Current laws addressing cyber crime aren’t adequate to address growing attacks on the government and businesses, a representative of U.S. President Barack Obama’s administration said Tuesday.
But when a U.S. senator questioned what additional laws the Obama administration needed, James Baker, associate deputy attorney general at the U.S. Department of Justice, said he wasn’t sure yet.
“Are all of you, or any of you, satisfied with the existing legal structure under which you are operating?” Senator Sheldon Whitehouse, a Rhode Island Democrat, asked a panel of four government officials working on cybersecurity.
“Senator, that’s a complicated question,” Baker answered during a hearing before a subcommittee of the Senate Judiciary Committee. “I think the answer to it is no.”
Whitehouse asked if the Obama administration planned to offer proposals for changes in laws or new laws to address cybersecurity concerns.
The DOJ is “debating these kinds of issues … with a view toward deciding whether we should propose changes, and if so, how,” Baker said. “We do not want to mess up, to put it bluntly, the existing authorities that we have that provide a huge amount of capability to collect both law enforcement information and foreign intelligence information.”
The Obama administration does not want to make mistakes, “because this area is so complicated,” Baker added.
Senators heard conflicting views on what kind of new laws are needed. The U.S. Congress should not pass laws, as some lawmakers have suggested, mandating cybersecurity efforts at private businesses, said Larry Clinton, president of the Internet Security Alliance, a cybersecurity advocacy group.
Market-based incentives should be able to improve cybersecurity, while government mandates could harm the Internet, he said.
“Federally mandated cybersecurity standards not only would not work, but they would be seriously counterproductive to our national economic interests and our national security interests,” Clinton said.
But Larry Wortzel, vice chairman of government advisory group the U.S.-China Economic and Security Review Commission, said some mandates may be necessary for private companies associated with national security.
There is some good news, another DOJ employee, Steven Chabinsky, told senators, as U.S. law enforcement officials have brought charges against two large cyber-criminal rings in recent weeks. Chabinsky, deputy assistant director of the Cyber Division at the U.S. Federal Bureau of Investigation, said the agency’s work with foreign law-enforcement groups and private organizations has led to “increased and repeatable successes” in fighting cyber crime.
Catching cyber thieves is important, but the U.S. government needs to do a better job of preventing attacks, suggested Senator Benjamin Cardin, a Maryland Democrat. “The good news is we’ve brought indictments against those who were able to rob us,” Cardin said. “The bad news is they were able to rob us. Every day, as I understand it, there is money being stolen through cyberspace.”
The subcommittee hearing was supposed to be partly focused on preventing terrorist attacks in cyberspace, but Chabinsky told senators the FBI has not yet seen a “high level” of sophistication necessary for terrorism groups to attack the U.S. cyber infrastructure. The agency, however, is tracking people sympathetic to al-Qaida who’ve expressed interest in developing the skills necessary, he said.
Other nations and potentially some cyber-criminal groups do have significant capabilities, Chabinsky added. These groups have the ability to alter software, conduct remote intrusions, reroute and monitor wireless communications, and “position employees within our private sector and government organizations as insider threats, awaiting further instruction,” he said.
