The Internet and Public Safety
Over the last decade, use of computers and the Internet has grown exponentially, and individuals have increasingly come to depend on this use in their daily lives. The Internet has resulted in new and exciting ways for people to communicate, transfer information, engage in commerce, and expand their educational opportunities. These are but a few of the wonderful benefits of this rapidly changing technology. There is no question that the Internet has changed the way we live today. Yet, as people have increasingly used computers for lawful purposes, so too have criminals increasingly exploited computers to commit crimes and to harm the safety, security, and privacy of others.
In just the past few months, for example, legitimate e-commerce has been the target of malicious computer hackers in the form of "denial of service attacks." These unlawful attacks involve the intrusion into an unknown number of computers, which are in turn used to launch attacks on several target computers, such as Yahoo, eBay, CNN and ZDNET. In these cases, the number of victims can be substantial, as can the collective loss and cost to respond to these attacks. We have also seen the emergence of fast-moving viruses that have caused damages to computer systems around the world and have disrupted the computer systems of consumers, businesses, and governments.
In April 1999, the Melissa virus was released. Through the cooperative efforts of state and federal law enforcement, as well as the contributions of antiviral companies and Internet service providers, the perpetrator of the virus was found within a few days of the virus’ dissemination. He pled guilty in December, admitting that his actions caused over $80 million in damages.
A few weeks ago, the "I Love You" virus began infecting systems around the world. While there is not yet any official assessment of the damages caused by this virus, antiviral companies have estimated that the damages are in the billions. As with the Melissa virus, law enforcement agencies on all levels have been cooperating with the private sector to determine who released this virus. The FBI is now working closely with the National Bureau of Investigation of the Philippines to pursue leads in that country. While I cannot comment directly on that investigation, I will say that the FBI and the Department of Justice will continue to provide whatever technical, investigative, or prosecutorial assistance is needed by the Philippine government.
Frighteningly, the "I Love You" virus was followed almost immediately by copycat variants. At last count, there were almost 30 of these variants that had been identified. They were followed last Thursday by the New Love virus, a virus that self-replicated, mutated in name and size, and destroyed the computer systems affected by it. The FBI, again working with the private sector, is investigating.
The new crop of viruses are becoming more sophisticated and difficult to detect. If we are going to control this epidemic of viruses and denial of service attacks, U.S. law enforcement must continue to work with the private sector and with law enforcement in other countries. As all these cases demonstrate, computer crime is a global problem. In this regard, we are making important progress. Last week, I returned from a meeting in Paris at which the government and industry of the G8 nations, along with representatives of other nations and groups, sat down to discuss how we can work together to identify the source of criminal behavior on the Internet, as well as tracing those responsible for committing crime over the Internet. We are also involved in similar efforts with the Council of Europe. Efforts are underway, which are nearing completion, to develop a cybercrime convention that will create minimum standards for defining crimes committed over computer networks. The convention will also establish minimum standards for international cooperation and domestic law enforcement powers. The draft convention also would further expand the 24/7 point of contact network that was begun by the G8. This network of experienced law enforcement officials capable of dealing with computer crime has been steadily expanding beyond its original eight members, and we are working to further develop the network so that we are better prepared to address crimes committed using computer networks wherever and whenever they occur.
Fostering better international understanding and response to computer crimes has been a priority for over a decade and we are making significant progress. We will continue to build on the successes of the past and capitalize on world-wide attention brought about by the "I Love You" virus to continue working with nations across the globe on this vital issue.
While the denial of service attacks and the recent viruses have received a great deal of attention and are cause for concern, they are but one facet of the criminal activity that occurs online today. Criminals use computers to send child pornography to each other using anonymous, encrypted communications; hackers illegally break into financial computers and steal sensitive, personal information of private consumers, such as name, address, social security number and credit card information; criminals use the Internet’s inexpensive and easy means of communication to commit large-scale fraud on victims all over the globe. Simply put, criminals are exploiting the Internet and victimizing people, worldwide, every day.
It is important to note, Mr. Chairman, that when law enforcement successfully investigates, apprehends, and prosecutes a criminal who has stolen a citizen’s personal information from a computer system, law enforcement is undeniably working, not just to apprehend the offender, but to protect privacy and deter further privacy violations at the hands of criminals. The same is true when law enforcement apprehends a hacker who compromised the financial records of a bank customer.
