CDT POLICY POST Volume 6, Number 4 February 16, 2000

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:
(1) HACK ATTACKS RAISE SPECTER OF GOVERNMENT INTERVENTION
(2) RENO, FREEH, SENATORS PROPOSE COMPUTER CRIME LEGISLATION
(3) CDT URGES PRIVACY AT WHITE HOUSE SUMMIT ON HACK ATTACKS
(4) CRAFTING A BALANCED LEGISLATIVE PROPOSAL
(5) POLICY POST ADMINISTRATION

______________________________________________________________________

(1) HACK ATTACKS RAISE SPECTER OF GOVERNMENT INTERVENTION

Last week's denial of service attacks on major e-commerce Web sites have prompted interest in Washington, with potentially serious implications for the relationship between government and the Internet.

CDT is concerned that the attacks may serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the openness and relative anonymity of the Internet. Such a course is especially unjustified when there is so much to be done to improve security without changing the architecture or protocols of the Internet or further eroding privacy.

While denial of service is appropriately a crime, the recent attacks highlight a problem not soluble by criminal investigation and prosecution: basic system security has been ignored far too long.

In terms of developing policy responses, it is important to recognize that the affected sites were able to recover quickly and install defenses against further similar attacks. Moreover, the distributed denial of service (DDOS) attack methods were well-known and widely reported before they were launched. Like most attacks, they exploited well-known system vulnerabilities. And, as with most malicious code, there were diagnostic tools that would have allowed systems administrators to determine if their computers had been hijacked for DDOS purposes.

The IETF had recommended a simple and effective method, network ingress filtering, for defeating DOS attacks that use forged source IP addresses, in January 1998: http://www.ietf.org/rfc/rfc2267.txt. The filter must be deployed by the networks from which forged packets originate, so its value depends on broad adoption rather than on anything a victim site can do alone.
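The following is an added illustration, not part of the original Policy Post and not code from the IETF or CDT: a Python simulation of the RFC 2267 ingress filter. An ISP edge router that knows which address prefixes it has delegated to a customer forwards only packets whose source address falls inside those prefixes; any other source address could not legitimately have come from that customer and is dropped before it can be used against a victim. The prefixes (drawn from the documentation ranges), the packet records and the function names are all constructed for this example.

```python
"""
Added example: RFC 2267 (BCP 38) network ingress filtering, simulated.

An ISP edge router applies the policy on the interface facing a
customer network. Packets whose source address lies within the
prefixes assigned to that customer are forwarded; everything else is
treated as a forged source and dropped.

Prefixes, packets and names here are constructed for illustration;
they are not from RFC 2267 or from the CDT post.
"""
import ipaddress

# Hypothetical prefixes the ISP has assigned to one customer interface.
# 192.0.2.0/24 and 2001:db8::/32 are reserved documentation ranges.
CUSTOMER_PREFIXES = [
    "192.0.2.0/24",
    "2001:db8:1::/48",
]


def build_ingress_filter(prefixes):
    """Return a predicate that is True for source addresses the
    customer is allowed to emit, i.e. addresses inside its prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]

    def permitted(src):
        addr = ipaddress.ip_address(src)
        # Only compare against networks of the same IP version.
        return any(addr in n for n in nets if n.version == addr.version)

    return permitted


def filter_packets(packets, permitted):
    """Split packets into (forwarded, dropped) according to the
    ingress policy. Each packet is a dict with 'src' and 'dst' keys."""
    forwarded, dropped = [], []
    for pkt in packets:
        if permitted(pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


# Constructed sample traffic arriving on the customer-facing interface.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5"},      # legitimate
    {"src": "10.0.0.1", "dst": "198.51.100.5"},        # forged: private source
    {"src": "198.51.100.77", "dst": "203.0.113.9"},    # forged: another network's address
    {"src": "2001:db8:1::42", "dst": "2001:db8:9::1"}, # legitimate IPv6
    {"src": "2001:db8:2::42", "dst": "2001:db8:9::1"}, # forged: outside the /48
]


def run_example():
    """Apply the filter to the sample traffic and return the split."""
    permitted = build_ingress_filter(CUSTOMER_PREFIXES)
    return filter_packets(SAMPLE_PACKETS, permitted)


if __name__ == "__main__":
    fwd, drp = run_example()
    for pkt in fwd:
        print("FORWARD", pkt["src"], "->", pkt["dst"])
    for pkt in drp:
        print("DROP   ", pkt["src"], "->", pkt["dst"])
```

Two caveats worth keeping in mind when reading this. First, the filter protects other people's sites, not the network that deploys it, which is why the RFC's approach depends on wide adoption by providers rather than on any action a victim can take. Second, it only removes forged source addresses; a distributed attack launched from compromised hosts using their real addresses passes the filter unchanged, which is why the post's other point, cleaning hijacked hosts with the available diagnostic tools, matters as much as filtering.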

The CERT at Carnegie Mellon had issued a DDOS incident note in November 1999, specifically describing the kind of tools used in last week's attacks: http://www.cert.org/incident_notes/IN-99-07.html.

CDT believes that good security can be achieved without sacrificing privacy, the relative anonymity that is now available online, or the democratic openness of the Internet. Invasive government measures are no substitute for the community effort needed to build better security.
____________________________________________________________________

(2) RENO, FREEH, SENATORS PROPOSE COMPUTER CRIME LEGISLATION

At a Senate hearing today, Attorney General Janet Reno announced that the Justice Department was preparing a legislative package to better locate, identify and prosecute cybercriminals. Reno mentioned three specific items:

FBI Director Louis Freeh suggested extending RICO to computer crimes. Under the Racketeer Influenced and Corrupt Organizations Act, two illegal acts over a period of ten years constitute a "pattern of racketeering activity," subject to asset forfeiture and up to 20 years in prison.

Freeh also talked about encryption. In a confusing statement, he said that without the ability to get court-ordered access to plaintext, law enforcement agencies will be unable to investigate a large number of cases, but he also said that changes in statute were not necessary in this regard. Freeh said that last year the FBI had encountered encryption in only 53 cases.

At the hearing, Sen. Patrick Leahy (D-VT) announced that he was preparing his own bill to broaden the scope of the prohibitions relating to computer hacking, including a refinement of the definition of what constitutes loss and damage caused by an intruder on a computer system and measures to allow U.S. law enforcement officials to investigate and assist in international hacker cases.

Jeff Richards of the Internet Alliance called for narrowly tailored legislation regarding the forgery of header and routing data.

Finally, in a Dear Colleague letter circulated today, Sen. Charles Schumer (D-NY) announced that he too was drafting computer crime legislation.

Testimony from today's hearing should be online soon at http://www.senate.gov/~appropriations/commerce/hrgtest.htm.

Statements by Sens. Leahy and Schumer are at http://www.cdt.org/security/.
________________________________________________________________

(3) CDT URGES PRIVACY AT WHITE HOUSE SUMMIT ON HACK ATTACKS

The tenor of today's Congressional hearing contrasted with Tuesday's cyber-security summit at the White House, as CDT joined industry and academic experts in urging President Clinton to let industry take the lead in responding to the hacks. CDT senior staff counsel Jim Dempsey stressed that good network security can be achieved without sacrificing privacy or anonymity online. The President, who stayed for the full 90-minute meeting, appeared to understand that government had a limited role and that any approaches taken must preserve privacy and the openness of the Internet.

Among other initiatives, industry pledged to establish a system for sharing information about vulnerabilities and attacks.

One of the best points was by Whit Diffie, who argued that government needs to move from a "police department" model to a "fire department" model, emphasizing prevention and public education. Others agreed, using the public health model, stressing the need for "computer hygiene" to extirpate malicious code and install and regularly upgrade security measures.

In the press briefing following the meeting, White House chief of staff John D. Podesta reiterated that "the solutions we talked about did not involve greater government regulation, or really greater governmental power. They were things that we could do, again, in partnership with the private sector to increase security."

The President's opening remarks and the industry statement are online at http://www.cdt.org/security/.

CDT's analysis of the Administration's plan for FIDNet and other security measures aimed at the government's own systems is at http://www.cdt.org/policy/terrorism/oneildempseymemo.html.

_________________________________________________________________

(4) CRAFTING A BALANCED LEGISLATIVE PROPOSAL

The flurry of legislative proposals raises two concerns: (a) ensuring that cyber-security does not become the proverbial legislative Christmas tree that legislators rush to hang more provisions on; and (b) that any legislation balance expanded crimes or authorities with changes to strengthen standards for government access to information.

At today's hearing, the Attorney General stated that "both our substantive laws and procedural tools are not always adequate to keep pace with the rapid changes in technology." From the privacy perspective, this is undoubtedly true. The recognized deficiencies with the Electronic Communications Privacy Act of 1986 include the following:

Problems also exist under the 1968 wiretap law, notably in the courts' weakening of the rule against monitoring innocent conversations.

And inconsistent standards apply to government access to information about one's habits depending on the type of technology used. For example, watching the same movie via satellite, cable TV, Internet cable modem and video rental is subject to four different privacy standards.

______________________________________________________________________

(5) POLICY POST ADMINISTRATION

To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org. In the BODY of the message type "subscribe policy-posts" without the quotes.

To unsubscribe from CDT's Policy Post list, send mail to majordomo@cdt.org. In the BODY of the message type "unsubscribe policy-posts" without the quotes.

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_6.04.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org.

Policy Post 6.04 Copyright 2000 Center for Democracy and Technology