Senators reintroduce legislation that would strengthen penalties for cyberattacks

A bipartisan group of senators has reintroduced legislation that would create new criminal penalties for cyberattacks.

The International Cybercrime Prevention Act, reintroduced after it failed to pass Congress in 2018, would allow for a 20-year prison sentence for hackers who cause damage to computers connected to critical infrastructure. Federal criminal hacking charges typically carry a maximum 10-year prison sentence.

The bill would also allow law enforcement officials to seize computers used for criminal hacking and proceeds from the sale of spyware. In addition, it would let the Department of Justice ask courts for permission to shut down botnets used for a variety of criminal activities, including denial-of-service attacks. Under current law, the DOJ can seek court permission to shut down only those botnets used in fraud or illegal wiretapping.

“It is time for Congress to ensure our cyber defense can withstand these attacks in the future,” Sen. Thom Tillis, a co-sponsor of the bill, said in a statement.

In early 2020, hackers believed to be tied to the Russian government compromised the SolarWinds Orion IT monitoring and management software package, affecting about 100 companies and nine U.S. agencies. The hack was finally reported in December by an affected company.

In addition, Colonial Pipeline, a major oil and gas pipeline company serving the East Coast, and JBS, the world’s biggest meat-packing company, were hit with ransomware attacks in recent months. The attack on Colonial Pipeline caused it to shut down for six days, leading to gasoline shortages in several states.

Some cybersecurity experts see momentum for new cybercrime legislation after these and other recent attacks.

“The public felt the effects firsthand of the Colonial Pipeline hack,” said Andrew Howard, CEO at Kudelski Security, a managed cybersecurity provider. “It is inevitable that new regulations will follow to address cybercrime activities that create disruption in our daily lives, impact our economy, and ultimately affect our national security.”

Still, legislation isn’t enough, Howard told the Washington Examiner. “Deterring criminal activity is just one part of a solution,” he said. “Operators of critical infrastructure must also mature their own cybersecurity programs and systems to minimize the impact of cybercriminal activity.”

Some cybersecurity professionals praised the bill for its comprehensive focus on cybercrime, its expanded penalties, its emphasis on botnets, and its tying of some hacking crimes to money laundering charges.

With the bill, cybercrime and cyberterrorism will face higher criminal penalties, “expressing America’s opposition to criminal activities that threaten our economy and our citizens,” said Anurag Gurtu, chief product officer at StrikeReady, a vendor of an automated cybersecurity response system.

The “exponentially expanding threat landscape” is creating pressure on Congress to act, he told the Washington Examiner.

“As these attacks have such profound effects on a global scale, I believe the legislation will pass with no opposition,” he added. “There is an urgent need for harsher punishment for cybercriminals, specifically those who commit ransomware attacks. And seeing that the government is considering tougher penalties for those foreign-based threat actors is encouraging.”

While some other cybersecurity bills focus on defense, information-sharing, and other cybersecurity issues, this bill is targeted at criminal hackers, noted Eric Noonan, CEO of CyberSheath, a vendor of cybersecurity and compliance services.

“This piece of legislation is focused on enforcing penalties on bad actors and, in that way, is different from many other bills,” he told the Washington Examiner. “It would provide additional tools for law enforcement and should be viewed as one piece of the many required to modernize America’s ability to defend itself against cyberthreats.”

Still, many companies in the defense industry and other government-related services have ignored regulations requiring two-factor authentication of users, he said. “We need mandatory minimums for cybersecurity that are validated by a government agency,” he said.