Testimony of James X. Dempsey
Senior Staff Counsel
Center for Democracy and Technology
Subcommittee on Crime of the House Judiciary Committee
Subcommittee on Criminal Justice Oversight of the Senate Judiciary Committee
February 29, 2000
Chairman Thurmond, Chairman McCollum, and Subcommittee Members, thank you for the opportunity to testify on the important issue of Internet security and the federal response. The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include enhancing privacy protections for individuals and preserving the open architecture of the Internet. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.
CDT focuses much of its work on the Internet because we believe that, more than any other medium, it has characteristics that are uniquely supportive of democratic values. In framing policy solutions for the Internet, we believe it is imperative to recognize and preserve the open, global, decentralized, interactive, and user-controlled nature of this medium. The Internet has become the engine of our economy. It is transforming education, medicine, journalism, and entertainment. It also has the power to enhance the democratic relationship between government and its citizens. All one has to do is look at Thomas, the Web site of the Library of Congress, or consider how the Internet is being used in election campaigns to bring into the political process people never before involved in politics to see how it has the potential to revitalize democracy and restore trust in government. For the sake of the economic, social and political benefits of this medium, Congress should do nothing that will interfere with its open architecture and user-controlled nature.
Hacking, unauthorized access to computers, denial of service attacks, and the theft, alteration or destruction of data are all crimes, appropriately so, and the perpetrators of the recent denial of service attacks should be punished if caught. But Congress must recognize that the problem of Internet security is not one primarily within the control of the federal government. Particularly, it is not a problem to be solved through the criminal justice system. Internet security is primarily a matter for the private sector, which has built this amazing system in such a short time without government interference. It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match, given the rapid pace of technology change and the decentralized nature of the medium.
It is always appropriate to consider whether our laws have been outdated by changes in technology, and several proposals have been under consideration since before the recent attacks to amend the computer crime statute and the electronic surveillance laws to enhance law enforcement authorities. The Subcommittees, after careful analysis, may find that some modest changes are appropriate. But we urge caution, especially in terms of any changes that would enhance surveillance powers or government access to information. Americans are already deeply concerned about their privacy, especially online. Changes in technology are making ever more information available to government investigators, often with minimal process falling far short of Fourth Amendment standards. You must be careful to ensure that the recent Internet attacks do not serve as justification for legislation or other government mandates that will be harmful to civil liberties and the positive aspects of the openness and relative anonymity of the Internet. Such a course is especially unjustified when there is so much to be done to improve security without changing the architecture or protocols of the Internet or further eroding privacy.
The major problem we see in the law now is that the standards for government access to information are not high enough to protect the privacy of legitimate computer users. If the Congress concludes that any legislative changes are necessary in response to Internet security, those changes should be equally balanced with measures to improve privacy by tightening the standards for government surveillance and access to information. We are prepared to work with the Committees and the Justice Department to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for building consensus.
A major issue on the Internet today is trust. The cyber-attacks undermined that trust. But so would government mandates. Security and privacy go hand-in-hand. Trying to improve security without addressing privacy will leave a trust deficit.
Finally, we caution against any government requirements on Internet service providers to keep additional records or to design the Internet to be easier to monitor. These are unlikely to have any long-term positive benefit, they pose obvious risks to privacy, and they could actually harm security. We must not head down the path of government mandates that could end up impeding the growth of this sector and eroding rather than building public trust. It is clear that the private sector is taking the lead to improve Internet security. The potential for the government to help is limited, while the risk of government doing harm is very high.
With that introduction, I would like to address three questions:
1. Internet Security Has Been Ignored for Too Long, But The Solutions Are in the Hands of the Internet Community, Not the Government
Starting three weeks ago in earnest, malicious hackers began attacking prominent e-commerce Web sites with what are known as "denial of service attacks." The targeted e-commerce sites were not broken into. No data were stolen or destroyed. Nobody's credit card number was compromised. Instead, the targeted computers were bombarded with phony messages, so many that legitimate traffic could not get through. It was a little like pranksters repeatedly and rapidly calling your office phone number, tying up all the lines so that constituents could not get through. The impact of the attacks was magnified greatly because the attackers had commandeered a large number of other computers belonging to innocent third parties -- universities, other businesses, perhaps even some government agencies -- and programmed them to send out to the targeted sites this barrage of phony messages. Thus the name "distributed" denial of service attack.
However, there are several things unique about these attacks -- differences unique to the Internet -- that make them quite unlike a barrage of phone calls to your office and that point the way to the proper policy response:
First, the distributed denial of service (DDOS) attack methods were well-known and were the subject of many warnings and alerts before they were launched. The programs used to launch the attacks had been identified and analyzed. The Computer Emergency Response Center (CERT) at Carnegie Mellon had issued a DDOS alert on November 18, 1999, and an update on December 28, specifically describing the kind of software used in the denial of service attacks experienced earlier this month. (Indeed, as early as July 22, 1999, CERT warned of denial of service attacks of this general type.) The FBI issued alerts on December 6, 1999 and on December 30. In addition, various private Internet security companies issued warnings to their clients, and the Financial Services Information Sharing and Analysis Center (FS/ISAC) issued warnings to its members. The attacks were actually used on a smaller scale throughout last fall. The existence of the DDOS tools was even reported by the major print media, in the San Diego Tribune on November 20 and in USA Today on December 7. Rarely is any "crime" offline so widely commented upon and analyzed before it occurs.
Second, the attackers who launched these attacks were able to break into hundreds of computers on the Internet and commandeer them because, like most hackers, they were able to exploit well-known system vulnerabilities. And, as with most malicious code, there were diagnostic tools that would have allowed systems administrators to determine if their computers had been hijacked for DDOS purposes. Some systems operators had carefully scrubbed their systems to detect and remove the malicious code; others were less diligent and did not practice good "computer hygiene."
Third, there has long been a means available to prevent DDOS attacks. The Internet Engineering Task Force, a private, non-profit standards-setting body, had recommended a simple and effective method to prohibit DDOS attacks using forged IP addresses in January 1998. Some systems operators had adopted this preventive measure; others, obviously, had not.
Finally, some of the owners of the attacked systems were able to respond to them, and to turn back the attack within less than two hours. For example, eBay testified in the Senate that, when the attack began, it quickly took a number of steps to fight back. Initially, it put in a number of firewalls to repel the bad traffic. When the volume became too great, it turned to its ISPs, and worked with them to develop filtering mechanisms to prevent bad traffic from even reaching eBay's site. Within 90 minutes, the filter effectively stopped the bad traffic and allowed eBay to return to normal service, even though the attack itself continued for an additional 90 minutes. The following day, when the attack resumed, eBay and its ISPs responded so quickly that there was no disruption in service. Within days of the attacks, other Internet security companies had come forward with other countermeasures.
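As an added illustration, not part of the testimony, of the IETF recommendation referred to in the third point above (which I take to be RFC 2267, "Network Ingress Filtering," January 1998): an access router drops any packet arriving from a customer network whose source address lies outside the prefixes allocated to that customer, so a commandeered host behind it cannot forge source addresses in the traffic it sends. The customer prefix, packet structure and sample packets are constructed for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: the prefix allocated to the customer network behind this
# router interface. Legitimate traffic from that network must carry a
# source address inside it (RFC 2267 ingress filtering).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address as text
    dst: str  # destination IP address as text


def ingress_filter(pkt, allowed=CUSTOMER_PREFIXES):
    """Return True if the packet may be forwarded upstream.

    The source must fall inside one of the allowed prefixes. Mismatched
    address families (e.g. an IPv6 source against an IPv4 prefix) are
    never "in" the prefix, so they are dropped too.
    """
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def filter_batch(packets, allowed=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_filter(pkt, allowed) else dropped).append(pkt)
    return forwarded, dropped


def spoofed_source_counts(dropped):
    """Count dropped packets per forged source address.

    A spike here is the operator's signal that a host on the customer
    network has been hijacked for DDOS use, i.e. the 'computer hygiene'
    check the testimony describes.
    """
    return Counter(pkt.src for pkt in dropped)


# Constructed sample: two legitimate packets, three with forged sources.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "198.51.100.1"),
    Packet("192.0.2.7", "198.51.100.1"),      # forged: outside customer prefix
    Packet("203.0.113.200", "198.51.100.1"),
    Packet("10.0.0.5", "198.51.100.1"),       # forged: private range
    Packet("2001:db8::1", "198.51.100.1"),    # forged: wrong address family
]

if __name__ == "__main__":
    fwd, drop = filter_batch(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    print(spoofed_source_counts(drop))
```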
These factors should give pause to policymakers seeking to assign government a major role in Internet security. The tools for warning, diagnosing, preventing and even investigating Internet attacks are uniquely in the hands of the private sector. In these ways, Internet crime is quite different from other forms of crime. The ability of the government, and in particular the criminal law, to respond to this problem is quite limited. Even with vastly expanded powers, the government would never be able to respond to even a small percentage of cases as quickly as the private sector can.
It must be stressed that the source of the security problem is not the architectural openness of the Internet, nor does the problem have anything to do with anonymity. Security weaknesses in the Internet are not an inevitable byproduct of the architecture itself: indeed, the decentralized, open, user-controlled architecture is what makes the Internet as resilient as it is. Rather, the problem is that security measures compatible with the open and anonymous nature of the Internet have been given a low priority as the Internet has grown. The explosion of services and business online and the rapid roll-out of new software with new features have come at a price. In that sense, the denial of service attacks were a wake-up call, not because they highlighted the lack of security -- everyone concerned should have known that long ago -- but because they hit the bottom line. They had an impact in the market, both the stock market and the consumer market. As a result, competitive forces are far more likely to produce good security practice than anything the government could do.
The conclusion to be drawn from this is that computer security is not a problem soluble by criminal investigation and prosecution: basic system security has been ignored far too long. Good security can be achieved without sacrificing privacy, the relative anonymity that is now available online, or the democratic openness of the Internet. Invasive government measures are no substitute for the community effort needed to build better security.
Some in government have argued that the Internet's uniqueness requires not less, but more intervention. In particular, they complain about the anonymity or lack of traceability on the Internet. This is a red herring. There is probably more traceability online than in the real world. An anonymous vandal can throw a brick through a bank window and run away down any number of streets. An anonymous pickpocket can lift your wallet with credit cards and melt into the crowd. But we do not require people to carry identification cards, nor do we install checkpoints on our streets. We do not have perfect traceability in the real world, for good reasons. We do not need perfect identity and traceability online either. Nobody has shown that authentication would have stopped these attacks. If anything, experts have explained that some authentication mechanisms would have made the problem worse.
2. The Government Has a Limited Role, Focused on Getting Its Own House In Order, Hiring Trained Staff, and Supporting R&D
Given the unique decentralized, global and user-controlled nature of the Internet, the role of the government is limited. But the government does have a role. First, it must get its own computer security house in order. The Administration's "National Plan" for cyber-security, which focuses on protecting the government's own systems, has some laudable and long-overdue elements. We are concerned, though, that it relies too heavily on a monitoring system that threatens privacy and other civil liberties ("FIDNet") and gives too little priority to closing the known vulnerabilities and fundamental security flaws in government computer systems. (Target date for establishment of the FIDNet monitoring system: October 2000. Target date for fixing "the most significant known vulnerabilities" in critical government computers: May 2003.) To improve government computer security and enforce the computer crime laws, the government needs the resources and Title 5 authority to hire and retain skilled investigators and computer security experts.
The government should do more to support basic research and development in computer security. It is a positive step that the Administration has stopped fighting encryption. We are concerned, though, that CALEA is being used to build surveillance features into the telephone network without adequate attention to security -- that is, the CALEA compliance measures themselves constitute a security vulnerability.
One point often raised is information sharing. The role of the government here, however, is limited. The private sector again is far ahead, and the involvement of the government only increases suspicion.
3. Privacy Protections Have Failed to Keep Pace with Technology, and Need to Be Strengthened to Extend the Fourth Amendment to Cyberspace
The next question that should be addressed is whether any legislative changes are needed: what changes in law, if any, would likely have deterred or made it easier to investigate and prosecute the denial of service attacks, or other exploitations of Internet vulnerability? There is a risk that the recent media focus on the attacks against the e-commerce sites will serve as the vehicle for unrelated enhancements in government authority. The proposals that have been floated in recent weeks predate the denial of service attacks -- they are items that have been sought by the Justice Department for some time.
Secondly, if there is to be legislation modifying the computer crime law or government investigative authorities, how could those changes be balanced and defined so as to protect privacy? Just as there are ways in which law enforcement authorities may need to be updated in response to changing technologies or recognized gaps in the law, so the privacy protections can become outdated and need to be strengthened to keep pace with evolving technology.
There are three major laws setting privacy standards for government interception of communications and access to subscriber information:
In other respects, it is clear that the laws' protections are too weak:
Problems also exist under the 1968 wiretap law, notably in the courts' weakening of the rule against monitoring innocent conversations. And inconsistent standards apply to government access to information about one's activities depending on the type of technology used. For example, watching the same movie via satellite, cable TV, Internet cable modem and video rental is subject to four different privacy standards.
A. Law enforcement enhancements
The proposals being discussed to expand the computer fraud and abuse act (18 USC 1030) or to amend the surveillance laws include:
B. Privacy enhancements
Many privacy issues have been identified, including the following, some of which are in legislation proposed by Sen. Leahy and others. If Congress starts "fixing" the problems identified by the Justice Department, no bill can be considered balanced and responsive to the needs of Internet users unless it addresses privacy as well:
Our message today is one of caution and balance: Internet security is a problem, and it requires solutions, but those solutions must map onto the uniquely global, decentralized, and user-controlled nature of the Internet. The Internet has flourished without government intervention. Building more secure networks is largely within the domain of the private sector. The government cannot offer much and can do grave harm. There is a role for law enforcement, but it cannot be separated from the issue of privacy. Fourth Amendment standards are not fully applicable to networks, and the continued availability of information has outpaced the privacy protections in statute. Any legislation enhancing law enforcement must be coupled with privacy legislation tightening the standards for government access.
House Rule XI, clause 2(g)(4) disclosure: Neither James X. Dempsey nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.