Statement of Senator Patrick Leahy
Ranking Member, Senate Committee on the Judiciary Subcommittee on
Technology, Terrorism and Government Information
Hearing on "Cyber Attacks: Removing Roadblocks to Investigation and
Information Sharing"
March 28, 2000

As we head into the twenty-first century, computer-related crime is
one of the greatest challenges facing law enforcement. Many of our
critical infrastructures and our government depend upon the
reliability and security of complex computer systems. We need to make
sure that these essential systems are protected from all forms of
attack.

Whether we work in the private sector or in government, we negotiate
daily through a variety of security checkpoints designed to protect
ourselves from being victimized by crime or targeted by terrorists.
For instance, Congressional buildings like this one use cement pillars
placed at entrances, photo identification cards, metal detectors,
x-ray scanners and security guards to protect the physical space.
These security steps and others have become ubiquitous in the private
sector as well.

Yet all these physical barriers can be circumvented using the wires
that run into every building to support the computers and computer
networks that are the mainstay of how we communicate and do business.
This plain fact was amply demonstrated by the recent hacker attacks on
E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet
sites. These attacks raise serious questions about Internet security -
questions that we need to answer to ensure the long-term stability of
electronic commerce. More importantly, a well-focused and more malign
cyber-attack on computer networks that support telecommunications,
transportation, water supply, banking, electrical power and other
critical infrastructure systems could wreak havoc on our national
economy or even jeopardize our national defense. We have learned that
even law enforcement is not immune. Last month we learned of a denial
of service attack successfully perpetrated against an FBI web site,
shutting down that site for several hours.

The cyber crime problem is growing. The reports of the CERT
Coordination Center (formerly called the "Computer Emergency Response
Team"), which was established in 1988 to help the Internet community
detect and resolve computer security incidents, provide chilling
statistics on the vulnerabilities of the Internet and the scope of the
problem. Over the last decade, the number of reported computer
security incidents grew from 6 in 1988 to more than 8,000 in 1999. But
that alone does not reveal the scope of the problem. According to
CERT's most recent annual report, more than four million computer
hosts were affected by computer security incidents in 1999 alone by
damaging computer viruses, with names like "Melissa," "Chernobyl,"
"ExploreZip," and by other ways that remote intruders have found to
exploit system vulnerabilities. Even before the recent
headline-grabbing "denial-of-service" attacks, CERT documented that
such incidents "grew at a rate around 50% per year" which was "greater
than the rate of growth of Internet hosts."

CERT has tracked recent trends in severe hacking incidents on the
Internet and made the following observations. First, hacking
techniques are getting more sophisticated. That means law enforcement
is going to have to get smarter too, and we need to give them the
resources to do this. Second, hackers have "become increasingly
difficult to locate and identify." These criminals are operating in
many different locations and are using techniques that allow them to
operate in "nearly total obscurity."

I commend the FBI Director for establishing the Pittsburgh High Tech
Computer Crimes Task Force to take advantage of the technical
expertise at CERT to both solve and prevent newly emerging forms of
computer network attacks. Senator Hatch and I are working together on
legislation that would encourage the development of such regional task
forces.

Cyber crime is not a new problem. We have been aware of the
vulnerabilities to terrorist attacks of our computer networks for more
than a decade. It became clear to me, when I chaired a series of
hearings in 1988 and 1989 by the Subcommittee on Technology and the
Law in the Senate Judiciary Committee on the subject of high-tech
terrorism and the threat of computer viruses, that merely "hardening"
our physical space from potential attack would only prompt committed
criminals and terrorists to switch tactics and use new technologies to
reach vulnerable softer targets, such as our computer systems and
other critical infrastructures. The government has a responsibility to
work with those in the private sector to assess those vulnerabilities
and defend them. That means making sure our law enforcement agencies
have the tools they need, but also that the government does not stand
in the way of smart technical solutions to defend our computer
systems.

Encryption helps prevent cyber crime. That is why, for years, I have
advocated and sponsored legislation to encourage the widespread use of
strong encryption. Encryption is an important tool in our arsenal to
protect the security of our computer information and networks. The
Administration made enormous progress when it issued new regulations
relaxing export controls on strong encryption. Of course, encryption
technology cannot be the sole source of protection for our critical
computer networks and computer-based infrastructure, but we need to
make sure the government is encouraging -- and not restraining -- the
use of strong encryption and other technical solutions to protecting
our computer systems.

The private sector must assume primary responsibility for protecting
its computer systems. Targeting cyber crime with up-to-date criminal
laws and tougher law enforcement is only part of the solution. While
criminal penalties may deter some computer criminals, these laws
usually come into play too late, after the crime has been committed
and the injury inflicted. We should keep in mind the adage that the
best defense is a good offense. Americans and American firms must be
encouraged to take preventive measures to protect their computer
information and systems. Just recently, internet providers and
companies such as Yahoo! and Amazon.com Inc., and computer hardware
companies such as Cisco Systems Inc., proved successful at stemming
attacks within hours thereby limiting losses.

