30 March 2000
Source:
http://www.usia.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=00032902.glt&t=/products/washfile/newsitem.shtml
US Department of State
International Information Programs
Washington File
_________________________________
29 March 2000
(Advocates stronger weapons to fight computer crime)(2170)

Convinced that attacks against important computer systems are bound to increase, Democratic Senator Patrick Leahy from Vermont is urging his fellow lawmakers to take effective action to enhance laws against computer crime.

Speaking at a Senate Judiciary Committee hearing on cyber attacks March 28, Leahy said, "Computer-related crime is one of the greatest challenges facing law enforcement."

Citing statistics compiled by the Computer Emergency Response Team (CERT) Coordination Center, an agency focused on computer security issues, Leahy said "four million computer hosts were affected by computer security incidents in 1999 alone by damaging computer viruses."

Leahy and other senators present at the hearing also cited the well-publicized February attacks on popular Worldwide Web sites such as Yahoo, eBay, Amazon.com and others.

The Vermont Democrat has introduced legislation that would apply a number of strategies to cyber crime:

-- improve education and training for law enforcement working for prosecution of computer crimes;
-- expand investigative jurisdiction for agencies pursuing a cyber criminal;
-- impose forfeiture provisions so cyber criminals would be forced to relinquish their equipment.

At the same time he urged action in this arena, Senator Leahy cautioned his colleagues about passing legislation that "would do more harm than good." He continued, "We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights."

Following is the text as prepared for delivery:

(begin text)

Statement of Senator Patrick Leahy
Ranking Member, Senate Committee on the Judiciary Subcommittee on Technology, Terrorism and Government Information
Hearing on "Cyber Attacks: Removing Roadblocks to Investigation and Information Sharing"
March 28, 2000

As we head into the twenty-first century, computer-related crime is one of the greatest challenges facing law enforcement. Many of our critical infrastructures and our government depend upon the reliability and security of complex computer systems. We need to make sure that these essential systems are protected from all forms of attack.

Whether we work in the private sector or in government, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists. For instance, Congressional buildings like this one use cement pillars placed at entrances, photo identification cards, metal detectors, x-ray scanners and security guards to protect the physical space. These security steps and others have become ubiquitous in the private sector as well.

Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we communicate and do business. This plain fact was amply demonstrated by the recent hacker attacks on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet sites. These attacks raise serious questions about Internet security - questions that we need to answer to ensure the long-term stability of electronic commerce. More importantly, a well-focused and more malign cyber-attack on computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense.

We have learned that even law enforcement is not immune. Last month we learned of a denial of service attack successfully perpetrated against an FBI web site, shutting down that site for several hours.

The cyber crime problem is growing.

The reports of the CERT Coordination Center (formerly called the "Computer Emergency Response Team"), which was established in 1988 to help the Internet community detect and resolve computer security incidents, provide chilling statistics on the vulnerabilities of the Internet and the scope of the problem. Over the last decade, the number of reported computer security incidents grew from 6 in 1988 to more than 8,000 in 1999. But that alone does not reveal the scope of the problem. According to CERT's most recent annual report, more than four million computer hosts were affected by computer security incidents in 1999 alone by damaging computer viruses, with names like "Melissa," "Chernobyl," "ExploreZip," and by other ways that remote intruders have found to exploit system vulnerabilities. Even before the recent headline-grabbing "denial-of-service" attacks, CERT documented that such incidents "grew at a rate around 50% per year" which was "greater than the rate of growth of Internet hosts."

CERT has tracked recent trends in severe hacking incidents on the Internet and made the following observations. First, hacking techniques are getting more sophisticated. That means law enforcement is going to have to get smarter too, and we need to give them the resources to do this. Second, hackers have "become increasingly difficult to locate and identify." These criminals are operating in many different locations and are using techniques that allow them to operate in "nearly total obscurity."

I commend the FBI Director for establishing the Pittsburgh High Tech Computer Crimes Task Force to take advantage of the technical expertise at CERT to both solve and prevent newly emerging forms of computer network attacks. Senator Hatch and I are working together on legislation that would encourage the development of such regional task forces.

Cyber crime is not a new problem.

We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1989 by the Subcommittee on Technology and the Law in the Senate Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely "hardening" our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government has a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems.

Encryption helps prevent cyber crime.

That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging -- and not restraining -- the use of strong encryption and other technical solutions to protecting our computer systems.

