[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
CYBER SECURITY:
PROTECTING AMERICA'S NEW FRONTIER
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CRIME, TERRORISM,
AND HOMELAND SECURITY
OF THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
NOVEMBER 15, 2011
__________
Serial No. 112-80
__________
Printed for the use of the Committee on the Judiciary
Available via the World Wide Web: http://judiciary.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
71-238 PDF WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON THE JUDICIARY
LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr., JOHN CONYERS, Jr., Michigan
Wisconsin HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina JERROLD NADLER, New York
ELTON GALLEGLY, California ROBERT C. ``BOBBY'' SCOTT,
BOB GOODLATTE, Virginia Virginia
DANIEL E. LUNGREN, California MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio ZOE LOFGREN, California
DARRELL E. ISSA, California SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana MAXINE WATERS, California
J. RANDY FORBES, Virginia STEVE COHEN, Tennessee
STEVE KING, Iowa HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona Georgia
LOUIE GOHMERT, Texas PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio MIKE QUIGLEY, Illinois
TED POE, Texas JUDY CHU, California
JASON CHAFFETZ, Utah TED DEUTCH, Florida
TIM GRIFFIN, Arkansas LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania [Vacant]
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
MARK AMODEI, Nevada
Sean McLaughlin, Majority Chief of Staff and General Counsel
Perry Apelbaum, Minority Staff Director and Chief Counsel
------
Subcommittee on Crime, Terrorism, and Homeland Security
F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman
LOUIE GOHMERT, Texas, Vice-Chairman
BOB GOODLATTE, Virginia ROBERT C. ``BOBBY'' SCOTT,
DANIEL E. LUNGREN, California Virginia
J. RANDY FORBES, Virginia STEVE COHEN, Tennessee
TED POE, Texas HENRY C. ``HANK'' JOHNSON, Jr.,
JASON CHAFFETZ, Utah Georgia
TIM GRIFFIN, Arkansas PEDRO R. PIERLUISI, Puerto Rico
TOM MARINO, Pennsylvania JUDY CHU, California
TREY GOWDY, South Carolina TED DEUTCH, Florida
SANDY ADAMS, Florida SHEILA JACKSON LEE, Texas
MARK AMODEI, Nevada MIKE QUIGLEY, Illinois
[Vacant]
Caroline Lynch, Chief Counsel
Bobby Vassar, Minority Counsel
C O N T E N T S
----------
NOVEMBER 15, 2011
Page
OPENING STATEMENTS
The Honorable Louis Gohmert, a Representative in Congress from
the State of Texas, and Vice-Chairman, Subcommittee on Crime,
Terrorism, and Homeland Security............................... 1
The Honorable Robert C. ``Bobby'' Scott, a Representative in
Congress from the State of Virginia, and Ranking Member,
Subcommittee on Crime, Terrorism, and Homeland Security........ 3
WITNESSES
Richard W. Downing, Deputy Chief, Computer Crime and Intellectual
Property Section, Criminal Division, United States Department
of Justice
Oral Testimony................................................. 5
Prepared Statement............................................. 8
The Honorable Michael Chertoff, Co-Founder and Managing
Principal, The Chertoff Group
Oral Testimony................................................. 16
Prepared Statement............................................. 19
James A. Baker, Lecturer on Law, Harvard University
Oral Testimony................................................. 31
Prepared Statement............................................. 33
Orin S. Kerr, Professor of Law, George Washington University
Oral Testimony................................................. 38
Prepared Statement............................................. 40
APPENDIX
Material Submitted for the Hearing Record
Response to Post-Hearing Questions from Richard W. Downing,
Deputy Chief, Computer Crime and Intellectual Property Section,
Criminal Division, United States Department of Justice......... 76
Response to Post-Hearing Questions from the Honorable Michael
Chertoff, Co-Founder and Managing Principal, The Chertoff Group 82
Response to Post-Hearing Questions from Orin S. Kerr, Professor
of Law, George Washington University........................... 83
CYBER SECURITY:
PROTECTING AMERICA'S NEW FRONTIER
----------
TUESDAY, NOVEMBER 15, 2011
House of Representatives,
Subcommittee on Crime, Terrorism,
and Homeland Security,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to call, at 10:03 a.m., in
room 2141, Rayburn House Office Building, the Honorable Louie
Gohmert (Vice-Chairman of the Subcommittee) presiding.
Present: Representatives Gohmert, Scott, Deutch, Forbes,
Marino, Gowdy, Lungren, Jackson Lee, and Goodlatte.
Staff present: (Majority) Caroline Lynch, Subcommittee
Chief Counsel; Arthur Radford Baker, Counsel; Sam Ramer,
Counsel; Lindsay Hamilton, Clerk; Vishal Amin, Counsel;
(Minority) Joe Graupensberger, Counsel; Veronica Eligan,
Professional Staff Member.
Mr. Gohmert. The Subcommittee will come to order.
Welcome to today's hearing on cyber security. I would
especially like to welcome my witnesses and thank you for
joining us today.
I am joined today by the distinguished Ranking Member of
the Subcommittee, Bobby Scott, and by the most recent Chairman
Emeritus, Mr. Conyers, who as I understand will be coming
shortly.
I want to welcome everybody to the hearing on ``Cyber
Security: Protecting America's New Frontier.'' The Internet
revolutionized our society in many ways. While its benefits
abound and extend from our largest corporations to remote rural
regions throughout the Nation, individuals in the United States
and abroad have unfortunately been able to exploit the Internet
for criminal means.
Cyber crime often is faceless and has proven to defy
traditional investigative prosecutorial tools. As a result, the
frequency of cyber crime is growing rapidly and now includes
many international criminal syndicates and is threatening our
economy, our safety and our prosperity.
Even more worrisome are the national security implications
of cyber intrusion. We in Congress are concerned that we are
witnessing the opening salvos of a new kind of conflict waged
in cyberspace.
As we learned in the Wikileaks case, one individual with
access to classified data can threaten America's national
operational security, and as we saw from China's cyber attack
on Google and other companies, America's edge in innovation and
technical superiority can be compromised by competing countries
who make theft of intellectual property a national strategy.
As recently reported in the Fiscal Times, China's brazen
use of cyber espionage stands out because the focus is often
corporate and part of a broader government strategy to help the
develop or help develop the country's economy.
Quote, I've been told that if you use an iPhone or a
BlackBerry everything on it--contacts, calendar, emails--can be
downloaded in a second. All it takes is someone sitting near
you on a subway waiting for you to turn it on and they have got
it, said Kenneth Lieberthal, a former senior White House
official for Asia who is at the Brookings Institution.
One security expert reported that he buys a new iPad for
each visit to China and then never uses it again.
The problem remains that the United States government does
not own the networks through which all data flows, as
totalitarian regimes like China do. Your government and
industry must team up at times to secure the networks and
create digital shields to protect our country and our business.
The Administration has recently released a cyber security
initiative proposal which aims to make changes to the cyber
security structure and laws of the United States. We will look
at the proposal today and we have a distinguished panel of
experts here to help guide the Committee on what changes should
be made to protect citizens from cyber criminals.
One thing is clear. We have learned that computer crime is
just as important as ordinary crime and should be treated just
as harshly by our criminal justice system. The risks to our
national infrastructure and our national wealth are profound
and we must protect them.
Besides our national security, we have something in this
country as precious as wealth--our civil liberties. When it
comes to cyber crime, Americans are fully engaged on the issue
of protecting our civil liberties and privacy. They are correct
to be so concerned, and we on this side of the aisle share
their concern.
Sometimes it seems like a dilemma. By using Facebook and
other websites, Americans are putting more of their private
lives on the Internet than ever before. Yet, more Americans are
concerned about privacy than ever before.
But it is understandable the more Americans rely on the
Internet for their work, their entertainment, their
relationships, the more productive and connected they become.
But they also become vulnerable in new ways.
It is truly a new frontier for our country and this
Committee is determined that this new frontier will not be a
Wild West. Our challenge is to create a legal structure
flexible enough to protect our interests while allowing the
freedom of thought and expression that made this country great.
I am convinced we can thread this needle.
I look forward to hearing more about this issue and thank
all of our witnesses for participating in this hearing. It is
now my pleasure to recognize for his opening statement the
Ranking Member of the Subcommittee, Congressman Bobby Scott of
Virginia.
Mr. Scott. Thank you, Mr. Chairman.
I am pleased that we are conducting a hearing today on the
important issue of cyber security. It is a critical issue. It
is critical that we work together in Congress with the
Administration and with the business community and with private
advocates to find ways to enhance the security of our
government information systems, our business computer networks
and the personal use of the Internet.
Last spring, the Administration sent to Congress a
comprehensive cyber security legislative proposal. I was,
frankly, disappointed that they called for mandatory minimum
sentences for certain crimes of damaging critical
infrastructure computers because mandatory minimums have been
found to waste the taxpayers' money, do nothing about crime and
require sentences that often violate common sense.
Resolving the significant issues relating to cyber security
including protecting network access and operating aspects of
our critical infrastructure is a very challenging problem.
We must not shrink from the challenge but sentencing
individuals who have been convicted of serious crimes is also a
serious challenge as it requires individualized determination
of what the person actually did, the harm they caused and the
circumstances of the crime.
And that's why Congress actually did something right in
this area when it created the U.S. Sentencing Commission whose
job it is to establish sentencing guidelines to be used by
judges in imposing appropriate sentences. Calling for mandatory
minimum sentences shrinks from the challenge of doing this
right. While the crime involved may involve--may indeed be
serious, imposing mandatory minimum sentences on everyone will
not make us more secure.
The code section of the offense violated does not often--
often does not accurately reflect the seriousness of the crime.
This practice ultimately leads to injustice, cynicism and
distress in our criminal justice system and the imposition of
sentences that make no sense at all.
Another issue that we need to talk about is the provision
requiring notification of the government of certain breaches of
sensitive personal information stored in the computer networks
of businesses. The bill requires that an entity as of yet
unnamed in the Department of Homeland Security shall be
notified and that entity should also notify the FBI and Secret
Service.
Both of these agencies have specialized expertise that may
be called upon depending, for example, whether the crime is one
that threatens national security or the integrity of our
financial systems.
We need to hear more from the Administration and these
agencies on how this would--how this coordination would take
place.
In addition, it is important that we examine whether the
laws have maintained an appropriate focus on behavior we all
believe rises to the level of criminal--Federal criminal
liability. The Computer Fraud and Abuse Act was originally
enacted to deal with intrusions into computers, what we now
call hacking.
Since that time, we have expanded the scope of the law on
several occasions which has led to a disturbing expansive use
in recent years which have generated concerns on both sides of
the aisle.
For example, now it is possible for someone to be
prosecuted for violating the user agreement in a social
networking site. One of our witnesses is the distinguished law
professor who has written extensively about these concerns.
I hope this hearing will give us a chance to discuss these
issues and the best approach for refocusing our efforts in this
area.
