STATEMENT OF SENATOR PATRICK LEAHY
Hearing Before The Senate Judiciary
Subcommittee On Technology,
Terrorism, and Government Information
"Internet Crimes Affecting Consumers"
March 19, 1997
I congratulate the Chairman and the Ranking Member for
convening this hearing on how criminal activity on the Internet
may be affecting consumers, and I appreciate the opportunity to
testify here today.
THE NATURE OF COMPUTER CRIME
Cyberspace is no refuge from the problems we find in physical,
or "real," space. As more consumers discover the ease
with which they can use the Internet, and the possibilities for
buying and selling goods and services on-line, criminals will
follow the money into cyberspace. Vandalism, theft, "Peeping
Toms", fraud, extortion and blackmail -- are examples of
crimes that have existed probably as long as people have lived
together in communities. Each of these crimes, and others, have
their analogs in cyberspace.
For example, modern-day graffiti has moved beyond scribbles on
monuments and subway cars and now takes the form of leaving
messages on government Web sites. Earlier this month, hackers
broke into a NASA Web server and posted on NASA's public Web page
a message threatening "digital terrorism" against
corporate America. Last year, hackers broke into CIA's Web site,
changed the posted name of the agency to the "Central
Stupidity Agency", added obscenities, and linked the site to
Playboy Magazine and other sites. The Justice Department's Web
site also suffered a hacker attack last year, when hackers
substituted legitimate information on the home page with
swastikas, pornographic photos and criticism of the
Communications Decency Act.
Such highly publicized break-ins reveal the vulnerability of
government systems to hackers. But these pranks are no joking
matter. These vulnerabilities can pose serious security breaches.
The General Accounting Office published a startling report last
year that the Department of Defense may have experienced as many
as 250,000 hacker attacks in 1995 alone. The report estimated
that the majority of the attacks -- 64 percent-- were successful,
and that only a small number were even detected. The
vulnerability of our government computer systems puts vast
amounts of sensitive government information at risk of
unauthorized access and disclosure.
Government computer systems are not the only systems at risk.
A recent survey of major U.S. firms conducted by Information
Week and Ernst & Young found that more than half of the
companies surveyed experienced losses due to information security
breaches over the last two years. When you add computer viruses
to the mix, a huge number -- 78 percent -- suffered losses. Some
of the companies reported losses of as much as $1 million
or more. Even though most of the companies were using
the Internet for business communications and functions, nearly
three-quarters of the executives at these firms lacked confidence
in the security of their computer networks from attacks from both
insiders and outsiders. These fears are well-founded. The survey
revealed that significant losses were caused by malicious or
disgruntled company insiders, and by outside hackers who could
dial in through external Internet connections.
As this survey confirms, computer crime is not just a law
enforcement issue; it is also an economic one. Breaches of
computer security are causing direct financial losses to U.S.
businesses from the theft of trade secret and proprietary
information. This hurts our economy.
We need to protect both government and private computers, and
the information on those computers, from computer crime. The
facts speak for themselves: Computer crime is on the rise. The
Computer Emergency and Response Team -- or "CERT" for
short-- keeps track of Internet security incidents. CERT reports
that more than 10,700 Internet sites were affected by 2,573
security incidents in 1996 alone. In fact, there has been a 2000
percent increase in the number of incidents since CERT was
established in 1988.
NATIONAL INFORMATION INFRASTRUCTURE ACT
The distinguished Chairman, Senator Kyl, and I share a mutual
concern about computer crime. In the 104th Congress we worked
closely together and with the Department of Justice to craft
legislation to strengthen protection for computer systems, both
government and private, and the information on those computers,
from the growing threat of computer crime. This legislation, the
"National Information Infrastructure Protection Act,"
was enacted last year to close several gaps in our computer crime
laws. I will highlight just a few aspects of this new law.
For example, there is a new and emerging problem of
computer-age blackmail, a high-tech variation on old-fashioned
extortion, in which someone threatens to crash a computer system
unless the blackmailer is given money or free access to the
system. One can also imagine situations in which hackers
penetrate a system, encrypt a database and then demand money for
the decoding key. The new law ensures law enforcement's ability
to prosecute these modern day blackmailers.
This legislation also extends the protection of federal law to
cover computers in interstate or foreign commerce or
communications. This would cover most of the computers -- both
private and government -- connected to the Internet. The new law
expressly penalizes both outside hackers and malicious insiders
who, without authorization, raid private computers to grab
valuable information. This helps protect consumers, because
hackers who break into private computers connected to the
Internet by using "spoofing" programs to masquerade as
a trusted person, or who use "sniffing" programs to
collect private user name and password information, can now be
prosecuted for stealing information.
Third, the new law provides more protection from damaging
computer viruses injected into government and financial
institution computer systems.
NEEDED: STRONG ENCRYPTION
Targeting cybercrime with up-to-date criminal laws and tougher
law enforcement is only part of the solution. While criminal
penalties may deter some computer criminals, these laws usually
come into play too late, after the crime has been committed and
the injury inflicted. We should keep in mind the old
adage that "the best defense is a good offense."
Americans and American firms must be encouraged to take
preventive measures to protect their computer information and
That is where encryption technology comes in. The December
1996 issue of the FBI Law Enforcement Bulletin noted "a
significant relationship between file or data encryption and
reduced theft of intellectual property. Encryption,
therefore, should be considered an important tool for protecting
As the FBI recognizes, encryption is one important tool in our
arsenal to protect the security of our computer information.
Nevertheless, a prominent expert on computer security told a
Senate panel last year that:
"U.S. cryptographic policy has generally not been
sufficiently oriented toward improving the infrastructure, in
that it has been more concerned with limiting the use of good
cryptography. U.S. crypto policy has instead acted as a deterrent
to better security."
[Senate Governmental Affairs Permanent Subcommittee on
Investigations Hearings on "Security in Cyberspace",
June 21, 1996, S. Hrg. 104-701, testimony of Peter Neumann, at p.
Encryption cannot be the sole source of protection for our
critical computer-based infrastructure, but we need to make sure
the government is encouraging -- and not restraining -- the use
of strong encryption and other technical solutions to protecting
our computer systems. CERT, which provides 24-hour technical help
for responding to Internet security incidents, recently made
recommendations to the President's Commission on Critical
Infrastructure Protection on how the government can reduce risks
to the Internet and other critical infrastructures. CERT noted
that "many of the computer security crimes and
incidents on the Internet could have resulted in less damage or
been avoided with the personal use of strong encryption."
CERT recommended that the government take steps to "ensure
public policy facilitates the widespread use of encryption to
protect information and users of cyberspace."
I fully concur with CERT's recommendation and have introduced
encryption legislation to do just this: encourage the widespread
availability of strong encryption. In fact, the Commerce
Committee is holding hearings on this legislation this afternoon.
I look forward to working with the Members of this Committee, as well as with the Members of the Commerce Committee, in crafting a constructive U.S. encryption policy that gets the government out of the way of better security for our computer networks. Our national encryption policy has focused almost entirely on the needs of our law enforcement and national security agencies and has neglected the needs of individuals, businesses and our economy. We need to bring some common sense and better balance to this issue.
Originally posted at: http://www.senate.gov/~leahy/compcrhr.htm