Chairman Thurmond, Chairman McCollum, and Subcommittee Members, thank you for the opportunity to testify on the important issue of Internet security and the federal response. The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include enhancing privacy protections for individuals and preserving the open architecture of the Internet. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.

CDT focuses much of its work on the Internet because we believe that, more than any other medium, it has characteristics that are uniquely supportive of democratic values. In framing policy solutions for the Internet, we believe it is imperative to recognize and preserve the open, global, decentralized, interactive, and user-controlled nature of this medium. The Internet has become the engine of our economy. It is transforming education, medicine, journalism, and entertainment. It also has the power to enhance the democratic relationship between government and its citizens. All one has to do is look at Thomas, the Web site of the Library of Congress, or consider how the Internet is being used in election campaigns to bring into the political process people never before involved in politics to see how it has the potential to revitalize democracy and restore trust in government. For the sake of the economic, social and political benefits of this medium, Congress should do nothing that will interfere with its open architecture and user-controlled nature.

Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all crimes, appropriately so, and the perpetrators of the recent denial of service attacks should be punished if caught. But Congress must recognize that the problem of Internet security is not one primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter for the private sector, which has built this amazing system in such a short time without government interference. It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match, given the rapid pace of technology change and the decentralized nature of the medium.

It is always appropriate to consider whether our laws have been outdated by changes in technology, and several proposals have been under consideration since before the recent attacks to amend the computer crime statute and the electronic surveillance laws to enhance law enforcement authorities. The Subcommittees, after careful analysis, may find that some modest changes are appropriate. But we urge caution, especially in terms of any changes that would enhance surveillance powers or government access to information. Americans are already deeply concerned about their privacy, especially online. Changes in technology are making ever more information available to government investigators, often with minimal process falling far short of Fourth Amendment standards. You must be careful to ensure that the recent Internet attacks do not serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the openness and relative anonymity of the Internet. Such a course is especially unjustified when there is so much to be done to improve security without changing the architecture or protocols of the Internet or further eroding privacy.

The major problem we see in the law now is that the standards for government access to information are not high enough to protect the privacy of legitimate computer users. If the Congress concludes that any legislative changes are necessary in response to Internet security, those changes should be equally balanced with measures to improve privacy by tightening the standards for government surveillance and access to information. We are prepared to work with the Committees and the Justice Department to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for building consensus.

A major issue on the Internet today is trust. The cyber-attacks undermined that trust. But so would government mandates. Security and privacy go hand-in-hand. Trying to improve security without addressing privacy will leave a trust deficit.

Finally, we caution against any government requirements on Internet service providers to keep additional records or to design the Internet to be easier to monitor. These are unlikely to have any long-term positive benefit, they pose obvious risks to privacy, and they could actually harm security. We must not head down the path of government mandates that could end up impeding the growth of this sector and eroding rather than building public trust. It is clear that the private sector is taking the lead to improve Internet security. The potential for the government to help is limited, while the risk of government doing harm is very high.

With that introduction, I would like to address three questions:

1. What was the nature of the attacks three weeks ago and what do they tell us about the problem of Internet security in general?
2. What are the best means to improve Internet security, and what can government do to support that goal?
3. What additional criminal or investigative authorities, if any, are needed and how should they be balanced with privacy protections to ensure that privacy also keeps pace with changes in technology?

1. Internet Security Has Been Ignored for Too Long, But The Solutions Are in the Hands of the Internet Community, Not the Government

Starting three weeks ago in earnest, malicious hackers began attacking prominent e-commerce Web sites with what are known as "denial of service attacks." The targeted e-commerce sites were not broken into. No data were stolen or destroyed. Nobody's credit card number was compromised. Instead, the targeted computers were bombarded with phony messages, so many that legitimate traffic could not get through. It was a little like pranksters repeatedly and rapidly calling your office phone number, tying up all the lines so that constituents could not get through. The impact of the attacks was magnified greatly because the attackers had commandeered a large number of other computers belonging to innocent third parties --universities, other businesses, perhaps even some government agencies -- and programmed them to send out to the targeted sites this barrage of phony messages. Thus the name "distributed" denial of service attack.

However, there are several things unique about these attacks -- differences unique to the Internet -- that make them quite unlike a barrage of phone calls to your office and that point the way to the proper policy response:

• the method of attack was previously well-known and had been the subject of multiple alerts and warnings;
• it exploited vulnerabilities in computer systems that were also well-known;
• there are readily available fixes for those vulnerabilities that would have greatly diminished the force of the attacks, if conscientiously applied by the Internet community;
• most importantly, victims of the attacks, such a eBay, were themselves able to change their systems and work with their Internet Service Providers in order to turn back the attacks and restore full service, usually within one or two hours.

