THE FEDERALIST SOCIETY
a panel on
9:30 a.m. - 11:00 a.m.
October 3, 2002
George Mason University School of Law
Professor Ralph Clifford, Southern New England School of Law
Professor Orin Kerr, The George Washington University Law
Mr. James Meek, Staff Writer, Washington Bureau, Los Angeles Daily
Mr. Christopher Painter, Deputy Director, Computer Crime and
Intellectual Property Section, U.S. Department of Justice, Criminal
Professor Amitai Aviram, George Mason University School of Law
PROCEEDINGS
DEAN GRADY: We’re very excited about this
conference, which has been organized by our Tech
Center - the National Center for Technology and Law -
and also by the Federalist Society.
I will say a bit about our Tech Center, of
which we are very proud. It was founded about three
years ago in 1999. Its mission is to look at the
dynamic connection between law and technology policy.
By far the biggest project of the Tech Center
currently is a program on cyber-security, looking to
see what institutional arrangements can be used to
incent the owners of systems to use more precaution
with their computers to make those computers more
resistant to attack by terrorists and others.
That is a very large problem for our country
right now, as I’m sure many of you in this room are
aware. Our power grid, our banking system, our stock
markets, our air traffic control system - are all
controlled by computers, and these computers are
vulnerable to attack by people within the United
States and by people outside the United States. Many
of these assets, of course, are owned by civilians.
Even if command and control regulation were a good
idea in other areas, which many of us think it is not,
it would be very difficult to implement in this area
So the question becomes what type of
arrangements can be used to make these systems more
secure. We see this conference as a part of that
effort. Of course, one way that you can incent actors
is by disincenting the bad people, those people who
are trying to break into computer systems and wreak
havoc upon them. Certainly that is a very important
strategy in terms of improving our collective
security, which increasingly depends upon the security
of our computers.
So without further ado, I think I’ll turn
this podium over to my counterpart for the Federalist
Society, Dean Reuter, who has been a co-organizer of
this conference. Dean?
MR. REUTER: Thank you, Dean Grady. I just
wanted to say a few quick words about the Federalist
Society and invite you all to learn more about it. We
are a membership organization composed primarily, but
not exclusively, of attorneys. We have information
out on the desk that you are welcome to peruse. We do
a lot of programming just like this in many different
substantive legal areas. We also sponsor a lot of
scholarship. I invite you to look us up on our
website or some of the information out on the table.
I, too, am very pleased to be here and happy
to co-sponsor this event with the National Center for
Technology and Law. I think it’s very timely, and I
look at cybercrime as the new wave in white collar
crime. It’s similar in many ways, but I think it’s
different in other important ways that we will hear
about later today. Because of the differences I think
it’s a new challenge for traditional methods of law
I think cyber criminals can and do work
around the clock searching for system vulnerabilities
to exploit. It takes sophisticated measures to find
these people, to detect them out there. You won’t see
a cyber criminal casing the joint from across the
street with binoculars. So it’s different than
traditional law enforcement.
Cyber criminals can now also, for the first
time, steal more than they can carry. A cyber
criminal can rob a bank in Washington, D.C., for
example, without ever being in the bank, without ever
being in the city, without ever being in the country,
which raises all kinds of enforcement issues,
detection issues, and issues of jurisdiction and
cooperation. All this is being said without even
discussing what I think is an even more sobering and
emerging threat of cyber-terrorism, which we’ll also
hear about later today.
We have a very full day planned. We are
famous for starting on time and for ending on time.
So without taking up more time today, I’ll turn the
podium over to Professor Michael O’Neill.
PROFESSOR O'NEILL: Thank you, Dean. I’d
like to also add to the words of Dean Grady and
welcome you again, from the faculty and from the
students of George Mason University School of Law.
It’s terrific to see so many of you trek out in the
outer reaches of Arlington and come to the Law School
to visit this conference.
I’m glad that Orin Kerr is here today as one
of our first panelists, because the germ of this idea
actually came from a very good idea that Orin Kerr had
that I hope we revitalize. He had the foresight to
get a few of us who were interested in electronic
privacy issues, cybercrime, and cyber-terrorism issues
together to have lunch, or was it dinner? Actually it
was dinner, I believe. I think it was dinner
together, and we sort of put this little group
together. We’d gotten together for dinner when this
sort of idea first sort of came to me that we ought to
have an opportunity here, especially being in
Washington, to bring together people in government,
people in industry, people in academia to talk about
some of the very critical issues that are facing this
country at this time.
One of the difficulties, of course, with
being the most technologically advanced nation on
earth is that our infrastructure largely lies in the
hands of private interests, which is a good thing and
a positive thing. However, by being so
technologically advanced, it also puts us at a very
interesting position in the sense that much of our
infrastructure, military intelligence, things that we
hold dear in this country - are subject to and
possibly the target of foreign nations, individuals,
I remember when I was a kid one of the first
jobs that I had while I was in college was a
programmer for WordPerfect. In fact, I don’t know how
many of you even use WordPerfect anymore, but for
those of you who do, I was one of the principal
authors of the very first thesaurus that WordPerfect
came out with.
In fact if you used to type in a certain
code there, my name would pop up. Unfortunately, that
was many moons ago and WordPerfect was actually a
force in the market place and before it had been
bought and sold a couple of different times.
I remember back in those days I used to dink
around on the web, and the web wasn’t a whole heck of
a lot then; it was basically just a few government
sites and some academic communications. I remember
just moseying around, looking at things, doing things
which now I guess high school kids can do. Of course,
I made the choice, the brilliant choice, not to become
Bill Gates, but rather to become a very poorly paid
So my parents always wonder if that Yale Law
School education was really worth it or not. But one
of the things that I noticed that was really
interesting was how easy it was to look at other
people’s stuff; stuff you didn’t necessarily ever
think that you could actually get to. Now, of course,
we have progressed considerably from those days of the
mid-80s to a situation in which so much of our lives,
so much of our commercial activity takes place on the
net, it’s quite interesting to see that we can really
look at other people’s stuff and trespass into areas
of privacy both for personal individuals and for
industry, and even government, in a way that
heretofore was absolutely impossible.
So I think that the setting that we have
today, in bringing together folks who are leaders in
industry and government and academia in looking at
these very critical questions of cybercrime, is
something that’s quite important. This is, for those
of us in the legal profession, certainly a growth
industry for the future.
I’d just like to lay out today’s panels for
you. This morning the first panel that we will be
talking about, from 9:30 to 11:00 o’clock a.m., will
deal with technological investigative methods. From
11:15 to 12:30 we will be having a luncheon address
and a buffet lunch.
Unfortunately, Deputy Secretary Thompson who
was scheduled to speak, had to pull out at the last
minute because of other pressing concerns at the
Department of Justice. We’ve got a more than adequate
replacement in John Malcolm, who is Deputy Attorney
General in the Criminal Division. His portfolio
includes the whole cybercrime issue.
Following lunch, from 12:45 to 2:15, we will
have a panel on international cooperation. Obviously
one of the interesting facets of cybercrime is that it
knows no national borders. It is very interesting to
see the interplay among nation states as they develop
laws that deal with a truly international market
Obviously the internet allows us to talk to
and to buy goods from people not only in our same
state or within the United States, but all across the
world. My law school office is up here on the fourth
floor, and I’ve got a couple of friends that I talk to
who are in Europe. It’s amazing that we can keep in
touch in a way that heretofore simply was not
The other day in fact, I needed to buy a
camera. It was a camera that I could not find in the
United States. It was for my wife for her medical
practice. I was able to find this camera in Germany.
Through the miracle of international Federal Express,
two days later that camera that I purchased from
Hamburg, Germany appeared on my doorstep. That’s
something that even 10 years ago certainly I never
could have entertained.
The barriers to participate in an
international market place were such that being able
to do something like that was simply impossible. But
of course as an international market place has grown
up, so have opportunities for international
cybercrime. Just as human beings will congregate and
just as we can have crimes in our communities,
certainly we can experience crime and terrorism on the
net as well.
One of the interesting facets of this, of
course, is that crime has generally been considered a
local matter. The constitution provides that all
crimes, the trial of all crimes shall take place in
the districts in which they occur. Part of that was
the understanding that the general police power in the
United States was reserved to the individual states,
not to the Federal government.
Well, what happens when you make crime truly
an international event, where somebody in Russia can
work with somebody in Italy to sell child porn in
Iowa? It used to be the case, of course, for those of
you who are familiar with First Amendment law and deal
at all with obscenity, that we relied upon local
community standards. So it was local community
standards in Peoria versus Times Square in New York.
Now it’s not just Peoria and Times Square;
it’s what’s going on in Amsterdam, in Tokyo, in
London. The relevant communities that the net creates
are quite different than the normal geographic
communities that we’re used to. The type of shared
values and standards that we have are very different
in an internet community.
Our second panel, dealing with international
cooperation, will address some of the jurisdictional
and other issues that have arisen as a result of this
community that we call the internet.
The final panel, which is also one near and
dear to my heart and which Dean Grady will moderate,
deals with public and private sector cooperation. As
I think Dean Grady touched on in his speech, one of
the interesting facets again of the internet is the
way in which, although started basically by the
government, it’s something that is overwhelmed now by
commercial interests by and large.
It’s interesting that much of the most
sophisticated technological prowess exists not in the
hands of the government but rather in the hands of
private programmers, people in industry. Even here in
the good state of Virginia, we are used to the police
having the greatest fire power and relying largely
upon the government for police protection.
The internet, however, is a different medium
in the sense that it may not necessarily be the
government that has the biggest guns, but private
industry that has the biggest guns. Creating market
based and private solutions and private and public
cooperation, in my view, is absolutely vital for the
further development of the internet in this time. So
our final panel will deal with those private and
public cooperation strategies.
Finally, our afternoon keynote speaker will
be given by Claude Allen, who is the Deputy Secretary
for Health and Human Services. We decided, given our
general focus on cybercrime, that we thought we’d end
the day on a slightly different note and a slightly
different topic and bring in Secretary Allen.
Then without any further ado, I’d like to
turn the podium over to my colleague Amitai Aviram.
PROFESSOR AVIRAM: Thank you very much,
Michael. Good morning, and welcome to the first panel
of the cybercrime conference. This panel will deal
with technological methods - the mechanisms that help
detect or prevent cybercrime.
Innovation - how we create these mechanisms
- is largely a matter for engineers. But innovation
is useless without implementation. And implementation
- putting this technology into effective use - is
largely a matter for law and policy.
First of all, there are legal and ethical
questions regarding the use of modern technologies for
surveillance and investigation purposes. For example,
IP tracing becomes a very important issue as more
criminal activity moves onto the internet, but it’s
also quite invasive. Striking a balance between these
two is a matter for law.
Second of all, law creates incentives to use
or not to use these technologies. To illustrate, the
degree to which we impose liability on third parties,
such as website hosts, will affect who implements
safeguards and what safeguards are implemented. Law
needs to take into consideration these consequences,
This panel, which combines expertise from
legal practice, from the media, from academia, is very
well suited to answer these and many other questions
that will come up during this session. We will begin
with a presentation by each of the speakers, followed
by a short round of replies and finally we will open
the discussion to questions from the audience.
Our first speaker is James Meek. James is
the Washington correspondent for the Los Angeles Daily
Journal. In 1995 James became the first cyber
journalist to receive media credentials from Congress
and the White House while reporting for the online
magazine, Blender. He has written about criminal
justice and cybercrime for the New York Press, Law and
Order, National Journal, LexisONE, Interactive Week,
and Ladies Home Journal.
James has covered numerous cybercrimes, from
the Maxus internet fraud to the Mafiaboy attack on
commercial internet sites.
MR. MEEK: Thank you very much, Amitai.
Thank you Professor O’Neill for inviting me, and thanks
to the Federalist Society and George Mason Law School.
Last week I told my distinguished fellow panelists
that I wouldn’t take up the full 10 minutes allotted,
but I’m afraid I’m going to go back on my word.
I actually wrote something, because I’m a
writer. So I hope this won’t be too dreadful. I want
to start out with a hypothetical. This is a question
I want to pose to the audience. It’s a yes or no
question, so you only have to raise one hand if you
think the answer is yes.
Imagine for a moment that you’re in law
enforcement, or maybe you don’t have to imagine; maybe
you are a cop or a prosecutor. You put your life on
the line every day to protect the public. Then one
day you find out an ex-con has put your name on a
website along with the names of hundreds of fellow
officers in your community. Besides your name, your
rank and salary are listed, and your social security
number, and your home address and telephone number.
There’s even a map to your house.
The website’s publisher says he’s performing a
public service and leveling the field. It turns out
he got all the information about you from public
sources, court records, tax liens, the white pages.
So, here’s the question: Is this a cybercrime? If
‘yes’, raise your hand.
Now imagine you’re a computer hacker. You
code a malicious script that allows you to crack
certain web servers, the computers that host websites.
You then secretly break in to a website. But rather
than steal sensitive information or do any sort of
damage, instead you merely move one file, the index
page, the first page that users hitting that website
ordinarily see when they type in redstonearsenal.mil.
Did I mention it’s a government website? It
was. Now you move that index file to another place,
and you merely replace it with your own page, a
political screed, digital graffiti that criticizes a
bunch of rock bands trying to shut down the free music
sharing service, Napster, through copyright
You put up identical political speech on 200
more defaced sites: government, military, educational.
No tangible or financial damage done; you’re just a
colossal pain in the ass. Is that a cybercrime?
Should you be prosecuted under racketeering statutes
like John Gotti?
One more case. You download a piece of
software that people use to test the security of their
web servers, but you decide to try it out by launching
a distributed denial of service attack on a big
e-commerce website. Well, a dozen websites actually.
You flood their servers with data packets that in a
few hours equal the amount of web traffic that each
site would ordinarily see over the course of a year.
You cause a million dollars in lost revenue
by blocking these online store fronts. You’re caught
by the FBI, and you’re prosecuted. How much
punishment should you get if you’re convicted? Did I
mention you’re a juvenile?
These are real cases. Bill Sheehan, the
publisher of justicefiles.org has been sued by the
City of Seattle and other municipalities for posting
police officers’ personal information online. The
state legislature even passed a law prohibiting his
form of speech, as he called it. But authorities
determined he committed no crime, so you all have the
Robert Lyttle, a juvenile in Contra Costa
County, California was collared by the FBI and
prosecuted in a juvenile county court for defacing
hundreds of websites with digital graffiti protesting
the Napster lawsuits. No sooner had Lyttle struck a
deal with county prosecutors for probation than he was
popped again by the FBI for allegedly cracking into the
Federal Aviation Administration website.
He said he wanted to prove the government is
vulnerable to al-Qaeda terrorists, cyber terrorists,
but really only proved that Big Brother doesn’t have a
sense of humor.
Mike Calce, a.k.a. Mafiaboy, pleaded guilty
a year ago to being responsible for denial of service
attacks on a half dozen major e-commerce websites in
2000, such as E-Bay, Yahoo, and E-Trade. In
Montreal’s Youth Court he got a tough rap: eight
whole months in a halfway house. Mafiaboy now works
as a busboy.
These are real cases. They are real issues,
particularly in light of September 11th. A year ago
the U.S. PATRIOT Act was passed that was a sweeping
anti-terrorism measure that affected criminal statutes
in great part. It made hacking part of the Federal
crime of terrorism. It made hacking a RICO predicate.
Since then there have also been discussions
about sentencing. Should we sentence an 18-year-old
joy hacker the same as we would somebody who’s
involved in a more serious type of organized crime?
There’s some discussion of that.
I’ll be honest: I’m not a gear head. I
couldn’t give a damn about technology personally. As
a reporter, I like covering ‘blood on the street’
crime. But, while I don’t get off on bolts and bytes,
I’m fascinated by the imagination and creativity that
cyber-criminals often exhibit.
As a journalist, I love the accessibility.
How often does a reporter get a chance to ask a crook
what motivates him, even as he or she is literally in
the midst of committing the crime? Of course, that
raises its own issues, doesn’t it?
A couple of years ago I had direct email
correspondence with a hacker named Maxus during his
landmark internet fraud. He allegedly stole 350,000
virgin credit card numbers from e-commerce websites.
He tried to blackmail the companies, and then in
frustration, he said, he posted thousands of these
numbers on a website when the company didn’t pay up.
Now can you imagine how weird it must have
been to be sitting at home in Des Moines on a Sunday
night watching the Simpsons, and then your phone rings
and some guy is on the other end of the line saying
that he’s a reporter in Washington, D.C. and asks to
read back your credit card number, your expiration
date, your home address, and your full name, just to
confirm that it’s yours. That was me.
But it wasn’t as weird as corresponding with
Maxus; something I’ve done with other hackers who have
suddenly appeared on the media radar screen.
Incidentally, it turns out that Maxus might have just
been using the news media to publicize an even larger
scam to sell off stolen credit card numbers by the
bundle to professional carders, although Chris may
have some more information on that.
If I was a lawyer, and I’m not, I would beg
Chris Painter for a job at the Department of Justice.
He goes after cyber criminals, and believe it or not,
I think that’s really cool. But if Chris turned me
down, I’d go beg Jennifer Granick for a job. She’s a
cyber criminal defense lawyer in San Francisco and one
of the few attorneys who specialize in an area, which
I think is a growth industry in the law and law
Unfortunately, there aren’t nearly enough
Chris Painters or Jennifer Granicks to handle all of
the cybercrime cases out there. All too often they
get handed to prosecutors who’ve never handled
technology driven cases and to defense lawyers who
don’t know the difference between a script kiddy and a
black hat. The difference between these two types of
hackers by the way is like the difference between a
carjacker and an art thief.
It’s unfortunate to see how pitifully
under-resourced American law enforcement has been in this
area in the past 10 years when it comes to cybercrime.
Chris might tell us he’s got more manpower than he can
use and more money than his section can spend, but I’d
be surprised if he did.
Lately we’ve heard a lot about FBI agents
who couldn’t connect the dots on intelligence leads
prior to September 11th because their 1980’s era
computers couldn’t talk to each other. In truth the
problem at the FBI’s been much worse than just old
tech. The problem has been old think. For decades
innovative technologies at the FBI have been derided
by G-men called knuckle-draggers: FBI agents who do
gumshoe crime cases. That’s most of the agents at the
Bureau. Most of those knuckle-draggers aren’t very
proficient at finding terrorists either, apparently.
So there hasn’t been a career track for
agents interested in pursuing cyber-crooks, at least
not for a very long time. That may be changing now.
The savviest have left the FBI and the Justice
Department in droves because they were ridiculed by
thick-necked colleagues who love to brag that “real
agents don’t type.” Or they left when they realized
that government incomes could be tripled in the
Neither patriotism nor treason will put your
kids through college. Just ask Robert Hanssen, the
FBI agent who spied for Russia by downloading
encrypted national security documents onto his PDA.
When agents leave outfits like the National
Infrastructure Protection Center, they aren’t always
For years the men and women who get paid to
collar the Mafiaboys and the Kevin Mitnicks haven’t
been taken seriously by some in the leadership at the
FBI and the Justice Department. We’ve suffered untold
losses as a result of those egregious errors in
judgment and not taking cybercrime as seriously as it
should have been. I know that Chris is going to tell
me that some people do take it seriously, and that’s
very true; but there certainly is a history of people
Our privacy has been eroding and our cost of
living has risen because each time a hacker gets away
with fraud, for example, you and I ultimately have to
pay for it. The Bureau, under Director Robert
Mueller, whose last job was U.S. Attorney in high-tech
San Francisco, would like you to believe that the FBI
is now recruiting people who know a lot about
computers. That’s great if it’s true, because they
are needed, but they probably won’t make lengthy
careers out of the gig.
To wrap up, make no mistake, 9/11 changed
the face of Federal law enforcement in some sectors.
The FBI is supposedly reforming itself. The Justice
Department is reorganizing. Both the Bureau and the
‘mothership’ have put cybercrime at the top of their
to-do lists. If that’s true, it should make people
like Chris Painter big stars in government. If you’re
a law student, make sure to hand him your resume.
PROFESSOR AVIRAM: Thank you very much,
James. Our next speaker is Orin Kerr. Orin is an
Associate Professor at George Washington University
Law School where he teaches criminal law, computer
crime, and intellectual property. He is the author of
a forthcoming book on computer crime law and has
published many articles on the topic. Orin holds
mechanical engineering degrees from Princeton and
Stanford, so maybe he can also talk about the
innovation, not just the implementation. Also, he
received his law degree from Harvard, magna cum laude.
Prior to joining academia, Orin was an
attorney at the United States Department of Justice
investigating and prosecuting computer crimes.
PROFESSOR KERR: Thank you. I’d like to
thank the Federalist Society for inviting me, and
especially Michael O’Neill. I’m surprised and
delighted to learn I had some role in the formation of
this conference at the early stage. I feel a little
bit like Gilligan on Gilligan’s Island. You’ll recall
Gilligan would usually say something stupid, and then
the skipper would say “Gilligan, that’s a brilliant
Similarly, I feel like my reaction is, “I
had a great idea? Oh, well great.” This is not a
three-hour tour, by the way. This will only be an
hour-and-a-half panel, so no need to worry.
I wanted to take a different approach to the
problem and focus on comparing physical world crimes
and computer crimes from the standpoint of criminal
investigations. So you can pretty much break computer
crime law into two areas, much like you can do with
traditional criminal law. The areas are, substantive
computer crime law and procedural computer crime law.
Substantive computer crime law focuses on questions
like: What is a crime? What’s the scope of
criminality for conduct involving computers on the
first case? Procedural computer crime law asks: What
powers does the government have to investigate crime
in the second case?
I want to focus on that second case and in
particular the surveillance powers of the government
in computer crime investigations and how they compare
to physical world powers that the government has.
The basic framework is the same. So in the
physical world the government’s big task is, once a
crime has occurred, how to collect evidence of that
crime. The government must, first of all, find who
committed the crime, and second, prove beyond a
reasonable doubt with evidence admissible in court
that this particular person is in fact guilty. That’s
the challenge. The trick is to collect the evidence.
The government faces the same basic
challenge in the computer crime context. Once again,
the government has to collect evidence, needs to prove
beyond a reasonable doubt in court that a particular
defendant was responsible for the crime. So the same
basic challenge is there. But because the technology
is quite different, the way that that general task is
effectuated is totally different. This is what I want
to focus on in my remarks.
The way the criminal investigation will
actually unfold is very different in the computer
crime context. The way in which court orders are
obtained is very different. The reason it’s different
is just that the technology is different. We’re
dealing with a computer network in which the evidence
is bits and bytes left over from the crime.
What evidence exists, and how can the
government collect it? Sometimes crimes are ongoing.
The government can actually conduct prospective
surveillance, such as wire taps and pen registers.
These are ways of collecting evidence of crimes that
have not yet occurred. However, a lot of the evidence
collection is finding out what records happen to be
left over from the crime. Maybe there’s stored email
somewhere in which the defendant said “I just
committed this crime; this is what I did.” Maybe
there are logs showing that this person was actually
connected to the crime; they were logged on at this
particular time, and sent a particular command.
It’s that kind of evidence which the
government needs in order to trace back the crime to
the defendant and then show that the defendant, beyond
a reasonable doubt, was responsible for the crime. So
because the technology works differently, what the
government has to do is somewhat different.
So what exactly are the differences? Well,
the one big difference is that the government’s
ability to do its job is highly contingent on the
details of the technology. Let’s say it’s a computer
hacking case. The victim calls the FBI, says “I’ve
been hacked. What can you do about it?”
The government can start an investigation.
But at the beginning of the investigation they will
usually have no idea who is responsible for the crime,
physically where they are located, or whether there’s
a really good chance or not that they’ll be able to
trace back the crime to the defendant. The reason is
that whether they can in fact trace back the crime --
and typically that requires step-by-step following the
path back to the hacker -- it’s just going to depend
entirely on what logs happen to be kept by particular
internet service providers. That’s primarily what the
difference is going to be.
What evidence may exist is unregulated in
Federal law. There’s no law that says, for example,
that AOL has to keep its records for 30 days, or any
ISP has to keep any particular records. Those laws
don’t exist in the U.S. It means that the government
may happen to stumble upon something that allows the
government to solve the crime easily. On the other
hand, it may not.
From a criminal defendant’s point of view,
this means that the smarter you are, the more you know
the technology, the better you can manipulate the
technology - the bits and bytes that are left behind
- and the harder it is for the government to catch
you. One of the single dumbest things that criminals
who want to commit their crimes online will do, is
they’ll send an anonymous threat by Hotmail. So
they’ll go to www.hotmail.com, they’ll come up as
email@example.com and send an email. They
say oh this is great, it’s anonymous, the government
will never be able to find me. Well, if you
know anything about Hotmail, you may know that in the
header to the email, Hotmail includes the originating
IP address, which is the internet protocol address,
where the person is located, when they sent the email.
That may or may not give a physical location, but a
lot of times it will say, for example, that whoever
sent this email had logged on to Hotmail from an AOL
account. Or they were at a particular internet café.
Or they were actually at a particular computer in a
physical location. So there are some cases which the
government solved, and the reason they were able to
solve the case is because the original email from
Hotmail, which was supposed to be anonymous, actually
said where the defendant was. The defendant just
didn’t know it. That’s an easy way for the government
to crack one of these cases.
Flip side is, if the defendant is unusually
sophisticated, they can make sure not to make stupid
mistakes like that. The way I look at it, basically
if you’re a really sophisticated hacker, you shouldn’t
get caught. You have to mess up, you have to decide
“I want to speak to the press, because I think that
would be really cool.” You have to brag about it in
chat rooms. You’d have to sort of take affirmative
steps to taunt, say “ha-ha, you can’t catch me” to the
government, which, surprisingly, a lot of hackers
decide to do. But that’s what you’d have to do in
order to get caught. If you’re very smart, you can
probably commit your crime without being caught.
Another difference that this technological
switch from physical-world crimes to computer crimes
makes is that the evidence collection is almost
exclusively court-order based. So at almost every
step of the way the government, in particular a
Federal law enforcement agent, typically with an
Assistant U.S. Attorney, applies for court orders
compelling ISPs to divulge information.
If you look at Law and Order, you have the
police officer who goes around and they knock on
doors. They say we want to talk to you about what
happened on the night of September 14th. Then the
person says, “okay, okay, I’ll disclose that this is
what happened.” It’s a great drama on TV.
There won’t be computer crime dramas that
look like that on TV. Or at least if there are, it’ll
have nothing to do with what actually happens in these
investigations. Because what happens is that an FBI
agent says “I think we need a court order from
Hotmail,” or “I think we need a court order from AOL.
We need to collect this evidence.” An Assistant U.S.
Attorney or Justice Department trial attorney types up
a court order. It is submitted to a judge. A judge
signs it. The order is then faxed to the ISP. Three
days later the ISP faxes back the information. It
doesn’t make for great television, so you’re unlikely
to ever see that on TV.
But that’s how every step of the
investigation works. It is constant court orders at
every step of the way. A lot of the debate over the
U.S.A. PATRIOT Act that we saw a year ago was about
the circumstances under which those court orders be
Finally, a big difference between computer
crime investigations and physical world investigations
is that it is nearly impossible for the government to
prove its case without there being a search warrant at
the end, which is normally executed at the defendant’s
In the physical world, there are lots of
ways in which the government can say “we have enough
evidence to go forward.” Let’s say it’s an assault.
The victim says “I know what the guy looked like.
I’ll be able to ID him in a line-up.” The victim in
fact does so. Put the victim up on a stand, “yes,
that’s the guy who hit me.” Something like that.
It doesn’t work that way in the Internet
context, because nobody can actually see what’s
happening. So all the evidence that the government
has is bits and bytes, an email here, a log here, a
log there. It’s nearly impossible merely on the basis
of a few sort of scattered pieces of information to
prove beyond a reasonable doubt that a particular
defendant was committing the crime.
Really the only way that can be done is by
executing a search warrant at the defendant’s house,
which leads to the defendant’s computer, and the
discovery of files inside. The government can prove
that this defendant committed the crime by showing
that the computer in the defendant’s bedroom has all
the logs, all the information, and the secret file
that was downloaded present on the computer. That’s
how the government can prove its case.
From a defense attorney’s standpoint, if we
look at the other side of this, what makes these cases
extremely difficult is that Congress has not added a
statutory suppression remedy to any of the statutory
surveillance laws, like the Wiretap Act and the Pen
So if you’re a defense attorney and you’re
looking for grounds of suppression, you really can’t
rely on any potential errors in the government’s
investigation up to the search warrant. The only step
that really can be challenged is the search warrant on
traditional Fourth Amendment grounds. In fact, if you
look at the cases in the area of computer crime law,
you’ll see a lot of cases challenging search warrants,
arguing that there was insufficient probable cause, or
that the warrant was over-broad, at the very last step
of the investigation.
So those are just a few remarks on the
overall difference between computer crime
investigations and physical world investigations.
The capsule summary -- I like to do this for
my students who at the end of class say, Professor
Kerr, that was very interesting but what should we
learn from this, what’s on the exam -- is that the
basic framework is the same. It’s still the
government going out there collecting evidence. They
still have to prove beyond a reasonable doubt that the
defendant was in fact the person who committed the
crime. They still need to get search warrants. The
traditional framework is there. But because the way
the technology works, the way in which the government
goes about this investigation is pretty different.
PROFESSOR AVIRAM: Thank you very much,
Orin. Next we will hear Christopher Painter who is
Deputy Chief of the Computer Crime and Intellectual
Property Section at the Department of Justice. From
1991 to the year 2000, Chris was a criminal prosecutor
at the U.S. Attorney’s Office for the Central District
of California in Los Angeles. During his tenure
there, he specialized in investigation and prosecution
of high tech intellectual property and computer crime.
Chris has investigated and prosecuted some of the most
high profile, high-tech cases in the country,
including the first internet stock manipulation case
and one of the first internet auction fraud cases.
MR. PAINTER: Thank you. I agree with Jim:
first of all, I can talk about this subject for hours,
but we don’t have that much time, fortunately for you.
