
                 a panel on


            9:30 a.m. - 11:00 a.m.
               October 3, 2002
    George Mason University School of Law
               Fairfax, Virginia

                       Technological Methods


   Professor Ralph Clifford, Southern New England School of Law
   Professor Orin Kerr, The George Washington University Law
   Mr. James Meek, Staff Writer, Washington Bureau, Los Angeles Daily
   Mr. Christopher Painter, Deputy Director, Computer Crime and
   Intellectual Property Section, U.S. Department of Justice, Criminal
   Professor Amitai Aviram, George Mason University School of Law

                  P R O C E E D I N G S

                                                9:30 a.m.

           DEAN GRADY:   We’re very excited about this

conference, which has been organized by our Tech

Center - the National Center for Technology and Law -

and also by the Federalist Society.

           I will say a bit about our Tech Center, of

which we are very proud.   It was founded about three

years ago in 1999.   Its mission is to look at the

dynamic connection between law and technology policy.

By far the biggest project of the Tech Center

currently is a program on cyber-security, looking to

see what institutional arrangements can be used to

incent the owners of systems to use more precaution

with their computers to make those computers more

resistant to attack by terrorists and others.

           That is a very large problem for our country

right now, as I’m sure many of you in this room are

aware.   Our power grid, our banking system, our stock

markets, our air traffic control system - are all

controlled by computers, and these computers are

vulnerable to attack by people within the United

States and by people outside the United States.       Many

of these assets, of course, are owned by civilians.

Even if command and control regulation were a good

idea in other areas, which many of us think it is not,

it would be very difficult to implement in this area

of cyber-security.

           So the question becomes what type of

arrangements can be used to make these systems more

secure.   We see this conference as a part of that

effort.   Of course, one way that you can incent actors

is by disincenting the bad people, those people who

are trying to break into computer systems and wreak

havoc upon them.    Certainly that is a very important

strategy in terms of improving our collective

security, which increasingly depends upon the security

of our computers.

           So without further ado, I think I’ll turn

this podium over to my counterpart for the Federalist

Society, Dean Reuter, who has been a co-organizer of

this conference.    Dean?

           MR. REUTER:      Thank you, Dean Grady.   I just

wanted to say a few quick words about the Federalist

Society and invite you all to learn more about it.     We

are a membership organization composed primarily, but

not exclusively, of attorneys.   We have information

out on the desk that you are welcome to peruse.    We do

a lot of programming just like this in many different

substantive legal areas.   We also sponsor a lot of

scholarship.   I invite you to look us up on our

website or some of the information out on the table.

           I, too, am very pleased to be here and happy

to co-sponsor this event with the National Center for

Technology and Law.   I think it’s very timely, and I

look at cybercrime as the new wave in white collar

crime.   It’s similar in many ways, but I think it’s

different in other important ways that we will hear

about later today.    Because of the differences I think

it’s a new challenge for traditional methods of law


           I think cyber criminals can and do work

around the clock searching for system vulnerabilities

to exploit.    It takes sophisticated measures to find

these people, to detect them out there.   You won’t see

a cyber criminal casing the joint from across the

street with binoculars.   So it’s different than

traditional law enforcement.

          Cyber criminals can now also, for the first

time, steal more than they can carry.   A cyber

criminal can rob a bank in Washington, D.C., for

example, without ever being in the bank, without ever

being in the city, without ever being in the country,

which raises all kinds of enforcement issues,

detection issues, and issues of jurisdiction and

cooperation.   All this is being said without even

discussing what I think is an even more sobering and

emerging threat of cyber-terrorism, which we’ll also

hear about later today.

          We have a very full day planned.   We are

famous for starting on time and for ending on time.

So without taking up more time today, I’ll turn the

podium over to Professor Michael O’Neill.

          PROFESSOR O'NEILL:    Thank you, Dean.   I’d

like to also add to the words of Dean Grady and

welcome you again, from the faculty and from the

students of George Mason University School of Law.

It’s terrific to see so many of you trek out in the

outer reaches of Arlington and come to the Law School

to visit this conference.

            I’m glad that Orin Kerr is here today as one

of our first panelists, because the germ of this idea

actually came from a very good idea that Orin Kerr had

that I hope we revitalize.   He had the foresight to

get a few of us who were interested in electronic

privacy issues, cybercrime, and cyber-terrorism issues

together to have lunch, or was it dinner?   Actually it

was dinner, I believe.   I think it was dinner

together, and we sort of put this little group

together.   We’d gotten together for dinner when this

sort of idea first sort of came to me that we ought to

have an opportunity here, especially being in

Washington, to bring together people in government,

people in industry, people in academia to talk about

some of the very critical issues that are facing this

country at this time.

            One of the difficulties, of course, with

being the most technologically advanced nation on

earth is that our infrastructure largely lies in the

hands of private interests, which is a good thing and

a positive thing.   However, by being so

technologically advanced, it also puts us at a very

interesting position in the sense that much of our

infrastructure, military intelligence, things that we

hold dear in this country - are subject to and

possibly the target of foreign nations, individuals,

and cybercrime.

          I remember when I was a kid one of the first

jobs that I had while I was in college was a

programmer for WordPerfect.       In fact, I don’t know how

many of you even use WordPerfect anymore, but for

those of you who do, I was one of the principal

authors of the very first thesaurus that WordPerfect

came out with.

          In fact if you used to type in a certain

code there, my name would pop up.      Unfortunately, that

was many moons ago and WordPerfect was actually a

force in the market place and before it had been

bought and sold a couple of different times.

          I remember back in those days I used to dink

around on the web, and the web wasn’t a whole heck of

a lot then; it was basically just a few government

sites and some academic communications.   I remember

just moseying around, looking at things, doing things

which now I guess high school kids can do.   Of course,

I made the choice, the brilliant choice, not to become

Bill Gates, but rather to become a very poorly paid

law professor.

          So my parents always wonder if that Yale Law

School education was really worth it or not.   But one

of the things that I noticed that was really

interesting was how easy it was to look at other

people’s stuff; stuff you didn’t necessarily ever

think that you could actually get to.   Now, of course,

we have progressed considerably from those days of the

mid-80s to a situation in which so much of our lives,

so much of our commercial activity takes place on the

net, it’s quite interesting to see that we can really

look at other people’s stuff and trespass into areas

of privacy both for personal individuals and for

industry, and even government, in a way that

heretofore was absolutely impossible.

          So I think that the setting that we have

today, in bringing together folks who are leaders in

industry and government and academia in looking at

these very critical questions of cybercrime, is

something that’s quite important.   This is, for those

of us in the legal profession, certainly a growth

industry for the future.

           I’d just like to lay out today’s panels for

you.   This morning the first panel that we will be

talking about, from 9:30 to 11:00 o’clock a.m., will

deal with technological investigative methods.    From

11:15 to 12:30 we will be having a luncheon address

and a buffet lunch.

           Unfortunately, Deputy Secretary Thompson who

was scheduled to speak, had to pull out at the last

minute because of other pressing concerns at the

Department of Justice.   We’ve got a more than adequate

replacement in John Malcolm, who is Deputy Attorney

General in the Criminal Division.   His portfolio

includes the whole cybercrime issue.

           Following lunch, from 12:45 to 2:15, we will

have a panel on international cooperation.   Obviously

one of the interesting facets of cybercrime is that it

knows no national borders.    It is very interesting to

see the interplay among nation states as they develop

laws that deal with a truly international market


            Obviously the internet allows us to talk to

and to buy goods from people not only in our same

state or within the United States, but all across the

world.    My law school office is up here on the fourth

floor, and I’ve got a couple of friends that I talk to

who are in Europe.   It’s amazing that we can keep in

touch in a way that heretofore simply was not


            The other day in fact, I needed to buy a

camera.   It was a camera that I could not find in the

United States.   It was for my wife for her medical

practice.   I was able to find this camera in Germany.

Through the miracle of international Federal Express,

two days later that camera that I purchased from

Hamburg, Germany appeared on my doorstep.   That’s

something that even 10 years ago certainly I never

could have entertained.

            The barriers to participate in an

international market place were such that being able

to do something like that was simply impossible.     But

of course as an international market place has grown

up, so have opportunities for international

cybercrime.    Just as human beings will congregate and

just as we can have crimes in our communities,

certainly we can experience crime and terrorism on the

net as well.

           One of the interesting facets of this, of

course, is that crime has generally been considered a

local matter.   The constitution provides that all

crimes, the trial of all crimes shall take place in

the districts in which they occur.   Part of that was

the understanding that the general police power in the

United States was reserved to the individual states,

not to the Federal government.

           Well, what happens when you make crime truly

an international event, where somebody in Russia can

work with somebody in Italy to sell child porn in

Iowa?   It used to be the case, of course, for those of

you who are familiar with First Amendment law and deal

at all with obscenity, that we relied upon local

community standards.   So it was local community

standards in Peoria versus Times Square in New York.

           Now it’s not just Peoria and Times Square;

it’s what’s going on in Amsterdam, in Tokyo, in

London.   The relevant communities that the net creates

are quite different than the normal geographic

communities that we’re used to.   The type of shared

values and standards that we have are very different

in an internet community.

           Our second panel, dealing with international

cooperation, will address some of the jurisdictional

and other issues that have arisen as a result of this

community that we call the internet.

           The final panel, which is also one near and

dear to my heart and which Dean Grady will moderate,

deals with public and private sector cooperation.   As

I think Dean Grady touched on in his speech, one of

the interesting facets again of the internet is the

way in which, although started basically by the

government, it’s something that is overwhelmed now by

commercial interests by and large.

           It’s interesting that much of the most

sophisticated technological prowess exists not in the

hands of the government but rather in the hands of

private programmers, people in industry.   Even here in

the good state of Virginia, we are used to the police

having the greatest fire power and relying largely

upon the government for police protection.

          The internet, however, is a different medium

in the sense that it may not necessarily be the

government that has the biggest guns, but private

industry that has the biggest guns.   Creating market

based and private solutions and private and public

cooperation, in my view, is absolutely vital for the

further development of the internet in this time.    So

our final panel will deal with those private and

public cooperation strategies.

          Finally, our afternoon keynote speaker will

be given by Claude Allen, who is the Deputy Secretary

for Health and Human Services.   We decided, given our

general focus on cybercrime, that we thought we’d end

the day on a slightly different note and a slightly

different topic and bring in Secretary Allen.

          Then without any further ado, I’d like to

turn the podium over to my colleague Amitai Aviram.

           PROFESSOR AVIRAM:    Thank you very much,

Michael.   Good morning, and welcome to the first panel

of the cybercrime conference.    This panel will deal

with technological methods - the mechanisms that help

detect or prevent cybercrime.

           Innovation - how we create these mechanisms

- is largely a matter for engineers.    But innovation

is useless without implementation.    And implementation

- putting this technology into effective use - is

largely a matter for law and policy.

           First of all, there are legal and ethical

questions regarding the use of modern technologies for

surveillance and investigation purposes.    For example,

IP tracing becomes a very important issue as more

criminal activity moves onto the internet, but it’s

also quite invasive.   Striking a balance between these

two is a matter for law.

           Second of all, law creates incentives to use

or not to use these technologies.    To illustrate, the

degree to which we impose liability on third parties,

such as website hosts, will affect who implements

safeguards and what safeguards are implemented.    Law

needs to take into consideration these consequences,

of course.

             This panel, which combines expertise from

legal practice, from the media, from academia, is very

well suited to answer these and many other questions

that will come up during this session.      We will begin

with a presentation by each of the speakers, followed

by a short round of replies and finally we will open

the discussion to questions from the audience.

             Our first speaker is James Meek.   James is

the Washington correspondent for the Los Angeles Daily

Journal.   In 1995 James became the first cyber

journalist to receive media credentials from Congress

and the White House while reporting for the online

magazine, Blender.       He has written about criminal

justice and cybercrime for the New York Press, Law and

Order, National Journal, LexisONE, Interactive Week,

and Ladies Home Journal.

             James has covered numerous cybercrimes, from

the Maxus internet fraud to the Mafiaboy attack on

commercial internet sites.

             MR. MEEK:   Thank you very much, Amitai.

Thank you Professor O’Neill for inviting me, and thanks

to the Federalist Society and George Mason Law School.

Last week I told my distinguished fellow panelists

that I wouldn’t take up the full 10 minutes allotted,

but I’m afraid I’m going to go back on my word.

           I actually wrote something, because I’m a

writer.   So I hope this won’t be too dreadful.   I want

to start out with a hypothetical.    This is a question

I want to pose to the audience.    It’s a yes or no

question, so you only have to raise one hand if you

think the answer is yes.

           Imagine for a moment that you’re in law

enforcement, or maybe you don’t have to imagine; maybe

you are a cop or a prosecutor.    You put your life on

the line every day to protect the public.    Then one

day you find out an ex-con has put your name on a

website along with the names of hundreds of fellow

officers in your community.     Besides your name, your

rank and salary are listed, and your social security

number, and your home address and telephone number.

There’s even a map to your house.

           The website’s publisher says he’s performing a

public service and leveling the field.   It turns out

he got all the information about you from public

sources, court records, tax liens, the white pages.

So, here’s the question:   Is this a cybercrime?   If

‘yes’, raise your hand.

           Now imagine you’re a computer hacker.   You

code a malicious script that allows you to crack

certain web servers, the computers that host websites.

You then secretly break in to a website.   But rather

than steal sensitive information or do any sort of

damage, instead you merely move one file, the index

page, the first page that users hitting that website

ordinarily see when they type in

           Did I mention it’s a government website?     It

was.   Now you move that index file to another place,

and you merely replace it with your own page, a

political screed, digital graffiti that criticizes a

bunch of rock bands trying to shut down the free music

sharing service, Napster, through copyright

infringement litigation.

           You put up identical political speech on 200

more defaced sites: government, military, educational.

No tangible or financial damage done; you’re just a

colossal pain in the ass.    Is that a cybercrime?

Should you be prosecuted under racketeering statutes

like John Gotti?

          One more case.     You download a piece of

software that people use to test the security of their

web servers, but you decide to try it out by launching

a distributed denial of service attack on a big e-

commerce website.   Well, a dozen websites actually.

You flood their servers with data packets that in a

few hours equal the amount of web traffic that each

site would ordinarily see over the course of a year.

          You cause a million dollars in lost revenue

by blocking these online store fronts.    You’re caught

by the FBI, and you’re prosecuted.    How much

punishment should you get if you’re convicted?    Did I

mention you’re a juvenile?

          These are real cases.    Bill Sheehan, the

publisher of has been sued by the

City of Seattle and other municipalities for posting

police officers’ personal information online.    The

state legislature even passed a law prohibiting his

form of speech, as he called it.   But authorities

determined he committed no crime, so you all have the

right instinct.

          Robert Lyttle, a juvenile in Contra Costa

County, California was collared by the FBI and

prosecuted in a juvenile county court for defacing

hundreds of websites with digital graffiti protesting

the Napster lawsuits.   No sooner had Lyttle struck a

deal with county prosecutors for probation than he was

popped again by the FBI for allegedly cracking into the

Federal Aviation Administration website.

          He said he wanted to prove the government is

vulnerable to al-Qaeda terrorists, cyber terrorists,

but really only proved that Big Brother doesn’t have a

sense of humor.

          Mike Calce, a.k.a. Mafiaboy, pleaded guilty

a year ago to being responsible for denial of service

attacks on a half dozen major e-commerce websites in

2000, such as E-Bay, Yahoo, and E-Trade.   In

Montreal’s Youth Court he got a tough rap:   eight

whole months in a halfway house.   Mafiaboy now works

as a busboy.

           These are real cases.   They are real issues,

particularly in light of September 11th.   A year ago

the U.S. PATRIOT Act was passed that was a sweeping

anti-terrorism measure that affected criminal statutes

in great part.   It made hacking part of the Federal

crime of terrorism.   It made hacking a RICO predicate.

           Since then there have also been discussions

about sentencing.   Should we sentence an 18-year-old

joy hacker the same as we would somebody who’s

involved in a more serious type of organized crime?

There’s some discussion of that.

           I’ll be honest: I’m not a gear head.   I

couldn’t give a damn about technology personally.     As

a reporter, I like covering ‘blood on the street’

crime.   But, while I don’t get off on bolts and bytes,

I’m fascinated by the imagination and creativity that

cyber-criminals often exhibit.

           As a journalist, I love the accessibility.

How often does a reporter get a chance to ask a crook

what motivates him, even as he or she is literally in

the midst of committing the crime?   Of course, that

raises its own issues, doesn’t it?

          A couple of years ago I had direct email

correspondence with a hacker named Maxus during his

landmark internet fraud.   He allegedly stole 350,000

virgin credit card numbers from e-commerce websites.

He tried to blackmail the companies, and then in

frustration, he said, he posted thousands of these

numbers on a website when the company didn’t pay up.

          Now can you imagine how weird it must have

been to be sitting at home in Des Moines on a Sunday

night watching the Simpsons, and then your phone rings

and some guy is on the other end of the line saying

that he’s a reporter in Washington, D.C. and asks to

read back your credit card number, your expiration

date, your home address, and your full name, just to

confirm that it’s yours.   That was me.

          But it wasn’t as weird as corresponding with

Maxus; something I’ve done with other hackers who have

suddenly appeared on the media radar screen.

Incidentally, it turns out that Maxus might have just

been using the news media to publicize an even larger

scam to sell off stolen credit card numbers by the

bundle to professional carders, although Chris may

have some more information on that.

             If I was a lawyer, and I’m not, I would beg

Chris Painter for a job at the Department of Justice.

He goes after cyber criminals, and believe it or not,

I think that’s really cool.       But if Chris turned me

down, I’d go beg Jennifer Granick for a job.      She’s a

cyber criminal defense lawyer in San Francisco and one

of the few attorneys who specialize in an area, which

I think is a growth industry in the law and law


             Unfortunately, there aren’t nearly enough

Chris Painters or Jennifer Granicks to handle all of

the cybercrime cases out there.      All too often they

get handed to prosecutors who’ve never handled

technology driven cases and to defense lawyers who

don’t know the difference between a script kiddy and a

black hat.    The difference between these two types of

hackers by the way is like the difference between a

carjacker and an art thief.

             It’s unfortunate to see how pitifully under-

resourced American law enforcement has been in this

area in the past 10 years when it comes to cybercrime.

Chris might tell us he’s got more manpower than he can

use and more money than his section can spend, but I’d

be surprised if he did.

           Lately we’ve heard a lot about FBI agents

who couldn’t connect the dots on intelligence leads

prior to September 11th because their 1980’s era

computers couldn’t talk to each other.    In truth the

problem at the FBI’s been much worse than just old

tech.   The problem has been old think.   For decades

innovative technologies at the FBI have been derided

by G-men called knuckle-draggers: FBI agents who do

gumshoe crime cases.   That’s most of the agents at the

Bureau.   Most of those knuckle-draggers aren’t very

proficient at finding terrorists either, apparently.

           So there hasn’t been a career track for

agents interested in pursuing cyber-crooks, at least

not for a very long time.   That may be changing now.

The savviest have left the FBI and the Justice

Department in droves because they were ridiculed by

thick-necked colleagues who love to brag that “real

agents don’t type.”    Or they left when they realized

that government incomes could be tripled in the

private sector.

            Neither patriotism nor treason will put your

kids through college.   Just ask Robert Hanssen, the

FBI agent who spied for Russia by downloading

encrypted national security documents onto his PDA.

When agents leave outfits like the National

Infrastructure Protection Center, they aren’t always


            For years the men and women who get paid to

collar the Mafiaboys and the Kevin Mitnicks haven’t

been taken seriously by some in the leadership at the

FBI and the Justice Department.   We’ve suffered untold

losses as a result of those egregious errors in

judgment and not taking cybercrime as seriously as it

should have been.   I know that Chris is going to tell

me that some people do take it seriously, and that’s

very true; but there certainly is a history of people


            Our privacy has been eroding and our cost of

living has risen because each time a hacker gets away

with fraud, for example, you and I ultimately have to

pay for it.   The Bureau, under Director Robert

Mueller, whose last job was U.S. Attorney in high-tech

San Francisco, would like you to believe that the FBI

is now recruiting people who know a lot about

computers.    That’s great if it’s true, because they

are needed, but they probably won’t make lengthy

careers out of the gig.

             To wrap up, make no mistake, 9/11 changed

the face of Federal law enforcement in some sectors.

The FBI is supposedly reforming itself.      The Justice

Department is reorganizing.       Both the Bureau and the

‘mothership’ have put cybercrime at the top of their

to-do lists.    If that’s true, it should make people

like Chris Painter big stars in government.      If you’re

a law student, make sure to hand him your resume.

             Thank you.

             PROFESSOR AVIRAM:    Thank you very much,

James.   Our next speaker is Orin Kerr.     Orin is an

Associate Professor at George Washington University

Law School where he teaches criminal law, computer

crime, and intellectual property.      He is the author of

a forthcoming book on computer crime law and has

published many articles on the topic.      Orin holds

mechanical engineering degrees from Princeton and

Stanford, so maybe he can also talk about the

innovation, not just the implementation.     Also, he

received his law degree from Harvard, magna cum laude.

          Prior to joining academia, Orin was an

attorney at the United States Department of Justice

investigating and prosecuting computer crimes.

          PROFESSOR KERR:    Thank you.    I’d like to

thank the Federalist Society for inviting me, and

especially Michael O’Neill.    I’m surprised and

delighted to learn I had some role in the formation of

this conference at the early stage.     I feel a little

bit like Gilligan on Gilligan’s Island.     You’ll recall

Gilligan would usually say something stupid, and then

the skipper would say “Gilligan, that’s a brilliant


          Similarly, I feel like my reaction is, “I

had a great idea?   Oh, well great.”    This is not a

three-hour tour, by the way.      This will only be an

hour-and-a-half panel, so no need to worry.

          I wanted to take a different approach to the

problem and focus on comparing physical world crimes

and computer crimes from the standpoint of criminal

investigations.   So you can pretty much break computer

crime law into two areas, much like you can do with

traditional criminal law.   The areas are substantive

computer crime law and procedural computer crime law.

Substantive computer crime law focuses on questions

like: What is a crime?   What’s the scope of

criminality for conduct involving computers on the

first case?   Procedural computer crime law asks: What

powers does the government have to investigate crime

in the second case?

           I want to focus on that second case and in

particular the surveillance powers of the government

in computer crime investigations and how they compare

to physical world powers that the government has.

           The basic framework is the same.    So in the

physical world the government’s big task is, once a

crime has occurred, how to collect evidence of that

crime.   The government must, first of all, find who

committed the crime, and second, prove beyond a

reasonable doubt with evidence admissible in court

that this particular person is in fact guilty.    That’s

the challenge.   The trick is to collect the evidence.

          The government faces the same basic

challenge in the computer crime context.      Once again,

the government has to collect evidence, needs to prove

beyond a reasonable doubt in court that a particular

defendant was responsible for the crime.      So the same

basic challenge is there.    But because the technology

is quite different, the way that that general task is

effectuated is totally different.      This is what I want

to focus on in my remarks.

          The way the criminal investigation will

actually unfold is very different in the computer

crime context.   The way in which court orders are

obtained is very different.       The reason it’s different

is just that the technology is different.      We’re

dealing with a computer network in which the evidence

is bits and bytes left over from the crime.

          What evidence exists, and how can the

government collect it? Sometimes crimes are ongoing.

The government can actually conduct prospective

surveillance, such as wire taps and pen registers.

These are ways of collecting evidence of crimes that

have not yet occurred. However, a lot of the evidence

collection is finding out what records happen to be

left over from the crime.    Maybe there’s stored email

somewhere in which the defendant said “I just

committed this crime; this is what I did.”    Maybe

there are logs showing that this person was actually

connected to the crime; they were logged on at this

particular time, and sent a particular command.

          It’s that kind of evidence which the

government needs in order to trace back the crime to

the defendant and then show that the defendant, beyond

a reasonable doubt, was responsible for the crime.     So

because the technology works differently, what the

government has to do is somewhat different.

          So what exactly are the differences?    Well,

the one big difference is that the government’s

ability to do its job is highly contingent on the

details of the technology.    Let’s say it’s a computer

hacking case.   The victim calls the FBI, says “I’ve

been hacked.    What can you do about it?”

          The government can start an investigation.

But at the beginning of the investigation they will

usually have no idea who is responsible for the crime,

physically where they are located, or whether there’s

a really good chance or not that they’ll be able to

trace back the crime to the defendant.      The reason is

that whether they can in fact trace back the crime --

and typically that requires step-by-step following the

path back to the hacker -- it’s just going to depend

entirely on what logs happen to be kept by particular

internet service providers.       That’s primarily what the

difference is going to be.

          What evidence may exist is unregulated in

Federal law.   There’s no law that says, for example,

that AOL has to keep its records for 30 days, or any

ISP has to keep any particular records.      Those laws

don’t exist in the U.S.   It means that the government

may happen to stumble upon something that allows the

government to solve the crime easily.      On the other

hand, it may not.

          From a criminal defendant’s point of view,

this means that the smarter you are, the more you know

the technology, the better you can manipulate the

technology - the bits and bytes that are left behind

- and the harder it is for the government to catch

you.   One of the single dumbest things that criminals

who want to commit their crimes online will do, is

they’ll send an anonymous threat by Hotmail.   So

they’ll go to, they’ll come up as and send an email.       They

say oh this is great, it’s anonymous, the government

will never be able to find me.            Well, if you

know anything about Hotmail, you may know that in the

header to the email, Hotmail includes the originating

IP address, which is the internet protocol address,

where the person is located, when they sent the email.