Responding to the Challenge of Unlawful Conduct on the Internet
The growing threat of illicit conduct online was made clear in the findings and conclusions reached in the recently released report of the President’s Working Group on Unlawful Conduct on the Internet, entitled, "The Electronic Frontier: The Challenge of Unlawful Conduct Involving the Use of the Internet." This extensive report highlights in detail the significant challenges facing law enforcement in cyberspace. As the report states, the needs and challenges confronting law enforcement, "are neither trivial nor theoretical." The Report outlines a three-pronged approach for responding to unlawful activity on the Internet:
2. The needs and challenges of law enforcement posed by the Internet – including the need for resources, up-to-date investigative tools and enhanced multi-jurisdictional cooperation – are significant.
I would encourage anyone with an interest in this important topic to review carefully the report of the Working Group. The report can be found on the Internet by visiting the website of the Department of Justice’s Computer Crime and Intellectual Property Section, located at www.cybercrime.gov. That website also contains a great deal of other information relating to cybercrime and to the laws protecting intellectual property.
The migration of criminality to cyberspace accelerates with each passing day and the threat to public safety is becoming increasingly significant. As Deputy Attorney General Eric Holder told a joint hearing of House and Senate Judiciary Subcommittees in February, this nation’s vulnerability to computer crime is astonishingly high and threatens not only our financial well-being and our privacy, but also this nation’s critical infrastructure.
However, Mr. Chairman, the laws defining computer offenses – and the legal tools needed to investigate criminals using the Internet – have lagged behind technological and social changes, leaving them out of date and, in some instances, ineffective. In short, law enforcement today does not have the tools we need to fully protect the Internet-using public from criminal activity online.
We must confront this problem on two fronts simultaneously. First, we must make certain that the substantive laws defining which conduct is criminal, such as the Computer Fraud and Abuse Act (Title 18 section 1030), are adequately refined and updated. Second, we must look critically at the tools law enforcement uses to investigate and prosecute computer crimes – such as the Electronic Communications Privacy Act and the pen register and trap and trace statutes – to ensure that they are cast in terms that fully account for the rapid advances in technology. Failure to do both will render our efforts meaningless. If we have the appropriate substantive laws, but no means to effectuate them, we will be stymied in our pursuit of online criminals. Conversely, if the conduct in question is not covered by the criminal law, the ability to gather evidence is of no value in protecting the safety and privacy of people who use the Internet. It is not a coincidence, Mr. Chairman, that today marks the fourth time, since February of this year, that the Department of Justice has provided testimony on this issue to Congress. This issue – the safety of the Internet-using public – is and will remain a priority of the Justice Department. I would note, for example, that earlier this month the Attorney General and the Director of the FBI participated in the creation of the Internet Fraud Complaint Center, which gives consumers the ability to go online and file complaints with the Center. This is but one aspect of the approach we are taking to make cyberspace safe for everyone.
Department of Justice views on S. 2448
At this point, I am pleased to offer the preliminary views of the Department of Justice on S. 2448, "The Internet Integrity and Critical Infrastructure Protection Act," that is the subject of today’s hearing.
At the outset, let me say that the proposed legislation appropriately focuses on several very important public safety goals. As I mentioned earlier, the ability to fully protect public safety online requires that the substantive laws utilized to define criminal activity be fine-tuned. The proposed legislation, S. 2448, offers a number of provisions that address the substantive laws.
First, the legislation addresses the ability of federal investigators and prosecutors to bring online criminals to justice by removing the $5,000 "damage" threshold for federal jurisdiction. The Department has encountered numerous instances in which computer intruders have gained unauthorized access to computers used in the provision of "critical infrastructure" systems and services, which include, for example, computers that run 9-1-1 emergency services.
Yet, in several investigations, proof of damage in excess of $5000 – the amount presently required to allow federal investigation and prosecution – has not been readily available. Given the risks posed by the initial act of gaining unauthorized access to these vital computers, federal jurisdiction should not be restricted to those instances in which damage of $5,000 or more can be readily demonstrated, under the current definition of "damage". S. 2448 acknowledges and solves this problem by making federal jurisdiction clearly attach at the outset of an unauthorized intrusion into interstate systems, rather than requiring investigators to wait for estimates of damage to confer jurisdiction. While the Justice Department has some concern about treating the newly covered crimes as felonies in every instance, we strongly support this idea, and would like to work with Congress to best determine the appropriate classification of offenses below the $5,000 damage amount. It is, however, vital to our ability to respond to criminal activity that the jurisdictional threshold be removed.