Second, I remember getting a request one time from a
television crew from Tech TV that wanted to do a ride-
along on a computer crime case.
I look at this problem from three
perspectives. Actually I’m going to key off some of
the things both of the first two speakers spoke about.
As mentioned, I was a Federal prosecutor for a number
of years, specializing in this area and did cases like
Kevin Mitnick which took approximately seven years to
do, and the stock fraud cases mentioned that took
approximately seven days to do, Mafiaboy and some of
the other cases that were mentioned.
In the last three years I’ve been back at
the Department of Justice concentrating still on the
cases, but also on the policy and some of the
international aspects of these things, including laws
like the PATRIOT Act and some of the policy and legal
regulations that go into it. Also for the past year
I’ve been chair of an international group. The G8 has
a High Tech Crime Subgroup where there are
representatives from each of the G8 countries that
deal with issues on high tech crime, particularly, the
procedures of tracing crime over the internet, which
is necessarily international; discussing data
destruction regimes where data actually gets destroyed
because of some legal regulations in some countries;
traceability of computer communications across borders;
and building means of cross-border law enforcement
cooperation, such as setting up 24/7 points of
Before I get to what I was going to talk
about I just want to comment a little bit about what
was said earlier about what’s happening in terms of
the lack of expertise or the drain of expertise at the
FBI and the Justice Department. I suppose one thing
about going third in panels like this is that you
necessarily react to what some of the other people
say. Although I think Jim made a lot of good points,
I would say that I don’t really agree that the
expertise is being drained away. For one reason,
frankly, the dot-com disaster, I think, has made it
much more unattractive to go into private practice.
But besides that fact, there is a growing
expertise in law enforcement. There is a growing
expertise at the U.S. Attorney level and the
Department of Justice. I think that’s really expanded
fairly dramatically even in the last couple of years.
When the new administration came in, one thing that
Attorney General Ashcroft did was create in 10, now
it’s up to 13, cities around the country, what are
called computer hacking and intellectual property
sections -- teams of prosecutors who concentrate in
When I was in Los Angeles, I was part of a
network that is not only still in existence, but has
grown dramatically, of prosecutors who specialized in
computer crime investigations, who actually understood
at least at some level, the technology, understood the
laws that applied, and understood all the processes
that Orin was going through about why these crimes in
many ways though the goal is the same are different to
That has grown. The Secret Service now has
task forces dealing with Cybercrime. The FBI, under
the reorganization that Bob Mueller has directed, has
created a cyber division led by an Assistant Director
named Larry Mefford, who’s building up the cyber
capability at the FBI, at headquarters and at each of
the field offices around the country.
It is, of course, a continuing challenge.
One thing that I will emphasize throughout today is
that because the technology changes so rapidly,
because the laws are not necessarily easy to apply,
and the investigations do require an understanding of
the technology, this is always going to be a game of
not so much catch up, but continued education for
agents and prosecutors, and a continuing challenge to
make sure that we keep up with the criminals.
Let me just talk a little bit about what I
have seen, and it keys a little bit off what Orin had
said about the differences between these different
kinds of crimes. One of the key things is that there
is an explosion of crime on the internet, both of the
sort of "old wine in new bottles," -- the internet
fraud, the stock fraud, the threats, all of those
things; and the new types of crime, the really
internet-specific crimes, the attacks on computers,
the attacks on computer networks, the hacking crimes,
the denial of service crimes. Each type has grown
dramatically over the last few years.
There are a few reasons for this growth, but
one of them is the changing profile in terms of the
people who commit these crimes. Traditional crimes
are still committed by traditional criminals; however,
hacking crimes, where it used to take a Kevin Mitnick
who had a lot of knowledge about how computers and
computer systems work, now has transitioned to someone
like Mafiaboy, who used available tools or tools that
were readily available to him to cause a huge amount
of damage on the internet without really a whole lot
The other thing that I think really
contributes to this crime increase is the fact that
the internet has a degree of both actual and perceived
anonymity. I think Orin talked a little bit about the
perceived anonymity, but there’s actual anonymity,
too. A lot of people who I think traditionally would
not commit a crime in the physical world, since they
would not either have the courage or the resources to
do it, can do it on the internet because (a) it’s easy
and they can reach a lot more victims, and (b) they
don’t think they’re going to get caught; they don’t
think there are consequences to their action; they
don’t think that you can attribute their conduct to
them and find them. Sometimes we can, and sometimes
it’s been more of a challenge.
I take issue with a few of the things Orin
said in terms of whether, if you’re really clever,
you’re never going to get caught. I think sometimes
you can be really clever and you do get caught. I
think the technology both helps and hurts here.
I had a case, a physical world case when I
first started as an Assistant U.S. Attorney, where
someone robbed a bank. This sort of parallels Orin’s
example. He wore a mask, so he was really taking
precautions. But we were able to find out who he was,
because he was a maintenance person in the building
and he left his nametag on. Not the smartest move.
That is similar to Orin’s comment about
people who send threats over the internet and don’t
realize that the IP address is there. The first case,
the first internet stock fraud case, a case I did, and
you can talk about in terms of how you actually trace
conduct over the internet, how you trap and trace the
various IP addresses, involves someone who posted a
fake Bloomberg web page claiming that stock of a
company named PairGain was going to be purchased. The
stock went up 31 percent on NASDAQ in the space of
about three hours.
It was a complete fraud. It was a fake web
page. It was posted on a web hosting service called
Angelfire. When we started looking to find out who
had done this thing, there was no money trail.
Usually with fraud cases there’s a money trail, but
there was no money trail here. There’s no money trail
on hacking cases either. So there’s no clear
connection, no easy way to trace the conduct.
We started looking at the electronic trail.
We started looking at the fact that the criminal set
up this bogus page on a web hosting service. We
looked at the information the criminal gave to the web
hosting service, because you’re supposed to give
information, including your name and address and
everything. It’s not anything the service verifies,
and as it turns out, the information the web service
had was that guy’s first name, "Headlines" and last
name was "99." Using years of investigatory
experience, we figured that was probably false.
So then we started looking deeper to see
what else was there. Well you had to give a real
email address -- it was a Hotmail address -- to get a
password for the web hosting service to allow you to
access and modify. Again, it was all fake
information, but if you look deeper into the data that
Hotmail and web hosting service had, they did trap in
their logs, the IP address, the originating IP address
of the person using their service. You could use
their information to trace back the communicators to a
physical ISP. This led back to an ISP called
Mindspring, now Earthlink, given a particular IP
address and a date and time. Earthlink was able to
identify a particular subscriber account that was
responsible for the conduct. This does not
conclusively tie the conduct to a particular person
since the account could have been stolen or used by
someone else, but Mindspring kept what were called
"radius" logs, which means when you dial into an ISP,
they not only can tell the particular account used,
but also the phone number accessing the account. We
were able to go right back to a particular number in a
particular residence, search his house, and in seven
days apprehend the perpetrator.
Contrast that with the clever hacker, as
Orin was saying. Contrast that with Kevin Mitnick,
who it took approximately two-and-a-half years to find
on the road, because he was using cloned cellular
phones to call into internet service providers. He
was using hacked accounts. He was bouncing his
communications internationally, and that made it very
difficult to track him.
So that does create a problem. I think the
modus operandi is shifting to the latter, rather than
to the earlier example. I think there are still
people who don’t realize what’s happening with the
technology and still just sending things out without
realizing that we get some information. On the other
hand, even the fraudsters, even the people we were able
to track because they did stupid things, are now
getting more clever. They’re encrypting
communications. They’re bouncing their communications
through several sites. They’re doing the things that
hackers have traditionally done, cleaning the computer
logs and other things.
What does that mean for us? That means that
there are certain challenges posed for law
enforcement. The challenges have to be met in a
number of different ways. First, there are the
technical challenges of having the ability to actually
track various criminal activities. They require
enforcement to develop tools to do this tracing and
working with internet service providers and others so
that they’ll have the necessary abilities.
The second challenge is having the necessary
legal framework in place. A lot of what the U.S.A.
PATRIOT Act really was about, was creating a legal
framework that applied to the internet in a way that
it did to the physical world. We could talk about
that alone for a long time, but I’m just going to hit
one point on that.
On the legal tool development issue and the
PATRIOT Act, one of the over-arching concerns that we
have in government is that there is a real
misunderstanding, I think, in the public of how high
tech crimes happen and what the legal tools are. That
public perception, which hopefully gets cleared up by
people like Jim and others is that they want the
internet to be secure. They want law enforcement to
be able to do its job and make sure that there’s
security and we can trace these communications.
On the other hand, the public is terrified
that law enforcement is abusing its powers, that
somehow in this dark, deep box of the internet, law
enforcement is gathering all kinds of information
about them, without any court order, without any
authority, and it’s putting it somewhere and is
abusing their privacy. The challenge for us is not
just the technical challenge, but educating the public
that there are rules, that there are constraints, and
that we follow those rules, and those rules are there
for a reason in terms of the kind of information we
get and how it is used.
It doesn’t help when you have misperceptions
like those that revolved around the badly named
Carnivore system that has been renamed DCS-1000. It
was characterized in the media as this device like a
vacuum cleaner that would suck all the communications
from everyone around the world into it and that the
FBI would sit there reading through it and figuring
out what everyone was doing.
Well, if you actually look deeper into the
technology, it’s no more than a filtering device.
It’s a filtering device that simply allows law
enforcement to effectuate a court order that it gets
from a judge for either what’s called "addressing
information," the same as what is outside of the
envelope essentially, or content information if
permitted by a court as a full wiretap. Despite the
press hype, it wasn’t this thing that was capturing
everything but was operating as a technical tool to
effect court-ordered investigation of criminal
There was perhaps one issue about
accountability when tools like Carnivore were used
that was cured by the PATRIOT Act. Just to make sure
that people understood that this tool was being used
properly, the PATRIOT Act said that the results of
something like Carnivore or DCS-1000 had to be filed
with the court. Fine, that was appropriate; that made
But the kind of paranoia that this thing was
being used in all these ways well beyond what it
really was, I think just underscored the fact that the
public has to understand what we’re doing and we have
to explain our capabilities and legal constraints.
The other thing -- and I’ll close on this --
is sort of misperceptions about the PATRIOT Act.
We’re going to hear much more about this either later
on this panel or later today. But again, there were
all kinds of misconceptions about that law. I’ll
focus on just one provision, and that was the hacker
This also illustrates sort of the odd kind
of collision between traditional law and the
technology as we see it. The Wire Tap Act is
something that deals, as many of you know, with
setting a fairly high bar, a really high bar, for the
real time interception of the content communication.
An appropriately high standard applies for this kind
of activity -- not only the standard of probable
cause, but there are a number of other exhaustion
remedies, et cetera, that are in the Wire Tap statute.
Well, one issue for us in law enforcement,
when dealing with victims, was that when hackers were
breaking into their systems and taking advantage of
their systems, there was a real issue in the victim's
minds and in law enforcement’s minds of whether they
could call law enforcement in to ask them to help
track the intruder in their system. Could we monitor
these intruders in the victim’s system?
If you look at the physical world, if a
burglar broke into your house and was in the basement,
you certainly could call law enforcement for them to
see what he’s doing and then arrest him. It’s not a
problem. In the non-physical, the cyber analog, it
wasn’t clear you could do the same thing, because the
Wire Tap statute goes beyond the Fourth Amendment to
provide certain statutory protections, and it didn’t
have an express exception for monitoring intruders.
The Wiretap Act wasn’t based on a reasonable
expectation of privacy, the Fourth Amendment
consideration, which an intruder just doesn’t have.
One of the things the PATRIOT Act did was
fix that; it made it clear that we could monitor an
intruder at the victim’s request. Though this makes
good sense, it was really characterized in very
different terms by different groups who might have had
different agendas. It was certainly characterized as
this sweeping expansion by many. Even Jim said this,
that this provision was a sweeping expansion of the
various powers that the government had when it was
very targeted and rational.
I think if anyone actually looked --
MR. MEEK: -- people respond to buzzwords
when you print them, you know?
MR. PAINTER: That’s another problem for
government. I’ll close on that. The problem for
government often is that when the press writes about
these things it sounds far more attractive to come up
with "sweeping expansion of powers" than "a modest
proposal that actually makes sense."
PROFESSOR AVIRAM: Thank you very much,
Chris. Our final speaker is Ralph Clifford, Professor
at the Southern New England School of Law. Ralph
received his B.A. from Duke University and his J.D.
from New York Law School.
Prior to joining legal academia, he
practiced law, concentrating in trial practice and
high technology law. Ralph published numerous
articles and several books in the field of computer
law, including his latest title, which is Cybercrime:
The Investigation, Prosecution and Defense of a
PROFESSOR CLIFFORD: Thank you. I’m
approaching the whole thing from a different
perspective. The topic I’m talking about is legal
consequences of not using technology that is available
to protect your web site; effectively, if you will,
liability for somebody else’s conduct.
When I started thinking about this in the
scope of cybercrime, I was stumped. I couldn’t figure
out how I was going to address the topic that I agreed
to talk about, so I decided to do what law professors
love to do, which is create a hypothetical. I chose a
hypothetical that was very drastic in consequences,
but hopefully not improbable, something that could in
fact happen. It proved out to be a very fruitful tool
in my analysis, so I’m going to start off with a
My hypothetical includes a hacker who gets
angry at a hospital for some reason or another: a
billing dispute, malpractice, it doesn’t matter. He
decides to use his computer skills to make the
hospital pay. He does this by launching a distributed
denial of service attack on the hospital’s web server
and email server.
To achieve that purpose, he buys one of
these CD-ROMs that had millions of addresses on it.
This particular CD-ROM was advertised as having the
addresses of several million users who have high-speed
access to the web, because that’s critical for his
He also knew that a vast majority of these
email addresses and computers would not have sufficient
firewall protection and would probably not have any
virus protection software that could detect the brand
new virus that he is about to write. Most virus
protection, after all, only detects a virus that has
been seen before.
He sends his email, and he makes it clever.
He disguises it as coming from the Red Cross. It
indicates that if you click on a link, you can get a
new screen saver that is a commemorative of the 9/11
events. Needless to say, that would be very popular
among people who like screen savers. In fact, to make
his message legitimate, he put a screen saver in the
message. But he also had several viruses associated.
First, he had a very classic virus that
replicated his little message and went to the email
address book on the computer and sent the message out
to everybody who was located on the victim’s computer.
The second thing he did is create a zombie, which is a
program that is left after the virus comes along.
That program is designed so that it will become
activated at a particular date, maybe a month later.
It has a trigger date on it.
It’s these zombies that will actually do the work of
destruction of the hospital system.
Finally, to make people like Chris have a
hard time tracking him down, the virus deletes all
copies of the message that came in so that there’s no
trace. That first hop back to the ISP is missing.
The culprit knows enough about computer technology to
be able to delete it everywhere.
On the trigger date thousands of these
zombies that managed to make it through firewalls and
were embedded on the machines launch a distributed
denial of service attack. Each copy of the zombie
would generate thousands, perhaps hundreds of
thousands of email messages, all addressed to the
hospital and would also initiate a like request for
data off of the hospital’s web page. Needless to say,
the hospital’s web page server and email server can’t
handle that kind of volume.
Usually this wouldn’t be that big of a
problem for the hospital, because if cleverly
designed, you don’t have the internet and your
internal computer function the same way. But I’ve
discovered very commonly, particularly for companies
or entities that are trying to save money, they share
the backbone, the principal pipe that connects all the
computers in the particular company. So that in this
hospital on the hypothetical indicates that the
backbone is the same backbone that’s used for all
internal hospital communications also.
So when the web server and the email server
are attacked, because they are then overusing the
backbone of the hospital, the hospital’s entire data
processing system goes down. As a consequence, two
critical systems are lost: patient medical records
disappear, and the systems that are used to monitor
patients, particularly in ICU units, stop functioning
simply because they can’t get their messages through.
They stop functioning in a way that you may
not be aware of the fact that they’ve stopped
functioning. After all, the computer doesn’t expect a
message on a regular basis.
The final step of my hypothetical is that
because of these consequences, several patients die.
That’s obviously the most drastic part of the
consequences of the hypothetical.
Using this hypothetical, I now take the role
of a District Attorney, because this is probably at
the state level, at least for the deaths of the
patients. Who can I prosecute? There are five groups
of actors that I’m going to have to take a look at:
the hacker, the easiest one obviously; the owners of
the various computers that were used by the hacker to
launch the denial of service attack; the ISP of those
owners; the manufacturer of the software that allowed
the virus to work; and finally, potentially the
For my discussion, I’ll use the Model Penal
Code simply because that’s a universal descriptor of
the criminal law. I think most state law systems
would be able to do what I’m talking about. We’re
presumably talking about prosecutions for either
manslaughter or negligent homicide.
No one in the hypothetical acted
intentionally with the intent to kill. So as a
consequence, the more serious murder charges, I think,
are excluded by the hypothetical. We’re dealing with
manslaughter, based either on recklessness, or we’re
dealing with negligent homicide based on sort of, if
you will, gross negligence or more than ordinary
What we’re dealing with in terms of
evaluating whether that recklessness or negligence
occurred is whether or not there’s a substantial and
unjustifiable risk that was either perceived by the
individual actor and ignored, or whether it was one of
these risks that should have been perceived by the
actor and wasn’t responded to, to separate the
recklessness from the negligence.
By the way, the other thing you have to
eliminate is accessory liability or accomplice
liability as the Code calls it under 2.06. To be an
aider or abettor in the commission of a crime, at
least as far as I can tell, you have to act with the
purpose of promoting or facilitating the crime.
Nobody but the hacker even knew that a crime was about
to occur, so as a consequence, none of our other
parties could be aiders and abettors. They’re either
going to have to be primarily liable on their own, or
they’re not going to be liable at all.
Let me talk about each. I’m going to start
with the hacker. We can get rid of the hacker fairly
quickly. Assuming he can be found -- and that’s not
an assumption that is necessarily going to be true --
there’s no question that at a minimum negligent
homicide should apply.
Attacking a hospital is different than
attacking a bank. If you do a denial of service
attack against a bank, the expected consequences are
going to be quite different than if you’re doing a
denial of service attack against an entity such as a
hospital. So I don’t think I would have problems as a
District Attorney bringing manslaughter/negligent
homicide against the hacker. But if he’s clever and
does not go around bragging about what he did with the
hospital, it’s going to be very difficult for the law
enforcers to track him down and bring him in for
So, we’re left with the other parties. I’m
going to talk about their liability first and then I
will whether, from a policy perspective, there should
be liability. I’m going to clump the hospital, the
computer owners, and the ISP into one class. I’ll
talk about the manufacturer of the software in a
For most of the people, the hospital, the
computer owners, the ISP, I think criminal prosecution
is improbable. In many ways these three groups of
entities are as much the victim of the crime as were
the patients. They after all did not want this to
happen; it just occurred.
There is one way, however, that they could
be tied in and be determined to be a proximate cause
of the deaths of the different patients. If they had
provided adequate protections so that their systems
would not be able to be used by this kind of denial of
service attack the deaths would not have occurred.
Such technology is available: a dual way firewall.
Lots of us have firewalls to keep things out.
Very few of us have firewalls to keep our system from
reaching out to the web without our consent or without
our knowledge. But such technology is available, and
If we were using that simple technology, the
zombies would not have been able to send out their
emails. The zombie program itself would not be
recognized by the firewall, and as a consequence, the
firewall would either just deny the zombie access to
the web or would pop up a screen saying this zombie is
attempting to send email messages, do you want it to?
That would have obviously stopped the attack here.
So as a consequence of not using dual way
firewalls, there is a touch of culpability on the
computer users. They didn’t do everything they could
possibly do to prevent the occurrence of the crime.
The ISPs are even one more step removed from
that, because after all, if they have a failure here,
it’s a failure to request that their users install
firewalls. I think we’re really moving out if you get
to the ISPs. Except, of course, my ISP, which
actively discourages you from using firewalls. If you
should be so stupid as to put up a firewall, you lose
your guarantee of service, because it is the
firewall’s problem if there is anything wrong with the
service. So they may be a little more culpable than
the typical ISP, or what I hope is the typical ISP.
We are talking about the liability of these
groups based on omission. That is accepted under the
model code and in state codes. Under section 2.013(b)
of the model code, a failure to act can be criminal,
if and only if there’s a duty to perform the omitted
That’s the rub when we talk about the ISPs,
about the users, and about the hospital: where is
their duty to act? There doesn’t seem to be one as
far as I can tell anywhere, although there’s some
statutory law in California that seems to be running
pretty close to imposing that kind of duty.
We’re not likely to have any change in this
area, at least at the Federal level. If you took a
look at the national strategy to secure cyberspace,
the scheme that’s proposed there is completely
voluntary, as opposed to legally mandated. So if I
were a prosecutor for these groups of people, I
wouldn’t bring charges, because I don’t think they
could be won.
The software company is different. If the
software company had a design flaw in it that allowed
this to be distributed, they could be under a positive
legal compulsion not to have such a design flaw. That
legal compulsion is products liability law. Products
liability law prevents the company from bringing out a
defective product in any way. If this is a defective
product, then they could be held accountable.
There is precedent for this kind of charge.
Some of you may remember from the 1980s that Ford
Motor Company was indicted in Indiana on the basis of
the Ford Pinto gasoline tank explosions. The company
was acquitted, but they were at least indicted for
So in summary, the hacker can be charged.
The software company is at risk of being prosecuted,
but nobody else is. Is this proper? I argue that it
is not proper. In order for the internet to continue
to function, in order for the internet to protect
itself against denial of service attacks in
particular, it’s necessary for every node to
The internet was based on the idea that
every node cooperates with the internet, and in fact,
every node can be trusted to be on the internet. It
was not designed as a commercial system, after all.
As a consequence it would seem that imposing this
obligation of protecting the internet from itself is
something that society definitely needs to do.
I’m not convinced that the criminal law is
necessarily the best mechanism for this. The criminal
law after all is pretty blunt edged; it is a pretty
brutal device to use to convince people to do things.
What I’m afraid of, if you read the President’s
infrastructure report and what other commentators are
saying, is that everybody is saying that somebody
should do something about it. With that attitude, of
course, there’s not going to be any way of protecting
the web from a denial of service attack.
Thank you very much.
PROFESSOR AVIRAM: Thank you very much,
Ralph. We’ll now give each of the speakers an
opportunity for a very short reply. Then we will open
it to questions. James?
MR. MEEK: I’m glad that Chris is here
because the more I mouth off, the more he is going to
correct me, and ultimately the more information I will
have at the end of the day, which is actually my
There were a couple of things that Chris
brought up. In preparing for this panel, we had
discussed some of the things we might talk about.
Chris had brought up at that time an interesting
thought and asked me if perhaps I would comment on it.
The issue was the public’s reaction to law
enforcement investigating cybercrime, and whether
there is a fear of invasion of privacy. That’s a
great topic. I’ve written many stories about privacy
concerns related to the PATRIOT Act and pre-dating the
Carnivore, this sniffer system that sucks
up, excuse me – carefully filters - emails, looking
for target words, is now renamed DCS-1000. That’s
Deadly Carnivore System. No, I’m kidding. What does
DCS stand for? Do we even know? It doesn’t stand for
anything, does it?
A real fear that the public has is that law
enforcement is going to somehow get access to the
digital home porn movies that they have on their
desktop in the course of investigating some other
cybercrime that has nothing to do with them. Maybe
their computer has been used as a zombie, commandeered
by a hacker to launch a denial of service attack or
something. Somehow their love letters or their
personal financial statements or whatever is going to
be discovered. There are many scenarios that people
I think Chris is right. A lot of that
concern has been overhyped by special interest
groups, like the Electronic Privacy Information
Center, which has about a million lawsuits against the
government on various privacy and Freedom of
Information Act litigation trying to find out more
The problem is the government has been its
own worst enemy in this starting with naming this
thing Carnivore. This is an FBI tool. As an aside,
the FBI, you may recall, after 9/11 put out a lot of
terrorism alerts. I’ll never forget one day they put
out one of these alerts saying bridges may be at risk,
and they put it at a web address, a URL on the fbi.gov
website that ended with skyfall.html. Wasn’t exactly
reassuring. Kind of, I don’t know, stupid.
Information about the system has been kept
very secret. EPIC has had to sue because they’re
trying to get more information about what is this
technology. Nobody has been allowed to see it. Very
few people have actually seen it, at least in the
private sector. There was, I believe, Attorney
General Reno, wasn’t it, that appointed some sort of a
commission of folks from the private sector, academic
types, to look at this thing and write a report; let
the public know. They came out and said actually it’s
not as bad as some people have said it was.
Changing topics, one thing I would say about
cybercrime in general is that I’m glad to hear
what Chris is saying in terms of expertise. Has it
reached a level of perfection? Do you have more
people than you can deal with?
MR. PAINTER: No.
MR. MEEK: So there’s plenty of work to go
around still. Chris is right, the dot-com crash
probably has made the private sector a lot less
attractive, but there are still plenty of people who
leave government to go into the private sector. The
fact of the matter is cyber security, despite the dot-
com crash, has still been a growth industry. There
are not fewer hackers; there are more hackers today
than there were two or three years ago.
There are more threats, legitimate threats
out there, as much to the private sector as to
government. Those threats, as Chris will tell you,
often come from within a company. A lot of their
concerns over security are not from some hacker
breaking in from the outside, it’s an employee who’s a
hacker breaking in from the inside. That’s a major
problem. So the cyber-security business, which is
another area that’s quite lucrative, continues to
The problem is that cybercrime rarely
captures the public’s imagination. The Mafiaboy case
was an exception. Funding in government goes to high
profile criminal investigations or types of
investigations. The great achievement of the PATRIOT
Act was that people like perhaps Chris or other very
savvy people like him convinced those in the
Administration who were helping to craft the PATRIOT
Act that cybercrime should be a major part of this
and, therefore, should get attention and ultimately
more money. That’s a good thing; that’s not a bad
So, I’ll toss the football.
PROFESSOR KERR: Just very briefly I wanted
to comment on Professor Clifford’s remarks and the
idea of third-party criminal liability. It’s an
interesting question, but I don’t think it will ever
happen. Not only do I think no prosecutor would bring
any of these charges, I don’t think it’s there on the
merits for any of the parties, including the software
developers. I don’t think there’s a criminal act,
taking the model Penal Code framework. I don’t think
there’s causation. I don’t think there’s mens rea.
At least off the top of my head, I don’t think any of
the elements are there.
Possibly there’d be a case where some
prosecutor could be aggressive and try to craft the
argument, but I really doubt it. I don’t even think
there’s going to be civil liability for third parties.
If you look at the legal scholarship, this is an idea
that’s been bandied about for about 20 years. There
are articles going back to the early 80s about how
software developers and ISPs, then you had BBS hosts --
this is pre-ISP -- are going to have civil liability
for negligent computer security.
As far as I know, no suit like that has ever
been filed. I’m sure eventually some plaintiff’s
attorney is going to file a suit, this being America.
But I doubt that will end up being a really
substantial component of things.
If you think of the analogies in the
physical world of somebody shot by a gun, we’ve seen
already suits against the gun manufacturers. So maybe
that’s the first step of that reasoning in the
physical world. But you could sue almost anybody who
has some sort of role in it. You could sue the people
who designed the road where the people were stopped
where the shooting occurred.
I think keeping that from getting too far
out of control, along those lines I doubt there will
be really substantial civil liability. But then I
probably shouldn’t even guess about those civil
issues, because it’s far beyond my area of expertise.
On the criminal side, at least, I just don’t think
liability is going to extend beyond the actual bad
guy, the hacker.
PROFESSOR AVIRAM: Chris?
MR. PAINTER: Quickly on a couple of things.
I think it’s an interesting dichotomy. People have
different expectations of both their privacy and
expectations of government in the cyber world than
they do in the physical world. I think in time that’s
going to start merging, when people start
understanding the cyber-world better.
I do think the problem with law enforcement
tool development and then the explanation to the
public of how these things work is going to probably
continue. But we need to develop those tools, because
we can’t simply throw up our hands and walk away from
an investigation if we don’t have the ability to
actually trace the conduct. Obviously that’s going to
involve not just us working by ourselves, but us
working with the various providers and the other
people on the infrastructure.
On the point of whether we still need
talented people, we obviously do. One of the things
as I think has been pointed out here today is that
these are not easy investigations to do. They do
require some technical expertise. I can say, and I
definitely want to say, not just because there are
some of them in the audience, that there are FBI
agents and Secret Service agents and prosecutors that
I work with that are the most talented people I’ve
ever seen. They really understand this stuff and they
are great. We definitely need more of them.
But we need more of them not just at the
Federal level. What I see this problem becoming in
the next few years is that every single crime is going
to have a cyber component. Anything you can think of,
the evidence or the communications is going to happen
over the internet or computer networks, which means
that law enforcement at every single level is going to
have to understand these things and be trained.
That’s something that is a challenge for us to
continue to meet.
One other challenge posed for us is the
availability of the widening trail.
In the cyber arena, data is very, very
ephemeral. The evidence just doesn’t last very long,
which means not only do you need the technically
skilled people, but you need them to be able to act
incredibly fast, not just nationally but
internationally, and have contacts and work
cooperatively and have the tools available to them and
So, no, we’re not at an optimal level. Yes,
we need more people. I think that’s going to be a
PROFESSOR AVIRAM: Thank you, Chris. Ralph?
PROFESSOR CLIFFORD: Yes, a couple comments
for Chris here, just sort of taking the opposite side.
In general I think the government,
particularly at the Federal level, has been very
effective in fighting cybercrime within the bounds of
our constitutional framework. But for many of us
outside of government, we’re always a little concerned
when government gets more power, not because of what’s
happening right now, but because of a fairly well-
known history of abuses by these Federal agencies.
The example I can cite obviously is the FBI
investigations and files that were maintained on
various civil rights activists in the 60s and 70s, all
of whom were engaged in constitutionally protected
rights but nonetheless were being subject to
investigation and harassment by the very agency who’s
now saying “you can trust us.”