That may or may not give a physical location, but a

lot of times it will say, for example, that whoever

sent this email had logged on to Hotmail from an AOL

account.   Or they were at a particular internet café.

Or they were actually at a particular computer in a

physical location.   So there are some cases which the

government solved, and the reason they were able to

solve the case is because the original email from

Hotmail, which was supposed to be anonymous, actually

said where the defendant was.    The defendant just

didn’t know it.   That’s an easy way for the government

to crack one of these cases.

          Flip side is, if the defendant is unusually

sophisticated, they can make sure not to make stupid

mistakes like that.    The way I look at it, basically

if you’re a really sophisticated hacker, you shouldn’t

get caught.   You have to mess up, you have to decide

“I want to speak to the press, because I think that

would be really cool.”   You have to brag about it in

chat rooms.   You’d have to sort of take affirmative

steps to taunt, say “ha-ha, you can’t catch me” to the

government, which, surprisingly, a lot of hackers

decide to do.   But that’s what you’d have to do in

order to get caught.   If you’re very smart, you can

probably commit your crime without being caught.

          Another difference that this technological

switch from physical-world crimes to computer crimes

makes is that the evidence collection is almost

exclusively court-order based.   So at almost every

step of the way the government, in particular a

Federal law enforcement agent typically with an

Assistant U.S. Attorney applies for court orders

compelling ISPs to divulge information.

            If you look at Law and Order, you have the

police officer who goes around and they knock on

doors.   They say we want to talk to you about what

happened on the night of September 14th.   Then the

person says, “okay, okay, I’ll disclose that this is

what happened.”   It’s a great drama on TV.

            There won’t be computer crime dramas that

look like that on TV.   Or at least if there are, it’ll

have nothing to do with what actually happens in these

investigations.   Because what happens is that an FBI

agent says “I think we need a court order from

Hotmail,” or “I think we need a court order from AOL.

We need to collect this evidence.”   An Assistant U.S.

Attorney or Justice Department trial attorney types up

a court order.    It is submitted to a judge.   A judge

signs it.   The order is then faxed to the ISP.   Three

days later the ISP faxes back the information.    It

doesn’t make for great television, so you’re unlikely

to ever see that on TV.

            But that’s how every step of the

investigation works.    It is constant court orders at

every step of the way.    A lot of the debate over the

U.S.A. PATRIOT Act that we saw a year ago was about

the circumstances under which those court orders be


             Finally, a big difference between computer

crime investigations and physical world investigations

is that it is nearly impossible for the government to

prove its case without there being a search warrant at

the end, which is normally executed at the defendant’s


             In the physical world, there are lots of

ways in which the government can say “we have enough

evidence to go forward.”    Let’s say it’s an assault.

The victim says “I know what the guy looked like.

I’ll be able to ID him in a line-up.”      The victim in

fact does so.    Put the victim up on a stand, “yes,

that’s the guy who hit me.”       Something like that.

             It doesn’t work that way in the Internet

context, because nobody can actually see what’s

happening.    So all the evidence that the government

has is bits and bytes, an email here, a log here, a

log there.    It’s nearly impossible merely on the basis

of a few sort of scattered pieces of information to

prove beyond a reasonable doubt that a particular

defendant was committing the crime.

          Really the only way that can be done is by

executing a search warrant at the defendant’s house,

which leads to the defendant’s computer, and the

discovery of files inside.    The government can prove

that this defendant committed the crime by showing

that the computer in the defendant’s bedroom has all

the logs, all the information, and the secret file

that was downloaded present on the computer.   That’s

how the government can prove its case.

          From a defense attorney’s standpoint, if we

look at the other side of this, what makes these cases

extremely difficult is that Congress has not added a

statutory suppression remedy to any of the statutory

surveillance laws, like the Wiretap Act and the Pen

Register Law.

          So if you’re a defense attorney and you’re

looking for grounds of suppression, you really can’t

rely on any potential errors in the government’s

investigation up to the search warrant.   The only step

that really can be challenged is the search warrant on

traditional Fourth Amendment grounds. In fact, if you

look at the cases in the area of computer crime law,

you’ll see a lot of cases challenging search warrants,

arguing that there was insufficient probable cause, or

that the warrant was over-broad, at the very last step

of the investigation.

           So those are just a few remarks on the

overall difference between computer crime

investigations and physical world investigations.

           The capsule summary -- I like to do this for

my students who at the end of class say, Professor

Kerr, that was very interesting but what should we

learn from this, what’s on the exam -- is that the

basic framework is the same.    It’s still the

government going out there collecting evidence.     They

still have to prove beyond a reasonable doubt that the

defendant was in fact the person who committed the

crime.   They still need to get search warrants.    The

traditional framework is there. But because of the way

the technology works, the way in which the government

goes about this investigation is pretty different.


           PROFESSOR AVIRAM:     Thank you very much,

Orin.   Next we will hear Christopher Painter who is

Deputy Chief of the Computer Crime and Intellectual

Property Section at the Department of Justice.     From

1991 to the year 2000, Chris was a criminal prosecutor

at the U.S. Attorney’s Office for the Central District

of California in Los Angeles.     During his tenure

there, he specialized in investigation and prosecution

of high tech intellectual property and computer crime.

Chris has investigated and prosecuted some of the most

high profile, high-tech cases in the country,

including the first internet stock manipulation case

and one of the first internet auction fraud cases.

           MR. PAINTER:   Thank you.   I agree with Jim:

first of all, I can talk about this subject for hours,

but we don’t have that much time, fortunately for you.

Second, I remember getting a request one time from a

television crew from Tech TV that wanted to do a ride-

along on a computer crime case.

           I look at this problem from three

perspectives.   Actually I’m going to key off some of

the things both of the first two speakers spoke about.

As mentioned, I was a Federal prosecutor for a number

of years, specializing in this area and did cases like

Kevin Mitnick which took approximately seven years to

do, and the stock fraud cases mentioned that took

approximately seven days to do, Mafiaboy and some of

the other cases that were mentioned.

          In the last three years I’ve been back at

the Department of Justice concentrating still on the

cases, but also on the policy and some of the

international aspects of these things, including laws

like the PATRIOT Act and some of the policy and legal

regulations that go into it.   Also for the past year

I’ve been chair of an international group.   The G8 has

a High Tech Crime Subgroup where there are

representatives from each of the G8 countries that

deal with issues on high tech crime, particularly, the

procedures of tracing crime over the internet, which

is necessarily international; discussing data

destruction regimes where data actually gets destroyed

because of some legal regulations in some countries;

traceability of computer communications across borders;

and building means of cross-border law enforcement

cooperation, such as setting up 24/7 points of


           Before I get to what I was going to talk

about I just want to comment a little bit about what

was said earlier about what’s happening in terms of

the lack of expertise or the drain of expertise at the

FBI and the Justice Department.    I suppose one thing

about going third in panels like this is that you

necessarily react to what some of the other people

say.   Although I think Jim made a lot of good points,

I would say that I don’t really agree that the

expertise is being drained away.   For one reason,

frankly, the dot-com disaster, I think, has made it

much more unattractive to go into private practice.

           But besides that fact, there is a growing

expertise in law enforcement.   There is a growing

expertise at the U.S. Attorney level and the

Department of Justice.   I think that’s really expanded

fairly dramatically even in the last couple of years.

When the new administration came in, one thing that

Attorney General Ashcroft did was create in 10, now

it’s up to 13, cities around the country, what are

called computer hacking and intellectual property

sections -- teams of prosecutors who concentrate in

this area.

             When I was in Los Angeles, I was part of a

network that is not only still in existence, but has

grown dramatically, of prosecutors who specialized in

computer crime investigations, who actually understood

at least at some level, the technology, understood the

laws that applied, and understood all the processes

that Orin was going through about why these crimes in

many ways though the goal is the same are different to


             That has grown.   The Secret Service now has

task forces dealing with Cybercrime.     The FBI, under

the reorganization that Bob Mueller has directed, has

created a cyber division led by an Assistant Director

named Larry Mefford, who’s building up the cyber

capability at the FBI, at headquarters and at each of

the field offices around the country.

             It is, of course, a continuing challenge.

One thing that I will emphasize throughout today is

that because the technology changes so rapidly,

because the laws are not necessarily easy to apply,

and the investigations do require an understanding of

the technology, this is always going to be a game of

not so much catch up, but continued education for

agents and prosecutors, and a continuing challenge to

make sure that we keep up with the criminals.

          Let me just talk a little bit about what I

have seen, and it keys a little bit off what Orin had

said about the differences between these different

kinds of crimes.   One of the key things is that there

is an explosion of crime on the internet, both of the

sort of "old wine in new bottles," -- the internet

fraud, the stock fraud, the threats, all of those

things; and the new types of crime, the really

internet-specific crimes, the attacks on computers,

the attacks on computer networks, the hacking crimes,

the denial of service crimes.   Each type has grown

dramatically over the last few years.

          There are a few reasons for this growth, but

one of them is the changing profile in terms of the

people who commit these crimes.   Traditional crimes

are still committed by traditional criminals; however,

hacking crimes, where it used to take a Kevin Mitnick

who had a lot of knowledge about how computers and

computer systems work, now has transitioned to someone

like Mafiaboy, who used available tools or tools that

were readily available to him to cause a huge amount

of damage on the internet without really a whole lot

of expertise.

             The other thing that I think really

contributes to this crime increase is the fact that

the internet has a degree of both actual and perceived

anonymity.    I think Orin talked a little bit about the

perceived anonymity, but there’s actual anonymity,

too.   A lot of people who I think traditionally would

not commit a crime in the physical world, since they

would not either have the courage or the resources to

do it, can do it on the internet because (a) it’s easy

and they can reach a lot more victims, and (b) they

don’t think they’re going to get caught; they don’t

think there are consequences to their action; they

don’t think that you can attribute their conduct to

them and find them.    Sometimes we can, and sometimes

it’s been more of a challenge.

           I take issue with a few of the things Orin

said in terms of whether, if you’re really clever,

you’re never going to get caught.    I think sometimes

you can be really clever and you do get caught.    I

think the technology both helps and hurts here.

           I had a case, a physical world case when I

first started as an Assistant U.S. Attorney, where

someone robbed a bank.   This sort of parallels Orin’s

example.   He wore a mask, so he was really taking

precautions.   But we were able to find out who he was,

because he was a maintenance person in the building

and he left his nametag on.     Not the smartest move.

           That is similar to Orin’s comment about

people who send threats over the internet and don’t

realize that the IP address is there.    The first case,

the first internet stock fraud case, a case I did, and

you can talk about in terms of how you actually trace

conduct over the internet, how you trap and trace the

various IP addresses, involves someone who posted a

fake Bloomberg web page claiming that stock of a

company named PairGain was going to be purchased.      The

stock went up 31 percent on NASDAQ in the space of

about three hours.

           It was a complete fraud.   It was a fake web

page.   It was posted on a web hosting service called

Angelfire.   When we started looking to find out who

had done this thing, there was no money trail.

Usually with fraud cases there’s a money trail, but

there was no money trail here.   There’s no money trail

on hacking cases either.   So there’s no clear

connection, no easy way to trace the conduct.

           We started looking at the electronic trail.

We started looking at the fact that the criminal set

up this bogus page on a web hosting service.     We

looked at the information the criminal gave to the web

hosting service, because you’re supposed to give

information, including your name and address and

everything.   It’s not anything the service verifies,

and as it turns out, the information the web service

had was that guy’s first name, "Headlines" and last

name was "99."   Using years of investigatory

experience, we figured that was probably false.

           So then we started looking deeper to see

what else was there.   Well you had to give a real

email address -- it was a Hotmail address -- to get a

password for the web hosting service to allow you to

access and modify.   Again, it was all fake

information, but if you look deeper into the data that

Hotmail and web hosting service had, they did trap in

their logs, the IP address, the originating IP address

of the person using their service.   You could use

their information to trace back the communicators to a

physical ISP.   This led back to an ISP called

Mindspring, now Earthlink, given a particular IP

address and a date and time.    Earthlink was able to

identify a particular subscriber account that was

responsible for the conduct.    This does not

conclusively tie the conduct to a particular person

since the account could have been stolen or used by

someone else, but Mindspring kept what were called

"radius" logs, which means when you dial into an ISP,

they not only can tell the particular account used,

but also the phone number accessing the account.     We

were able to go right back to a particular number in a

particular residence, search his house, and in seven

days apprehend the perpetrator.

          Contrast that with the clever hacker, as

Orin was saying.   Contrast that with Kevin Mitnick,

who it took approximately two-and-a-half years to find

on the road, because he was using cloned cellular

phones to call into internet service providers.     He

was using hacked accounts.    He was bouncing his

communications internationally, and that made it very

difficult to track him.

          So that does create a problem.     I think the

modus operandi is shifting to the latter, rather than

to the earlier example.   I think there are still

people who don’t realize what’s happening with the

technology and still just sending things out without

realizing that we get some information.     On the other

hand, even the fraudsters, even the people we were able

to track because they did stupid things, are now

getting more clever.   They’re encrypting

communications.    They’re bouncing their communications

through several sites.    They’re doing the things that

hackers have traditionally done, cleaning the computer

logs and other things.

          What does that mean for us?    That means that

there are certain challenges posed for law

enforcement.   The challenges have to be met in a

number of different ways.   First, there are the

technical challenges of having the ability to actually

track various criminal activities. They require law

enforcement to develop tools to do this tracing and

working with internet service providers and others so

that they’ll have the necessary abilities.

          The second challenge is having the necessary

legal framework in place.   A lot of what the U.S.A.

PATRIOT Act really was about, was creating a legal

framework that applied to the internet in a way that

it did to the physical world.    We could talk about

that alone for a long time, but I’m just going to hit

one point on that.

          On the legal tool development issue and the

PATRIOT Act, one of the over-arching concerns that we

have in government is that there is a real

misunderstanding, I think, in the public of how high

tech crimes happen and what the legal tools are.    That

public perception, which hopefully gets cleared up by

people like Jim and others is that they want the

internet to be secure.    They want law enforcement to

be able to do its job and make sure that there’s

security and we can trace these communications.

          On the other hand, the public is terrified

that law enforcement is abusing its powers, that

somehow in this dark, deep box of the internet, law

enforcement is gathering all kinds of information

about them, without any court order, without any

authority, and it’s putting it somewhere and is

abusing their privacy.    The challenge for us is not

just the technical challenge, but educating the public

that there are rules, that there are constraints, and

that we follow those rules, and those rules are there

for a reason in terms of the kind of information we

get and how it is used.

          It doesn’t help when you have misperceptions

like those that revolved around the badly named

Carnivore system that has been renamed DCS-1000.    It

was characterized in the media as this device like a

vacuum cleaner that would suck all the communications

from everyone around the world into it and that the

FBI would sit there reading through it and figuring

out what everyone was doing.

             Well, if you actually look deeper into the

technology, it’s no more than a filtering device.

It’s a filtering device that simply allows law

enforcement to effectuate a court order that it gets

from a judge for either what’s called "addressing

information," the same as what is outside of the

envelope essentially, or content information if

permitted by a court as a full wiretap.    Despite the

press hype, it wasn’t this thing that was capturing

everything but was operating as a technical tool to

effective Court ordered investigation of criminal


             There was perhaps one issue about

accountability when tools like Carnivore were used

that was cured by the PATRIOT Act.    Just to make sure

that people understood that their tool was being used

properly, the PATRIOT Act said that the results of

something like Carnivore or DCS-1000 had to be filed

with the court.    Fine, that was appropriate; that made


          But the kind of paranoia that this thing was

being used in all these ways well beyond what it

really was, I think just underscored the fact that the

public has to understand what we’re doing and we have

to explain our capabilities and legal constraints.

          The other thing -- and I’ll close on this --

is sort of misperceptions about the PATRIOT Act.

We’re going to hear much more about this either later

on this panel or later today.   But again, there were

all kinds of misconceptions about that law.    I’ll

focus on just one provision, and that was the hacker

trespass provision.

          This also illustrates sort of the odd kind

of collision between traditional law and the

technology as we see it.   The Wire Tap Act is

something that deals, as many of you know, with

setting a fairly high bar, a really high bar, for the

real time interception of the content communication.

An appropriately high standard applies for that kind

of activity -- not only the standard of probable

cause, but there are a number of other exhaustion

remedies, et cetera, that are in the Wire Tap statute.

           Well, one issue for us in law enforcement,

when dealing with victims, was that when hackers were

breaking into their systems and taking advantage of

their systems, there was a real issue in the victims’

minds and in law enforcement’s minds of whether they

could call law enforcement in to ask them to help

track the intruder in their system.   Could we monitor

these intruders in the victim’s system?

           If you look at the physical world, if a

burglar broke into your house and was in the basement,

you certainly could call law enforcement for them to

see what he’s doing and then arrest him.   It’s not a

problem.   In the non-physical, the cyber analog, it

wasn’t clear you could do the same thing, because the

Wire Tap statute goes beyond the Fourth Amendment to

provide certain statutory protections, and it didn’t

have an express exception for monitoring intruders.

The Wiretap Act wasn’t based on a reasonable

expectation of privacy, the Fourth Amendment

consideration, which an intruder just doesn’t have.

           One of the things the PATRIOT Act did was

fix that; it made it clear that we could monitor an

intruder at the victim’s request. Though this makes

good sense, it was really characterized in very

different terms by different groups who might have had

different agendas. It was certainly characterized as

this sweeping expansion by many.     Even Jim said this,

that this provision was a sweeping expansion of the

various powers that the government had when it was

very targeted and rational.

           I think if anyone actually looked --

           MR. MEEK:   -- people respond to buzzwords

when you print them, you know?

           MR. PAINTER:   That’s another problem for

government.   I’ll close on that.    The problem for

government often is that when the press writes about

these things it sounds far more attractive to come up

with "sweeping expansion of powers" than "a modest

proposal that actually makes sense."

           PROFESSOR AVIRAM:     Thank you very much,

Chris.   Our final speaker is Ralph Clifford, Professor

at the Southern New England School of Law.     Ralph

received his B.A. from Duke University and his J.D.

from New York Law School.

          Prior to joining legal academia, he

practiced law, concentrating in trial practice and

high technology law.   Ralph published numerous

articles and several books in the field of computer

law, including his latest title, which is Cybercrime:

The Investigation, Prosecution and Defense of a

Computer-Related Crime.

          PROFESSOR CLIFFORD:   Thank you.    I’m

approaching the whole thing from a different

perspective.   The topic I’m talking about is legal

consequences of not using technology that is available

to protect your web site; effectively, if you will,

liability for somebody else’s conduct.

          When I started thinking about this in the

scope of cybercrime, I was stumped.   I couldn’t figure

out how I was going to address the topic that I agreed

to talk about, so I decided to do what law professors

love to do, which is create a hypothetical.    I chose a

hypothetical that was very drastic in consequences,

but hopefully not improbable, something that could in

fact happen.   It proved out to be a very fruitful tool

in my analysis, so I’m going to start off with a


          My hypothetical includes a hacker who gets

angry at a hospital for some reason or another:     a

billing dispute, malpractice, it doesn’t matter.    He

decides to use his computer skills to make the

hospital pay.   He does this by launching a distributed

denial of service attack on the hospital’s web server

and email server.

          To achieve that purpose, he buys one of

these CD-ROMS that had millions of addresses on it.

This particular CD-ROM was advertised as having the

addresses of several million users who have high-speed

access to the web, because that’s critical for his


          He also knew that a vast majority of these

email addresses and computers would not have sufficient

firewall protection and would probably not have any

virus protection software that could detect the brand

new virus that he is about to write.   Most virus

protection, after all, only detects a virus that has

been seen before.

          He sends his email, and he makes it clever.

He disguises it as coming from the Red Cross.   It

indicates that if you click on a link, you can get a

new screen saver that is a commemorative of the 9/11

events.    Needless to say, that would be very popular

among people who like screen savers.   In fact, to make

his message legitimate, he put a screen saver in the

message.   But he also had several viruses associated.

            First, he had a very classic virus that

replicated his little message and went to the email

address book on the computer and sent the message out

to everybody who was located on the victim’s computer.

The second thing he did is create a zombie, which is a

program that is left after the virus comes along.

That program is designed so that it will become

activated at a particular date, maybe a month later.

It has a trigger date on it.

It’s these zombies that will actually do the work of

destruction of the hospital system.

            Finally, to make people like Chris have a

hard time tracking him down, the virus deletes all

copies of the message that came in so that there’s no

trace.    That first hop back to the ISP is missing.

The culprit knows enough about computer technology to

be able to delete it everywhere.

          On the trigger date thousands of these

zombies that managed to make it through firewalls and

were embedded on the machines launch a distributed

denial of service attack.   Each copy of the zombie

would generate thousands, perhaps hundreds of

thousands of email messages, all addressed to the

hospital and would also initiate a like request for

data off of the hospital’s web page.   Needless to say,

the hospital’s web page server and email server can’t

handle that kind of volume.

          Usually this wouldn’t be that big of a

problem for the hospital, because if cleverly

designed, you don’t have the internet and your

internal computer function the same way.   But I’ve

discovered very commonly, particularly for companies

or entities that are trying to save money, they share

the backbone, the principal pipe that connects all the

computers in the particular company.   So in this

hospital, the hypothetical indicates that the

backbone is the same backbone that’s used for all

internal hospital communications also.

            So when the web server and the email server

are attacked, because they are then overusing the

backbone of the hospital, the hospital’s entire data

processing system goes down.     As a consequence, two

critical systems are lost: patient medical records

disappear, and the systems that are used to monitor

patients, particularly in ICU units, stop functioning

simply because they can’t get their messages through.

            They stop functioning in a way that you may

not be aware of the fact that they’ve stopped

functioning.   After all, the computer doesn’t expect a

message on a regular basis.

            The final step of my hypothetical is that

because of these consequences, several patients die.

That’s obviously the most drastic part of the

consequences of the hypothetical.

            Using this hypothetical, I now take the role

of a District Attorney, because this is probably at

the state level, at least for the deaths of the

patients.   Who can I prosecute?   There are five groups

of actors that I’m going to have to take a look at:

the hacker, the easiest one obviously; the owners of

the various computers that were used by the hacker to

launch the denial of service attack; the ISP of those

owners; the manufacturer of the software that allowed

the virus to work; and finally, potentially the


            For my discussion, I’ll use the Model Penal

Code simply because that’s a universal descriptor of

the criminal law.   I think most state law systems

would be able to do what I’m talking about.    We’re

presumably talking about prosecutions for either

manslaughter or negligent homicide.

            No one in the hypothetical acted

intentionally with the intent to kill.   So as a

consequence, the more serious murder charges, I think,

are excluded by the hypothetical.   We’re dealing with

manslaughter, based either on recklessness, or we’re

dealing with negligent homicide based on sort of, if

you will, gross negligence or more than ordinary


            What we’re dealing with in terms of

evaluating whether that recklessness or negligence

occurred is whether or not there’s a substantial and

unjustifiable risk that was either perceived by the

individual actor and ignored, or whether it was one of

these risks that should have been perceived by the

actor and wasn’t responded to, to separate the

recklessness from the negligence.

           By the way, the other thing you have to

eliminate is accessory liability or accomplice

liability as the Code calls it under 2.06.   To be an

aider or abettor in the commission of a crime, at

least as far as I can tell, you have to act with the

purpose of promoting or facilitating the crime.

Nobody but the hacker even knew that a crime was about

to occur, so as a consequence, none of our other

parties could be aiders and abettors.    They’re either

going to have to be primarily liable on their own, or

they’re not going to be liable at all.

           Let me talk about each.   I’m going to start

with the hacker.   We can get rid of the hacker fairly

quickly.   Assuming he can be found -- and that’s not

an assumption that is necessarily going to be true --

there’s no question that at a minimum negligent

homicide should apply.

            Attacking a hospital is different than

attacking a bank.   If you do a denial of service

attack against a bank, the expected consequences are

going to be quite different than if you’re doing a

denial of service attack against an entity such as a

hospital.   So I don’t think I would have problems as a

District Attorney bringing manslaughter/negligent

homicide against the hacker.     But if he’s clever and

does not go around bragging about what he did with the

hospital, it’s going to be very difficult for the law

enforcers to track him down and bring him in for


            So, we’re left with the other parties.     I’m

going to talk about their liability first and then I

will whether, from a policy perspective, there should

be liability.   I’m going to clump the hospital, the

computer owners, and the ISP into one class.    I’ll

talk about the manufacturer of the software in a

second class.

            For most of the people, the hospital, the

computer owners, the ISP, I think criminal prosecution

is improbable.   In many ways these three groups of

entities are as much the victim of the crime as were

the patients.    They after all did not want this to

happen; it just occurred.

           There is one way, however, that they could

be tied in and be determined to be a proximate cause

of the deaths of the different patients.   If they had

provided adequate protections so that their systems

would not be able to be used by this kind of denial of

service attack the deaths would not have occurred.

Such technology is available: a dual way firewall.

     Lots of us have firewalls to keep things out.

Very few of us have firewalls to keep our system from

reaching out to the web without our consent or without

our knowledge.   But such technology is available, and


           If we were using that simple technology, the

zombies would not have been able to send out their

emails.   The zombie program itself would not be

recognized by the firewall, and as a consequence, the

firewall would either just deny the zombie access to

the web or would pop up a screen saying this zombie is

attempting to send email messages, do you want it to?

That would have obviously stopped the attack here.

             So as a consequence of not using dual way

firewalls, there is a touch of culpability on the

computer users.    They didn’t do everything they could

possibly do to prevent the occurrence of the crime.

