Policy Post 6.04: Hack Attacks Raise Specter Of Government Intervention

From info@cdt.org
Date Thu, 17 Feb 2000 09:47:35 -0500

[: hacktivism :]

CDT POLICY POST Volume 6, Number 4 February 16, 2000


(1) Hack Attacks Raise Specter Of Government Intervention
(2) Reno, Freeh, Senators Propose Computer Crime Legislation
(3) Cdt Urges Privacy At White House Summit On Hack Attacks
(4) Crafting A Balanced Legislative Proposal
(5) Policy Post Administration



Last week's denial of service attacks on major e-commerce Web sites 
have prompted interest in Washington, with potentially serious 
implications for the relationship between government and the Internet.

CDT is concerned that the attacks may serve as justification for 
legislation or other government mandates that will be harmful to 
civil liberties and the positive aspects of the openness and relative 
anonymity of the Internet. Such a course is especially unjustified 
when there is so much to be done to improve security without changing 
the architecture or protocols of the Internet or further eroding 

While denial of service is appropriately a crime, the recent attacks 
highlight a problem not soluble by criminal investigation and 
prosecution: basic system security has been ignored far too long.

In terms of developing policy responses, it is important to recognize 
that the affected sites were able to recover quickly and install 
defenses against further similar attacks.  Moreover, the distributed 
denial of service (DDOS) attack methods were well-known and widely 
reported before they were launched.  Like most attacks, they 
exploited well-known system vulnerabilities.  And, as with most 
malicious code, there were diagnostic tools that would have allowed 
systems administrators to determine if their computers had been 
hijacked for DDOS purposes.

The IETF had recommended a simple and effective method to prohibit 
DOS attacks using forged IP addresses in January 1998: 

The CERT at Carnegie Mellon had issued a DDOS incident note in 
November 1999, specifically describing the kind of tools used in last 
week's attacks: http://www.cert.org/incident_notes/IN-99-07.html.

CDT believes that good security can be achieved without sacrificing 
privacy, the relative anonymity that is now available online, or the 
democratic openness of the Internet.  Invasive government measures 
are no substitute for the community effort needed to build better 


At a Senate hearing today, Attorney General Janet Reno announced that 
the Justice Department was preparing a legislative package to better 
locate, identify and prosecute cybercriminals.  Reno mentioned three 
specific items:

* amend the Computer Fraud and Abuse Act to cover hacks that cause 
damage to a large number of computers even if no individual computer 
sustains damage above the current $5,000 threshold;

* authorize judges in one jurisdiction to issue trap and trace orders 
to  service providers anywhere in the country;

* increase the penalties for intrusions into private stored communications.

FBI Director Louis Freeh suggested extending RICO to computer crimes. 
Under the Racketeer Influenced and Corrupt Organizations Act, two 
illegal acts over a period of ten years constitute a "pattern of 
racketeering activity," subject to asset forfeiture and up to 20 
years in prison.

Freeh also talked about encryption.  In a confusing statement, he 
said that without the ability to get court-ordered access to 
plaintext, law enforcement agencies will be unable to investigate a 
large number of cases, but he also said that changes in statute were 
not necessary in this regard.  Freeh said that last year the FBI had 
encountered encryption in only 53 cases.

At the hearing, Sen. Patrick Leahy (D-VT) announced that he was 
preparing his own bill to broaden the scope of the prohibitions 
relating to computer hacking, including a refinement of the 
definition of what constitutes loss and damage caused by an intruder 
on a computer system and measures to allow U.S. law enforcement 
officials to investigate and assist in international hacker cases.

Jeff Richards of the Internet Alliance called for narrowly tailored 
legislation regarding the forgery of header and routing data.

Finally, in a Dear Colleague letter circulated today, Sen. Charles 
Schumer (D-NY) announced that he too was drafting computer crime 

Testimony from today's hearing should be online soon at 

Statements by Sens. Leahy and Schumer are at http://www.cdt.org/security/


The tenor of today's Congressional hearing contrasted with Tuesday's 
cyber-security summit at the White House, as CDT joined industry and 
academic experts in urging President Clinton to let industry take the 
lead in responding to the hacks. CDT senior staff counsel Jim Dempsey 
stressed that good network security can be achieved without 
sacrificing privacy or anonymity online.  The President, who stayed 
for the full 90-minute meeting, appeared to understand that 
government had a limited role and that any approaches taken must 
preserve privacy and the openness of the Internet.

Among other initiatives, industry pledged to establish a system for 
sharing information about vulnerabilities and attacks.

One of the best points was by Whit Diffie, who argued that government 
needs to move from a "police department" model to a "fire department" 
model, emphasizing prevention and public education.  Others agreed, 
using the public health model, stressing the need for "computer 
hygiene" to extirpate malicious code and install and regularly 
upgrade security measures.

In the press briefing following the meeting, White House chief of 
staff John D. Podesta reiterated that "the solutions we talked about 
did not involve greater government regulation, or really greater 
governmental power.  They were things that we could do, again, in 
partnership with the private sector to increase security."

The President's opening remarks and the industry statement are online 
at http://www.cdt.org/security/

CDT's analysis of the Administration's plan for FIDNet and other 
security measures aimed at the government's own systems is at 


The flurry of legislative proposals raises two concerns: (a) ensuring 
that cyber-security does not become the proverbial legislative 
Christmas tree that legislators rush to hang more provisions on; and 
(b) that any legislation balance expanded crimes or authorities with 
changes to strengthen standards for government access to information.

At today's hearing, the Attorney General stated that "both our 
substantive laws and procedural tools are not always adequate to keep 
pace with the rapid changes in technology."  From the privacy 
perspective, this is undoubtedly true.  The recognized deficiencies 
with the Electronic Communications Privacy Act of 1986 include the 

* It is not clear what personal information can be or must be 
disclosed to the government under a pen register or trap and trace 
order served on an Internet service provider or in other packet 
networks.  There is even confusion about how query strings and URLs 
should be treated.

* The standard pen register (which collect phone dialing information 
in real time) is minimal - judges must rubber stamp any application 
presented to them.

* Many of the protections in the wiretap law, including the statutory 
rule against use of illegally obtained evidence and the remedies for 
privacy violations, do not apply to email and other Internet 

* Data stored on networks is not afforded full privacy protection.

* ISP customers are not entitled to notice when personal information 
is subpoenaed in civil lawsuits; notice of government requests can be 
delayed until it is too late to object.

Problems also exist under the 1968 wiretap law, notably in the 
courts' weakening of the rule against monitoring innocent 

And inconsistent standards apply to government access to information 
about one's habits depending on the type of technology used.  For 
example, watching the same movie via satellite, cable TV, Internet 
cable modem and video rental is subject to four different privacy 



To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "subscribe policy-posts" without the quotes.

To unsubscribe from CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "unsubscribe policy-posts" without the quotes.

Detailed information about online civil liberties issues may be found at

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_6.04.shtml. Excerpts may be re-posted
with prior permission of ari@cdt.org

Policy Post 6.4 Copyright 2000 Center for Democracy and Technology

[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]