Plan to ease ISPs ability to report cybercrime

A proposal to relax the liability of Internet service providers (ISPs) when reporting potential terrorism threats could be the...

A proposal to relax the liability of Internet service providers (ISPs) when reporting potential terrorism threats could be the first of a raft of anti-terror bills to make its way to through Congress to become US law.

The Cyber Security and Enhancement Act of 2001, introduced in December by Texas Republican Representative Lamar Smith, also calls for more severe penalties for cybercrime and increased funding for a government-run centre to detect security threats.

The bill is one of a handful of congressional initiatives designed to fortify information security, including the Cyber Security Research and Development Act, which was approved by the US House of Representatives last week, and the Cybersecurity Preparedness Act of 2002 and the Cybersecurity Research and Education Act of 2002, both introduced into the Senate in January.

Representative Smith, chairman of the House Judiciary Committee's Subcommittee on Crime, held a hearing on Tuesday (12 February) regarding his proposed legislation. The bill is scheduled for markup, or review, in the crime subcommittee today.

The bill builds on the USA Patriot Act signed by President George Bush last October that included a number of antiterrorism measures.

The Cyber Security and Enhancement Act of 2001 proposes that the US Sentencing Commission strengthen penalties related to cybercrime so that they better reflect the seriousness of the crime. It also allots $58m (£41m) in funding to the US Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC), which could serve as a national focal point for coordinating threat assessments and responses.

It also would provide liability protection to ISPs that report to officials suspected cybercrime, such as an e-mail bomb threat that crosses an ISP's network. While the Patriot Act authorised such reporting, ISPs have to show reasonable belief of immediate risk of death or personal injury, according to Clint Smith, president of the US Internet Service Providers Association, who testified at Tuesday's hearing and who supports the bill. Showing reasonable belief of immediate risk puts a burden on ISPs and might prevent them from reporting a suspected threat to officials, Smith said.

The Cyber Security and Enhancement Act of 2001 would remove the "immediate" condition of the Patriot Act and replace "reasonable" belief with "good faith" belief of a threat, Smith said. The bill also explicitly grants ISPs immunity from liability when they act in good faith, he said.

But an official with the Center for Democracy and Technology (CDT), an Internet civil liberties public interest group, said the bill would threaten the privacy of communication.

"As drafted, (the bill) would allow many more disclosures of sensitive communications without any court oversight or notice to subscribers," read the written testimony of Alan Davidson, associate director of CDT, who also spoke at Tuesday's hearing.

The bill has loopholes, Davidson said, because it expands ISP disclosure to not just law enforcement officials, but any government entity. Because the bill removes the requirement that a suspected threat be immediate, ISPs could disclose communications describing an event far in the future, or even a hypothetical one, he said. And without the requirement to prove reasonable belief of risk, ISPs could report communications without ramification.

Safeguards such as requiring notice to a subscriber that their communication was reported to officials should be put in place, Davidson added.

Read more on IT risk management