             The ISPs are even one more step removed from

that, because after all, if they have a failure here,

it’s a failure to request that their users install

firewalls.    I think we’re really moving out if you get

to the ISPs.    Except, of course, my ISP, which

actively discourages you from using firewalls.     If you

should be so stupid as to put up a firewall, you lose

your guarantee of service, because it is the

firewall’s problem if there is anything wrong with the

service.   So they may be a little more culpable than

the typical ISP, or what I hope is the typical ISP.

             We are talking about the liability of these

groups based on omission.    That is accepted under the

model code and in state codes.    Under section 2.013(b)

of the model code, a failure to act can be criminal,

if and only if there’s a duty to perform the omitted


          That’s the rub when we talk about the ISPs,

about the users, and about the hospital: where is

their duty to act?   There doesn’t seem to be one as

far as I can tell anywhere, although there’s some

statutory law in California that seems to be running

pretty close to imposing that kind of duty.

          We’re not likely to have any change in this

area, at least at the Federal level.   If you took a

look at the national strategy to secure cyberspace,

the scheme that’s proposed there is completely

voluntary, as opposed to legally mandated.    So if I

were a prosecutor for these groups of people, I

wouldn’t bring charges, because I don’t think they

could be won.

          The software company is different.     If the

software company had a design flaw in it that allowed

this to be distributed, they could be under a positive

legal compulsion not to have such a design flaw.    That

legal compulsion is products liability law.    Products

liability law prevents the company from bringing out a

defective product in any way.   If this is a defective

product, then they could be held accountable.

             There is precedent for this kind of charge.

Some of you may remember from the 1980s that Ford

Motor Company was indicted in Indiana on the basis of

a Ford Pinto gasoline tank explosions.    The company

was acquitted, but they were at least indicted for


             So in summary, the hacker can be charged.

The software company is at risk of being prosecuted,

but nobody else is.    Is this proper?   I argue that it

is not proper.    In order for the internet to continue

to function, in order for the internet to protect

itself against denial of service attacks in

particular, it’s necessary for every node to


             The internet was based on the idea that

every node cooperates with the internet, and in fact,

every node can be trusted to be on the internet.       It

was not designed as a commercial system, after all.

As a consequence it would seem that imposing this

obligation of protecting the internet from itself is

something that society definitely needs to do.

            I’m not convinced that the criminal law is

necessarily the best mechanism for this.      The criminal

law after all is pretty blunt edged; it is a pretty

brutal device to use to convince people to do things.

What I’m afraid of, if you read the President’s

infrastructure report and what other commentators are

saying, is that everybody is saying that somebody

should do something about it.      With that attitude, of

course, there’s not going to be any way of protecting

the web from a denial of service attack.

            Thank you very much.

            PROFESSOR AVIRAM:     Thank you very much,

Ralph.   We’ll now give each of the speakers an

opportunity for a very short reply.      Then we will open

it to questions.   James?

            MR. MEEK:   I’m glad that Chris is here

because the more I mouth off, the more he is going to

correct me, and ultimately the more information I will

have at the end of the day, which is actually my


            There were a couple of things that Chris

brought up.   In preparing for this panel, we had

discussed some of the things we might talk about.

Chris had brought up at that time an interesting

thought and asked me if perhaps I would comment on it.

The issue was the public’s reaction to law

enforcement, investigating cybercrime, and whether

there is a fear of invasion of privacy.   That’s a

great topic.   I’ve written many stories about privacy

concerns related to the PATRIOT Act and pre-dating the


          Carnivore, this sniffer system that sucks

up, excuse me – carefully filters - emails, looking

for target words, is now renamed DCS-1000.    That’s

Deadly Carnivore System.   No, I’m kidding.   What does

DCS stand for?   Do we even know?   It doesn’t stand for

anything, does it?

          A real fear that the public has is that law

enforcement is going to somehow get access to the

digital home porn movies that they have on their

desktop in the course of investigating some other

cybercrime that has nothing to do with them.   Maybe

their computer has been used as a zombie, commandeered

by a hacker to launch denial of service attack or

something.    Somehow their love letters or their

personal financial statements or whatever is going to

be discovered.    There are many scenarios that people


             I think Chris is right.   A lot of that

concern has been overhyped by special interest

groups, like the Electronic Privacy Information

Center, which has about a million lawsuits against the

government on various privacy and Freedom of

Information Act litigation trying to find out more

about Carnivore.

             The problem is the government has been its

own worst enemy in this starting with naming this

thing Carnivore.    This is an FBI tool.   As an aside,

the FBI, you may recall, after 9/11 put out a lot of

terrorism alerts.    I’ll never forget one day they put

out one of these alerts saying bridges may be at risk,

and they put it at a web address, a URL on the

website that ended with skyfall.html.      Wasn’t exactly

reassuring.    Kind of, I don’t know, stupid.

             Information about the system has been kept

very secret.    EPIC has had to sue because they’re

trying to get more information about what is this

technology.   Nobody has been allowed to see it.    Very

few people have actually seen it, at least in the

private sector.    There was, I believe, Attorney

General Reno, wasn’t it, that appointed some sort of a

commission of folks from the private sector, academic

types, to look at this thing and write a report; let

the public know.   They came out and said actually it’s

not as bad as some people have said it was.

          Changing topics, one thing I would say about

cybercrime in general is that I’m glad to hear that

what Chris is saying in terms of expertise.    Has it

reached a level of perfection?   Do you have more

people than you can deal with?

          MR. PAINTER:    No.

          MR. MEEK:    So there’s plenty of work to go

around still.   Chris is right, the dot-com crash

probably has made the private sector a lot less

attractive, but there are still plenty of people who

leave government to go into the private sector.     The

fact of the matter is cyber security, despite the dot-

com crash, has still been a growth industry.   There

are not fewer hackers; there are more hackers today

than there were two or three years ago.

           There are more threats, legitimate threats

out there, as much to the private sector as to

government.   Those threats, as Chris will tell you,

often come from within a company.    A lot of their

concerns over security are not from some hacker

breaking in from the outside, it’s an employee who’s a

hacker breaking in from the inside.   That’s a major

problem.   So the cyber-security business, which is

another area that’s quite lucrative, continues to


           The problem is that cybercrime rarely

captures the public’s imagination.    The Mafiaboy case

was an exception.   Funding in government goes to high

profile criminal investigations or types of

investigations.   The great achievement of the PATRIOT

Act was that people like perhaps Chris or other very

savvy people like him convinced those in the

Administration who were helping to craft the PATRIOT

Act that cybercrime should be a major part of this

and, therefore, should get attention and ultimately

more money.   That’s a good thing; that’s not a bad


           So, I’ll toss the football.

           PROFESSOR KERR:   Just very briefly I wanted

to comment on Professor Clifford’s remarks and the

idea of third-party criminal liability.   It’s an

interesting question, but I don’t think it will ever

happen.   Not only do I think no prosecutor would bring

any of these charges, I don’t think it’s there on the

merits for any of the parties, including the software

developers.   I don’t think there’s a criminal act,

taking the model Penal Code framework.    I don’t think

there’s causation.   I don’t think there’s mens rea.

At least off the top of my head, I don’t think any of

the elements are there.

           Possibly there’d be a case where some

prosecutor could be aggressive and try to craft the

argument, but I really doubt it.   I don’t even think

there’s going to be civil liability for third parties.

If you look at the legal scholarship, this is an idea

that’s been bandied about for about 20 years.   There

are articles going back to the early 80s about how

software developers and ISPs, then you had BBS hosts --

this is pre-ISP -- are going to have civil liability

for negligent computer security.

          As far as I know, no suit like that has ever

been filed.   I’m sure eventually some plaintiff’s

attorney is going to file a suit, this being America.

But I doubt that will end up being a really

substantial component of things.

          If you think of the analogies in the

physical world of somebody shot by a gun, we’ve seen

already suits against the gun manufacturers.   So maybe

that’s the first step of that reasoning in the

physical world.   But you could sue almost anybody who

has some sort of role in it.    You could sue the people

who designed the road where the people were stopped

where the shooting occurred.

          I think keeping that from getting too far

out of control, along those lines I doubt there will

be really substantial civil liability.   But then I

probably shouldn’t even guess about those civil

issues, because it’s far beyond my area of expertise.

On the criminal side, at least, I just don’t think

liability is going to extend beyond the actual bad

guy, the hacker.

            PROFESSOR AVIRAM:     Chris?

            MR. PAINTER:   Quickly on a couple of things.

I think it’s an interesting dichotomy.      People have

different expectations of both their privacy and

expectations of government in the cyber world than

they do in the physical world.      I think in time that’s

going to start merging, when people start

understanding the cyber-world better.

            I do think the problem with law enforcement

tool development and then the explanation to the

public of how these things work is going to probably

continue.   But we need to develop those tools, because

we can’t simply throw up our hands and walk away from

an investigation if we don’t have the ability to

actually trace the conduct.       Obviously that’s going to

involve not just us working by ourselves, but us

working with the various providers and the other

people on the infrastructure.

            On the point of whether we still need

talented people, we obviously do.      One of the things

as I think has been pointed out here today is that

these are not easy investigations to do.    They do

require some technical expertise.    I can say, and I

definitely want to say, not just because there are

some of them in the audience, that there are FBI

agents and Secret Service agents and prosecutors that

I work with that are the most talented people I’ve

ever seen.    They really understand this stuff and they

are great.    We definitely need more of them.

             But we need more of them not just at the

Federal level.    What I see this problem becoming in

the next few years is that every single crime is going

to have a cyber component.    Anything you can think of,

the evidence or the communications is going to happen

over the internet or computer networks, which means

that law enforcement at every single level is going to

have to understand these things and be trained.

That’s something that is a challenge for us to

continue to meet.

             One other challenge posed for us is the

availability of the widening trail.

             In the cyber arena, data is very very

ephemeral.    The evidence just doesn’t last very long,

which means not only do you need the technically

skilled people, but you need them to be able to act

incredibly fast, not just nationally but

internationally, and have contacts and work

cooperatively and have the tools available to them and


             So, no, we’re not at an optimal level.     Yes,

we need more people.    I think that’s going to be a

continuing challenge.

             PROFESSOR AVIRAM:    Thank you, Chris.   Ralph?

             PROFESSOR CLIFFORD:   Yes, a couple comments

for Chris here, just sort of taking the opposite side.

             In general I think the government,

particularly at the Federal level, has been very

effective in fighting cybercrime within the bounds of

our constitutional framework.      But for many of us

outside of government, we’re always a little concerned

when government gets more power, not because of what’s

happening right now, but because of a fairly well-

known history of abuses by these Federal agencies.

             The example I can cite obviously is the FBI

investigations and files that were maintained on

various civil rights activists in the 60s and 70s, all

of whom were engaged in constitutionally protected

rights but nonetheless were being subject to

investigation and harassment by the very agency who’s

now saying “you can trust us.”

          The criticism that many of us in academia

and the privacy community have of the PATRIOT Act comes

not from a lack of recognition that the government

needs the power to investigate cybercrime, but from a

question about whether the PATRIOT Act provides

sufficient oversight by the public and by public non-

governmental agencies to prevent it from becoming

abusive in the future.

          There’s no question that when you’re dealing

with cybercrime you need expedited processing.    Things

in cyberspace happen very, very quickly.   If you’re

going to hamstring the government and make them go

through weeks full of processing in order to get a

search warrant, then the evidence of the crime is

going to be gone.

          But with expedited processing under our due

process clause should also come greater protection.

If you take a look at the courts’ decisions in the

area, it’s not a case that the government can’t act

first and then have its hearing or have its

justification where justified, it’s the question of

whether and when is that hearing going to come.       When

is the decision, made in the heat of the battle of the

cybercrime investigation, going to be reviewed to make

sure it is legitimate under the government’s scheme?

            PROFESSOR AVIRAM:     Thank you, Ralph.   We now

open it to questions from the audience.      But just to

make sure you are all heard, if you want to ask a

question, raise your hand.      We will get a cordless

microphone to you.   And please state your name and

affiliation as well.

            MR. CLARK:   Hi, my name is Drew Clark with

National Journal’s Technology Daily.      It’s been an

excellent panel and a lot of good perspectives.       Up

until the last comment though I was going to say

what’s missing is the perspective of a privacy


            I do have two questions along those lines

that are related.   I guess the first is for

Christopher and Mr. Kerr.   You both alluded briefly to

data destruction and presumably data retention.       That

is, of course, a lively controversy in Europe right

now.   I’m wondering whether U.S. prosecutors are

interested in something like what they’re trying to do

over there, which is a year’s worth of data logs being

required to be kept.   What are the pros and cons of a

mandatory data retention regime?

           I guess the second question of a privacy

nature is whether you have any reaction to the fact

that the fundamental change the cyber-world has caused

in terms of individual privacy is that we keep details

of our personal lives in databases under the control

of third parties, companies.     There’s simply not

adequate laws to protect the privacy of that

information in the same way that one individual can

protect the privacy of information on a computer in my

home or in my desk drawers.

           The PATRIOT Act just goes further in the

direction of making it easier for law enforcement to

get those third-party records.    So on that perspective

of privacy, could you address that question, please?

           MR. PAINTER:   Let me take the first and a

little bit of the second.   I’m sure Orin might have

some comments, too.   When I said data destruction, you

have to look at this in terms of a continuum.   In the

United States we have a free market system where ISPs

are allowed to keep data for as long as they desire

for particular network security or other purposes as

they see fit.   They are not required to keep data, nor

are they required to destroy data.

           In certain other regimes, in Europe and

other places, there are laws or protocols which tell

ISPs that if they have data that they don’t need for a

billing purpose anymore, they need to destroy that

data.   Now there are reasons for them to say that they

want to do that, but what’s not really thought about

is the real adverse impact that has on law

enforcement.    When data is destroyed, obviously the

electronic trail is not there.

           We do not advocate in this country changing

the system that we have, the balanced system where the

ISPs can and usually do for various reasons, for their

own purposes, not because we ask them to, keep the

kind of data, the logging data, that we need in an

investigation and which we get with court orders.

          So there’s not a move to change that.       The

fear that I and some of the others, including the G8,

have expressed, is when you have data destruction

regimes that get rid of the data that make it

impossible then to trace the electronic trail.

          On the second issue, the entire Electronic

Communications Privacy Act, which is the part of the

U.S. Code which really deals with what law enforcement

needs to do to get certain kinds of information from

third parties - internet service providers, remote

computing services, etc. - goes beyond the Fourth

Amendment protections.   It recognizes that perhaps

there is a greater privacy interest when people store

things in the internet context or in the computer

context with third parties.

          It requires different levels of process and

different showings depending on how sensitive or how

private that information is.    So if we’re talking

about the contents of emails in transit, you need a

search warrant, you need probable cause.    If you’re

talking about certain other kinds of information, you

need something called an articulable facts order

issued by a judge.

          So there are protections Congress has

already thought about in terms of this new environment

where maybe because you’re entrusting it to a third

party, there’s not, perhaps, a constitutional

expectation of privacy, but there certainly is one in

the sense that people are entrusting these things to

third parties and have certain expectations about


          So that scheme is in place.     We obviously

need to be sensitive to that.    That’s a developing

thing, and it will continue to develop.

          PROFESSOR KERR:   Yes, to pick up some of

those questions, the only people that I know of in the

United States who talk about mandatory data retention

are privacy advocates who say the government might be

in favor of it, and we need to watch out for it.

          If you talk to anybody in the Justice

Department or anybody in the government, they’re

against it.   So I don’t think it’s really even on the

table.    I don’t think anyone’s behind it; it’s just

dead.    Currently the laws allow the government to send

a request that requires the ISP to maintain records

that are already created, basically don’t delete

orders.   In effect, the request says, “If you normally

delete this information, don’t delete it now, because

we’re coming soon with a court order.”   It has to be

in those circumstances where the government is

actually coming soon with a court order.   That’s the

current regime in the U.S.    I think it works pretty

well.    I don’t think there’s any support at all for

mandatory data retention really from any corner of the

debate in this issue in the United States.

            As for the broader issue of third party

records, you’re exactly right, which is exactly why

Congress passed the Electronic Communications Privacy

Act back in 1986.   What’s ironic about some of these

issues is here Congress was way ahead of the curve.

They passed ECPA when I was in high school.   That was

only three years ago actually.

            Congress, and in particular Senator Leahy

and several others, were way ahead of the curve and

passed a pretty good framework of laws long before

anyone really thought through these issues.      So to

some extent we’re sort of grappling and realizing that

there are problems now, which Congress recognized a

long time ago.   It’s a rare case, I think, where

Congress was ahead of the curve, not behind it.

           The PATRIOT Act fiddled with some of the

standards but really didn’t change the framework from

1986.   I think that framework will probably be around

for quite a long time.

           PROFESSOR AVIRAM:     Next, please.

           MR. FOREMAN:   I’m Frank Foreman, U.S.

Department of Education, and my question is how bad

can cybercrime get?   I can think of several things

that I’d be afraid of.    There’s an electromagnetic

pulse that puts you behind the dark angel.       There’s

the physical destruction of the internet backbone.

There’s messing up the world’s banking systems.

There’s stealing military secrets.     Finally, there’s

the one I fear the most, which is some virus will eat

up the world’s hard drives.      The question is how bad

can cybercrime get?

             MR. MEEK:   Can I answer this question and

then throw it to Chris, because I’d like to sort of

advance the question a little bit?      I don’t think

personally that we have seen anything compared to

what’s possible.    I don’t think we’ve seen the worst.

I’m not going to say we’re going to see the worst, but

what we have seen barely scratches the surface of what

is possible.    I think maybe Chris can paint some


             Here’s where I’d actually like to ask Chris

a question.    One thing that’s talked about an awful

lot is cyber terrorism.     I would like to know, at this

stage of the game, how the government defines cyber-

terrorism and whether or not you all really think that

there are cyber-terrorists out there?

             In reporting on this over the years, I have

not found a whole lot of evidence.      There are foreign

governments that have cyber-attack units.      There are

people who specialize in information warfare.      The

Chinese get talked about a lot.      But there is no Osama

bin Laden of cyberspace yet.       There may be one day,

but as of now, there is no personality or terrorist

group that is known to be on the internet committing

terrorist acts, like, for instance, shutting down air

traffic control somewhere and causing planes to fly

into each other.   So I’d be curious to see where the

government stands on this at this point.

          MR. PAINTER:    Well, I guess one thing is

that I think it becomes clear as we become more

dependent on information systems for everything, from

control systems for dams to just communication,

banking, everything else, that creates necessarily a

system that can be attacked, just like any other

system can be attacked, and creates vulnerabilities.

          How bad can it get?     I would think it could

get pretty bad.    If someone attacked what are called

SCADA control systems that control dams or other

critical infrastructures, that could get pretty bad,

that could be a real attack.     If they were able to

attack critical systems like airport systems or

banking systems, that could get pretty bad.

          Could they do it here?     Could they do it

internationally?   That’s all possible.   The response

to that has been a recognition that law enforcement

has an important role in this, in trying to attribute

the conduct and make sure there are consequences and

determine for these attacks.     But that’s not the only

answer.    You have to combine strong response and

attribution with prevention. We need to do things like

the draft national strategy talked about to actually

harden systems and have people really think about

security in a disciplined way.

            That dovetails into what I think your

question is.    Do we see cyber-terrorists?   The way I

look at cyber-terrorism is this: It doesn’t matter who

the actor is.   For cyber-terrorism I look at the

results.   If someone opens up a dam and floods a

valley, I don’t care if it was a 12-year-old, or

someone who is “the Osama bin Laden of cyber-

terrorism” - the result is the same.    The result is

still a lot of destruction or disruption of services.

Those things need to be taken seriously.

            I think Orin said that we don’t know in the

beginning of a case who is responsible.    We don’t know

if it’s a “cyber-terrorist” or if it’s a very talented

14-year-old.   We have to take those cases seriously

and investigate them.

            So it’s not so much defining a class of

cyber-terrorists, but trying to make sure those

horrible things don’t happen by hardening the systems

and working to make sure we can make those people who

do those things responsible.

            MR. MEEK:   Well it hasn’t happened, so

somebody must be doing something right.    But terrorism

has always had a fairly specific definition.

            MR. PAINTER:   Let me add one other thing to

that.   I think that even within the PATRIOT Act -- you

mention that the PATRIOT Act had made certain kinds of

cybercrime terrorist offenses but for very limited

purposes, only for supervised release conditions and

some other things.

            There’s another side to that which is that

everyone uses the internet to communicate and to plan.

Terrorists do that too.    I think that’s going to

continue.   Will terrorists develop the ability maybe

to couple physical attacks with disruption of command

and control and communications systems?    Perhaps,

that’s not an unforeseeable consequence.     So those

things, I think, could happen.    That’s another reason

why we need to take these crimes seriously.

           PROFESSOR CLIFFORD:   Can I make a comment,

too, just quickly?

           PROFESSOR AVIRAM:    Yes, please, Ralph.

           PROFESSOR CLIFFORD:   This is just dealing

with the basis of the internet itself.    I think the

internet is incredibly robust.    It wasn’t designed to

survive nuclear attack, which is sort of a common

misconception, but it has that effect.    The only way

to destroy the internet is to take down every single

node on the internet.   As long as there are two of

them there, the internet is still functioning at some

level.   So the internet itself is robust.

           The fundamental flaw of some uses of the

internet is that it assumes that the internet at some

point in the future will be secure.    The internet, by

definition, is a system that runs on trust.    Every

node is supposed to be able to trust every other node.

As a consequence, if you have a bad actor node out

there, or someone who has turned a node into a bad

actor, it makes the processing that goes on the

internet extremely vulnerable.

          So I think from a policy perspective what

has to be recognized is although it’s certainly

cheapest to use the internet for your communication,

there are some systems that are so critical --

aircraft control, dams, the power grid -- there are

some things that are so critical to people surviving,

that they should not use the internet.      They should go

to private communications.

          MR. PAINTER:    Let me just add, there are

many government and other critical systems that are --

they say the best security is six inches of air.

They’re really separated from those kind of


          PROFESSOR AVIRAM:       Over there, to the left,

and then the last question will be to the right.

          MR. HEFFNER:    Allen Heffner, I’m with a

company called Issue Dynamics, a public affairs and

internet strategy company.    I was going to ask

Christopher Painter the question first, then I guess

open it up.    Chris, you’re the government

representative, so I figure you know everything and of

course can tell us more possibly from that


          The question is just a first order question

about the scope of the problem, which really wasn’t

addressed at all.   I was hoping maybe you could shed

some light on that.   You’ve talked a lot about

cybercrime, and I’m throwing everything under the

umbrella of fraud and denial of service and viruses

and child porn and cyber terrorism.   Can you give us

some idea of the scope of the problem?    We hear about

an exponential growth over time.   I’m interested in

what kind of data do you have that you can actually

shed some light to show us what kind of exponential

growth there’s been in these various corridors?

          I guess the second question is who really

tracks this information and keeps it?     Is it kept at a

jurisdictional level, at a prosecutorial level where

the crime is committed?   As we know, it’s committed

all over the place.   How is it shared?

          MR. PAINTER:    Well, as far as what the scope

of the problem is you’re right.    Much of the sort of

analysis ends up being anecdotal.   It’s based in part

on the growth of the internet and the users on the

internet and the reports we get of various kinds of


           The scope of the problem can be defined in

so many different ways.   I think there’s a difference

between new cyber-crimes and the traditional crimes

committed over the internet, which I think almost all

of them are now.   I think if you go down to West

Virginia where they have the Internet Fraud Complaint

Center, who gathers complaints from people,

traditionally just on internet fraud but now it’s

expanding to many other kinds of crimes as well, they

show just those limited referrals have been

explosively increasing.   The FTC site that deals with

various kinds of fraud echoes that trail.

           Hacking is a little harder to track, but

we’ve seen through our network of prosecutors around

the country, just on the Federal level, a lot more

cases, and the states have seen a lot more of these

too.   That’s why the states and the attorney generals’

offices around the country have been looking at it

more seriously.

          You’re right, though, that traditionally

we’ve had a problem in actually having kind of some

good statistical survey of this case.   The one that is

most used, and it’s not a scientific survey, it’s a

Computer Security Institute FBI study that comes out

of San Francisco and has for the last, I think, six

years tracked approximately 500 respondents and looked

at trends in cybercrime -- insiders versus outsiders,

type of attacks, why or why they don’t report to law

enforcement, et cetera -- and that’s very helpful to

look at trends.

          You can also look at the statistics at the

Department of Justice, at the individual U.S.

Attorneys’ offices, at the FBI, the Secret Service who

do talk about the number of cases opened, et cetera.

But those are not complete.

          One thing the Department of Justice is doing

is it is looking at putting together a much more

robust statistical survey, which will be rolled out I

think fairly soon and take place over a number of

years, where we can really get a handle on that kind

of statistical information that you mention.

          PROFESSOR AVIRAM:     Okay, last question,

right there.

          MR. ICHOR:   Thank you.   I have a question

about the definition, scope, and perhaps why the

analogy of cybercrime is being used as its own entity.

To help frame the question, I’d like to pose a couple

of hypotheticals.

          If I go to this utility on Gallows Road in

Fairfax, Virginia, just north of 29, just south of 50

and cut the big bundle of fiber that feeds the Bell

Atlantic CLAC, Verizon CLAC, and disconnect most of

Northern Virginia from the rest of the world, is that

a cybercrime?

