Statement of Senator Patrick Leahy Senate Appropriations Committee Hearing of the Subcommittee on Commerce, Justice, State and the Judiciary, on Internet Security

February 16, 2000

Mr. Chairman, I commend you for your leadership in convening this hearing.

Whether we work in the private sector or in government, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists. For instance, Senate buildings like this one use cement pillars placed at entrances, photo identification cards, metal detectors, x-ray scanners and security guards to protect this physical space. These security steps and others have become ubiquitous in the private sector as well.

Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we communicate and do business. This plain fact was amply demonstrated by the hacker attacks last week on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet sites. These attacks raise serious questions about Internet security – questions that we need to answer to ensure the long-term stability of electronic commerce. More importantly, a well-focused and more malign cyber-attack on the computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense.

The reports of the CERT Coordination Center (formerly called the "Computer Emergency Response Team"), which was established in 1988 to help the Internet community detect and resolve computer security incidents, provide chilling statistics on the vulnerabilities of the Internet and the scope of the problem. Over the last decade, the number of reported computer security incidents grew from 6 in 1988 to more than 8,000 in 1999. But that alone does not reveal the scope of the problem. According to CERT's most recent annual report, more than four million computer hosts were affected by computer security incidents in 1999 alone by damaging computer viruses, with names like "Melissa," "Chernobyl," "ExploreZip,"and by other ways that remote intruders have found to exploit system vulnerabilities. Even before the "denial-of-service" attacks last week, CERT documented that such incidents "grew at a rate around 50% per year" which was "greater than the rate of growth of Internet hosts."

CERT has tracked recent trends in severe hacking incidents on the Internet – both are serious cause for concern. First, hacking techniques are getting more sophisticated. That means law enforcement is going to have to get smarter too, and we need to give them the resources to do this. Second, hackers have "become increasingly difficult to locate and identify." These criminals are operating in many different locations and are using techniques that allow them to operate in "nearly total obscurity."

We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1989 by the Subcommittee on Technology and the Law in the Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely "hardening" our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government had a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems. Targeting cybercrime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems.

That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress last month when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging -- and not restraining -- the use of strong encryption and other technical solutions to protecting our computer systems.

Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met.

In this Congress, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime.

I am convinced that we should be doing more to combat the current wave of computer crime. Those who are engaged in computer hacking, computer fraud and counterfeiting computer programs should be prosecuted and punished appropriately. As we have seen recently, these kinds of criminals wreak havoc on consumers, our interstate businesses and computer systems. To strengthen our laws in these areas, after the recess I plan to introduce legislation to broaden the scope of the prohibitions relating to computer hacking, including a refinement of the definition of what constitutes loss and damage caused by an intruder on a computer system. My proposal also will contain measures to allow our law enforcement officers to investigate and assist in international hacker cases.

President Clinton has proposed $37 million in additional funding in his FY 2001 Department of Justice budget to combat cybercrime. The President's request includes $6 million to develop regional computer forensic labs, $11 million to hire 100 more FBI experts on computer-related crimes and $8 million for U.S. Attorneys to prosecute cybercrime.

I look forward to working with the Chairman and other concerned Senators to consider this budget request and other steps like our pending legislation to give state and local law enforcement agencies the tools they need to combat computer crime and maintain consumer confidence in electronic commerce.

I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can be respected at the same time we hold accountable those malicious mischief makers and digital graffiti sprayers, who use computers to damage or destroy the property of others. I have seen Congress react reflexively in the past to address concerns over anti-social behavior on the Internet with legislative proposals that would do more harm than good. A good example of this is the Communications Decency Act, which the Supreme Court declared unconstitutional. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights.

Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress and the Administration need to work together to meet these new challenges while preserving the benefits of our new era. I look forward to hearing from Attorney General Reno and FBI Director Freeh, and the other distinguished witnesses, on this important challenge.