Second, the bill enhances the deterrent effect of the Computer Fraud and Abuse Act – the primary statute used to prosecute computer hackers – by raising the maximum penalties for various categories of violations, such as those that occurred in the recent denial of service attacks discussed earlier. At present, the statutory maximum penalty for these violations is five years. Given the scope and severity of the damage to protected computers that hackers have been doing recently, the current five year maximum does not adequately take into account the seriousness of their crimes.
For example, as I mentioned earlier, David Smith recently pled guilty to violating Title 18, subsection 1030(a)(5)(A), for releasing the "Melissa" virus that caused massive damage to thousands of computers across the Internet. Although Smith agreed, as part of his plea, that his conduct caused over $80,000,000 worth of damage (the maximum dollar figure contained in the Sentencing Guidelines), experts estimate that the actual amount of damage may have been as much as ten times that amount. Depending on the circumstances of the offense, the amount of loss and the criminal history of the offender, the Sentencing Guidelines may call for a sentence of greater than five years. However, such a sentence cannot be imposed at this time. We support the goal of raising penalties for violations of the Computer Fraud and Abuse Act and will work with the Committee to determine the appropriate increase.
S. 2448 also provides for increased punishment for computer criminals that "use" minors to help in the commission of the crime. The Department shares your concern that adults that exploit children to aid in the furtherance of their own criminal activity deserve special condemnation. We might explore whether this provision be applied to all of 18 U.S.C. 1030 and not just subsection (a)(5). The Department points out, however, that the provision only be applicable to adults who use juveniles and not to juvenile co-conspirators, and we look forward to working with you to ensure the provision is tailored appropriately.
Third, S. 2448 takes important steps to provide greater deterrence to would-be juvenile hackers. We are increasingly encountering juveniles committing crimes and creating risks to the public via the Internet. For example, a juvenile was recently charged with the recent "denial of service" attack on CNN. This juvenile, known as "Mafiaboy," is currently being prosecuted in Canada. We have also seen juvenile hackers penetrate numerous sensitive computers, including computers run by the Defense Department, even as military operations were being planned. In addition, in March of 1998, a juvenile hacker interfered with a computer that provided telecommunications of a town in central Massachusetts, including the regional airport. This action cut off telephone service to the airport’s control tower, fire department, and security services.
To address this important problem, the bill provides that juvenile adjudications for violations of the Computer Fraud and Abuse Act count as prior convictions if such juveniles continue to violate section 1030 as adults. Thus, any juvenile who is arrested and adjudicated delinquent for such a crime would face a stiffer penalty if he or she does not reform. The bill also modifies federal law to allow the federal government to investigate and prosecute juveniles who commit certain serious computer offenses. As S. 2448 recognizes, when an individual attacks a federal computer, or when a hacker uses interstate communications or the Internet to compromise the health, safety, or security of the public, it clearly raises substantial federal interests and warrants federal jurisdiction.
Mr. Chairman, we support your efforts to address these issues and assist law enforcement to combat crime effectively and promote public safety online. As mentioned earlier, however, revision of the substantive law is but one much needed part of the response to cybercrime. The balance of my testimony, and the views of the Department of Justice on S. 2448, will focus on the second prong – making certain that law enforcement has the tools necessary to investigate and build cases against online criminals.
B. Updating the Tools Needed to Protect Public Safety Online:
Section 301 of the proposed legislation attempts to solve several important problems relating to the use of pen registers and trap and trace devices in the investigation of computer crime. The Justice Department is concerned, however, that as introduced, this section of the bill does not address several problems in the existing statute that have been caused by changes in telecommunications technology and the telecommunications industry. First, the language of the existing law is obsolete. The definition of "pen register," for example, refers to a "device" that is "attached" to a telephone "line." Telephone companies, however, no longer accomplish these functions using physical hardware attached to an actual telephone line. Moreover, the existing statute refers specifically to telephone "numbers," a concept made out of date by the need to trace communications over the Internet that use other means to identify users’ accounts. The Department strongly recommends that these provisions be amended to clarify that pen/trap orders apply equally to the tracing of communications in the computer network context. Indeed, S. 2092, introduced by Senators Schumer and Kyl, would amend the statute in these important ways.