The criticism that many of us in academia
and the privacy community have of the PATRIOT Act comes
not from a lack of recognition that the government
needs the power to investigate cybercrime, but from a
question about whether the PATRIOT Act provides
sufficient oversight by the public and by public non-
governmental agencies to prevent it from becoming
abusive in the future.
There’s no question that when you’re dealing
with cybercrime you need expedited processing. Things
in cyberspace happen very, very quickly. If you’re
going to hamstring the government and make them go
through weeks full of processing in order to get a
search warrant, then the evidence of the crime is
going to be gone.
But with expedited processing under our due
process clause should also come greater protection.
If you take a look at the courts’ decisions in the
area, it’s not a case that the government can’t act
first and then have its hearing or have its
justification where justified, it’s the question of
whether and when is that hearing going to come. When
is the decision, made in the heat of the battle of the
cybercrime investigation, going to be reviewed to make
sure it is legitimate under the government’s scheme?
PROFESSOR AVIRAM: Thank you, Ralph. We now
open it to questions from the audience. But just to
make sure you are all heard, if you want to ask a
question, raise your hand. We will get a cordless
microphone to you. And please state your name and
affiliation as well.
MR. CLARK: Hi, my name is Drew Clark with
National Journal’s Technology Daily. It’s been an
excellent panel and a lot of good perspectives. Up
until the last comment though I was going to say
what’s missing is the perspective of a privacy
I do have two questions along those lines
that are related. I guess the first is for
Christopher and Mr. Kerr. You both alluded briefly to
data destruction and presumably data retention. That
is, of course, a lively controversy in Europe right
now. I’m wondering whether U.S. prosecutors are
interested in something like what they’re trying to do
over there, which is a year’s worth of data logs being
required to be kept. What are the pros and cons of a
mandatory data retention regime?
I guess the second question of a privacy
nature is whether you have any reaction to the fact
that the fundamental change the cyber-world has caused
in terms of individual privacy is that we keep details
of our personal lives in databases under the control
of third parties, companies. There are simply not
adequate laws to protect the privacy of that
information in the same way that one individual can
protect the privacy of information on a computer in my
home or in my desk drawers.
The PATRIOT Act just goes further in the
direction of making it easier for law enforcement to
get those third-party records. So on that perspective
of privacy, could you address that question, please?
MR. PAINTER: Let me take the first and a
little bit of the second. I’m sure Orin might have
some comments, too. When I said data destruction, you
have to look at this in terms of a continuum. In the
United States we have a free market system where ISPs
are allowed to keep data for as long as they desire
for particular network security or other purposes as
they see fit. They are not required to keep data, nor
are they required to destroy data.
In certain other regimes, in Europe and
other places, there are laws or protocols which tell
ISPs that if they have data that they don’t need for a
billing purpose anymore, they need to destroy that
data. Now there are reasons for them to say that they
want to do that, but what’s not really thought about
is the real adverse impact that has on law
enforcement. When data is destroyed, obviously the
electronic trail is not there.
We do not advocate in this country changing
the system that we have, the balanced system where the
ISPs can and usually do for various reasons, for their
own purposes, not because we ask them to, keep the
kind of data, the logging data, that we need in an
investigation and which we get with court orders.
So there’s not a move to change that. The
fear that I and some of the others, including the G8,
have expressed, is when you have data destruction
regimes that get rid of the data that make it
impossible then to trace the electronic trail.
On the second issue, the entire Electronic
Communications Privacy Act, which is the part of the
U.S. Code which really deals with what law enforcement
needs to do to get certain kinds of information from
third parties - internet service providers, remote
computing services, etc. - goes beyond the Fourth
Amendment protections. It recognizes that perhaps
there is a greater privacy interest when people store
things in the internet context or in the computer
context with third parties.
It requires different levels of process and
different showings depending on how sensitive or how
private that information is. So if we’re talking
about the contents of emails in transit, you need a
search warrant, you need probable cause. If you’re
talking about certain other kinds of information, you
need something called an articulable facts order
issued by a judge.
So there are protections Congress has
already thought about in terms of this new environment
where maybe because you’re entrusting it to a third
party, there’s not, perhaps, a constitutional
expectation of privacy, but there certainly is one in
the sense that people are entrusting these things to
third parties and have certain expectations about
So that scheme is in place. We obviously
need to be sensitive to that. That’s a developing
thing, and it will continue to develop.
PROFESSOR KERR: Yes, to pick up some of
those questions, the only people that I know of in the
United States who talk about mandatory data retention
are privacy advocates who say the government might be
in favor of it, and we need to watch out for it.
If you talk to anybody in the Justice
Department or anybody in the government, they’re
against it. So I don’t think it’s really even on the
table. I don’t think anyone’s behind it; it’s just
dead. Currently the laws allow the government to send
a request that requires the ISP to maintain records
that are already created, basically don’t delete
orders. In effect, the request says, “If you normally
delete this information, don’t delete it now, because
we’re coming soon with a court order.” It has to be
in those circumstances where the government is
actually coming soon with a court order. That’s the
current regime in the U.S. I think it works pretty
well. I don’t think there’s any support at all for
mandatory data retention really from any corner of the
debate in this issue in the United States.
As for the broader issue of third party
records, you’re exactly right, which is exactly why
Congress passed the Electronic Communications Privacy
Act back in 1986. What’s ironic about some of these
issues is here Congress was way ahead of the curve.
They passed ECPA when I was in high school. That was
only three years ago actually.
Congress, and in particular Senator Leahy
and several others, were way ahead of the curve and
passed a pretty good framework of laws long before
anyone really thought through these issues. So to
some extent we’re sort of grappling and realizing that
there are problems now, which Congress recognized a
long time ago. It’s a rare case, I think, where
Congress was ahead of the curve, not behind it.
The PATRIOT Act fiddled with some of the
standards but really didn’t change the framework from
1986. I think that framework will probably be around
for quite a long time.
PROFESSOR AVIRAM: Next, please.
MR. FOREMAN: I’m Frank Foreman, U.S.
Department of Education, and my question is how bad
can cybercrime get? I can think of several things
that I’d be afraid of. There’s an electromagnetic
pulse that puts you behind the dark angel. There’s
the physical destruction of the internet backbone.
There’s messing up the world’s banking systems.
There’s stealing military secrets. Finally, there’s
the one I fear the most, which is some virus will eat
up the world’s hard drives. The question is how bad
can cybercrime get?
MR. MEEK: Can I answer this question and
then throw it to Chris, because I’d like to sort of
advance the question a little bit? I don’t think
personally that we have seen anything compared to
what’s possible. I don’t think we’ve seen the worst.
I’m not going to say we’re going to see the worst, but
what we have seen barely scratches the surface of what
is possible. I think maybe Chris can paint some
Here’s where I’d actually like to ask Chris
a question. One thing that’s talked about an awful
lot is cyber terrorism. I would like to know, at this
stage of the game, how the government defines cyber-
terrorism and whether or not you all really think that
there are cyber-terrorists out there?
In reporting on this over the years, I have
not found a whole lot of evidence. There are foreign
governments that have cyber-attack units. There are
people who specialize in information warfare. The
Chinese get talked about a lot. But there is no Osama
bin Laden of cyberspace yet. There may be one day,
but as of now, there is no personality or terrorist
group that is known to be on the internet committing
terrorist acts, like, for instance, shutting down air
traffic control somewhere and causing planes to fly
into each other. So I’d be curious to see where the
government stands on this at this point.
MR. PAINTER: Well, I guess one thing is
that I think it becomes clear as we become more
dependent on information systems for everything, from
control systems for dams to just communication,
banking, everything else, that creates necessarily a
system that can be attacked, just like any other
system can be attacked, and creates vulnerabilities.
How bad can it get? I would think it could
get pretty bad. If someone attacked what are called
SCADA control systems that control dams or other
critical infrastructures, that could get pretty bad,
that could be a real attack. If they were able to
attack critical systems like airport systems or
banking systems, that could get pretty bad.
Could they do it here? Could they do it
internationally? That’s all possible. The response
to that has been a recognition that law enforcement
has an important role in this, in trying to attribute
the conduct and make sure there are consequences and
determine for these attacks. But that’s not the only
answer. You have to combine strong response and
attribution with prevention. We need to do things like
the draft national strategy talked about to actually
harden systems and have people really think about
security in a disciplined way.
That dovetails into what I think your
question is. Do we see cyber-terrorists? The way I
look at cyber-terrorism is this: It doesn’t matter who
the actor is. For cyber-terrorism I look at the
results. If someone opens up a dam and floods a
valley, I don’t care if it was a 12-year-old, or
someone who is “the Osama bin Laden of cyber-
terrorism” - the result is the same. The result is
still a lot of destruction or disruption of services.
Those things need to be taken seriously.
I think Orin said that we don’t know in the
beginning of a case who is responsible. We don’t know
if it’s a “cyber-terrorist” or if it’s a very talented
14-year-old. We have to take those cases seriously
and investigate them.
So it’s not so much defining a class of
cyber-terrorists, but trying to make sure those
horrible things don’t happen by hardening the systems
and working to make sure we can make those people who
do those things responsible.
MR. MEEK: Well it hasn’t happened, so
somebody must be doing something right. But terrorism
has always had a fairly specific definition.
MR. PAINTER: Let me add one other thing to
that. I think that even within the PATRIOT Act -- you
mention that the PATRIOT Act had made certain kinds of
cybercrime terrorist offenses but for very limited
purposes, only for supervised release conditions and
some other things.
There’s another side to that which is that
everyone uses the internet to communicate and to plan.
Terrorists do that too. I think that’s going to
continue. Will terrorists develop the ability maybe
to couple physical attacks with disruption of command
and control and communications systems? Perhaps,
that’s not an unforeseeable consequence. So those
things, I think, could happen. That’s another reason
why we need to take these crimes seriously.
PROFESSOR CLIFFORD: Can I make a comment,
too, just quickly?
PROFESSOR AVIRAM: Yes, please, Ralph.
PROFESSOR CLIFFORD: This is just dealing
with the basis of the internet itself. I think the
internet is incredibly robust. It wasn’t designed to
survive nuclear attack, which is sort of a common
misconception, but it has that effect. The only way
to destroy the internet is to take down every single
node on the internet. As long as there are two of
them there, the internet is still functioning at some
level. So the internet itself is robust.
The fundamental flaw of some uses of the
internet is that it assumes that the internet at some
point in the future will be secure. The internet, by
definition, is a system that runs on trust. Every
node is supposed to be able to trust every other node.
As a consequence, if you have a bad actor node out
there, or someone who has turned a node into a bad
actor, it makes the processing that goes on the
internet extremely vulnerable.
So I think from a policy perspective what
has to be recognized is although it’s certainly
cheapest to use the internet for your communication,
there are some systems that are so critical --
aircraft control, dams, the power grid -- there are
some things that are so critical to people surviving,
that they should not use the internet. They should go
to private communications.
MR. PAINTER: Let me just add, there are
many government and other critical systems that are --
they say the best security is six inches of air.
They’re really separated from those kind of
PROFESSOR AVIRAM: Over there, to the left,
and then the last question will be to the right.
MR. HEFFNER: Allen Heffner, I’m with a
company called Issue Dynamics, a public affairs and
internet strategy company. I was going to ask
Christopher Painter the question first, then I guess
open it up. Chris, you’re the government
representative, so I figure you know everything and of
course can tell us more possibly from that
The question is just a first order question
about the scope of the problem, which really wasn’t
addressed at all. I was hoping maybe you could shed
some light on that. You’ve talked a lot about
cybercrime, and I’m throwing everything under the
umbrella of fraud and denial of service and viruses
and child porn and cyber terrorism. Can you give us
some idea of the scope of the problem? We hear about
an exponential growth over time. I’m interested in
what kind of data do you have that you can actually
shed some light to show us what kind of exponential
growth there’s been in these various corridors?
I guess the second question is who really
tracks this information and keeps it? Is it kept at a
jurisdictional level, at a prosecutorial level where
the crime is committed? As we know, it’s committed
all over the place. How is it shared?
MR. PAINTER: Well, as far as what the scope
of the problem is you’re right. Much of the sort of
analysis ends up being anecdotal. It’s based in part
on the growth of the internet and the users on the
internet and the reports we get of various kinds of
The scope of the problem can be defined in
so many different ways. I think there’s a difference
between new cyber-crimes and the traditional crimes
committed over the internet, which I think almost all
of them are now. I think if you go down to West
Virginia where they have the Internet Fraud Complaint
Center, who gathers complaints from people,
traditionally just on internet fraud but now it’s
expanding to many other kinds of crimes as well, they
show just those limited referrals have been
explosively increasing. The FTC site that deals with
various kinds of fraud echoes that trail.
Hacking is a little harder to track, but
we’ve seen through our network of prosecutors around
the country, just on the Federal level, a lot more
cases, and the states have seen a lot more of these
too. That’s why the states and the attorney generals’
offices around the country have been looking at it
You’re right, though, that traditionally
we’ve had a problem in actually having kind of some
good statistical survey of this case. The one that is
most used, and it’s not a scientific survey, it’s a
Computer Security Institute FBI study that comes out
of San Francisco and has for the last, I think, six
years tracked approximately 500 respondents and looked
at trends in cybercrime -- insiders versus outsiders,
type of attacks, why or why they don’t report to law
enforcement, et cetera -- and that’s very helpful to
look at trends.
You can also look at the statistics at the
Department of Justice, at the individual U.S.
Attorneys’ offices, at the FBI, the Secret Service who
do talk about the number of cases opened, et cetera.
But those are not complete.
One thing the Department of Justice is doing
is it is looking at putting together a much more
robust statistical survey, which will be rolled out I
think fairly soon and take place over a number of
years, where we can really get a handle on that kind
of statistical information that you mention.
PROFESSOR AVIRAM: Okay, last question,
MR. ICHOR: Thank you. I have a question
about the definition, scope, and perhaps why the
analogy of cybercrime is being used as its own entity.
To help frame the question, I’d like to pose a couple
If I go to this utility on Gallows Road in
Fairfax, Virginia, just north of 29, just south of 50
and cut the big bundle of fiber that feeds the Bell
Atlantic CLAC, Verizon CLAC, and disconnect most of
Northern Virginia from the rest of the world, is that
If I go to the facility out in Tyson’s
[Corner], which is a major internet peering point and
cut one of the big fiber bundles that’s very nicely
marked in the garage, with a pair of bolt cutters, is
that a cybercrime?
If in the case of private infrastructure, as
someone had mentioned, that’s riding on the same
infrastructure, it might not be the public shared
infrastructure as we think of it in terms of internet
protocol VPNs. If I disrupt all of this, is that a
If I blow up the building -- I mean, at what
point does it stop being a cybercrime, does it become
something else, and at what point do we just need a
new analogy for what determines a crime, because we’re
just changing the venue, not necessarily what it is
that we’re doing.
And I realize I didn’t introduce myself; I
apologize. My name is Joshua Ichor. I’m an
information security specialist. Thank you.
PROFESSOR KERR: I’d like to take this one.
The question of what is a cybercrime versus a non-
cybercrime, I don’t think it’s the right question in
the sense that it’s not like there’s a statute that
says the government can prosecute cybercrimes but not
non-cybercrimes or vice versa. I think the question
is ultimately what is the criminal conduct? What fits
the element of some criminal statute that a
You might have a statute that prohibits
intentional destruction of property, intentional
interruption of service of a telecommunications
device, something like that. Basically the way the
laws divide is there are traditional crimes, which can
cover both internet versions of the traditional crimes
or physical world versions. So possession of child
pornography, the laws apply equally whether it’s a
magazine or a digital image.
Then there are computer specific crimes,
sort of attacks against computers, such as 18 U.S.C.
1030, the Computer Fraud and Abuse Act, intentionally
accessing a computer without authorization, causing
damage to a computer, that sort of thing.
So ultimately the question is what fits
within these criminal statutes, and I think it’s
important not to get too hung up on defining what is a
cybercrime versus not a cybercrime.
MR. PAINTER: I would completely agree with
Orin. Of the Federal statutes, only the computer
crime and abuse statute, which deals with hacking and
viruses, really is sort of a core cybercrime. Every
other kind of conduct committed over computer networks
still is prosecuted under those traditional statutes.
When you attack something by cutting it off,
that may be destruction of property. It’s not a
cybercrime. It’s important, though, because when we
look at things like the national strategy to protect
cyberspace, the draft, and other things like that,
they look at it not just in terms of the cybercrime
element, but also in terms of protecting cyber
infrastructures from physical attacks. So there is
some confluence there. When we talk about cybercrime,
we’re really talking more about the heartland of
attacks on cyber systems.
PROFESSOR AVIRAM: Do any of the other
panelists want to respond?
PROFESSOR CLIFFORD: I can respond with an
old joke. How many programmers does it take to change
a light bulb? The answer is none, because that’s a
software problem. In my mind, a lot of the definition
of cyberspace is that you’re dealing in the software
world as opposed to hardware world. To a certain
extent, if you can touch it, it’s not cyberspace.
Similarly on a lot of your hypotheticals,
because you’re destroying things that I can touch, in
my own mind - not that it has any practical difference
in terms of the real world - in my own mind those are
not cybercrimes. Those are regular crimes.
If you used a computer program to achieve
the same result by taking down the software that’s
running on one of these hardware nodes, in my mind I
would define that as a cybercrime.
PROFESSOR AVIRAM: Thank you. We have to
conclude, at this point, the first panel. We’ve had a
very stimulating conversation. I’d like to thank all
of our panelists, James Meek, Orin Kerr, Chris
Painter, and Ralph Clifford, for a terrific
THE FEDERALIST SOCIETY
A Luncheon Address
Honorable John Malcolm,
United States Department of Justice
11:15 a.m. - 12:45 p.m.
October 3, 2002
George Mason University School of Law
MR. REUTER: I think we’re all ready to get
started. I am pleased today, as we resume with our
luncheon speaker, to introduce John Malcolm, who is
the Deputy Assistant Attorney General in the Criminal
Division at the U.S. Department of Justice.
I have known John for a few years now. It’s
good to have him here today. It’s even better to have
somebody of his talents and demeanor back in
Government service. He’s an honors graduate at
Columbia College and Harvard Law School. He has a
distinguished, if not yet long, career. He has
clerked in both the U.S. District Court for the
Northern District of Georgia and the 11th Circuit Court
of Appeals. He’s been an Assistant U.S. Attorney in
Atlanta. He’s also been an Associate Independent
Counsel in Washington, D.C. He’s been a partner at a
law firm in Atlanta that bears his name, Malcolm and
So without further ado, I give you John
MR. MALCOLM: First of all I’d like to
extend apologies on behalf of Larry Thompson. Larry
got called up to the Hill to testify at the last
minute. I’m in no way, shape, or form seeking to deny
or denigrate Congress’s legitimate oversight
responsibilities, but I feel safe in terms of saying
that I think Larry would probably prefer to be here if
he had a choice.
I’m also going to do something a little bit
unusual. I’m, of course, speaking on a panel this
afternoon, so you get the unmitigated joy of hearing
me twice. I got called a couple of days ago by Dean
saying "Look, Larry’s had this conflict come up, do
you mind speaking?" I said, "No problem at all."
I wrote up this great presentation about the
U.S.A. PATRIOT Act figuring okay, this is a good cyber
crowd. I sent it over to my good friend, Chris
Painter, who read this and said "You absolutely can’t
give this, because everything you’re going to be
saying this afternoon at lunch, we’re going to be
saying during the first panel."
In part he’s right. So I have actually got
something unusual. I have two speeches. I’m going to
get a quick show of hands. I’m not going to bother
counting. I’d like to get sort of a general consensus
or else I’m just going to pick one. You can hear a
speech about the U.S.A. PATRIOT Act in which you will
hear some repetition, mostly about hacker trespass, or
you can hear a speech about something totally
different, dealing with enemy combatants and closed
immigration hearings, obviously topics that have been
talked about a lot as of late, but having very little
to do with the cyber world.
By the way, afterwards I am happy to answer
questions. There were a lot of topics I could have
talked about: FBI guidelines, special administrative
measures, and I’m happy to stick my foot in my mouth
on all manner of topics, so I have no problem with
people asking me questions.
So, before I begin, let me ask you, who
would like to hear about the detention of enemy
combatants and closed public hearings on immigration
matters? Hold them up high. Okay.
Who would like to hear U.S.A. PATRIOT Act?
Okay. It looks like I can proceed to give the second.
I will try not to repeat too much of what
you heard this morning. It was an excellent panel; I
should have anticipated that they would cover some of
The debate about how to strike a proper
balance between cherished privacy rights and the
legitimate needs of law enforcement and the
intelligence community is not a new one. This debate,
however, has grown more vigorous and more vociferous
and, of course, increasingly more important since the
shocking and unprovoked attacks on the World Trade
Center and the Pentagon on September 11th of 2001.
Although it is vitally important that we do
everything we can to pursue and apprehend terrorists,
I do not believe that, at least as it pertains to the
Electronic Surveillance provisions, the U.S.A. PATRIOT
Act signals some kind of fundamental shift between
online privacy and Governmental power.
There are those who believe that with
respect to many aspects of the war on terrorism and
also with respect to the surveillance provisions in
the U.S.A. PATRIOT Act, the pendulum has swung way too
far in terms of denigrating privacy rights at the
expense of law enforcement and intelligence gathering.
In fact, I think there are those people out there who
think that the Department of Justice is essentially
acting like some voracious PacMan that’s running
around and swallowing civil liberties at every turn.
Still there are others who believe that the
Government ought to be given even greater tools to
protect the public from further harm. It is certainly
true that the public at large expects us to use, in an
appropriate manner, all of the tools that are in our
arsenal, including those set forth in the U.S.A.
PATRIOT Act to prevent additional attacks and to bring
to justice those who were and are responsible for
plotting against us. And, speaking, at least from the
perspective of the Department of Justice, I believe
that we are doing just that, and I’m unapologetic
We recognize though that while desirous of
feeling safe and secure, Americans are extremely
reluctant, as they should be, to give up their
privacy. Many are understandably on guard against
what they perceive as Governmental overreaching at
this time of crisis. This backdrop frames much of the
debate about security versus freedom and explains much
of the controversy that continues to surround the
U.S.A. PATRIOT Act, and I assume will be surrounding
it for years to come.
This is an important debate that is healthy
for a free society which is governed by the rule of
law. The Department of Justice has not abandoned the
rule of law; we embrace the rule of law. I applaud
all of those attorneys out there in privacy groups
that are challenging government actions. These issues
are being trumpeted in the public and talked about in
front of Congress and talked about in the courts.
That’s good; that’s the way it ought to be.
I believe, however, that in terms of
advancing this debate, there has been a lot of
misinformation and hyperbole about the scope of change
brought about by the U.S.A. PATRIOT Act. In addition,
there are provisions of the U.S.A. PATRIOT Act that in
fact protect and extend civil liberties, including
increased civil penalties for improper disclosure of
surveillance information and new reporting
requirements when the government installs its own pen
trap device such as DCS-1000, which of course was
originally referred to as Carnivore. I suspect that
the person who originally named it Carnivore is one of
those people who, as a previous speaker suggested, is
now in the private sector. A lot of these privacy
enhancing provisions have been roundly ignored by the
While there are those who contend that the
U.S.A. PATRIOT Act has dramatically expanded the
powers of law enforcement, I would contend that in
fact it is a very measured piece of legislation. I’d
like to begin with a brief overview of the PATRIOT Act
and then discuss a couple of its more controversial
provisions, specifically the pen register and trap and
trace statute and its application to the Internet, and
the computer trespasser exception, which Chris Painter
talked about a little bit.
The U.S.A. PATRIOT Act provides the law
enforcement and intelligence communities with new
tools and resources to prevent terrorist acts and to
apprehend and punish the perpetrators of such acts.
Two fundamental objectives animate its provisions.
First, to increase our surveillance capacities with
respect to criminals and terrorist networks. Second,
to enhance our abilities to swiftly track down and
apprehend criminals and terrorists, hopefully before
Now regarding the Internet and other
electronic communications, the Act expands existing
provisions that permit law enforcement, with
appropriate judicial oversight, to intercept and
The U.S.A. PATRIOT Act accomplishes many of
its objectives by updating surveillance laws to
account for changes in technologies that have occurred
over the intervening years, such as the increased
usage of emails, the Internet, and cell phones by both
cyber criminals and by terrorists. In this way it
updates the law by making it technology neutral.
Just because new technologies have emerged,
should that mean that criminals now have some new ways
to thwart legitimate law enforcement activities? By
means of the U.S.A. PATRIOT Act Congress has declared
that cyberspace should not be a safe haven for cyber
criminals, terrorists, and others who are bent on
committing criminal activity. By the same token, the
same privacy protections that were afforded to users
of the telephone during its heyday, have for the most
part been extended to these new technologies, too.
Now as I previously mentioned, one of the
more controversial provisions of the PATRIOT Act
involves the application of the pen register and trap
and trace statute to the Internet. Congress enacted
the pen register and trap and trace statute in 1986,
and it requires the Government to seek a court order
for so-called pen trap information.
Now in rough terms, a pen register records
outgoing addressing information, and a trap and trace
device records incoming information. For the
telephone a pen register would record the numbers
dialed from a telephone, and a trap and trace device
would record all the incoming numbers.
In 1979 the Supreme Court ruled that in the
telephone context there was no reasonable expectation
of privacy in this sort of non-content information,
because it was shared by the user with communication
service providers. This means that from a
constitutional perspective there was no court order
necessary in order for law enforcement to compel
production of this information.
When Congress enacted the pen trap statute,
thereby providing statutory protections that were not
afforded by the constitution, it did not anticipate
the new communication technologies which we have
today, such as the Internet. Indeed, some of the
language that Congress drafted in the original pen
trap statute appeared to relate to the telephone only.
For instance, it defined pen registers in terms of
The PATRIOT Act updates the pen trap
statute’s language to make it tech-neutral, as it now
applies more generally to dialing, routing, signaling,
or addressing information. It also makes explicit
that which had previously been implicit and
constitutionally based, a distinction between content
Thus, the pen trap statute now unambiguously
applies to Internet communications, which could be
interpreted, by the way, as another extension of civil
liberties. If something wasn’t constitutionally based
and the original statute didn’t apply, arguably law
enforcement didn’t need any kind of a court order in
order to get this information. Now the pen trap
statute clearly applies to the Internet. Clearly you
have to get a court order.
However, the pen trap statute’s new language
does not constitute a significant expansion of
Government power. In fact it’s hardly an expansion at
all. Prior to the U.S.A. PATRIOT Act, the Government
was already using the pen trap statute, adopted almost
universally by every court to consider the issue, in
order to get non-content information in many
jurisdictions. The PATRIOT Act has simply confirmed
that this was a proper course of action.
Consider, for example, the case of James
Kopp. You may recall that he was indicted for the
murder of Dr. Barnett Slepian, who was an abortion
doctor in East Amherst, New York. Mr. Kopp, who was
wanted by law enforcement officials, communicated with
his cohorts through a shared Yahoo account. To avoid
sending emails, they left messages for each other in
the account’s drafts box, which they then accessed
through the Internet.
Federal prosecutors sought a trap and trace
device in order to get information concerning the IP
addresses from which the account had been accessed.
Through that information, Mr. Kopp was traced to
France, and he was arrested. This happened in
February of 2001, during the very early days of the
Bush Administration, long before the events of
September 11th and long before the enactment of the
U.S.A. PATRIOT Act. Mr. Kopp has been extradited
here. He is now awaiting trial.
Next let’s consider the U.S.A. PATRIOT Act’s
computer trespasser exception, also known, as Chris
Painter already told you, as the hacker trespass
exception to the Wire Tap Act. This provision
generated a surprising amount of opposition. A good
portion of that resistance, I believe, comes from
people who simply don’t understand what it is.
For example, there was one senator during
the debate who said that the hacker trespass exception
could be used to monitor the emails of an employee who
has used her computer at work to shop for Christmas
gifts. This is simply untrue.
All right, so what is the computer
trespasser exception? To explain, I’d like to give a
very brief overview of the Wire Tap Act, which
provides the statutory framework governing real time
electronic surveillance of the contents of
The structure of the Wire Tap Act is
surprisingly simple. The statute’s drafters assumed
that every private communication could be modeled as
a two-way connection between two participating parties,
such as a telephone call between Person A and Person
B. The statute prohibits a third party, such as the
government, from intercepting private communications
between those parties using an electronic, mechanical,
or other device absent a court order, unless one of
several statutory exceptions applies.
Now under this general framework, as it
applied prior to the PATRIOT Act, the communications
of network intruders, which may be routed through a
whole series of compromised computers, could be
protected by the Wire Tap Act from interception by the
government or any other third party. The PATRIOT Act
simply enacted another exception to that rule.
The computer trespasser exception allows
victims of computer attacks to authorize law
enforcement to intercept the wire or electronic
communications of a computer trespasser. It includes
several significant limitations which ensure that it
does not expand beyond its core function.
First, the owner or operator of the computer
has to authorize the interception of the trespasser’s
communications. More importantly, the interception
cannot acquire any communications other than those
that are transmitted to or from the computer
Finally, the exception may not be used when
the party that’s going to be monitored has an existing
contractual relationship with the owner or operator of
the computer. They may be going beyond the extent of
that authorization, that contractual limitation, but
if they have an existing contract, they are not an
outside hacker. Therefore, an entity’s legitimate
customers and employees can’t be monitored under this
exception. In sum, the statute was crafted carefully
to ensure that the government is only monitoring
Now, although narrowly confined in scope,
the computer trespasser exception is a significant new
tool for law enforcement. For example, weekly we read
about successful distributed denial of service attacks
on computer systems all around the country. Typically
these attacks are channeled through zombie computers
that have been compromised and which are owned by
innocent third parties.
The computer trespasser exception gives law
enforcement the ability, with the consent of that
innocent third party, to monitor the communications
through their computers. Now some have criticized the
computer trespasser exception as somehow restricting
the judicial role in investigations. You’ve heard a
lot about that.
