The Bush administration had asked Congress to approve the Cyber Security Enhancement Act (CSEA) as a way of responding to electronic intrusions, denial of service attacks and the threat of "cyber-terrorism." The CSEA had been written before the Sept. 11 terrorist attacks last year, but the events spurred legislators toward Monday evening's near-unanimous vote.
CSEA, the most wide-ranging computer crime bill to make its way through Congress in years, now heads to the Senate. It's not expected to encounter any serious opposition, although there's not much time for senators to consider the measure because they take August off and are expected to head home for the year around Oct. 1.
"Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives," sponsor Lamar Smith, R-Tex., said earlier this year. "A mouse can be just as dangerous as a bullet or a bomb."
Smith heads a subcommittee on crime, which held hearings that drew endorsements of CSEA from a top Justice Department official and executives from Microsoft and WorldCom. Citing privacy concerns, civil liberties groups have objected to portions of CSEA.
At the urging of the Justice Department, Smith's subcommittee voted in February to rewrite CSEA. It now promises life terms for computer intrusions that "recklessly" put others' lives at risk.
A committee report accompanying the legislation predicts: "A terrorist or criminal cyber attack could further harm our economy and critical infrastructure. It is imperative that the penalties and law enforcement capabilities are adequate to prevent and deter such attacks."
By rewriting wiretap laws, CSEA would allow limited surveillance without a court order when there is an "ongoing attack" on an Internet-connected computer or "an immediate threat to a national security interest." That kind of surveillance would, however, be limited to obtaining a suspect's telephone number, IP address, URLs or e-mail header information--not the contents of online communications or telephone calls.
Under federal law, such taps can take place when there's a threat of "serious bodily injury to any person" or activity involving organized crime.
Another section of CSEA would permit Internet providers to disclose the contents of e-mail messages and other electronic records to police in cases involving serious crimes.
Currently it's illegal for an Internet provider to "knowingly divulge" what users do except in some specific circumstances, such as when it's troubleshooting glitches, receiving a court order or tipping off police that a crime is in progress. CSEA expands that list to include when "an emergency involving danger of death or serious physical injury to any person requires disclosure of the information without delay."
Clint Smith, the president of the U.S. Internet Service Providers Association, endorsed the concept earlier this year.
Smith testified that CSEA builds on the controversial USA Patriot act, which Congress enacted last fall. He said that this portion of CSEA "will reduce impediments to ISP cooperation with law enforcement."
The Free Congress Foundation, which opposes CSEA, criticized Monday evening's vote.
"Congress should stop chipping away at our civil liberties," said Brad Jansen, an analyst at the conservative group. "A good place to start would be to substantially revise (CSEA) to increase, not diminish, oversight and accountability by the government."
If the Senate also approves CSEA, the new law would also:
Require the U.S. Sentencing Commission to revise sentencing guidelines for computer crimes. The commission would consider whether the offense involved a government computer, the "level of sophistication" shown and whether the person acted maliciously.
Formalize the existence of the National Infrastructure Protection Center. The center, which investigates and responds to both physical and virtual threats and attacks on America's critical infrastructure, was created in 1998 by the Department of Justice, but has not been authorized by an act of Congress. The original version of CSEA set aside $57.5 million for the NIPC; the final version increases the NIPC's funding to $125 million for the 2003 fiscal year.
Specify that an existing ban on the "advertisement" of any device that is used primarily for surreptitious electronic surveillance applies to online ads. The prohibition now covers only a "newspaper, magazine, handbill or other publication."
Most industry associations, including the Business Software Alliance, the Association for Competitive Technology, the Information Technology Association of America, and the Information Technology Industry Council, have endorsed most portions of CSEA.