A last-minute addition to a proposal for a Department of Homeland Security could punish malicious computer hackers with life in prison.
The U.S. House of Representatives on Wednesday evening voted 299 to 121 to approve the bill, which would reshape large portions of the federal bureaucracy into a new department combining parts of 22 existing federal agencies, including the Secret Service, the Coast Guard, and the FBI's National Infrastructure Protection Center.
During closed-door negotiations before the debate began, the House Republican leadership inserted the 16-page Cyber Security Enhancement Act (CSEA) into the Homeland Security bill. CSEA expands the ability of police to conduct Internet or telephone eavesdropping without first obtaining a court order, and offers Internet providers more latitude to disclose information to police.
In July, the full House approved CSEA by a 385-to-3 vote, but it died in the Senate. By inserting CSEA into the Homeland Security bill, the measure's backers are hoping for a second chance before Congress adjourns for the holidays.
"Defending against terrorists who can strike any time with any method requires a change in our approach to the problem," CSEA sponsor Rep. Lamar Smith said in a statement. "We need a new government structure with a clear focus and clear mission to protect Americans and increase public safety. The new Department of Homeland Security will fulfill that vital role."
Earlier this year, Smith said: "Until we secure our cyberinfrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives. A mouse can be just as dangerous as a bullet or a bomb." Smith heads a subcommittee on crime, which held hearings that drew endorsements of CSEA from a top Justice Department official and executives from Microsoft and WorldCom.
Citing privacy concerns, civil liberties groups have objected to portions of CSEA.
"There are a lot of different things to be concerned about, but preserving Fourth Amendment and wiretap standards continues to be a critical test of Congress' commitment of civil liberties," Marc Rotenberg, director of the Electronic Privacy Information Center, said Wednesday.
Rotenberg said that CSEA makes "ISPs more closely aligned with law enforcement interests than customer confidentiality interests. It may not be surprising, but it's not good news."
Democratic members of Congress said during Wednesday evening's floor debate that the Department of Homeland Security bill had been rushed to the floor without everyone having a chance to read it. They did not complain specifically about CSEA, which has already been approved near-unanimously by the House.
"We were given a massive new bill this morning that is being rushed through the House with no opportunity for debate," said Rep. Henry Waxman, D-Calif. "I doubt more than 10 people in Congress know (what's) in the bill."
House Majority Leader Dick Armey, R-Texas, replied by saying: "There seems to be a concern that the bill is being rushed to the floor...This was not rushed to the floor. We worked hard on it. We worked together on it."
What CSEA does
If approved by the Senate and signed by the president, who has called for a Department of Homeland Security, the law would:
• Promise up to life terms for computer intrusions that "recklessly" put others' lives at risk. A committee report accompanying the legislation predicts: "A terrorist or criminal cyberattack could further harm our economy and critical infrastructure. It is imperative that the penalties and law enforcement capabilities are adequate to prevent and deter such attacks."
• Permit limited surveillance without a court order when there is an "ongoing attack" on an Internet-connected computer or "an immediate threat to a national security interest." That kind of surveillance would, however, be limited to obtaining a suspect's telephone number, IP address, URLs or e-mail header information--not the contents of online communications or telephone calls. Under federal law, such taps can take place when there's a threat of "serious bodily injury to any person" or activity involving organized crime.
• Change current law, which says it's illegal for an Internet provider to "knowingly divulge" what users do except in some specific circumstances, such as when it's troubleshooting glitches, receiving a court order or tipping off police that a crime is in progress. CSEA expands that list to include when "an emergency involving danger of death or serious physical injury to any person requires disclosure of the information without delay."
• Specify that an existing ban on the "advertisement" of any device that is used primarily for surreptitious electronic surveillance applies to online ads. The prohibition now covers only a "newspaper, magazine, handbill or other publication."