Since the advent of modern-day computing and the internet, cybercrime and cyber security have become increasingly important issues. Cybercrime, which includes unauthorized access to computer networks, theft of documents and information, damage to computer infrastructures, and computer espionage, is borderless and almost always anonymous.

Today, governments, not individuals, commit most of the world’s cybercrime. For example, the computer systems of financial institutions and governmental agencies in South Korea were targeted in a damaging cyber-attack on March 20, 2013, which was believed to have been carried out by the North Korean government. Iran has been a victim of recurring cyber-attacks, including the infamous 2010 Stuxnet virus allegedly created by the United States and Israel, which destroyed several centrifuges used for Iran’s nuclear enrichment program. And, of course, the United States is a frequent target of Chinese hackers, who are purportedly working out of a government building in one of China’s military compounds.

Within the United States, the Federal Computer Fraud and Abuse Act (“CFAA”), codified as 18 U.S.C. § 1030, governs almost all computer-related crime, especially as it relates to federal computer systems, national security, business and financial computer systems, and computers used in interstate or foreign commerce.

Internationally, the Council of Europe’s 2001 Convention on Cybercrime has worked to standardize domestic cybercrime laws among nations and increase international cooperation to prosecute cybercrime. Currently, forty-three countries have signed the treaty and sixteen have ratified it, including the United States in 2006.

With the reality that most cybercrime occurs at the national level, the law attempts to curtail damaging cyber-attacks with extremely harsh punishments, although it is plainly obvious that governments will never admit guilt, let alone turn over the responsible individuals.

Unfortunately, then, the scrutiny of laws like the CFAA sometimes falls on individuals whose crimes should not be within the scope of those laws, but which fall under no other applicable statute. The most prominent example of this is the recent Aaron Swartz incident. Aaron, a computer prodigy and co-creator of the RSS tool, committed suicide this year after he was indicted on multiple counts of wire and computer fraud and faced up to 35 years in prison and $1 million in fines for hacking into the Massachusetts Institute of Technology’s JSTOR database. Aaron downloaded nearly all of the 4.8 million documents from the subscription-only service, which distributes literary and scientific articles. While what Aaron did was undoubtedly against the law, people have been left wondering if the punishment didn’t seriously outweigh the crime.

In the United States, some, like the Electronic Frontier Foundation, are proposing more lenient sentencing requirements, such as reducing cybercrime from a felony to a misdemeanor and distinguishing cybercrimes that don’t affect federal computer systems or threaten national security from those only affecting commerce.  However, these changes will likely not occur anytime soon as the most recent proposed amendment to the CFAA includes increasing the recommended sentence from 5 to 20 years and broadening the scope of the statute beyond what many already think is overreaching. 

While it is uncontroverted that cyber-attacks pose a serious threat, current domestic and international laws are of no assistance against large-scale, government-organized cyber-attacks, and their overinflated punishments, such as those of the CFAA, can inflict unnecessary suffering on individuals who have no malicious intent, like Aaron Swartz. The law should be reformed in recognition of the reality that much of the cybercrime we’d like to curtail today is simply outside the boundaries of law, in a realm where there are no rules of fair play and where cybercrime has become cyber warfare.