriers (i.e., through Federal legislation, tying a company's obligations to specific jurisdiction and their requirements, or through some other means).
Finally, the task force shall determine whether and how current victim restitution statutes should be amended in order for victims of cyber attacks to be made whole. Currently States have varying forms of recourse for victims of cyber attacks, particularly when a person is hurt because a company's data was breached. The task force shall recommend whether a Federal law is needed to address this and if so, how it should be structured.
Madam Chair, I urge my colleagues to ensure that we stay a step ahead of hackers and cyber terrorists seeking to cause us harm and to pass this important amendment.
BREAK IN TRANSCRIPT