The set of laws that has allowed federal prosecutors to bring down traditional organized crime gangs should be applied to international cyber crime rings, a top Department of Justice official told a congressional committee on Nov. 15. The recommendation was one of several changes to the Computer Fraud and Abuse Act (CFAA) that DoJ Deputy Section Chief Richard Downing proposed during a House Judiciary Subcommittee on Crime, Terrorism and Homeland Security hearing on cyber security's new frontiers. The committee is considering updating the law.

Downing said the CFAA should be modified so that offenses under it can be charged under the Racketeer Influenced and Corrupt Organizations Act (RICO). RICO extends penalties for crimes committed by organizations and allows the leaders of organized crime groups to be tried for the crimes they order subordinates to carry out. The change, said Downing, is needed because advancing computer technology has become a substantial tool for organized crime. Downing said "criminal organizations are operating today around the world to: hack into public and private computer systems, including systems key to national security and defense; hijack computers for the purpose of stealing identity and financial information; extort lawful businesses with threats to disrupt computers; and commit a range of other cyber crimes." The organizations, he added, are closely tied to traditional Asian and Eastern European crime organizations. Downing said RICO has been used successfully over the years to bring down "mob bosses to Hells Angels to insider traders" and would be effective in the fight against organized cyber criminals.

Downing also recommended that the CFAA's complex sentencing provisions be streamlined and simplified, and that some maximum sentences be increased to reflect the severity of certain cyber crimes. Prosecutors should also be given more latitude in pursuing the theft of passwords, user names and login credentials.

Downing proposed that the CFAA cover not only password theft but also the theft of other authentication methods that confirm a user's identity, including biometric data, single-use passcodes and smart cards. It should also cover login credentials used to access any "protected" computer (a term the statute defines quite broadly), not just government systems or computers at financial institutions, he said.