Finally, I note concern about proposals to expand the
ability of private companies to share information with
government and ultimately with law enforcement for the purpose
of protecting against cyber security threats. If we allow
vastly overbroad sharing of information, we actually may
undermine the very privacy rights which should be at the
forefront of our concern.
So I thank all of our witnesses for being with you and
thank you, Mr. Chairman, for calling the hearing.
Mr. Gohmert. And thank you, Mr. Scott.
We now will proceed and it is my pleasure to introduce
today's witnesses. Richard Downing is the Chief Deputy or
Deputy Chief for computer crime at the Computer Crime and
Intellectual Property Section of the United States Department
of Justice in Washington, D.C.
Mr. Downing supervises the section's computer crime work
including the prosecution of computer hacking, identity theft
and other online crimes. Mr. Downing also supervises a wide
range of legislative and policy issues relating to computer
crime.
These issues include the modernization of the Federal
Computer Hacking Statute policy and legislation aimed at
improving cyber security, the development of the electronic
evidence-gathering laws and efforts to enhance international
cooperation in cyber crime investigations.
Mr. Downing received his Bachelor of Arts in political
science from Yale University in 1989 and his Juris Doctor from
Stanford Law School in 1992.
I will go ahead and introduce all of the witnesses and so
we will just take one after the other without your having to be
interrupted by me.
The Honorable Michael Chertoff is co-founder and managing
principal at the Chertoff Group in Washington, D.C. In addition
to his role at Chertoff Group, Mr. Chertoff is also senior of
counsel at Covington & Burling LLP and a member of the firm's
white-collar defense and investigations practice group.
Prior to his work at Chertoff Group, Mr. Chertoff served as
Secretary of the United States Department of Homeland Security
from 2005 to 2009. Before heading up the Department of Homeland
Security, Mr. Chertoff served as a Federal judge on the U.S.
Court of Appeals for the Third Circuit.
Before serving as a judge, he was a Federal prosecutor for
over a decade. Mr. Chertoff received his undergraduate degree
from Harvard College in 1975 and his Juris Doctor from Harvard
Law in 1978.
Mr. James Baker is currently a lecturer on law at Harvard
Law School. He most recently served as an Associate Deputy
Attorney General with the United States Department of Justice
from 2007 until last month, ending a 17-year career at the
Department.
In 2007, Mr. Baker was a Fellow at the Institute of
Politics at the John F. Kennedy School of Government at Harvard
University and was a lecturer on law at Harvard Law School.
From 2001 to 2007, Mr. Baker served as counsel for intelligence
policy at the Justice Department where he was the head of the
Office of Intelligence Policy Review.
Mr. Baker is a former Federal prosecutor. He received his
Bachelor of Arts in government from the University of Notre
Dame in 1983 and his Master of Arts in political science and
Juris Doctor from the University of Michigan in 1988. He
received--okay.
And Professor Orin Kerr--Professor Kerr is a professor of
law at George Washington University where he teaches criminal
law, criminal procedure and computer crime law.
Before joining the faculty in 2001, Professor Kerr was an
honors program trial attorney in the Computer Crime and
Intellectual Property Section of the criminal division at the
United States Department of Justice as well as a Special
Assistant U.S. Attorney for the Eastern District of Virginia.
He is a former law clerk for Justice Anthony M. Kennedy of
the U.S. Supreme Court and Judge Leonard Garth of the U.S.
Court of Appeals for the Third Circuit. In the summer of 2009
and 2010, he served as special counsel for the Supreme Court
nominations to Senator John Cornyn on the Senator Judiciary
Committee.
He has been a visiting professor at the University of
Chicago Law School and the University of Pennsylvania Law
School. Professor Kerr received his Bachelor of Science degree
in engineering from Princeton University and his Masters of
Science from Stanford University while earning his Juris Doctor
from Harvard Law School.
All of the witnesses' written statements will be entered
into the record in its entirety and I ask that each witness
summarize his testimony in 5 minutes or less.
And at this time then, Mr. Downing, thank you for your
patience. Please proceed with your opening statement.
TESTIMONY OF RICHARD W. DOWNING, DEPUTY CHIEF, COMPUTER CRIME
AND INTELLECTUAL PROPERTY SECTION, CRIMINAL DIVISION, UNITED
STATES DEPARTMENT OF JUSTICE
Mr. Downing. Good morning, Chairman Gohmert, Ranking Member
Scott and Members of the Committee.
Thank you for the opportunity to testify on behalf of the
Department of Justice regarding the Administration's cyber
legislation proposals.
This Committee knows well that the United States confronts
serious and complex cyber security threats. The critical
infrastructure of our Nation is vulnerable to cyber intrusions
that could damage vital national resources and put lives at
risk, and intruders have also stolen vast databases of
financial information and valuable intellectual property.
At the Department of Justice, we see cyber crime on the
rise with criminal syndicates operating with increasing
sophistication to steal from innocent Americans. That is why
President Obama has made cyber security a high priority. The
Justice Department has done its part.
For example, we have brought a series of important
prosecutions, including cases against offenders from overseas,
in an effort to build real deterrence.
Despite this good work, the problem is far from solved. It
is clear that new legislation can help to improve cyber
security substantially.
To that end, the Administration's legislative proposal
contains a number of ideas and I would like to take a moment to
highlight the parts of that package aimed at improving the
tools we use to punish and deter computer crimes.
First, the Administration's proposal includes reasonable
and focused changes to ensure that computer crimes are punished
to the same extent as other traditional criminal activity.
For example, because cyber crime has become a big business
for organized crime groups, the Administration proposal would
make it clear that the Racketeering Influenced and Corrupt
Organizations Act, or RICO, applies to computer crimes.
Prosecutors have used this statute in the past to charge
the leaders of organized crime families for their roles in
their criminal enterprises, even where they did not themselves
commit a predicate crime such as theft or extortion.
In a similar way, RICO could be used to dismantle criminal
enterprises focused on online theft and extortion and not just
the people with their fingers on the keyboard.
Also, the proposal would increase certain penalties in the
Computer Fraud and Abuse Act, which is the statute used to
prosecute hacking offenses so as to harmonize them with
analogous traditional laws.
For example, the crime of wire fraud carries a maximum
penalty of 20 years in prison, but violations of the Computer
Fraud and Abuse Act that involve very similar conduct carry a
maximum penalty of only 5 years. Such disparities make no
sense.
The Computer Fraud and Abuse Act also currently has
limitations that have prevented it from being fully used by
prosecutors against criminals who traffic in computer
passwords, and these shortcomings should be corrected.
We propose that the scope of the offense for trafficking in
passwords should cover not only passwords, but other methods of
confirming a user's identity such as biometric data, single-use
pass codes, or smart cards used to access an account. This new
language should cover log-in credentials used to access any
protected computer, not just government systems or computers at
financial institutions.
Finally, some have argued that the definition of ``exceeds
authorized access'' in the Computer Fraud and Abuse Act should
be restricted so as to disallow prosecutions based solely upon
a violation of an employee use agreement or a website's terms
of service.
While we appreciate this view, we are concerned that
restricting the statute in this way could make it difficult or
impossible to deter and punish serious threats from malicious
insiders.
The reality of the modern workplace is that employees in
both the private and public sectors require access to databases
containing large amounts of highly personal and sensitive data.
We need look no further than bank customer service
representatives, government employees processing tax returns,
and intelligence analysts handling sensitive material. Because
they need access in order to do their jobs, it is impossible to
restrict their access through passwords or other security
mechanisms.
In most cases, employers communicate clear and reasonable
restrictions on the purposes for which that data may be
accessed.
Employers should be able to set such access restrictions
with the confidence that the law will protect them when their
employees exceed these restrictions. Improperly accessing
personal or commercial information is a serious matter that
requires serious criminal consequences.
We must not impair these prosecutions based on
unsubstantiated fears that the Department will expend its
limited resources on trivial cases such as prosecuting people
who lie about their age on an Internet dating site.
Mr. Chairman and Members of the Committee, this is an
important topic. The country is at risk and there is a lot of
work to be done to stop computer crimes from victimizing and
threatening Americans throughout the country.
I look forward to answering your questions here today.
Thank you.
[The prepared statement of Mr. Downing follows:]
__________
Mr. Gohmert. Thank you very much.
At this time, Mr. Chertoff, we will hear from you.
TESTIMONY OF THE HONORABLE MICHAEL CHERTOFF, CO-FOUNDER AND
MANAGING PRINCIPAL, THE CHERTOFF GROUP
Mr. Chertoff. Thank you, Mr. Chairman. Thank you, Ranking
Member Scott and Members of the Committee. I am delighted to
testify here today.
It is actually my first return to Congress as a witness
since I left office 3 years ago and I used to testify in this
room about border security.
Mr. Gohmert. Yes, you did, and I knew you couldn't stay
away.
Mr. Chertoff. Right. It is hard to stay away.
This is a very important look at an important topic. It is
a topic that includes, obviously, concerns about criminal
behavior but is much broader than that. I would argue that the
issue of cyber security is now at the very top of the list of
security threats faced by the United States.
We have seen multiple dimensions of the threat. Some of
them involve massive acts of criminality. I remember when I was
Secretary we prosecuted the theft of literally tens of millions
of credit card numbers which were used to steal money from
credit card companies and from individual customers.
But beyond that, we have seen the use of cyber attacks as a
way of stealing very valuable intellectual property including
national security secrets and these are reported almost on a
daily or weekly basis.
Beyond that, there is the obvious concern about our
industrial control systems which could in some circumstances be
attacked in a way that might actually cause serious damage to
property and serious loss of life.
We have seen examples back in 2007 and 2008 that are
declassified of attacks against Estonia or Georgia, which are
really part of what you could very well argue is a new way of
war making.
So this has got to be dealt with in a number of different
dimensions. Certainly, the criminal law is part of it but I
would argue there are some other elements as well.
Broadly speaking, I would say there are three concerns we
have in terms of vulnerability. One is the network itself and
how to protect the network, and that is in many respects a
technical problem.
But the supply chain is also a problem. We are living in a
global environment in which hardware and software is fabricated
around the world and our degree of confidence about whether
there are malicious bits of code or other malicious tools
embedded in our hardware or software is not what it needs to
be.
And perhaps most significantly is the insider threat. While
many people think the biggest problem with cyber security is
somebody hacking across a network, experience shows that in
many cases it is the insider who wittingly or unwittingly
introduces malware into the system in a way that causes an
enormous amount of damage.
To this end, I would commend an article written a couple
years ago in Foreign Affairs by then-Deputy Secretary Bill Lynn
who described a major intrusion into our defense networks as
having been caused by somebody picking up a thumb drive and
putting it into a laptop as an act of negligence.
So we have got to deal with all of these problems and one
of my observations over the years I have worked on this issue
is a tendency to believe there is a magic bullet. There is no
magic bullet.