It’s true that without this exception, law
enforcement would have to make a probable cause
showing before a magistrate before intercepting a
hacker’s communications. However, I believe that the
hacker trespass exception again strikes an appropriate
balance between privacy and law enforcement.
When a citizen finds a burglar in his
basement in the middle of the night, he wants to
protect his family, find out who this person is, and
why that person is there. When that citizen calls the
police, he wants and deserves immediate action. By
being able to act immediately, the odds of the police
catching the burglar before real harm occurs go up
When the law enforcement officer gets that
call, he has no need to wake up a prosecutor or judge
in the middle of the night in order to get a warrant.
The burglar has no right to and no reasonable
expectation of privacy to prowl in the middle of the
night in someone else’s basement. The same is true in
the online world.
A computer hacker who is acting without
authorization has no right to and no reasonable
expectation of privacy in rooting around in somebody
else’s computer system. Just as there was no need in
the real world example to wake up a prosecutor and a
judge, there should be no need for a prosecutor and a
judge in the online example. There is no legitimate
privacy expectation that would be served by requiring
a court order and judicial oversight in this
Moreover, just as it’s impossible to tell
who’s in the basement, when a computer hacker enters
into a sensitive network, it’s impossible to tell
whether that hacker is a script kiddie who wants to do
something malicious, root around, maybe deface a
page, or something like that, or whether we are
talking about somebody who is a serious cyber
criminal, or a cyber terrorist, who is plotting an
attack, who is trying to get valuable critical
infrastructure information to create a threat to life
Under these circumstances, time is of the
essence. By being able to act immediately, the
chances of finding out who that hacker is, what that
hacker wants to do, and catching that hacker increase
immeasurably to prevent real harm both to the
immediate victim and also possibly to others who might
be harmed by that intrusion.
In conclusion, I want to say that I think
it’s entirely appropriate following September 11th to
ask questions about the balance that has been struck
between privacy and law enforcement and security. It’s
entirely proper to ask such questions. I think it’s
However, I think the U.S.A. PATRIOT Act
demonstrates that, at least in the Internet context,
what was needed was simply a tune-up. It wasn’t a
major overhaul. Congress updated the statute to
accommodate for new technologies and new situations.
It did so in a manner which remains faithful to old
principles and long-standing constitutional doctrines.
The debate about privacy versus security is
not likely to end any time soon. These are difficult
times, and difficult questions that we face. Nobody
should claim to have all the right answers, because
none of us is omniscient. It is entirely appropriate
that we have debates like this in symposiums, in
courts of law, and within the Executive Branch and
also in our dealings with the Legislative Branch.
Obviously there is going to be oversight. A
lot of these provisions are sun-setted. We have
people like Larry Thompson who go up to the Hill on a
regular basis to report on these things. There is
judicial oversight. We’ll see where this goes.
Thanks for inviting me. I’ll be happy to
take your questions.
MR. CLARK: Thanks. Drew Clark, National
Journalist Tech Daily. I guess I’ve got a number of
questions, but I'm trying to limit them.
MR. MALCOLM: No, go ahead.
MR. CLARK: At presentations such as this
it’s natural that the Justice Department would want to
put the most favorable interpretation of legislation
on the table, and you have done that and I appreciate
your tone. I just must ask, all of the things that
you didn’t mention, the things such as the secret
searches that are now enabled and not sun-setted. For
example, I guess the most important piece about which
I’d really be interested in your reaction, is the
changes to the Foreign Intelligence Surveillance Act,
and how that opens the door to new expansive searches
of individual citizens without probable cause to
believe they have committed any crime whatsoever, and
indeed the opening up of third-party and educational
records under the FISA provisions that are now
MR. MALCOLM: I’ve got to write down the
ones you’ve asked me about. Hold on a second. Go
MR. CLARK: Yes, there are some privacy
provisions as you point out in the statute, but I
guess I feel compelled to point out each of those
provisions you mentioned were the result of a
legislative compromise that was not originally
proposed by the Justice Department. The Carnivore
reporting was Mr. Armey’s insistence. Changes to the
computer trespassing were narrowed because of Senator
Leahy’s objections. So I guess I raise that to point
out that yes, it’s notable as you point out, it’s
important to have this debate, but these weren’t
suggestions the Justice Department came forward with.
They were only added at the insistence of Congress.
So any reactions to those points that I’ve
MR. MALCOLM: I’ll react to all of them.
I’ll take your last one first. We live in a system of
checks and balances. That’s great. We have two major
parties, multiple other parties, three branches of
Government -- Federal system and the state system --
and they’re all supposed to be questioning each other.
They’re all supposed to be looking at each other.
Things are often a series of compromises.
If you were to look at the Administration’s
original bill, there may be certain provisions that
you thought were way over the line. I certainly think
there were good justifications to support all of those
provisions. Did they get compromised? Sure. Did
they get weakened in some instances? Probably. Did
they get strengthened in some instances? Probably.
Did some ideas originate within the government? Yes.
Did some ideas originate within Congress? Yes. Did
some ideas originate within privacy groups? Yes.
I don’t think, though, that it’s an accurate
characterization to say that after September 11th, the
U.S.A. PATRIOT Act was drafted by the government as
some kind of Christmas tree that was going to go and
steamroll across the country as a complete wish list
of Government actions. I think that it was tempered
by Congress as it deemed appropriate. That’s the way
our system operates, and I see nothing wrong with that
I don’t think it’s accurate to somehow say
"Well, had it been up to the Executive Branch, the
Constitution would have somehow been done away with,
and it’s only Congress that saved it." I think there
was a lot of give and take in the PATRIOT Act.
With respect to so-called sneak and peek
searches, the idea that you can go in with a court
order, not knock and announce your presence, but go in
secretly, search for something, or implant a device,
is not terribly new.
There are Title III orders (Title III has
been around for a long time), for instance, in which
you get a court order to go in and plant a bug, say to
go plant a bug in a mobster meeting room, that takes
place under cover of darkness. People don’t know that
an agent has been there. They don’t know an agent has
left. Hopefully they don’t find the evidence that
indicates that an agent has been there.
All this does is apply this mode of
operation to the search context. Sneak and peeks have
been done in the drug area for a long time. So I
think this is really a clearer codification of what
was existing all along. I don’t think that there’s
anything particularly novel about that. A lot of
times you need to go in somewhere where a crime has
occurred or is being plotted and get the best
information that you can. But it’s not an appropriate
time to bring down an investigation. You want to
develop leads. There’s judicial oversight there.
It’s not as if United States Government
agents are knocking on the door or breaking in at
night without any kind of oversight. All of these
situations involve going in front of a judge and
saying why you believe evidence is there and why you
believe you need to get in there, and why there is a
need to do this secretly and not to leave a sign, a
calling card, that you’ve been there. So there’s
appropriate judicial oversight to that, and I don’t
think that it’s a particularly new law.
With respect to the FISA Court changes, I
assume you are talking about the balance between law
enforcement and the intel community -- to those of you
who may not know what we’re talking about, and of
course if you were referring to something else, let me
know -- the FISA Court is the Foreign Intelligence
Surveillance Court. It’s a special court that sits
within the Department of Justice that enters orders in
cases involving -- not necessarily terrorists, it can
involve terrorists -- but it can also involve
espionage. It involves foreign powers and agents of
foreign powers conducting something of interest to the
The FISA Court orders do not have a lesser
showing to make; they have a different showing to make
than one would have to make before a judge in a
criminal case in which you need to show probable cause
that a crime has occurred and probable cause to
believe that evidence is in a particular location.
The FISA Court rules, which are set forth in
the Foreign Intelligence Surveillance Act, had a
provision that said that if you got a FISA Court order
with this sort of surveillance by a FISA Court judge,
that the primary purpose had to be for intelligence
gathering. It didn’t say that there couldn’t be some
correlative law enforcement purpose, but that the
primary purpose for the order was for intelligence
gathering. It was designed to separate the intel side
of the house from the law enforcement side of the
The showing that had to be made had less to
do with whether or not there was a crime being
committed. Frankly, some of the stuff may or may not
be a crime, but you’re going to gather intelligence to
see whether or not somebody is harming our national
interest, that is the showing that you had to make by
probable cause was that there was a foreign agent
involved or a foreign country involved or an agent of
a foreign power. So you still had a showing to make,
and there was still a judge there who determined that.
The FISA Court statute has been amended to
change the word primary to significant. The law
enforcement and the intelligence community have always
worked to some degree together in the FISA Court
context. However, you could now have a situation in
which a law enforcement objective is the primary
reason to go to a FISA Court, and regarding the
intelligence aspect of things, there’s a significant
purpose for it. It doesn’t have to be the primary
reason. There are a lot of people who are very
concerned about a weakening of this wall of separation
between the intel community and the law enforcement
There’s only so much that I can say about
it, because the matter is currently in litigation
before the FISA Court Appeal Board. For the first
time in the history of the statute such an appeal has
been taken, and there was a court order issued by the
FISA Court questioning the legitimacy of this change.
I guess my response is (1) it’s a change that Congress
made; and (2) this was not hidden. The purpose for
this, at the time that Congress considered it, was all
within the Congressional record. I suppose the major
reason to justify this change is because the lines in
the terrorism context and the times we’re facing now
between law enforcement and intelligence gathering
have largely blurred. They’ve blurred for several
reasons. One, we had a shocking revelation that there
were intelligence failures prior to September 11th.
There are people out there now who are saying "Why
didn’t you connect the dots? There were signs out
there that you should have read, and if you had read
them, disaster might have been averted." Well, I
don’t know whether there were enough dots out there in
order to avert a disaster. That’s one of those
However, it is true that we need to do a
better job about connecting dots. We’ve literally had
situations, in which the intel community was gathering
information about potential terrorist attacks, which
of course involves criminal acts as well, and you had
the criminal law enforcement community within the
context of grand jury proceedings, which are secret
proceedings, gathering information about criminal
activity that could implicate a terrorist attack. The
two sides weren’t talking to each other.
We need to find a way to get them talking to
each other. In addition to that, the lines are
blurred because people now realize that law
enforcement, stopping people and arresting people, can
be a legitimate tool in intelligence collection in the
same way that intelligence collection can be a
legitimate tool to aid law enforcement. It is a
change. I don’t think it’s a dramatic change. It’s a
change of emphasis. The matter is in litigation.
Those are the reasons for the change. You can agree
or disagree with them.
I believe you also talked about records
searches. I assume that mostly what you are concerned
about are library searches. Is that fair?
MR. CLARK: Yes, but I think it’s broader
MR. MALCOLM: It is broader than that. I’m
not completely familiar with all of the parameters of
this. Please forgive me, but I will tell you what I
can tell you, which is I don’t think that there’s any
secret that after September 11th it was discovered that
a lot of these terrorists, Mohamed Atta and the lot,
did a lot of communicating in libraries on the
Internet. They’re there; they’re accessible; you can
use them and remain relatively anonymous. I think it
is safe to say that libraries contain useful
information for law enforcement in both criminal
investigations and terrorism investigations and also
for the intelligence community.
There is obviously a high degree of
skepticism about law enforcement activity involving
libraries, because a lot of legitimate First Amendment
protected activity takes place in libraries: what you
read, what you look at. The overwhelming majority of
people who are there are there for perfectly
legitimate purposes, and it shouldn’t really be
anybody’s business what it is that they’re reading.
I hear you. I’m with you. I also
understand that there is a history of FBI abuses to
some degree in that area. There were references to
the 1960s civil rights era in which FBI agents were
keeping files on people who were engaging in First
Amendment-protected activity that was somehow
unpopular within law enforcement’s counter intel
program. That’s part of the FBI’s history. We don’t
want to forget the lessons of history.
The guidelines that are in place for library
searches reflect a recognition of that history and a
wish to avoid repeating that history. One, an FBI
agent can’t just go in and get these records. He
again has to go to a FISA Court judge or a designated
magistrate, make the appropriate showing, and get a
Before you ever get to a FISA Court, the FBI
guidelines in this context require approval, several
levels up the chain. They make very clear that there
have to be legitimate law enforcement or intelligence
purposes to get this information that is not protected
by the First Amendment. You’ve got to show that there
is some real likelihood that there’s going to be
something there showing nefarious activity that can
harm our national interest in a very serious way.
So is that something to be watched? Yes,
it’s something to be watched. Should there be
oversight over that? Yes. But there is quite a bit
of oversight built in to the system that’s now been
changed, and let’s hope that those tools are used
appropriately and that they won’t get abused.
MR. CLARK: Just one follow up.
MR. MALCOLM: Another question, okay.
MR. CLARK: Why isn’t the Justice Department
responding to the House and Senate Judiciary Committee
request for information about oversight if there is
oversight, and you expressed the desire that there be
oversight? Why aren’t you responding to those
MR. MALCOLM: I didn’t express the desire
that there be oversight, but I think it’s perfectly
legitimate to have oversight. Actually, no, I think
it’s a good thing to have oversight; of course it’s a
good thing to have oversight.
I think that’s painting with a broad brush
to say that the Department is not responding to
MR. CLARK: That’s not answering the
MR. MALCOLM: Well, wait a minute. I think
that’s painting with a broad brush. There are, as you
know, many, many subcommittees within Congress. All
of the Senators and the Representatives in the House
have all been elected. They’re all important people;
they all have a right to ask for and get information.
On the other hand, there’s a lot of work to
be done. The Justice Department’s got a day job, too,
of catching criminals and fighting terrorism. If
every Congressman or Congressional subcommittee is
asking for information, there’s a lot of duplication
that is going on. Not to mention the fact that a lot
of the information that’s being requested is
classified. There are certain subcommittees that are
set up specifically to deal with classified
So, one, there are appropriate channels to
funnel information to Congress, appropriate
subcommittees. Just because one subcommittee is upset
about the fact that it’s not receiving information
does not in fact mean that that information is not
being relayed to Congress. Part one.
Part two, there are, as you know, and this
is nothing new, legitimate disagreements of opinion
about what is producible. Congress has its view of
Executive privilege and the President’s constitutional
prerogatives. The Executive Branch has its view about
internal deliberation and Executive privilege material
that should not be turned over.
It’s not unique to the area of terrorism.
You see this for instance in the fight over judges.
Ask Miguel Estrada about whether or not his memoranda
from the time that he worked in the Solicitor
General’s office ought to be turned over to the Senate
Judiciary Committee. The Executive Branch has taken
the position, as have a number of Solicitor Generals,
both Democrat and Republican, that this is internal
deliberation material and in an Executive Branch
context and should not be producible under the
Separation of Powers Doctrine.
The same debates though apply with respect
to intelligence and law enforcement. I don’t think
that it’s fair to say that the Administration is
somehow sticking it to Congress. We are working with
Congress to see to it that Congress can satisfy its
legitimate oversight activities while at the same time
doing the job of protecting our country and also
protecting the Executive Branch. It’s not just for
this administration; it’s also for future
MS. KAPLAN: Hi, I’m Kathleen Kaplan from
MR. MALCOLM: Hi.
MS. KAPLAN: One of the things when you were
talking that came to my mind was this information
overload. As a lowly professor at Howard, I get 50 to
100 emails a day, which is like reading a book every
MR. MALCOLM: Tell me about it.
MS. KAPLAN: So, is some of the problem just
information overload with catching these cyber
criminals and other types of criminals. Where you get
so much information, how are you going to determine
what’s important and what’s not?
MR. MALCOLM: I don’t know. I’m not 100
percent sure I know what you mean, but let me try to
tackle what I think you mean. It’s a difficult
question. We’re being bombarded with information. I
have the greatest sympathy for people, for instance,
who say "Okay, we’re going to raise the level of alert
status from yellow to orange. But they’re non-specific
threats; we can’t tell you when they’ll
occur, and we can’t tell you where they’ll occur or if
they’ll occur at all."
What do you do in response to that? I
understand that. It’s difficult to process that sort
of information. It’s a little bit, however, a
situation of (1) there are a lot of people out there
that are seeking that information who get very upset
when you don’t give it, and (2) there’s a little bit
of a damned if you do and damned if you don’t.
If you give the information, you’re accused
of panicking the public and overloading folks. On the
other hand, if you don’t give that sort of
information, and God forbid something does
happen...let’s face it, we live in perilous times. We
have enemies abroad. There are soldiers fighting now.
We have enemies within our borders, terrorist cells,
people who are bent on our destruction, living right
here within our shores.
If you don’t give that information and
people don’t act in an extra vigilant manner and take
whatever precautions they want to take, they avoid
taking an unnecessary flight or a trip or what have
you, then they’ll say "You mean you knew that and you
didn’t tell us about it?" It’s tough.
We live in a time of instantaneous news.
You can get it over the Internet from any number of
channels. You can get it on cable TV from any number
of sources. A lot of us are news junkies. How you
take that information and process that information, we
all struggle with that. I get more than 50 emails a
The public has a right to know about it.
Whether you choose to tune it out or pay attention to
it, that’s an individual choice.
MR. FOREMAN: Frank Foreman, U.S. Department
of Education. Since this is the Federalist Society,
let me ask a Federalism question. More specifically
for you, what are the sorts of things that the states
and local governments are incapable of doing?
MR. MALCOLM: Are capable of doing?
MR. FOREMAN: Capable and incapable of doing
as far as cyber crime is concerned.
MR. MALCOLM: Well, you can give an answer
with respect to cyber crime and with respect to all
sorts of crimes, including terrorism, including
organized crime. States have certain advantages over
the Federal Government when it comes to law
enforcement. The Federal Government has certain
advantages in law enforcement vis-a-vis the states.
In terms of crimes that are taking place
within a state, there’s your local law enforcement
officer who’s going to know the business community,
those people on the ground, know the neighborhoods
where criminals are acting, be able to go out on the
street and have that day-to-day contact with folks,
and do a very effective job of rooting out crime, much
of which will be intrastate, some of which will be
interstate. They can do so perfectly well without the
intervention of the FBI or Secret Service or DEA or
whoever, thank you very much.
However, the Federal Government has more
resources that it can bring to bear in certain
specialized cases. It has certain expertise that it
can bring to bear in certain cases.
I’ll give you a good example. It is
cybercrime and it’s not cybercrime. It crosses into
the area that the gentleman in the back asked about
before, because it involves child porn. Many of you
may have heard about the CandyMan case.
The CandyMan was an email group that was
distributing child porn internationally and across
many, many states in this country. Now if you look at
an individual group member in one particular
jurisdiction, maybe you can take the idea that "Okay,
all child porn is just bad period. Even if there’s
only one perpetrator, we’re going to investigate it
thoroughly and we’re going to prosecute it."
However, using that as an example, you can
have crime that is in fact broad ranging. In any one
state the consequences may not be serious enough to
justify having the state use its local scarce
resources to fight that problem. They may do so
because they lack the resources and don’t have the
intelligence to get the big picture and to realize
that what’s a small problem in this state is in fact a
very large organization and is affecting many, many,
Those are the sorts of resources that the
Federal Government can bring to bear. It can look and
say, "Well, you know, it may look like a small
problem, but it’s a small problem here, and in this
city, and in Arkansas, and in Nevada, and in Utah, and
in Maine. When you add it all up, it’s a pretty big
problem." We have the resources and the ability to
look at the totality of that and to really hit these
people who are perpetrating this heinous activity hard
in a way in which the locals can’t.
Obviously there’s a big concern, which is an
entirely different debate topic near and dear to the
Federalist Society’s heart, about the Federalization
of crime. One, from a constitutional perspective, and
two, from a resource perspective. Federal resources
are not limitless. They are also specialized, and you
want to make sure that they are being used to maximum
advantage. So where do you cross that line between
Federal resources and state resources? When do you
choose to deploy Federal resources? A lot of the time
we work in task forces; we work in coordination with
each other. That has to be done occasionally.
MR. FOREMAN: Is cybercrime substantially
different from other kinds of crime in a way, as far
as the Federal state balance would turn out?
MR. MALCOLM: Well, it’s substantially
different. One, in that there tends to be more
expertise, although we’re trying to remedy that, at
the Federal level than at the state level. Two,
people who perpetrate cybercrimes have the ability to
cast a very, very broad net. They can perpetrate this
crime far and wide.
Let’s take a simple example. Your Nigerian
scam letter. We all used to get one or two of those
letters. It used to be that somebody had to sit in a
room, draft this letter, sign this letter, stick it in
an envelope, put on a postage stamp, and send it.
Then if it came back, they had to keep a file of who
they contacted and how much money they got and what
letter the victim had gotten in the scam.
Now with the computer, you get these letters
all the time. It’s easy. You draft it up online and
you send it out all over the world. If you get a
positive response, it goes into one database; if you
get a no, it goes into another database.
So any criminal activity, if you use the
computer as a facilitating device, can be spread
astronomically. Well, locally the government can’t
handle that. It doesn’t know the scope of what’s out
there. It doesn’t have the law enforcement tools --
maybe some states do, but by and large they don’t have
the law enforcement tools to take on that sort of
activity. They don’t tend to have the expertise,
although we are working very closely with groups like
the National Institute of Justice to remedy that as
quickly as we can.
I know there’s a hand back there.
AUDIENCE MEMBER: I have a question, I want
to go back to the oversight question that Drew was
asking. This is really a factual question from my
ignorance, no doubt, of the PATRIOT Act. When you
were talking about the example of the library search,
there is a perception out there, and I hope you can
counter it to assure us all, a perception of the sort
of star chamber quality to these matters.
You mentioned there are FBI guidelines,
approval up the chain of command, but of course still
within the FBI.
MR. MALCOLM: Right.
AUDIENCE MEMBER: An application made to a
court that is, as you say, within the Justice
Department. Who does now, is there independent focus
of those decisions?
MR. MALCOLM: The Court meets within the
Justice Department. The Court is made up of Article
III judges, life tenured, nominated, confirmed by the
Senate, a separate branch of Government. These are
not people who are in any way, shape, or form toadies
to what the Executive Branch of the Federal Government
would like to have happen.
We live in an open society. Unfortunately,
because of the dangers that we confront, there is
information of a very secret nature that has to remain
secret. If you tell it to people, your sources and
methods are compromised. What you know is going to be
out, and perhaps what is more important is what you
don’t know. People will be able to rearrange their
plans, alter their strategies, have a greater chance
at perpetrating their crimes, or to avoid detection.
If we’re conducting an intelligence
investigation, let’s say of a hostile government or
maybe even an ally trying to gain a competitive
advantage or to make up for a technological
deficiency. It may be economic espionage. If you
have that information out in the public, you’ve
completely defeated the purpose of the investigation.
I mean no more that you would want to have
Donald Rumsfeld sitting with the Joint Chiefs of Staff
holding a public hearing and taking questions about
where they’re going to attack tomorrow. You can’t be
in the position of telling people who are bent in a
literal way, on destroying us where we think they’re
going to strike next.
So what you do is try to have appropriate
oversight and make sure that due process is followed.
We try to be as open as we can. There are times,
however, in order to protect our national security and
insure domestic tranquility, which is a constitutional
mandate, that there’s a need for secrecy.
One more back there.
MS. EDWARD: My name is Abigail Edward and
I’m an Assistant State’s Attorney. Let me just
preface my remark by saying that I understand working
in the criminal field for a very long time. In no
arena that I have been in have I ever found the
cooperation among and between law enforcement and
prosecutors as great as in cybercrime. It is a
remarkably cooperative experience.
My question is a follow up to the previous
gentleman, who was asking about the Federal balance.
Do you think that that Federal balance changes as you
differently define cybercrime? I think that the
trouble with the definition of cybercrime is that what
we term cybercrime here has been Internet crime. If
you conclude that cybercrime also is an attack on a
computer, which is very often done by disgruntled
employees, which is a purely local matter, or could
be, it could change the federal balance dramatically
in my view. I wonder if you have any thoughts on
MR. MALCOLM: Just because we have an
insider perpetrating the cybercrime doesn’t mean it's
not a Federal crime.
MS. EDWARD: It does not have to be, but it
MR. MALCOLM: With respect to many statutes,
there is concurrent jurisdiction. I suppose state
laws vary from state to state, but a lot of times
there’s concurrent federal jurisdiction. The
overwhelming majority of prosecutions take place at
the state and local level precisely for that reason.
There’s no need to spend scarce Federal resources
prosecuting every crime that could be prosecuted as a
There are a lot of crimes that have a
peculiarly local impact. I would imagine that that
balance takes place at a practical, on-the-street,
in-the-office, where-prosecutors-and-law-enforcement-agents-are-meeting
level. It’s not taking place at a
more theoretical constitutional level.
If you have an insider perpetrating the
crime, if we’re talking about a computer network, I
venture to say that all the companies that are here
today that earn their daily bread online, your
customers don’t all come from within the state.
So if you have an insider wreaking havoc,
it’s going to have dramatic implications to people all
over the country.
I think my time’s up. Thank you very much.
MR. REUTER: Thank you, John. We’re going
to start the next panel as soon as we can get them in
the room, so there will be no break at this point.
THE FEDERALIST SOCIETY
a panel on
BATTLING CYBER CRIME
12:45 P.M. - 2:15 P.M.
October 3, 2002
George Mason University School of Law
THE FEDERALIST SOCIETY
Battling Cybercrime through International Cooperation
Wan Kim, Republican Counsel, U.S. Senate Judiciary Committee
David Post, Professor, Temple University School of Law
Abraham Sofaer, Senior Fellow, The Hoover Institution
Michael O’Neill, Associate Professor, George Mason School of Law (Moderator)
PROFESSOR O’NEILL: Good afternoon. We’d
like to welcome you to the second half of our daylong
Our first panel this afternoon is going to
be speaking specifically about and addressing those
questions surrounding international aspects of
cybercrime and cyberterrorism. One of the
particularly interesting features of the Internet, of
course, is that it knows no national boundaries.
Communities are largely created based on interest, not
geographical divide. The creation of such
international communities, however, has also fostered
the growth of international crime. Also unique, in
some respects, is that it knows no specific
Crime, interestingly enough -- and for those
of you who are practitioners of it, either from the
defense, prosecution or participant side -- know that
crime has been largely a uniquely local phenomenon.
Indeed, the Constitution, as I mentioned this morning,
reserves the general police powers to the states and
the Sixth Amendment to the Constitution requires that
"all criminal prosecutions take place in the state and
district wherein the crime shall have been committed."
While this may have been a relatively straightforward
determination in 1791 when the Bill of Rights was
enacted, it is not quite as clear in 2002.
Hackers from the Philippines can release
worms on the Net, taking advantage of the fact that
such conduct might not be illegal in their country.
Obscenity, long viewed as being somewhat dependent
upon community or local standards, is now proliferated
throughout the Internet. I mentioned this morning
that the difference was not between Peoria and Times
Square, but rather between Peoria and Times Square and
Tokyo or Amsterdam or Lisbon.
Similarly, intellectual property rights,
which enjoy vigorous protection within the United
States might not quite be as respected in the
developing world, which may have little short-term
incentive to bow to Washington’s intellectual property
rights demands. Where do we prosecute? Whom do we
prosecute? Whose laws do we decide that we’re going
to use? How do we resolve the fairly complicated
jurisdictional issues that can arise? These are all
important questions that demand answers. If people
feel unsafe to venture commercial transactions upon
the net, commercial ventures may wither. If
international organized crime rings are able to make
cybercrime profitable, it may be hard to forestall
To consider these international efforts to
combat cybercrime and terrorism, I’d like to turn to
our guests today who are particularly well versed in
this area and who should provide for a very
interesting and hopefully lively discussion.
I’d first like to introduce Professor
Abraham Sofaer. Professor Sofaer, who will be our
concluding speaker -- we’ll go in reverse order --
served as Legal Adviser to the U.S.
Department of State from 1985 to 1990 and was
appointed the first George P. Shultz
Distinguished Scholar and Fellow at the Hoover
Institution in 1994.
Professor Sofaer’s work has focused on
separation of powers issues in the American system of
government, and he currently teaches a course on
Transnational Law at the Stanford
Law School. During his distinguished career,
Professor Sofaer has been a prosecutor, a legal
educator, judge, government official and private
attorney. Indeed, in 1979, he was appointed as a U.S.
district court judge in the Southern District of New
York. Now, I’d like to think he gave up that august
position for an even more important position; that is,
tenure at a law school.
He left the bench, however, to render
further service to the country as a legal counselor to
the State Department.
Professor Sofaer was a veteran of the U.S.
Air Force, received an LL.B. from New York
University, and holds a B.A. in history from Yeshiva.
After graduating from law school, he clerked for
Justice William Brennan. Perhaps most importantly,
and this was key to inviting him to speak on this
particular panel, as any jazz fans in the crowd may
know, Professor Sofaer is a founding trustee of the
National Museum of Jazz in Harlem. And it’s rumored,
apparently, that he and President Clinton share an
office in Harlem -- is that true, Professor Sofaer?
PROFESSOR SOFAER: I’ll do anything for
PROFESSOR O’NEILL: I’m also pleased to
introduce Wan Kim. Makan Delrahim, who is the chief
counsel of the Senate Judiciary Committee,
unfortunately was unable at the last minute to join us
because -- the people in the Department of Justice
might be interested in knowing this -- the Department
of Justice reauthorization bill is currently on the
floor. So, Makan, unfortunately, was unable to join
One would think that the Department of
Justice would not be a terribly controversial
reauthorization, but then, one only has to remember
that the rules of germaneness in the Senate are
basically nonexistent, so it’s almost always about
something else other than DOJ authorization
Fortunately, however, we’re honored and
pleased to have as his replacement Wan Kim, who is
currently Counsel on the Senate Judiciary Committee
and is working specifically with these issues. Mr.
Kim was formerly an attorney at Kellogg Huber Hanson
Todd & Evans, and I imagine he actually took a major
boost in salary to then go to the Senate Judiciary
Committee. Anyone who is familiar with that firm will
know that I am saying this with deep irony.
Mr. Kim also has worked as a special
attorney to the United States Attorney General, and in
the Department of Justice through the Attorney
General’s Honors Program. And he clerked for one of
my personal favorites, Judge Buckley of the U.S. Court
of Appeals for the District of Columbia Circuit.