          If I go to the facility out in Tyson’s

[Corner], which is a major internet peering point and

cut one of the big fiber bundles that’s very nicely

marked in the garage, with a pair of bolt cutters, is

that a cybercrime?

          If in the case of private infrastructure, as

someone had mentioned, that’s riding on the same

infrastructure, it might not be the public shared

infrastructure as we think of it in terms of internet

protocol VPNs.    If I disrupt all of this, is that a


             If I blow up the building -- I mean, at what

point does it stop being a cybercrime, does it become

something else, and at what point do we just need a

new analogy for what determines a crime, because we’re

just changing the venue, not necessarily what it is

that we’re doing.

             And I realize I didn’t introduce myself; I

apologize.    My name is Joshua Ichor.   I’m an

information security specialist.     Thank you.

             PROFESSOR KERR:   I’d like to take this one.

The question of what is a cybercrime versus a non-

cybercrime, I don’t think it’s the right question in

the sense that it’s not like there’s a statute that

says the government can prosecute cybercrimes but not

non-cybercrimes or vice versa.      I think the question

is ultimately what is the criminal conduct?       What fits

the element of some criminal statute that a

legislature passed?

             You might have a statute that prohibits

intentional destruction of property, intentional

interruption of service of a telecommunications

device, something like that.     Basically the way the

laws divide is there are traditional crimes, which can

cover both internet versions of the traditional crimes

or physical world versions.      So possession of child

pornography, the laws apply equally whether it’s a

magazine or a digital image.

           Then there are computer specific crimes,

sort of attacks against computers, such as 18 U.S.C.

1030, the Computer Fraud and Abuse Act, intentionally

accessing a computer without authorization, causing

damage to a computer, that sort of thing.

           So ultimately the question is what fits

within these criminal statutes, and I think it’s

important not to get too hung up on defining what is a

cybercrime versus not a cybercrime.

           MR. PAINTER:   I would completely agree with

Orin.   Of the Federal statutes, only the computer

crime and abuse statute, which deals with hacking and

viruses, really is sort of a core cybercrime.     Every

other kind of conduct committed over computer networks

still is prosecuted under those traditional statutes.

            When you attack something by cutting it off,

that may be destruction of property.      It’s not a

cybercrime.   It’s important, though, because when we

look at things like the national strategy to protect

cyberspace, the draft, and other things like that,

they look at it not just in terms of the cybercrime

element, but also in terms of protecting cyber

infrastructures from physical attacks.      So there is

some confluence there.   When we talk about cybercrime,

we’re really talking more about the heartland of

attacks on cyber systems.

            PROFESSOR AVIRAM:     Do any of the other

panelists want to respond?

            PROFESSOR CLIFFORD:    I can respond with an

old joke.   How many programmers does it take to change

a light bulb?   The answer is none, because that’s a

software problem.   In my mind, a lot of the definition

of cyberspace is that you’re dealing in the software

world as opposed to hardware world.      To a certain

extent, if you can touch it, it’s not cyberspace.

            Similarly on a lot of your hypotheticals,

because you’re destroying things that I can touch, in

my own mind - not that it has any practical difference

in terms of the real world - in my own mind those are

not cybercrimes.   Those are regular crimes.

          If you used a computer program to achieve

the same result by taking down the software that’s

running on one of these hardware nodes, in my mind I

would define that as a cybercrime.

          PROFESSOR AVIRAM:     Thank you.   We have to

conclude, at this point, the first panel.     We’ve had a

very stimulating conversation.    I’d like to thank all

of our panelists, James Meek, Orin Kerr, Chris

Painter, and Ralph Clifford, for a terrific



       A Luncheon Address

                   by the

    Honorable John Malcolm,

United States Department of Justice

             11:15 a.m. - 12:45 p.m.
                October 3, 2002
      George Mason University School of Law
                Fairfax, Virginia

                  THE FEDERALIST SOCIETY


                                                   11:15 a.m.

            MR. REUTER:   I think we’re all ready to get

started.    I am pleased today, as we resume with our

luncheon speaker, to introduce John Malcolm, who is

the Deputy Assistant Attorney General in the Criminal

Division at the U.S. Department of Justice.

            I have known John for a few years now.        It’s

good to have him here today.       It’s even better to have

somebody of his talents and demeanor back in

Government service.   He’s an honors graduate at

Columbia College and Harvard Law School.       He has a

distinguished, if not yet long, career.       He has

clerked in both the U.S. District Court for the

Northern District of Georgia and the 11th Circuit Court

of Appeals.   He’s been an Assistant U.S. Attorney in

Atlanta.    He’s also been an Associate Independent

Counsel in Washington, D.C.        He’s been a partner at a

law firm in Atlanta that bears his name, Malcolm and


            So without further ado, I give you John


            MR. MALCOLM:   First of all I’d like to

extend apologies on behalf of Larry Thompson.    Larry

got called up to the Hill to testify at the last

minute.    I’m in no way, shape, or form seeking to deny

or denigrate Congress’s legitimate oversight

responsibilities, but I feel safe in terms of saying

that I think Larry would probably prefer to be here if

he had a choice.

            I’m also going to do something a little bit

unusual.    I’m, of course, speaking on a panel this

afternoon, so you get the unmitigated joy of hearing

me twice.   I got called a couple of days ago by Dean

saying "Look, Larry’s had this conflict come up, do

you mind speaking?"   I said, "No problem at all."

            I wrote up this great presentation about the

U.S.A. PATRIOT Act figuring okay, this is a good cyber

crowd.    I sent it over to my good friend, Chris

Painter, who read this and said "You absolutely can’t

give this, because everything you’re going to be

saying this afternoon at lunch, we’re going to be

saying during the first panel."

             In part he’s right.    So I have actually got

something unusual.    I have two speeches.     I’m going to

get a quick show of hands.    I’m not going to bother

counting.    I’d like to get sort of a general consensus

or else I’m just going to pick one.        You can hear a

speech about the U.S.A. PATRIOT Act in which you will

hear some repetition, mostly about hacker trespass, or

you can hear a speech about something totally

different, dealing with enemy combatants and closed

immigration hearings, obviously topics that have been

talked about a lot as of late, but having very little

to do with the cyber world.

             By the way, afterwards I am happy to answer

questions.    There were a lot of topics I could have

talked about:    FBI guidelines, special administrative

measures, and I’m happy to stick my foot in my mouth

on all manner of topics, so I have no problem with

people asking me questions.

             So, before I begin, let me ask you, who

would like to hear about the detention of enemy

combatants and closed public hearings on immigration

matters?    Hold them up high.     Okay.

           Who would like to hear U.S.A. PATRIOT Act?

Okay.   It looks like I can proceed to give the second.

           I will try not to repeat too much of what

you heard this morning.   It was an excellent panel; I

should have anticipated that they would cover some of

these matters.

           The debate about how to strike a proper

balance between cherished privacy rights and the

legitimate needs of law enforcement and the

intelligence community is not a new one.   This debate,

however, has grown more vigorous and more vociferous

and, of course, increasingly more important since the

shocking and unprovoked attacks on the World Trade

Center and the Pentagon on September 11th of 2001.

           Although it is vitally important that we do

everything we can to pursue and apprehend terrorists,

I do not believe that, at least as it pertains to the

Electronic Surveillance provisions, the U.S.A. PATRIOT

Act signals some kind of fundamental shift between

online privacy and Governmental power.

           There are those who believe that with

respect to many aspects of the war on terrorism and

also with respect to the surveillance provisions in

the U.S.A. PATRIOT Act, the pendulum has swung way too

far in terms of denigrating privacy rights at the

expense of law enforcement and intelligence gathering.

In fact, I think there are those people out there who

think that the Department of Justice is essentially

acting like some voracious PacMan that’s running

around and swallowing civil liberties at every turn.

            Still there are others who believe that the

Government ought to be given even greater tools to

protect the public from further harm.   It is certainly

true that the public at large expects us to use, in an

appropriate manner, all of the tools that are in our

arsenal, including those set forth in the U.S.A.

PATRIOT Act to prevent additional attacks and to bring

to justice those who were and are responsible for

plotting against us.   And, speaking, at least from the

perspective of the Department of Justice, I believe

that we are doing just that, and I’m unapologetic

about it.

            We recognize though that while desirous of

feeling safe and secure, Americans are extremely

reluctant, as they should be, to give up their

privacy.   Many are understandably on guard against

what they perceive as Governmental overreaching at

this time of crisis.    This backdrop frames much of the

debate about security versus freedom and explains much

of the controversy that continues to surround the

U.S.A. PATRIOT Act, and I assume will be surrounding

it for years to come.

           This is an important debate that is healthy

for a free society which is governed by the rule of

law.   The Department of Justice has not abandoned the

rule of law; we embrace the rule of law.   I applaud

all of those attorneys out there in privacy groups

that are challenging government actions.   These issues

are being trumpeted in the public and talked about in

front of Congress and talked about in the courts.

That’s good; that’s the way it ought to be.

           I believe, however, that in terms of

advancing this debate, there has been a lot of

misinformation and hyperbole about the scope of change

brought about by the U.S.A. PATRIOT Act.   In addition,

there are provisions of the U.S.A. PATRIOT Act that in

fact protect and extend civil liberties, including

increased civil penalties for improper disclosure of

surveillance information and new reporting

requirements when the government installs its own pen

trap device such as DCS-1000, which of course was

originally referred to as Carnivore.   I suspect that

the person who originally named it Carnivore is one of

those people who, as a previous speaker suggested, is

now in the private sector.    A lot of these privacy

enhancing provisions have been roundly ignored by the


          While there are those who contend that the

U.S.A. PATRIOT Act has dramatically expanded the

powers of law enforcement, I would contend that in

fact it is a very measured piece of legislation.    I’d

like to begin with a brief overview of the PATRIOT Act

and then discuss a couple of its more controversial

provisions, specifically the pen register and trap and

trace statute and its application to the Internet, and

the computer trespasser exception, which Chris Painter

talked about a little bit.

          The U.S.A. PATRIOT Act provides the law

enforcement and intelligence communities with new

tools and resources to prevent terrorist acts and to

apprehend and punish the perpetrators of such acts.

Two fundamental objectives animate its provisions.

First, to increase our surveillance capacities with

respect to criminals and terrorist networks.   Second,

to enhance our abilities to swiftly track down and

apprehend criminals and terrorists, hopefully before

they act.

            Now regarding the Internet and other

electronic communications, the Act expands existing

provisions that permit law enforcement, with

appropriate judicial oversight, to intercept and

access communications.

            The U.S.A. PATRIOT Act accomplishes many of

its objectives by updating surveillance laws to

account for changes in technologies that have occurred

over the intervening years, such as the increased

usage of emails, the Internet, and cell phones by both

cyber criminals and by terrorists.   In this way it

updates the law by making it technology neutral.

            Just because new technologies have emerged,

should that mean that criminals now have some new ways

to thwart legitimate law enforcement activities?    By

means of the U.S.A. PATRIOT Act Congress has declared

that cyberspace should not be a safe haven for cyber

criminals, terrorists, and others who are bent on

committing criminal activity.   By the same token, the

same privacy protections that were afforded to users

of the telephone during its heyday, have for the most

part been extended to these new technologies, too.

          Now as I previously mentioned, one of the

more controversial provisions of the PATRIOT Act

involves the application of the pen register and trap

and trace statute to the Internet.    Congress enacted

the pen register and trap and trace statute in 1986,

and it requires the Government to seek a court order

for so-called pen trap information.

          Now in rough terms, a pen register records

outgoing addressing information, and a trap and trace

device records incoming information.   For the

telephone a pen register would record the numbers

dialed from a telephone, and a trap and trace device

would record all the incoming numbers.

          In 1979 the Supreme Court ruled that in the

telephone context there was no reasonable expectation

of privacy in this sort of non-content information,

because it was shared by the user with communication

service providers.   This means that from a

constitutional perspective there was no court order

necessary in order for law enforcement to compel

production of this information.

          When Congress enacted the pen trap statute,

thereby providing statutory protections that were not

afforded by the constitution, it did not anticipate

the new communication technologies which we have

today, such as the Internet.       Indeed, some of the

language that Congress drafted in the original pen

trap statute appeared to relate to the telephone only.

For instance, it defined pen registers in terms of

numbers dialed.

          The PATRIOT Act updates the pen trap

statute’s language to make it tech-neutral, as it now

applies more generally to dialing, routing, signaling,

or addressing information.    It also makes explicit

that which had previously been implicit and

constitutionally based, a distinction between content

and non-content.

             Thus, the pen trap statute now unambiguously

applies to Internet communications, which could be

interpreted, by the way, as another extension of civil

liberties.    If something wasn’t constitutionally based

and the original statute didn’t apply, arguably law

enforcement didn’t need any kind of a court order in

order to get this information.     Now the pen trap

statute clearly applies to the Internet.    Clearly you

have to get a court order.

             However, the pen trap statute’s new language

does not constitute a significant expansion of

Government power.    In fact it’s hardly an expansion at

all.    Prior to the U.S.A. PATRIOT Act, the Government

was already using the pen trap statute, adopted almost

universally by every court to consider the issue, in

order to get non-content information in many

jurisdictions.    The PATRIOT Act has simply confirmed

that this was a proper course of action.

             Consider, for example, the case of James

Kopp.   You may recall that he was indicted for the

murder of Dr. Barnett Slepian, who was an abortion

doctor in East Amherst, New York.    Mr. Kopp, who was

wanted by law enforcement officials, communicated with

his cohorts through a shared Yahoo account.    To avoid

sending emails, they left messages for each other in

the account’s drafts box, which they then accessed

through the Internet.

           Federal prosecutors sought a trap and trace

device in order to get information concerning the IP

addresses from which the account had been accessed.

Through that information, Mr. Kopp was traced to

France, and he was arrested.     This happened in

February of 2001, during the very early days of the

Bush Administration, long before the events of

September 11th and long before the enactment of the

U.S.A. PATRIOT Act.   Mr. Kopp has been extradited

here.   He is now awaiting trial.

           Next let’s consider the U.S.A. PATRIOT Act’s

computer trespasser exception, also known, as Chris

Painter already told you, as the hacker trespass

exception to the Wire Tap Act.    This provision

generated a surprising amount of opposition.    A good

portion of that resistance, I believe, comes from

people who simply don’t understand what it is.

           For example, there was one senator during

the debate who said that the hacker trespass exception

could be used to monitor the emails of an employee who

has used her computer at work to shop for Christmas

gifts.   This is simply untrue.

           All right, so what is the computer

trespasser exception?   To explain, I’d like to give a

very brief overview of the Wire Tap Act, which

provides the statutory framework governing real time

electronic surveillance of the contents of


           The structure of the Wire Tap Act is

surprisingly simple.    The statute’s drafters assumed

that every private communication could be modeled as

a two-way connection between two participating parties,

such as a telephone call between Person A and Person

B.   The statute prohibits a third party, such as the

government, from intercepting private communications

between those parties using an electronic, mechanical,

or other device absent a court order, unless one of

several statutory exceptions applies.

          Now under this general framework, as it

applied prior to the PATRIOT Act, the communications

of network intruders, which may be routed through a

whole series of compromised computers, could be

protected by the Wire Tap Act from interception by the

government or any other third party.    The PATRIOT Act

simply enacted another exception to that rule.

          The computer trespasser exception allows

victims of computer attacks to authorize law

enforcement to intercept the wire or electronic

communications of a computer trespasser.    It includes

several significant limitations which ensure that it

does not expand beyond its core function.

          First, the owner or operator of the computer

has to authorize the interception of the trespasser’s

communications.   More importantly, the interception

cannot acquire any communications other than those

that are transmitted to or from the computer


          Finally, the exception may not be used when

the party that’s going to be monitored has an existing

contractual relationship with the owner or operator of

the computer.    They may be going beyond the extent of

that authorization, that contractual limitation, but

if they have an existing contract, they are not an

outside hacker.    Therefore, an entity’s legitimate

customers and employees can’t be monitored under this

exception.    In sum, the statute was crafted carefully

to ensure that the government is only monitoring

outside trespassers.

             Now, although narrowly confined in scope,

the computer trespasser exception is a significant new

tool for law enforcement.    For example, weekly we read

about successful distributed denial of service attacks

on computer systems all around the country.    Typically

these attacks are channeled through zombie computers

that have been compromised and which are owned by

innocent third parties.

             The computer trespasser exception gives law

enforcement the ability, with the consent of that

innocent third party, to monitor the communications

through their computers.    Now some have criticized the

computer trespasser exception as somehow restricting

the judicial role in investigations.   You’ve heard a

lot about that.

          It’s true that without this exception, law

enforcement would have to make a probable cause

showing before a magistrate before intercepting a

hacker’s communications.    However, I believe that the

hacker trespass exception again strikes an appropriate

balance between privacy and law enforcement.

          When a citizen finds a burglar in his

basement in the middle of the night, he wants to

protect his family, find out who this person is, and

why that person is there.   When that citizen calls the

police, he wants and deserves immediate action.    By

being able to act immediately, the odds of the police

catching the burglar before real harm occurs goes up


          When the law enforcement officer gets that

call, he has no need to wake up a prosecutor or judge

in the middle of the night in order to get a warrant.

The burglar has no right to and no reasonable

expectation of privacy to prowl in the middle of the

night in someone else’s basement.   The same is true in

the online world.

             A computer hacker who is acting without

authorization has no right to and no reasonable

expectation of privacy in rooting around in somebody

else’s computer system.    Just as there was no need in

the real world example to wake up a prosecutor and a

judge, there should be no need for a prosecutor and a

judge in the online example.       There is no legitimate

privacy expectation that would be served by requiring

a court order and judicial oversight in this


             Moreover, just as it’s impossible to tell

who’s in the basement, when a computer hacker enters

into a sensitive network, it’s impossible to tell

whether that hacker is a script kiddie who wants to do

something malicious, root around, maybe deface a

page, or something like that, or whether we are

talking about somebody who is a serious cyber

criminal, or a cyber terrorist, who is plotting an

attack, who is trying to get valuable critical

infrastructure information to create a threat to life

and limb.

           Under these circumstances, time is of the

essence.   By being able to act immediately, the

chances of finding out who that hacker is, what that

hacker wants to do, and catching that hacker increase

immeasurably to prevent real harm both to the

immediate victim and also possibly to others who might

be harmed by that intrusion.

           In conclusion, I want to say that I think

it’s entirely appropriate following September 11th to

ask questions about the balance that has been struck

between privacy and law enforcement and security. It’s

entirely proper to ask such questions.   I think it’s


           However, I think the U.S.A. PATRIOT Act

demonstrates that, at least in the Internet context,

what was needed was simply a tune-up.    It wasn’t a

major overhaul.   Congress updated the statute to

accommodate for new technologies and new situations.

It did so in a manner which remains faithful to old

principles and long-standing constitutional doctrines.

           The debate about privacy versus security is

not likely to end any time soon.   These are difficult

times, and difficult questions that we face.       Nobody

should claim to have all the right answers, because

none of us is omniscient.      It is entirely appropriate

that we have debates like this in symposiums, in

courts of law, and within the Executive Branch and

also in our dealings with the Legislative Branch.

             Obviously there is going to be oversight.      A

lot of these provisions are sun-setted.       We have

people like Larry Thompson who go up to the Hill on a

regular basis to report on these things.       There is

judicial oversight.       We’ll see where this goes.

             Thanks for inviting me.    I’ll be happy to

take your questions.

             MR. CLARK:    Thanks.   Drew Clark, National

Journalist Tech Daily.      I guess I’ve got a number of

questions, but I'm trying to limit them.

             MR. MALCOLM:    No, go ahead.

             MR. CLARK:    At presentations such as this

it’s natural that the Justice Department would want to

put the most favorable interpretation of legislation

on the table, and you have done that and I appreciate

your tone.    I just must ask, all of the things that

you didn’t mention, the things such as the secret

searches that are now enabled and not sun-setted.       For

example, I guess the most important piece about which

I’d really be interested in your reaction, is the

changes to the Foreign Intelligence Surveillance Act,

and how that opens the door to new expansive searches

of individual citizens without probable cause to

believe they have committed any crime whatsoever, and

indeed the opening up of third-party and educational

records under the FISA provisions that are now


            MR. MALCOLM:   I’ve got to write down the

ones you’ve asked me about.    Hold on a second.   Go


            MR. CLARK:   Yes, there are some privacy

provisions as you point out in the statute, but I

guess I feel compelled to point out each of those

provisions you mentioned were the result of a

legislative compromise that was not originally

proposed by the Justice Department.    The Carnivore

reporting was Mr. Armey’s insistence. Changes to the

computer trespassing were narrowed because of Senator

Leahy’s objections.    So I guess I raise that to point

out that yes, it’s notable as you point out, it’s

important to have this debate, but these weren’t

suggestions the Justice Department came forward with.

They were only added at the insistence of Congress.

          So any reactions to those points that I’ve


          MR. MALCOLM:    I’ll react to all of them.

I’ll take your last one first.    We live in a system of

checks and balances.   That’s great.   We have two major

parties, multiple other parties, three branches of

Government -- Federal system and the state system --

and they’re all supposed to be questioning each other.

They’re all supposed to be looking at each other.

Things are often a series of compromises.

          If you were to look at the Administration’s

original bill, there may be certain provisions that

you thought were way over the line.    I certainly think

there were good justifications to support all of those

provisions.   Did they get compromised?   Sure.   Did

they get weakened in some instances?   Probably.   Did

they get strengthened in some instances?    Probably.

Did some ideas originate within the government?    Yes.

Did some ideas originate within Congress?   Yes.   Did

some ideas originate within privacy groups?   Yes.

That’s good.

          I don’t think, though, that it’s an accurate

characterization to say that after September 11th, the

U.S.A. PATRIOT Act was drafted by the government as

some kind of Christmas tree that was going to go and

steam roll across the country as a complete wish list

of Government actions.   I think that it was tempered

by Congress as it deemed appropriate.    That’s the way

our system operates, and I see nothing wrong with that

at all.

          I don’t think it’s accurate to somehow say

"Well, had it been up to the Executive Branch, the

Constitution would have somehow been done away with,

and it’s only Congress that saved it."   I think there

was a lot of give and take in the PATRIOT Act.

          With respect to so-called sneak and peek

searches, the idea that you can go in with a court

order, not knock and announce your presence, but go in

secretly, search for something, or implant a device,

is not terribly new.

           There are Title III orders (Title III has

been around for a long time), for instance, in which

you get a court order to go in and plant a bug, say to

go plant a bug in a mobster meeting room, that takes

place under cover of darkness.    People don’t know that

an agent has been there.    They don’t know an agent has

left.   Hopefully they don’t find the evidence that

indicates that an agent has been there.

           All this does is apply this mode of

operation to the search context. Sneak and peeks have

been done in the drug area for a long time.   So I

think this is really a clearer codification of what

was existing all along.    I don’t think that there’s

anything particularly novel about that.   A lot of

times you need to go in somewhere where a crime has

occurred or is being plotted and get the best

information that you can.   But it’s not an appropriate

time to bring down an investigation.   You want to

develop leads.   There’s judicial oversight there.

           It’s not as if United States Government

agents are knocking on the door or breaking in at

night without any kind of oversight.    All of these

situations involve going in front of a judge and

saying why you believe evidence is there and why you

believe you need to get in there, and why there is a

need to do this secretly and not to leave a sign, a

calling card, that you’ve been there.    So there’s

appropriate judicial oversight to that, and I don’t

think that it’s a particularly new law.

             With respect to the FISA Court changes, I

assume you are talking about the balance between law

enforcement and the intel community -- to those of you

who may not know what we’re talking about, and of

course if you were referring to something else, let me

know -- the FISA Court is the Foreign Intelligence

Surveillance Court.    It’s a special court that sits

within the Department of Justice that enters orders in

cases involving -- not necessarily terrorists, it can

involve terrorists    -- but it can also involve

espionage.    It involves foreign powers and agents of

foreign powers conducting something of interest to the

intelligence community.

             The FISA Court orders do not have a lesser

showing to make; they have a different showing to make

than one would have to make before a judge in a

criminal case in which you need to show probable cause

that a crime has occurred and probable cause to

believe that evidence is in a particular location.

             The FISA Court rules, which are set forth in

the Foreign Intelligence Surveillance Act, had a

provision that said that if you got a FISA Court order

with this sort of surveillance by a FISA Court judge,

that the primary purpose had to be for intelligence

gathering. It didn’t say that there couldn’t be some

correlative law enforcement purpose, but that the

primary purpose for the order was for intelligence

gathering.    It was designed to separate the intel side

of the house from the law enforcement side of the


             The showing that had to be made had less to

do with whether or not there was a crime being

committed.    Frankly, some of the stuff may or may not

be a crime, but you’re going to gather intelligence to

see whether or not somebody is harming our national

interest, that is the showing that you had to make by

probable cause was that there was a foreign agent

involved or a foreign country involved or an agent of

a foreign power.    So you still had a showing to make,

and there was still a judge there who determined that.

             The FISA Court statute has been amended to

change the word primary to significant. The law

enforcement and the intelligence community have always

worked to some degree together in the FISA Court

context. However, you could now have a situation in

which a law enforcement objective is the primary

reason to go to a FISA Court, and regarding the

intelligence aspect of things, there’s a significant

purpose for it.    It doesn’t have to be the primary

reason.   There are a lot of people who are very

concerned about a weakening of this wall of separation

between the intel community and the law enforcement


             There’s only so much that I can say about

it, because the matter is currently in litigation

before the FISA Court Appeal Board.    For the first

time in the history of the statute such an appeal has

been taken, and there was a court order issued by the

FISA Court questioning the legitimacy of this change.

