A bipartisan bill introduced by Senator Mike Rounds (R-SD) and Senator Kirsten Gillibrand (D-NY) aims to increase punishment for cybercrimes. This bill, the Cyber Conspiracy Modernization Act (CCMA), seeks to modify the Computer Fraud and Abuse Act (CFAA) in order to enact a penalty for conspiracy and strengthen penalties for offenders. This bill was introduced in as a set, joined by the Providing Individuals Various Opportunities for Technical Training to Build a Skills-Based Cyber Workforce Act of 2025 (Cyber PIVOTT Act), which would offer scholarships for students and professionals in cyber-related fields. 

What would this law look like in practice? Casey Ellis, Founder at Bugcrowd, has insights to share. 

Ellis shares, “The Cyber Conspiracy Modernization Act (CCMA) would increase the penalties under the Computer Fraud and Abuse Act (CFAA) and add a specific penalty for conspiracy to commit computer crime.

“While it’s important to be able to prosecute bad actors, broad and ambiguous anti-hacking laws, such as the CFAA (which was written in 1986 and last amended in 2008) create a chilling effect for security researchers operating in good faith. These helpful hackers form a vital part of the defensive cybersecurity workforce and, in many ways, act as ‘The Internet’s Immune System.’

“If the past 15 years have demonstrated anything, it’s that cyber attackers (especially those in other countries) are largely undeterred by these laws. Adding conspiracy provisions broadens these already ambiguous laws, and increasing the penalties adds more weight to the chilling effect, which ultimately decreases the availability and willingness of those best positioned to help. It’s worth noting that the CCMA was released alongside the Cyber PIVOTT Act, which is explicitly designed to bolster the talent pipeline for cyber defense.

“Put that all together, and you’ve got proposed legislation that returns a known-bad outcome for the good guys and their ability to help protect the Internet, in exchange for a deterrent effect on the bad guys that is speculative at best.

“I understand what Senator Rounds and Senator Gillibrand are trying to do here — deterrence and the ability to prosecute actual cybercriminals are important components of the cyber policy ecosystem.

“Here’s the good news: The opportunity here lies in the fact that modernizing the CFAA itself is long overdue. It would be amazing to see this legislative proposal expanded to include carve-outs for security research conducted in good faith and in the interest of a more resilient Internet — along the lines of the DOJ charging rule guidelines, the SCOTUS Van Buren ruling, and/or Aaron’s Law. There is plenty of established legal language that can make the CFAA more powerful against actual criminals and enemies of the state while removing existing doubts about who the bad guys really are.

“My recommendations:

1. “Contact your Senator. 
2. Let them know your concerns about this Bill.
3. Tell them how you use your skills to make the Internet safer for everyone, including them and their constituents.
4. Recommend the inclusion of carve-outs for good faith security research into the CFAA as a part of the Cyber Conspiracy Modernization Act.”

“Meanwhile, Bugcrowd and the Hacking Policy Council stand ready to partner with Senator Rounds and Senator Gillibrand to find safe and effective ways to establish a bright line between virtuous research and criminal activity.”

https://www.securitymagazine.com/articles/101383-cyber-conspiracy-modernization-act-proposed-cyber-expert-weighs-in