So I would argue that there are several things that we need
to do. I think the current Administration proposal is a good
start but it is a start. It is not an end.
First, I think we need to have tougher penalties and I in
the main approve and applaud the proposals put forward by the
Administration in that respect. Second, we need to make
information sharing much easier.
Time and again, when the private sector suffers an
intrusion, the ability to get technical assistance about the
nature of what that intrusion is is hampered by uncertainties
in the law about whether the U.S. government and the private
sector can share information. This has got to be made much
easier and much more streamlined and I think, again, the
proposal here is a good start.
Third issue is how do we build standards of cyber security
in our critical infrastructure. If we have a failure of
critical infrastructure in, let's say, the electric grid, there
will be enormous collateral consequences.
Unfortunately, the value of the damage often exceeds the
value of the asset, which means that there is no market
incentive for the asset owner to invest in protecting the
asset. We have got to change that. Again, I think the
Administration has begun with a good start in talking about
having standards for cyber security.
I am concerned about two things. One, how do we enforce the
standards. I am not sure naming and shaming is sufficient. And
second, we are talking about a very complicated and detailed
rulemaking process which may take a considerable amount of time
to complete, and the problem is time is not on our side.
Finally, I conclude by observing that there is a larger
national security dimension here involving the problem of cyber
warfare, the actual use of cyber tools as an adjunct to
military operations, and here we need to be clear about what
our policy is in responding to those acts of war and we need to
have a declared policy of deterrence, how we are going to
prevent these from happening.
This is work that is beginning but it has got a ways to go.
I would be happy to answer questions.
[The prepared statement of Mr. Chertoff follows:]
__________
Mr. Gohmert. Thank you very much.
Mr. Baker?
TESTIMONY OF JAMES A. BAKER, LECTURER ON LAW,
HARVARD UNIVERSITY
Mr. Baker. Mr. Chairman, good morning. Ranking Member Scott
and Members of the Committee, it is an honor to appear before
you today to discuss the cyber security challenges that the
country is facing.
I would like to focus my remarks on a very few key points
today. First, as you know and as we have already discussed here
this morning, the United States faces a significant cyber
threat today. The threat comes from many sources, nation
states, non-state actors such as organized crime groups,
terrorist organizations and lone individuals.
As folks have said this morning, the money in our banks,
our intellectual property and our critical infrastructure are
threatened. There is a very real risk that at a time of crisis
some parts of our critical infrastructure such as electrical,
water, financial, transportation and telecommunications systems
will not function as designed or at all.
Presently, the United States is not fully prepared to deal
with the cyber threat that we face. In other words, our
defensive capabilities are insufficient to address the
malicious activities that are directed against the United
States. This includes Federal, state and local governments,
civilian and military authorities and the private sector.
At the present time, we cannot stop the theft of funds,
intellectual property or personally identifiable information
and we cannot ensure the malicious actors will not be able to
degrade or destroy elements of our critical infrastructure at a
time and in a manner of their own choosing.
Although many people in the government and the private
sector are working overtime to find more effective ways to
address these vulnerabilities, right now we cannot guarantee
our cyber security. All we can do is mitigate the risks.
There are many reasons why we are not fully prepared to
address the cyber threat today and these include technological,
organizational, policy and legal issues. My written statement
addresses these matters so in the interest of time I won't
discuss them all now.
I will note, however, that one of the problems we must
confront is that the Federal Government is not where it needs
to be organizationally to address the cyber threat. There has
been much progress in this sphere and the Administration's
proposal contains some important provisions in this regard.
But the government is not where it needs to be in terms of
clearly delineating agency roles and providing for robust but
appropriate information sharing.
Next, I would like to address some of the Administration's
proposals to amend the Computer Fraud and Abuse Act, or CFAA,
and related provisions. Standing alone, as some have mentioned,
these proposals will not address fully all of our--excuse me,
all of our cyber security requirements.
They are important, however, and likely will assist law
enforcement agencies and prosecutors in better ensuring that
cyber crime is deterred effectively and punished appropriately.
I know that some Members have concerns about aspects of this
proposal but I urge Congress to work with the Administration to
find a set of mutually acceptable provisions to modify the CFAA
and related laws as quickly as you can.
What Congress should not do, however, in my view, is to
take steps that would weaken rather than strengthen the
Computer Fraud and Abuse Act. I am concerned that some
proposals to modify the terms of the existing act, in
particular, those directed at modifying the scope of the term
``exceeds authorized access'', would have the unintentional
effect of undermining the CFAA in certain respects.
I understand the concerns that some have raised about the
scope of the act, that it may be ambiguous and that government
overreaching could result in individuals being prosecuted for
what essentially are innocent or harmless violations of the
terms of service of particular websites or services.
I do not believe, however, that the case has been made that
Federal prosecutors have regularly misused the CFAA, and to the
extent that Congress is concerned that such abuses might occur,
it strikes me that it might make more sense to use your
oversight powers to ensure that enforcement of the CFAA is
properly focused on the worst offenders.
But do we really want to make it harder for the government
to prosecute individuals who abuse their authorized access to
immense databases at financial institutions, social networking
sites and email providers to steal money or sensitive personal
information?
In closing, I recommend that the Subcommittee work quickly
to enact some version of the Administration's proposal. Cyber
security is not a problem that is amenable to simple solutions
but we need to start moving in the right direction as quickly
as possible. Our adversaries are not waiting for us to act.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Baker follows:]
__________
Mr. Gohmert. Thank you, Mr. Baker.
Professor Kerr?
TESTIMONY OF ORIN S. KERR, PROFESSOR OF LAW,
GEORGE WASHINGTON UNIVERSITY
Mr. Kerr. Thank you, Judge Gohmert, Ranking Member Scott
for the invitation to appear here this morning. I am going to
begin by doing something that is probably unusual for a witness
before you. I am going to admit that I am a criminal, at least
according to the United States Department of Justice's
interpretation of the Computer Fraud and Abuse Act.
Mr. Gohmert. Sir, you have the right to remain silent.
[Laughter.]
Anything you say may--could be used against you.
Mr. Kerr. I will waive that right.
Mr. Gohmert. You have the right to consult an attorney if
you wish.
Mr. Kerr. In fact, I would like to speak about this. Why am
I----
Mr. Gohmert. If you can't afford an attorney one will be
appointed for you. [Laughter.]
Mr. Kerr. Why am I a criminal? Well, I have a Facebook
account. Facebook requires its terms of service--in its terms
of service that you cannot provide any false information on
Facebook.
However, I do so. I say in my profile that I live in
Washington, D.C. In fact, that is a blatant lie. I live in
Arlington, Virginia. Therefore, I am in blatant violation of
the terms of service, and according to the Justice Department I
violate Federal criminal law every time I log in.
Those of you may have children or grandchildren who are
under the age of 18 who use Google to conduct searches.
According to the Justice Department, they are also all
criminals. Why?
Well, because Google's terms of service say you have to be
of legal age to enter into a contract in order to use Google.
The legal age to enter into a contract in most states is 18.
Therefore, anybody under the age of 18 who uses Google is,
according to the United States Department of Justice, a
criminal.
Tens of millions of Americans have Internet dating
profiles. Those Internet dating profiles typically say the
terms of service of the Internet dating services say that
individuals must give all truthful information and cannot give
misleading information.
According to one study, more than 80 percent of Internet
dating profiles give misleading information. Somebody might say
they are an inch taller than they are, maybe five pounds less.
Maybe they might say they go to the gym every week when they
don't. According to the United States Department of Justice,
that makes them criminals.
In fact, probably most people in this room, most of the
witnesses, Members, counsel, members of the audience, most if
not all are criminals under the United States Department of
Justice's interpretation of the Computer Fraud and Abuse Act.
What is the government's position here in how to amend the
statute? My understanding is that the Justice Department wants
to further broaden the statute so that it encompasses more
cases and is more punitive than before.
I think the answer is to narrow the scope of this act to
ensure that routine computer usage is not criminalized rather
than to further broaden and enhance the penalties of the
statute.
The reason why this is a problem--the reason how we got
into this situation--is that Section 1030 of the Computer Fraud
and Abuse Act treats computers differently than it treats the
physical world. If you think about you are an employee at a
job, your boss says don't go into the personnel files without a
good work-related reason, you might--someone might look into
those personnel files and might be disciplined for that. The
boss might fire them or might not give them a raise but it
wouldn't be a crime just to look into the folder.
On the Internet or in the case of computers, it is a
different rule. The law says you cannot exceed authorized
access, which the Justice Department sees as saying that any
term of use or term of service by an employer or an Internet
service provider is binding as a matter of law.
If an employer says you can't use the workplace computers
for personal reasons and you do so, you are a criminal, again,
a different rule in the case of using computers than there is
in the case of offline real-world conduct.
I think we need to amend the statute to eliminate those
overly broad readings of the Computer Fraud and Abuse Act and
that it is actually quite simple to do so.
I have put in my written testimony two different ways of
amending the statute which would narrow it and yet also
preserve the Justice Department's authority to prosecute the
kinds of cases that they mention when they explain why they
want existing law to be as it is.
In particular, the Justice Department, when it talks about
prosecuting cases under the ``exceeds authorized access''
prong, always talks about cases in which the data that is
obtained is very valuable or very private information.
However, the statute does not contain any such limitation.
The statute applies to any act of exceeding authorized access
to obtain any information at all. One simple way of fixing the
statute would be to limit the Computer Fraud and Abuse Act so
that the ``exceeding authorized access'' prong only applies to
efforts to obtain personal information or valuable information.
That would preserve the Justice Department's ability to
prosecute the kinds of cases it wants to prosecute and yet also
preserve civil liberties of every other American who might, for
good reasons, violate Internet terms of service of websites
which it looks like most Americans who use the Internet and a
computer probably do.
Thank you. I look forward to your questions.
[The prepared statement of Mr. Kerr follows:]
__________
Mr. Gohmert. Thank you.
At this time, we will go to questions and I will reserve
mine to allow other Members to go ahead.
So let's see, Mr. Forbes of Virginia?
Mr. Forbes. Thank you, Mr. Chairman.
Gentlemen, thank you all for your expertise and willingness
to come here, and I understand Professor Kerr's desire to want
to be able to lie on his Facebook account and that is okay. My
concern is this.
I realize that we can have death by a thousand cuts with
all these small cyber attacks but my big concern from sitting
on the Armed Services Committee is the major gaping wounds that
can happen to us if we were to have cyber warfare.
And the question I would ask for all of you gentlemen who
would like to respond is are our laws in any way hampering the
Department of Defense from developing the technologies that we
need to defend and protect against that major kind of attack if
it was coming, which I believe one day we will see it in some
portion or the other.
And secondly, are our laws in any way hampering DOD from
developing the kind of strategies we would need to be able to
use that same kind of attack if, you know, heaven help us, we
would have to do it? And then can you give me a little insight
on how we even know when such a war would be launched against
us?
