|
STATEMENT OF
JOHN G. MALCOLM
DEPUTY ASSISTANT ATTORNEY GENERAL
UNITED STATES DEPARTMENT OF JUSTICE
BEFORE THE SUBCOMMITTEE ON CRIME
OF THE HOUSE COMMITTEE ON THE JUDICIARY
ON
H.R. 3482, THE CYBER SECURITY ENHANCEMENT ACT OF 2001
Tuesday, February 12, 2002
Mr. Chairman and Members of the Subcommittee, thank you for giving me
this opportunity to testify on behalf of the Criminal Division of the
Department of Justice regarding Title I of H.R. 3482, the Cyber Security
Enhancement Act of 2001. Mr. Chairman, I commend you for sponsoring a
bill addressing the issue of computer crime, an issue that is of the utmost
importance to our national defense and security, to the strength and vitality
of our economy, to the health and safety of our citizens, and to the privacy
of every individual.
Working with our partners in state and federal law enforcement, the Department
of Justice has made great strides in recent years in investigating and
prosecuting computer crime. Through the Department’s Computer Crime
and Intellectual Property Section, we have trained scores of federal prosecutors
and developed a strong network of computer crime coordinators that extends
to every United States Attorney’s office. We have expanded the Computer
Crime and Intellectual Property Section and have established Computer
Hacking and Intellectual Property units in key districts. Not only have
these prosecutors addressed computer hacking violations and intellectual
property theft, but they have provided expertise critical to the ongoing
terrorism investigation.
Despite these important achievements, Internet crimes are on the rise.
A recent Washington Post article reported that one Internet security firm
documented more than 128,000 unauthorized accesses to its clients’
systems between July and December last year. The Computer Security Institute
estimates that the economic loss resulting from such crimes has more than
doubled in the last five years. These crimes also pose a grave threat
to the security, safety, and privacy of all Americans. Just last year,
federal law enforcement officers captured two Russian hackers who had
infiltrated American banks and businesses, stolen private data, including
credit card numbers, and extorted those companies by threatening to destroy
their computers or release their customers’ private information.
Had these criminals not been apprehended, the damage they could have done
to credit card holders would have been difficult to overstate.
Title I of H.R. 3482 strengthens the deterrent effect of current laws
by increasing penalties and closing loopholes. The Department strongly
supports these amendments. The Department recommends, however, that the
Subcommittee consider two changes to Title I. The first change would modify
section 106 to address the increasing threat of death or serious bodily
injury that computer hackers might recklessly cause. The second change
would provide a more structured mandate to the Sentencing Commission,
directing it to tailor the Sentencing Guidelines to address the burgeoning
problem of computer crime in the United States.
I. Punishment of Criminals Who Recklessly Cause Death or Serious Bodily
Injury Through Computer Hacking
Section 106 institutes a welcome increase in the penalty for crimes
committed in the cyber world when the criminal knows that death or serious
bodily injury will result in the flesh-and-blood world. Because we rely
so heavily on computer systems to provide basic services such as electric
power, telecommunications, and medical care, disruption of those systems
can have a catastrophic effect. Current federal law does not adequately
punish those who damage computers resulting in death or serious bodily
injury. Although statutes severely punish foreign terrorists who commit
such acts, there is no parallel provision for domestic actors. Section
106 would close that loophole.
To protect Americans against the risk that damage to a critical computer
system might threaten their health or safety, however, the Committee may
want to consider broadening slightly the scope of Section 106 so that
it covers not only hackers who damage a computer system knowing that death
or serious injury will result, but also hackers who damage a computer
system with reckless disregard for whether death or serious injury will
result.
In an era in which computer systems play an integral role in our critical
infrastructures, it is not difficult to imagine an assault on such a system
that recklessly causes death or serious injury. Consider, for example,
a hacker who infiltrates a hospital’s medical database to erase records
that reveal the diagnosis of his sexually transmitted disease. In the
course of erasing his record, he also erases other patients’ records,
thereby preventing them from receiving vital medication or treatment.
Although the hacker has not intentionally or knowingly harmed those other
patients, his reckless conduct has clearly put them at risk of death or
serious injury. If such reckless criminal conduct were to cause someone
to die or to be permanently injured, the appropriate penalty might well
exceed the ten-year maximum currently imposed by the statute.