Mr. Kim graduated from the University of
Chicago with a J.D., and Johns Hopkins University.
Last but not least, we are pleased to hear
from Professor David Post, who is currently a law
professor at Temple University, where he teaches
intellectual property law and the law of cyberspace.
He’s also a senior fellow at the National Center for
Technology and Law here at George Mason University --
I’ll point and give a little plug here to the Tech
Center in our banner -- and as the cofounder and
co-director of the Cyberspace Law Institute and the
cofounder and co-editor of ICANNWatch.org.
Professor Post has a very interesting
background, I found out. Trained originally as a
physical anthropologist, Professor Post spent two
years studying the feeding ecology of yellow baboons
in Kenya, and he taught at the Columbia University
Department of Anthropology. Realizing that his study
of baboons might translate well to the legal
environment he then attended the Georgetown Law
Center. After attending Georgetown, after holding
various and sundry posts, he wound up somehow finding
himself clerking not once but twice for both Judge and
Justice Ruth Bader Ginsburg.
And perhaps of interest to Professor Sofaer,
if he’s interested in any future inductees to the Jazz
Museum, Professor Post plays guitar, piano, banjo and
harmonica. And the name of the band happens to be "Bad
Dog." The band’s name, hopefully, is not any
reflection upon its musical acumen.
In any event, I’d like to welcome each of
our panelists here to George Mason University. We’d
like to start out, Professor Post, with you. We’ll
give you a little bit of time to make your
presentation, and then an opportunity to ask one
another questions before opening it up to the crowd.
PROFESSOR POST: Thank you. That was very
nicely said. What Professor O’Neill said to us before
he started was, "ten minutes to pontificate." So,
I want to talk about the issues of
international jurisdiction and cybercrime by focusing
on the Convention on Cybercrime. It’s a document that
was drafted by the Council of Europe last year with
substantial United States participation. It was
signed by the United States along with, I think,
several dozen other countries last year, although it
has not yet been ratified. I don’t think it has been
submitted yet to the United States Senate for
ratification. In other words, we have signed, but
not ratified, the
I want to talk about the jurisdictional
dilemma a little bit, in general terms, and then about
why I’m deeply concerned that, with things like the
Convention on Cybercrime, we are not dealing with this
dilemma in a sensible manner.
With respect to the jurisdictional dilemma,
Michael gave something of an overview -- perfectly
adequate overview. I think everybody is sort of
basically familiar with the problem. There is a
global network. It has no internal boundaries to
speak of, at least none that map onto the boundaries
of existing jurisdictional entities, states or
counties or cities or, for that matter, countries.
There is no American portion of cyberspace. There’s
no Turkish portion of cyberspace. There’s no
Brazilian portion of cyberspace. There’s no
Arlington, Virginia portion of cyberspace.
Now, the same, in a sense, is true of
Antarctica or outer space, which is a parallel that
people sometimes draw when talking about this problem.
So, given that the same thing is true about outer
space -- there’s no American portion of outer space --
what’s the big jurisdictional dilemma here, on the
global network? What’s the big problem?
The problem, of course -- again, it should
be obvious -- is that unlike Antarctica and unlike
outer space, the global network, cyberspace, is
intimately connected at the same time to the real
world, to the United States and Turkey and Arlington
The big problem, as we’ve heard several
times already today, is that it is now orders of
magnitude easier to commit crimes against the United
States or Turks or Brazilians without ever coming near
America or Turkey or Brazil. The example was used
earlier of the Love Bug virus, which was released from
the Philippines (where it was apparently not a
criminal act) but which did incalculable
damage to property and economic activity throughout
the world, including the United States.
It is a serious problem and it demands
serious attention, I think especially -- and obviously
-- in these post 9/11 days. And fundamentally,
conceptually speaking, there are really two approaches
to the problem.
One is what I’ll call the "mi casa es su casa"
approach; my house is your house. The Philippines, in
the example, could say, "You can come into our
country, you can come into the Philippines to
prosecute crimes, you can enforce your criminal law
against persons or entities who are acting in the
Philippines. You can extradite or try anyone from the
Philippines who violates your criminal law." It’s a
simple approach. The downside of that approach is
also fairly simple and fairly obvious. The
Philippines will, in turn, insist upon the same rights
vis-à-vis American citizens and American companies, as
will the Turks and the Brazilians and the Belgians and
the Egyptians, etc.
Well, what’s wrong with that? What’s wrong
with that, of course, is that the people of the world
have very different ideas about what does or does not
constitute criminal activity. The United States
criminal code and the Belgian or Egyptian criminal
codes are very different beasts. We don’t like the
prospect, particularly, of American citizens or
companies being hauled into court in Egypt for
violating provisions of Egyptian law when they are
acting lawfully under United States law, and the
Egyptians don’t like it anymore than we do when it
operates in the reverse direction.
What’s wrong with this approach also -- the
downside of this approach, if you will, part two -- is
that it completely disregards the fundamental premise
upon which our government, at least, is based: that
governments derive their just powers from the consent
of the governed. I have not consented to be
governed by Egyptian or Belgian law, nor, in my view,
can my representatives give my consent on my behalf.
I have no participation in the formulation of Egyptian
or Belgian law, nor should I. It is, quite simply,
unjust to apply it to me.
So, that is approach one, basically
Approach two is the "harmonize the law"
approach. Let’s see if we can all agree on a minimum
set of really bad things. A set of things we can all
comfortably, within our differing legal traditions,
define as criminal conduct. Let’s get that list and
get everyone to make those things domestically a crime
in their respective jurisdictions. Then, while there
are still obviously many problems of investigation and
enforcement that still remain, there’s no real
jurisdictional problem with respect to those crimes
Now, the Convention on Cybercrime takes both
of these approaches. It defines a series of crimes
that signatory nations agree to make criminal and it
pledges mutual assistance among the signatories in
investigating such crimes and extraditing those
accused of such criminal activity.
And, it incorporates, I think, unfortunately, the
worst features of both of these approaches.
I don’t always agree with the American Civil
Liberties Union on many things, but I agree with them
on this. The ACLU wrote about the Convention on
Cybercrime: "The treaty began with a modest objective:
facilitating cooperation among law enforcement
authorities across countries to track cybercrime.
Somehow, like a monster, it has vastly outgrown its
original mission." I think that’s right.
I don’t have time to give you the full bill
of particulars, but let me touch on some highlights.
In regard to harmonizing the law, the second of the
approaches that I talked about, the list of things
that signatories to this Convention must define as
criminal activity includes a number of non-
controversial items: computer forgery; intentional
interception, without right, of non-public
transmissions with computer data; child pornography;
computer fraud; the serious hindering without right of
the functioning of the computer system -- something
like the Love Bug.
It also requires signatories to criminalize
the production or sale of any device designed for the
purpose of deleting computer data, for example. It
also requires all signatories to make criminal all
copyright infringement conducted "by means of a
computer system." It also requires all signatories to
criminalize the infringement of the so-called related
rights of the Rome Convention -- you all know what
that is, don’t you? I didn’t either, even though I’m
an intellectual property professor. It’s a series of
rights that belong to the owners of sound recordings,
protected under the Rome Phonogram Convention.
Signatories must also ensure that
corporations can be held liable for any computer-
related offenses committed for the corporation’s
benefit, or committed by any person "with a leading
position in the corporation," a provision that seems
to me, to my eyes, to override by treaty a hundred
years of American law regarding corporate liability.
The Convention also provides that corporations must be
held liable where their lack of supervision or control
has made possible the commission of one or more of
these computer-related offenses.
Here’s the first additional protocol to the
Convention, which is in draft form -- thank goodness
-- but which will become part of the Convention
eventually, presumably. Each signatory under the
first additional protocol must establish as a criminal
offense under its domestic law "offering racist or
xenophobic material to the public through a computer
system," which is defined as thoughts -- thoughts! --
or theories which advocate or promote hatred against
any individual or group of individuals based on race,
color, ethnic origin, etc. Each party shall ensure
that these offenses are not regarded as political
offenses justifying refusal to comply with requests
for mutual assistance.
It’s too broad. It’s too broad. It goes
far beyond the steps necessary to define a set of
conduct that is truly considered heinous and criminal
around the globe. And it includes much conduct that
is far more controversial than that. Some of these
are new criminal penalties for the United States, as
well as for other signatory nations. I think new
criminal penalties should not be established by
international convention in an area like copyright law
or third party liability, where national law is so
Let me take two minutes on the other
approach, the "mi casa es su casa" approach of
cooperation. The Convention establishes a plan under
which law enforcement authorities in each signatory
nation will cooperate with each other in the
investigation of purported violations. The activities
described above on the list of bad things are made
extraditable offenses. The signatories, furthermore,
agree to provisions to provide mutual assistance "to
the widest extent possible" for investigations or
proceedings concerning criminal offenses relating to
computer systems, or for the collection of evidence in
electronic form of a criminal offense. So, the mutual
assistance pledge among nations goes beyond just
cooperating and prosecuting these specific criminal
offenses. But any time the Bulgarians are looking for
evidence that is in computer form, in electronic form,
of any criminal offense under the Bulgarian criminal
code, they have the right to demand the assistance of
the United States law enforcement authorities. This
would include required information sharing at the
request of other signatories regarding such
investigations; the production of court orders
requiring service providers to turn over subscriber
information at the request of foreign law enforcement
officials; assistance in intercepting communications
at the request of foreign law enforcement officials.
As I said, these provisions apply not just to the
expansive list of cybercrimes laid out in the first
section, but to all computer-related crime and to all
evidence, in electronic form, relevant to criminal
Well, it sounds great. Who’s against
cooperation? And maybe it would be great, if that
cooperation were restricted carefully and narrowly to
criminal activity that really matters. But it’s not.
An obligation to make the law enforcement machinery of
the United States available to the Belgians or the
Bulgarians for the investigation and prosecution of
violations of the related rights provisions of the
Rome Convention on Phonograms is not the best use of
law enforcement resources in the United States in
these difficult times.
The first time that U.S. law enforcement and
investigative powers are put to work for the
prosecution of political dissidents, at the behest of
some foreign power, which is well within the
parameters of this treaty, we will regret having
signed it, and I hope that is not too late. Thank
PROFESSOR O’NEILL: I was going to say, the
Rome Phonographic, whatever it was, sounded a lot like
our university speech code, so it didn’t clink all
that surprising on my ears, I guess.
Mr. Kim, we now turn to you.
MR. KIM: Thank you. One of the things that
I, like Professor Post, I wrote down on my little
notepad here was when Mike said "pontificate", because
that is exactly what I’ll be doing at best.
As you can tell from my nametag, I am what’s
called a last-minute fill-in. So, they did not send
the expert; they sent the generalist.
PROFESSOR O’NEILL: But we all like the
filling of the Oreos better than the crust.
MR. KIM: I hope that remains true.
What Mike didn’t tell you is that I’m
actually an assistant United States Attorney on detail
to the Senate Judiciary Committee. I tell you that
only because I need to start off by doing what I do
with every jury that I go before, and that is lower
I am not here to tell you what the answers
are. I am here more to ask questions, questions that
a lot of the Congressmen and the Senators ask when
considering these very, very difficult issues.
The Senate’s role in government is a rather
unique one, as many of you know. That is, the Senate,
more than any other body in government, tries to look
for consensus. In the administration, the President
does what he wants to do. Congress, by and large, the
House of Representatives, they have the majority and
they pretty much do what they want to do. And the
courts, when they have a majority, in a five-four bid
or two-one, do what the majority wants to do. But not
so, the Senate, because of its unique role in giving
each Senator a large voice in stopping things utterly
to a halt.
I say that because I want to emphasize the
fact that legislation moves sometimes at a glacial
pace precisely because people are asking questions
like the ones posed in this panel. I am not an expert
in this field, and that is probably a good thing
because neither, to my knowledge, is any senator. I
am, in my job, a thousand miles wide and one inch
deep. That is why all of us look to the experts in
the field to see what the questions are and to see
whether we can reach an agreement as to what the best
solutions would be.
In the area that we’re talking about right
now, cyber-issues, that really have no global
boundaries, no individual set of laws, no mechanisms
for resolving whatever rules we might agree upon, it
is a particularly challenging one because if the
government of the United States acts unilaterally,
well, we may be in a bind because no other government
may help us enforce those laws. But if we don’t act
strongly enough, well, then, we really do open up a
wild, wild west in the area of, say, the Internet,
where, as we all know, a lot of harm can occur.
So, it’s a difficult balancing act that
Congress is looking at in this issue, and they’ve been
looking at it for several years now. It’s an area
that I think it’s fair to say Congress has moved very
carefully. If you look at some areas of the criminal
code now, the areas that I’m most familiar with, you
can see where Congress has moved forward in some
manner -- usually areas where the fear is great and
the threat of danger is extremely high.
For example, 18 U.S.C. 2332(a) is a statute
that prohibits the use of "weapons of mass
destruction". I was one of the most junior
prosecutors on the prosecution of Timothy McVeigh and
Terry Nichols for the blowing up of the Murrah Federal
Building in Oklahoma City. The statute that was used
to carry the penalty was 2332(a). What that statute
provides in addition to the death penalty is
extraterritorial jurisdiction. That is, we can reach
outside the borders of the United States to enforce
this statute, if, for example, you try to blow up an
embassy in the Middle East.
Luckily, we were able to avoid those issues
in this case because of the fact that it was done
within our geographic borders. But those issues are
fast diminishing, as we have, one, more of a worldwide
presence and, two, more crimes that are being
committed from abroad directed to the United States.
Even if we all agree that those types of
crimes, crimes committed from abroad and directed
within our borders, can be legislated, which I think
most of us could do, we also have the problem of how
the heck do we get those people to the United States?
That, again, raises a whole separate issue of law, and
cooperation. How do we get those other nations to
cooperate with us into bringing those people to the
United States to enforce what we think our notions of
justice are and should be?
These are not questions that are raised
lightly, and these are not questions that are answered
lightly. There is, obviously, a difficult balancing
act here. We want to be able to legislate ahead of
the curve so that when the problem arises, we have the
mechanisms to deal with it. The problem with
legislating ahead of the curve, of course, is figuring
out what the right answer is going to be. When there
is wide disagreement between academics and the
international community as to what the right answer
is, often you get no answer at all. This leaves us in
the other conundrum, which is not having an adequate
system of laws.
That is why Senator Hatch, members of
Congress, are widely in agreement that the Council of
Europe, the Convention on Cybercrime that Professor
Post mentioned, is a very good thing. The more
countries that we can get onboard with a set of norms
that we can all agree upon or a set of norms to be
enforced, the better we all are.
Let me just give you one minor example of
how this problem arises in actual legislation and how
it’s being addressed by various members of the
different bodies in Congress. H.R. 2643 is a bill
that was introduced by Representative Lamar Smith on
the House side, and it dealt with the issue of child
pornography. This has become an issue that was
recently brought into constitutional focus by the
Supreme Court earlier this year in a decision called
Ashcroft v. Free Speech Coalition. That decision
struck down some key provisions of a 1996 law that
Senator Hatch wrote that prohibited the possession of
virtual child pornography.
I’m not going to bore you with the
constitutional details, but there was a case out there
called New York v. Ferber, which basically said that
child pornography could be regulated because it
involved harm to children. That is, children were
being used in the process of making child pornography,
and that’s a crime in every jurisdiction, so you could
prosecute what results, even if some people might call
Well, the problem with the Internet is that
it makes what used to be a very, very underground,
difficult market to penetrate, very easy. You go on
the Internet and you type a few keywords, and boom,
you’re directed to a hundred sites that contain or
allege to contain child pornography. How do you
regulate that problem?
Well, the Supreme Court in Free Speech
Coalition said you can’t do it by prosecuting purely
virtual creations of child pornography; that is
pornography that did not involve actual children but
merely the digital images of what looks to be, by all
accounts, real children. That creates a problem. How
do you enforce those laws if you can’t tell if it’s a
real child or whether it’s a computer creation
thereof. How do you shut down the market for porn
sites that actually do upload images of real children.
What happens if, as in the Internet betting arena, all
these people move offshore and say, you people can’t
touch us because we’re now having our mainframes
located in the Bahamas or in China or in Taiwan or
wherever they might be. These are difficult
H.R. 4623 represented the administration’s
attempt to answer that; they drafted large portions of
this bill. They included a provision which says that
we have jurisdiction if the person transports such
visual depictions to, or otherwise makes it available
within, the United States, or otherwise makes it
available. Basically, it means the website could be
located anywhere, never targeted to any U.S. person or
entity. Yet, we would be exerting jurisdiction in our
courts with our system of laws and our systems of
justice as to a person who may have set up a website
in the Netherlands specifically intending only to
target other people in the Netherlands, which may have
different notions as to what’s permissible and not
permissible in the field of child pornography.
That raises a whole host of difficult
issues, as Professor Post just started talking about a
little while ago. Is that something that we want to
do? Is that something that is wise to do, even if we
want to do it?
As a general matter, many lawmakers would
agree that as long as we are the ones pulling people
into our system of justice, that’s fine -- as long as
the other side is not sure that they’ve pulled us into
their system of justice, which is what we don’t want
to happen, of course. That is a lot of the
justification for why we have refused to submit to the
jurisdiction of the International Criminal Court. We
don’t want your system of justice applied to us
because we may not be treated fairly. Other people
obviously would raise the same concerns about the U.S.
system of justice applied to foreigners.
These are the kinds of issues that have
arisen in the real-world context and will continue to
arise. And unless there is widespread international
agreement on what can be done, I think it is likely
going to be the case that Congress will be hesitant to
act except in the areas where it feels the greatest
need or the greatest dangers lie, the dangers in
inaction and the dangers in not doing anything.
The PATRIOT Act, which was passed in the
wake of the September 11 bombings, did expand certain
provisions in current law to encompass
extraterritorial acts. For example, it expanded 18
U.S.C. 1030, which is the Computer Fraud and Abuse
Act, to prohibit acts of computer hacking that
affected foreign computers. That actually is a
mechanism that people haven’t really disagreed with
too much because it generally opens up the doors to
prosecute people in America for acts they commit
abroad. For example, a hacker might be sitting in
Minneapolis and attack a French computer system.
Under pre-existing law, prior to the PATRIOT
Act, it was not clear whether we had jurisdiction to
prosecute that because the damage was done entirely to
a different government on a different continent. The
modification made by the PATRIOT Act to §1030 makes it
clear that we can prosecute, and that’s one that’s
pretty much a win-win. We increase our system of laws
and provide better mechanisms for policing these types
of crimes, and the international community, if
anything, is made better off by doing so.
There are other difficult questions, though,
because it’s still not clear and it still has not been
decided what can be done if a hacker in Country A
somehow uses the infrastructure in the United States
to perpetrate an attack on the computer system of
another country, Country C. So, if we are just the
unharmed intermediary, even though our systems have
been used, do we have jurisdiction to do anything
about that, and should we? Again, these are all
difficult questions, and that’s why I say I come here
with a lot more questions than answers.
The last thing I want to talk about very
briefly is that this issue not only arises in the
criminal arena, it arises in the civil arena, as well.
And as many people in the business world will tell
you, it arises with even more frequency and with even
more pressing need.
Digital piracy has become a huge problem.
It is a problem for content providers. When I say
content providers, I mean, for example, the recording
industry, Disney, all the people that produce the
things that we like to see and we like to hear not
only in the United States but abroad. It’s also a
problem for the people in the transfer agencies.
Those are the people who man the Internet sites and
give you the bandwidth to transfer from point A to
point B. Under a lot of the proposals that have been
floating around out there, the transfer agencies might
be responsible for policing their highways to make
sure that this type of material is not being conveyed
on their highways.
The way I would frame this issue is to say
that it’s very difficult to come up with, not only the
right answer, but an answer that everybody can agree
upon is the right answer, which as you will find as
lawyers is the hardest thing in the world to do.
If you think about it in the context of just
normal property law, in a sense we are attempting to
define property rights all over again. Everyone
remembers the case of Pierson v. Post, whose fox was
it? And everyone remembers the concept of fee-simple
states. Those were difficult concepts, but they were
resolved hundreds of years ago. And the best thing
you can say about how they were resolved, they were
resolved in a court system that had unquestioned
jurisdiction to resolve it. Now we are talking about
assigning property rights not only to things that are
not tangible per se -- I mean, a series of zeros and
ones in a lot of cases, digital code -- but also how
the right that is assigned gets enforced? As we all
know, a right is only as meaningful as the enforcement
So, if these problems are arising in
mainland China, how do we enforce that, even if we can
all agree what the right is? And can we all agree
upon it in an international community? Those are huge
challenges that Congress is trying to address, is
going to hopefully address. But at the end of the
day, it may not be best addressed simply by an act of
Congress unless the international community comes
together and agrees upon a set of norms and a set
mechanism for enforcing those norms.
Again, I will echo the common theme that I
had in giving this presentation and that is, it’s a
very difficult area, it’s a challenging area, and it’s
an area where a lot more will be done in the
foreseeable future. With that, I’ll turn it over.
PROFESSOR SOFAER: This is a gig I would not
have missed. I’ve been working in the area of
cybercrime and terrorism now for several years. At
the Hoover National Security Forum, we had a
conference about three years ago. Sy Goodman, who’s
now in Georgia at the Sam Nunn School, and I, ran that
conference. We invited everyone and we had a
lot of discussion about the problem of international
cybercrime and terrorism. It is a huge problem.
Everyone can see that. I mean, if you look at
the national draft of the plan for cyber-security, you
see what they say. I think you should know what they
concede is, essentially, that there is a need to
promote development of an international network to
identify and defend against cyber incidents as they
begin. At least the government is starting to
move in this area toward the notion of preemption and
prevention rather than simply prosecution that Alan so
The draft states that we have to encourage
all nations to pass adequate cyber-security laws and
to help the U.S. prosecute crimes, and that the U.S.
should help the states prosecute these crimes. The
report also says we would work
through international organizations to foster a
culture of security. Well, of course, we can’t do
that here, let alone through international
We have a mad culture here. I’ve had six
kids in my life, so I know what they’re like.
These guys -- one of them went to Case
Western, and over there, they have these groups. It’s
almost like gang warfare. They actually practice on
each other. There’s no culture of security in the
cyber world, that’s for sure, and it’s not going to be
created through discussions through UNESCO, etc.
The government report says we’re going to
promote the adoption of common international technical
standards that can help assure the security of the
global information infrastructure. Now you’re
talking. But who’s going to do that? That’s
really a separate issue, and Professor Post and I are
going to start out like we’re in two separate worlds.
I hope I’m going to come back and he and I are going
to be much closer at the end of this discussion.
The federal government doesn’t know how to
draft cyber-security standards. The federal
government doesn’t have the vaguest idea about how to
give anybody information security. If you read the
GAO and OMB reports on federal information security
implementation, you would see that those guys ought to
be indicted themselves.
These agencies have violated statutory
demands that Congress has put out with impunity. They
have failed to incorporate. They don’t have security
plans. They don’t have the expertise to create plans.
People who I know in the private sector who deal with
the federal government tell me, if only the
government knew what questions to ask, we might be
able to help them, but they don’t. The fact of the
matter is the federal government is way, way behind
the private sector in information security.
Now, who developed the security systems that
we have, to the extent we have them? Well, the IETF
did, and the people of the private sector who have
taken over the Internet have taken over those security
standards. So, when I start talking about the agency
that I would like to see created in the world, the
international agency, don’t assume that I’m talking
about turning over the security standard-setting
operation of the Internet worldwide to a group of
people similar to the politicians and prosecutors that
drafted the Council of Europe Convention. Forget
about it. That would be the worst thing in the
world to do -- absolutely the wrong move.
But what we should do is create an
agency and turn it over to people like you, to people
who are experts in this area, who know and who are
sensitive to the conflicting interests in the field
and who are going to move very carefully, slowly, to
develop a secure infrastructure for the world.
That is the kind of approach I advocate and have been
advocating for the last three years.
Let me go through very quickly why this
makes sense. First of all, we do need to agree on
certain common crimes, certain common improper
activity. We do. But what the Council of Europe does
is it takes the project of protecting the information
infrastructure, which is a critical project,
absolutely important, and it uses that as a basis for
attempting to implement all kinds of schemes. If
anything, I don’t agree with Professor Post that going
after computer fraud is the kind of thing that’s going
to be non-controversial. This is very controversial,
as is the hate crime protocol, which just shows
you where their minds are. They want to take their
power over the protection of computer infrastructure
and use it to control all aspects of society,
essentially, that they normally control through
prosecutions of various kinds.
But if you focus on the infrastructure
itself, the actual information infrastructure, it is
possible to agree on a set of standards as to
the kinds of behavior, attacks, trespasses, etc., that
do put the infrastructure into jeopardy -- viruses,
worms, etc. These things can be defined in general
terms and we can have worldwide uniformity on that.
And we need it.
We also need uniformity on what kinds of
things we’re going to do for each other in cooperating
with each other’s prosecutions. I think a lot of the
stuff in the Council of Europe draft on this move is
good but much too detailed. The draft attempts to
define today what kinds of measures are going to help
prosecutors five years from now. They’re crazy. This
will not work. The kinds of things that prosecutors
want done today are going to look like absurdly
antique methods within a decade. What we need to
do is set up a body of people like you, people who
are largely drawn from the private sector all over the
world, to serve on committees that report to an
Assembly that is half government and half
private, as we recommend in the Stanford Cyber
Convention draft. That Assembly would
gradually develop the standards and procedures, just
as the ICAO develops the standards and procedures
for aircraft safety or the International Maritime
Organization has
developed no fewer than 20 treaties over time, working
with the experts in the maritime field to develop the
My third point is that states must have the
capacity to cooperate with one another. We are
dreaming, if we think that states like the Philippines
are actually going to be able to cooperate with the
United States in some of these prosecutions. They
didn’t even make the transmission of the I Love You
virus illegal. Their Attorney General, incidentally,
found that as a formal fact. It wasn’t something
that, well, maybe it was illegal. It was legal, what
was done in the I Love You case.
We need through the international
organization I contemplate to help other states
develop their capacities with regard to the Internet
and with regard to cybercrime and cyber-transmission,
and cyberterrorism, incidentally. That is done
throughout the world in a variety of substantive
technological areas. Don’t let these people who may
happen to be in power today convince you that
cooperating internationally on some of these
technological areas is some kind of weirdo practice,
or an abandonment of sovereignty; it isn’t. Our
world is full of these kinds of regimes that are very
effective in cooperating in these technological fields
-- and very apolitically, I might add.
Then, we come to the standards for safety.
Who’s going to draft these standards for safety? I
told you these experts. The only way such standards
for safety are going to be drafted properly is if you
have a competent and authoritative body to do the
work. It doesn’t have to be a typical government,
top-down operation. It can be a
body where you have that consensus-
driven process, such as the IETF has, and
essentially govern the kinds of standards that we
need. Those standards, then, would become universally
applicable. And only through such standards, I would
submit to you, can we do internationally what this
government is committed to do domestically and
internationally in all areas of terrorism. We’ve
heard what Alan Raul said about preemption and
prevention being the key. He is
right. It’s what we have to do.
Well, Richard Clarke of the NSC was the Czar
of Terrorism when we had a prosecutorial approach to
all forms of terrorism. Now he’s been shifted over to
cyberterrorism and we still have a prosecutorial
approach to cyberterrorism. All other forms of
terrorism, thank God, have been taken out from that
passive regime, and are now run in accordance with a
different philosophy, a
philosophy of preemption and prevention. Clearly,
that is the philosophy that we have to apply to this
area of terrorism, just like all the other areas, as
well. We are really setting ourselves up for another
attack before we realize we cannot stop people who are
ready to kill us, to attack us, and are ready to make
massive sacrifices in that regard simply by
prosecuting them after the fact. We must be much more
proactive and we need this approach, an effective
multilateral approach, that sets up an agency that is
essentially controlled by the private sector to help
bring all this about.
Now, what about limits? There clearly are
real limits. And in this regard, I want to say that
those in the private sector who are using their
muscle, there are limits. Some assertions are like
Disney World, what can be done without cooperation?
The things they say -- the things they say about what
has to be done. “If all of us would only protect our
part of the Internet, everything would be fine.”
That’s absurd. How can you think that way in this
world? Neither the government nor the private sector
will be able to protect your particular parts of the
Internet indefinitely from all types of attacks on it.
It’s wishful thinking. To think that the government
is going to be able to protect its part of the
Internet is particularly ludicrous.
The private sector has to use its influence
to create, as Larry Lessig says,
an international regime
with the proper limitations on it so that it doesn’t
go too far in controlling commerce or in controlling
We need to build into the treaty
ultimately adopted (as we have in the Stanford draft,
and I hope you look at it) exceptions on cooperation
that are based on our national policies. Absolutely.
We cannot cooperate. In this regard, I must say, the
Council of Europe treaty was greatly improved over its
25 drafts; it did go through 25 published drafts. It
has been greatly improved by the efforts of Department
of Justice lawyers. It now makes clear, and I think
the Stanford draft is even clearer, that we
absolutely will not cooperate with China in going
after dissidents and on down the line.
So, keep an open mind. Take a look at the
Stanford draft because, if you don’t, eventually we’re
going to have a Council of Europe prosecutorial
approach without the proper protections and
international support that you all really should like
to see. Thank you.
PROFESSOR O’NEILL: I bet you flame a lot of
people on the Internet, huh? It’s always difficult
when one moderates a panel where the panelists have so
few personal opinions.
Before we open up to questioning from the
crowd, I’d like to give each of the panelists a chance
to comment on what the other panelists had to say.
PROFESSOR POST: Well, I really do want to
get to the question and answer section, so I’ll just
say briefly, and in particular to Professor Sofaer, I
actually think we are closer to being in agreement
than it might appear. Everybody’s in favor of
harmonization and everybody’s in favor of cooperation;
the devil is always in the details.
Harmonization can be Orwellian. This is the
Federalist Society, for goodness’ sake.
PROFESSOR POST: The Federalist Society
knows that diversity among legal regimes is a
profoundly good thing. It is a way for us to uncover
different approaches to legal and moral and ethical
issues, and we preserve that and cherish that, while
harmonization, though, is about destroying that.