How do we know who is doing it and how do we possibly say
okay, now this is the time when we can launch a counter action
against that? And I will defer to any of you who would like to
go first. But I really respect and appreciate your insight on
it.
Mr. Chertoff. Well, thank you--thank you for the question.
It is a broad set of questions.
Mr. Forbes. I know it is.
Mr. Chertoff. I will address maybe the last question, which
is what is often referred to as the issue of attribution, and
it is a complicated issue because the reality is many of the
attacks we suffer, if you--if you follow the attack back the
point at which you're proximate to, the target may be in the
United States but it may be a computer that has been taken over
and is being operated remotely from China or someplace else in
the world.
And the difficulty is proving that connection is often very
difficult. It is compounded by the fact that some of the ways
we might prove it make reference to sophisticated and secret
sources and methods that we are not going to want to reveal.
So there is a huge challenge unlike what we faced in the
Cold War when, if a missile was launched, we could demonstrate
where the missile comes from. I think the answer there is a--
the laws are really not the issue here.
The issue here is for us to develop a doctrine and to be
very clear about, first of all, what we believe our response
ought to be to an attack--distinguishing between a theft of
property, which is espionage which we have traditionally not
viewed as an act of war, and an attack on a system that might
destroy the system itself like the electric power grid.
And once we have determined what we want our response to
be, we have got to do two things. We have got to, first of all,
make sure the law permits us to respond, and second, I believe
we need to have a declared policy of deterrence.
We need to, for example, tell the world that if there is an
attack upon our electric grid that results in a loss of life we
reserve the right to respond by, A, eliminating the servers
that launched the attack, we may reserve the right to do so
physically as well as in cyberspace and we need to explain what
our red lines are. If we don't do that, then we run the risk of
a miscalculation where somebody launches on us without a clear
understanding of our response, and experience shows that that
is how people get into wars, when there is an unclarity of
doctrine.
Mr. Baker. I would agree with that completely. I think that
the key problems are making the tough policy choices first, and
once you have the policy, both the policy in terms of what do
we want to do as a country to respond to these kinds of
attacks. And when I am talking about an attack here in this
setting I am talking about something that when it is directed
at us would constitute a use of force against the United States
if it was done by kinetic means. So that is--so when I talk
about an attack that is what I mean, not an exploitation or
espionage or something along those lines.
But I think we need to get the policy right in terms of
what we want our military to do. We need to get the technology
right in terms of what it is that we think we are going to be
doing, what are the collateral effects of that kind of
activity.
For example, if you launch something will you be able to
restrict it narrowly or will it spread more broadly? How
confident are we going to be in that? I think those are the
tough questions.
Once the policy makers figure out what they want to do,
then the lawyers can help figure out how to do this legally
either under the existing regimes with the, you know, the laws
of war, the laws of armed conflict, the very statute they have
to deal with, or that we need to make some kinds of changes and
so on.
Just one other quick question to address the last part of
what you said, knowing whether we are actually under attack may
be difficult in some circumstances because a smart adversary
might just degrade our systems in a way that make them
difficult for us to use and make us--make it hard for us to
respond to a threat somewhere in the physical world but that we
can't quite figure out whether it is actually being destroyed
or not or whether there is an attack that is underfoot.
Mr. Forbes. Mr. Downing, my time is up but I would love at
some point in time to hear your response to that maybe for the
record or maybe if you could give it to me in person.
Mr. Gohmert. Without objection, we will go ahead and extend
the time to allow an answer to that question.
Mr. Forbes. Thank you, Mr. Chairman.
Mr. Downing. So I guess what I would add to these other
comments that have gone before is that I am not aware of any
particular laws that are holding the military back at this
time, although to be clear I work in the Computer Crime Section
of the Department of Justice so perhaps that question is best
asked to members of our Department of Defense.
But what I would emphasize here is that unlike other sorts
of defenses of the Nation, the victims of these attacks are
going to be in the hands of our private infrastructures for the
most part and thus it is not possible for the Defense
Department to defend in the traditional way.
And so that is very much why we see the comprehensive cyber
security package as being very important because it provides
the incentives we need to help industry to defend itself, since
the Defense Department is not going to be able to put up, you
know, ships on the sea and planes in the air to defend that.
Mr. Gohmert. Okay. Thank you, Mr. Forbes.
At this time, Mr. Scott was going to defer and we will hear
from Mr. Deutch.
Mr. Deutch. Thank you, Mr. Chairman.
Mr. Downing, the Administration's proposal for information
sharing states, if I understand it correctly, that
notwithstanding any other provision of law, businesses can
share their customers' private information with Department of
Homeland Security.
I presume that means Internet and email information. What
else are you trying to get at? What else is there that will be
shared and could this information potentially include medical
records and all sorts of other personal information that would
violate the privacy laws?
Mr. Downing. So the idea of that is shared for the purpose
of securing cyber security. So I think the primary areas would
be things like threat and vulnerability information.
A Internet service provider discovers a new exploit that is
allowing people to access computers without authority. It is
able to report it to the government and also to spread that
information to help defend other networks as well.
It is true, though, that sometimes there will be a narrow
set of private information that would have to be disclosed. For
example, in certain kinds of phishing attacks there is an email
that is sent to a particular person in an effort to get them to
give up their password.
So there may be some cases where there is a need for that
sharing of private information. What the bill does, though, is
contain a number of ways that would protect the privacy of that
information, so it would have sharing restrictions once it
reaches the government.
The attorney general would have a set of rules that would
require that it be treated in a protected way. It also requires
that the person giving the information to take out all other
sorts of private information as well.
Mr. Deutch. Just going back to what you just said, though,
when you referred to phishing expeditions that we should be
concerned then about the possibility, understanding that there
are--there are requirements that would be imposed and
guidelines that this could include all kinds of information
about individuals. The sorts of things that these criminals are
looking for are all of the sorts of things that may be turned
over to the government including bank account numbers, credit
card numbers, passwords for all of those accounts.
Might all of that be included in the information that is
going to be turned over?
Mr. Downing. I think it is important to make sure that
there are appropriate privacy restrictions because there will
be some, I think, fairly limited situations where that sort of
information may need to be turned over.
So I think attention to the need to protect that
information appropriately is proper, and we feel we have done a
pretty good job of putting into the bill protections for that.
But, of course, if there are other needs here, we are happy to
work with Congress to sharpen them as well.
Mr. Deutch. All right. I appreciate that.
Mr. Baker, I have a question for you. You said--you said we
can't stop theft, and we can't ensure that elements of our
infrastructure won't be destroyed. You refer to the
technological problems and policy issues.
Can you speak to the extent to which lawmakers, policy
makers can partner with the technology community to approach
some of these issues? Does that--is that happening? Should that
be happening?
Mr. Baker. Partner--I am sorry.
Mr. Deutch. Please.
Mr. Baker. No. I was just going to say partnering directly
on those kinds of issues. I mean, I think the main thing is to
be informed and so calling hearings and bringing folks up to
explain exactly what the problems are and what is going on--I
mean, as Secretary Chertoff explained, the supply chain problem
and the insider problem. The zero-day threat is a significant
one.
But I think one of the main things to do in terms of
lawmakers is to figure out the boxes in terms of what parts of
the United States government are going to have the lead or--
yeah, I guess the lead in addressing these problems and some of
the proposals in the Administration's recommendation try to
address that.
They try to give an enhanced role for DHS to do this. Not
because DHS is perfect. I think they would not say that they
are perfect. But we need to make a decision and move forward.
We need to get going on this legislation and start down
this road and then fix the problems as we go. As Secretary
Chertoff said, this is just the beginning. We have got a long
way to go.
Mr. Deutch. And Mr. Baker, you and Secretary Chertoff both
spend a lot of time thinking about what these--what these
concerns might be. As you--as you play these out, all of the
various risks, in terms of critical infrastructure and the
risks that we face because of the technology, what is it that
worries you most? What do you think--where do you think we are
most vulnerable?
Mr. Baker. Well, I think any of these--any of these systems
are vulnerable, any of them, and the electrical one is one of
the primary ones. I think if that was shut down or degraded in
a significant part of the United States that is a significant
problem.
And it is not only a problem of somebody intentionally
doing that. I mean, there might be reasons that a nation state
is not going to do that in an otherwise--in a situation that is
otherwise a time of peace. They may do it in a time of crisis.
But you might have a terrorist group that gets its hands on
some kind of a tool that would enable them to do this or
somebody is experimenting with something and it leaks out and
it gets out into the wilderness, if you will, out into the wild
and then it just starts shutting down systems and we don't know
what is going on--I mean, that kind of a virus, if you will, in
terms of something leaking out.
So I think any one of these systems is vulnerable. The
financial system is vulnerable. I mean, any of them. Take your
pick.
Mr. Deutch. Thank you. Thank you, Mr. Chairman.
Mr. Gohmert. Okay. Thank you, Mr. Deutch.
At this time, we will hear from Mr. Gowdy from South
Carolina.
Mr. Gowdy. Thank you, Mr. Chairman.
I want to thank all the witnesses for lending us your
expertise.
Mr. Downing, I think I understood you correctly. One of the
Administration's proposals is to raise the statutory maximum.
Mr. Downing. That is correct, in certain ways. Different
parts of the statute, yes.
Mr. Gowdy. I know that sounds good. I get the politics
behind raising the statutory maximum. How many of these cases
ever approach the statutory maximum? If you want to do
something about it, do something about the guidelines, not the
statutory maximums.
Mr. Downing. Well, we certainly agree that a lot of the
sentencing is driven by the guidelines and there actually was
an effort to try to improve the guidelines, by raising the
penalties. That occurred the year before last.
But, unfortunately, the Sentencing Commission largely did
not do much to raise them. I would say though----
Mr. Gowdy. Would you be gracious enough to send to me your
recommendations for the Sentencing Commission? They were kind
enough to come visit with us a few weeks ago too and I was
shocked at how infrequently even judges who were on the
Sentencing Commission bother to follow the sentencing
guidelines. So if you would send me those recommendations.
Also, if you know how many motions for upward departure
Department of Justice may have filed in cyber security cases
that would be helpful to me as well. The----
Mr. Downing. I would be happy to take that back.
Mr. Gowdy. The ratio of motions for downward departure
versus motions for upward departure is 17 to 1 for downward. So
some evidence of the Administration's seriousness about cyber
security to me would be requests for upward departures in the
cases where there has been a prosecution.
RICO, practically, for the line AUSAs in the districts how
is RICO going to help them?
Mr. Downing. RICO is particularly useful in those
situations where you want to try to take down an entire
enterprise and, in particular, where you have leadership of the
enterprise that may not be actually committing the offenses or
may not be in conspiracy with others who are. So the usual
tools of the direct crime and the conspiracy are not available.
We have seen this in terms of cyber security in the area
where you have an organized group that will have different
pieces of the organization doing different parts of the job.