First, the distributed denial of service (DDOS) attack methods were well-known and were the subject of many warnings and alerts before they were launched. The programs used to launch the attacks had been identified and analyzed. The Computer Emergency Response Center (CERT) at Carnegie Mellon had issued a DDOS alert in November 18, 1999, and an update on December 28, specifically describing the kind of software used in the denial of service attacks experienced earlier this month. (Indeed, as early as July 22, 1999, CERT warned of denial of service attacks of this general type.) The FBI issued alerts on December 6, 1999 and on December 30. In addition, various private Internet security companies issued warnings to their clients, and the Financial Services Information Sharing and Analysis Center (FS/ISAC) issued warnings to its members. The attacks were actually used on a smaller scale throughout last Fall. The existence of the DDOS tools was even reported by the major print media, in the San Diego Tribune on November 20 and in USA Today on December 7.) Rarely is any "crime" offline so widely commented upon and analyzed before it occurs.

Second, the attackers who launched these attacks were able to break into hundreds of computers on the Internet and commandeer them because, like most hackers, they were able to exploit well-known system vulnerabilities. And, as with most malicious code, there were diagnostic tools that would have allowed systems administrators to determine if their computers had been hijacked for DDOS purposes. Some systems operators had carefully scrubbed their systems to detect and remove the malicious code; others were less diligent and did not practice good "computer hygiene."

Third, there has long been a means available to prevent DDOS attacks. The Internet Engineering Task Force, a private, non-profit standards-setting body, had recommended a simple and effective method to prohibit DDOS attacks using forged IP addresses in January 1998. Some systems operators had adopted this preventive measures; others, obviously, had not.

Finally, some of the owners of the attacked systems were able to respond to them, and to turn back the attack within less than two hours. For example, eBay testified in the Senate that, when the attack began, it quickly took a number of steps to fight back. Initially, it put in a number of firewalls to repel the bad traffic. When the volume became too great, it turned to its ISPs, and worked with them to develop filtering mechanisms to prevent bad traffic from even reaching eBay's site. Within 90 minutes, the filter effectively stopped the bad traffic and allowed eBay to return to normal service, even though the attack itself continued for an additional 90 minutes. The following day, when the attack resumed, eBay and its ISPs responded so quickly that there was no disruption in service. Within days of the attacks, other Internet security companies had come forward with other countermeasures.

These factors should give pause to policymakers seeking to assign government a major role in Internet security. The tools for warning, diagnosing, preventing and even investigating Internet attacks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime. The ability of the government, and in particular the criminal law, to respond to this problem is quite limited. Even with vastly expanded powers, the government would never be able to respond to even a small percentage of cases as quickly as the private sector can.

It must be stressed that the source of the security problem is not the architectural openness of the Internet, nor does the problem have anything to do with anonymity. Security weaknesses in the Internet are not an inevitable byproduct of the architecture itself: indeed, the decentralized, open, user-controlled architecture is what makes the Internet as resilient as it is. Rather, the problem is that security measures compatible with the open and anonymous nature of the Internet have been given a low priority as the Internet has grown. The explosion of services and business online and the rapid roll-out of new software with new features have come at a price. In that sense, the denial of service attacks were a wake-up call, not because they highlighted the lack of security -- everyone concerned should have known that long ago -- but because they hit the bottom line. They had an impact in the market, both the stock market and the consumer market. As a result, competitive forces are far more likely to produce good security practice than anything the government could do.

The conclusion to be drawn from this is that computer security is not a problem soluble by criminal investigation and prosecution: basic system security has been ignored far too long. Good security can be achieved without sacrificing privacy, the relative anonymity that is now available online, or the democratic openness of the Internet. Invasive government measures are no substitute for the community effort needed to build better security.

Some in government have argued that the Internet's uniqueness requires not less, but more intervention. In particular, they complain about the anonymity or lack of traceability on the Internet. This is a red herring. There is probably more traceability online than in the real world. An anonymous vandal can throw a brick through a bank window and run away down any number of streets. An anonymous pickpocket can lift your wallet with credit cards and melt into the crowd. But we do not require people to carry identification cards, nor do we install checkpoints on our streets. We do not have perfect traceability in the real world, for good reasons. We do not need perfect identity and traceability online either. Nobody has shown that authentication would have stopped these attacks. If anything, experts have explained that some authentication mechanisms would have made the problem worse.