We are in an environment that, as everyone has said,
is a profoundly challenging one, and we need to take
careful steps. I think that’s right.
In this area, I think we need to move slowly
to avoid a headlong rush into a kind of Orwellian
legal regime for the world that is, I think, very
I wanted to ask you all a question. How
many of you actually knew of the Convention on
Cybercrime? So, it’s 10, 15 percent.
One of the things that I think is troubling
in this arena is the lack of public awareness, public
discussion, about these very profound issues about
United States sovereignty.
Again, the Federalist Society banner is a
very appropriate one here. We’re talking about issues
of national sovereignty. We’re talking about a new
era of national sovereignty in which the boundaries
are getting blurred and we will be changing what we
think is appropriate United States-versus-the-world
approaches to these things.
This is not to be left to the experts. This
is not to be left to the bureaucrats. This is not to
be left to law professors, thank you very much. It is
really for the people to decide, as they did in 1787,
about how they feel about modifications to
longstanding views about sovereignty. That’s my
MR. KIM: I don’t have a soapbox. I work on
Capitol Hill right now, so I basically agree with
everybody as Mike used to and still does.
Just a few comments. I actually don’t see
the differences as being as profound as they may
appear. I do think that, at least as a Republican, I
accept to be true, that private industry is a positive
good. People should do the most they can to protect
what’s theirs and to keep what’s theirs. All of us
should keep our doors locked at night. The question
is, what happens if someone breaks in? That is really
the stopgap measure where we think legislation and
cooperation is necessary.
Obviously, private industry should do all it
can to create norms, to create standards, and to
create things that everyone can agree upon, or at
least a lot of people can agree upon, is the right
tack to take. What happens when those measures don’t
work? That’s really where I and, I hope, Congress is
more focused: on doing the least amount of damage in
the cases where the damage is most profound.
Again, as a Republican, I feel, and Senator
Hatch, I’m sure, feels, very strongly that federal
government doesn’t get it right. We’re too darned
big, the bureaucracy is too darn entrenched, and it
gets worse and worse. So, to the extent that the
government is not necessary, that’s great. But again,
the government has to be there in some sense to
provide a safety net. In this context, Congress, the
U.S. government, the U.S. courts, can’t do it by
itself. I don’t believe it can. I believe at some
point we have to reach a set of norms that everyone
can agree upon, and whether that set of norms is this
big or this big is a big subject of dispute.
I have not parsed through the Treaty, the
Convention, the drafts they’ve been working on, not
one of them, much less 26 of them. I don’t know what
the intricacies are, but I do think that whatever
agreement we could reach on this issue is probably
going to be in the main a good thing. Does that mean
every single detail is going to be a good thing? Of
As everyone knows, the more cooks you get
involved in a process, the more the process gets
dumbed down to reach the least common denominator, so
you can get an agreement. That is not the best way to
have innovation. It’s not the best way to build a
better mousetrap. But at the end of the day, maybe it
is the best way to get something done, when something,
as bad as it might be, as imperfect as it might be, is
better than nothing.
PROFESSOR SOFAER: If you think about it for
a moment, let’s follow that analogy of a house. I
think it’s clear that when you have a house and you
live in an earthquake-prone area, you’re going to go
to an insurance company and ask for insurance. And if
you get it, the insurance company is going to look
into the possibility of an earthquake and charge you
an extra amount for that possibility. And if you
haven’t put in earthquake-proofing -- you can see, I
live in California now -- your charge is going to be
higher. In fact, there’s a report coming out very
soon from one of the academies, the National Academies
of Technology, a subsidiary of the NRC, that is going
to go through a number of these things -- the civil
litigation, the insurance, etc. It’s a very
productive, helpful report. But the fact of the
matter is, the bigger the building you build, the more
society has an interest in making sure that you build
it according to certain specifications.
If you build, let’s say, marine vessels and
you’re going to have them carry oil, we, universally,
throughout the world, concluded you can’t have just a
single hull. You’ve got to have a double hull because
we’ve found that -- you’d have no oil spill in 90
percent of the accidents if you had a second hull. If
you hit a rock, you know, you’d cut the outside hull,
and instead of having a spill now, because of that,
you’d have a double hull and all the oil’s going to
stay inside. Most -- unfortunately not all -- of the
countries of the world went through the
International Maritime Organization and agreed on
a protocol requiring double hulls.
That’s what’s happened with our airline
industry. You don’t think our planes just
fly around wherever they want to. There are aviation
regulations that are internationally adopted. Every
pilot is turned over to a regional control center that
tells the pilot where to go, what path to follow, in
order to land safely, etc.
When President Bush dealt recently with the
protocol on pollutants, the Convention on Long-Range
Trans-Border Air Pollution, early in his
administration, he approved that protocol even though
it did all the things that we’re talking about
conceptually doing in this area. That is, give money
to an organization that sets standards on these
persistent pesticides in order to give the other
nations of the world the capacity to learn about
persistent pesticides and to control them in their
environment because they spread everywhere. That’s
the kind of thing we do sometimes trans-nationally
in order to make life better for ourselves, as well as
PROFESSOR O’NEILL: Thank you. I’d like
now to take a moment to take questions from the
audience. We would ask, since this proceeding is
being transcribed, if you could please use the
microphones so that we can pick up both your question
and the answer.
AUDIENCE PARTICIPANT: My name is Ty
Cooper. I’m an IT security manager with a federal
agency, so I share your concern about the lack of
compliance with federal regs. My mantra is IT
security should be built in, not painted in.
Security 87 mandated certain things be done
to protect our IT system in the federal government,
and to this day, most of them have not been
PROFESSOR SOFAER: 24 out of 24 agencies
failed OMB’s test. That’s pretty good. That’s good.
AUDIENCE PARTICIPANT: GSRA, the Government
Security Reform Act of 2000, tied compliance with
federal regs for IT security program management to
federal budgets. Now we’re getting something done
because the budget is tied to your security plan.
So, I’m involved in that process. The IT
security folks are trying their best to get the other
people to come along and get aboard. But tying it to
the budget was the best thing that ever happened. It
should have happened in ‘87. I agree with you;
prevention is part of the cure.
Security in our systems, the law can’t do
for us. The FBI can’t protect everybody, if you leave
your doors open and your windows unlocked. So, we
need to lock down our systems and use common sense,
for federal agencies to follow federal law, and due
diligence and general best practices, and protect the
system the best you can. You won’t need so many other
things to happen around you.
MR. MALCOLM: I want to take issue with a
few of the things that Professor Post said. One, I
disagree that the Council of Europe Cybercrime
Convention constitutes a reversal of corporate
criminal liability. I think in criminal corporate
liability it is fairly well established that if agents
of a corporation engage in illegal conduct that inures
to the benefit of the corporation that the corporation
can be held criminally liable. Certainly, the folks
at Arthur Andersen are under that impression. So I
don’t think there’s a reversal.
With respect to two other issues, with all
due respect, I think you misspoke, and because the
Council of Europe Cybercrime Convention is currently
being considered, I think they’re important. One, I
want to make clear that signatories to the underlying
Cyber-Convention are not bound by the optional protocol
dealing with racist and xenophobic speech. The
United States, which has signed the cybercrime
Convention that is up before the Senate, has not
signed the optional protocol on racist and xenophobic
speech. I will fall out of my chair if it does sign
the optional protocol. That will never be presented
to the United States Senate, so we are not going to be
bound by that.
Similarly, you used the example of mutual
legal assistance treaties, about what happens if
Bulgaria or China or whomever is investigating
political discontent over the Internet, and they send
an MLAT to the United States. Are we going to have to
cooperate with that? The answer is no. The way the
Cybercrime Treaty is drafted, an MLAT is, one,
permissive, but two, only to be honored if we
recognize that conduct as illegal domestically. I
think that it was important to clear that up, and I’m
pretty sure of my sources on that.
PROFESSOR POST: I agree with you about the
protocol, by the way. First of all, it is the racist
speech part, using Draft A. And it is not necessary
that all signatories sign it. And I agree with you
completely; the United States will not sign that,
certainly, as drafted.
My point was that the Council of Europe has
an agenda that is beyond -- far beyond -- as Professor
Sofaer said, the minimum set of attacks on
infrastructure that they were initially targeting
here. I think the countries of the world could agree
on a set of standards about it. Here, though, they
have a different agenda about this. That is an
example of it. I agree, we will not sign on to that.
I think you’re wrong about the corporate
liability point. We can have this argument, obviously,
elsewhere. I think that under this provision, a
professor at George Mason University Law School who is
violating the rights under the Berne Convention, who
is infringing copyright because of inadequate
supervision by George Mason University, subjects the
University to liability for that in a way that is not
necessarily the case currently under
United States law. Under United States law, the
professor would have to be acting within the scope of
his employment to subject the employer to liability,
and that’s not the case under this Convention. I
think it is an expansion. Reasonable people can
disagree about that.
On the dual criminality point on criminal
dissidents, not all of the mutual assistance
provisions in this treaty are necessarily mandatory.
I think the extradition provisions, as a result of
United States pressure, will require that there be
dual criminal acts. We will not extradite someone to
China for a criminal activity that is not criminal in
the United States, unless we so provide elsewhere.
I do not believe -- and again, I’ll rush
after this panel to read this very carefully -- that
is true for all of the mutual assistance provisions,
including, for example, the provision that China can
come and demand access to ISP records. characterized
as an expansion of liability. Reasonable people,
though, might disagree about that.
AUDIENCE PARTICIPANT: I believe you.
PROFESSOR POST: Okay.
PROFESSOR SOFAER: I think that they’re
right about that. Cooperation is limited to the crimes
set out in the Convention.
WENDY LIEBOWITZ: Hi, my name is Wendy
Liebowitz and I write and edit Cybercrime Newsletter
and other legal newsletters dealing with these issues.
I thank the panel for your presentations, and I have
two questions dealing with these issues. The first is
spam; the second is terrorism.
As the Nigerian scam illustrates, it is
very, very difficult to deal with this. I haven’t
seen any kind of coordinated response. The Nigerian
scam has been extremely successful, so it’s spawned
several imitators now from South Africa.
If we can’t handle spam, how are we going to
handle terrorism? I’m very concerned. To me, it’s an
inconvenience; I push my delete button. There are
some states, on a local level, that are coming up with
laws that are slowly being enforced in Washington
State and California.
But in terms of getting any kind of
national, let alone international penalties, or
protocols or standards for regulating commercial,
annoying and sometimes pornographic and offensive
email, I don’t see it happening. I’d love to hear
from the panel as to whether anything can or should be
done on this matter that, to most of us, is just an
annoyance, but for network administrators is a real
burden on the system and can really bring it down.
The second question deals with international
terrorism. The only reason I’ve heard about this
Council of Europe Treaty is because I’ve had to write
about the darned thing. I don’t know if it will be
implemented or if it will be successful. I guess I
hope it will be. My main concern is, A, the
government doesn’t seem to be communicating well to
the ordinary public, which cares a lot about the
Internet, and about harmonizing things, and it sees
the government, I think, as walking away. We’re
disregarding environmental treaties, which are
extremely important to our European colleagues and
many other people. And the environment also
transcends borders, and we seem to say we’ll cooperate
and we’ll demand cooperation from you on things that
we care about, but on things you care about, you can
go burn in hell. I don’t think this earns us a lot of
good will in terms of fighting terrorism and so forth.
My question to you is what the government
could do to communicate better. I’ve tried to call
the Department of Justice to get comment on various
things. It’s extremely difficult. It’s much easier
just to call the ACLU and the CBT and EPIC. And it is
part of the problem because our government, even with
our own citizens, doesn’t communicate well. Now we’re
talking about harmonizing with other countries that,
frankly, see us as the bad boy of the Internet. That
is my question. We’re the bad boys in terms of
tolerating pornography, except for child porn. We’re
bad boys because of our free speech amendments that
protect these racist and xenophobic and upsetting
websites, and it’s important that we tolerate them.
But other countries, particularly France and Germany,
which are not countries that can be lightly
disregarded, don’t understand why.
And finally, we’re the bad boy because we
don’t seem to care about other protocols. It’s just,
these are our laws; everything else should be sort of
an optional protocol. Maybe we’ll sign it and maybe
we won’t, but the important thing is what we do, and
everyone should fall in line. And I just wonder how
do we combat that in a responsible way that doesn’t
violate our laws.
PROFESSOR SOFAER: Let me comment on the
other issue of how do you do it, and how do you get it
together, and of our being the bad boy. Let me turn
it around a little bit.
We are a nation that’s entitled to our point
of view. Nations make decisions in multilateral form
on the basis of what they think and what they’re ready
to do. At the first Rio conference, I was there
because I was counsel to WWF. I wasn’t in Rio, but I
saw the plot the environmental groups developed
to take over that conference. I mean I’m a
Republican environmentalist; I also love jazz.
The fact of the matter is that NGOs have
gone into these multilateral conventions and taken
over. In Rome, there were some 450 NGOs at the
International Criminal Court Convention -- 450.
There were about 150 states and 450 NGOs. All of the
NGOs wanted an international criminal court that was
not "subservient" to the Security Council. Instead,
they wound up with an International Criminal Court
subservient to the Assembly of States, which is any 60
states in the world that can create criminal law to
control everybody in the world. The United States
thinks that is ludicrous. We have seen what the
General Assembly creates, let alone what this Assembly
of States is going to create, and they’re going to
define aggression. And the Assembly of States is
going to define aggression.
So, the NGOs took over the ICC Conference.
They took over Kyoto. In fact, since Kyoto, no one
has ever supported the enforcement of Kyoto in
America. No Democratic senator has. Now the
President is out there -- President Clinton, my friend
-- is out there saying we need to support Kyoto, but
he didn’t say that when he was in the White House; not
at all. In fact, when the issue went up to Europe for
discussion, it was commonly agreed that we had to
change the rules and give more credit to transferring,
and exchange rules. And there are other things that
the underdeveloped world has to do to compensate for
all the things the developed world has to do. It’s too
bad because it could have been done. It really could
have been done if the states had worked together.
The same thing happened with the Land Mine
Convention. The lady in Canada who won the Nobel
Prize -- terrific -- she just insisted, and their
other NGOs insisted, that there had to be a total
elimination of mines, even in Korea. We were ready to
go along with the whole deal. But because of the
power of the so-called private sector -- this is not a
democracy, mind you; these are groups that, we decided
to join. These NGOs are not representative in any
democratic sense. They are funded by the elites of
the world. I don’t mind being a part of the elites of
the world, but I recognize that we elites do not
represent all the people of the world. The fact is
that NGOs undermined the Land Mine Convention. We
would have had a unanimous Convention. We would have
had enforcement and clearing all over the world.
Instead of that, just because of the Korea thing,
which we won an exception on, it didn’t happen.
In short, one reason our government doesn’t
push any multilateral agenda now is because they don’t
want things to get out of control. You can understand
that. You really can. What I’ve been saying is
simply this. We need to plan in advance for these
multilateral conventions. We need to be much more
careful. We need to have an understanding of what is
going to happen before we go in, and we need to be
able to control the parameters of what happens when
PROFESSOR O’NEILL: I have to bang the gavel
on the judge really quickly and allow one last comment
because we’re running out of time.
PROFESSOR POST: I just want to say two
things about the spam thing. Spam is a good example
of precisely how difficult it is to control this
network. On the one hand, the constitutional issues
are very substantial. The First Amendment to the
Constitution does not, unfortunately, only protect
legitimate people. It protects all those lunatics,
too. You can criminalize fraud, and I assume that
most of these things I get are in fact fraudulent
solicitations. But you cannot criminalize, without
great difficulty, soliciting people for money or
sending them messages.
What’s really interesting about spam is that
it shows the blurring of the line between speech -- my
attempt to persuade you to send money to some cause --
and an attack on the network. Spam is both. This
is a problem for IT managers. Managers are swamped
with these solicitations, and the network actually
bogs down as a result. So, the speech component
(which is very, very difficult to regulate) is one
thing; the network component, in a sense (which is
more easily regulable and probably should be regulable), is
another. I think how to regulate is another. How to
navigate that line is proving to be extremely
difficult, and it is why, in a sense, I don’t think we
have come up with a solution to that problem yet, at
PROFESSOR O’NEILL: Unfortunately, despite
the other questions in the audience, we’re going to
have to draw to a close now, and we’d like to thank
this panel. It was an outstanding panel in an area of
various viewpoints on this particularly important
topic. Thank you.
THE FEDERALIST SOCIETY
a panel on
2:30 P.M. - 4:00 P.M.
October 3, 2002
George Mason University School of Law
Public/Private Sector Cooperation
Manus Cooney, CEO, Potomac Counsel, LLC
Bill Guidera, Federal Government Affairs Manager, Microsoft Corporation
John Malcolm, Deputy Assistant Attorney General, Criminal Division, U.S.
Department of Justice
Mark Grady, Dean, George Mason University School of Law (Moderator)
DEAN GRADY: (In progress) -- to the
perspectives of many of us. Of course, cyberspace
does not respect the boundaries of sovereign nations,
and so it would be ideal if some sort of private
ordering solution to the various problems that beset
cyberspace could be found. Of course, it may be
useful for the government to be involved in these
basically private systems of regulation, and our
panelists are going to explore the general theme of
what can be done to improve the cooperation between
the private sector and the government sector.
I've asked the panelists to confine their
opening remarks to about seven minutes so we can get
to a broader discussion with you all, and also among
the panelists themselves, concerning any issues that
may arise from these opening presentations.
With that, I will introduce you to Manus
Cooney, who I know is a good friend of our faculty
member, Michael O'Neill. He has just formed a
bipartisan legal policy firm with Karen Robb – Potomac
Counsel, LLC. Let me get the sequence right. You've
done so many things here.
You served as the Vice President for
Corporate and Policy Development for the file-sharing
company Napster, and what you're doing right now is
organizing the legal policy firm with Karen Robb.
At Napster, Manus was responsible for
setting the strategic course on the legislative policy
issues that affected the company. And I'm sure there
were many of those. He represented Napster before the
Congress and the administration, and advised the
company on licensing, strategic alliances and
partnerships, both domestically and abroad. While at
Napster, he also gave numerous lectures on technology
policy and drafted legislation for Congressional
He's got a long history on Capitol Hill as
Chief Counsel and Staff Director of the United States
Senate Judiciary Committee. He was the principal
legal and policy advisor to the committee's chairman,
Senator Orrin Hatch. In addition to overseeing the
committee's day-to-day operations, Manus was primarily
responsible for the development and stewardship of the
committee's legislative, executive and oversight
The issues overseen by him during this time
include the judicial nominations process; intellectual
property law, including the American Investors
Protection Act and the Digital Millennium Copyright
Act; and also Internet policy issues, including the
antitrust hearings on Microsoft, bankruptcy reform,
antitrust law and a whole diversity of other issues.
Certainly from a legal point of view, there's no more
important committee than the Senate Judiciary
Manus Cooney holds degrees from Villanova
University, and from the University of Baltimore Law
MR. COONEY: Thank you, Dean. First of all,
I want to thank Dean Grady for having me here, and I'd
like to thank George Mason Law School and the
Federalist Society for convening this panel and this
conference today. I wouldn't miss being here. I
think it's great. I've worked for many years in crime
policy and cyber technology policy issues, and so it's
certainly a thrill to be here.
As a testament to my shop being relatively
new, I'm still listed as being vice president of
Napster, but Napster as we knew it is no more. And
after having helped put the Napster that I spent
nearly two years with in the grave, so to speak, I've
moved on and opened a public policy organization with
a prominent Democrat here in town.
I tell you, my years at Napster I wouldn't
trade for anything in the world. I'd do it over again.
But were I to do it over again, I might get more money
up front and less stock.
MR. COONEY: But I'd do it again in a
heartbeat because we went through more there in my two
years than most executives and most businesses go
through in a lifetime. I think that from my
perspective, it was certainly a tremendous learning
experience, and I think that for the country and for
public policymakers, it also provides a genuine case
study in some of the issues that we'll be talking a
little bit about here today.
We're not being asked to discuss the
capabilities of the public and private sectors to
prevent and prosecute cybercrime. Fundamentally, I
think the panel that preceded us may have demonstrated
a bit that before you can have partnerships to prevent
and prosecute cybercrime, you have to have general
agreement on what cybercrime is. There's a real gulf
between my argument and others. The general premise
of my short presentation is that, increasingly, among
tech-savvy consumers in the general public and
government policymakers and commercial interests,
there's a growing gap between what is and isn't
appropriate over the Internet.
There's a spectrum of concerns that many of
us are familiar with -- vandalization of websites,
script kiddies, denial of service attacks; we're
familiar with those. Those are considered the lower
end of the threshold of concerns. And then the
extreme is terrorism and critical infrastructure
attacks and assaults. Those are the kinds of things
our government should be, and generally is, concerned
with. Within this spectrum, however, increasingly, I
would argue that interests are seeking to protect
themselves and incumbent industries are trying to
protect themselves, or protect preferred business
models, and having those wrapped in the cloak of
Interestingly enough, the Department of
Justice is investigating a number of companies that
have gotten together to form joint ventures to thwart
competition from outsiders in relevant markets for
purposes of providing business online, and that's
taking place in several industries. It's taken place
in the music industry; it's taken place in the motion
picture industry for purposes of providing online
commercial services. Amazingly enough, it has not
entered into the common lexicon of most public policy
thinkers, into the lexicon of what is and isn't
cybercrime. But it's still the same sort of activity;
it's arguably illegal, criminal activity taking place
over the Internet.
So, why isn't that, too, cybercrime and why
aren't we also folding that into the cybercrime
conventions? The problem is that, as a previous
panelist noted, increasingly these conventions and
these policymaking entities are not hearing from
individuals or consumers or consumer organizations,
but hearing from NGOs, and trade associations are
included among those NGOs, and trade associations are
representing the concerns of incumbent industries.
I think there are several problems that
confront policymakers, government and private, in
dealing with cybercrime. Those are obviously,
fundamentally an awareness of the problem itself, the
general problem of cybercrime; the costs associated
with it, which I think are legitimate. Some argued
that, absent a vigorous, real liability model, threat
of liability, many businesses will not undertake the
costs necessary to adequately safeguard their
interests or their customers' interests.
The legal terrain, as I allude to, is
somewhat dubious. There's a patchwork of laws.
Consumer rights -- to what extent do they apply
online? What is the liability for ISPs, for example?
There's a patchwork of legal attention -- HIPAA, DMCA,
BMA, a number of different laws that treat different
industries somewhat differently. So, it's very
confusing, if you're a general counsel for a company,
to figure out what your responsibilities are to the
And finally, and very important, which I
think must be considered, the general public, I would
submit, is dubious about the government's ability,
frankly, to deal with the problem. They somewhat
question the real threat. Does anybody mention Y2K?
We heard a lot about that then. Companies
spent a lot of money, and a lot of the companies that
are arguing that government and industry need to spend
more to safeguard against cybercrime are the same
companies that argued that industry needed to spend
more to safeguard themselves against a Y2K threat.
Finally, the fairness and equity of some
laws that are being proposed. A great law review
article by Professor O'Neill asked this question --
does what is right or wrong on the Internet differ at
all from what is right or wrong in real space?
Professor O'Neill argues that, no, it really doesn't.
I would argue that it does in many ways.
Technology and law are always evolving and
questions do exist among many familiar with
technology, particularly consumers who are familiar
with technology, as to whether that evolution of the
law is being done to safeguard the general public's
interest or to protect preferred business models, as
we've seen in the case of the recording industry.
For example, the recording industry's
litigation against Napster reached the point where the
fundamental issue was the consumer's ability to use
technology innovation to their advantage versus the
commercial copyright interests of the record labels,
which did win out. It reached a point there over a
year and a half ago, where the 9th Circuit Court of
Appeals, three judges, sided with the recording
industry. But then, litigation continued and the
company eventually went bankrupt. Now, one would
argue that the litigation continued not a matter of
what was right or wrong, or vindicating against a
particular wrong that was incurred by the money. No
money was going to be taken out of this company,
Napster. I would argue that the litigation continued
primarily to send a message to the capital markets, a
message to the capital markets that was, "do not
invest in innovative nascent technology companies that
threaten our core business. If you do, we will fight
much harder than you will."
I think a good thing that Mike O'Neill does
raise in his article that must be considered is self-
help. I don't think enough consideration is being
given to self-help measures. The government cannot
solve the problem. I think technology will and must
have the final say about whether it's fair for
consumers to use technologies to advantage themselves.
Arguably, it should be fair for industries
that are threatened by that technology to advantage
themselves, as well. But, you have to weigh the
relative costs such measures will have on the overall
functionality and attractiveness of the Internet as a
marketplace for entrepreneurs, consumers and
investors, if industry and interests are allowed to
use self-help measures to protect and safeguard their
interests and really have less concern about -- and
they put those interests over and above the overall
value and attractiveness of the Internet.
In the end, we are left with the question,
is technology in the hands of consumers good or bad?
And if you believe that technology in the hands of
consumers is good as a general premise, and that there
ought to be innovation, then we must move slowly and
carefully and cautiously down this road towards having
the government empowered to police what others might
believe qualifies as cybercrime.
PROFESSOR GRADY: Thank you very much,
I'm proud to introduce our next speaker
because he's a graduate of our law school and over the
past few years has been a very good and helpful
advisor to me. It's Bill Guidera, who is currently
and has been for some time with Microsoft Corporation
as a corporate attorney and their federal affairs
Bill specializes in public safety matters
associated with cyber security, software licensing and
competition. He joined Microsoft's legal department
in 1999, and is a former member of the Internet
Content Rating Association.
Bill has his B.A. from Bates College in
Lewiston, Maine, and his J.D., I'm proud to say, from
George Mason University School of Law. Bill.
MR. GUIDERA: Thank you, Dean. It was
several years ago when you gave me that diploma. I
was grateful then, and I'm grateful to be here today.
I don't know if I earned it, but I thank you for
giving it to me.
I was also a student here on the old campus,
where I signed up as a member of the Federalist
Society, so this is a two-fer for me. I'm very proud
to be here. Thanks.
I'm here on behalf of Microsoft, even though
I still am a card-carrying member of the Federalist
Society and a de facto member of the Alumni
Association of this school. But let me talk a little
bit about what Microsoft's doing in this space.
For those of you who have been here all day,
you know that there is a significant cybercrime issue
out there. There are cyber vulnerabilities. I don't
think there's any debate about that now. As Manus
said, we've seen script kiddies and viruses and Trojan
horses, and we've seen the threat of cyberterrorism.
Last year, within a week of the September 11th
attacks, the NIMDA attack came out, which did billions
of dollars worth of damage. Who did it? We don't
know. Where did it come from? Don't know. Was it
coincidental with September 11th? Don't know, but it
could well be. These are the questions we now face.
They're not questions that we faced several years ago.
The threat model has evolved considerably, and we now
realize that there are real threats out there.
We also see these threats hitting all
platforms. I represent Microsoft. We got hit by Code
Red and NIMDA and other things that have done
significant damage. But we're not alone, and we
partner with our industry colleagues to address this
situation. The Lion and Ramen attacks hit the Linux
code base. Solar Sunrise and Trinoo hit the Unix code
base. AOL's had problems; MSN's had problems. What
we find is that software is an extremely complex
entity, and the Windows code base is something like 40
million lines of code that has to operate with lots
and lots of different variations; not just Microsoft
stuff, but other companies' stuff, whether it's
Napster or Kazaa or AOL's ISP or whatever. It's an
extremely complex thing. Some people have said it's
one of the most complex things humankind has ever
In that venture you will have
vulnerabilities. Sometimes those vulnerabilities get
exploited by some pretty nasty people. That's what
happened in Code Red and NIMDA, which hit us, as well
as other attacks. So, those are sort of the basics.
Those are things we know now. You will not have
perfect software at some point, or perfect technology
at some point, that's impervious to attack, unless
it's really, really small and really, really useless
for the most part; like not plugged into the Internet
and with very few lines of code. You always will have
that functionality and security trade-off. Our job is
to create evermore secure software and technology, and
to do so in partnership with government and industry
or industry partners.
We have a special role within the industry.
Certainly, we have a significant market share of
desktops. We have less than half in the server space.
But we have a leadership role that we have to play and
we have accepted that.
In January of this year, Bill Gates sent a
memo out to every Microsoft employee -- something he
only does every two or three years or so, and they're
usually quite significant. Several years ago, it was
embracing the Internet; that was in '95 or '96. A few
years later, it was .net, which is a new platform for
us built around some unique technology.
In January, it was trustworthy computing.
He said that we learned from Code Red and NIMDA and
the Love Bug and all these other attacks that our
customers will no longer trust us unless we provide
more secure technology that responds to what is a
growing threat from criminal hackers, whether they be
script kiddie writers, or at the most extreme,
What we've had happen since then is a
cultural change in the company that's really quite
phenomenal. For 20-some odd years, we were all about
building more functional software, something that made
it easier for you to run your desktop, to print a
document, to download a picture from the Internet and
put in your library to use other companies'
technology. That's still happening; you know, we're
still certainly all about functionality. But what
we've got is a change in the mindset of our
developers, who are now saying, "What can I do now as
I build this technology to make it more secure?"
That's really pretty neat, and that's a response to
the market telling us that people won't buy our stuff
if they don't trust us.
It's quite phenomenal to see how the company
has shifted its vision and its culture in a major way.
We're seeing the results of that already. The Windows
XP service pack just came out, and there were
improvements in that based on the work we've done
since Gates sent his mail in January, and improvements
that were done based on something we did in February
and March. Anyone who knows the business knows the
importance of keeping your production cycle tight and
efficient. You want it as short as possible so you
can get your new products out to market as soon as
possible and generate more revenue.
We did something a little different with the
most recent product cycle. We took every single
Windows developer, every single person who writes the
code that is Windows, and in February and March, we
took them offline and said don't produce product.
Come to class and learn how to create more secure
code. We gave them advanced training in how to write
secure software. That's two months off the bottom
line, frankly, and it's from every Windows product
forward. We just moved every product back two months.