Some of them are actually hacking. Some of them are using
it to commit fraud. Some of them are doing other tasks. And so
we think that it is a useful tool to be able to take down the
entire organization including the senior leadership, and so
that is one important way that it would help.
Mr. Gowdy. What leads you to think the Department of
Homeland Security is the best agency to handle this?
Mr. Downing. Well, to handle this, I am not quite sure
which piece of it you mean. You mean why should they get
clarified authorities to be a leader in the area of cyber
security?
Mr. Gowdy. Right, as opposed to the Bureau.
Mr. Downing. Well, we think the Bureau is an important
piece of the puzzle but they have a very different role then
that we would proscribe for the Department of Homeland
Security. The Bureau does a terrific job on investigating cases
and they are a critical piece of creating deterrence.
However, DHS has an important role too. DHS, as the
proposal would suggest, would strengthen or clarify the rules
that would allow it to be better at outreach with private
industry, making clear its role in helping to protect the
civilian infrastructure and the government infrastructure.
So it is really a different role that we see for DHS, and
that is why we are seeking to have its authorities clearly laid
out in legislation.
Mr. Gowdy. Can you tell me the difference between computer
trespassing/theft and treason?
Mr. Downing. I am sorry. And treason?
Mr. Gowdy. Treason. When does it become treason?
Mr. Downing. Well----
Mr. Gowdy. Because the penalty for treason is already
pretty high, I think.
Mr. Downing. I believe it is, yes. Treason, I would have to
probably get back to you on that. I am not sure I know the
elements of the offense of treason. But my understanding would
be that it would require that it be done in terms of wartime or
where it would be a direct----
Mr. Gowdy. So it has to be during a time of war to be
treasonous?
Mr. Downing. I am sorry. I don't want to guess.
Mr. Gowdy. What about one of our law professors?
Mr. Kerr. My understanding is that treason is defined by
the Constitution and requires somebody who is loyal to the
United States who does an act intentionally against the
interests of the United States as an act, intentional act of
disloyalty to the United States.
So I don't see how that is implicated in an act of computer
trespass, which can be conducted for many different reasons. It
might be. You could have an act of computer trespass that is
part of an act.
Mr. Gowdy. So if a soldier were to download information and
give it to an enemy, would that be treasonous or not?
Mr. Kerr. I don't know.
Mr. Gowdy. What do you think?
Mr. Kerr. Well, prosecutions for treason, my recollection
is that the Constitution has requirements as to the witnesses
that have to be available for acts of treason. So it is
actually a very rarely prosecuted crime. I don't know if there
have been prosecutions for treason in my lifetime.
But it certainly would be a criminal act with severe
penalties. Whether it is an act of treason or not, I don't
know.
Mr. Gowdy. I yield back, Mr. Chairman, or yield to the
gentleman--no, I am out of time.
Mr. Gohmert. I thank the gentleman.
The Chair now recognizes the distinguished gentleman from
Virginia, Congressman Scott.
Mr. Scott. Thank you, Mr. Chairman.
Mr. Chairman, one of the issues we have been working on is
ID theft and the statutory maximum is not usually the problem.
The problem is that these cases don't even get investigated
much less prosecuted.
And so let me ask in that line, Mr. Downing, is
unauthorized possession of credit card numbers, passwords, ID
information--is unauthorized possession only a crime?
Mr. Downing. Under criminal law, it generally has to be
with an intent to commit a fraud. So mere possession may not be
but in almost all cases we can show that there is a intent to
commit a fraud.
Mr. Scott. Well, you have--but just--if you just looked in
my computer and found all kinds of credit card information you
would have to either show that I intended to do something with
it or that I obtained it illegally.
Mr. Downing. That is right.
Mr. Scott. That mere possession is not a crime.
Mr. Downing. I believe that is the case.
Mr. Scott. Now, child pornography, if you found something
on somebody's computer you wouldn't care how they got it, would
you?
Mr. Downing. We would definitely care how they got it. It
would also be a crime for mere possession.
Mr. Scott. Well, I mean, in terms--in terms of a crime
being committed you could prosecute without being concerned
about how they got it.
Mr. Downing. That is true. Mere possession of child
pornography is a crime.
Mr. Scott. Is--do you know if in the Federal Government
whether or not there is any requirement that banks try to limit
ID theft by doing things like sending a real-time email every
time a charge is made?
I mean, there is no technological problem with the bank if
somebody uses a credit card instantaneously text messaging that
to the user. Is there anything--does anybody have any authority
in the Federal Government to require banks to do stuff like
that?
Mr. Downing. As a technological matter, I assume that it is
possible to do that. As far as the regulations----
Mr. Scott. But it is technologically possible to do it. Is
there anybody in Federal Government that can order the banks to
do that?
Mr. Downing. I don't know the answer to that question, I am
afraid.
Mr. Scott. Under RICO, we--Mr. Downing, you want to use
RICO for computer crimes. Why is not the underlying crime that
you are investigating enough to access RICO rather than the
fact that they used a computer?
I mean, if they--if they are doing some operation that is
some big organized crime effort that ought to be enough to get
RICO. Why do you have to show that they are using a computer?
Why is that important?
Mr. Downing. There are, certainly, some cases where there
is another predicate offense that could be used to prove the
RICO. But there are some situations where it might not be. I am
going to give you an example.
If an organized crime group were to use a denial of service
attack against a gambling website, let's say, to prevent the
site from operating right before a critical event, it would be
an extortion under Section 1030(a)(7). It is not clear that
that sort of extortion falls into traditional extortion
statutes since there is no physical property at risk and no
risk of harm to human life.
So it is true that there are some areas that could be done
through a RICO prosecution, but we feel that this would close
some gaps and allow us to make sure that it covers it in all
situations.
Mr. Scott. You have in your testimony the statement that
the Administration has proposed a mandatory minimum sentence of
3 years imprisonment as one appropriate way to achieve the
needed deterrence.
Do you have any research that shows that mandatory minimums
rather than longer maximum sentences subject to guidelines
serves as a deterrence?
Mr. Downing. I am not an expert on the research on
mandatory minimums, but I can say that this particular one is
very narrowly focused.
Mr. Scott. Can you point to any--can you point to any
research--you can't point to any research that shows that it
serves as a deterrence.
Mr. Downing. I would be happy to research that issue and
get back to you.
Mr. Scott. Are you aware of research that shows that
mandatory minimums do not reduce crime and serve only to waste
the taxpayers' money? Are you familiar with that research?
Mr. Downing. I am not aware of that research either. That
is not my field of expertise.
Mr. Scott. Mr. Chairman, my time is just about up. But
before I yield back, I would just like to ask for the record
for the witnesses, I guess Mr. Downing and anybody else, on
these reports, exactly what--how these reports work, who can
ask for it, do you need a subpoena and then what happens to it
because in earlier versions of Homeland Security, information
sharing was very important.
So if Homeland Security got something the FBI and
Department of Defense and everybody else could look at it, how
this information is shared and what exactly--what information
there can be, and also we talked a little bit about the
international aspects of the Internet and trying to prove who
did it is a problem.
But another problem is if you find out who did it does the
Department of Justice have jurisdictional problems--if things
are going on in France that affect things in the United States
how we deal with the jurisdictional problems, if anybody would
want to respond to those for the record.
Thank you, Mr. Chairman.
Mr. Forbes [presiding]. Thank you, Congressman Scott. And
do each of you have a comfortable understanding of what
Congressman Scott needs to supply? Good.
If you have any questions I am sure he will be glad to
clarify that for you and if you would respond to the record for
him on that we would appreciate it.
Chair recognizes the former Attorney General of California,
Mr. Lungren.
Mr. Lungren. Thank you very much, Mr. Chairman.
Secretary Chertoff, in the Cyber Security Task Force we had
on the Republican side early this year information that we got
both public and private was that the best estimate was that
perhaps 85 percent of intrusions in the cyber world could be
taken care of if we just had good cyber hygiene and that
because of that, because we don't have that, the 85 percent
clutter that is out there makes it more difficult for to
identify the 15 percent of the more serious nature.
When we are asked to perhaps pass new laws with respect to
criminal sanctions and so forth, I guess one of the questions
our constituents would ask is are we as a government as well as
the private sector doing what we need to do to identify and
encourage good cyber hygiene, and if not, why not?
Mr. Chertoff. Well, Congressman, I think you are dead right
about this. I think that, and I can't tell you if 85 percent is
exactly the right number, but I think you could take a lot of
hay off the haystack with good cyber hygiene. What do I mean by
that?
I mean appropriate use of passwords and changing of
passwords, appropriate implementation of access controls,
appropriate rules about who and what can download off a network
and who and what can insert various kind of media into a
network.
And you are quite right. A lot of this is in private hands
and that is why when I look at the Administration's proposal,
in many ways, to me, the more significant element has to do
with the requirements as it relates to critical infrastructure
and requiring that a nationally significant critical
infrastructure have plans and programs in place to make sure
they have cyber security and much of that involves internal
processes and internal programs.
Now, there are a lot of different ways to skin the cat and
I am not prescribing one particular way to do it. But a big
challenge is to architect your internal security system so that
it is not so cumbersome that people just avoid it altogether
but that it is robust enough so that it is not obvious or easy
for people to penetrate it.
You know, take a very simple thing like the ability to take
a thumb drive and put it into a network and download, as was
reported to be the case with Bradley Manning. If you are
dealing with sensitive systems you ought to have restrictions
on who has the capability to do that.
So, to me, rolling out a set of processes and having the
private sector have to meet certain standards would take a lot
of hay off that haystack.
Mr. Lungren. I guess it would be my observation that as we
are looking at these proposals, and I certainly support us
moving forward in the area of cyber security, enhanced
awareness of it within our various laws, I would hope that we
would have at least as much effort in the public and private
sector on raising the awareness of the need for computer
hygiene.
I mean, we need a equivalent of a Smokey the Bear campaign
to somehow help us. That is not to say we ought not to do these
things now.
One thing I would like to address to Professor Kerr and Mr.
Chertoff and Mr. Downing is this. There has been a Memorandum
of Understanding entered into by the--by DHS and by the Defense
Department in terms of proper exchange of information, et
cetera. I happen to think that is a good start.
However, if we do not from the beginning ensure that civil
liberties are protected here and that we are not in any way
acting in a position that does not recognize the traditional
and constitutional priority of civilian control of the
military, we are buying a real problem.
I guess my question--I will start with you, Professor Kerr,
if you have some knowledge of that Memorandum of Understanding.
Are you satisfied that that--it has reached an appropriate
position of balance such that as we designate DHS as the
primary repository of this information and the coordinator of
information and--or overview of cyber security throughout the
Federal Government that the concern--the legitimate concerns of
civil libertarians or anybody, any American concerned about
that, have been met?
Mr. Kerr. I share, certainly, all of your concerns with the
need to protect privacy and civil liberties in this situation
and also to balance that with the appropriate exchange of
information within the government, which can be tremendously
important.
As an outsider, I really can't tell how things are working.