2. The Government Has a Limited Role, Focused on Getting Its Own House In Order, Hiring Trained Staff, and Supporting R&D

Given the unique decentralized, global and user-controlled nature of the Internet, the role of the government is limited. But the government does have a role. First, it must get its own computer security house in order. The Administration's "National Plan" for cyber-security, which focuses on protecting the government's own systems, has some laudable and long-overdue elements. We are concerned, though, that it relies too heavily on a monitoring system that threatens privacy and other civil liberties ("FIDNet") and gives too little priority to closing the known vulnerabilities and fundamental security flaws in government computer systems. (Target date for establishment of the FIDNet monitoring system: October 2000. Target date for fixing "the most significant known vulnerabilities" in critical government computers: May 2003.) To improve government computer security and enforce the computer crime laws, the government needs the resources and Title 5 authority to hire and retain skilled investigators and computer security experts.

The government should do more to support basic research and development in computer security. It is a positive step that the Administration has stopped fighting encryption. We are concerned, though, that CALEA is being used to build surveillance features into the telephone network without adequate attention to security -- that is, the CALEA compliance measures themselves constitute a security vulnerability.

One point often raised is information sharing. The role of the government here, however, is limited. The private sector again is far ahead, and the involvement of the government only increases suspicion.

3. Privacy Protections Have Failed to Keep Pace with Technology, and Need to Be Strengthened to Extend the Fourth Amendment to Cyberspace

The next question that should be addressed is whether any legislative changes are needed: what changes in law, if any, would likely have deterred or made it easier to investigate and prosecute the denial of service attacks, or other exploitations of Internet vulnerability? There is a risk that the recent media focus on the attacks against the e-commerce sites will serve as the vehicle for unrelated enhancements in government authority. The proposals that have been floated in recent weeks predate the denial of service attacks -- they are items that have been sought by the Justice Department for some time.

Secondly, if there is to be legislation modifying the computer crime law or government investigative authorities, how could those changes be balanced and defined so as to protect privacy? Just as there are ways in which law enforcement authorities may need to be updated in response to changing technologies or recognized gaps in the law, so the privacy protections can become outdated and need to be strengthened to keep pace with evolving technology.

There are three major laws setting privacy standards for government interception of communications and access to subscriber information:

• the federal wiretap statute ("Title III"), 18 USC 2510 et seq., requiring a probable cause order from a judge for real-time interception of voice and data communications;
• the Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2701 et seq., setting standards for access to stored electronic communications and transactional records (subscriber identifying information, logs, toll records);
• the pen register and trap and trace statute, enacted as part of ECPA, 18 USC 3121 et seq., governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line."

In other respects, it is clear that the laws' protections are too weak:

• The standard for pen registers (which collect phone dialing information in real time) is minimal - judges must rubber stamp any application presented to them.
• Many of the protections in the wiretap law, including the special approval requirements and the statutory rule against use of illegally obtained evidence, do not apply to email and other Internet communications.
• Data stored on networks is not afforded full privacy protection.
• ISP customers are not entitled to notice when personal information is subpoenaed in civil lawsuits; notice of government requests can be delayed until it is too late to object.

Problems also exist under the 1968 wiretap law, notably in the courts' weakening of the rule against monitoring innocent conversations. And inconsistent standards apply to government access to information about one's activities depending on the type of technology used. For example, watching the same movie via satellite, cable TV, Internet cable modem and video rental is subject to four different privacy standards.

A. Law enforcement enhancements The proposals being discussed to expand the computer fraud and abuse act (18 USC 1030) or to amend the surveillance laws include:

• Amend the Computer Fraud and Abuse Act to allow federal investigation and prosecution in cases where the total damage is less than $5,000. The Act already allows cumulation of loss to cover hacks that cause a small amount of damage to a large number of computers so long as the total damage in the course of any 1-year period is at least $5,000. 18 USC 1030(e)(8). The problem seems to be not that the threshold is too low, but that the definition of "loss" is unclear. The total estimated loss of revenue associated with the denial of service attacks earlier this month was $100 million. An alternative approach is to specify that loss for purposes of determining damage includes the reasonable costs to any victim of conducting a damage assessment, restoring the system and data to their prior condition, and any lost revenue. This is already in the sentencing guidelines. (Sec. 2B1.1, Commentary.)
• Authorize judges in one jurisdiction to issue pen register and trap and trace orders to service providers anywhere in the country. 18 USC 3123(a) currently states that a judge shall authorize the installation and use of a pen register or trap and trace device "within the jurisdiction of the court." The proposed change would not be limited to computer crime cases -- it would also apply to plain old telephones. Nor would it be limited to situations where a communication passed through multiple service providers: it would allow a Miami judge to authorize the use of a pen register in New York on communications starting and ending in New York.
• Increasing computer crime prosecutions by modifying a sentencing directive. Sen. Schumer has noted that a Congressional directive to the Sentencing Commission required a mandatory minimum sentence of six months in prison for violations of certain section 1030 violations. This has in effect discouraged some prosecutors from bringing small cases.
• Amend section 1030 to make juveniles 15 years of age and older eligible for federal prosecution in cases where the Attorney General certifies that such prosecution is appropriate.
• Add computers located outside the United States to the definition of protected computers in 18 USC 1030(e)(2)(B).
• Add forfeiture of any property used or intended to be used to commit or facilitate the crime to the penalties provided under 1030; and add forfeiture of any device used to copy a computer program or other item to which a counterfeit label is affixed, under 18 USC 2318.
• Permit interception without a court order upon consent of an operator of a system when the system is the subject of attack.

B. Privacy enhancements Many privacy issues have been identified, including the following, some of which are in legislation proposed by Sen. Leahy and others. If Congress starts "fixing" the problems identified by the Justice Department, no bill can be considered balanced and responsive to the needs of Internet users unless it addresses privacy as well:

• To limit the pen register/trap and trace authority and to improve further the privacy protections adopted under ECPA for pen register and trap and trace investigations:
  • Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on an Internet service provider or in other packet networks. Specify that the pen register or trap and trace authority authorizes collection only of information used for communication-routing purposes by the service provider upon whom the order is served and requiring that service providers and law enforcement agencies execute pen register and trap and trace orders in such a way as to minimize the disclosure and collection of content and other information not used for communication-routing purposes by the service provider upon whom the order is served. This would make it clear that a service provider is not responsible for tracing communications outside its network or providing routing information used by others service providers. (Sen. Leahy, E-PRIVACY bill, sec. 105.)
  • Increase the standard for pen registers. Under current law, a court order is required but the judge is a mere rubber stamp -- the statute presently says that the judge "shall" approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. The proposal is to require the court to affirmatively find, based on a showing by the government, that the information sought is relevant and material. (Sen. Leahy, E-PRIVACY sec. 105(a), E-Rights sec. 103.)
• Add electronic communications to the Title III exclusionary rule in 18 USC 2515. This would respond to the McVeigh/AOL case, by prohibiting the government from using improperly obtained information about electronic communications.
• Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.
• Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.
• Require statistical reports for 2703 disclosures, similar to the reports required under Title III. (Sen Leahy's E-Rights bill, sec. 107.)
• Limit sale and disclosure of transactional information about Internet usage -- bring 2703 standards for disclosure to private parties into line with rules applicable to telephones. (E-Rights, sec. 110.)
• Clarify whether Internet queries are content, which cannot be disclosed without consent or legal process.
• Provide enhanced protection for information on networks: probable cause for seizure without prior notice, opportunity to object for subpoena access. (Sen. Leahy's E-PRIVACY bill, sec. 103; E-Rights, sec. 101.)
• Clarify and strengthen the minimization requirement.
• Limit authority for roving taps. (E-Rights, sec. 108.)
• Establish probable cause standard for access to wireless phone location data in real- time. (E-PRIVACY, sec. 104.)
• Enact clearer standard for interception of conference calls. (E-Rights, sec. 104.)
• Extend Title III to law enforcement interceptions overseas.
• Privacy standards for government access to data collected by DNS registrars and registries. (E-Rights sec. 106.)
• Add DVD to 18 USC 2710 (privacy protection for video rental records) and conform to cable viewing privacy standards, add satellites to cable viewing privacy standards (E-Rights sec. 401) and extend cable viewing rules to Internet over cable and DSL, thereby creating one standard for cable, Internet, satellite, or rental.

Conclusion

Our message today is one of caution and balance: Internet security is a problem, and it requires solutions, but those solutions must map onto the uniquely global, decentralized, and user-controlled nature of the Internet. The Internet has flourished without government intervention. Building more secure networks is largely within the domain of the private sector. The government cannot offer much and can do grave harm. There is a role for law enforcement, but it cannot be separated from the issue of privacy. Fourth Amendment standards are not fully applicable to networks, and the continued availability of information has outpaced the privacy protections in statute. Any legislation enhancing law enforcement must be coupled with privacy legislation tightening the standards for government access.

House Rule XI, clause 2(g)(4) disclosure: Neither James X. Dempsey nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.