I guess my response is (1) it’s a change that Congress

made; and (2) this was not hidden.      The purpose for

this, at the time that Congress considered it, was all

within the Congressional record.      I suppose the major

reason to justify this change is because the lines in

the terrorism context and the times we’re facing now

between law enforcement and intelligence gathering

have largely blurred.   They’ve blurred for several

reasons.   One, we had a shocking revelation that there

were intelligence failures prior to September 11th.

There are people out there now who are saying "Why

didn’t you connect the dots?       There were signs out

there that you should have read, and if you had read

them, disaster might have been averted."      Well, I

don’t know whether there were enough dots out there in

order to avert a disaster.    That’s one of those

unknowable questions.

           However, it is true that we need to do a

better job about connecting dots.      We’ve literally had

situations, in which the intel community was gathering

information about potential terrorist attacks, which

of course involves criminal acts as well, and you had

the criminal law enforcement community within the

context of grand jury proceedings, which are secret

proceedings, gathering information about criminal

activity that could implicate a terrorist attack.        The

two sides weren’t talking to each other.

             We need to find a way to get them talking to

each other.    In addition to that, the lines are

blurred because people now realize that law

enforcement, stopping people and arresting people, can

be a legitimate tool in intelligence collection in the

same way that intelligence collection can be a

legitimate tool to aid law enforcement.      It is a

change.   I don’t think it’s a dramatic change.     It’s a

change of emphasis.       The matter is in litigation.

Those are the reasons for the change.      You can agree

or disagree with them.

             I believe you also talked about records

searches.    I assume that mostly what you are concerned

about are library searches.      Is that fair?

             MR. CLARK:    Yes, but I think it’s broader

than that.

            MR. MALCOLM:   It is broader than that.     I’m

not completely familiar with all of the parameters of

this.   Please forgive me, but I will tell you what I

can tell you, which is I don’t think that there’s any

secret that after September 11th it was discovered that

a lot of these terrorists, Mohamed Atta and the lot,

did a lot of communicating in libraries on the

Internet.   They’re there; they’re accessible; you can

use them and remain relatively anonymous.      I think it

is safe to say that libraries contain useful

information for law enforcement in both criminal

investigations and terrorism investigations and also

for the intelligence community.

            There is obviously a high degree of

skepticism about law enforcement activity involving

libraries, because a lot of legitimate First Amendment

protected activity takes place in libraries:        what you

read, what you look at.     The overwhelming majority of

people who are there are there for perfectly

legitimate purposes, and it shouldn’t really be

anybody’s business what it is that they’re reading.

            I hear you.    I’m with you.   I also

understand that there is a history of FBI abuses to

some degree in that area.   There were references to

the 1960s civil rights era in which FBI agents were

keeping files on people who were engaging in First

Amendment-protected activity that was somehow

unpopular within law enforcement’s counter intel

program.   That’s part of the FBI’s history.   We don’t

want to forget the lessons of history.

           The guidelines that are in place for library

searches reflect a recognition of that history and a

wish to avoid repeating that history.    One, an FBI

agent can’t just go in and get these records.   He

again has to go to a FISA Court judge or a designated

magistrate, make the appropriate showing, and get a

court order.

           Before you ever get to a FISA Court, the FBI

guidelines in this context require approval, several

levels up the chain.   They make very clear that there

have to be legitimate law enforcement or intelligence

purposes to get this information that is not protected

by the First Amendment.   You’ve got to show that there

is some real likelihood that there’s going to be

something there showing nefarious activity that can

harm our national interest in a very serious way.

             So is that something to be watched?         Yes,

it’s something to be watched.          Should there be

oversight over that?      Yes.    But there is quite a bit

of oversight built in to the system that’s now been

changed, and let’s hope that those tools are used

appropriately and that they won’t get abused.

             MR. CLARK:   Just one follow up.

             MR. MALCOLM:   Another question, okay.

             MR. CLARK:   Why isn’t the Justice Department

responding to the House and Senate Judiciary Committee

request for information about oversight if there is

oversight, and you expressed the desire that there be

oversight?    Why aren’t you responding to those


             MR. MALCOLM:   I didn’t express the desire

that there be oversight, but I think it’s perfectly

legitimate to have oversight.          Actually, no, I think

it’s a good thing to have oversight; of course it’s a

good thing to have oversight.

             I think that’s painting with a broad brush

to say that the Department is not responding to


            MR. CLARK:   That’s not answering the


            MR. MALCOLM:   Well, wait a minute.   I think

that’s painting with a broad brush.    There are, as you

know, many, many subcommittees within Congress.      All

of the Senators and the Representatives in the House

have all been elected. They’re all important people;

they all have a right to ask for and get information.

            On the other hand, there’s a lot of work to

be done.    The Justice Department’s got a day job, too,

of catching criminals and fighting terrorism.       If

every Congressman or Congressional subcommittee is

asking for information, there’s a lot of duplication

that is going on.   Not to mention the fact that a lot

of the information that’s being requested is

classified.    There are certain subcommittees that are

set up specifically to deal with classified


            So, one, there are appropriate channels to

funnel information to Congress, appropriate

subcommittees.   Just because one subcommittee is upset

about the fact that it’s not receiving information

does not in fact mean that that information is not

being relayed to Congress.    Part one.

          Part two, there are, as you know, and this

is nothing new, legitimate disagreements of opinion

about what is producible.    Congress has its view of

Executive privilege and the President’s constitutional

prerogatives.    The Executive Branch has its view about

internal deliberation and Executive privilege material

that should not be turned over.

          It’s not unique to the area of terrorism.

You see this for instance in the fight over judges.

Ask Miguel Estrada about whether or not his memoranda

from the time that he worked in the Solicitor

General’s office ought to be turned over to the Senate

Judiciary Committee.   The Executive Branch has taken

the position, as have a number of Solicitor Generals,

both Democrat and Republican, that this is internal

deliberation material and in an Executive Branch

context and should not be producible under the

Separation of Powers Doctrine.

            The same debates though apply with respect

to intelligence and law enforcement.     I don’t think

that it’s fair to say that the Administration is

somehow sticking it to Congress.     We are working with

Congress to see to it that Congress can satisfy its

legitimate oversight activities while at the same time

doing the job of protecting our country and also

protecting the Executive Branch.     It’s not just for

this administration; it’s also for future


            MS. KAPLAN:    Hi, I’m Kathleen Kaplan from

Howard University.

            MR. MALCOLM:   Hi.

            MS. KAPLAN:    One of the things when you were

talking that came to my mind was this information

overload.   As a lowly professor at Howard, I get 50 to

100 emails a day, which is like reading a book every

single day.

            MR. MALCOLM:   Tell me about it.

            MS. KAPLAN:    So, is some of the problem just

information overload with catching these cyber

criminals and other types of criminals.     Where you get

so much information, how are you going to determine

what’s important and what’s not?

            MR. MALCOLM:   I don’t know.   I’m not 100

percent sure I know what you mean, but let me try to

tackle what I think you mean.      It’s a difficult

question.   We’re being bombarded with information.       I

have the greatest sympathy for people, for instance,

who say "Okay, we’re going to raise the level of alert

status from yellow to orange.      But they’re non-

specific threats; we can’t tell you when they’ll

occur, and we can’t tell you where they’ll occur or if

they’ll occur at all."

            What do you do in response to that?       I

understand that.   It’s difficult to process that sort

of information.    It’s a little bit, however, a

situation of (1) there are a lot of people out there

that are seeking that information who get very upset

when you don’t give it, and (2) there’s a little bit

of a damned if you do and damned if you don’t.

            If you give the information, you’re accused

of panicking the public and overloading folks.        On the

other hand, if you don’t give that sort of

information, and God forbid something does

happen...let’s face it, we live in perilous times.      We

have enemies abroad.   There are soldiers fighting now.

We have enemies within our borders, terrorist cells,

people who are bent on our destruction, living right

here within our shores.

            If you don’t give that information and

people don’t act in an extra vigilant manner and take

whatever precautions they want to take, they avoid

taking an unnecessary flight or a trip or what have

you, then they’ll say "You mean you knew that and you

didn’t tell us about it?"   It’s tough.

            We live in a time of instantaneous news.

You can get it over the Internet from any number of

channels.   You can get it on cable TV from any number

of sources.   A lot of us are news junkies.   How you

take that information and process that information, we

all struggle with that.   I get more than 50 emails a


            The public has a right to know about it.

Whether you choose to tune it out or pay attention to

it, that’s an individual choice.

          MR. FOREMAN:    Frank Foreman, U.S. Department

of Education.   Since this is the Federalist Society,

let me ask a Federalism question.   More specifically

for you, what are the sorts of things that the states

and local governments are incapable of doing?

          MR. MALCOLM:    Are capable of doing?

          MR. FOREMAN:    Capable and incapable of doing

as far as cyber crime is concerned.

          MR. MALCOLM:    Well, you can give an answer

with respect to cyber crime and with respect to all

sorts of crimes, including terrorism, including

organized crime.   States have certain advantages over

the Federal Government when it comes to law

enforcement.    The Federal Government has certain

advantages in law enforcement vis-a-vis the states.

          In terms of crimes that are taking place

within a state, there’s your local law enforcement

officer who’s going to know the business community,

those people on the ground, know the neighborhoods

where criminals are acting, be able to go out on the

street and have that day-to-day contact with folks,

and do a very effective job of rooting out crime, much

of which will be intrastate, some of which will be

interstate.   They can do so perfectly well without the

intervention of the FBI or Secret Service or DEA or

whoever, thank you very much.

          However, the Federal Government has more

resources that it can bring to bear in certain

specialized cases.   It has certain expertise that it

can bring to bear in certain cases.

          I’ll give you a good example.    It is

cybercrime and it’s not cybercrime.   It crosses into

the area that the gentleman in the back asked about

before, because it involves child porn.   Many of you

may have heard about the CandyMan case.

          The CandyMan was an email group that was

distributing child porn internationally and across

many, many states in this country.    Now if you look at

an individual group member in one particular

jurisdiction, maybe you can take the idea that "Okay,

all child porn is just bad period.    Even if there’s

only one perpetrator, we’re going to investigate it

thoroughly and we’re going to prosecute it."

          However, using that as an example, you can

have crime that is in fact broad ranging.   In any one

state the consequences may not be serious enough to

justify having the state use its local scarce

resources to fight that problem.   They may do so

because they lack the resources and don’t have the

intelligence to get the big picture and to realize

that what’s a small problem in this state is in fact a

very large organization and is affecting many, many,

many states.

            Those are the sorts of resources that the

Federal Government can bring to bear.   It can look and

say, "Well, you know, it may look like a small

problem, but it’s a small problem here, and in this

city, and in Arkansas, and in Nevada, and in Utah, and

in Maine.   When you add it all up, it’s a pretty big

problem."   We have the resources and the ability to

look at the totality of that and to really hit these

people who are perpetrating this heinous activity hard

in a way in which the locals can’t.

            Obviously there’s a big concern, which is an

entirely different debate topic near and dear to the

Federalist Society’s heart, about the Federalization

of crime.    One, from a constitutional perspective, and

two, from a resource perspective.       Federal resources

are not limitless.    They are also specialized, and you

want to make sure that they are being used to maximum

advantage.    So where do you cross that line between

Federal resources and state resources?       When do you

choose to deploy Federal resources?       A lot of the time

we work in task forces; we work in coordination with

each other.    That has to be done occasionally.

             MR. FOREMAN:   Is cybercrime substantially

different from other kinds of crime in a way, as far

as the Federal state balance would turn out?

             MR. MALCOLM:   Well, it’s substantially

different.    One, in that there tends to be more

expertise, although we’re trying to remedy that, at

the Federal level than at the state level.       Two,

people who perpetrate cybercrimes have the ability to

cast a very, very broad net.        They can perpetrate this

crime far and wide.

             Let’s take a simple example.     Your Nigerian

scam letter.    We all used to get one or two of those

letters.    It used to be that somebody had to sit in a

room, draft this letter, sign this letter, stick it in

an envelope, put on a postage stamp, and send it.

Then if it came back, they had to keep a file of who

they contacted and how much money they got and what

letter the victim had gotten in the scam.

            Now with the computer, you get these letters

all the time.   It’s easy.   You draft it up online and

you send it out all over the world.   If you get a

positive response, it goes into one database; if you

get a no, it goes into another database.

            So any criminal activity, if you use the

computer as a facilitating device, can be spread

astronomically.   Well, locally the government can’t

handle that.    It doesn’t know the scope of what’s out

there.   It doesn’t have the law enforcement tools --

maybe some states do, but by and large they don’t have

the law enforcement tools to take on that sort of

activity.   They don’t tend to have the expertise,

although we are working very closely with groups like

the National Institute of Justice to remedy that as

quickly as we can.

            I know there’s a hand back there.

           AUDIENCE MEMBER:    I have a question, I want

to go back to the oversight question that Drew was

asking.   This is really a factual question from my

ignorance, no doubt, of the PATRIOT Act.    When you

were talking about the example of the library search,

there is a perception out there, and I hope you can

counter it to assure us all, a perception of the sort

of star chamber quality to these matters.

           You mentioned there are FBI guidelines,

approval up the chain of command, but of course still

within the FBI.

           MR. MALCOLM:   Right.

           AUDIENCE MEMBER:    An application made to a

court that is, as you say, within the Justice

Department.   Who does now, is there independent focus

of those decisions?

           MR. MALCOLM:   The Court meets within the

Justice Department.   The Court is made up of Article

III judges, life tenured, nominated, confirmed by the

Senate, a separate branch of Government.    These are

not people who are in any way, shape, or form toadies

to what the Executive Branch of the Federal Government

would like to have happen.

           We live in an open society.    Unfortunately,

because of the dangers that we confront, there is

information of a very secret nature that has to remain

secret.   If you tell it to people, your sources and

methods are compromised.   What you know is going to be

out, and perhaps what is more important is what you

don’t know.   People will be able to rearrange their

plans, alter their strategies, have a greater chance

at perpetrating their crimes, or to avoid detection.

           If we’re conducting an intelligence

investigation, let’s say of a hostile government or

maybe even an ally trying to gain a competitive

advantage or to make up for a technological

deficiency.   It may be economic espionage.   If you

have that information out in the public, you’ve

completely defeated the purpose of the investigation.

           I mean no more than you would want to have

Donald Rumsfeld sitting with the Joint Chiefs of Staff

holding a public hearing and taking questions about

where they’re going to attack tomorrow.    You can’t be

in the position of telling people who are bent, in a

literal way, on destroying us where we think they’re

going to strike next.

          So what you do is try to have appropriate

oversight and make sure that due process is followed.

We try to be as open as we can.   There are times,

however, in order to protect our national security and

insure domestic tranquility, which is a constitutional

mandate, that there’s a need for secrecy.

          One more back there.

          MS. EDWARD:   My name is Abigail Edward and

I’m an Assistant State’s Attorney.   Let me just

preface my remark by saying that I understand working

in the criminal field for a very long time.   In no

arena that I have been in have I ever found the

cooperation among and between law enforcement and

prosecutors as great as in cybercrime.   It is a

remarkably cooperative experience.

          My question is a follow up to the previous

gentleman, who was asking about the Federal balance.

Do you think that that Federal balance changes as you

differently define cybercrime?    I think that the

trouble with the definition of cybercrime is that what

we term cybercrime here has been Internet crime.     If

you conclude that cybercrime also is an attack on a

computer, which is very often done by disgruntled

employees, which is a purely local matter, or could

be, it could change the federal balance dramatically

in my view.   I wonder if you have any thoughts on


            MR. MALCOLM:   Just because we have an

insider perpetrating the cybercrime doesn’t mean it's

not a Federal crime.

            MS. EDWARD:    It does not have to be, but it

could be.

            MR. MALCOLM:   With respect to many statutes,

there is concurrent jurisdiction.     I suppose state

laws vary from state to state, but a lot of times

there’s concurrent federal jurisdiction.     The

overwhelming majority of prosecutions take place at

the state and local level precisely for that reason.

There’s no need to spend scarce Federal resources

prosecuting every crime that could be prosecuted as a

Federal crime.

            There are a lot of crimes that have a

peculiarly local impact.    I would imagine that that

balance takes place at a practical, on-the-street, in-

the-office, where-prosecutors-and-law enforcement-

agents-are-meeting level.   It’s not taking place at a

more theoretical constitutional level.

          If you have an insider perpetrating the

crime, if we’re talking about a computer network, I

venture to say that all the companies that are here

today that earn their daily bread online, your

customers don’t all come from within the state.

          So if you have an insider wreaking havoc,

it’s going to have dramatic implications to people all

over the country.

          I think my time’s up.    Thank you very much.

          MR. REUTER:   Thank you, John.   We’re going

to start the next panel as soon as we can get them in

the room, so there will be no break at this point.


                  a panel on




             12:45 P.M. - 2:15 P.M.
                October 3, 2002
     George Mason University School of Law
                Fairfax, Virginia

Battling Cybercrime through International Cooperation

 Wan Kim, Republican Counsel, U.S. Senate Judiciary Committee

 David Post, Professor, Temple University School of Law

 Abraham Sofaer, Senior Fellow, The Hoover Institution

 Michael O’Neill, Associate Professor, George Mason School of Law (Moderator)


                                                   12:45 p.m.

          PROFESSOR O’NEILL:     Good afternoon.    We’d

like to welcome you to the second half of our daylong

cybercrime extravaganza.

          Our first panel this afternoon is going to

be speaking specifically about and addressing those

questions surrounding international aspects of

cybercrime and cyberterrorism.    One of the

particularly interesting features of the Internet, of

course, is that it knows no national boundaries.

Communities are largely created based on interest, not

geographical divide.   The creation of such

international communities, however, has also fostered

the growth of international crime.    Also unique, in

some respects, is that it knows no specific


          Crime, interestingly enough -- and for those

of you who are practitioners of it, either from the

defense, prosecution or participant side -- know that

crime has been largely a uniquely local phenomenon.

Indeed, the Constitution, as I mentioned this morning,

reserves the general police powers to the states and

the Sixth Amendment to the Constitution requires that

"all criminal prosecutions take place in the state and

district wherein the crime shall have been committed."

While this may have been a relatively straightforward

determination in 1791 when the Bill of Rights was

enacted, it is not quite as clear in 2002.

          Hackers from the Philippines can release

worms on the Net, taking advantage of the fact that

such conduct might not be illegal in their country.

Obscenity, long viewed as being somewhat dependent

upon community or local standards, is now proliferated

throughout the Internet.   I mentioned this morning

that the difference was not between Peoria and Times

Square, but rather between Peoria and Times Square and

Tokyo or Amsterdam or Lisbon.

          Similarly, intellectual property rights,

which enjoy vigorous protection within the United

States might not quite be as respected in the

developing world, which may have little short-term

incentive to bow to Washington’s intellectual property

rights demands.    Where do we prosecute?   Whom do we

prosecute?    Whose laws do we decide that we’re going

to use?   How do we resolve the fairly complicated

jurisdictional issues that can arise?    These are all

important questions that demand answers.    If people

feel unsafe to venture commercial transactions upon

the net, commercial ventures may wither.    If

international organized crime rings are able to make

cybercrime profitable, it may be hard to forestall


             To consider these international efforts to

combat cybercrime and terrorism, I’d like to turn to

our guests today who are particularly well versed in

this area and who should provide for a very

interesting and hopefully lively discussion.

             I’d first like to introduce Professor

Abraham Sofaer.    Professor Sofaer, who will be our

concluding speaker -- we’ll go in reverse order --

served as Legal Adviser to the U.S.

Department of State from 1985 to 1990 and was

appointed the first George P. Shultz

Distinguished Scholar and Fellow at the Hoover

Institution in 1994.

            Professor Sofaer’s work has focused on

separation of powers issues in the American system of

government, and he currently teaches a course on

Transnational Law at the Stanford

Law School.   During his distinguished career,

Professor Sofaer has been a prosecutor, a legal

educator, judge, government official and private

attorney.   Indeed, in 1979, he was appointed as a U.S.

district court judge in the Southern District of New

York.   Now, I’d like to think he gave up that august

position for an even more important position; that is,

tenure at a law school.

            He left the bench, however, to render

further service to the country as a legal counselor to

the State Department.

            Professor Sofaer was a veteran of the U.S.

Air Force, received an L.L.B. from New York

University, and holds a B.A. in history from Yeshiva.

After graduating from law school, he clerked for

Justice William Brennan.   Perhaps most importantly,

and this was key to inviting him to speak on this

particular panel, as any jazz fans in the crowd may

know, Professor Sofaer is a founding trustee of the

National Museum of Jazz in Harlem.    And it’s rumored,

apparently, that he and President Clinton share an

office in Harlem -- is that true, Professor Sofaer?

           PROFESSOR SOFAER:    I’ll do anything for


           PROFESSOR O’NEILL:    I’m also pleased to

introduce Wan Kim.   Makan Delrahim, who is the chief

counsel of the Senate Judiciary Committee,

unfortunately was unable at the last minute to join us

because -- the people in the Department of Justice

might be interested in knowing this -- the Department

of Justice reauthorization bill is currently on the

floor.   So, Makan, unfortunately, was unable to join


           One would think that the Department of

Justice would not be a terribly controversial

reauthorization, but then, one only has to remember

that the rules of germaneness in the Senate are

basically nonexistent, so it’s almost always about

something else other than DOJ authorization


             Fortunately, however, we’re honored and

pleased to have as his replacement Wan Kim, who is

currently Counsel on the Senate Judiciary Committee

and is working specifically with these issues.      Mr.

Kim was formerly an attorney at Kellogg Huber Hanson

Todd & Evans, and I imagine he actually took a major

boost in salary to then go to the Senate Judiciary

Committee.    Anyone who is familiar with that firm will

know that I am saying this with deep irony.

             Mr. Kim also has worked as a special

attorney to the United States Attorney General, and in

the Department of Justice through the Attorney

General’s Honors Program.    And he clerked for one of

my personal favorites, Judge Buckley of the U.S. Court

of Appeals for the District of Columbia Circuit.

             Mr. Kim graduated from the University of

Chicago with a J.D., and Johns Hopkins University.

             Last but not least, we are pleased to hear

from Professor David Post, who is currently a law

professor at Temple University, where he teaches

intellectual property law and the law of cyberspace.

He’s also a senior fellow at the National Center for

Technology and Law here at George Mason University --

I’ll point and give a little plug here to the Tech

Center in our banner -- and as the cofounder and co-

director of the Cyberspace Law Institute and the

cofounder and co-editor of

           Professor Post has a very interesting

background, I found out.   Trained originally as a

physical anthropologist, Professor Post spent two

years studying the feeding ecology of yellow baboons

in Kenya, and he taught at the Columbia University

Department of Anthropology.    Realizing that his study

of baboons might translate well to the legal

environment he then attended the Georgetown Law

Center.   After attending Georgetown, after holding

various and sundry posts, he wound up somehow finding

himself clerking not once but twice for both Judge and

Justice Ruth Bader Ginsburg.

           And perhaps of interest to Professor Sofaer,

if he’s interested in any future inductees to the Jazz

Museum, Professor Post plays guitar, piano, banjo and

harmonica. And the name of the band happens to be "Bad

Dog."   The band’s name, hopefully, is not any

reflection upon its musical acumen.

           In any event, I’d like to welcome each of

our panelists here to George Mason University.    We’d

like to start out, Professor Post, with you.     We’ll

give you a little bit of time to make your

presentation, and then an opportunity to ask one

another questions before opening it up to the crowd.

           PROFESSOR POST:   Thank you.   That was very

nicely said.    What Professor O’Neill said to us before

he started was, "ten minutes to pontificate."    So,

starting now.

           I want to talk about the issues of

international jurisdiction and cybercrime by focusing

on the Convention on Cybercrime.    It’s a document that

was drafted by the Council of Europe last year with

substantial United States participation.    It was

signed by the United States along with, I think,

several dozen other countries last year, although it

has not yet been ratified.    I don’t think it has been

submitted yet to the United States Senate for

ratification.   In other

words, we have signed, but not ratified, the


          I want to talk about the jurisdictional

dilemma a little bit, in general terms, and then about

why I’m deeply concerned that, with things like the

Convention on Cybercrime, we are not dealing with this

dilemma in a sensible manner.

          With respect to the jurisdictional dilemma,

Michael gave something of an overview -- perfectly

adequate overview.   I think everybody is sort of

basically familiar with the problem.   There is a

global network.   It has no internal boundaries to

speak of, at least none that map onto the boundaries

of existing jurisdictional entities, states or

counties or cities or, for that matter, countries.

There is no American portion of cyberspace.      There’s

no Turkish portion of cyberspace.   There’s no

Brazilian portion of cyberspace.    There’s no

Arlington, Virginia portion of cyberspace.

          Now, the same, in a sense, is true of

Antarctica or outer space, which is a parallel that

people sometimes draw when talking about this problem.

So, given that the same thing is true about outer

space -- there’s no American portion of outer space --

what’s the big jurisdictional dilemma here, on the

global network?   What’s the big problem?

          The problem, of course -- again, it should

be obvious -- is that unlike Antarctica and unlike

outer space, the global network, cyberspace, is

intimately connected at the same time to the real

world, to the United States and Turkey and Arlington

and Brazil.

          The big problem, as we’ve heard several

times already today, is that it is now orders of

magnitude easier to commit crimes against the United

States or Turks or Brazilians without ever coming near

America or Turkey or Brazil.     The example was used

earlier of the Love Bug virus, which was released from

the Philippines (where it was

apparently not a criminal act) but which did incalculable

damage to property and economic activity throughout

the world, including the United States.