So I would love to know the answer just as you would like to
know the answer but, unfortunately, I don't have it.
Mr. Lungren. Mr. Chertoff or Mr. Downing?
Mr. Chertoff. I think I can probably offer some insight
into this because I think this in the main reflects an
agreement that we had in the prior Administration between DHS
and the Department of Defense concerning the proper allocation
of responsibility.
With respect to government networks and the commercial
domain, I think it was understood that the authorities should
be DHS authorities to maintain the principle of civilian
control.
On the other hand, there are unique capabilities in the
Department of Defense both in terms of access to information
and tools and techniques which are important to have available
to deploy to protect the United States, and as long as that is
undertaken under the authorities of DHS I think you manage to
balance between using all of the elements of national power but
having a civilian-controlled and civil-liberty respecting way
of actually operationalizing.
You know, I would leave you with this thought. I don't
think security and privacy here are in conflict. I think they
actually are mutually reinforcing.
You cannot have privacy on the computer if you don't have
the security to be able to control who gets into your computer,
and I think that it is important not to lose sight of the fact
that it would not be a triumph of civil liberties to keep the
U.S. government from protecting computers so the Chinese
government could get on our computers. [Laughter.]
Mr. Downing. If I may, I would add, certainly, the
Administration is very concerned about the sharing of
information and that there are appropriate civil liberties and
privacy protections in place.
One example of that is what I referred to earlier in the
legislative proposal where sharing is going to occur under a
set of rules that allows the private sector to share with the
government. We have really been very careful to think through
how that sharing is going to happen once it occurs inside the
government, and there would be appropriate limitations to make
sure that there isn't going to be any abuse.
Mr. Gohmert [presiding]. Thank you, Mr. Lungren.
At this time we will hear questions from Ms. Jackson Lee of
Texas.
Ms. Jackson Lee. Let me thank the Chairman and the Ranking
Member for this hearing. It is interesting to see our former
Secretary of Homeland Security, thanking him for his service
and as well the numbers of individuals.
Mr. Baker, I was looking for my friend from Texas but you
have a good name and certainly I know that testimony has been
productive. Mr. Secretary Chertoff would know that I was in
Homeland Security and going back to Homeland Security, still
serve on Homeland Security and cyber security has been a
enormous issue.
I am going to go right to you, Mr. Secretary, and I think
we do have a dilemma between the First Amendment rights, as we
have always had a tension, the whole question of the--when we
had the discussion on the PATRIOT Act was during your tenure
and some of the ramifications of that.
But I am going to go directly to an entity, that preceding
9/11 there were challenges and that is China, and cyber
security is not any longer a fly that we swat at. It is
annoying. They have just gotten my formula for the--or the
formula for how to do a Gucci purse or they have just found out
how to make Colgate toothpaste or at least label it and say it
is Colgate toothpaste.
How dangerous is it to have a friend that is engaging in
the intrusion of one's cyber system and does that friend's
accessibility then open it up to individual--to entities that
would wish to do us harm?
Mr. Chertoff. Well, I think, you know, the National
Counterintelligence Executive recently publicized the extent to
which our networks and our systems are being penetrated by
foreign powers, and I would--I would have to say I think it is
now a general consensus that in terms of both our economic well
being and potentially our national security and military
posture the ability of foreign governments to penetrate into
our networks is probably at the very top of the list of threats
that we face.
You know, I have heard people debate whether the theft of
intellectual property has national significance. If you
consider the amount of money and time we spend developing our
technological advances, to have somebody come in and steal it
and short circuit it is nothing less than giving away our
economic competitiveness.
Beyond that, again, just relying on open source public
documents like the U.S.-China Security Commission, we know that
in China, for example, there is a military doctrine that looks
to cyber warfare as one of the domains of warfare.
So, again, we have to be concerned about the possibilities,
as Mr. Baker said, either in a tense situation or even in a
peacetime situation a foreign adversary taking advantage of
their ability to distract us by degrading or disrupting our
networks.
So, you know, there are multiple dimensions to this. There
are some diplomatic issues that need to be pursued. But most
important, I think, we need to have the internal capability to
manage our risk in a way that does not leave us hostage to
foreign actors.
Ms. Jackson Lee. I thank you. And Mr. Baker, I don't know
if this--thank you very much, Secretary--whether this would fit
you but on the Homeland Security side we are completely
frightened of this process or prospect of cyber security as it
relates to, and I know that the government witness is from
Intellectual Property but the extent that cyber security can
intrude on water distribution, electrical grids and how much
government oversight, intrusion and emergency action should be
engaged in as it relates to cyber security or the protection of
our cyberspace.
There are a lot of bells going off but how much government
activity should we have? How precious is this cyberspace that
it could literally shut us down as a Nation?
Mr. Baker. The cyberspace is precious. It is absolutely
precious. We have to be worried about it being degraded and
destroyed, disruptive and having a shut down, having
significant parts of our economy shut down.
As others have said, I think we are in, you know, based on
everything that I have seen, sort of a pre-9/11 mode right now
where we see we have got some significant problems. We see we
have got significant vulnerability. We have got adversaries out
there that are serious about doing us harm and we need to get
going and we need to get organized.
Ms. Jackson Lee. What would you want us to do and----
Mr. Baker. So we need--we need to figure out one thing,
just for example, and was talked about here. One thing we need
to figure out is as a society how much government involvement,
meaning how much government monitoring of private
communications, do we want and are we willing to tolerate.
And if we are going to have government monitoring of
private communications in order to obtain information to
protect us from cyber security threats, how are we going to
monitor that, how do we monitor the monitoring. In other words,
what privacy protections do we have in place, what oversight.
We have to pay for that oversight. Everybody talks about
oversight. Oversight is expensive so we need to make a
commitment that we are going to pay to have the right people in
place to do that kind of oversight.
So I think it is inevitable that you are going to have
government monitoring of private communications to some degree.
The question is how much and then who watches to make sure that
we are all comfortable with what is going on.
So I think it is--I think you are going to have--you have
to have--I think no entity standing alone, private sector or
government, anybody else, military, civilian, has all the tools
necessary to address this threat.
We need to bring all of our resources together in a way
that we are all comfortable with and then move forward.
Ms. Jackson Lee. Mr. Chairman, would you allow Mr. Kerr to
answer that question?
Mr. Gohmert. Yes, without objection. Mr. Kerr, you may
answer.
Ms. Jackson Lee. And you might put your influence on the
question. Thank you.
Mr. Kerr. Yeah.
Ms. Jackson Lee. And I thank Mr. Baker. Thank you,
Professor.
Mr. Kerr. Thank you. I think striking the right balance is
quite difficult then and Mr. Baker's answer raises, I think,
what is the missing half of the puzzle that we are looking at
in this hearing, which is the procedural rights, the rights of
government investigation.
The problem in cyber security from the standpoint of
criminal law is not that the punishments aren't high enough.
The punishments are not only as high as they are in non-cyber
crime laws. In many ways, they are higher.
The difficulty is it is very difficult to catch people. So
what tends to happen is the government wants more investigatory
power. That becomes quite controversial. So instead, the
government gets broader and broader substantive criminal laws
and greater and greater punishments for crimes.
We should not use substantive criminal law and the Computer
Fraud and Abuse Act as a substitute for the difficulty of
catching the bad guys. We should focus on making sure the
government has the power necessary to catch people that are
engaging in wrongdoing online.
Ms. Jackson Lee. I thank the Chairman.
Mr. Chairman, if I could just say to you or say for the
record I know that we are in the Crime Subcommittee and the
Committee dealing with terrorism but I truly believe I think
Secretary Chertoff and I think Professor Baker might answer Mr.
Kerr's point.
I think we need to ramp up and get coordination between
military, civilian and government resources. We need to get in
front of this. If we are pre-9/11 on cyber security we have got
some work to do, and I hope this Committee can be part of the
solution, Mr. Chairman.
I thank you very much for yielding.
Mr. Gohmert. Thank you, Ms. Jackson Lee, and you do make a
very good point. We do need to get ahead of it and I appreciate
you all addressing that. Hopefully, we will get into that a
little further.
At this time, I have the Honorable Mr. Goodlatte from
Virginia with questions.
Mr. Goodlatte. Thank you, Mr. Chairman.
Welcome, all of you. I want to direct this first question
to Mr. Downing and Mr. Baker.
The Administration proposal includes a so-called ``name and
shame'' provision to coerce industry to beef up cyber security.
We certainly understand what that objective is but I wonder if
that doesn't paint a target on the backs of vulnerable systems
for cyber criminals to exploit or to encourage others to keep
their problems as hidden as possible so that they won't be
discovered to have been put in that situation.
I wonder if you might comment on that, starting with you,
Mr. Downing?
Mr. Downing. Certainly. The--it is important to understand
that this publicizing the vulnerability of a particular company
is done at an extremely high level. It wouldn't reveal any
particular threats that would be successful against a network.
It would simply provide some information to the public and to
the government about how well the company is doing overall.
I think it is also important to think about what sort of
incentives we think are appropriate to encourage the kind of
better cyber security behavior that we would like to see. One
option that the Administration has not proposed is to create a
huge regulatory framework that would require lots of fines and
auditors and all that sort of thing.
Instead, it is a light-touch regulatory idea that would
require but there still has to be some incentive made to cause
companies to change their behavior. And so in this way, we
think that by publicizing those that need to improve, that will
provide a significant but not overreaching type of incentive to
get them to change.
Mr. Goodlatte. Mr. Baker?
Mr. Baker. Yes, just real quick.
I think you are right to be concerned about that. I think
the Administration understood that and tried to come up with a
solution where there was a sufficient amount of enhanced
incentives for people to--companies to improve their cyber
security posture without making them a target, as you suggest.
I think you are right, we need to make sure we get the
legislation right on that point. I would say, however, I mean,
I think to a certain degree even today companies face risks in
this area by not exposing to some extent what their
vulnerabilities are because they have obligations to their
shareholders and reporting requirements to the SEC to make
known a set of risks that may be material in some fashion. The
SEC recently put out some guidance on this.
I think that is very significant. I mean, I think there is
an incentive already and I just think it is unrecognized.
Mr. Goodlatte. Thank you.
Mr. Chertoff, how can Congress encourage the kind of
innovative solutions we need from the private sector for cyber
security and at the same time avoid a one-size-fits-all
regulatory scheme?
Mr. Chertoff. Well, first, let me say that, as I said in my
opening statement regarding the legislation, I think it is a
good start but I think there are some pieces that need to be
strengthened.
The good start piece is the concept of having the
government lay out general standards and requirements but
allowing the private sector to meet those standards using a
variety of different methods. That is actually pretty similar
to what we did in the chemical security area back when I was at
DHS.
So the good news is I think that gives you flexibility and
allows people to tailor an approach, including one which the
private sector can help to develop.