The private sector must assume primary responsibility for protecting its computer systems.

Targeting cyber crime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. Just recently, internet providers and companies such as Yahoo! and Amazon.com Inc., and computer hardware companies such as Cisco Systems Inc., proved successful at stemming attacks within hours thereby limiting losses.

Prior legislative efforts were designed to deter cyber crime.

Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met.

In this Congress, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, as well as the legislation that Senator Hatch and I are crafting, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime.

Our computer crime laws must be kept up-to-date as an important backstop and deterrent.

I believe that our current computer crime laws can be enhanced and that the time to act is now. We should pass legislation designed to improve our law enforcement efforts while at the same time protecting the privacy rights of American citizens.

Such legislation should make it more efficient for law enforcement to use tools that are already available - such as pen registers and trap and trace devices - to track down computer criminals expeditiously. It should ensure that law enforcement can investigate and prosecute hacker attacks even when perpetrators use foreign-based computers to facilitate their crimes. It should implement criminal forfeiture provisions to ensure that hackers are forced to relinquish the tools of their trade upon conviction. It should also close a current loophole in our wiretap laws that prevents a law enforcement officer from monitoring an innocent-host computer with the consent of the computer's owner and without a wiretap order to track down the source of denial-of-service attacks. Finally, such legislation should assist state and local police departments in their parallel efforts to combat cyber crime, in recognition of the fact that this fight is not just at the federal level.

I have been working with Senator Hatch on legislation to accomplish all of these goals and look forward to discussing these proposals with law enforcement and industry leaders.

Civil Fraud Laws May Also Need Strengthening.

There is no question that fraud is one of the most pressing problems facing the Internet. According to the Director of the FBI, frauds have tainted Internet sales of merchandise, auctions, sweepstakes and business opportunities and the North American Securities Administrators Association estimates that Internet-related stock fraud alone results in billions of dollars of loss to investors each year. I understand that the FBI and the National White Collar Crime Center are jointly sponsoring the Internet Fraud Complaint Center, which will help assist in the investigation of fraudulent schemes on the Internet and will compile data on cyber-frauds. I applaud this endeavor.

In looking for ways to combat Internet fraud, we should consider whether the Justice Department's authority to use civil enforcement mechanisms against those engaged in frauds on the Internet should be enhanced.

Legislation must be balanced to protect our privacy and other constitutional rights.

I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can be respected at the same time we hold accountable those malicious mischief makers and digital graffiti sprayers, who use computers to damage or destroy the property of others. I have seen Congress react reflexively in the past to address concerns over anti-social behavior on the Internet with legislative proposals that would do more harm than good. A good example of this is the Communications Decency Act, which the Supreme Court declared unconstitutional. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights.

Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress and the Administration need to work together to meet these new challenges while preserving the benefits of our new era.

I thank Senators Kyl, Feinstein and Schumer for their attention to this important issue.

(end text)
29 March 2000
(Senators seek protections from attacks aimed at computers)(1190)

Computer attacks on some of the most well-known sites on the Worldwide Web in February made a dramatic statement about the potential vulnerability of the electronic infrastructure that has become so important in the U.S. economy. The U.S. Senate Judiciary Committee is looking at strategies that may create greater security and stronger response in the event of a cyber attack.

Republican Senator Jon Kyl from Arizona chaired a hearing on the issue March 28, calling the February attacks a "wake-up call about the need to protect our critical computer networks."

"Law enforcement must be equipped with the resources and authorities necessary to swiftly trace a cyber attack back to its source and appropriately prosecute them," Kyl said, asserting that punishment of attackers will serve as a deterrent to others.

Senator Kyl has introduced legislation to strengthen the power of law enforcement working to apprehend and prosecute a computer hacker. His bill would:

-- increase police powers to follow the trail of a computer attacker;
-- lower the threshold of damages for federal prosecution of a particular cyber attack;
-- allow youths 15 or older to be tried as adults for computer-related crime.

Further, Senator Kyl advocates a far-reaching awareness of the society's vulnerability to cyber attack. "We need to encourage or mandate individuals and systems' administrators to tap into the resources available to ensure their own security, and that of others connected to the Internet."