That's real money, and people who were leading this
class were experts within Microsoft and from outside
who were helping our developers learn how to write
We're also changing the way we release
products. More and more features are released with
the defaults off, making them less functional out of
the box, which bums some consumers out. It makes them
unhappy. You can't use everything right out of the
box. But it is a security measure we're taking, and
it's one way we get security into the consumer's face.
If not everything works when you turn it on and you
actually have to go in and find the toggle switch to
activate a feature, that means you're being confronted
right away with improved security and products and a
new way of handling a very different security threat
than what we faced with Windows 95 or Windows 3.1 or
even Windows 2000.
We also have measures in place to respond to
vulnerabilities in our own products. We have a group
of folks who work 7-24/365 responding to alerts that
there's a problem with one of our products. Last year
they got 10,000 alerts from outside. It could be one
of you. I'm sure Riptech perhaps has had some people
who've alerted Microsoft to a potential problem in the
These guys determine whether there is a real
problem, and if there is, they get a patch out as
quickly as possible. Last year, there were a hundred
of these patches put out after 10,000 reports of
potential problems. That is something that's going to
happen in software. That's part of the way software
works. It gets very complex; it has vulnerabilities;
you find them; you fix them; you get a patch out
Another way we put security right in the
consumer's face is in Windows XP, for something called
the Windows Auto Update. If one of these new patches
comes out and it's critical that you apply it to your
system, you get a little balloon on the bottom right
of your Start page when you activate the system. It
says, "Critical update available; click here to
download." That's right there in your face. It says,
"Here's security. Download this patch. We're
providing it for free right here over the Internet.
Please put it on." Those are things that I don't
think people even considered in '95 or '96 or '97. I
never thought about patching my system for fear that a
hacker might use it as a dummy machine to launch
I mentioned several things we do on our own.
We also work with lots of industry partners, companies
like Symantec and Network Associates are retained to
beat the heck out of our systems. Test them for
vulnerabilities; test them for openings. Make them
We also work with lots of companies to form
the IT ISAC, the Information Technologies Information
Sharing and Analysis Center. We're in Partnership for
Critical Infrastructure Security, and we recently
announced a coalition with several other companies to
manage the reporting of vulnerabilities in a more
cohesive and efficient way that lessens the likelihood
that someone would find a vulnerability in a product
and post it right to the Internet for the world to
see, which is one of the most irresponsible things a
person could do. If they find a hole in a Windows or
Unix system, one of these people might take that hole
and post it to the Internet so that any of us could
find it, study it, and launch an attack based on that
hole. It's facilitating a crime, essentially.
What we've created is a structure so that,
if you find a hole, you report it to this coalition
and to the vendor, and you give the vendor a fair
opportunity to create a patch before you publish that
To wrap up, quickly -- because I'm a
legislative guy. I'll just tell you a few things that
we're very interested in, in the legislative and
policy arena right now. Increased deterrents: we're
strong supporters of the bill that's passed the House,
the Cybercrime Enforcement bill (H.R. 3482), that
would ask Mike O'Neill and his colleagues on the
Sentencing Commission to revisit how criminal hackers
are sentenced. We support FOIA reform, Freedom of
Information Act reform, to facilitate information
sharing among industry and government. We support
additional resources for law enforcement. It's tough
keeping up with hackers, and some of them are very
sophisticated and talented computer programmers. Law
enforcers need equipment, resources and training to
keep up with those folks.
Research and development on cyber security:
we have been big beneficiaries of government-funded
R&D. We just ask that that work product be made
available to the private sector in ways that we can
integrate it into our technology without encumbering
On the national strategy: I'll close on
this. Mr. Sofaer took a swipe at Microsoft for paring
back the scope of the national strategy. As the
primary lobbyist to Mr. Clark's office, I confronted
him afterwards and let him know he was wrong.
In fact, our position has been that this
national strategy can be much tougher in many areas,
including asking universities and state and local
institutions to put in place tougher measures to
handle cybercrime more efficiently such as 7/24
centers to respond to threats, attacks or incidents
that take place at those places.
We work closely with Clark's office. We'd
like to see the document be stronger. I'll close with
that and look forward to Mr. Malcolm's comments and
DEAN GRADY: Thank you very much. Our last
speaker -- I think you've been introduced before,
MR. MALCOLM: Yes.
DEAN GRADY: Well, you're still the Deputy
Assistant Attorney General of the Criminal Division at
the Department of Justice with oversight
responsibility for the computer crime and intellectual
property section, among others.
MR. MALCOLM: I'll pick up a little bit on
where Bill left off. I'd like to focus my remarks on
critical infrastructure protection and the need for
public-private cooperation in this critical area.
As we've all heard today, but I think it
bears repeating, cyberspace security is not just about
protecting email systems. Although this is somewhat
of a shifting concept, critical infrastructure is
generally taken to mean infrastructure that pertains
to telecommunications, energy, banking and finance,
transportation, water supply systems, emergency
services -- which include medical, police, fire and
rescue services -- and continuity of government. In
other words, things that, if the system shut down,
we'd be hurting. We'd be in a lot of trouble.
It is a fact, as we all know, that computers
control many of the critical infrastructures upon
which we rely, and many of these computers are in an
unmanaged or relatively unmanaged environment and are
vulnerable to attack. As more people become computer
literate and hostile groups and terrorists start
devoting additional resources to exploiting these
weaknesses, perhaps coupled with physical attacks,
vulnerability increases dramatically.
Our ability to ensure unimpeded access to
our critical infrastructure and to maintaining order
and our physical wellbeing depends on our ability to
do the best that we can to secure these networks. It
is also a fact, as Mike O'Neill alluded to in his
opening remarks at this conference, that approximately
85 percent of a nation's critical infrastructure is
owned and operated by the private sector. That means
that a partnership between the public sector and the
private sector is going to be essential to achieve
When it comes to critical infrastructure
protection, both government and industry have huge
roles to play, and hopefully they will be able to play
them in a way which gets the job done while not
getting in each other's way. As a large purchaser of
security products for federal installations and
federal agencies, the government has the opportunity
to lead by example, by demanding high standards and by
testing these products. Furthermore, through its
involvement with the National Institute of Standards
and Technology, the government also has a large role
to play -- that's not to say a sole role to play; we
don't have a monopoly on this -- but a large role to
play in terms of setting industry standards that help
to establish a marketplace for security products and
services. Of course, the government has been
responsible, as we've been hearing, for the role of
enforcing cybercrime laws.
Industry, of course, has its role to play.
As you all know, and as these people at the table
certainly know, software tends to be very complex
today, and it is exceedingly difficult, if not
impossible, to produce bug-free software. As it
responds to threats, private industry is going to need
to develop and deploy secure products, making it
easier to maintain security over time as threats
change and vulnerabilities are uncovered.
As a repository of intelligence information,
the government can also play a critical role in
assessing threats to our critical infrastructure, and
in disseminating information, as needed, to entities
and individuals in the private sector who can take
necessary steps to protect the critical infrastructure
that are in jeopardy, in order to avoid a disaster.
However, as I'll discuss briefly in a few moments,
this information flow has got to be a two-way street.
This panel, in part in its description, was
asked to explore a distinction between prevention of
cybercrime and prosecution of cybercriminals. And
actually, Judge Sofaer tended to poo-poo this and say
that prosecution somehow has no role to play in terms
of prevention. I would take issue with that. I don't
see them as distinct, but rather, I see prevention and
prosecution, in this area in particular, as being part
of a continuum.
In addition to the obvious point that
effective prosecution can serve as a deterrent to
others who might otherwise think of becoming
cybercriminals, unlike a physical attack, the lines
between prevention and response when it comes to a
cyberattack are not as distinct. This is because
cyber-incidents are continual and they build on
themselves. Once one weakness is exploited, that can
lead to additional exploitation, such as creating
zombie computers, inserting Trojan horses, and
prompting new assaults by other groups. The effects
of some of these efforts, such as with Trojan horses,
might not be felt for some time, long after the
initial cyberincident. So I would argue that,
actually, prompt and effective law enforcement
responses to cyber incidents can in a very real and
tangible way prevent those incidents from escalating
into something far more serious.
There are some people in private industry,
again, who control all this critical infrastructure,
who would rather go it alone. They'd like to respond
to a cyber incident by reformatting their hard drives,
patching their operating systems, saying a little
prayer and hoping that their problems are over. From
my perspective, I think that this is a mistake. This
kind of solution, I believe, delays the inevitable day
when a response from law enforcement is going to be
involved and, of course, leaves others vulnerable to
some cyber marauder who's out there and who's already
attacked that one company's system.
In order to combat cybercrime, and most
especially to protect our critical infrastructure
there needs to be a two-way flow of information
between the private sector that controls those
networks and law enforcement that can disseminate
useful information and respond to incidents.
I've heard throughout this debate a lot of
reasons why companies are very reluctant to share
information with the government, and I'd like to
address three of these. First, I've heard that there
are a lot of companies that believe that law
enforcement somehow is, one, going to be incompetent;
and two, going to be intrusive or insensitive to
respecting their business necessities when they are
conducting investigations. As you've heard some
people already say, law enforcement is dedicated to
fighting cybercrime. Although we have a learning
curve, we're attracting a lot of talented people
within the Department of Justice, the FBI, the Secret
Service and other agencies that are involved in
protecting against cybercriminals, and they are
getting up to speed in the technological challenges
that are posed by this fight.
The federal government has committed
significant resources to this fight. There is at
least one FBI agent in every field office, and, in
many cases, far more than that, and prosecutors in
every U.S. attorney’s office throughout the country,
who specialize in and are devoted to fighting
cybercrime. Chris Painter referred to the 13 CHIP
units, Computer Hacking Intellectual Property units.
There are more on the drawing board. Director Mueller
of the FBI was the U.S. Attorney out in San Francisco
when the first CHIP unit was developed there. He
promoted that program when he came back to the
Department of Justice, before becoming FBI Director.
And as the Director, he clearly sees the value in
developing the expertise in this area to fight
As well, the Computer Crime and Intellectual
Property section, affectionately known as CCIPS, and
the cyber unit within the FBI, have that expertise,
and it is centralized and disseminated to the field as
needed. Our specialists work very closely with
industry and are sensitive to business needs. We
realize the companies that have been attacked are the
victims, and we appreciate their cooperation. We
don't want to haul away entire networks as evidence if
you don't want us to and if we don't need it.
We don't disclose facts in cases in which we
investigate. Indeed, under grand jury secrecy rules,
we are prohibited from doing so. We devote a lot of
resources and specialization to these tasks, and we
have started to generate results. I'm happy to say
that we catch more cybercriminals today than we ever
have before, although, granted, it's a growing field
of criminals, and there are a lot of people out there
who remain uncaught.
Second, I've heard a lot of companies say
that they are afraid to share security information
amongst themselves and with the government for fear of
possibly incurring antitrust liability. Well,
historically, the Justice Department has viewed
requests for antitrust exemptions in this particular
area from the private sector as unnecessary since
submitting this type of information is unlikely to
violate antitrust laws. Indeed, the Justice
Department already has a mechanism for alleviating
concern, known as the business review letter. The
Department has never brought an enforcement action
against anybody who's ever received a business review
letter. Nonetheless, while we don’t think this is a
real problem, we believe that if there is any
uncertainty, a business review letter will suffice.
The danger, of course, to an antitrust
exemption is that companies are going to get together
under the guise of discussing security and talk about
a lot more than security. They're going to talk about
pricing information and the like that can lead to real
antitrust crimes. That having been said, a specific
antitrust exemption with respect to critical
infrastructure information is being discussed within
the administration. We have closed no doors. We are
open to that.
Third, as Bill just said, I've heard there
are some companies that are afraid to provide security
information to the government because they fear that
that information will later have to be disclosed under
the Freedom of Information Act, or FOIA, thereby
resulting in a panoply of bad things -- bad
publicity; subjecting a company to competitive
disadvantages; lawsuits from disgruntled shareholders
or customers who are upset about vulnerabilities, or
what have you.
This is a legitimate concern. The Justice
Department believes that critical infrastructure
information that is voluntarily submitted to the
government is, in fact, already protected from
disclosure under current law. However, we realize
that there are some within the industry who disagree
about this, and also there are some people who, while
they might not disagree, at least are uncomfortable
with a lack of certainty in that area that makes them
reluctant to share that information. Both the House
and Senate, with the support of the Administration,
are currently considering bills that would
specifically bar disclosure under FOIA of any
information that has been voluntarily submitted to
government agencies to protect critical
Again, the information flow has got to be a
two-way street. The Administration has in place and
is putting in place a lot of programs in order to
facilitate that information flow. For instance, the
FBI, NIPC, the National Infrastructure Protection
Center, has its InfraGard program, which is actually
remarkably successful and is being so recognized by
industry. It's an alliance in many cities between the
government and the private sector in order to
facilitate information sharing.
Several other government agencies and
industries have gotten together and formed information
sharing and analysis centers. They've been referred to
as ISACs, and they're developing plans to share
information on an industry-specific level. And there
are other organizations -- the National Infrastructure
Protection Center that I've just referred to; the
Critical Infrastructure Assurance Office; the Office
of Homeland Security; the Federal Computer Incident
Response Center. All of these are being established,
or are up and running, and are going to serve as a
mechanism to break down those barriers. This
Administration supports and encourages all of those.
In conclusion, let me say that something
clearly has got to be done. The consequences of harm
to our critical infrastructure from a cyber and/or
physical attack are simply too great. We have the
responsibility to protect the public and to ensure
domestic tranquility. We can't just sit by and do
Both the private sector and the public
sector are going to have to work cooperatively and
think creatively in order to bridge the gaps that
exist. You've heard a lot about the national strategy
to secure cyberspace. Unlike Judge Sofaer, I will not
poo-poo that document. It is in draft form, and its
purpose is to permit such a dialog to occur, and it is
occurring. This is a critical time in terms of
developing an appropriate strategy to protect our
critical infrastructure. I, for one, am looking
forward to seeing what all these bright people who sit
down in a room together can come up with. Thanks.
DEAN GRADY: Well, since this is a
Federalist Society conference, as well as a GMU Law
School Tech Center conference, I thought maybe I'd try
to ask our panelists, I hope, provocative questions
having to do with whether there is really a need at
all for government involvement in this particular
area. So, make the distinction that I guess Judge
Sofaer made, which I think is quite a useful
distinction between prosecution and prevention. Let's
look at prosecution first. I think, John Malcolm,
you assume and probably many people believe that the
government has a very important role in the
prosecution of criminals. In this area, however, why
wouldn't it be possible for individuals or groups to
organize themselves into protective societies? It
almost exists in Los Angeles now. If you drive
through some of the neighborhoods, you see signs out
in front of houses indicating which private security
company the house is protected by. Why couldn't you
have that type of system in cyberspace? In effect,
prosecution would be private prosecution. The
associations would maybe hack back and destroy the
computers that launched the attack. Maybe there would
be bonding requirements for these associations, so
that they would be liable in the event that they hack
back against the wrong computer. So, that would be
one set of Libertarian policy proposals.
Perhaps another one would be on the
prevention side. Some have considered, for instance,
computers constituting the power grid, maybe of the
Northwest power grid. Some have said, "Well, really,
there need to be government standards for
cybersecurity. These computers are not building
firewalls that are high enough or thick enough, and
the government needs to be involved by way of
regulation." Why is that the case? Why will the
market not solve that particular problem? It seems to
be one in which you've got profit-maximizing
organizations. Why is the government needed to
provide that type of regulation?
Or, with respect to Microsoft and other
software producers, some people have proposed products
liability. Why is that products liability required?
Why won't ordinary market competition produce the
optimal security in software?
I was hearing the other day about a defect
that existed in a particular model of the Honda
automobile. There is a pipe, apparently, in this
Honda that controls the brakes, and if ice hits it in
exactly the wrong way, it will spring a leak. So,
they've recalled all of these Hondas. Well, the
normal argument for products liability is that this is
such a low-probability event, the susceptibility of a
car to that type of defect, that you can't rely on
market forces to regulate the market to ensure the
In the area of security, it seems exactly
the opposite; everyone is concerned with security.
Why isn't due security strength of a software tool
like the taste of ice cream? In other words, we don't
really need the government to regulate Ben & Jerry's
to make sure that the Cherries Garcia tastes good; why
is there a better argument for requiring Microsoft to
have better security? Isn't that a central concern
that consumers would be interested in?
I would ask our panelists to comment on any
or all of those issues revolving around the broader
issue of why government involvement is involved in
this area at all.
MR. MALCOLM: That's a lot to bite off. I
notice that we did change the structure somewhat in
that previous panelists had an opportunity to respond
to other panelists, and, at some point, I have a
couple of things to say in response to Manus'
presentation. But he can prepare for that.
With respect to the notion of private
prosecutions and the related concept of hacking back,
there are already private prosecutions of a sort;
they're called plaintiff's lawyers. There's already a
lot of concern about government people who are subject
to all sorts of statutes and regulations that don't
apply to the private sector, and people are concerned
about the government being involved in prosecutions.
So, somehow, having an English system of private
prosecutions, I think, would fall on deaf ears in this
In terms of hacking back, that's an
interesting concept, and of course there's the Berman
Bill that's being bandied about in terms of peer-to-
peer hack-backs. The administration hasn't taken a
position on it other than to say that the way the law
is written now, hacking is illegal.
I will say that there are problems with
hack-backs, particularly when a lot of people who
engage in hacking are very sophisticated and actually
route their attacks through innocent, zombie
computers. And if you hack back, you are, without
authorization or any approval from any court (which is
what the United States government's got to get before
it can react) breaking into somebody's system. Once
you break into somebody's system, the consequences can
be pretty bad. Can somebody be sued civilly if they
do it wrongly? Yeah, but that's a little bit like
addressing the problem after the horse has left the
barn. So, with respect to laws permitting hack-backs,
the devil will be in the details. It's certainly
innovative; it's certainly true that the private
sector, in many ways, is in a better position to react
swiftly and to protect itself. It is problematic and
I do think that we need to look at that and to debate
With respect to government standards, and
the possible need for regulation, this is important
stuff and the government needs to be involved. It is
never this Administration's first response to say that
what we need is more regulation. Government standards
in this area would be problematic. Where we are
pretty good, I think, is in gathering a lot of bright
people together and trying to come up with a list of
recommended practices. However, as has been pointed
out by many speakers already, a lot of the knowledge
rests in the private sector and not in the government.
Coming up with standards takes an exceedingly long
period of time, and this is a dynamic market in which
vulnerabilities can change and the need to adapt
standards can evolve very, very quickly. Any time you
have a government-imposed solution, it may be
muscular, but it's not always flexible. So, I think
the preference would be to come up with standards that
are flexible and muscular and that largely come from
the private sector.
With respect to a need for cooperation and
why optimal security cannot be achieved on its own by
the private sector, with the government sort of
leaving its hands off -- I would say that, at least
with respect to critical infrastructure, the
consequences are simply too important. In addition,
there are a lot of sensitive government networks --
the military, intelligence -- that, through private
contracts, are run by private companies that control
those networks. So the government has a direct
interest in protecting its own information by securing
this part of our critical infrastructure.
In addition to that, if the water supply for
an entire city gets tainted, or if the energy supply
is disrupted in a city, or the air traffic control
system goes whack and planes start crashing into each
other and falling out of the sky, the general public
is not going to be looking to the private company that
controlled that system. They're going to be looking
to the federal government -- and rightfully so -- and
saying "Why didn't you protect us?"
MR. GUIDERA: John, very quickly, if I could
jump in, when you talk about hacking back, when you
talk about going out and injuring the party that
injured you, one of the interesting things that was
presented to me in Code Red, our developers had found
a way to create, if you will, a virus that would take
advantage of the same exploit in the Microsoft server
to actually patch it. So, they actually wanted to
launch to go back out and hack into somebody's system
and actually fix the patch so that our customers would
actually stop getting pinged. I'm curious about what
the Department of Justice would think about something
like that. I was very nervous when he presented that
MR. MALCOLM: I'm sorry -- your concern is
PROFESSOR GRADY: It's a benign trespass,
basically. So, you're going back into a system and
basically patching the system of your customer,
without the express consent of your customer.
MR. GUIDERA: Actually, it's not even our
customers. It's some third-party server that's a
zombie that's acting as a launch site for the bug.
PROFESSOR GRADY: So you're disabling the
MR. GUIDERA: Fixing it.
PROFESSOR GRADY: Fixing it, right.
MR. MALCOLM: Well, you are patching a
vulnerability that, if someone doesn't do it
themselves, can create an exploitation. That’s an
interesting idea. Look, as I say, we need to be
flexible in our approach.
PROFESSOR GRADY: As an irony, isn't there a
statute that prevents self-help in this area? It's an
irony that if someone steals whatever you're carrying,
your umbrella, for example, you have the right to go
after that individual and tackle that person and grab
your umbrella. Now, I don't think you have the
ability in cyberspace, do you, because of the statute
that's been passed? I mean, it's basically the same
principle. Why should rights be more circumscribed?
To rephrase Professor O'Neill's question,
why should rights be more circumscribed in cyberspace
than in real space? It seems like there are fewer
rights of self-help now.
MR. MALCOLM: What limits self-help is that
you're hacking into somebody's system without their
consent, and that's a violation of Section 1030. With
respect to --
PROFESSOR GRADY: How about if they're --
MR. MALCOLM: Well, hold on a minute --
PROFESSOR GRADY: How about if they've
hacked into you?
MR. MALCOLM: I understand that. With
respect to your real-world example of somebody
stealing your umbrella, there are laws that apply,
including laws of self-defense. You can't, for
instance, for somebody who steals your umbrella, go
and kill him. You can't act like Rambo and just go
start shooting at other computers because you don't
know who you're going to take down in the process.
I'm not saying that there can't be some kind
of solution in appropriate circumstances --
PROFESSOR GRADY: Well, if you --
MR. MALCOLM: -- well, hang on one second --
including the one that was just identified saying,
well, okay, we have software, we know who has our
software, we've discovered a vulnerability, perhaps
that makes sense.
PROFESSOR GRADY: Yes.
MR. MALCOLM: But it needs to be under
MR. GUIDERA: In effect, we've got --
PROFESSOR GRADY: Well, as a government
regulation in some way, I guess. But I mean, it's a
very well-developed system in the umbrella area so if
someone steals your umbrella, you can go after them.
And if you tackle the wrong person, then you're liable
to that person. Why couldn't the same principle work
out in this area? It seems odd that the Bush
Administration, of all others, ought to be advocating
a reliance upon public regulation as opposed to these
time-honored methods of private ordering and private
I don't know where the truth is in this
area. I'm just trying to stir something up here, I
One thing that did strike me was your
statement that since it's so important, the government
had to be involved. A lot of people would say, it's
just the opposite; the government ought not to be
MR. MALCOLM: I don't know about you, but
when I go outside, I'm by and large relying upon
police, law enforcement officers, to protect me. I'm
not relying upon every citizen who's got a gun to pull
it out when they think something's happening to me and
Again, when we're talking about critical
infrastructure, the potential harm is devastating. I
don't remember which types of airlines the terrorists
on September 11th were flying, but I remember Pan
Am over Lockerbie. We don't sit there and say let's
all go and blame Pan Am for what happened there.
There may be civil consequence; people may sue. But
in terms of what happened and the people dying and the
terrorist organization, they're not looking for Pan Am
to handle all of that. They're looking for airport
security and for security for transportation and
traveling, to be handled in large part by the federal
Now, if you don't think the federal
government has a role to play in that, I suggest that
that might be a recipe for anarchy. But, does it make
sense always to have a government-imposed solution and
to totally cut out the private sector? No, I don't
think this makes sense and I'm glad we're having this
MR. COONEY: On that point, though, there's
talk about the need to protect critical components of
the critical infrastructure. Is the entertainment
industry a critical component of the critical
infrastructure for our country?
And if not, then why is the Department of
Justice talking so much about going after individual
consumers and users of file-sharing services?
MR. MALCOLM: Glad you asked that. Now, I
get my opportunity to make my two or three points that
I wanted to make with respect to you.
One, the Department of Justice has not
entered into any partnership with any industry -- not
the Recording Industry of America or the Motion
Picture Association of America. I understand you
worked at Napster and you had some bitter experiences.
However, we are not looking to stifle
innovation; we are not out to stifle competition. We
are looking to enforce federal laws that have been
enacted by Congress, that have been signed by the
President, and whose constitutionality has been upheld
or is being challenged. However, I will answer your
question on whether the entertainment industry is a
critical infrastructure. The answer is clearly no, so
let's dispense with that.
Nonetheless, the software industry is a very
important and thriving sector of our economy.
It is a vital sector. Intellectual property
rights are enforceable rights, and a lot of the
intellectual property is being stolen overseas. This
is costing American jobs, hurting the American
economy, and we are losing a huge tax base, and also,
by the way, causing security problems. I would say
that, with respect to IP rights, since that's of
obvious concern to you, I think the Department of
Justice, contrary to popular opinion, has been
remarkably circumspect in terms of its enforcement
efforts. In terms of IP, we've done big operations
involving large Internet piracy rings, like Operation
Buccaneer. There's only been one or two DMCA cases,
Digital Millennium Copyright Act, and I think if we had
time to go through the facts of each of those cases, I
might have time to get most, if not all of the people
in this room to agree.
I would remind you that with respect to
Napster's demise, that was done by civil lawsuits by
private parties. The federal government wasn't in
there doing some kind of enforcement action. There
was no criminal investigation, no threatened
prosecution. You know, that was not government
You made one other comment that I thought
was interesting. You talked about a threat; you
talked about Y2K, and you somehow said that's an
overreaction, and that's a government failure. I
don't see that at all. In fact, I view the Y2K
problem as an example of government success. It was a
verifiable threat. It was a verifiable threat that
the government learned about, disseminated that
information and didn't impose any kind of action,
didn't impose any kind of regulations, didn't
threaten anyone with criminal liability if they
didn't fix that problem, and said "Here's the problem.
You ought to be aware of it, and fix it." And
thankfully, enough private-sector people did that and
averted what could have been a very bad situation.
PROFESSOR GRADY: All right. I wonder if
there are questions from the audience? Yes, in the
AUDIENCE PARTICIPANT: Before I turn to my
question, Dean, I think the distinction here is we are
a cybercrime conference, not a cybertort conference.
Maybe we should have one of those, and it would be a
fascinating time. But I guess on the cybercrime
conference, we need to talk about what the role of the
I'm Dave Weitzel from Mitretech, and we're
in the business of buying a lot of stuff for the
government so that they can be secure. In that
research, I noticed in a recent study by St. Paul
Insurance, in a study of network security officers,
this is the first year that they discovered that there
were actually more outside attacks to their networks
than there were inside attacks. This is the first
year that it's been a bigger threat on the outside.
Isn't that because the use of Internet technology in
those kinds of attacks is different than the use of
the Internet itself? I was wondering if the panelists
can talk about that insider threat and how you manage
that as you assess the threat.
MR. GUIDERA: I didn't realize that this was
the first year where external is actually more because
I always thought it was the opposite, so I'm intrigued
by it. Certainly what we do is, you restrict access
to certain parts of the code to people who may have
their backgrounds checked. So, if you're going to
work on a sensitive cryptomodule, we're going to do a
background check on you to make sure you're all right.
This recently happened with a different platform than
ours. Someone had written a Trojan horse into the
code and the code got released out into the open
public. I think it was an open source model. And if
that happens to us, that person not only gets fired,
but we'll turn them over to John, right?
We've got a whole bunch of people onboard
and companies that do intrusion detection monitoring
our networks all the time. But, this area's growing a
lot on the roots of IP enforcement because in the
past, a large part of the problem has been internal
employees taking intellectual property and putting it
up on the Internet. That's why you could get Windows
XP on the Internet before it was released to the
public. You know, that's one way it gets out there.
We're learning from the IP enforcement measure, and
you put systems in place to try to track your folks,
and if they do, you fire them and you turn them over
to the cops.
MR. GUIDERA: If I may, I've got the
microphone for a moment. I just want to address
something the Dean asked earlier. I didn't have a
chance to do so. You know, the premise of your
questions, Dean Grady, seem to be that the market may
not be working as well as it ought to. And I think
what we're seeing is evidence that the market is
responding quite rapidly and quite aggressively to the
If any of you subscribe to the Economist,
you've seen nothing on the back page of the Economist
magazine lately but ads for Oracle announcing their
unbreakability. That is an enormous expense to buy
that ad space and to put their credibility on the
line, saying their stuff is secure. That's pretty
cool, right? Three or four years ago, would any
company market its security? I mean, any major
software company, commercial software company that
wasn't a security firm? Were we out there saying our
stuff's more secure? It was the exception rather than
Microsoft, like I said, putting our
credibility on the line with trustworthy computing,
that's a huge, huge response to market change.
PROFESSOR GRADY: I thought I was agreeing
with you, Bill.
MR. GUIDERA: One of the things that John
said about the information sharing example, I want to
give you an example of how we share information with
competitors and the government that shows how the
system can work pretty well and perhaps might show a
flaw in it, too.
When the Love Bug virus came out a few years
ago -- this is the one that was called "Love Letter",
and the message said "I love you", and you were
supposed to double-click on the thing and it unleashed
a virus: Lots and lots of people opened that. It
started in Asia. A few hours, or perhaps only even a
couple of hours after it was unleashed, our security
apparatus in Redmond saw a major spike in that work
activity. They thought, that's a little out of the
usual. They brought our chief security strategist in;
got him out of bed at 11 p.m. and brought him into the
office. And by midnight, we realized there was
something out there and secured our own networks.
Somewhere in that process, our chief security guy
called his counterpart from one of our major, major
competitors -- a company, incidentally, that seeks the
break-up of Microsoft -- but he called up this guy and
said "Are you seeing this, too? Are you seeing this
major spike in network activity?" Yes, they were.
They realized they had a major incident. They were
sharing information and cooperating and helped the
other company secure their networks. And that started
an information-sharing circle. That's happening all
across our industry.