I think on the--on the disappointing side, I would actually
like to see some tougher responses to the issue of those
elements of critical infrastructure that don't meet those
standards or requirements because I think if you have a serious
vulnerability in our electric grid or our water or any other
important element of national security we are not going to have
a lot of time to coax those entities into coming into
compliance.
We need to have the ability at some point to compel them to
come into compliance. So that is an area where I would,
frankly, like to see a little bit of strengthening.
Mr. Goodlatte. Thank you.
And back to you, Mr. Baker, how would including the CFAA
within RICO help protect Americans from cyber criminals?
Mr. Baker. It is a further tool that prosecutors can use to
go after these very aggressive robust organized crime groups,
mainly located overseas, and I take Professor Kerr's point. It
is difficult.
You have to have two things. You have to have the legal
tools in place so that you can investigate and prosecute these
crimes if and when you get your hands on somebody.
But then we need to work with our international partners as
the FBI does regularly to actually go out and get them and
bring them to justice either in the United States or in a
separate jurisdiction. But I think RICO is another tool that
strikes me as appropriate here because that is what is going
on. Organized crime groups are using the Internet to steal a
vast amount of funds.
Mr. Goodlatte. Thank you very much.
Thank you, Mr. Chairman.
Mr. Gohmert. Thank you, Mr. Goodlatte. And having been a
judge for a decade and at times sat on the bench and thought
does this lawyer not know that he's wasting his time asking
those silly questions, it is a real honor to listen to such
insightful questions that I think we have heard on both sides
of the aisle here, and it points to the understanding people
here have of the risks and problems inherent in what we are
talking about.
One of the things that--I don't know, it may be the only
thing that the Heritage Foundation, the ACLU, Mr. Scott and I
have agreed on and that is that we have over criminalized so
many things, 5,000 or so crimes.
We don't even know how many because they are not required
to come through the Judiciary Committee in order to slap a
prison sentence on, and there are so many things that have been
made a crime. And people say oh, well gee, the Justice
Department would never pursue anything like that.
But it turns out it is not just up to the Justice
Department. You know, we had a hearing previously where a guy
just didn't stick the little sticker on his package that had an
airplane with a line through it and he went to prison. You
know, a guy received an orchid from a South American company
without properly filling out their material. He went to prison
for 18 months.
So some things do get prosecuted. The poor guy that sent
the package without the sticker with the airplane with the line
through it was run off the road with what sounds like what
amounted to an EPA SWAT team, ran him off the road, threw him
to the ground, handcuffed him and hauled him in.
So we are rather sensitive to over criminalizing and if I
understand correctly we are talking about the potential for the
Federal Government to run somebody off the road like they did
the gentleman from Washington State and put him in handcuffs
because he checked that he had scrolled down and read and
agreed to the end user agreement and he didn't actually do
that, and then as a result now he has committed a Federal
crime.
Is that a possibility, Mr. Kerr?
Mr. Kerr. It is certainly my understanding of the Justice
Department's interpretation of the law but I don't know if the
Justice Department here would agree.
Mr. Gohmert. Well, and then a good question was asked, Mr.
Baker. How much government monitoring of private communications
are we going to allow, and that has been a concern of a lot of
us on both sides of the aisle.
Have any of you read the President's American Jobs Act? Not
my American Jobs Act. It was two pages. But the President's
that was 155 pages.
Were you aware that he set up a--the Public Safety
Broadband Corporation in that that will help take care of our
use of broadband? I mean, had you all heard that?
Well, it won't do anything to create jobs but it will give
more government control of our broadband, and you couple that
with a potential push for more control of the Internet here it
causes me some concerns.
But on the same--at the same time, I know the question was
asked who would have ever dreamed that planes would be flown
into a building and some of us said well, that was Tom Clancy
back several years ago had a hijacker fly one into the Capitol.
Well, Clancy, if you--he has also written about this Net
problem and Net security.
So I mean, it is clearly an issue that we have got to deal
with. Let me ask what--Mr. Chertoff, I will start with you. You
said the value of damage for our intrusion may exceed the value
of the asset. How do you think it would be damaged, if you
could be more specific?
Mr. Chertoff. I mean, here is the challenge you have, I
think, in the case of some of the critical infrastructure. You
might own a power plant and it might be worth a certain amount
of money, and no rational person is going to invest more in
securing the power plant than it is worth.
Mr. Gohmert. Right.
Mr. Chertoff. I mean, that is common sense. The problem is,
and we have seen this both in terms of cyber and in the
physical world, that power plant may be critical in terms of
the whole surrounding community, even a state, involving public
health, involving public safety, involving public
communication.
If that power plant goes down, there could be an enormous
loss of life and economic damage that exceeds the value of the
asset.
So the challenge is how do you make the people who operate
the asset and own the asset invest enough to protect against a
cyber attack, and I think that is where it is appropriate to
have the government play a role in laying out a set of general
metrics and a set of general standards and then allowing the
private sector to figure out the precise way in order to meet
those standards and metrics.
Mr. Gohmert. Anybody else care to comment on that aspect?
If not----
Mr. Scott. Can I make another comment, a quick comment?
Mr. Gohmert. Well, sure. It is your turn.
Mr. Scott. No. I have already asked questions.
Mr. Gohmert. Oh, okay. All right. Yes. Then we will go to
Mr. Scott.
Mr. Scott. Mr. Chairman, Mr. Baker and Professor Kerr have
talked about the problems in defining ``exceeds unauthorized
access.'' You kind of know it when you see it but, obviously,
that term can cover a lot more than we want covered and, for
the record, they can--if they have any suggestions as how we
can define ``exceeds unauthorized access'' in a way that covers
what we want covered without being over expansive that would be
helpful.
Thank you, Mr. Chairman.
Mr. Gohmert. Well, thank you, Mr. Scott. Do you have any
further questions? I mean, we could mount to a second round if
you wish. Pardon?
Mr. Scott. If you want a second round.
Mr. Gohmert. Okay. Go ahead. I will allow Mr. Scott to
complete--you can see the two of us are here and this is such
an important issue. If you don't mind, let's--go ahead, Mr.
Scott, if you would.
Mr. Scott. Well, if--do you want to--do you want to--do you
have any recommendations on ``exceeds unauthorized access?"
Mr. Kerr. I do. I think there are two basic strategies that
could be used to limit ``exceeds authorized access.''
One would be to just amend the current definition.
Unfortunately, the current definition of ``exceeds authorized
access'' is entirely circular. It says that you exceed
authorized access when you do that to which you are not
entitled, which doesn't really answer the question.
It just makes the issue entitlement rather than
authorization, just substitute a word. So one method of
limiting the statute would be to clarify that that definition
does not apply to mere terms of service violations and computer
use policies, essentially just defining by exclusion that which
the definition does not apply.
And another approach would be to limit the substantive
statute rather than limiting ``exceeds authorized access'' by
saying that Section 1030, the Computer Fraud and Abuse Act,
only applies to obtaining personal information or valuable
information rather than any information.
So under that approach, violating a terms of service or
violating a terms of use could in fact lead to criminality but
only in the kind of cases that the Justice Department focuses
on, namely those cases where there's access to a sensitive
database by a government employee or particularly valuable
information that is taken in violation of an employer's
computer use policy.
Both of those strategies, I think, are two different ways
of getting to the same conclusion and either is acceptable.
Mr. Baker. I think the main thing that I am concerned about
is making sure that we have the tools necessary to prosecute
insiders who have access to vast amounts of data whether they
are at a government employer or whether they are with a
private-sector employer.
I mean, if you think about how much data employees at
Facebook or Google have access to, it is amazing, about--access
to information about Americans and what Americans are doing.
And so I think that is the kind of thing that I want to make
sure that we don't change the statute to somehow inhibit or
cripple, in some ways, the ability of the government to
prosecute those kinds of cases.
So if you were to somehow take--I mean, I have seen some of
the suggestions with respect to amending the definition of
``exceeds authorized access.''
As long as they still allow for prosecution of in the
employment context I think that would be the key thing and it
would avoid some of the things that Professor Kerr was talking
about in terms of what--you know, misrepresentations that
people make on Facebook or website and so on.
The other--I think his suggestion with respect to amending
the specific provision of 1030(a)(2)(C) I think shows--I think
there is more promise there. It is a more narrowly-focused
provision. It doesn't deal with this definition. It applies to
the whole statute, and I think it does get at the kinds of
cases where somebody does something, accesses information in
order to steal something or do something fraudulent or cause
some harm. I think that shows much more promise, at least in my
mind.
Mr. Scott. Mr. Downing, this is limited to--this entire
code section is limited to computers--government computers,
financial institutions and protected computers. What about my
computer? Is that--is that a Federal jurisdictional problem?
Mr. Downing. The computer in your office? Yes, it would
certainly be covered. A protected computer----
Mr. Scott. What about my personal computer?
Mr. Downing. Protected computer is actually a fairly broad
term. So it would include----
Mr. Scott. What is--what is not included?
Mr. Downing. Not included would be certain stand-alone
computers that aren't connected to the Internet, for example.
Relatively rare these days. Most computers are covered by the
term ``protected computer.''
Mr. Kerr. If I could add--if I could add a brief comment,
actually computers--stand-alone computers are also protected
computers. Every computer in the United States is a protected
computer because the definition of protected computer includes
any computer that affects interstate commerce, a term of art
which included anything that the Commerce Clause can include,
and under the court's--Supreme Court's--Commerce Clause
jurisprudence that would include every computer.
So basically everything with a microchip except for a
handheld calculator--there's an old 1980's era exclusion in
there--is included.
Mr. Scott. Thank you.
Mr. Downing, under civil forfeiture, who gets the proceeds
of the forfeiture?
Mr. Downing. Generally, the proceeds are kept by the
government. In part, they are used to further enforce the laws
and part of it is put back to the general Treasury.
Mr. Scott. Does the local--one of the problems I have with
some of these civil forfeitures are is there is an incentive to
do law enforcement based on how you can make money and fund
your local operation, which kind of distorts the criminal
justice system.
When you say the law, does the FBI get to keep the money
generally or does the local FBI office get to keep the money
and avoid cutbacks in employment that may be coming with this
budget deal?
Mr. Downing. I am afraid I don't know all the ins and outs
of the forfeiture rules. But my understanding is that it
doesn't go to the local office at all, no. This is an important
tool for getting at certain kinds of actors where criminal law
is not sufficient.
Mr. Scott. Well, yeah. And I know why we have civil
forfeiture. My question is whether it is distorting. You have
got Eighth Amendment problems of proportionality. Two people
commit the same crime and one loses a house and a car. Another
one doesn't lose anything.
Who gets the money and whether or not you want civil
forfeiture rather than criminal forfeiture means that you don't
have to prove that somebody is guilty. They got to prove their
innocence to get their money back, and so even if they are
innocent they are out of attorneys' fees and a lot. So civil
forfeiture, if not done properly, can be problematic.
Thank you, Mr. Chairman.