Following is the text of the statement as prepared for delivery:

(begin text)

Statement by U.S. Senator Jon Kyl (R-Arizona)
Chairman, Senate Judiciary Subcommittee on Technology, Terrorism and Government Information
March 28, 2000
"Cyber Attack: Roadblocks to Investigation and Information Sharing"

The subcommittee will please come to order. Let me first welcome everyone to this hearing of the Subcommittee on Technology, Terrorism, and Government Information. Today, we will examine various roadblocks to the protection of our information systems from cyber attack. Using the recent denial of service attacks as a backdrop, we will discuss some of the things that inhibit swift investigation and prosecution of cyber crimes, and the sharing of vulnerability and threat information among the private sector and with organizations affiliated with the federal government.

This is the sixth public hearing we have held in the past three years on the critical issue of securing our nation's information infrastructure, although the issue has received a great deal of attention recently. The latest attacks on 8 well-known Internet sites like eBay, Yahoo, and CNN raised public awareness, and hopefully will serve as a wake-up call about the need to protect our critical computer networks. Uncertainty caused by the attacks contributed to a 258 point drop in the Dow Jones Industrial Average and halted a string of 3 days of consecutive record-high closes of the technology-laden Nasdaq Composite Index. As the New York Times noted in an editorial, "Just when Americans have begun to get accustomed to the pervasive influence of the Internet, a wave of anonymous assaults on Web Sites has roiled the stability of the newly emerging cyberworld." Although disruption to these sites was substantial, the damage did not even approach what it could have been, based on the Internet's known vulnerabilities.

Catching and punishing those who commit cyber crimes is essential for deterring future attacks. When a cyber attack occurs, it is not initially apparent whether the perpetrator is a mischievous teenager, a professional hacker, a terrorist group, or a hostile nation. Law enforcement must be equipped with the resources and authorities necessary to swiftly trace a cyber attack back to its source and appropriately prosecute them. Today, we will discuss some impediments to law enforcement in cyber space, and how the bill I recently introduced with Sen. Schumer would remove some of these impediments. In particular, this bill would: modify trap and trace authority so law enforcement will no longer need to obtain a warrant in every jurisdiction through which a cyber attack traveled; remove the current $5000 minimum in damages for a case to be considered for federal prosecution; remove the current 6 month minimum sentence for cyber crimes that has led to less serious attacks not being prosecuted; and allow youths 15 or older to be considered for federal prosecution for committing serious computer crimes.

These recent attacks also illustrated one crucial point that must be understood when dealing with securing the information infrastructure: We are only as strong as our weakest link. If only one sector of society heeds warnings and fixes computer vulnerabilities, that is not enough. The cyber criminal, terrorist, or enemy nation will search for another sector that has ignored warnings and not used proper computer security. The February denial of service attackers first infected university computers with programs that then launched massive amounts of invalid inquiries to the victims, shutting them down to legitimate customers. Computer capacity is increasing so rapidly that individuals with personal computers at home and work can now be used for similar types of attacks. We must examine the best way to secure all parts of our information infrastructure from attack.

In order to do that, all individuals, businesses, and agencies with computers must get serious about security. Last Fall, Carnegie Mellon University's Computer Emergency Response Team posted warnings about these types of denial of service attacks. The FBI's National Infrastructure Protection Center (NIPC) also posted warnings, and even provided a tool for anyone to download to check if their system was infected with the attack program. Many people heeded those warnings and used the tool, but not enough to prevent the attacks from occurring. We need to encourage or mandate individuals and systems administrators to tap into the resources available to ensure their own security, and that of others connected to the Internet.

Finally, overall protection from attack necessitates that information about cyber vulnerabilities, threats, and attacks be communicated among companies, and with government agencies. Cooperation among competitors, while adhering to anti-trust laws, must be considered when trying to create Information Sharing and Analysis Centers (ISACs) in each portion of the private sector. Additionally, the Freedom of Information Act may need to be updated to encourage companies to share information with the federal government. Communication is crucial for protection, and these roadblocks must be removed.

Our witnesses are well suited to address these issues. Mr. Louis Freeh, Director of the FBI, will discuss limitations to effective investigation and prosecution of cyber crimes under current law. He will explain how the Schumer-Kyl Bill brings some provisions of current law into the Computer Age. On our second panel, Mr. Rich Pethia, Director of the Computer Emergency Response Team (CERT) at Carnegie-Mellon University will testify about CERT's role in analysis of computer vulnerabilities and better ways of "getting the word out" and ensuring warnings are heeded. Mr. Harris Miller, President of the Information Technology Association of America, will present industry's perspective on impediments to information sharing of threats and vulnerabilities among private sector companies and government agencies.

(end text)