COLUMBUS, Ohio (WJW) — State Representative Brian Baldridge's bill overhauls computer crimes for the State of Ohio. It moves a number of currently prohibited activities to a new section and creates additional crimes that can be charged. Many of the penalties of these crimes are currently listed as 3rd degree felonies and are geared for black hats and cracking in general.
Black hats are individuals who break into systems seeking personal gain; white hats do so to expose weaknesses in order to notify and benefit system owners.
The bill received its second hearing in the Ohio House of Representatives Thursday.
Cory Fleming, with the Ohio Credit Union League, testified in favor of the bill explaining to lawmakers on the committee that it would help prosecutors charge bad actors with crimes and protect Ohioans data.
Fleming used an example of how one of the credit unions in his association was the victim of a cyber attack that was allegedly traced back to a former employee of that business.
When they were told there was nothing that could be done about the attack, because it failed, they reached out to Baldridge to see what he could do about things like that. His bill stemmed from there.
Currently, the bill does not have the support of the Ohio Prosecuting Attorneys Association. It may in the future, but for now, they neither support or oppose it.
"I think it is an area of the law where technology has probably outpaced the revised code, so I think we feel like an update is probably warranted," said Lou Tobin, executive director of the Ohio Prosecuting Attorneys Association. "But we have questions about the enforceability of it and I think the proportionality of some of the penalties to the harm."
Part of the problem with enforcing the bill is cracking can be done from anywhere in the world.
"If you've got a Russian hacker attacking an Ohio financial institution there is probably not much a county prosecutor is gonna be able to do, but it's still helpful to have a tool for the situation where the person is sitting in Ohio," said Tobin.
While the bill was originally designed to benefit financial institutions, the way it was written also covers personal computers in residential homes.
However, the same problems apply. The source of attacks on residential computers are not usually from down the street or even the next town over.
Phishing scams, malware granting backdoor access, trojan horses, worms, all of these things can originate outside of Ohio's borders making this bill useless in going after those individuals.
Even if the attack comes from within the United States, Tobin isn't sure a county would want to pay to extradite an individual here to Ohio to face charges.
Which brings me to his other concern; penalties.
Should simply breaking into a system be treated the same as taking something when you are there?
That is the root of the question lawmakers will have to wrestle with as the bill currently treats most crimes as 3rd degree felonies; which in an of themselves are no joke, carrying mandatory prison time.
Add to that the difficulty of proving intent, which is something prosecutors will have to do with the crimes outlined in this bill, and you have another concern from Tobin.
The bill has just begun its legislative journey and has a long way to go before it reaches the Governor's desk.