Reintroduced International Cybercrime Prevention Act Would Create New Cybercrime Violations, Increase Forfeiture and Injunctive Relief

On June 17, a bipartisan coalition of U.S. Senators, including Thom Tillis (R-NC), Sheldon Whitehouse (D-RI), Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) reintroduced the International Cybercrime Prevention Act for consideration by the upper house of Congress. If passed, the bill would enact provisions giving additional power to law enforcement for seizing devices used for cyber attacks as well as create new criminal violations for individuals who knowingly engage in cyber attacks on critical national infrastructure.

Increased Cybercrime During COVID-19 Pandemic Encourages Reintroduction of the Act

The International Cybercrime Prevention Act was originally introduced into Congress back in July 2018 by Senator Graham, at which time it was referred to the Senate Committee on the Judiciary, where no further action was taken on the bill. Today, however, there are several factors which are doubtlessly behind the renewed push for cybercrime legislation, not the least of which includes a spate of high-profile attacks on critical networks that have either put sensitive government data at risk of interception or shut down massive portions of America’s infrastructure. Throughout 2020, hackers took advantage of network vulnerabilities at IT management firm SolarWinds to install malware exposing sensitive government data held by the U.S. Department of Homeland Security and the U.S. Department of the Treasury. In late April, a ransomware attack on Colonial Pipeline shut down gas supplies throughout the southeastern United States for more than a week. Similar cyber attacks have been seen in recent weeks at JBS, the world’s largest meat supplier, and New York City’s Metropolitan Transportation Authority.

As the press release from Senator Tillis’ office on the cybercrime bill notes, these individual attacks are part of a larger wave of cybercrime that has been on the rise thanks in large part to the COVID-19 pandemic, which has forced much of the world of government and private business to rely on remote access technologies where network vulnerabilities can easily develop. At least in the case of the Colonial Pipeline attack, the use of virtual private networks for remote employee access contributed to hackers’ ability to infiltrate the company’s larger computer network. Last August, the head of the United Nations’ counterterrorism department gave public remarks indicating that phishing attacks, or the use of fraudulent emails purporting to be from a trusted company in order to obtain sensitive personal information, increased by 350 percent during the first quarter of 2020 with many attacks targeting hospitals and other critical targets within the healthcare system. More recently, the Federal Bureau of Investigation’s Internet Crime Complaint Center issued an Internet Crime Report 2020 showing that the FBI’s division for receiving cybercrime complaints received 791,790 such complaints last year, a 69 percent increase in the total complaints received during 2019.

Act Would Increase RICO Predicate Offenses, Create Injunctive Relief Against Botnets

A section-by-section analysis of the International Cybercrime Prevention Act shows that, by and large, the bill much resembles the legislation proposed by Senator Graham in 2018. Section 2 of the bill, covering predicate offenses, would make violations of the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized computer access, a predicate offense for purposes of the Racketeer Influenced and Corrupt Organizations (RICO) Act, a statute that gives authority to law enforcement officials to prosecute activities tied to criminal organizations. Federal prosecutions for cybercrime activity already proceed under RICO, as is evidenced by the U.S. Department of Justice’s announcement in early May that four Eastern European nationals pled guilty this spring to RICO charges regarding that group’s provision of hosting services for malware distribution. By adding CFAA violations to the category of predicate offenses for RICO prosecution, the International Cybercrime Prevention Act would enable law enforcement to bring racketeering charges for trespassing government computers, trafficking in passwords, threatening to damage a computer or fraudulently accessing a computer to obtain anything of value.

Other sections of the International Cybercrime Prevention Act would create new criminal violations prohibiting certain online behaviors that federal prosecutors currently cannot litigate. Section 5 of the act creates a violation for aggravated damage to a critical infrastructure computer, or knowingly causing damage to computers controlling critical infrastructure like dams, hospitals, power plants and election infrastructure. Section 6 would close a loophole in criminal law by prohibiting individuals from selling means of access to a compromised computer if the seller knows or has reason to know the buyer intends computer damage, wire fraud or criminal spam. This particular provision is meant to address the use of compromised computers within a botnet, or a network of computers infected with malicious software and controlled by cybercriminals without the computer owner’s knowledge.

Finally, the bill would also create new tools that law enforcement can use to disrupt or prevent malicious online activity targeting network vulnerabilities. Section 3 of the International Cybercrime Prevention Act would authorize the forfeiture of property used to violate data privacy statutes, including illegal interception devices, as well as sales from the proceeds of spyware. Section 4 would create injunctive relief against botnets engaging in activities illegal under the CFAA, including data destruction and denial of service (DoS) attacks, expanding current authority which limits injunctive relief to instances of fraud or illegal wiretapping.

The recent cyberattacks on JBS and Colonial Pipeline are major factors driving support for the International Cybercrime Prevention Act as it runs the gauntlet on Capitol Hill. A recent post on The Hill discussed several legislative efforts currently being drafted by various U.S. Senators, including separate bills addressing ransomware attacks from the leadership of both the Senate Homeland Security Committee and the Senate Intelligence Committee. Ransomware, which encrypts sensitive data and prevents it from being accessed by a computer user until a ransom is paid, was the malware of choice for hackers perpetrating both the JBS and the Colonial Pipeline breaches. Recent news reports indicate that JBS had to pay its hackers $11 million worth of bitcoin in order to bring its meat packaging plants back online, and on June 7, the U.S. Department of Justice announced that it had recovered $2.3 million in cryptocurrency of a total $4.4 million ransom paid by Colonial Pipeline to hackers in the criminal group DarkSide

 

Image Source: Deposit Photos
Author: stevanovicigor
Image ID: 68350515