Shortly thereafter, our guy called the FBI.
And this was in a prior administration under prior
leadership of this entity within the FBI. And he got a
voicemail message, he got the answering service saying
"no one's here to take your call; we'll get back to
That was about one in the morning, something
like that. A few hours later, he called again and
didn't get through. The long and short of it is,
eight hours later, his call got returned and that was
how our company informed the FBI. We called the
Pentagon, too. They run the .mil domain, so we let
them know that this incident was out there. That was
an example of ad hoc information sharing that was
super-productive. And I think in the current
government structure, it's working really, really
well. But that's an example where information sharing
works extremely well and where companies like
Microsoft and the DOJ and other government entities
are working side-by-side to address this problem in
ways we couldn't even imagine five or six years ago.
PROFESSOR GRADY: Yes, you had a question
AUDIENCE PARTICIPANT: First, I want to
respectfully disagree with Mr. Malcolm, who said with
the Y2K problem, the government didn't go around
saying here's a problem and you'd better fix it or
else. I worked for the Chronicle of Higher Education
during the Y2K scare. Obviously, it was a very real
thing. But you bet, the government went around to
publicly funded institutions and the Government
certainly did come along and do that.
MR. MALCOLM: That's an important
qualification. When federal funding, government
money, was involved, then different rules applied.
But that's an important qualification. That was the
exception rather than the rule, but that's an
AUDIENCE PARTICIPANT: Now I'd like to just
flip and argue the other side, which is where I wish
the government would say to companies like Microsoft
and other companies that are marketing their company
as trustworthy this and don't worry and put us on your
system. Until extremely recently, there were known
software flaws and trapdoors, and Microsoft assumed
that people would find these during these informal
information chains, and that then Microsoft could
publish patches, and that's the way the system would
work. In fact, the defaults for many of these
software programs were to assume that everybody wanted
any email to automatically launch and be sent to every
single email address in your address book. With the
amount of negligence that was perpetrated by companies
like Microsoft and others, and it was just
extraordinary, I don't know why the civil bar didn't
do anything. I wish this were a cybertort conference.
Why doesn't the government act when there are knowing
bugs and real security glitches in these widely-used
MR. MALCOLM: Well, again, unless a critical
infrastructure is threatened, government doesn’t
usually get involved. But I'm not at Microsoft; I've
never worked for Microsoft. I can tell you that their
chief security strategist, Scott Charney, who used to
be head of the computer crime and intellectual
property section, is an extremely bright guy who's
very focused on security. And I take Microsoft at its
word that this is a new day. I mean, if they stopped
production for two weeks or whatever it was in order
to focus on security, I can tell you that when we
become aware of vulnerabilities through things like
the InfraGard system, we make sure the private sector
knows about it. It's all of relatively recent
vintage. This entire development of vulnerability in
areas of cybercrime, and working together, it is new
MR. GUIDERA: You say that companies like
Microsoft are saying "Don't worry." That comment is
bizarre to the point of comedy. Read anything we are
saying on security today, anything we are doing; look
at everything we are doing. You'll see that we worry
a hell of a lot about it. That's why we do so much.
That's why we're spending hundreds of millions on it
right now, if not even more.
That's why we stopped the release of a
product recently. It was just about to go out the
door -- a major, major release -- and we said, "No,
we're sending it back to the shop floor to re-do it."
That's money right off the bottom line. That's my
stock value going down. That's the company saying we
care a hell of a lot about this. When we have that
little pop-up window in XP, it's saying, "We've got a
problem in our product." It's saying right to you,
"Wow, we've got a mistake here. Download the patch.
We're going to give it to you as easily as we possibly
can." There's a huge amount of activity; not just my
company but others doing everything they can to
address the problem, and I don't think anyone is
saying don't worry. That's bizarre. Why are we
having this panel? Of course, we worry tremendously
And you mentioned the Love Bug situation.
Yes, the default was set so that you could open an
attachment in an email without a block between. The
default wasn't set so that it said double-click on an
attachment so that it can unleash a virus that
corrupts your entire inbox and causes global calamity.
What did we do immediately thereafter? We
put a system in place that says, "Do you really want
to open this thing?" What you had happen was
reasonableness changed because of that incident.
Reasonableness was different than it was on September
12th in airline safety. Reasonableness before the
Love Bug came out was different than it was after, and
we changed with the marketplace and we changed the
standard for reliability. Reasonableness changed as a
result of those incidents. The company changed as a
result of it, and all of us changed as a result of it.
We've all changed. Before the Love Bug, did
anyone have an issue about double-clicking on an
attachment and opening it? Yeah, some did. Yeah,
there's one or two guys in the back. But the rest of
us? Not a lot. Now we understand. We're learning.
Like I said, reasonableness changes over time, and how
you measure reasonableness in this environment is an
extremely difficult venture.
DEAN GRADY: Well said. Yes.
AUDIENCE PARTICIPANT: Frank Foreman, U.S.
Department of Education. I have a book, a number and
The book is The Culture of Conspiracy. It's
a wonderful cultural counterpart to the crime issues
you've been discussing here. The book goes into why
it is that the default methodology for understanding
the world today is paranoia. The book was written by
Pinight. I forget the first name; I forgot to bring
the book. It's very entertaining, as well as very
The number all you panelists want to know is
400. That is the number bits of code that it would
take to make an unbreakable encryption. There are 10
to the 89th particles in the universe, most of them
photons. There have been 10 to the 31st Planck moments
since the Big Bang. A Planck moment is the length of
time it takes a photon to cross the minimum Planck
distance. So, 10 to the 89th and 10 to the 31st is 10
to the 120th possible computations in the universe.
And 10 to the 120th is 2 to the 400th. So, that's the
answer. You can't break a code that long if the whole
universe were a computer from the beginning of time.
That's a very small number, and if you ask
most people, they'd say it's up in the millionths or
DEAN GRADY: So, I guess the question is why
don't we rely on better encryption to resolve these
MR. MALCOLM: Gee, I hope there's not a test
after that question.
MR. GUIDERA: That blew my calculator out.
MR. MALCOLM: I think that better encryption
is part of the solution. I also think it's going to
be part of the problem; it depends on who's using it.
However, to secure networks and engage in commerce and
take advantage of all of the things that there are on
the Internet, I think encryption's a good thing. But
that's part of it.
SPEAKER: Encryption's part of the solution,
of course. But the panel was asked what can the
government and industry do in partnership. I would
argue that the government should focus its resources
and energies on the critical infrastructure issues,
those issues of most concern to the general public.
The point I was making, and perhaps not well
enough, was that you have a generation of young people
who view with skepticism the way in which the laws are
being written and the ways in which the laws are being
applied or enforced, whether it's through the civil
court system or whether the Department of Justice
files an amicus brief in support of the plaintiffs in
that case, or through the criminal courts or through
the development of international cybercrime treaties
that criminalize what had been previously a civil
violation. The ability of the government to
accomplish all of these tasks effectively is
What ends up happening is the cynicism
increases among the general population and it becomes
more difficult for the private sector to deal with it
on its own. So, for the long term, I think that what
we ought to be focusing on are those areas that are
most important, most critical, to the general
population and to this country, and leave to the
private sector what the private sector is in the best
position to deal with.
PROFESSOR GRADY: We have one more question.
AUDIENCE PARTICIPANT: Question and comment.
We have a lot of servers out there and a lot of PCs
out there, and a lot of IAS web servers, so we rely
very heavily on our management and our resources.
These people could have patch accidents and people are
not patching their servers appropriately and fast
enough. That's certainly true. But another point of
view is why are we running bad software or inferior
I've been involved in security summits, and
I'm very happy to hear that Microsoft is really taking
a strong stance on security and the whole industry is.
From my point of view, it's about time.
MR. GUIDERA: That's fair. Listen, that's a
totally fair comment and I appreciate that. You're
right; we had the patch available for the Code Red
vulnerability in June of 2001. It hit, I believe, in
October -- excuse me, in late July. So, we had it
available. Did we get it out there in the best way we
possibly could? No. Patch management's a huge issue
for us. It's probably our number 1 customer problem
for people who have been working on our web server
side. Have we always done security well? Absolutely
To the comment that you don't worry about
it, we're worried about it because we didn't do it
very well for a very long time. Straight up, we just
did not do security very well. We were all about
functionality. You know, lower cost, more
functionality, and security was an externality we
didn't internalize, if I may say that, Dean. So,
yeah, I think that's a totally fair comment. What
we've done is we've seen the environment change and
we're trying to do a culture shift. Are we there yet?
No. We've got a long way to go, and that's why we
work with government and industry to get better at
PROFESSOR GRADY: Thank you very much. I
want to thank all of you who have attended this
symposium and I want to thank all of our panelists
here for a very lively session.
THE FEDERALIST SOCIETY
The Honorable Claude Allen
Department of Health and Human Services
October 3, 2002
George Mason University School of Law
THE FEDERALIST SOCIETY
Closing Address by
The Honorable Claude Allen
4:00 p.m.
PROFESSOR O'NEILL: We're going to call
the last session of our meeting to order here, if
we could. As we draw to the close of our
cybercrime conference, we thought it would be
interesting to view the problem of crime and
terrorism and some of the issues facing the nation
today from a slightly different perspective, and
that's the perspective provided to us by the
Department of Health and Human Services.
It's therefore my pleasure to introduce
to you Mr. Claude Allen, the Deputy Secretary of
the Department of Health and Human Services. Often
when we say it's a pleasure to introduce someone,
we mean it only as an obligatory gesture. In this
case, however, I actually mean it sincerely, for
Claude and I have been friends for many, many
years. Indeed, the first job I had out of law
school, when I graduated from law school, was
serving as a clerk together with Mr. Allen; it's
hard to call him Mr. Allen. It was during those
days that we spent all those arduous hours we spent
clerking together on the D.C. Circuit that we were
able to forge a fast friendship.
Deputy Secretary Allen -- I'll try to
stick with his formal title for the occasion here --
is about as close to a billionaire as I will ever
come in my life, for he presides over an agency
with a budget of $429 billion. Yes -- that's $429
billion, a budget larger than most of the
individual states or many foreign nations, in fact.
In fact, I was hoping, before Deputy Secretary
Allen left, that he might consider endowing a chair
in my name. You know, for $429 billion, he could
probably endow a whole living room in my name, for
that matter.
Prior to joining Health and Human
Services, Deputy Secretary Allen was the Secretary
of Health and Human Services for the Commonwealth
of Virginia, where he led some 13 agencies and
roughly 15,000 employees. Mr. Allen spearheaded
Governor Gilmore's initiative for a patient bill of
rights, which passed in 1999, directed the
Commonwealth's Welfare Reform Initiative, and
provided leadership to overhaul the state's many
mental health institutions and community services.
Before joining the Gilmore administration
in that capacity, Deputy Secretary Allen was
counsel to the Virginia Attorney General, and later
Deputy Attorney General for the Civil Litigation
Division. Prior to holding that post, he practiced
law in Washington, D.C. at Baker & Botts,
specializing in international law. He holds a J.D.
and a Masters Degree in international comparative
law from Duke University, and a Bachelors Degree
from the University of North Carolina.
Now, oddly, his official biography omits
a very important detail: the fact that he was my
functional best man and basically organized my
wedding. Indeed, he was the person to gently break
it to my wife on that very hot day on the first of
June that our wedding cake had melted and that she
wouldn't actually get to see the wedding cake. But
most important, Deputy Secretary Allen has been a
husband, a father. He has been a great friend and
mentor to me during lo, these many years. I'd like
to introduce to you Deputy Secretary Claude Allen.
MR. ALLEN: Thank you, Mike, for that
very kind introduction. Indeed, much has changed
and much has stayed the same, and friendships
really do last throughout the time.
It's interesting. When we clerked
together on the D.C. Circuit, what was interesting
was that Mike was always very interested in
criminal law, and so he ended up as a law professor
and serving on the U.S. Sentencing Commission. I
was always very interested in international law.
Our judge was the one judge on the D.C. Circuit who
always had a clerk who had security clearances, so
that clerk would always handle all of the very
sensitive cases that come to the D.C. Circuit. I
happened to be that clerk who got the clearances,
and so I got to work very closely with Mike on
trying to combine the two, the international piece,
the very security-oriented pieces, and the
In fact, we got to work on cases such as
the Falwell's Unis [?] case. We worked on John
Poindexter's appeal. Judge Sentelle also had Ollie
North's appeal as it came through the court, and it
always had some security aspect to it. And so,
it's not unusual to find Mike here teaching and
working closely in this regard. But it is very
strange to find me as the Number Two at the
Department of Health and Human Services. As Mike
pointed out, our department is very large.
I want to run you through this
presentation and talk with you a little bit about
what we do, and then tie it into what I think the
theme of your conference has been today. But I
want to show you some aspects of it that you're
probably not aware of.
As Mike has already pointed out, HHS's
budget is huge, and I would like to endow more than
just a chair and a living room; maybe an entire
building would be something to do. Our budget
really is large. That $429 billion was the 2002
budget. So, in the time that I've been there, in
little more than a year, the budget has grown,
actually, to $458 billion, and our proposed budget
that's currently before Congress is $489 billion.
HHS, if it were a country, we would be the sixth
largest country in the world, presently. And with
our proposed budget, which we know Congress will
very much increase, we will surpass Italy to become
the fifth largest country in the world.
We are the single largest civilian agency
in the world. And I have to manage the budget;
Mike knows I can't balance my checkbook, so it's
always a real challenge to do that.
But as you see here, the role of the
Department is very simple. Our department is
designed to provide services. We serve as the
principal agency that protects the health of all
Americans in providing essential human services,
and particularly to those who can least afford them
From a schematic of the organization
chart, you can see, it's massive. But to give you
an idea, we actually have what we call operation
divisions in the middle. They range from the
Administration on Aging all the way through to the
Food and Drug Administration; the Centers for
Disease Control and Prevention; the National
Institutes of Health; the Human Resources Services
Administration. We impact your life in some way,
shape or form every day, from the bottle that you
have or the can that's sitting on that table. Look
on the back at that nutrition label; it is the Food
and Drug Administration that took care of that. To
the encouragement for you, having had a heavy
lunch, to get out and make sure that you get some
exercise, that you go to the doctor -- that's what
we do through the Centers for Disease Control and
Prevention. To education and research. The
research that looks at the differences between us,
but more importantly, the similarities between
every person in this room, the Human Genome
Project, which is part of what we do through the
National Institutes of Health. So, we actually
impact peoples' lives every day.
We are also very aggressive about the
work that we do, and we really appreciate it. But
we have some priorities right now that we are
laying out. One of the top priorities right now is
bioterrorism preparedness, healthcare disparities,
prevention, welfare reform, Medicare reform. I
know that given the inclination of many here at
this university, the school of law and this focus
on law and economics, you have some impact in what
we do every day, but we're very active in all these
I'll talk a little bit for you about
bioterrorism to give you an idea about what we're
dealing with there. I took my job in June of last
year, and in August is when my family moved up to
this area. We went away on vacation, came back,
and lo and behold, September 11th hit. Now, I had
been prepared to do many things as the Deputy
Secretary, to manage the day-to-day operations of
the department. Managing a crisis of this nature
was not quite what I had anticipated I would be
called upon to do. That was not part of my job
description, I thought. But certainly, we have
become experts in these areas in a very short
amount of time. These are the challenges that we
faced at that time: coordination of efforts;
detection of surveillance ability; logistics and
distribution of smallpox vaccine or addressing
what's happening right now -- West Nile virus
that's spreading around the country; or addressing
the challenges that are confronting us in the Gulf
area with the hurricane coming through. We deal
with that. Hospital surge capacity; fatality
management -- all of these are issues that we deal
with on a daily basis in the Department.
We're also very focused on the creation
of a homeland security department. Since September
11th, those are areas that we've worked in, as well
as: coalition information center, which the White
House created over there immediately after 9/11;
our Office of Public Health and Emergency
Preparedness, which is now an assistant
secretaryship within the Department that is
coordinating all of the HHS pieces of this puzzle.
We also created the Office of Public Health that
was coordinated out of my office. It was my
conference room for three months. It was taken
over to be the operations center for HHS after
9/11. That's how quickly things took place.
Under the federal rolls, there is what's
known as a federal response plan, and that federal
response plan lays out requirements for all of the
departments. Each department has what's known as
emergency support functions. HHS had the lead in
what is known as Emergency Support Function 8,
which focuses on health and medical services, and
that's what we spend much of our time working on
specifically in these areas of the current
situation under bioterrorism. I'll talk a little
bit more about that, as well.
What is ESFA? It really focuses on four
primary things: preventative health services,
medical services, mental health services and
environmental health services. I'm going to tie
this into your theme today of cybercrime and where
we're going, as well, as we go forward.
One of the systems we have is called the
National Disaster Medical System. Most folks don't
realize that when 9/11 hit, one of the first things
that was done by Secretary Tommy Thompson was to
activate what is known as his powers under Section
319 of the Public Health Services Act. Section 319
gives the Secretary certain extraordinary powers to
call up and basically take action to respond to an
emergency crisis in this country that has public
health implications. What most people don't
realize is that when he did that, it activates what
we call our National Disaster Medical System. The
agencies that are represented include FEMA, the
Veterans Administration, DOD and HHS.
When the Secretary declared a Section 319
emergency on September 11th, it was the first time
it had been enacted in more than 45 years, since
the Act went into place. It made the Department of
Defense, the Veterans Administration and FEMA
report under the Secretary of Health and Human
Services. In our efforts to respond to that
disaster, the assets of DOD, the Veterans
Administration and FEMA came under Secretary
Thompson and the Department and we were able to
deploy them.
So, for example, when you saw in New York
City the USS Mercy, the ship that was out in the
harbor serving shortly after 9/11, that vessel,
while it was a Coast Guard Vessel, was actually
under the command of Secretary Tommy Thompson. And
all of the surgeons general for the various
branches of the military reported under Secretary
Thompson at that time.
These are the major components of the
National Disaster Medical System. It focuses on
medical response, patient evacuation and definitive
medical care. There are over 7,000 participating
health professionals. Twenty-four thousand
hospital beds -- expansion to 52,000 beds that are
made available around the country to deal with
crises within 24 hours. Many of those beds are in
regional hospitals, but a lot of them are actually
in veterans hospitals. When we activate this, the
Veterans Administration would move out of their
hospital system their least severe patients into
the community, and we would actually have access to
those beds. We also would have 95,000 beds
available to us in 30 days. We've also looked at
focusing on issues of providing rapid response in
case of weapons of mass destruction. These are all
areas that we focus on in the Department.
We have several teams called disaster
medical assistance teams. These are teams that are
able to respond within 12 to 24 hours anywhere in
the country. So, for example, on 9/11 we had teams
dispatched all around the nation that were actually
addressing not only the immediate needs in New York
City, here in Washington, and in Pennsylvania, but
we had teams that were on call and in position to
address anything else that might have come down the
pike at that time. We also have what we call our
disaster medical assistance support teams. They
provide medical support.
We had burn teams that were actually
dispatched to New York to deal with the burns that
were taking place from many of the folks who were
survivors of the World Trade Center disaster, but
also the workers were there.
We have pediatric teams, crush medicine
teams, veterinarian medical teams. Think about all
the dogs that were up there in the search and
rescue. Many of those dogs had injuries to their
pads and could not be very effectively utilized.
We had teams that were trained to go in and care
for the dogs. It was phenomenal to see the work.
We have disaster mortuary teams. We had
local morgues that were teams set up to go in and,
initially thinking we were going to be dealing with
recovery efforts. But, we immediately saw that we
needed to be prepared to identify remains, and
that's what they ended up doing very effectively in
New York City and around the country.
This is a little bit about what our
disaster medical assistance teams do. They're
basically formed to augment local care, so that we
don't have to draw upon the local resources in a
community. They augment that care, as well, and
they report to federal, state and local officials
who can call them up by making a request to the
These teams are scattered throughout the
country. And I want you to focus in on that
because I want to talk to you about how this
relates to what your conference is about today. We
have teams scattered throughout the country, about
120 teams that are located throughout the United
States. These teams are in positions, again, so
they can respond very quickly. But what we've done
is we've also created some other teams that are
called national medical response teams. These
teams go in to do decontamination work. And we are
challenged by making sure, when we send these teams
in, to ensure that they're going into a situation
that we have already anticipated, so that they're
not put at risk, so that they then can turn around
and decontaminate the area so that other first
responders can come in. These teams are confronted
by many of the hazardous materials that I'll be
We also have, as I said, our disaster
mortuary teams. They're operational throughout the
country. Not only did they operate throughout New
York and here in Washington, but most recently, you
may recall in Georgia, when they had the crematory
down there that was not actually cremating bodies
but was scattering them all about the property.
These teams were activated to go down and help
identify the remains. So, they do more than just
respond to the disasters that we identified
earlier, such as the World Trade Center after 9/11.
Our management support teams support all
of the activities on the grounds that are taking
place. And federal coordinating systems are the
centers that we have around the country that are
focusing on the problem of providing training,
leadership and bringing these teams together. But
I want you to focus on the northern portion of the
U.S., where you see Montana, Wyoming, South Dakota,
North Dakota. In the DMAT map there was also a
blank up there. Keep focusing on it as we go
We have a corps called the Commission
Corps Readiness Force. You may see them walking
around. You may think that they're naval officers,
oftentimes: You'll see them in black Navy uniforms
oftentimes, and in the summer, the white uniforms.
This is actually a fifth corps of officers who
respond to the surgeon general. These individuals
are capable of responding in extraordinary times to
any emergency that exists. They are there to serve
in disasters and strife and public health
Most recently, we had a situation here in
Washington, D.C. Back in the fall, D.C. decided
they weren't going to allow students to come back
to school without immunizations. By activating our
commission corps, we were able to vaccinate some
60,000 kids in a three-day period here in
Washington. But these folks are trained health
professionals, over 1,400 of them, all across the
various branches of the health professions, and
they're deployed all around the world in addition
to here in this country.
The Metropolitan Medical Response System
that we have is designed in our urban areas to
focus on issues of bioterrorism preparedness.
We've got them there doing that as well. These are
some of the exercises that they go through. Their
real focus is on trying to address what is
happening at the local level. How do we augment
local resources in a manner that will help them be
Another map shows these teams scattered
throughout the country. But a huge gap exists.
The concern that I'm raising here is one in terms
of trying to be prepared for a terrorism response,
we have to make sure that the weakest links are the
strongest links. One of the things that we're
focusing on at the Department is how do we address
the fact that, not only are these areas where we
don't have a lot of coverage, but these are areas
along the border with Canada, and Canada has a much
different immigrations law than we do? They're
much more willing to let people into the country.
One of the challenges we had is how do we
secure our borders when we don't have assets
pre-positioned in these locations to try to address
them. What's also interesting about it is, most of
these areas are very sparsely populated, except
for, largely, tribal lands. And so, one of the
things that we have focused on over the last year
is how do we build our system so that we are
strengthening the weakest links by reaching into
rural areas.
We're using the National Pharmaceutical
Stockpile to be able to position assets in a very
short amount of time. This is 50,000 tons of
pharmaceutical supplies that can be positioned
around the country in less than 12 hours. We were
able to move 50,000 tons of medical equipment to
New York in less than seven hours on 9/11. We have
some of these also scattered around the country. I can't
show you where, or I'll have to kill you.
That's because of the security associated
with it. But these we break down into what we call
12-hour push packs, and we have vendors who help
restock these supplies.
This is really cool. This can actually
go into the belly of a plane; it can be broken up
and put into the back of a series of tractor
trailers. We pre-position these so that we're able
to disseminate them throughout the country.
Think about this. If our enemies are
able to go onto the website right now and pull down
the patent that exists at the Patent Office and
figure out how we do this, they can wreak havoc on
our system. Think about this. Because of the
openness of our patent laws, because everything is
registered, many of the pharmaceuticals in the
stockpile have their patents or copyrights or some
intellectual property protected, and it's on the
website at the U.S. Patent Office. An enemy can
get that, can break down the chemical structure,
and actually design around it. In fact, we have
spent a lot of time working with the U.S. Patent
Office to explain to them how vulnerable we are in
terms of the information that's on there. I know
Larry Thompson was here today, talking with you
One of the things we've been focusing on
is, we know that al Qaeda has been surfing our
government websites, pulling down information about
our vulnerabilities, and using that to plan their
activities. So, while we're in this age of
preparing homeland security and homeland defense,
we need to be prepared to address the sort of
issues that we're raising here. These are just
some of the things that we're dealing with.
I could go into a lot more, but I want to
end with this, and then I want to open it up for
questions and answers.
Some of the things that we're focusing on
right now, as you're addressing cybercrime, we've
had to have a lot of changes in our legal system.
One of the challenges that we have is to walk that
very delicate balance between the freedoms that we
enjoy as Americans, and not violating those
freedoms, but at the same time protecting the
security of the homeland. How do we do that in a
way that respects the Constitution but actually
gives effect to protecting and putting a
defense-first, forward posture for the United States?
That's what we grapple with every day here in the
United States.
I'm going to stop there. I'm going to
answer any questions that you may have at this
time. I know we've gone over a little bit, and I
want to be respectful of your time because I know
that I'm the last speaker here of the day between
you and anything you may want to do this evening,
including me going home to celebrate my daughter's
sixth birthday.
PROFESSOR O'NEILL: My question is, with
all the rapid response units and everything that
exists, how dependent is the Department of Health
and Human Services upon the current
infrastructure, like the web, in terms of being
able to deploy forces?
MR. ALLEN: Excellent question. We are
critically dependent upon that. In fact, one of
the major areas that, if you didn't discuss today,
is one that we're certainly discussing at the
department level with both the National Security
Council and the Homeland Security Council. That is
protection of our critical infrastructure. We are
very heavily dependent upon the exchange of
information over the web.
A good example: September 11th. What
happened in New York City, the towers were built
upon the information grid, the whole network, the
technology grid there, and when those towers went
down, that whole grid went down. Therefore, we had
to come up with some creative ways to communicate
with our folks on the ground. So, we've learned a
lot of lessons since last year and learned what our
vulnerabilities are. And we're now working very
aggressively to try to shore those up. But as a
government, as a society, we're heavily dependent
upon that.
Since last year, I now have seven phones.
It's incredible -- and I got four of them all
within one week. I have one phone that I use all
the time. I have a second phone that's called a
priority phone. I can override anything that
you're doing. I can override your phones and just
get through. I've got a third phone that is
supposed to be a secure cell phone. When I'm
traveling, if I have to have a secure conversation,
as I did on Tuesday when I had to participate in
the National Security Council, I was able to use my
secure cell phone in a secure location, but not
have to be land-locked. I have a phone that is a
Nextel phone, I guess it is. It's supposed to be
some kind of walkie-talkie device; I've never even
opened the box.
And I also have a satellite phone so that
I can travel anywhere in the world, and, depending
on where the satellite is, I can use it to
communicate back and forth. All of this since last
year, 9/11. All this technology has suddenly had to
be utilized in order for us to communicate to
ensure that we're protecting the health and safety
of all Americans. It's amazing.
AUDIENCE PARTICIPANT: You mentioned
that you were engaged at the patent office to
discuss our vulnerabilities, and I was just
wondering if you have a specific solution in mind
for that situation.
MR. ALLEN: Yeah, a couple of things
that we've recommended. We've actually recommended
that they pull down some stuff off of their
website. That's the first thing; just to remove
Second, we have urged the Patent Office
to do very much what all the other departments are
beginning to look at. That's to look at the
information on there from a vulnerability
perspective; to do a risk assessment. We believe
in a risk-based approach to homeland defense. And
that is, what is the risk of this information
falling into the wrong hands and being used or
manipulated to have an adverse impact on this
society? And so, part of what we're working toward
is, if they're not going to pull it off their
website, create a secure site where those who
have a need to know can do so. But before they do
so, they have to go through a clearance process
where there are background checks involved, etc.
Prior to this time, we had thousands of
foreign nationals who were in the National
Institutes of Health, in the Centers for Disease
Control, in the Food and Drug Administration, in
the U.S. Department of Agriculture working in labs
with what we call biohazard level 4 material,
select agents. We had no idea who they were, where
they were coming from, or who could they account
for them. In fact, there were some who were
identified to be connected with terrorist
organizations that fled the country. So, we very
quickly had to address that.
That's the level of security that we've
got to now look at in terms of dealing with the
Patent Office or any other office we've got with
our information on the websites.
AUDIENCE PARTICIPANT: I've been a
federal IT manager for about three or four years
now. I know that a lot of agencies in the federal
government have not implemented federal standards
and federal laws and OMB requirements and this
guidance in terms of managing their IT security
systems. I'm sure that with all the critical stuff
that you have at HHS, how far along are you in
terms of your systems being secured at the system
MR. ALLEN: We are aggressively moving
in that direction. The biggest challenge that the
government is going to face about that is manpower.
In government, we don't have enough people who have
the technical skills to do exactly what you're
identifying. So that is a real gap in our system,
the human resources, the human capital. But we're
moving as quickly as possible to secure it, at
least within HHS and throughout the government.
I was at a meeting yesterday where we
were discussing exactly this issue at my level, the
deputy level. What are you doing? What is your
time frame? What are going to be the standards,
the measures that we're going to check to make sure
that this is happening in a very timely manner?
It's a challenge, it really is. But it is one that
we're trying to address.
What we're trying to do is minimize our
vulnerabilities externally while we strengthen our
capabilities internally. That's really what the
process has to be, and you know full well the
challenges that presents. But the money is there.
Congress has appropriated the money; now how do we
find the people to do the job?
I have kept you long enough. I will
hang around a little bit afterwards if others have
questions. Thank you for being patient and
allowing me to get here, and I look forward to
working with you all.
And please, for those of you who are
attorneys or students here, one thing I want to
encourage. I started out as a lawyer. I'm still a
lawyer, but public service is the greatest thing to
ever do. I have the best job in the world. And I
say that, even though my boss might say that he has
to do all the work. I just enjoy being behind the
scenes getting the job done.
So, thank you. I enjoyed talking with