          It is a serious problem and it demands

serious attention, I think especially – and obviously

-- in these post 9/11 days.   And fundamentally,

conceptually speaking, there are really two approaches

to the problem.

     One is what I’ll call the "mi casa es su casa"

approach; my house is your house.   The Philippines, in

the example, could say, "You can come into our

country, you can come into the Philippines to

prosecute crimes, you can enforce your criminal law

against persons or entities who are acting in the

Philippines.   You can extradite or try anyone from the

Philippines who violates your criminal law."    It’s a

simple approach.   The downside of that approach is

also fairly simple and fairly obvious.    The

Philippines will, in turn, insist upon the same rights

vis-à-vis American citizens and American companies, as

will the Turks and the Brazilians and the Belgians and

the Egyptians, etc.

          Well, what’s wrong with that?    What’s wrong

with that, of course, is that the people of the world

have very different ideas about what does or does not

constitute criminal activity.     The United States

criminal code and the Belgian or Egyptian criminal

codes are very different beasts.    We don’t like the

prospect, particularly, of American citizens or

companies being hauled into court in Egypt for

violating provisions of Egyptian law when they are

acting lawfully under United States law, and the

Egyptians don’t like it any more than we do when it

operates in the reverse direction.

            What’s wrong with this approach also -- the

downside of this approach, if you will, part two -- is

that it completely disregards the fundamental premise

upon which our government, at least, is based: that

governments derive their just powers from the consent

of the governed.   I have not consented to be

governed by Egyptian or Belgian law, nor, in my view,

can my representatives give my consent on my behalf.

I have no participation in the formulation of Egyptian

or Belgian law, nor should I.     It is, quite simply,

unjust to apply it to me.

            So, that is approach one, basically


            Approach two is the "harmonize the law"

approach.   Let’s see if we can all agree on a minimum

set of really bad things.   A set of things we can all

comfortably, within our differing legal traditions,

define as criminal conduct.   Let’s get that list and

get everyone to make those things domestically a crime

in their respective jurisdictions.   Then, while there

are still obviously many problems of investigation and

enforcement that still remain, there’s no real

jurisdictional problem with respect to those crimes


            Now, the Convention on Cybercrime takes both

of these approaches.   It defines a series of crimes

that signatory nations agree to make criminal and it

pledges mutual assistance among the signatories in

investigating such crimes and extraditing those

accused of such criminal activity.

     And, it incorporates, I think, unfortunately, the

worst features of both of these approaches.

            I don’t always agree with the American Civil

Liberties Union on many things, but I agree with them

on this.    The ACLU wrote about the Convention on

Cybercrime: "The treaty began with a modest objective:

facilitating cooperation among law enforcement

authorities across countries to track cybercrime.

Somehow, like a monster, it has vastly outgrown its

original mission."   I think that’s right.

          I don’t have time to give you the full bill

of particulars, but let me touch on some highlights.

In regard to harmonizing the law, the second of the

approaches that I talked about, the list of things

that signatories to this Convention must define as

criminal activity includes a number of non-

controversial items:   computer forgery; intentional

interception, without right, of non-public

transmissions with computer data; child pornography;

computer fraud; the serious hindering without right of

the functioning of the computer system -- something

like the Love Bug.

          It also requires signatories to criminalize

the production or sale of any device designed for the

purpose of deleting computer data, for example.   It

also requires all signatories to make criminal all

copyright infringement conducted "by means of a

computer system."   It also requires all signatories to

criminalize the infringement of the so-called related

rights of the Rome Convention -- you all know what

that is, don’t you?   I didn’t either, even though I’m

an intellectual property professor.   It’s a series of

rights that belong to the owners of sound recordings,

protected under the Rome Phonogram Convention.

          Signatories must also ensure that

corporations can be held liable for any computer-

related offenses committed for the corporation’s

benefit, or committed by any person "with a leading

position in the corporation," a provision that seems

to me, to my eyes, to override by treaty a hundred

years of American law regarding corporate liability.

The Convention also provides that corporations must be

held liable where their lack of supervision or control

has made possible the commission of one or more of

these computer-related offenses.

          Here’s the first additional protocol to the

Convention, which is in draft form -- thank goodness --

but which will become part of the Convention

eventually, presumably.   Each signatory under the

first additional protocol must establish as a criminal

offense under its domestic law "offering racist or

xenophobic material to the public through a computer

system," which is defined as thoughts -- thoughts! --

or theories which advocate or promote hatred against

any individual or group of individuals based on race,

color, ethnic origin, etc.      Each party shall ensure

that these offenses are not regarded as political

offenses justifying refusal to comply with requests

for mutual assistance.

             It’s too broad.   It’s too broad.   It goes

far beyond the steps necessary to define a set of

conduct that is truly considered heinous and criminal

around the globe.    And it includes much conduct that

is far more controversial than that.     Some of these

are new criminal penalties for the United States, as

well as for other signatory nations.     I think new

criminal penalties should not be established by

international convention in an area like copyright law

or third party liability, where national law is so


             Let me take two minutes on the other

approach, the "mi casa es su casa" approach of

cooperation.   The Convention establishes a plan under

which law enforcement authorities in each signatory

nation will cooperate with each other in the

investigation of purported violations.   The activities

described above on the list of bad things are made

extraditable offenses.   The signatories, furthermore,

agree to provisions to provide mutual assistance "to

the widest extent possible" for investigations or

proceedings concerning criminal offenses relating to

computer systems, or for the collection of evidence in

electronic form of a criminal offense.   So, the mutual

assistance pledge among nations goes beyond just

cooperating and prosecuting these specific criminal

offenses.   But any time the Bulgarians are looking for

evidence that is in computer form, in electronic form,

of any criminal offense under the Bulgarian criminal

code, they have the right to demand the assistance of

the United States law enforcement authorities.   This

would include required information sharing at the

request of other signatories regarding such

investigations; the production of court orders

requiring service providers to turn over subscriber

information at the request of foreign law enforcement

officials; assistance in intercepting communications

at the request of foreign law enforcement officials.

As I said, these provisions apply not just to the

expansive list of cybercrimes laid out in the first

section, but to all computer-related crime and to all

evidence, in electronic form, relevant to criminal


            Well, it sounds great.   Who’s against

cooperation?   And maybe it would be great, if that

cooperation were restricted carefully and narrowly to

criminal activity that really matters.    But it’s not.

An obligation to make the law enforcement machinery of

the United States available to the Belgians or the

Bulgarians for the investigation and prosecution of

violations of the related rights provisions of the

Rome Convention on Phonograms is not the best use of

law enforcement resources in the United States in

these difficult times.

            The first time that U.S. law enforcement and

investigative powers are put to work for the

prosecution of political dissidents, at the behest of

some foreign power, which is well within the

parameters of this treaty, we will regret having

signed it, and I hope that is not too late.    Thank


          PROFESSOR O’NEILL:     I was going to say, the

Rome Phonographic, whatever it was, sounded a lot like

our university speech code, so it didn’t clink all

that surprising on my ears, I guess.

          Mr. Kim, we now turn to you.

          MR. KIM:   Thank you.    One of the things that

I, like Professor Post, I wrote down on my little

notepad here was when Mike said "pontificate", because

that is exactly what I’ll be doing at best.

          As you can tell from my nametag, I am what’s

called a last-minute fill-in.     So, they did not send

the expert; they sent the generalist.

          PROFESSOR O’NEILL:     But we all like the

filling of the Oreos better than the crust.

          MR. KIM:   I hope that remains true.

          What Mike didn’t tell you is that I’m

actually an assistant United States Attorney on detail

to the Senate Judiciary Committee.    I tell you that

only because I need to start off by doing what I do

with every jury that I go before, and that is lower


             I am not here to tell you what the answers

are.   I am here more to ask questions, questions that

a lot of the Congressmen and the Senators ask when

considering these very, very difficult issues.

             The Senate’s role in government is a rather

unique one, as many of you know.    That is, the Senate,

more than any other body in government, tries to look

for consensus.    In the administration, the President

does what he wants to do.    Congress, by and large, the

House of Representatives, they have the majority and

they pretty much do what they want to do.    And the

courts, when they have a majority, in a five-four bid

or two-one, do what the majority wants to do.    But not

so, the Senate, because of its unique role in giving

each Senator a large voice in stopping things utterly

to a halt.

             I say that because I want to emphasize the

fact that legislation moves sometimes at a glacial

pace precisely because people are asking questions

like the ones posed in this panel.   I am not an expert

in this field, and that is probably a good thing

because neither, to my knowledge, is any senator.    I

am, in my job, a thousand miles wide and one inch

deep.   That is why all of us look to the experts in

the field to see what the questions are and to see

whether we can reach an agreement as to what the best

solutions would be.

           In the area that we’re talking about right

now, cyber-issues, that really have no global

boundaries, no individual set of laws, no mechanisms

for resolving whatever rules we might agree upon, it

is a particularly challenging one because if the

government of the United States acts unilaterally,

well, we may be in a bind because no other government

may help us enforce those laws.   But if we don’t act

strongly enough, well, then, we really do open up a

wild, wild west in the area of, say, the Internet,

where, as we all know, a lot of harm can occur.

           So, it’s a difficult balancing act that

Congress is looking at in this issue, and they’ve been

looking at it for several years now.    It’s an area

that I think it’s fair to say Congress has moved very

carefully.    If you look at some areas of the criminal

code now, the areas that I’m most familiar with, you

can see where Congress has moved forward in some

manner -- usually areas where the fear is great and

the threat of danger is extremely high.

             For example, 18 U.S.C. 2332(a) is a statute

that prohibits the use of "weapons of mass

destruction".    I was one of the most junior

prosecutors on the prosecution of Timothy McVeigh and

Terry Nichols for the blowing up of the Murrah Federal

Building in Oklahoma City.    The statute that was used

to carry the penalty was 2332(a).    What that statute

provides in addition to the death penalty is

extraterritorial jurisdiction.     That is, we can reach

outside the borders of the United States to enforce

this statute, if, for example, you try to blow up an

embassy in the Middle East.

             Luckily, we were able to avoid those issues

in this case because of the fact that it was done

within our geographic borders.     But those issues are

fast diminishing, as we have, one, more of a worldwide

presence and, two, more crimes that are being

committed from abroad directed to the United States.

            Even if we all agree that those types of

crimes, crimes committed from abroad and directed

within our borders, can be legislated, which I think

most of us could do, we also have the problem of how

the heck do we get those people to the United States?

That, again, raises a whole separate issue of law, and

cooperation.   How do we get those other nations to

cooperate with us into bringing those people to the

United States to enforce what we think our notions of

justice are and should be?

            These are not questions that are raised

lightly, and these are not questions that are answered

lightly.    There is, obviously, a difficult balancing

act here.   We want to be able to legislate ahead of

the curve so that when the problem arises, we have the

mechanisms to deal with it.    The problem with

legislating ahead of the curve, of course, is figuring

out what the right answer is going to be.   When there

is wide disagreement between academics and the

international community as to what the right answer

is, often you get no answer at all.   This leaves us in

the other conundrum, which is not having an adequate

system of laws.

          That is why Senator Hatch, members of

Congress, are widely in agreement that the Council of

Europe, the Convention on Cybercrime that Professor

Post mentioned, is a very good thing.   The more

countries that we can get onboard with a set of norms

that we can all agree upon or a set of norms to be

enforced, the better we all are.

          Let me just give you one minor example of

how this problem arises in actual legislation and how

it’s being addressed by various members of the

different bodies in Congress.    H.R. 2643 is a bill

that was introduced by Representative Lamar Smith on

the House side, and it dealt with the issue of child

pornography.   This has become an issue that was

recently brought into constitutional focus by the

Supreme Court earlier this year in a decision called

Ashcroft v. Free Speech Coalition.    That decision

struck down some key provisions of a 1996 law that

Senator Hatch wrote that prohibited the possession of

virtual child pornography.

             I’m not going to bore you with the

constitutional details, but there was a case out there

called New York v. Ferber, which basically said that

child pornography could be regulated because it

involved harm to children.    That is, children were

being used in the process of making child pornography,

and that’s a crime in every jurisdiction, so you could

prosecute what results, even if some people might call

it speech.

             Well, the problem with the Internet is that

it makes what used to be a very, very underground,

difficult market to penetrate, very easy.    You go on

the Internet and you type a few keywords, and boom,

you’re directed to a hundred sites that contain or

allege to contain child pornography.    How do you

regulate that problem?

             Well, the Supreme Court in Free Speech

Coalition said you can’t do it by prosecuting purely

virtual creations of child pornography; that is

pornography that did not involve actual children but

merely the digital images of what looks to be, by all

accounts, real children.    That creates a problem.   How

do you enforce those laws if you can’t tell if it’s a

real child or whether it’s a computer creation

thereof?   How do you shut down the market for porn

sites that actually do upload images of real children?

What happens if, as in the Internet betting arena, all

these people move offshore and say, you people can’t

touch us because we’re now having our mainframes

located in the Bahamas or in China or in Taiwan or

wherever they might be?    These are difficult


             H.R. 4623 represented the administration’s

attempt to answer that; they drafted large portions of

this bill.    They included a provision which says that

we have jurisdiction if the person transports such

visual depictions to, or otherwise makes it available

within, the United States.

Basically, it means the website could be

located anywhere, never targeted to any U.S. person or

entity.    Yet, we would be exerting jurisdiction in our

courts with our system of laws and our systems of

justice as to a person who may have set up a website

in the Netherlands specifically intending only to

target other people in the Netherlands, which may have

different notions as to what’s permissible and not

permissible in the field of child pornography.

           That raises a whole host of difficult

issues, as Professor Post just started talking about a

little while ago.   Is that something that we want to

do?   Is that something that is wise to do, even if we

want to do it?

           As a general matter, many lawmakers would

agree that as long as we are the ones pulling people

into our system of justice, that’s fine -- as long as

the other side is not sure that they’ve pulled us into

their system of justice, which is what we don’t want

to happen, of course.   That is a lot of the

justification for why we have refused to submit to the

jurisdiction of the International Criminal Court.    We

don’t want your system of justice applied to us

because we may not be treated fairly.   Other people

obviously would raise the same concerns about the U.S.

system of justice applied to foreigners.

            These are the kinds of issues that have

arisen in the real-world context and will continue to

arise.    And unless there is widespread international

agreement on what can be done, I think it is likely

going to be the case that Congress will be hesitant to

act except in the areas where it feels the greatest

need or the greatest dangers lie, the dangers in

inaction and the dangers in not doing anything.

            The PATRIOT Act, which was passed in the

wake of the September 11 bombings, did expand certain

provisions in current law to encompass

extraterritorial acts.   For example, it expanded 18

U.S.C. 1030, which is the Computer Fraud and Abuse

Act, to prohibit acts of computer hacking that

affected foreign computers.   That actually is a

mechanism that people haven’t really disagreed with

too much because it generally opens up the doors to

prosecute people in America for acts they commit

abroad.   For example, a hacker might be sitting in

Minneapolis and attack a French computer system.

            Under pre-existing law, prior to the PATRIOT

Act, it was not clear whether we had jurisdiction to

prosecute that because the damage was done entirely to

a different government on a different continent.     The

modification made by the PATRIOT Act to §1030 makes it

clear that we can prosecute, and that’s one that’s

pretty much a win-win.   We increase our system of laws

and provide better mechanisms for policing these types

of crimes, and the international community, if

anything, is made better off by doing so.

          There are other difficult questions, though,

because it’s still not clear and it still has not been

decided what can be done if a hacker in Country A

somehow uses the infrastructure in the United States

to perpetrate an attack on the computer system of

another country, Country C.    So, if we are just the

unharmed intermediary, even though our systems have

been used, do we have jurisdiction to do anything

about that, and should we?    Again, these are all

difficult questions, and that’s why I say I come here

with a lot more questions than answers.

          The last thing I want to talk about very

briefly is that this issue not only arises in the

criminal arena, it arises in the civil arena, as well.

And as many people in the business world will tell

you, it arises with even more frequency and with even

more pressing need.

           Digital piracy has become a huge problem.

It is a problem for content providers.   When I say

content providers, I mean, for example, the recording

industry, Disney, all the people that produce the

things that we like to see and we like to hear not

only in the United States but abroad.    It’s also a

problem for the people in the transfer agencies.

Those are the people who man the Internet sites and

give you the bandwidth to transfer from point A to

point B.   Under a lot of the proposals that have been

floating around out there, the transfer agencies might

be responsible for policing their highways to make

sure that this type of material is not being conveyed

on their highways.

           The way I would frame this issue is to say

that it’s very difficult to come up with, not only the

right answer, but an answer that everybody can agree

upon is the right answer, which as you will find as

lawyers is the hardest thing in the world to do.

             If you think about it in the context of just

normal property law, in a sense we are attempting to

define property rights all over again.      Everyone

remembers the case of Pierson v. Post, whose fox was

it?   And everyone remembers the concept of fee-simple

states.   Those were difficult concepts, but they were

resolved hundreds of years ago.      And the best thing

you can say about how they were resolved, they were

resolved in a court system that had unquestioned

jurisdiction to resolve it.    Now we are talking about

assigning property rights not only to things that are

not tangible per se -- I mean, a series of zeros and

ones in a lot of cases, digital code -- but also how

the right that is assigned gets enforced?      As we all

know, a right is only as meaningful as the enforcement


             So, if these problems are arising in

mainland China, how do we enforce that, even if we can

all agree what the right is?       And can we all agree

upon it in an international community?      Those are huge

challenges that Congress is trying to address, is

going to hopefully address.    But at the end of the

day, it may not be best addressed simply by an act of

Congress unless the international community comes

together and agrees upon a set of norms and a set

mechanism for enforcing those norms.

          Again, I will echo the common theme that I

had in giving this presentation and that is, it’s a

very difficult area, it’s a challenging area, and it’s

an area where a lot more will be done in the

foreseeable future.   With that, I’ll turn it over.

          PROFESSOR SOFAER:    This is a gig I would not

have missed.   I’ve been working in the area of

cybercrime and terrorism now for several years.     At

the Hoover National Security Forum, we had a

conference about three years ago.     Sy Goodman, who’s

now in Georgia at the Sam Nunn School, and I, ran that

conference. We invited everyone and we had a

lot of discussion about the problem of international

cybercrime and terrorism.   It is a huge problem.

Everyone can see that.      I mean, if you look at

the national draft of the plan for cyber-security, you

see what they say.    I think you should know what they

concede is, essentially, that there is a need to

promote development of an international network to

identify and defend against cyber incidents as they

begin.   At least the government is starting to

move in this area toward the notion of preemption and

prevention rather than simply prosecution that Alan so

rightly mentioned.

           The draft states that we have to encourage

all nations to pass adequate cyber-security laws and

to help the U.S. prosecute crimes, and that the U.S.

should help the states prosecute these crimes.    And

then the report also says we would work

through international organizations to foster a

culture of security.   Well, of course, we can’t do

that here, let alone through international


           We have a mad culture here.   I’ve had six

kids in my life, so I know what they’re like.

           These guys -- one of them went to Case

Western, and over there, they have these groups.    It’s

almost like gang warfare.   They actually practice on

each other.   There’s no culture of security in the

cyber world, that’s for sure, and it’s not going to be

created through discussions through UNESCO, etc.

           The government report says we’re going to

promote the adoption of common international technical

standards that can help assure the security of the

global information infrastructure.   Now you’re

talking.   But who’s going to do that?   That’s

really a separate issue, and Professor Post and I are

going to start out like we’re in two separate worlds.

I hope I’m going to come back and he and I are going

to be much closer at the end of this discussion.

           The federal government doesn’t know how to

draft cyber-security standards.   The federal

government doesn’t have the vaguest idea about how to

give anybody information security.   If you read the

GAO and OMB reports on federal information security

implementation, you would see that those guys ought to

be indicted themselves.

           These agencies have violated statutory

demands that Congress has put out with impunity.    They

have failed to incorporate.   They don’t have security

plans.   They don’t have the expertise to create plans.

People who I know in the private sector who deal with

the federal government tell me, if only the

government knew what questions to ask, we might be

able to help them, but they don’t.    The fact of the

matter is the federal government is way, way behind

the private sector in information security.

             Now, who developed the security systems that

we have, to the extent we have them?    Well, the IETF

did, and the people of the private sector who have

taken over the Internet have taken over those security

standards.    So, when I start talking about the agency

that I would like to see created in the world, the

international agency, don’t assume that I’m talking

about turning over the security standard-setting

operation of the Internet worldwide to a group of

people similar to the politicians and prosecutors that

drafted the Council of Europe Convention.    Forget

about it.    That would be the worst thing in the

world to do -- absolutely the wrong move.

             But what we should do is create an

agency and turn it over to people like you, to people

who are experts in this area, who know and who are

sensitive to the conflicting interests in the field

and who are going to move very carefully, slowly, to

develop a secure infrastructure for the world.

That is the kind of approach I advocate and have been

advocating for the last three years.

            Let me go through very quickly why this

makes sense.   First of all, we do need to agree on

certain common crimes, certain common improper

activity.   We do.   But what the Council of Europe does

is it takes the project of protecting the information

infrastructure, which is a critical project,

absolutely important, and it uses that as a basis for

attempting to implement all kinds of schemes. If

anything, I don’t agree with Professor Post that going

after computer fraud is the kind of thing that’s going

to be non-controversial.   This is very controversial,

as is the hate crime protocol, which just shows

you where their minds are.    They want to take their

power over the protection of computer infrastructure

and use it to control all aspects of society,

essentially, that they normally control through

prosecutions of various kinds.

            But if you focus on the infrastructure

itself, the actual information infrastructure,

it is possible to agree on a set of standards as to

the kinds of behavior, attacks, trespasses, etc., that

do put the infrastructure into jeopardy -- viruses,

worms, etc.   These things can be defined in general

terms and we can have worldwide uniformity on that.

And we need it.

          We also need uniformity on what kinds of

things we’re going to do for each other in cooperating

with each other’s prosecutions.    I think a lot of the

stuff in the Council of Europe draft on this

is good but much too detailed.

The draft attempts to

define today what kinds of measures are going to help

prosecutors five years from now. They’re crazy. This

will not work. The kinds of things that prosecutors

want done today are going to look like absurdly

antique methods within a decade.   What we need to

do is set up a body of people like you, people

who are largely drawn from the private sector all over

the world, to serve on committees that report to an

Assembly that is half government and half

private, as we recommend in the Stanford Cyber

Convention draft.    That Assembly would

gradually develop the standards and procedures, just

as the ICAO develops the standards and procedures

for aircraft safety or the International Maritime

Organization has

developed no fewer than 20 treaties over time, working

with the experts in the maritime field to develop the


             My third point is that states must have the

capacity to cooperate with one another.      We are

dreaming, if we think that states like the Philippines

are actually going to be able to cooperate with the

United States in some of these prosecutions.      They

didn’t even make the transmission of the I Love You

virus illegal.    Their Attorney General, incidentally,

found that as a formal fact.       It wasn’t something

that, well, maybe it was illegal.      It was legal, what

was done in the I Love You case.

             We need the international

organization I contemplate to help other states

develop their capacities with regard to the Internet

and with regard to cybercrime and cyber-transmission,

and cyberterrorism, incidentally.   That is done

throughout the world in a variety of substantive

technological areas.   Don’t let these people who may

happen to be in power today convince you that

cooperating internationally on some of these

technological areas is some kind of weirdo practice,

or an abandonment of sovereignty.    Our

world is full of these kinds of regimes that are very

effective in cooperating in these technological fields

-- and very apolitically, I might add.

           Then, we come to the standards for safety.

Who’s going to draft these standards for safety?      I

told you these experts.   The only way such standards

for safety are going to be drafted properly is if you

have a competent and authoritative body to do the

work.   It doesn’t have to be a typical government

top-down operation.   It can be a

body where you have that consensus-

driven process, such as the IETF has, and

essentially govern the kinds of standards that we

need.   Those standards, then, would become universally

applicable.   And only through such standards, I would

submit to you, can we do internationally what this

government is committed to do domestically and

internationally in all areas of terrorism.    We’ve

heard what Alan Raul said about preemption and

prevention being the key.   He is

right. It’s what we have to do.

           Well, Richard Clarke of the NSC was the Czar

of Terrorism when we had a prosecutorial approach to

all forms of terrorism.   Now he’s been shifted over to

cyberterrorism and we still have a prosecutorial

approach to cyberterrorism.

All other forms of terrorism, thank God, have been

taken out from that passive regime, and now are run

in accordance with a different philosophy, a

philosophy of preemption and prevention.   Clearly,

that is the philosophy that we have to apply to this

area of terrorism as

well.   We are really setting ourselves up for another

attack before we realize we cannot stop people who are

ready to kill us, to attack us, and are ready to make

massive sacrifices in that regard simply by

prosecuting them after the fact.     We must be much more

proactive and we need this approach, an effective

multilateral approach, that sets up an agency that is

essentially controlled by the private sector to help

bring all this about.

           Now, what about limits?    There clearly are

real limits.   And in this regard, I want to say that

those in the private sector who are using their

muscle, there are limits.   Some assertions are like

Disney World, what can be done without cooperation?

The things they say -- the things they say about what

has to be done.   “If all of us would only protect our

part of the Internet, everything would be fine.”

That’s absurd.    How can you think that way in this

world?   Neither the government nor the private sector

will be able to protect your particular parts of the

Internet indefinitely from all types of attacks on it.

