Internet cranks and hackers might think twice about targeting schools, and school administrators might receive quicker notification when service providers learn of internet threats involving schools under terms of proposed legislation discussed at a hearing in the U.S. House of Representatives on Feb. 12.
Stiffer penalties proposed for internet wrongdoers and relief from litigation for prompt notification are the mechanisms that could increase school security, the bill’s supporters indicated. Critics of the measure said the bill could undermine the privacy rights of internet users.
The House bill intended to crack down on computer crimes would shield internet service providers from lawsuits if they share information pertaining to possible life-threatening situations with school officials or other government authorities.
The bill, which also could lead to stiffer penalties for computer hackers, has received support from administration officials and technology executives.
Microsoft lawyer Susan Kelley Koeppen, a former Justice Department prosecutor, said courts should take hackers more seriously.
“Cybercrime will never be effectively curbed if society continues to treat it merely as pranksterism,” she told lawmakers during the hearing.
The government is increasingly concerned about the well-being of government and business computer systems in the face of teen hackers and foreign threats.
“As we increase individuals’ physical safety at our airports, borders, and even sporting events, we should not forget to strengthen cybersecurity as well,” said Rep. Lamar Smith, R-Texas, the bill’s sponsor.
The Cyber Security Enhancement Act of 2001, or H.R. 3482, would give judges greater flexibility in imposing sentences for computer crimes. Current law ties the severity of the crime to the cost of damage done and limits jail terms to 10 years.
Smith’s legislation would require judges to take other factors into account, including the sophistication of the offense, intent, and violations of the victim’s privacy.
If the criminal “knowingly causes or attempts to cause death or serious bodily injury,” the judge could impose up to a life sentence.
The Justice Department, Microsoft, and internet service providers supported the change in testimony to the House Judiciary subcommittee on crime.
John G. Malcolm, of Justice’s criminal division, described a hypothetical situation in which a hacker shut down a town’s phone service, including emergency 911 calls.
“It is easy to envision in such a situation that somebody might die or suffer serious injury as a result of this conduct,” Malcolm said. “Although the hacker might not have known that his conduct would cause death or serious bodily injury, such reckless conduct would seem to merit punishment greater than the 10 years permitted by the current statute.”
Microsoft’s Koeppen suggested that convicted hackers have their computer gear confiscated by the authorities, a practice similar to that used in drug cases.
Another portion of the bill would protect internet providers from lawsuits if, believing someone is in danger of death or serious physical injury, they give records of communications to a government entity.
Koeppen said she believes the term “government entity” could also be applied to firefighters or even school principals.
“We believe that such emergency situations will be rare, but that law enforcement personnel may not always be reachable or even the best prepared to take action,” she said.
Brad Bennett, a spokesman for Rep. Smith, confirmed that the law could recognize school administrators as acceptable government entities, “were the situation something directly related to the school”a threat of imminent danger to students or staff members, for example.
“We’d want to be able to contact the correct authority immediately,” he said. “If there is an immediate threat to a school, then certainly time is of the essence. We’d want the people in the position to handle the situation to have the information they need.”
But Bennett said this situation is highly improbable, and a better example of a government entity that might be alerted to a cyber threat would be an agency such as the Centers for Disease Control and Prevention or the Department of Defense.
Still, the bill is encouraging to Marc Liebman, superintendent of the Marysville Joint Unified School District in California.
As superintendent of a district that has experienced a school shooting, “I will support any legislation that gives us access to information about threats made by students or others that may impact the safety of the students in our district,” he said.
Privacy advocates said the bill’s language is too broad and would encourage internet providers to hand over information too often.
“At the same time that they’re expanding the number of people that can get this information, they’re bringing down the standard in which they can get it,” said Ari Schwartz of the Center for Democracy and Technology.
Schwartz dismissed the ideamentioned by several supportersthat the information sharing would be useful to combat terrorism. Some of the suspected terrorists in the Sept. 11 attacks communicated over the internet.
It’s not as though law enforcement agencies knew about that information and wanted to get it, Schwartz said. “It was not the standards that failed us; it was the intelligence-gathering that failed us.”
Rep. Lamar Smith, R-Texas
House Subcommittee on Crime
U.S. Justice Department
Center for Democracy and Technology