STATEMENT OF SENATOR PATRICK LEAHY
Hearing Before The Senate Judiciary
Subcommittee On Technology,
Terrorism, and Government Information
"Internet Crimes Affecting Consumers"
March 19, 1997
I congratulate the Chairman and the Ranking Member for
convening this hearing on how criminal activity on the Internet
may be affecting consumers, and I appreciate the opportunity to
testify here today.
THE NATURE OF COMPUTER CRIME
Cyberspace is no refuge from the problems we find in physical,
or "real," space. As more consumers discover the ease
with which they can use the Internet, and the possibilities for
buying and selling goods and services on-line, criminals will
follow the money into cyberspace. Vandalism, theft, "Peeping
Toms", fraud, extortion and blackmail are examples of
crimes that have existed probably as long as people have lived
together in communities. Each of these crimes, and others, has
its analogs in cyberspace.
For example, modern-day graffiti has moved beyond scribbles on
monuments and subway cars and now takes the form of leaving
messages on government Web sites. Earlier this month, hackers
broke into a NASA Web server and posted on NASA's public Web page
a message threatening "digital terrorism" against
corporate America. Last year, hackers broke into CIA's Web site,
changed the posted name of the agency to the "Central
Stupidity Agency", added obscenities, and linked the site to
Playboy Magazine and other sites. The Justice Department's Web
site also suffered a hacker attack last year, when hackers
replaced legitimate information on the home page with
swastikas, pornographic photos and criticism of the
Communications Decency Act.
Such highly publicized break-ins reveal the vulnerability of
government systems to hackers. But these pranks are no joking
matter. These vulnerabilities can pose serious security breaches.
The General Accounting Office published a startling report last
year that the Department of Defense may have experienced as many
as 250,000 hacker attacks in 1995 alone. The report estimated
that the majority of the attacks -- 64 percent -- were successful,
and that only a small number were even detected. The
vulnerability of our government computer systems puts vast
amounts of sensitive government information at risk of
unauthorized access and disclosure.
Government computer systems are not the only systems at risk.
A recent survey of major U.S. firms conducted by Information
Week and Ernst & Young found that more than half of the
companies surveyed experienced losses due to information security
breaches over the last two years. When you add computer viruses
to the mix, a huge number -- 78 percent -- suffered losses. Some
of the companies reported losses of as much as $1 million
or more. Even though most of the companies were using
the Internet for business communications and functions, nearly
three-quarters of the executives at these firms lacked confidence
in the security of their computer networks from attacks from both
insiders and outsiders. These fears are well-founded. The survey
revealed that significant losses were caused by malicious or
disgruntled company insiders, and by outside hackers who could
dial in through external Internet connections.
As this survey confirms, computer crime is not just a law
enforcement issue; it is also an economic one. Breaches of
computer security are causing direct financial losses to U.S.
businesses from the theft of trade secret and proprietary
information. This hurts our economy.
We need to protect both government and private computers, and
the information on those computers, from computer crime. The
facts speak for themselves: Computer crime is on the rise. The
Computer Emergency and Response Team -- or "CERT" for
short -- keeps track of Internet security incidents. CERT reports
that more than 10,700 Internet sites were affected by 2,573
security incidents in 1996 alone. In fact, there has been a 2000
percent increase in the number of incidents since CERT was
established in 1988.
NATIONAL INFORMATION INFRASTRUCTURE ACT
The distinguished Chairman, Senator Kyl, and I share a mutual
concern about computer crime. In the 104th Congress we worked
closely together and with the Department of Justice to craft
legislation to strengthen protection for computer systems, both
government and private, and the information on those computers,
from the growing threat of computer crime. This legislation, the
"National Information Infrastructure Protection Act,"
was enacted last year to close several gaps in our computer crime
laws. I will highlight just a few aspects of this new law.
For example, there is a new and emerging problem of
computer-age blackmail, a high-tech variation on old-fashioned
extortion, in which someone threatens to crash a computer system
unless the blackmailer is given money or free access to the
system. One can also imagine situations in which hackers
penetrate a system, encrypt a database and then demand money for
the decoding key. The new law ensures law enforcement's ability
to prosecute these modern day blackmailers.
This legislation also extends the protection of federal law to
cover computers in interstate or foreign commerce or
communications. This would cover most of the computers -- both
private and government -- connected to the Internet. The new law
expressly penalizes both outside hackers and malicious insiders
who, without authorization, raid private computers to grab
valuable information. This helps protect consumers, because
hackers who break into private computers connected to the
Internet by using "spoofing" programs to masquerade as
a trusted person, or who use "sniffing" programs to
collect private user name and password information, can now be
prosecuted for stealing information.
Third, the new law provides more protection from damaging
computer viruses injected into government and financial
institution computer systems.
NEEDED: STRONG ENCRYPTION
Targeting cybercrime with up-to-date criminal laws and tougher
law enforcement is only part of the solution. While criminal
penalties may deter some computer criminals, these laws usually
come into play too late, after the crime has been committed and
the injury inflicted. We should keep in mind the old
adage that "the best defense is a good offense."
Americans and American firms must be encouraged to take
preventive measures to protect their computer information and
systems.
That is where encryption technology comes in. The December
1996 issue of the FBI Law Enforcement Bulletin noted "a
significant relationship between file or data encryption and
reduced theft of intellectual property. Encryption,
therefore, should be considered an important tool for protecting
confidence information."
As the FBI recognizes, encryption is one important tool in our
arsenal to protect the security of our computer information.
Nevertheless, a prominent expert on computer security told a
Senate panel last year that:
"U.S. cryptographic policy has generally not been
sufficiently oriented toward improving the infrastructure, in
that it has been more concerned with limiting the use of good
cryptography. U.S. crypto policy has instead acted as a deterrent
to better security."
[Senate Governmental Affairs Permanent Subcommittee on
Investigations Hearings on "Security in Cyberspace",
June 21, 1996, S. Hrg. 104-701, testimony of Peter Neumann, at p.
351].
Encryption cannot be the sole source of protection for our
critical computer-based infrastructure, but we need to make sure
the government is encouraging -- and not restraining -- the use
of strong encryption and other technical solutions to protecting
our computer systems. CERT, which provides 24-hour technical help
for responding to Internet security incidents, recently made
recommendations to the President's Commission on Critical
Infrastructure Protection on how the government can reduce risks
to the Internet and other critical infrastructures. CERT noted
that "many of the computer security crimes and
incidents on the Internet could have resulted in less damage or
been avoided with the personal use of strong encryption."
CERT recommended that the government take steps to "ensure
public policy facilitates the widespread use of encryption to
protect information and users of cyberspace."
I fully concur with CERT's recommendation and have introduced
encryption legislation to do just this: encourage the widespread
availability of strong encryption. In fact, the Commerce
Committee is holding hearings on this legislation this afternoon.
I look forward to working with the Members of this Committee, as well as with the Members of the Commerce Committee, in crafting a constructive U.S. encryption policy that gets the government out of the way of better security for our computer networks. Our national encryption policy has focused almost entirely on the needs of our law enforcement and national security agencies and has neglected the needs of individuals, businesses and our economy. We need to bring some common sense and better balance to this issue.
Originally posted at: http://www.senate.gov/~leahy/compcrhr.htm