Sen. Patrick Leahy (D-Vt.) said he will not support an Obama administration proposal to impose a mandatory minimum three-year prison sentence on hackers found guilty of damaging a critical infrastructure computer.

During a Sept. 7 hearing of the Senate Judiciary Committee, which he chairs, Leahy said he wants "strong penalties, but a mandatory minimum is something that I worry can be abused." A cybersecurity bill to be introduced by Leahy will lack a mandatory minimum; Leahy also said such a provision would have a difficult time gaining acceptance in the House of Representatives.

The mandatory minimum language is part of a larger administration cybersecurity proposal sent by the White House to Congress earlier this year.

James Baker, an associate deputy attorney general, defended the provision during the hearing, characterizing it as a "judicious use of the mandatory minimum concept."

The White House proposal also seeks to increase the severity of existing penalties under the Computer Fraud and Abuse Act, a worrying point for critics who maintain the CFAA potentially criminalizes acts such as violating terms of service or computer use policy.

In his written testimony, Baker said the department is concerned that restrictions of the "exceeds authorized access" clause of the CFAA would inhibit its ability to prosecute insider threats.

"I think that if you look at our whole record with respect to how we've enforced the act over time, I think we've done it in a responsible way," he told senators.

The White House proposal would also amend the password trafficking provision of the CFAA, "expanding it to include other means of access to computers," Baker said. The provision needs broadening to keep up with potential advances in technology, he added, preventing the case against a future defendant from being dismissed on the technicality that he had not trafficked in a "password."

Baker also reiterated Justice support for adding CFAA violations to offenses prosecutable under the Racketeering Influenced and Corrupt Organization Act. Doing so would, among other things, allow Justice to make civil forfeitures against hackers. A lack of civil forfeiture has "forced federal prosecutors to use criminal forfeiture authorities in instances where civil forfeiture would be more appropriate or efficient," Baker said.

For more:
- go to the hearing webpage (prepared testimonies and webcast available)
- download a CRS report on the criminal provisions of the Obama administration's cybersecurity proposal from the Federation of American Scientists' website (.pdf)

Related Articles:
Obama administration not against cybersecurity liability protection, says McConnell
White House cybersecurity proposal would create disincentives, says industry group head
House subcommittee criticizes White House cybersecurity proposal