Policy Post 6.04: Hack Attacks Raise Specter Of Government Intervention
From: info@cdt.org
Date: Thu, 17 Feb 2000 09:47:35 -0500
[: hacktivism :]
CDT POLICY POST Volume 6, Number 4 February 16, 2000
A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
CONTENTS:
(1) Hack Attacks Raise Specter Of Government Intervention
(2) Reno, Freeh, Senators Propose Computer Crime Legislation
(3) CDT Urges Privacy At White House Summit On Hack Attacks
(4) Crafting A Balanced Legislative Proposal
(5) Policy Post Administration
______________________________________________________________________
(1) HACK ATTACKS RAISE SPECTER OF GOVERNMENT INTERVENTION
Last week's denial of service attacks on major e-commerce Web sites
have prompted interest in Washington, with potentially serious
implications for the relationship between government and the Internet.
CDT is concerned that the attacks may serve as justification for
legislation or other government mandates that will be harmful to
civil liberties and the positive aspects of the openness and relative
anonymity of the Internet. Such a course is especially unjustified
when there is so much to be done to improve security without changing
the architecture or protocols of the Internet or further eroding
privacy.
While denial of service is appropriately a crime, the recent attacks
highlight a problem not soluble by criminal investigation and
prosecution: basic system security has been ignored far too long.
In terms of developing policy responses, it is important to recognize
that the affected sites were able to recover quickly and install
defenses against further similar attacks. Moreover, the distributed
denial of service (DDOS) attack methods were well-known and widely
reported before they were launched. Like most attacks, they
exploited well-known system vulnerabilities. And, as with most
malicious code, there were diagnostic tools that would have allowed
systems administrators to determine if their computers had been
hijacked for DDOS purposes.
In January 1998 the IETF had recommended a simple and effective method
to block DOS attacks that use forged source IP addresses:
http://www.ietf.org/rfc/rfc2267.txt.
The CERT at Carnegie Mellon had issued a DDOS incident note in
November 1999, specifically describing the kind of tools used in last
week's attacks: http://www.cert.org/incident_notes/IN-99-07.html.
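The method the post points to in RFC 2267 is network ingress filtering: an ISP's edge router knows which address prefixes it assigned to each customer link, so a packet arriving on that link with a source address outside those prefixes is forged and can be dropped before it reaches the rest of the Internet. The following is an added illustration of that check, written for this page and not taken from the CDT post or the RFC; the interface names, prefixes and packets are constructed, and the drop log and per-interface drop counter are assumptions added to show how the same filter doubles as a detector for a customer machine that has been hijacked into a flooding network.

```python
"""
Network ingress filtering in the style of RFC 2267.

A packet arriving on a customer link is forwarded only if its source
address lies inside a prefix assigned to that link.  Everything else is
dropped and counted, so an operator can see which link is emitting
forged traffic.  Added example; all names and addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Union

Prefix = Union[IPv4Network, IPv6Network]


@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # source address as written in the IP header
    dst: str          # destination address


@dataclass
class IngressFilter:
    # interface name -> prefixes legitimately sourced on that interface
    allowed: Dict[str, List[Prefix]]
    drops: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    @classmethod
    def from_config(cls, cfg: Dict[str, List[str]]) -> "IngressFilter":
        """Build a filter from {interface: [prefix strings]}."""
        return cls({ifname: [ip_network(p, strict=False) for p in prefixes]
                    for ifname, prefixes in cfg.items()})

    def permits(self, pkt: Packet) -> bool:
        """True if the source address is valid for the arrival interface."""
        try:
            src = ip_address(pkt.src)
        except ValueError:
            return self._drop(pkt, "unparsable source address")
        if pkt.ingress_if not in self.allowed:
            # No assignment known for this link: nothing can be trusted.
            return self._drop(pkt, "no prefix assigned to interface")
        for net in self.allowed[pkt.ingress_if]:
            if src.version == net.version and src in net:
                return True
        return self._drop(pkt, "source outside assigned prefix")

    def _drop(self, pkt: Packet, reason: str) -> bool:
        self.drops[pkt.ingress_if] = self.drops.get(pkt.ingress_if, 0) + 1
        self.log.append(f"DROP if={pkt.ingress_if} src={pkt.src} "
                        f"dst={pkt.dst} ({reason})")
        return False

    def suspicious_interfaces(self, threshold: int) -> List[str]:
        """Links whose forged-source drop count reached the threshold."""
        return sorted(i for i, n in self.drops.items() if n >= threshold)


# Constructed edge-router configuration: two customer links.
CONFIG = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# Constructed traffic sample mixing legitimate and forged sources.
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.80"),      # valid
    Packet("cust-a", "192.0.2.200", "203.0.113.80"),     # valid
    Packet("cust-a", "10.9.8.7", "203.0.113.80"),        # forged
    Packet("cust-b", "198.51.100.5", "203.0.113.80"),    # valid
    Packet("cust-b", "198.51.100.200", "203.0.113.80"),  # outside the /25
    Packet("cust-b", "2001:db8:b::1", "2001:db8:ffff::80"),  # valid v6
    Packet("cust-b", "2001:db8:c::1", "2001:db8:ffff::80"),  # forged v6
    Packet("cust-b", "192.0.2.10", "203.0.113.80"),      # borrowed from cust-a
    Packet("cust-c", "192.0.2.1", "203.0.113.80"),       # unknown link
    Packet("cust-b", "not-an-address", "203.0.113.80"),  # malformed
]


def run_demo(threshold: int = 3) -> dict:
    """Run the sample through the filter and summarise the outcome."""
    flt = IngressFilter.from_config(CONFIG)
    permitted = sum(1 for p in SAMPLE if flt.permits(p))
    return {
        "permitted": permitted,
        "dropped": len(SAMPLE) - permitted,
        "suspicious": flt.suspicious_interfaces(threshold),
        "log": flt.log,
    }


if __name__ == "__main__":
    summary = run_demo()
    for line in summary["log"]:
        print(line)
    print(f"permitted={summary['permitted']} dropped={summary['dropped']} "
          f"suspicious={summary['suspicious']}")
```

Two caveats that RFC 2267 itself makes are visible in the sample: the filter only catches addresses outside the customer's own prefix, so a compromised host can still forge another address inside 192.0.2.0/24, and the check has to run at the provider's edge, where the assignment is known, rather than at the victim, who sees only the forged source.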
CDT believes that good security can be achieved without sacrificing
privacy, the relative anonymity that is now available online, or the
democratic openness of the Internet. Invasive government measures
are no substitute for the community effort needed to build better
security.
____________________________________________________________________
(2) RENO, FREEH, SENATORS PROPOSE COMPUTER CRIME LEGISLATION
At a Senate hearing today, Attorney General Janet Reno announced that
the Justice Department was preparing a legislative package to better
locate, identify and prosecute cybercriminals. Reno mentioned three
specific items:
* amend the Computer Fraud and Abuse Act to cover hacks that cause
damage to a large number of computers even if no individual computer
sustains damage above the current $5,000 threshold;
* authorize judges in one jurisdiction to issue trap and trace orders
to service providers anywhere in the country;
* increase the penalties for intrusions into private stored communications.
FBI Director Louis Freeh suggested extending RICO to computer crimes.
Under the Racketeer Influenced and Corrupt Organizations Act, two
illegal acts over a period of ten years constitute a "pattern of
racketeering activity," subject to asset forfeiture and up to 20
years in prison.
Freeh also talked about encryption. In a confusing statement, he
said that without the ability to get court-ordered access to
plaintext, law enforcement agencies will be unable to investigate a
large number of cases, but he also said that changes in statute were
not necessary in this regard. Freeh said that last year the FBI had
encountered encryption in only 53 cases.
At the hearing, Sen. Patrick Leahy (D-VT) announced that he was
preparing his own bill to broaden the scope of the prohibitions
relating to computer hacking, including a refinement of the
definition of what constitutes loss and damage caused by an intruder
on a computer system and measures to allow U.S. law enforcement
officials to investigate and assist in international hacker cases.
Jeff Richards of the Internet Alliance called for narrowly tailored
legislation regarding the forgery of header and routing data.
Finally, in a Dear Colleague letter circulated today, Sen. Charles
Schumer (D-NY) announced that he too was drafting computer crime
legislation.
Testimony from today's hearing should be online soon at
http://www.senate.gov/~appropriations/commerce/hrgtest.htm.
Statements by Sens. Leahy and Schumer are at http://www.cdt.org/security/
________________________________________________________________
(3) CDT URGES PRIVACY AT WHITE HOUSE SUMMIT ON HACK ATTACKS
The tenor of today's Congressional hearing contrasted with Tuesday's
cyber-security summit at the White House, as CDT joined industry and
academic experts in urging President Clinton to let industry take the
lead in responding to the hacks. CDT senior staff counsel Jim Dempsey
stressed that good network security can be achieved without
sacrificing privacy or anonymity online. The President, who stayed
for the full 90-minute meeting, appeared to understand that
government had a limited role and that any approaches taken must
preserve privacy and the openness of the Internet.
Among other initiatives, industry pledged to establish a system for
sharing information about vulnerabilities and attacks.
One of the best points was by Whit Diffie, who argued that government
needs to move from a "police department" model to a "fire department"
model, emphasizing prevention and public education. Others agreed,
using the public health model, stressing the need for "computer
hygiene" to extirpate malicious code and install and regularly
upgrade security measures.
In the press briefing following the meeting, White House chief of
staff John D. Podesta reiterated that "the solutions we talked about
did not involve greater government regulation, or really greater
governmental power. They were things that we could do, again, in
partnership with the private sector to increase security."
The President's opening remarks and the industry statement are online
at http://www.cdt.org/security/
CDT's analysis of the Administration's plan for FIDNet and other
security measures aimed at the government's own systems is at
http://www.cdt.org/policy/terrorism/oneildempseymemo.html
_________________________________________________________________
(4) CRAFTING A BALANCED LEGISLATIVE PROPOSAL
The flurry of legislative proposals raises two concerns: (a) ensuring
that cyber-security does not become the proverbial legislative
Christmas tree that legislators rush to hang more provisions on; and
(b) ensuring that any legislation balances expanded crimes or authorities
with changes to strengthen standards for government access to information.
At today's hearing, the Attorney General stated that "both our
substantive laws and procedural tools are not always adequate to keep
pace with the rapid changes in technology." From the privacy
perspective, this is undoubtedly true. The recognized deficiencies
with the Electronic Communications Privacy Act of 1986 include the
following:
* It is not clear what personal information can be or must be
disclosed to the government under a pen register or trap and trace
order served on an Internet service provider or in other packet
networks. There is even confusion about how query strings and URLs
should be treated.
* The standard for a pen register order (pen registers collect phone
dialing information in real time) is minimal - judges must rubber stamp
any application presented to them.
* Many of the protections in the wiretap law, including the statutory
rule against use of illegally obtained evidence and the remedies for
privacy violations, do not apply to email and other Internet
communications.
* Data stored on networks is not afforded full privacy protection.
* ISP customers are not entitled to notice when personal information
is subpoenaed in civil lawsuits; notice of government requests can be
delayed until it is too late to object.
Problems also exist under the 1968 wiretap law, notably in the
courts' weakening of the rule against monitoring innocent
conversations.
And inconsistent standards apply to government access to information
about one's habits depending on the type of technology used. For
example, watching the same movie via satellite, cable TV, Internet
cable modem and video rental is subject to four different privacy
standards.
______________________________________________________________________
(5) POLICY POST ADMINISTRATION
To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "subscribe policy-posts" without the quotes.
To unsubscribe from CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "unsubscribe policy-posts" without the quotes.
Detailed information about online civil liberties issues may be found at
http://www.cdt.org/.
This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_6.04.shtml. Excerpts may be re-posted
with prior permission of ari@cdt.org
Policy Post 6.4 Copyright 2000 Center for Democracy and Technology