25 February 2000 Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html ----------------------------------------------------------------------- [Congressional Record: February 24, 2000 (Senate)] [Page S799-S820] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr24fe00-47] STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTION [Excerpt] By Mr. SCHUMER (for himself and Mr. Kyl): S. 2092. A bill to amend title 18, United States Code, to modify authorities relating to the use of pen registers and trap and trace devices, to modify provisions relating to fraud and related activities in connection with computers, and for other purposes; to the Committee on the Judiciary. high tech crime bill Mr. SCHUMER. Mr. President, I rise today to introduce with my friend from Arizona, Senator Kyl, a high tech crime bill aimed at combating computer crime. For the past nine months I have been discussing with law enforcement and computer crime experts how best to address the growing threat that computer crimes pose to our increasingly networked society. Many of the best solutions are far-reaching and complex and will only be achieved through sustained and thoughtful hard work on an international level by both government and the private sector in the years ahead. There are, however, modes changes to existing laws that can be made now, which will serve as a significant first step in a much-needed effort to give law enforcement to tools they need to effectively fight cybercrime. The legislation that Senator Kyl and I are introducing today will, among other things, make the following changes to existing law. We must update our laws governing the use of what are called pen registers (which record the numbers dialed on a phone line) and trap and trace devices (which capture incoming electronic impulses that identify the originating number). These laws have become outdated and their procedures are too slow for the speed of criminals online. Under current law, investigators must obtain a trap and trace order in each jurisdiction through which an electronic communication is made. Thus, for example, to trace on online communication between two terrorists that starts at a computer in New York, goes through a server in New Jersey, bounces off a computer in Wisconsin, and then ends in San Francisco, investigators may be forced to go successively to a court in each jurisdiction for an order permitting the trace (not to mention having to approach each provider along the way). In the recent Denial of Service attacks, hackers utilized dozens or even hundreds of ``zombie'' computers from which the attacks on specific sites were then launched. No doubt, these computers were located all over the country. and tracing them quickly under current law is therefore virtually impossible. This legislation will amend current law to authorize the issuance of a single order to completely trace an online communication to its source, regardless of how many intermediate sites it passes through. Law enforcement must still meet the exact same burden to obtain such an order; the only difference is that they will not have to repeat this process over and over each time a communication passes to a new carrier in a different Jurisdiction. One deficiency of the Computer Fraud and Abuse Act, 18 U.C.C. Sec. 1030, is its requirement of proof of damages in excess of $5,000. In several cases, prosecutors have found that while computer intruders had attempted to harm computers vital to our critical infrastructures, such as telecommunications and financial services, damages of $5,000 could not be proven. Nevertheless, these intrusions pose a great risk of harm to our country and must be prosecuted, punished, and deterred. The Schumer-Kyl bill will unambiguously permit federal jurisdiction at the outset of an unauthorized intrusion into critical infrastructure systems rather than having investigators wait for any damage assessment. Crimes that exceed the $5,000 limit will be prosecuted as felonies, while crimes below that amount will be defined as misdemeanors. The bill will also clarify that a $5,000 loss resulting from a computer attack may include the costs of responding to the offense, conducting a damage assessment, restoring a system to its original condition, and any lost revenue or costs incurred as a result of an interruption in service. The $5,000 requirement should not serve as a barrier to the prosecution of serious computer criminals who threaten our country's networks. This legislation will also modify a directive to the sentencing commission contained in the Antiterrorism and Effective Death Penalty Act of 1999, which required a mandatory minimum sentence of six months' imprisonment for certain violations of section 1030. Computer intrusions that violate the statute vary in their severity and maliciousness. All violations should be punished, but under the current regime the mandatory imprisonment applies to some misdemeanor charges, even where the attack caused no damage. As a result, some prosecutors have declined to bring cases, knowing that the result would be mandatory imprisonment. We should insure that federal prosecutors are bringing cases under section 1030, but we also should insure that the sentences being meted out fit the crime. [[Page S805]] Often the most technologically savvy individuals are juveniles who have grown up with computers always at their fingertips. Unfortunately, certain juveniles are committing the most serious computer crimes and wreaking havoc on our critical infrastructures. For example, one juvenile hacker caused an airport in Worcester, Massachusetts to shut down for over six hours when its telecommunications connections were brought down. Similarly, two California teenagers broke into sensitive military computers, including those at Lawrence Livermore National Laboratory and the U.S. Air Force. As a longer term strategy, we need to do a better job of teaching our children from a very young age that, like anywhere else, certain conduct on the Internet is wrong and illegal. But we also need to send a clear message that crimes on the Internet will have real consequences. This legislation will amend 18 U.S.C. Sec. 1030 to give federal law enforcement authorities the power to investigate and prosecute juvenile offenders of computer crimes in appropriate cases. The bill will make juveniles fifteen years of age or older who commit the most serious violations of section 1030 eligible for federal prosecution in cases where the Attorney General certifies that such prosecution is appropriate. In conjunction with the elimination of the six-month mandatory minimum, this legislation will provide a balanced, measured approach to juvenile hacking crimes. Again, these are just the first steps that should be taken in a very long battle against cybercrime that many of us will wage for years to come. And while we fight computer crime by modifying our criminal laws, we also should seek concomitant ways to fully protect the fundamental rights of innocent individuals on the Internet. I want to thank Senator Kyl for joining me in introducing this bill. As chairman of the Subcommittee on Technology, Terrorism, and Government Information, I know that he cares deeply about these issues and I look forward to working with him on this commonsense, bipartisan legislation.<bullet> ______