It’s wishful thinking.   To think that the government

is going to be able to protect its part of the

Internet is particularly ludicrous.

           The private sector has to use its influence

to create, as Larry Lessig says,

an international regime

with the proper limitations on it so that it doesn’t

go too far in controlling commerce or in controlling


            We need to build into the treaty

ultimately adopted (as we have in the Stanford draft,

and I hope you look at it) exceptions on cooperation

that are based on our national policies.    Absolutely.

We cannot cooperate.   In this regard, I must say, the

Council of Europe treaty was greatly improved over its

25 drafts; it did go through 25 published drafts.    It

has been greatly improved by the efforts of Department

of Justice lawyers.    It now makes clear, and I think

that the Stanford draft is even clearer, that we

absolutely will not cooperate with China in going

after dissidents and on down the line.

            So, keep an open mind.   Take a look at the

Stanford draft because, if you don’t, eventually we’re

going to have a Council of Europe prosecutorial

approach without the proper protections and

international support that you all really should like

to see.   Thank you.

          PROFESSOR O’NEILL:      I bet you flame a lot of

people on the Internet, huh?      It’s always difficult

when one moderates a panel where the panelists have so

few personal opinions.

          Before we open up to questioning from the

crowd, I’d like to give each of the panelists a chance

to comment on what the other panelists had to say.

          PROFESSOR POST:    Well, I really do want to

get to the question and answer section, so I’ll just

say briefly, and in particular to Professor Sofaer, I

actually think we are closer to being in agreement

than it might appear.    Everybody’s in favor of

harmonization and everybody’s in favor of cooperation;

the devil is always in the details.

          Harmonization can be Orwellian.      This is the

Federalist Society, for goodness’ sake.

          PROFESSOR POST:    The Federalist Society

knows that diversity among legal regimes is a

profoundly good thing.   It is a way for us to uncover

different approaches to legal and moral and ethical

issues, and we preserve that and cherish that, while

harmonization, though, is about destroying that.

We are in an environment that, as everyone has said,

is a profoundly challenging one, and we need to take

careful steps.    I think that’s right.

             In this area, I think we need to move slowly

to avoid a headlong rush into a kind of Orwellian

legal regime for the world that is, I think, very


             I wanted to ask you all a question.   How

many of you actually knew of the Convention on

Cybercrime?     So, it’s 10, 15 percent.

             One of the things that I think is troubling

in this arena is the lack of public awareness, public

discussion, about these very profound issues about

United States sovereignty.

             Again, the Federalist Society banner is a

very appropriate one here.    We’re talking about issues

of national sovereignty.    We’re talking about a new

era of national sovereignty in which the boundaries

are getting blurred and we will be changing what we

think is appropriate United States-versus-the-world

approaches to these things.

             This is not to be left to the experts.   This

is not to be left to the bureaucrats.    This is not to

be left to law professors, thank you very much.      It is

really for the people to decide, as they did in 1787,

about how they feel about modifications to

longstanding views about sovereignty.    That’s my


            MR. KIM:   I don’t have a soapbox.   I work on

Capitol Hill right now, so I basically agree with

everybody as Mike used to and still does.

            Just a few comments.   I actually don’t see

the differences as being as profound as they may

appear.    I do think that, at least as a Republican, I

accept to be true, that private industry is a positive

good.   People should do the most they can to protect

what’s theirs and to keep what’s theirs.    All of us

should keep our doors locked at night.    The question

is, what happens if someone breaks in?    That is really

the stopgap measure where we think legislation and

cooperation is necessary.

            Obviously, private industry should do all it

can to create norms, to create standards, and to

create things that everyone can agree upon, or at

least a lot of people can agree upon, is the right

tack to take.   What happens when those measures don’t

work?   That’s really where I and, I hope, Congress is

more focused: on doing the least amount of damage in

the cases where the damage is most profound.

           Again, as a Republican, I feel, and Senator

Hatch, I’m sure, feels very strongly that the federal

government doesn’t get it right.    We’re too darned

big, the bureaucracy is too darn entrenched, and it

gets worse and worse.   So, to the extent that the

government is not necessary, that’s great.   But again,

the government has to be there in some sense to

provide a safety net.   In this context, Congress, the

U.S. government, the U.S. courts, can’t do it by

itself.   I don’t believe it can.   I believe at some

point we have to reach a set of norms that everyone

can agree upon, and whether that set of norms is this

big or this big is a big subject of dispute.

           I have not parsed through the Treaty, the

Convention, the drafts they’ve been working on, not

one of them much less 26 of them.   I don’t know what

the intricacies are, but I do think that whatever

agreement we could reach on this issue is probably

going to be in the main a good thing.   Does that mean

every single detail is going to be a good thing?     Of

course not.

          As everyone knows, the more cooks you get

involved in a process, the more the process gets

dumbed down to reach the least common denominator, so

you can get an agreement.   That is not the best way to

have innovation.    It’s not the best way to build a

better mousetrap.   But at the end of the day, maybe it

is the best way to get something done, when something,

as bad as it might be, as imperfect as it might be, is

better than nothing.

          PROFESSOR SOFAER:    If you think about it for

a moment, let’s follow that analogy of a house.    I

think it’s clear that when you have a house and you

live in an earthquake-prone area, you’re going to go

to an insurance company and ask for insurance.    And if

you get it, the insurance company is going to look

into the possibility of an earthquake and charge you

an extra amount for that possibility.   And if you

haven’t put in earthquake-proofing -- you can see, I

live in California now -- your charge is going to be

higher.   In fact, there’s a report coming out very

soon from one of the academies, the National Academies

of Technology, a subsidiary of the NRC, that is going

to go through a number of these things -- the civil

litigation, the insurance, etc.   It’s a very

productive, helpful report.   But the fact of the

matter is, the bigger the building you build, the more

society has an interest in making sure that you build

it according to certain specifications.

           If you build, let’s say, marine vessels and

you’re going to have them carry oil, we, universally,

throughout the world, concluded you can’t have just a

single hull.   You’ve got to have a double hull because

we’ve found that -- you’d have no oil spill in 90

percent of the accidents if you had a second hull.    If

you hit a rock, you know, you’d cut the outside hull,

and instead of having a spill now, because of that,

you’d have a double hull and all the oil’s going to

stay inside.   Most -- unfortunately not all --

countries of the world agreed through the

International Maritime Organization on

a protocol requiring double hulls.

            That’s what’s happened with our airline

industry.   Our planes don’t just

fly around wherever they want to.   There are aviation

regulations that are internationally adopted.    Every

pilot is turned over to a regional control center that

tells the pilot where to go, what path to follow, in

order to land safely, etc.

            When President Bush dealt recently with the

protocol on pollutants, the Convention on Long-Range

Trans-Border Air Pollution, early in his

administration, he approved that protocol even though

it did all the things that we’re talking about

conceptually doing in this area.    That is, give money

to an organization that sets standards on these

persistent pesticides in order to give the other

nations of the world the capacity to learn about

persistent pesticides and to control them in their

environment because they spread everywhere.   That’s

the kind of thing we do sometimes trans-nationally

in order to make life better for ourselves, as well as

for others.

            PROFESSOR O’NEILL:    Thank you.    I’d like

now to take a moment to take questions from the

audience.   We would ask, since this proceeding is

being transcribed, if you could please use the

microphones so that we can pick up both your question

and the answer.

            AUDIENCE PARTICIPANT:    My name is Ty

Cooper.   I’m an IT security manager with a federal

agency, so I share your concern about the lack of

compliance with federal regs.     My mantra is IT

security should be built in, not painted in.

            Security 87 mandated certain things be done

to protect our IT system in the federal government,

and to this day, most of them have not been


            PROFESSOR SOFAER:    24 out of 24 agencies

failed OMB’s test.   That’s pretty good.       That’s good.

            AUDIENCE PARTICIPANT:    GSRA, the Government

Security Reform Act of 2000, tied compliance with

federal regs for IT security program management to

federal budgets.   Now we’re getting something done

because the budget is tied to your security plan.

           So, I’m involved in that process.      The IT

security folks are trying their best to get the other

people to come along and get aboard.      But tying it to

the budget was the best thing that ever happened.        It

should have happened in ‘87.       I agree with you;

prevention is part of the cure.

           Security in our systems, the law can’t do

for us.   The FBI can’t protect everybody, if you leave

your doors open and your windows unlocked.      So, we

need to lock down our systems and use common sense,

for federal agencies to follow federal law, and due

diligence and general best practices, and protect the

system the best you can.    You won’t need so many other

things to happen around you.

           MR. MALCOLM:    I want to take issue with a

few of the things that Professor Post said.      One, I

disagree that the Council of Europe Cybercrime

Convention constitutes a reversal of corporate

criminal liability.   I think in criminal corporate

liability it is fairly well established that if agents

of a corporation engage in illegal conduct that inures

to the benefit of the corporation that the corporation

can be held criminally liable.    Certainly, the folks

at Arthur Andersen are under that impression.    So I

don’t think there’s a reversal.

           With respect to two other issues, with all

due respect, I think you misspoke, and because the

Council of Europe Cybercrime Convention is currently

being considered, I think they’re important.    One, I

want to make clear that signatories to the underlying

Cyber-Convention are not bound by the optional protocol

dealing with racist and xenophobic speech.    The

United States, which has signed the Cybercrime

Convention that is up before the Senate, has not

signed the optional protocol on racist and xenophobic

speech.   I will fall out of my chair if it does sign

the optional protocol.   That will never be presented

to the United States Senate, so we are not going to be

bound by that.

           Similarly, you used the example of mutual

legal assistance treaties, about what happens if

Bulgaria or China or whomever is investigating

political discontent over the Internet, and they send

an MLAT to the United States.    Are we going to have to

cooperate with that?    The answer is no.   The way the

Cybercrime Treaty is drafted, an MLAT is, one,

permissive, but two, only to be honored if we

recognize that conduct as illegal domestically.      I

think that it was important to clear that up, and I’m

pretty sure of my sources on that.

           PROFESSOR POST:    I agree with you about the

protocol, by the way.    First of all, it is the racist

speech part, using Draft A.    And it is not necessary

that all signatories sign it.      And I agree with you

completely; the United States will not sign that,

certainly, as drafted.

           My point was that the Council of Europe has

an agenda that is beyond -- far beyond -- as Professor

Sofaer said, the minimum set of attacks on

infrastructure that they were initially targeting

here.   I think the countries of the world could agree

on a set of standards about it.     Here, though, they

have a different agenda about this.     That is an

example of it.   I agree, we will not sign on to that.

           I think you’re wrong about the corporate

liability point. We can have this argument, obviously,

elsewhere.    I think that under this provision, a

professor at George Mason University Law School who is

violating the rights under the Berne Convention, who

is infringing copyright because of inadequate

supervision by George Mason University, subjects the

University to liability for that in a way that is not

currently the case under

United States law.    Under United States law, the

professor would have to be acting within the scope of

his employment to subject the employer to liability,

and that’s not the case under this Convention.    I

think it is an expansion.    Reasonable people can

disagree about that.

             On the dual criminality point on criminal

dissidents, not all of the mutual assistance

provisions in this treaty are necessarily mandatory.

I think the extradition provisions, as a result of

United States pressure, will require that there be

dual criminal acts.    We will not extradite someone to

China for a criminal activity that is not criminal in

the United States, unless we so provide elsewhere.

             I do not believe -- and again, I’ll rush

after this panel to read this very carefully -- that

is true for all of the mutual assistance provisions,

including, for example, the provision that China can

come and demand access to ISP records. characterized

as an expansion of liability.      Reasonable people,

though, might disagree about that.

          AUDIENCE PARTICIPANT:       I believe you.

          PROFESSOR POST:    Okay.

          PROFESSOR SOFAER:     I think that they’re

right about that. Cooperation is limited to the crimes

set out in the Convention.

          WENDY LIEBOWITZ:      Hi, my name is Wendy

Liebowitz and I write and edit Cybercrime Newsletter

and other legal newsletters dealing with these issues.

I thank the panel for your presentations, and I have

two questions dealing with these issues.     The first is

spam; the second is terrorism.

          As the Nigerian scam illustrates, it is

very, very difficult to deal with this.     I haven’t

seen any kind of coordinated response.     The Nigerian

scam has been extremely successful, so it’s spawned

several imitators now from South Africa.

             If we can’t handle spam, how are we going to

handle terrorism?    I’m very concerned.   To me, it’s an

inconvenience; I push my delete button.    There are

some states, on a local level, that are coming up with

laws that are slowly being enforced in Washington

State and California.

             But in terms of getting any kind of

national, let alone international penalties, or

protocols or standards for regulating commercial,

annoying and sometimes pornographic and offensive

email, I don’t see it happening.    I’d love to hear

from the panel as to whether anything can or should be

done on this matter that, to most of us, is just an

annoyance, but for network administrators is a real

burden on the system and can really bring it down.

             The second question deals with international

terrorism.    The only reason I’ve heard about this

Council of Europe Treaty is because I’ve had to write

about the darned thing.    I don’t know if it will be

implemented or if it will be successful.    I guess I

hope it will be.    My main concern is, A, the

government doesn’t seem to be communicating well to

the ordinary public, which cares a lot about the

Internet, and about harmonizing things, and it sees

the government, I think, as walking away.   We’re

disregarding environmental treaties, which are

extremely important to our European colleagues and

many other people.   And the environment also

transcends borders, and we seem to say we’ll cooperate

and we’ll demand cooperation from you on things that

we care about, but on things you care about, you can

go burn in hell.   I don’t think this earns us a lot of

good will in terms of fighting terrorism and so forth.

          My question to you is what the government

could do to communicate better.   I’ve tried to call

the Department of Justice to get comment on various

things. It’s extremely difficult.   It’s much easier

just to call the ACLU and the CBT and EPIC.     And it is

part of the problem because our government, even with

our own citizens, doesn’t communicate well.     Now we’re

talking about harmonizing with other countries that,

frankly, see us as the bad boy of the Internet.     That

is my question.    We’re the bad boys in terms of

tolerating pornography, except for child porn.      We’re

bad boys because of our free speech amendments that

protect these racist and xenophobic and upsetting

websites, and it’s important that we tolerate them.

But other countries, particularly France and Germany,

which are not countries that can be lightly

disregarded, don’t understand why.

           And finally, we’re the bad boy because we

don’t seem to care about other protocols.    It’s just,

these are our laws; everything else should be sort of

an optional protocol.   Maybe we’ll sign it and maybe

we won’t, but the important thing is what we do, and

everyone should fall in line.    And I just wonder how

do we combat that in a responsible way that doesn’t

violate our laws.

           PROFESSOR SOFAER:    Let me comment on the

other issue of how do you do it, and how do you get it

together, and of our being the bad boy.    Let me turn

it around a little bit.

           We are a nation that’s entitled to our point

of view.   Nations make decisions in multilateral form

on the basis of what they think and what they’re ready

to do. At the first Rio conference, I was there

because I was counsel to WWF: I wasn’t in Rio, but I

saw the plot by the environmental groups developed a

way to take over that conference.   I mean I’m a

Republican environmentalist; I also love jazz.

           The fact of the matter is that NGOs have

gone into these multilateral conventions and taken

over.   In Rome, there were some 450 NGOs at the

International Criminal Court Convention -- 450.

There were about 150 states and 450 NGOs.    All of the

NGOs wanted an international criminal court that was

not "subservient" to the Security Council.   Instead,

they wound up with an International Criminal Court

subservient to the Assembly of States, which is any 60

states in the world that can create criminal law to

control everybody in the world.   The United States

thinks that is ludicrous.   We have seen what the

General Assembly creates, let alone what this Assembly

of States is going to create.   And the Assembly of States is

going to define aggression.

           So, the NGOs took over the ICC Conference.

They took over Kyoto.   In fact, since Kyoto, no one

has ever supported the enforcement of Kyoto in

America.   No Democratic senator has.   Now the

President is out there -- President Clinton, my friend

-- is out there saying we need to support Kyoto, but

he didn’t say that when he was in the White House; not

at all.    In fact, when the issue went up to Europe for

discussion, it was commonly agreed that we had to

change the rules and give more credit to transferring,

and exchange rules.   And there are other things that

the underdeveloped world has to do to compensate for

all the things the developed world has to do. It’s too

bad because it could have been done.    It really could

have been done if the states had worked together.

            The same thing happened with the Land Mine

Convention.   The lady in Canada who won the Nobel

Prize -- terrific -- she just insisted, and their

other NGOs insisted, that there had to be a total

elimination of mines, even in Korea.    We were ready to

go along with the whole deal.     But because of the

power of the so-called private sector -- this is not a

democracy, mind you; these are groups that, we decided

to join.   These NGOs are not representative in any

democratic sense.    They are funded by the elites of

the world.    I don’t mind being a part of the elites of

the world, but I recognize that we elites do not

represent all the people of the world.      The fact is

that NGOs undermined the Land Mine Convention.      We

would have had a unanimous Convention.      We would have

had enforcement and clearing all over the world.

Instead of that, just because of the Korea thing,

which we won an exception on, it didn’t happen.

             In short, one reason our government doesn’t

push any multilateral agenda now is because they don’t

want things to get out of control.      You can understand

that.   You really can.   What I’ve been saying is

simply this.    We need to plan in advance for these

multilateral conventions.    We need to be much more

careful.   We need to have an understanding of what is

going to happen before we go in, and we need to be

able to control the parameters of what happens when

we’re there.

             PROFESSOR O’NEILL:    I have to bang the gavel

on the judge really quickly and allow one last comment

because we’re running out of time.

           PROFESSOR POST:   I just want to say two

things about the spam thing.       Spam is a good example

of precisely how difficult it is to control this

network.   On the one hand, the constitutional issues

are very substantial.    The First Amendment to the

Constitution does not, unfortunately, only protect

legitimate people.   It protects all those lunatics,

too.   You can criminalize fraud, and I assume that

most of these things I get are in fact fraudulent

solicitations.   But you cannot criminalize, without

great difficulty, soliciting people for money or

sending them messages.

           What’s really interesting about spam is that

it shows the blurring of the line between speech -- my

attempt to persuade you to send money to some cause --

and an attack on the network.      Spam is both. IT this

is a problem for IT managers.      Managers are swamped

with these solicitations, and the network actually

bogs down as a result.   So, the speech component

(which is very, very difficult to regulate) is one

thing; the network component, in a sense (which is

easier regulable and probably should be regulable) is

another.   I think how to regulate is another.   How to

navigate that line is proving to be extremely

difficult, and it is why, in a sense, I don’t think we

have come up with a solution to that problem yet, at


           PROFESSOR O’NEILL:    Unfortunately, despite

the other questions in the audience, we’re going to

have to draw to a close now, and we’d like to thank

this panel.   It was an outstanding panel in an area of

various viewpoints on this particularly important

topic.   Thank you.



                  a panel on



            2:30 P.M. - 4:00 P.M.
               October 3, 2002
    George Mason University School of Law
               Fairfax, Virginia

         Public/Private Sector Cooperation

Manus Cooney, CEO, Potomac Counsel, LLC
Bill Guidera, Federal Government Affairs Manager, Microsoft Corporation
John Malcolm, Deputy Assistant Attorney General, Criminal Division, U.S.
Department of Justice
Mark Grady, Dean, George Mason University School of Law (Moderator)




                                                  2:30 p.m.

          DEAN GRADY:   (In progress) -- to the

perspectives of many of us.   Of course, cyberspace

does not respect the boundaries of sovereign nations,

and so it would be ideal if some sort of private

ordering solution to the various problems that beset

cyberspace could be found.    Of course, it may be

useful for the government to be involved in these

basically private systems of regulation, and our

panelists are going to explore the general theme of

what can be done to improve the cooperation between

the private sector and the government sector.

          I've asked the panelists to confine their

opening remarks to about seven minutes so we can get

to a broader discussion with you all, and also among

the panelists themselves, concerning any issues that

may arise from these opening presentations.

          With that, I will introduce you to Manus

Cooney, who I know is a good friend of our faculty

member, Michael O'Neill.    He has just formed a

bipartisan legal policy firm with Karen Robb – Potomac

Counsel, LLC.    Let me get the sequence right.    You've

done so many things here.

          You served as the Vice President for

Corporate and Policy Development for the file-sharing

company Napster, and what you're doing right now is

organizing the legal policy firm with Karen Robb.

That's right.

          At Napster, Manus was responsible for

setting the strategic course on the legislative policy

issues that affected the company.   And I'm sure there

were many of those.   He represented Napster before the

Congress and the administration, and advised the

company on licensing, strategic alliances and

partnerships, both domestically and abroad.   While at

Napster, he also gave numerous lectures on technology

policy and drafted legislation for Congressional


          He's got a long history on Capitol Hill as

Chief Counsel and Staff Director of the United States

Senate Judiciary Committee.      He was the principal

legal and policy advisor to the committee's chairman,

Senator Orrin Hatch.       In addition to overseeing the

committee's day-to-day operations, Manus was primarily

responsible for the development and stewardship of the

committee's legislative, executive and oversight


             The issues overseen by him during this time

include the judicial nominations process; intellectual

property law, including the American Investors

Protection Act and the Digital Millennium Copyright

Act; and also Internet policy issues, including the

antitrust hearings on Microsoft, bankruptcy reform,

antitrust law and a whole diversity of other issues.

Certainly from a legal point of view, there's no more

important committee than the Senate Judiciary


             Manus Cooney holds degrees from Villanova

University, and from the University of Baltimore Law

School.    Manus.

             MR. COONEY:    Thank you, Dean.   First of all,

I want to thank Dean Grady for having me here, and I'd

like to thank George Mason Law School and the

Federalist Society for convening this panel and this

conference today.   I wouldn't miss being here.     I

think it's great.   I've worked for many years in crime

policy and cyber technology policy issues, and so it's

certainly a thrill to be here.

          As a testament to my shop being relatively

new, I'm still listed as being vice president of

Napster, but Napster as we knew it is no more.      And

after having helped put the Napster that I spent

nearly two years with in the grave, so to speak, I've

moved on and opened a public policy organization with

a prominent Democrat here in town.

          I tell you, my years at Napster I wouldn't

trade for anything in the world.   I'd do it over again.

But were I to do it over again, I might get more money

up front and less stock.

          MR. COONEY:    But I'd do it again in a

heartbeat because we went through more there in my two

years than most executives and most businesses go

through in a lifetime.   I think that from my

perspective, it was certainly a tremendous learning

experience, and I think that for the country and for

public policymakers, it also provides a genuine case

study in some of the issues that we'll be talking a

little bit about here today.

          We're not being asked to discuss the

capabilities of the public and private sectors to

prevent and prosecute cybercrime.   Fundamentally, I

think the panel that preceded us may have demonstrated

a bit that before you can have partnerships to prevent

and prosecute cybercrime, you have to have general

agreement on what cybercrime is.    There's a real gulf

between my argument and others.    The general premise

of my short presentation is that, increasingly, among

tech-savvy consumers in the general public and

government policymakers and commercial interests,

there's a growing gap between what is and isn't

appropriate over the Internet.

          There's a spectrum of concerns that many of

us are familiar with -- vandalization of websites,

script kiddies, denial of service attacks; we're

familiar with those.   Those are considered the lower

end of the threshold of concerns.   And then the

extreme is terrorism and critical infrastructure

attacks and assaults.   Those are the kinds of things

our government should be, and generally is, concerned

with.   Within this spectrum, however, increasingly, I

would argue that interests are seeking to protect

themselves and incumbent industries are trying to

protect themselves, or protect preferred business

models, and having those wrapped in the cloak of


           Interestingly enough, the Department of

Justice is investigating a number of companies that

have gotten together to form joint ventures to thwart

competition from outsiders in relevant markets for

purposes of providing business online, and that's

taking place in several industries.   It's taken place

in the music industry; it's taken place in the motion

picture industry for purposes of providing online

commercial services.    Amazingly enough, it has not

entered into the common lexicon of most public policy

thinkers, into the lexicon of what is and isn't

cybercrime.   But it's still the same sort of activity;

it's arguably illegal, criminal activity taking place

over the Internet.

          So, why isn't that, too, cybercrime and why

aren't we also folding that into the cybercrime

conventions?   The problem is that, as a previous

panelist noted, increasingly these conventions and

these policymaking entities are not hearing from

individuals or consumers or consumer organizations,

but hearing from NGOs, and trade associations are

included among those NGOs, and trade associations are

representing the concerns of incumbent industries.

          I think there are several problems that

confront policymakers, government and private, in

dealing with cybercrime.   Those are obviously,

fundamentally an awareness of the problem itself, the

general problem of cybercrime; the costs associated

with it, which I think are legitimate.   Some argued

that, absent a vigorous, real liability model, threat

of liability, many businesses will not undertake the

costs necessary to adequately safeguard their

interests or their customers' interests.

          The legal terrain, as I allude to, is

somewhat dubious.    There's a patchwork of laws.

Consumer rights -- to what extent do they apply

online?   What is the liability for ISPs, for example?

There's a patchwork of legal attention -- HIPAA, DMCA,

BMA, a number of different laws that treat different

industries somewhat differently.   So, it's very

confusing, if you're a general counsel for a company,

to figure out what your responsibilities are to the

general public.

           And finally, and very important, which I

think must be considered, the general public, I would

submit, is dubious about the government's ability,

frankly, to deal with the problem.   They somewhat

question the real threat.   Does anybody mention Y2K?

           We heard a lot about that then.   Companies

spent a lot of money, and a lot of the companies that

are arguing that government and industry need to spend

more to safeguard against cybercrime are the same

companies that argued that industry needed to spend

more to safeguard themselves against a Y2K threat.

