Electronic Communications |
|
29 March 2000 Senator Leahy Advocates stronger weapons to fight computer crimeConvinced that attacks against important computer systems are bound to increase, Democratic Senator Patrick Leahy from Vermont is urging his fellow lawmakers to take effective action to enhance laws against computer crime. Speaking at a Senate Judiciary Committee hearing on cyber attacks March 28, Leahy said, "Computer-related crime is one of the greatest challenges facing law enforcement." Citing statistics compiled by the Computer Emergency Response Team (CERT) Coordination Center, an agency focused on computer security issues, Leahy said "four million computer hosts were affected by computer security incidents in 1999 alone by damaging computer viruses." Leahy and other senators present at the hearing also cited the well-publicized February attacks on popular Worldwide Web sites such as Yahoo, eBay, Amazon.com and others. The Vermont Democrat has introduced legislation that would apply a number of strategies to cyber crime:
Statement of Senator Patrick Leahy Ranking Member Senate Committee on the Judiciary Subcommittee on Technology, Terrorism and Government Information "Cyber Attacks: Removing Roadblocks to Investigation and Information Sharing" March 28, 2000 As we head into the twenty-first century, computer-related crime is one of the greatest challenges facing law enforcement. Many of our critical infrastructures and our government depend upon the reliability and security of complex computer systems. We need to make sure that these essential systems are protected from all forms of attack. Whether we work in the private sector or in government, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists. For instance, Congressional buildings like this one use cement pillars placed at entrances, photo identification cards, metal detectors, x-ray scanners and security guards to protect the physical space. These security steps and others have become ubiquitous in the private sector as well. Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we communicate and do business. This plain fact was amply demonstrated by the recent hacker attacks on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet sites. These attacks raise serious questions about Internet security - questions that we need to answer to ensure the long-term stability of electronic commerce. More importantly, a well-focused and more malign cyber-attack on computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense. We have learned that even law enforcement is not immune. Last month we learned of a denial of service attack successfully perpetrated against a FBI web site, shutting down that site for several hours. The cyber crime problem is growing. The reports of the CERT Coordination Center (formerly called the "Computer Emergency Response Team"), which was established in 1988 to help the Internet community detect and resolve computer security incidents, provide chilling statistics on the vulnerabilities of the Internet and the scope of the problem. Over the last decade, the number of reported computer security incidents grew from 6 in 1988 to more than 8,000 in 1999. But that alone does not reveal the scope of the problem. According to CERT's most recent annual report, more than four million computer hosts were affected by computer security incidents in 1999 alone by damaging computer viruses, with names like "Melissa," "Chernobyl," "ExploreZip," and by other ways that remote intruders have found to exploit system vulnerabilities. Even before the recent headline-grabbing "denial-of-service" attacks, CERT documented that such incidents "grew at a rate around 50% per year" which was "greater than the rate of growth of Internet hosts." CERT has tracked recent trends in severe hacking incidents on the Internet and made the following observations. First, hacking techniques are getting more sophisticated. That means law enforcement is going to have to get smarter too, and we need to give them the resources to do this. Second, hackers have "become increasingly difficult to locate and identify." These criminals are operating in many different locations and are using techniques that allow them to operate in "nearly total obscurity." I commend the FBI Director for establishing the Pittsburgh High Tech Computer Crimes Task Force to take advantage of the technical expertise at CERT to both solve and prevent newly emerging forms of computer network attacks. Senator Hatch and I are working together on legislation that would encourage the development of such regional task forces. Cyber crime is not a new problem. We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1989 by the Subcommittee on Technology and the Law in the Senate Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely "hardening" our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government has a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems. Encryption helps prevent cyber crime. That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging -- and not restraining -- the use of strong encryption and other technical solutions to protecting our computer systems. The private sector must assume primary responsibility for protecting its computer systems. Targeting cyber crime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. Just recently, internet providers and companies such as Yahoo! and Amazon.com Inc., and computer hardware companies such as Cisco Systems Inc., proved successful at stemming attacks within hours thereby limiting losses. Prior legislative efforts were designed to deter cyber crime. Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met. In this Congress, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, as well as the legislation that Senator Hatch and I are crafting, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime. Our computer crime laws must be kept up-to-date as an important backstop and deterrent. I believe that our current computer crime laws can be enhanced and that the time to act is now. We should pass legislation designed to improve our law enforcement efforts while at the same time protecting the privacy rights of American citizens. Such legislation should make it more efficient for law enforcement to use tools that are already available - such as pen registers and trap and trace devices - to track down computer criminals expeditiously. It should ensure that law enforcement can investigate and prosecute hacker attacks even when perpetrators use foreign-based computers to facilitate their crimes. It should implement criminal forfeiture provisions to ensure that hackers are forced to relinquish the tools of their trade upon conviction. It should also close a current loophole in our wiretap laws that prevents a law enforcement officer from monitoring an innocent-host computer with the consent of the computer's owner and without a wiretap order to track down the source of denial-of-service attacks. Finally, such legislation should assist state and local police departments in their parallel efforts to combat cyber crime, in recognition of the fact that this fight is not just at the federal level. I have been working with Senator Hatch on legislation to accomplish all of these goals and look forward to discussing these proposals with law enforcement and industry leaders. Civil Fraud Laws May Also Need Strengthening. There is no question that fraud is one of the most pressing problems facing the Internet. According to the Director of the FBI, frauds have tainted Internet sales of merchandise, auctions, sweepstakes and business opportunities and the North American Securities Administrators Association estimates that Internet-related stock fraud alone results in billions of dollars of loss to investors each year. I understand that the FBI and the National White Collar Crime Center are jointly sponsoring the Internet Fraud Complaint Center, which will help assist in the investigation of fraudulent schemes on the Internet and will compile data on cyber-frauds. I applaud this endeavor. In looking for ways to combat Internet fraud, we should consider whether the Justice Department's authority to use civil enforcement mechanisms against those engaged in frauds on the Internet should be enhanced. Legislation must be balanced to protect our privacy and other constitutional rights. I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can be respected at the same time we hold accountable those malicious mischief makers and digital graffiti sprayers, who use computers to damage or destroy the property of others. I have seen Congress react reflexively in the past to address concerns over anti-social behavior on the Internet with legislative proposals that would do more harm than good. A good example of this is the Communications Decency Act, which the Supreme Court declared unconstitutional. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights. Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress and the Administration need to work together to meet these new challenges while preserving the benefits of our new era. I thank Senators Kyl, Feinstein and Schumer for their attention to this important issue. (end text) |
|
This site is produced and maintained by the U.S. Department of State. Links to other Internet sites should not be construed as an endorsement of the views contained therein. 
|
 IIP Home | Global Issues |