Statement by U.S. Senator Jon Kyl (R-Arizona)

Chairman, Senate Judiciary Subcommittee on Technology, Terrorism and
Government Information

March 28, 2000

"Cyber Attack: Roadblocks to Investigation and Information Sharing"

The subcommittee will please come to order. Let me first welcome
everyone to this hearing of the Subcommittee on Technology, Terrorism,
and Government Information. Today, we will examine various roadblocks
to the protection of our information systems from cyber attack. Using
the recent denial of service attacks as a backdrop, we will discuss
some of the things that inhibit swift investigation and prosecution of
cyber crimes, and the sharing of vulnerability and threat information
among the private sector and with organizations affiliated with the
federal government. This is the sixth public hearing we have held in
the past three years on the critical issue of securing our nation's
information infrastructure, although the issue has received a great
deal of attention recently.

The latest attacks on 8 well-known Internet sites like eBay, Yahoo,
and CNN raised public awareness, and hopefully will serve as a wake-up
call about the need to protect our critical computer networks.
Uncertainty caused by the attacks contributed to a 258 point drop in
the Dow Jones Industrial Average and halted a string of 3 days of
consecutive record-high closes of the technology-laden Nasdaq
Composite Index. As the New York Times noted in an editorial, "Just
when Americans have begun to get accustomed to the pervasive influence
of the Internet, a wave of anonymous assaults on Web Sites has roiled
the stability of the newly emerging cyberworld." Although disruption
to these sites was substantial, the damage did not even approach what
it could have been, based on the Internet's known vulnerabilities.

Catching and punishing those who commit cyber crimes is essential for
deterring future attacks. When a cyber attack occurs, it is not
initially apparent whether the perpetrator is a mischievous teenager,
a professional hacker, a terrorist group, or a hostile nation. Law
enforcement must be equipped with the resources and authorities
necessary to swiftly trace a cyber attack back to its source and
appropriately prosecute them. Today, we will discuss some impediments
to law enforcement in cyber space, and how the bill I recently
introduced with Sen. Shumer would remove some of these impediments. In
particular, this bill would: modify trap and trace authority so law
enforcement will no longer need to obtain a warrant in every
jurisdiction through which a cyber attack traveled; remove the current
$5000 minimum in damages for a case to be considered for federal
prosecution; remove the current 6 month minimum sentence for cyber
crimes that has led to lesser serious attacks not being prosecuted;
and allows youths 15 or older to be considered for federal prosecution
for committing serious computer crimes.

These recent attacks also illustrated one crucial point that must be
understood when dealing with securing the information infrastructure:
We are only as strong as our weakest link. If only one sector of
society heeds warnings and fixes computer vulnerabilities, that is not
enough. The cyber criminal, terrorist, or enemy nation will search for
another sector that has ignored warnings and not used proper computer
security. The February denial of service attackers first infected
university computers with programs that then launched massive amounts
of invalid inquiries to the victims, shutting them down to legitimate
customers. Computer capacity is increasing so rapidly that individuals
with personal computers at home and work can now be used for similar
types of attacks. We must examine the best way to secure all parts of
our information infrastructure from attack. In order to do that, all
individuals, businesses, and agencies with computers must get serious
about security.

Last Fall, Carnegie Mellon University's Computer Emergency Response
Team posted warnings about these types of denial of service attacks.
The FBI's National Infrastructure Protection Center (NIPC) also posted
warnings, and even provided a tool for anyone to download to check if
their system was infected with the attack program. Many people heeded
those warnings and used the tool, but not enough to prevent the
attacks from occurring. We need to encourage or mandate individuals
and systems administrators to tap into the resources available to
ensure their own security, and that of others connected to the

Finally, overall protection from attack necessitates that information
about cyber vulnerabilities, threats, and attacks be communicated
among companies, and with government agencies. Cooperation among
competitors, while adhering to anti-trust laws must be considered when
trying to create Information Sharing and Analysis Centers (ISACs) in
each portion of the private sector. Additionally, the Freedom of
Information Act may need to be updated to encourage companies to share
information with the federal government. Communication is crucial for
protection, and these roadblocks must be removed.

Our witnesses are well suited to address these issues. Mr. Louis
Freeh, Director of the FBI, will discuss limitations to effective
investigation and prosecution of cyber crimes under current law. He
will explain how the Shumer-Kyl Bill brings some provisions of current
law into the Computer Age. On our second panel, Mr. Rich Pethia,
Director of the Computer Emergency Response Team (CERT) at
Carnegie-Mellon University will testify about CERT's role in analysis
of computer vulnerabilities and better ways of "getting the word out"
and ensuring warnings are heeded. Mr. Harris Miller, President of the
Information Technology Association of America, will present industry's
perspective on impediments to information sharing of threats and
vulnerabilities among private sector companies and government