Mr. Gohmert. Okay. Thank you, Mr. Scott, and I just want to
follow up. Now, of course, we have had a Federal court say you
can't prosecute, as has been done before, a cheerleader mom
that violates an end user agreement. But it brings to question
in my mind is there anybody that polices the end user
agreements, just what people are required to agree to before
they utilize a service.
Mr. Downing. Well, I am not sure what you mean by polices
but, certainly, there are a couple of forces that would control
what gets put into an end user agreement by a big website.
Certainly, these things are made public because, obviously,
people are signing them, and when Facebook recently or perhaps
it was last year changed their user agreement in a way that was
really egregious in the eyes of many of the customers, they
protested and moved away from that--using that service. So
there's a real vote-with-your-feet kind of possibility here.
The importance of end user agreements is also important in
the context of the Federal Trade Commission. So companies have
to live up to their--what they say in their agreements, and if
they fail to do that then they can be sanctioned for unfair
trade practices.
Mr. Gohmert. And we know here on the Hill--it hadn't been
disclosed publicly--we have had government, our congressional
computers hacked from foreign countries, at least one, and it
is a threat and it is--can be international terrorism of a sort
when you, as you all have discussed, realize what could be done
by destroying our Internet usage.
But by the same token, you don't want to create a problem
for the greatest freedoms any country has ever experienced, as
we do here.
I know there are some that say well, gee, the Justice
Department would never pursue that because that would just be
too much. But we have heard example after example of when
prosecutions have occurred that people can't believe. It just
sounds like a Kafka novel or something.
But I would hope that on both sides we are ready to be as
tough as possible on espionage, whether it is domestic or
foreign, so that the Homeland Security, our Justice Department
intelligence has the ability to pursue those that want to hurt
us but at the same time not pursue somebody just because they
made some minor mistake or even negligently made a mistake.
And one of the things we pushed is, and we haven't done it
yet, defining what things are really just clerical
administrative mistakes individually where maybe you should
have somebody subject to a fine and what requires prison
sentences, forfeiture, all of those kind of things so that we
don't keep--just so that we can show how tough we are for the
next election criminalize some conduct where it is more
appropriate to just make it a fine or decide does it justify
somebody being thrown down in front of their wife and kids and
handcuffed and hauled in.
So I think that is the issue and a lot of us on both sides
of the aisle want to make sure that we don't do that.
Before we conclude the hearing, you have given your opening
statements. You have answered questions and been very gracious
in doing so. But I would just like any final comments based on
the questions that have been asked, things that may have been
triggered in your mind, things that we ought to consider
because this is all be part of the congressional record here.
So if you would, starting with Mr. Downing.
Mr. Downing. Thank you for that opportunity.
There have been a lot of characterizations of what the
Department of Justice position is on the 1030(a)(2) question of
``exceeds authorized access.'' Let me be very clear that DOJ is
in no way interested in bringing cases against people who lie
about their age on a dating site or anything of the sort. We
don't have time or resources to do that.
And, in fact, no court has in fact ruled that that is an
appropriate use of the statute and, quite to the contrary, the
one case that has addressed it ruled that it is not an
appropriate use, and the government has not brought any further
cases. So we are a little bit concerned whether this is truly a
problem.
Given all that, however, we recognize that this is an
issue, and we are very much interested in working with the
Committee to resolve this question in a way that is proper for
all.
What we do need to be careful about is to make sure that as
we do that, we don't harm the ability to bring cases that
everyone in the room would agree are proper and appropriate
ones.
And so, as we think about what sort of solution might be
available here, that we do it in a way that isn't going to
cause other harm and actually harm our ability to create
deterrence in this area, which is so important.
Mr. Gohmert. Mr. Chertoff?
Mr. Chertoff. Well, I guess I would just conclude by saying
I do think it is worth giving serious consideration to
Professor Kerr's point about maybe some narrowing of the--of
the statute.
I agree with Mr. Baker that I think we are probably more
concerned about insiders and employees who exploit their
privileged position than we are people getting on Facebook.
But the other point I would make, which I think is
important, is there is a little bit of a tendency over--
observed over the years to deal with the issue of criminalizing
by simply piling on additional penalties and jail time rather
than recognizing the real challenges and being more efficient
and more effective in enforcing the law against a broader
number of law breakers. And here the problem is a lot of the
activity is overseas, and we are not going to find the people
who do this stuff because they are never coming over to the
United States.
And, frankly, in some countries there is not a lot of
interest in cooperating with us.
So an area which I think is worth exploring is what we can
do to leverage, again, all of our economic and other powers to
really induce countries in the world that have tolerated open
and notorious criminal activity on the Internet into coming
into compliance with what ought to be any reasonable
international norm about preventing this kind of cyber
criminality.
Mr. Gohmert. Do you have any last suggestions about how we
do that, how we deal with foreign individuals?
Mr. Chertoff. Well, you know, I mean, one of the, of
course, is a topic for a whole separate hearing probably. You
know, we have entered into conventions with other countries
and, certainly, the Europeans have been--have been cooperative.
But there are countries in the world where, although there
is lip service to wanting to play by the rules, they will
tolerate the existence of these servers which are nothing more
than marketplaces for criminal activity.
Now, we do have a lot of economic power. We have trade
power and the ability to use that, to say to some of these
countries you not only have to sign up to doing the right thing
but you have got to then walk the walk, I think is worth taking
a serious look at.
Mr. Gohmert. Yeah. Those sanctions work so well. I mean,
basically we brought Iran to their knees.
Oh, wait. No, that hasn't worked. Never mind.
Mr. Baker?
Mr. Baker. Yes, Mr. Chairman, just two quick points.
One, I agree with Mr. Downing. I don't foresee the Justice
Department prosecuting the kinds of cases that folks are
concerned about. I understand the concern. It is a legitimate--
--
Mr. Gohmert. But you understand, we just want to get the
law right so it is not even an option. We give them the power
to go after the bad guys as completely as necessary without
even risking some runaway prosecutor.
Mr. Baker. I agree, but, you know, my experience is with
any statute that you write there is this huge amount of
ambiguity in any of these statutes.
I mean, if you look at the mail fraud and wire fraud
statutes, they don't even define fraud and so the government
and courts have figured out how to--how to prosecute cases and
how to adjudicate those kinds of cases over the years. But I--
it is difficult to write a statute that is so tightly focused
to only get at the problem you are trying to get at without
having some kind of collateral effect as well.
I just--I would just be cautious about that and I would say
then that it is a matter then of oversight for this
Subcommittee to make sure that you stay on top of the Justice
Department, to make sure you know what they are doing in terms
of these prosecutions and bring them up here and have them
explain why they did X, Y or Z in a particular case. That would
be my suggestion on that.
To go back just to close a loop, I think on a question that
Mr. Forbes had raised earlier, just briefly, I think in terms
of the legal problems that we are facing versus other kinds of
questions, again, I think it is a policy problem more than a
legal problem.
But I think folks should be comfortable, I think, that the
President has the authority, in the event of an imminent or
actual attack on the United States, he has the authority under
the Constitution and laws of the United States to take whatever
actions are necessary to protect the country today. He has that
authority today.
The difficult question is figuring out how he would
implement that authority, how that would be done and exactly
what would the military do and under what circumstances or what
other elements the United States government would do.
That is what we need to figure out, as opposed to worrying
about whether we have, you know, enough legal authority and
whether he is going to be hamstrung in the event of a crisis.
I think--I think he does have that authority. We need to
figure out technically, strategically, doctrinally what we want
to do to protect us.
Mr. Gohmert. Thank you, and----
Mr. Scott. Mr. Chairman?
Mr. Gohmert. Yeah.
Mr. Scott. I would hope if the President concludes that we
are in a imminent threat that he wouldn't have to fool around
and try to figure out how this fits under a computer law where
he can take----
Mr. Baker. I don't think he would have to do that. That is
what I am saying. I think he has the authority to take whatever
steps he deems appropriate in a crisis of that nature.
Mr. Scott. Without having to worry about whether it
technically fits under some computer--whether they are using
computers as they do it or a protected computer or something
like that. If he makes that----
Mr. Baker. That would not be top on his list.
Mr. Scott. If he makes that conclusion then we would expect
action to be taken.
Mr. Baker. I think--well, I am suggesting this would be the
situation in a cyber event and he could take whatever action
are necessary whether it is a cyber action or some kind of
physical kinetic action.
Mr. Gohmert. Okay. Thank you, Mr. Scott.
And you had said we need to figure that out and so I would
ask you have recommendations in that regard if you would submit
them to the Committee that would be extremely helpful.
It is helpful to point out we need to figure this out and
what we should do but it is even more helpful when you have a
suggestion as to the best way to proceed in figuring it out.
Mr. Baker. Yes, sir.
Mr. Gohmert. But Mr. Kerr, final comment?
Mr. Kerr. Thank you, Judge Gohmert. Just two quick points.
First, I think the concern of the Justice Department's
overbroad reading of the Computer Fraud and Abuse Act is a real
one.
Just a few weeks ago, the Ninth Circuit granted rehearing
in a case in which the earlier panel of the Ninth Circuit Court
of Appeals had held that private-sector employee computer use
policies do in fact--are in fact--criminally enforceable. The
employer had a policy that said you can't use the computer for
non-business reasons.
The Justice Department prosecuted the employee for using
the computer for a non-business reason. The Ninth Circuit
granted rehearing. We don't know what the court's
interpretation will be but this is a very real current
question.
And then, second, on the question of civil RICO and
mandatory minimums under the Computer Fraud and Abuse Act, I
think it is really important to be specific as to where are the
cases where this is necessary.
In my experience, the actual penalties in Computer Fraud
and Abuse Act cases tend to be relatively low because the
damage tends to be low in the kinds of cases where the Justice
Department actually catches the bad guy.
So I don't think there is a lot of--there aren't any
demonstrated cases of which I am aware of where, for example,
there is the need for a mandatory minimum where under current
law there wouldn't be and there is an actual case where the law
would have applied.
So some of the Justice Department's concerns strike me as
very abstract, kind of, ``well, if we ever catch someone like
this it would be nice to be able to give them a higher
sentence.'' I think we should be responding to real problems,
not abstract hypothetical ones.
Mr. Gohmert. Okay. Thank you.
We appreciate the witnesses being here. We know you are not
here because of the money witnesses get paid since you don't
get paid at all but--and Mr. Chertoff, nice to see you again. I
was a little bit surprised you were willing to come in
voluntarily after some of the hearings you have had here but--
--
Mr. Chertoff. Yeah, I was a little surprised too, actually.
[Laughter.]
Mr. Gohmert. Well, we do appreciate all of you being here
on such a serious topic that has to do with our national
security.
Thank you all very much. This hearing now is adjourned.
[Whereupon, at 11:45 a.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Response to Post-Hearing Questions from Richard W. Downing, Deputy
Chief, Computer Crime and Intellectual Property Section, Criminal
Division, United States Department of Justice
