Increasing CFAA Penalties Won't Deter Foreign "Cybersecurity" Threats

Deeplinks 2013-04-11

Summary:

In the last three months alone, the House has released three different cybersecurity bills and has held over seven hearings on the issue. In addition, the House Judiciary Committee floated changes to the Computer Fraud and Abuse Act (CFAA)—the draconian anti-hacking statute that came to public prominence after the death of activist and Internet pioneer Aaron Swartz. Politicians tout this legislation as necessary to protect against foreign threats every single time they introduce a bill with “cyber” somewhere in the text. And it comes as no surprise that every hearing has opened up with a recap of computer security attacks faced by the US from China, Iran, and other foreign countries.

For many politicians, "cybersecurity" is also synonymous with increasing penalties for computer crimes. The CFAA proposal floated last week expands the already broad scope of the CFAA, increases the prison time for violations, and criminalizes new actions. Politicians from both parties believe—despite research saying otherwise—that increasing penalties will serve as a deterrent to foreign crimes. Just last year, President Obama, Senator Leahy, and House Republicans all proposed expanding the reach of the CFAA by increasing its penalties. With your help these attempts were defeated when we killed the cybersecurity bill in the Senate.

Why Increases Won't Deter Foreign Threats

Increasing penalties in the CFAA won't serve as a deterrent to foreign threats. Many foreign hacks—like the ones revealed in the recently released Mandiant report—are carried out not by private individuals, but by state or quasi-state sponsored citizens. In talks, politicians often cite the recent hack of a Saudi oil company called Saudi Aramco. But the hack is thought to be from a quasi-state sponsored Iranian group. And the US will find it hard, if not impossible, to extradite Chinese or Iranian state-sponsored computer hackers.

The US would also have a hard time prosecuting civilian foreign citizens. In recent memory there have been only a handful of CFAA extradition cases. In one potential case—the infamous "ILOVEYOU" virus—the FBI said that suspects are generally prosecuted in the country where they're found. This means that the CFAA wouldn't be used. The larger Department of Justice manual concerning extraditions lists factors leading to an extradition, but warns prosecutors: "appeals and delays are common." In general, there have been very few successful extradition cases based solely on the CFAA.

Just last year, the US tried to extradite Gary McKinnon under the CFAA for allegedly accessing US military computers. The US government labeled McKinnon as one of the "world's most dangerous hackers," yet it was unable to persuade one of its closest allies, England, to extradite him. McKinnon's case is just one recent example of the difficulties the US government faces when trying to prosecute foreign online threats with US domestic law.

In 2011, Michael Chertoff, the former secretary of the Department of Homeland Security, made these same exact points. While discussing the CFAA and foreign cybersecurity threats, Chertoff noted:

The problem is a lot of the activity is overseas, and we are not going to find the people who do this stuff because they are never coming over to the United States. And, frankly, in some countries there is not a lo

Link:

https://www.eff.org/deeplinks/2013/04/increasing-cfaa-penalties-wont-deter-foreign-cybersecurity-threats

Authors:

Mark M. Jaycox

Date tagged:

04/11/2013, 18:47

Date published:

04/11/2013, 17:27