Similarly, suppose a hacker shuts down a town’s phone service. While
phone technicians race to restore service, no emergency 9-1-1 calls can
go through. It is easy to envision in such a situation that somebody might
die or suffer serious injury as a result of this conduct. Although the
hacker might not have known that his conduct would cause death or serious
bodily injury, such reckless conduct would seem to merit punishment greater
than the ten years permitted by the current statute.
The Internet is a powerful tool. But when the Internet is misused by criminals,
it can turn into a harmful weapon. When criminals intentionally damage
computer systems, recklessly causing severe harm or even death to others,
they must be held fully responsible. Thus, the Department encourages the
Subcommittee to expand the scope of Section 106 to encompass not only
computer criminals who knowingly cause death or serious bodily injury,
but also those who recklessly cause death or serious bodily injury.
II. Sentencing Guidelines
Title I achieves another essential objective in the fight against computer
crime by requiring the Sentencing Commission to re-examine the policy
statements and guidelines that apply to computer crime. To guide the Commission
in this endeavor, the Department recommends that Title I more clearly
articulate its intent that the Commission enhance penalties to reflect
the threat of computer crime. To that end, the Department outlines below
three changes to Section 101 of the Bill.
First, Section 101 could better express the Bill’s intent to raise
penalties by directing the Commission to consider the fact that the USA
PATRIOT Act increased the maximum penalties for many crimes involving
unauthorized access to computers. For example, the USA PATRIOT Act doubled
the maximum penalty for criminals and terrorists who cause damage to protected
computers.
Second, the Bill’s intent to enhance penalties would be emphasized
if Section 101 required the Commission to examine the penalty structures
that pertain to the disruption of computers that control our nation’s
critical infrastructures. Through the Internet, terrorists and criminals
can attack the computer systems that control America’s financial
systems, power plants, health care providers, and transportation networks.
Such attacks have the potential to cause grave economic disruption in
addition to threatening American lives.
Third, we encourage the Subcommittee to impress upon the Commission the
need for increased penalties by requiring it to consider harm to individuals.
The Guidelines should take into account what this Bill already recognizes:
where hackers cause death or bodily injury, they should face appropriately
tough sentences.
In sum, Congress has already recognized the need to enhance penalties
for cyber-crime; Section 101 should clearly express Congress’ intent
that the Sentencing Commission commensurately enhance such penalties.
III. Emerging Issues
With the help of the Chairman and this Subcommittee, Congress has made
great strides to modernize the laws that relate to the investigation and
prosecution of cyber-crime. We look forward to continuing to work with
the Committee to address new issues as they arise in this evolving area
of the law. With that in mind, I would like to share with the Committee
a few issues forming on the horizon.
Concerns have been raised about the Department’s ability under the
current statutory scheme to assist other countries in foreign terrorism
and criminal investigations when there is not an active corresponding
investigation in the United States. Our continuing cooperation with foreign
law enforcement agencies is essential, however, if we expect them to support
our own requests for information and evidence found within their borders.
The Department has also been concerned for some time about the adequacy
of the penalties imposed upon those who violate the privacy of others
by intentionally intercepting their cellular phone calls. Today, such
privacy invasions are treated as a minor infraction punished only by a
fine. As cell phone use becomes more and more prevalent, however, it is
increasingly important to protect the privacy of all wire and electronic
communications without regard to the transmission technology used.
Finally, we are concerned about law enforcement’s ability to respond
to computer attacks in emergencies that involve a threat to a national
security interest or an ongoing cyber-attack on a computer that controls
a national critical infrastructure. Timely use of a pen register or trap
and trace device may be the only way to identify the perpetrator of such
an attack or to prevent the attack from causing further harm. Yet current
law may not allow emergency use of such devices under these circumstances.
IV. Closing
Mr. Chairman, that concludes my prepared statement. I would like to thank
you and the Subcommittee again for soliciting the Department’s views
on these important issues and for allowing me to express them through
my testimony here today. I would be pleased to answer any questions that
you may have on Title I of the Bill.
###
|