Prior legislative efforts were designed to deter cyber crime. Congress
has responded again and again to help our law enforcement agencies
keep up with the challenges of new crimes being executed over computer
networks. In 1984, we passed the Computer Fraud and Abuse Act, and its
amendments, to criminalize conduct when carried out by means of
unauthorized access to a computer. In 1986, we passed the Electronic
Communications Privacy Act (ECPA), which I was proud to sponsor, to
criminalize tampering with electronic mail systems and remote data
processing systems and to protect the privacy of computer users. In
the 104th Congress, Senators Kyl, Grassley and I worked together to
enact the National Information Infrastructure Protection Act to
increase protection under federal criminal law for both government and
private computers, and to address an emerging problem of computer-age
blackmail in which a criminal threatens to harm or shut down a
computer system unless their extortion demands are met.

In this Congress, I have introduced a bill with Senator DeWine, the
Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant
program within the U.S. Department of Justice for states to tap for
improved education, training, enforcement and prosecution of computer
crimes. All 50 states have now enacted tough computer crime control
laws. These state laws establish a firm groundwork for electronic
commerce and Internet security. Unfortunately, too many state and
local law enforcement agencies are struggling to afford the high cost
of training and equipment necessary for effective enforcement of their
state computer crime statutes. Our legislation, the Computer Crime
Enforcement Act, as well as the legislation that Senator Hatch and I
are crafting, would help state and local law enforcement join the
fight to combat the worsening threats we face from computer crime.

Our computer crime laws must be kept up-to-date as an important
backstop and deterrent. I believe that our current computer crime laws
can be enhanced and that the time to act is now. We should pass
legislation designed to improve our law enforcement efforts while at
the same time protecting the privacy rights of American citizens. Such
legislation should make it more efficient for law enforcement to use
tools that are already available - such as pen registers and trap and
trace devices - to track down computer criminals expeditiously. It
should ensure that law enforcement can investigate and prosecute
hacker attacks even when perpetrators use foreign-based computers to
facilitate their crimes. It should implement criminal forfeiture
provisions to ensure that hackers are forced to relinquish the tools
of their trade upon conviction. It should also close a current
loophole in our wiretap laws that prevents a law enforcement officer
from monitoring an innocent-host computer with the consent of the
computer's owner and without a wiretap order to track down the source
of denial-of-service attacks. Finally, such legislation should assist
state and local police departments in their parallel efforts to combat
cyber crime, in recognition of the fact that this fight is not just at
the federal level.

I have been working with Senator Hatch on legislation to accomplish
all of these goals and look forward to discussing these proposals with
law enforcement and industry leaders.

Civil Fraud Laws May Also Need Strengthening. There is no question
that fraud is one of the most pressing problems facing the Internet.
According to the Director of the FBI, frauds have tainted Internet
sales of merchandise, auctions, sweepstakes and business opportunities
and the North American Securities Administrators Association estimates
that Internet-related stock fraud alone results in billions of dollars
of loss to investors each year. I understand that the FBI and the
National White Collar Crime Center are jointly sponsoring the Internet
Fraud Complaint Center, which will help assist in the investigation of
fraudulent schemes on the Internet and will compile data on
cyber-frauds. I applaud this endeavor.

In looking for ways to combat Internet fraud, we should consider
whether the Justice Department's authority to use civil enforcement
mechanisms against those engaged in frauds on the Internet should be
enhanced.

Legislation must be balanced to protect our privacy and other
constitutional rights. I am a strong proponent of the Internet and a
defender of our constitutional rights to speak freely and to keep
private our confidential affairs from either private sector snoops or
unreasonable government searches. These principles can be respected at
the same time we hold accountable those malicious mischief makers and
digital graffiti sprayers, who use computers to damage or destroy the
property of others. I have seen Congress react reflexively in the past
to address concerns over anti-social behavior on the Internet with
legislative proposals that would do more harm than good. A good
example of this is the Communications Decency Act, which the Supreme
Court declared unconstitutional. We must make sure that our
legislative efforts are precisely targeted on stopping destructive
acts and that we avoid scattershot proposals that would threaten,
rather than foster, electronic commerce and sacrifice, rather than
promote, our constitutional rights.

Technology has ushered in a new age filled with unlimited potential
for commerce and communications. But the Internet age has also ushered
in new challenges for federal, state and local law enforcement
officials. Congress and the Administration need to work together to
meet these new challenges while preserving the benefits of our new
era.

I thank Senators Kyl, Feinstein and Schumer for thei