Following a cyberattack at a local healthcare facility, Rhode Island Sen. Sheldon Whitehouse introduced legislation to deal with such cybercrime.
According to NBC News, a ransomware attack compromised the personal healthcare information of 14,000 New Englanders. Whitehouse claimed, in an interview with NBC, that the hack happened “just last month.” However, HealthITSecurity wrote that the actual breach occurred between September 23, 2014 and August 28, 2015.
Whitehouse’s legislation, called the Botnet Prevention Act, was introduced to end this type of cybercrime in America.
During the interview, Whitehouse described botnets as an army of malicious computers, working towards the same goal. “You can do things like have every single one of those computers go hit a website, or go overload traffic to a hospital,” Whitehouse said.
Senator Lindsey Graham, the initial sponsor of the bill, explained the Botnet Prevention Act (BPA) would benefit the Justice Department. The DoJ would have expanded civil injunction authority to tear down these malicious networks, Graham explained at a Senate hearing. New criminal charges would be implemented for those who sell or rent out botnets. Similarly, the penalties for cybercrimes against critical infrastructure would be raised.
The new bill proposes changes that go far beyond the scope of the current Computer Fraud and Abuse Act. Under the Computer Fraud and Abuse Act, the DoJ may only issue civil injunctions for specific botnet crimes. Graham explained that the current law lacks language related to modern botnet infrastructure and usage. Renting or selling botnets currently resides in a legal grey area, and the BPA would change this.
Whitehouse claimed that the DoJ knows where these botnets are being built but is legally under-equipped.
“There is no such thing as a good botnet, and so we should be about the business of taking them all down,” Whitehouse said.
“It has a lot of bipartisan support, as far as I’m concerned there’s no such thing as ‘too soon,’” Whitehouse said. The legislation, according to Congress, has one Republican sponsor and two Democrat co-sponsors. Whitehouse believes this support could push the legislation to pass by the end of the year.
In October 2015, Whitehouse pushed another amendment to the Computer Fraud and Abuse Act. The proposed legislation was controversially pulled due to vague and ambiguous phrasing that potentially violated internet privacy. He later spoke angrily about the rejection of his changes.
C-SPAN has the entire event recorded online with an automated transcription. Referring to the flaws in the current Computer Fraud and Abuse Act, Whitehouse says:
“That’s a loophole that harms Americans that this bill would close. I can’t believe there’s one member of this institution who would oppose closing a loophole that allows foreign criminals access to Americans’ financial information for fraudulent purposes but puts them beyond the reach of our criminal law. That’s one part of what our bill does. The second is it raises penalties for people who intrude on critical infrastructure.”
Privacy advocates have already voiced concerns about the BPA. The EFF and ACLU are among several who publicly signed a letter to Congress regarding the bill.
“What we need is reform that reins in the CFAA, not a measure that makes things worse,” the letter said.