Testimony: Senators Seek Protections from Attacks Aimed at Computers

28 March 2000

Senators Seek Protections from Attacks Aimed at Computers

Washington -- Computer attacks on some of the most well-known sites on the Worldwide Web in February made a dramatic statement about the potential vulnerability of the electronic infrastructure that has become so important in the U.S. economy. The U.S. Senate Judiciary Committee is looking at strategies that may create greater security and stronger response in the event of a cyber attack.

Republican Senator Jon Kyl from Arizona chaired a hearing on the issue March 28, calling the February attacks a "wake-up call about the need to protect our critical computer networks."

"Law enforcement must be equipped with the resources and authorities necessary to swiftly trace a cyber attack back to its source and appropriately prosecute them," Kyl said, asserting that punishment of attackers will serve as a deterrent to others.

Senator Kyl has introduced legislation to strengthen the power of law enforcement working to apprehend and prosecute a computer hacker. His bill would:

Further, Senator Kyl advocates a far-reaching awareness of the society's vulnerability to cyber attack. "We need to encourage or mandate individuals and systems' administrators to tap into the resources available to ensure their own security, and that of others connected to the Internet."

Following is the text of the statement as prepared for delivery:

(begin text)

Statement by U.S. Senator Jon Kyl (R-Arizona)
Chairman, Senate Judiciary Subcommittee on
Technology, Terrorism and Government Information

March 28, 2000

"Cyber Attack: Roadblocks to Investigation and Information Sharing"

The subcommittee will please come to order. Let me first welcome everyone to this hearing of the Subcommittee on Technology, Terrorism, and Government Information. Today, we will examine various roadblocks to the protection of our information systems from cyber attack. Using the recent denial of service attacks as a backdrop, we will discuss some of the things that inhibit swift investigation and prosecution of cyber crimes, and the sharing of vulnerability and threat information among the private sector and with organizations affiliated with the federal government. This is the sixth public hearing we have held in the past three years on the critical issue of securing our nation's information infrastructure, although the issue has received a great deal of attention recently.

The latest attacks on 8 well-known Internet sites like eBay, Yahoo, and CNN raised public awareness, and hopefully will serve as a wake-up call about the need to protect our critical computer networks. Uncertainty caused by the attacks contributed to a 258 point drop in the Dow Jones Industrial Average and halted a string of 3 days of consecutive record-high closes of the technology-laden Nasdaq Composite Index. As the New York Times noted in an editorial, "Just when Americans have begun to get accustomed to the pervasive influence of the Internet, a wave of anonymous assaults on Web Sites has roiled the stability of the newly emerging cyberworld." Although disruption to these sites was substantial, the damage did not even approach what it could have been, based on the Internet's known vulnerabilities.

Catching and punishing those who commit cyber crimes is essential for deterring future attacks. When a cyber attack occurs, it is not initially apparent whether the perpetrator is a mischievous teenager, a professional hacker, a terrorist group, or a hostile nation. Law enforcement must be equipped with the resources and authorities necessary to swiftly trace a cyber attack back to its source and appropriately prosecute them. Today, we will discuss some impediments to law enforcement in cyber space, and how the bill I recently introduced with Sen. Shumer would remove some of these impediments. In particular, this bill would: modify trap and trace authority so law enforcement will no longer need to obtain a warrant in every jurisdiction through which a cyber attack traveled; remove the current $5000 minimum in damages for a case to be considered for federal prosecution; remove the current 6 month minimum sentence for cyber crimes that has led to lesser serious attacks not being prosecuted; and allows youths 15 or older to be considered for federal prosecution for committing serious computer crimes.

These recent attacks also illustrated one crucial point that must be understood when dealing with securing the information infrastructure: We are only as strong as our weakest link. If only one sector of society heeds warnings and fixes computer vulnerabilities, that is not enough. The cyber criminal, terrorist, or enemy nation will search for another sector that has ignored warnings and not used proper computer security. The February denial of service attackers first infected university computers with programs that then launched massive amounts of invalid inquiries to the victims, shutting them down to legitimate customers. Computer capacity is increasing so rapidly that individuals with personal computers at home and work can now be used for similar types of attacks. We must examine the best way to secure all parts of our information infrastructure from attack. In order to do that, all individuals, businesses, and agencies with computers must get serious about security.

Last Fall, Carnegie Mellon University's Computer Emergency Response Team posted warnings about these types of denial of service attacks. The FBI's National Infrastructure Protection Center (NIPC) also posted warnings, and even provided a tool for anyone to download to check if their system was infected with the attack program. Many people heeded those warnings and used the tool, but not enough to prevent the attacks from occurring. We need to encourage or mandate individuals and systems administrators to tap into the resources available to ensure their own security, and that of others connected to the Internet.

Finally, overall protection from attack necessitates that information about cyber vulnerabilities, threats, and attacks be communicated among companies, and with government agencies. Cooperation among competitors, while adhering to anti-trust laws must be considered when trying to create Information Sharing and Analysis Centers (ISACs) in each portion of the private sector. Additionally, the Freedom of Information Act may need to be updated to encourage companies to share information with the federal government. Communication is crucial for protection, and these roadblocks must be removed.

Our witnesses are well suited to address these issues. Mr. Louis Freeh, Director of the FBI, will discuss limitations to effective investigation and prosecution of cyber crimes under current law. He will explain how the Shumer-Kyl Bill brings some provisions of current law into the Computer Age. On our second panel, Mr. Rich Pethia, Director of the Computer Emergency Response Team (CERT) at Carnegie-Mellon University will testify about CERT's role in analysis of computer vulnerabilities and better ways of "getting the word out" and ensuring warnings are heeded. Mr. Harris Miller, President of the Information Technology Association of America, will present industry's perspective on impediments to information sharing of threats and vulnerabilities among private sector companies and government agencies.

(end text)