In addition to amending the language of the statute to reflect the technological changes that have and will continue to occur, the Justice Department also recommends that the statute be amended to ensure that federal courts have the authority to order all telecommunications carriers providing service in the United States – whether within a particular judicial jurisdiction or not – to provide law enforcement authorities the information needed to trace both voice and electronic communications to their source. The deregulation of the telecommunications industry has created unprecedented hurdles in tracing multi-provider communications to their ultimate source and destination. Many different companies, located in a variety of judicial districts, may handle a single communication as it crosses the country. Under the existing statute, however, a court can only order the installation of a pen/trap device within the jurisdiction of that court. As a result, investigators often have to apply for multiple court orders in multiple jurisdictions in order to trace a single communication, causing a needless waste of resources and delaying and impeding important investigations. Given that time is of the essence in the vast majority of computer hacking cases, this delay may be fatal to the investigation. S. 2092 addresses this problem as well.
Section 302 of the proposed legislation regulates the release of personally identifiable information by providers of satellite television services. Although the protection of the privacy of satellite subscribers’ information is a laudable goal, the manner in which this provision seeks to address this issue creates serious concerns. This provision is drafted in "technology specific" terms. The Justice Department has consistently argued, and does so today, that in order to be effective, statutes must remain technology neutral. By creating a standard exclusively for one form of technology – in this case, satellite television service – the provision restricts the activities of certain companies and individuals based on an arbitrary criterion. If a company chooses to provide its television programming over cable lines or over the Internet, it would not be bound by these restrictions.
The law should not treat companies differently based on the various ways in which they provide the identical service. Further, the Justice Department is concerned about the scope of services – beyond simply providing television service – that would be covered by this provision, thus compounding the disparate treatment noted above. Given the fact that the old distinctions between communications providers and their respective services are rapidly falling away – with each industry crossing over into other areas and offering multiple communications services – technology specific statutes simply become unworkable. We believe that ECPA governs all communication providers without regard to specific technology used to provide the services.
Another portion of S. 2448 which raises significant concerns for the Department of Justice is Title V, regarding International Computer Crime Enforcement. International cooperation in computer crime cases – as highlighted in recent weeks – is extremely important, and strengthening international cooperation mechanisms is a high priority for the Department. As I noted earlier, we are making significant progress in this area and any new proposals have to be fashioned extremely carefully so as not to undermine the valuable avenues of cooperation already in place. The Department is concerned that Title V would not significantly promote international cooperation on computer crime investigations, and it has the potential to damage existing agreements and legal authorities. The Department, therefore, opposes inclusion of this provision in the bill.
Before concluding my testimony, let me make some brief remarks on two issues that have principally been handled by parts of the Administration other than the Department of Justice. Concerning the anti-spamming provision in S. 2448, the Administration agrees that the use of deceptive identification information in connection with unsolicited commercial email raises serious concerns. While the Administration has not endorsed any currently proposed approach to this problem, we support continued examination of this issue and note that comprehensive anti-spamming legislation has been proposed in and is being considered by both the House and the Senate at this time.
Concerning the online collection and dissemination of personally identifiable information on the Internet, I draw your attention to a statement on that subject earlier this week by Secretary of Commerce Daley. Secretary Daley expressed the hope that we will continue to see improvement in the quantity and quality of online privacy policies. He stated that, "if we do not see such progress, then we may eventually need to consider whether legislation would provide companies with the right incentives to have good policies and participate in an effective self-regulatory program." Secretary Daley added that any such legislation, if it becomes necessary "should recognize and provide incentives for self-regulation, such as by granting participants in effective self-regulatory programs a 'safe harbor' from regulation." Such incentives are not currently included in S. 2448.
Mr. Chairman, my testimony today is necessarily focused upon the more significant portions of the proposed legislation and is not intended to be all inclusive. It is my sincere hope that through this and other hearings that have been held, those of us who are concerned about public safety and want to see the Internet continue to flourish and thrive, can come together and forge responses to the problems that I have outlined here today. I again want to commend this Committee for its continued leadership on the issues of technology and public safety and pledge to you today that the Department of Justice stands ready to work with all concerned to make the Internet safe for all Americans.
If we fail in our responsibility to respond to criminal conduct online, we will, in effect, render cyberspace a safe haven for criminals. If we do not make the Internet safe, people’s confidence in using the Internet and e-commerce will decline, parents will no longer let their children use the Internet for the wonderful learning tool that it is, and people worlds apart will no longer use the Internet to communicate and the flow of information will slow. By failing to ensure the public’s safety online, we are effectively endangering the very benefits born of the Information Age. The Internet Integrity and Critical Infrastructure Protection Act is a positive step in avoiding that unfortunate and unnecessary result and we look forward to working with the Committee and the Congress on this matter in the weeks ahead.
Mr. Chairman, that concludes my prepared statement. I would be pleased to answer any questions that you may have at this time.