           Finally, the fairness and equity of some

laws that are being proposed.   A great law review

article by Professor O'Neill asked this question --

does what is right or wrong on the Internet differ at

all from what is right or wrong in real space?

Professor O'Neill argues that, no, it really doesn't.

I would argue that it does in many ways.

            Technology and law are always evolving and

questions do exist among many familiar with

technology, particularly consumers who are familiar

with technology, as to whether that evolution of the

law is being done to safeguard the general public's

interest or to protect preferred business models, as

we've seen in the case of the recording industry.

            For example, the recording industry's

litigation against Napster reached the point where the

fundamental issue was the consumer's ability to use

technology innovation to their advantage versus the

commercial copyright interests of the record labels,

which did win out.   It reached a point there over a

year and a half ago, where the 9th Circuit Court of

Appeals, three judges, sided with the recording

industry.   But then, litigation continued and the

company eventually went bankrupt.   Now, one would

argue that the litigation continued not a matter of

what was right or wrong, or vindicating against a

particular wrong that was incurred by the money.    No

money was going to be taken out of this company,

Napster.   I would argue that the litigation continued

primarily to send a message to the capital markets, a

message to the capital markets that was, "do not

invest in innovative nascent technology companies that

threaten our core business.    If you do, we will fight

much harder than you will."

           I think a good thing that Mike O'Neill does

raise in his article that must be considered is self-

help.   I don't think enough consideration is being

given to self-help measures.   The government cannot

solve the problem.   I think technology will and must

have the final say about whether it's fair for

consumers to use technologies to advantage themselves.

           Arguably, it should be fair for industries

that are threatened by that technology to advantage

themselves, as well.   But, you have to weigh the

relative costs such measures will have on the overall

functionality and attractiveness of the Internet as a

marketplace for entrepreneurs, consumers and

investors, if industry and interests are allowed to

use self-help measures to protect and safeguard their

interests and really have less concern about -- and

they put those interests over and above the overall

value and attractiveness of the Internet.

          In the end, we are left with the question,

is technology in the hands of consumers good or bad?

And if you believe that technology in the hands of

consumers is good as a general premise, and that there

ought to be innovation, then we must move slowly and

carefully and cautiously down this road towards having

the government empowered to police what others might

believe qualifies as cybercrime.

          Thank you.

          PROFESSOR GRADY:   Thank you very much,


          I'm proud to introduce our next speaker

because he's a graduate of our law school and over the

past few years has been a very good and helpful

advisor to me.   It's Bill Guidera, who is currently

and has been for some time with Microsoft Corporation

as a corporate attorney and their federal affairs


           Bill specializes in public safety matters

associated with cyber security, software licensing and

competition.   He joined Microsoft's legal department

in 1999, and is a former member of the Internet

Content Rating Association.

           Bill has his B.A. from Bates College in

Lewiston, Maine, and his J.D., I'm proud to say, from

George Mason University School of Law.   Bill.

           MR. GUIDERA:   Thank you, Dean.   It was

several years ago when you gave me that diploma.      I

was grateful then, and I'm grateful to be here today.

I don't know if I earned it, but I thank you for

giving it to me.

           I was also a student here on the old campus,

where I signed up as a member of the Federalist

Society, so this is a two-fer for me.    I'm very proud

to be here.    Thanks.

           I'm here on behalf of Microsoft, even though

I still am a card-carrying member of the Federalist

Society and a de facto member of the Alumni

Association of this school.   But let me talk a little

bit about what Microsoft's doing in this space.

             For those of you who have been here all day,

you know that there is a significant cybercrime issue

out there.    There are cyber vulnerabilities.   I don't

think there's any debate about that now.     As Manus

said, we've seen script kiddies and viruses and Trojan

horses, and we've seen the threat of cyberterrorism.

Last year, within a week of the September 11th

attacks, the NIMDA attack came out, which did billions

of dollars worth of damage.    Who did it?   We don't

know.   Where did it come from?   Don't know.    Was it

coincidental with September 11th?      Don't know, but it

could well be.    These are the questions we now face.

They're not questions that we faced several years ago.

The threat model has evolved considerably, and we now

realize that there are real threats out there.

             We also see these threats hitting all

platforms.    I represent Microsoft.   We got hit by Code

Red and NIMDA and other things that have done

significant damage.    But we're not alone, and we

partner with our industry colleagues to address this

situation.    The Lion and Ramen attacks hit the Linux

code base.    Solar Sunrise and Trinoo hit the Unix code

base.   AOL's had problems; MSN's had problems.     What

we find is that software is an extremely complex

entity, and the Windows code base is something like 40

million lines of code that has to operate with lots

and lots of different variations; not just Microsoft

stuff, but other companies' stuff, whether it's

Napster or Kazaa or AOL's ISP or whatever.      It's an

extremely complex thing.    Some people have said it's

one of the most complex things humankind has ever


             In that venture you will have

vulnerabilities.    Sometimes those vulnerabilities get

exploited by some pretty nasty people.       That's what

happened in Code Red and NIMDA, which hit us, as well

as other attacks.    So, those are sort of the basics.

Those are things we know now.    You will not have

perfect software at some point, or perfect technology

at some point, that's impervious to attack, unless

it's really, really small and really, really useless

for the most part; like not plugged into the Internet

and with very few lines of code.    You always will have

that functionality and security trade-off.   Our job is

to create ever more secure software and technology, and

to do so in partnership with government and industry

or industry partners.

            We have a special role within the industry.

Certainly, we have a significant market share of

desktops.   We have less than half in the server space.

But we have a leadership role that we have to play and

we have accepted that.

            In January of this year, Bill Gates sent a

memo out to every Microsoft employee -- something he

only does every two or three years or so, and they're

usually quite significant.   Several years ago, it was

embracing the Internet; that was in '95 or '96.    A few

years later, it was .net, which is a new platform for

us built around some unique technology.

            In January, it was trustworthy computing.

He said that we learned from Code Red and NIMDA and

the Love Bug and all these other attacks that our

customers will no longer trust us unless we provide

more secure technology that responds to what is a

growing threat from criminal hackers, whether they be

script kiddie writers, or at the most extreme,


          What we've had happen since then is a

cultural change in the company that's really quite

phenomenal.   For 20-some odd years, we were all about

building more functional software, something that made

it easier for you to run your desktop, to print a

document, to download a picture from the Internet and

put in your library to use other companies'

technology.   That's still happening; you know, we're

still certainly all about functionality.    But what

we've got is a change in the mindset of our

developers, who are now saying, "What can I do now as

I build this technology to make it more secure?"

That's really pretty neat, and that's a response to

the market telling us that people won't buy our stuff

if they don't trust us.

          It's quite phenomenal to see how the company

has shifted its vision and its culture in a major way.

We're seeing the results of that already.   The Windows

XP service pack just came out, and there were

improvements in that based on the work we've done

since Gates sent his mail in January, and improvements

that were done based on something we did in February

and March.    Anyone who knows the business knows the

importance of keeping your production cycle tight and

efficient.    You want it as short as possible so you

can get your new products out to market as soon as

possible and generate more revenue.

             We did something a little different with the

most recent product cycle.    We took every single

Windows developer, every single person who writes the

code that is Windows, and in February and March, we

took them offline and said don't produce product.

Come to class and learn how to create more secure

code.   We gave them advanced training in how to write

secure software.    That's two months off the bottom

line, frankly, and it's from every Windows product

forward.   We just moved every product back two months.

That's real money, and people who were leading this

class were experts within Microsoft and from outside

who were helping our developers learn how to write

better code.

             We're also changing the way we release

products.   More and more features are released with

the defaults off, making them less functional out of

the box, which bums some consumers out.   It makes them

unhappy. You can't use everything right out of the

box.   But it is a security measure we're taking, and

it's one way we get security into the consumer's face.

If not everything works when you turn it on and you

actually have to go in and find the toggle switch to

activate a feature, that means you're being confronted

right away with improved security and products and a

new way of handling a very different security threat

than what we faced with Windows 95 or Windows 3.1 or

even Windows 2000.

            We also have measures in place to respond to

vulnerabilities in our own products.   We have a group

of folks who work 7-24/365 responding to alerts that

there's a problem with one of our products.   Last year

they got 10,000 alerts from outside.   It could be one

of you.    I'm sure Riptech perhaps has had some people

who've alerted Microsoft to a potential problem in the


            These guys determine whether there is a real

problem, and if there is, they get a patch out as

quickly as possible.    Last year, there were a hundred

of these patches put out after 10,000 reports of

potential problems.    That is something that's going to

happen in software.    That's part of the way software

works.   It gets very complex; it has vulnerabilities;

you find them; you fix them; you get a patch out


             Another way we put security right in the

consumer's face is in Windows XP, for something called

the Windows Auto Update.    If one of these new patches

comes out and it's critical that you apply it to your

system, you get a little balloon on the bottom right

of your Start page when you activate the system.      It

says, "Critical update available; click here to

download."    That's right there in your face.   It says,

"Here's security.    Download this patch.   We're

providing it for free right here over the Internet.

Please put it on."    Those are things that I don't

think people even considered in '95 or '96 or '97.      I

never thought about patching my system for fear that a

hacker might use it as a dummy machine to launch

another attack.

            I mentioned several things we do on our own.

We also work with lots of industry partners.   Companies

like Symantec and Network Associates are retained to

beat the heck out of our systems.   Test them for

vulnerabilities; test them for openings.   Make them


            We also work with lots of companies to form

the IT ISAC, the Information Technologies Information

Sharing and Analysis Center.   We're in Partnership for

Critical Infrastructure Security, and we recently

announced a coalition with several other companies to

manage the reporting of vulnerabilities in a more

cohesive and efficient way that lessens the likelihood

that someone would find a vulnerability in a product

and post it right to the Internet for the world to

see, which is one of the most irresponsible things a

person could do. If they find a hole in a Windows or

Unix system, one of these people might take that hole

and post it to the Internet so that any of us could

find it, study it, and launch an attack based on that

hole.   It's facilitating a crime, essentially.

          What we've created is a structure so that,

if you find a hole, you report it to this coalition

and to the vendor, and you give the vendor a fair

opportunity to create a patch before you publish that


          To wrap up quickly -- because I'm a

legislative guy.   I'll just tell you a few things that

we're very interested in, in the legislative and

policy arena right now.   Increased deterrents:   we're

strong supporters of the bill that's passed the House,

the Cybercrime Enforcement bill (H.R. 3482), that

would ask Mike O'Neill and his colleagues on the

Sentencing Commission to revisit how criminal hackers

are sentenced.   We support FOIA reform, Freedom of

Information Act reform, to facilitate information

sharing among industry and government.   We support

additional resources for law enforcement.   It's tough

keeping up with hackers, and some of them are very

sophisticated and talented computer programmers.    Law

enforcers need equipment, resources and training to

keep up with those folks.

          Research and development on cyber security:

we have been big beneficiaries of government-funded

R&D.    We just ask that that work product be made

available to the private sector in ways that we can

integrate it into our technology without encumbering


             On the national strategy:   I'll close on

this.   Mr. Sofaer took a swipe at Microsoft for paring

back the scope of the national strategy.     As the

primary lobbyist to Mr. Clarke's office, I confronted

him afterwards and let him know he was wrong.

             In fact, our position has been that this

national strategy can be much tougher in many areas,

including asking universities and state and local

institutions to put in place tougher measures to

handle cybercrime more efficiently such as 7/24

centers to respond to threats, attacks or incidents

that take place at those places.

             We work closely with Clarke's office.     We'd

like to see the document be stronger.     I'll close with

that and look forward to Mr. Malcolm's comments and


             DEAN GRADY:   Thank you very much.   Our last

speaker -- I think you've been introduced before,

haven't you?

          MR. MALCOLM:    Yes.

          DEAN GRADY:    Well, you're still the Deputy

Assistant Attorney General of the Criminal Division at

the Department of Justice with oversight

responsibility for the computer crime and intellectual

property section, among others.

          MR. MALCOLM:    I'll pick up a little bit on

where Bill left off.    I'd like to focus my remarks on

critical infrastructure protection and the need for

public-private cooperation in this critical area.

          As we've all heard today, but I think it

bears repeating, cyberspace security is not just about

protecting email systems.   Although this is somewhat

of a shifting concept, critical infrastructure is

generally taken to mean infrastructure that pertains

to telecommunications, energy, banking and finance,

transportation, water supply systems, emergency

services -- which include medical, police, fire and

rescue services -- and continuity of government.    In

other words, things that, if the system shut down,

we'd be hurting.   We'd be in a lot of trouble.

            It is a fact, as we all know, that computers

control many of the critical infrastructures upon

which we rely, and many of these computers are in an

unmanaged or relatively unmanaged environment and are

vulnerable to attack.   As more people become computer

literate and hostile groups and terrorists start

devoting additional resources to exploiting these

weaknesses, perhaps coupled with physical attacks,

vulnerability increases dramatically.

            Our ability to ensure unimpeded access to

our critical infrastructure and to maintaining order

and our physical wellbeing depends on our ability to

do the best that we can to secure these networks.      It

is also a fact, as Mike O'Neill alluded to in his

opening remarks at this conference, that approximately

85 percent of a nation's critical infrastructure is

owned and operated by the private sector.   That means

that a partnership between the public sector and the

private sector is going to be essential to achieve


            When it comes to critical infrastructure

protection, both government and industry have huge

roles to play, and hopefully they will be able to play

them in a way which gets the job done while not

getting in each other's way.   As a large purchaser of

security products for federal installations and

federal agencies, the government has the opportunity

to lead by example, by demanding high standards and by

testing these products.   Furthermore, through its

involvement with the National Institute of Standards

and Technology, the government also has a large role

to play -- that's not to say a sole role to play; we

don't have a monopoly on this -- but a large role to

play in terms of setting industry standards that help

to establish a marketplace for security products and

services.   Of course, the government has been

responsible, as we've been hearing, for the role of

enforcing cybercrime laws.

            Industry, of course, has its role to play.

As you all know, and as these people at the table

certainly know, software tends to be very complex

today, and it is exceedingly difficult, if not

impossible, to produce bug-free software.   As it

responds to threats, private industry is going to need

to develop and deploy secure products, making it

easier to maintain security over time as threats

change and vulnerabilities are uncovered.

          As a repository of intelligence information,

the government can also play a critical role in

assessing threats to our critical infrastructure, and

in disseminating information, as needed, to entities

and individuals in the private sector who can take

necessary steps to protect the critical infrastructure

that are in jeopardy, in order to avoid a disaster.

However, as I'll discuss briefly in a few moments,

this information flow has got to be a two-way street.

          This panel, in part in its description, was

asked to explore a distinction between prevention of

cybercrime and prosecution of cybercriminals.     And

actually, Judge Sofaer tended to poo-poo this and say

that prosecution somehow has no role to play in terms

of prevention.    I would take issue with that.   I don't

see them as distinct, but rather, I see prevention and

prosecution, in this area in particular, as being part

of a continuum.

          In addition to the obvious point that

effective prosecution can serve as a deterrent to

others who might otherwise think of becoming

cybercriminals, unlike a physical attack, the lines

between prevention and response when it comes to a

cyberattack are not as distinct.   This is because

cyber-incidents are continual and they build on

themselves.   Once one weakness is exploited, that can

lead to additional exploitation, such as creating

zombie computers, inserting Trojan horses, and

prompting new assaults by other groups.   The effects

of some of these efforts, such as with Trojan horses,

might not be felt for some time, long after the

initial cyberincident.   So I would argue that,

actually, prompt and effective law enforcement

responses to cyber incidents can in a very real and

tangible way prevent those incidents from escalating

into something far more serious.

          There are some people in private industry,

again, who control all this critical infrastructure,

who would rather go it alone.   They'd like to respond

to a cyber incident by reformatting their hard drives,

patching their operating systems, saying a little

prayer and hoping that their problems are over.    From

my perspective, I think that this is a mistake.    This

kind of solution, I believe, delays the inevitable day

when a response from law enforcement is going to be

involved and, of course, leaves others vulnerable to

some cyber marauder who's out there and who's already

attacked that one company's system.

          In order to combat cybercrime, and most

especially to protect our critical infrastructure

there needs to be a two-way flow of information

between the private sector that controls those

networks and law enforcement that can disseminate

useful information and respond to incidents.

          I've heard throughout this debate a lot of

reasons why companies are very reluctant to share

information with the government, and I'd like to

address three of these.   First, I've heard that there

are a lot of companies that believe that law

enforcement somehow is, one, going to be incompetent;

and two, going to be intrusive or insensitive to

respecting their business necessities when they are

conducting investigations.   As you've heard some

people already say, law enforcement is dedicated to

fighting cybercrime.   Although we have a learning

curve, we're attracting a lot of talented people

within the Department of Justice, the FBI, the Secret

Service and other agencies that are involved in

protecting against cybercriminals, and they are

getting up to speed in the technological challenges

that are posed by this fight.

          The federal government has committed

significant resources to this fight.   There is at

least one FBI agent in every field office, and, in

many cases, far more than that, and prosecutors in

every U.S. attorney’s office throughout the country,

who specialize in and are devoted to fighting

cybercrime.   Chris Painter referred to the 13 CHIP

units, Computer Hacking Intellectual Property units.

There are more on the drawing board.   Director Mueller

of the FBI was the U.S. Attorney out in San Francisco

when the first CHIP unit was developed there.    He

promoted that program when he came back to the

Department of Justice, before becoming FBI Director.

And as the Director, he clearly sees the value in

developing the expertise in this area to fight


           As well, the Computer Crime and Intellectual

Property section, affectionately known as CCIPS, and

the cyber unit within the FBI, have that expertise,

and it is centralized and disseminated to the field as

needed.   Our specialists work very closely with

industry and are sensitive to business needs.    We

realize the companies that have been attacked are the

victims, and we appreciate their cooperation.    We

don't want to haul away entire networks as evidence if

you don't want us to and if we don't need it.

           We don't disclose facts in cases in which we

investigate.   Indeed, under grand jury secrecy rules,

we are prohibited from doing so.    We devote a lot of

resources and specialization to these tasks, and we

have started to generate results.   I'm happy to say

that we catch more cybercriminals today than we ever

have before, although, granted, it's a growing field

of criminals, and there are a lot of people out there

who remain uncaught.

           Second, I've heard a lot of companies say

that they are afraid to share security information

amongst themselves and with the government for fear of

possibly incurring antitrust liability.   Well,

historically, the Justice Department has viewed

requests for antitrust exemptions in this particular

area from the private sector as unnecessary since

submitting this type of information is unlikely to

violate antitrust laws.   Indeed, the Justice

Department already has a mechanism for alleviating

concern, known as the business review letter.     The

Department has never brought an enforcement action

against anybody who's ever received a business review

letter.   Nonetheless, while we don’t think this is a

real problem, we believe that if there is any

uncertainty, a business review letter will suffice.

           The danger, of course, to an antitrust

exemption is that companies are going to get together

under the guise of discussing security and talk about

a lot more than security.   They're going to talk about

pricing information and the like that can lead to real

antitrust crimes.   That having been said, a specific

antitrust exemption with respect to critical

infrastructure information is being discussed within

the administration.   We have closed no doors.   We are

open to that.

          Third, as Bill just said, I've heard there

are some companies that are afraid to provide security

information to the government because they fear that

that information will later have to be disclosed under

the Freedom of Information Act, or FOIA, thereby

resulting in a panoply of bad things -- bad

publicity; subjecting a company to competitive

disadvantages; lawsuits from disgruntled shareholders

or customers who are upset about vulnerabilities, or

what have you.

          This is a legitimate concern.   The Justice

Department believes that critical infrastructure

information that is voluntarily submitted to the

government is, in fact, already protected from

disclosure under current law.   However, we realize

that there are some within the industry who disagree

about this, and also there are some people who, while

they might not disagree, at least are uncomfortable

with a lack of certainty in that area that makes them

reluctant to share that information.   Both the House

and Senate, with the support of the Administration,

are currently considering bills that would

specifically bar disclosure under FOIA of any

information that has been voluntarily submitted to

government agencies to protect critical


            Again, the information flow has got to be a

two-way street.   The Administration has in place and

is putting in place a lot of programs in order to

facilitate that information flow.   For instance, the

FBI, NIPC, the National Infrastructure Protection

Center, has its InfraGard program, which is actually

remarkably successful and is being so recognized by

industry.   It's an alliance in many cities between the

government and the private sector in order to

facilitate information sharing.

            Several other government agencies and

industries have gotten together and formed information

sharing and analysis centers. They've been referred to

as ISACs, and they're developing plans to share

information on an industry-specific level.   And there

are other organizations -- the National Infrastructure

Protection Center that I've just referred to; the

Critical Infrastructure Assurance Office; the Office

of Homeland Security; the Federal Computer Incident

Response Center.   All of these are being established,

or are up and running, and are going to serve as a

mechanism to break down those barriers.   This

Administration supports and encourages all of those.

           In conclusion, let me say that something

clearly has got to be done.   The consequences of harm

to our critical infrastructure from a cyber and/or

physical attack are simply too great.   We have the

responsibility to protect the public and to ensure

domestic tranquility.    We can't just sit by and do


           Both the private sector and the public

sector are going to have to work cooperatively and

think creatively in order to bridge the gaps that

exist.   You've heard a lot about the national strategy

to secure cyberspace.    Unlike Judge Sofaer, I will not

poo-poo that document.   It is in draft form, and its

purpose is to permit such a dialog to occur, and it is

occurring.    This is a critical time in terms of

developing an appropriate strategy to protect our

critical infrastructure.     I, for one, am looking

forward to seeing what all these bright people who sit

down in a room together can come up with.     Thanks.

             DEAN GRADY:   Well, since this is a

Federalist Society conference, as well as a GMU Law

School Tech Center conference, I thought maybe I'd try

to ask our panelists, I hope, provocative questions

having to do with whether there is really a need at

all for government involvement in this particular

area.   So, make the distinction that I guess Judge

Sofaer made, which I think is quite a useful

distinction between prosecution and prevention.       Let's

look at prosecution first.      I think, John Malcolm,

you assume and probably many people believe that the

government has a very important role in the

prosecution of criminals.     In this area, however, why

wouldn't it be possible for individuals or groups to

organize themselves into protective societies?   It

almost exists in Los Angeles now.     If you drive

through some of the neighborhoods, you see signs out

in front of houses indicating which private security

company the house is protected by.     Why couldn't you

have that type of system in cyberspace?    In effect,

prosecution would be private prosecution. The

associations would maybe hack back and destroy the

computers that launched the attack.    Maybe there would

be bonding requirements for these associations, so

that they would be liable in the event that they hack

back against the wrong computer.   So, that would be

one set of Libertarian policy proposals.

          Perhaps another one would be on the

prevention side.   Some have considered, for instance,

computers constituting the power grid, maybe of the

Northwest power grid.   Some have said, "Well, really,

there need to be government standards for

cybersecurity.   These computers are not building

firewalls that are high enough or thick enough, and

the government needs to be involved by way of

regulation."   Why is that the case?   Why will the

market not solve that particular problem?   It seems to

be one in which you've got profit-maximizing

organizations.    Why is the government needed to

provide that type of regulation?

             Or, with respect to Microsoft and other

software producers, some people have proposed products

liability.    Why is that products liability required?

Why won't ordinary market competition produce the

optimal security in software?

             I was hearing the other day about a defect

that existed in a particular model of the Honda

automobile.    There is a pipe, apparently, in this

Honda that controls the brakes, and if ice hits it in

exactly the wrong way, it will spring a leak.    So,

they've recalled all of these Hondas.    Well, the

normal argument for products liability is that this is

such a low-probability event, the susceptibility of a

car to that type of defect, that you can't rely on

market forces to regulate the market to ensure the

proper quality.

             In the area of security, it seems exactly

the opposite; everyone is concerned with security.

Why isn't due security strength of a software tool

like the taste of ice cream?    In other words, we don't

really need the government to regulate Ben & Jerry's

to make sure that the Cherries Garcia tastes good; why

is there a better argument for requiring Microsoft to

have better security?    Isn't that a central concern

that consumers would be interested in?

          I would ask our panelists to comment on any

or all of those issues revolving around the broader

issue of why government involvement is involved in

this area at all.

          MR. MALCOLM:    That's a lot to bite off.     I

notice that we did change the structure somewhat in

that previous panelists had an opportunity to respond

to other panelists, and, at some point, I have a

couple of things to say in response to Manus'

presentation. But he can prepare for that.

          With respect to the notion of private

prosecutions and the related concept of hacking back,

there are already private prosecutions of a sort;

they're called plaintiff's lawyers.   There's already a

lot of concern about government people who are subject

to all sorts of statutes and regulations that don't

apply to the private sector, and people are concerned

about the government being involved in prosecutions.

So, somehow, having an English system of private

prosecutions, I think, would fall on deaf ears in this


             In terms of hacking back, that's an

interesting concept, and of course there's the Berman

Bill that's being bandied about in terms of peer-to-

peer hack-backs.    The administration hasn't taken a

position on it other than to say that the way the law

is written now, hacking is illegal.

             I will say that there are problems with

hack-backs, particularly when a lot of people who

engage in hacking are very sophisticated and actually

route their attacks through innocent, zombie

computers.    And if you hack back, you are, without

authorization or any approval from any court (which is

what the United States government's got to get before

it can react) breaking into somebody's system.     Once

you break into somebody's system, the consequences can

be pretty bad.    Can somebody be sued civilly if they

do it wrongly?    Yeah, but that's a little bit like

addressing the problem after the horse has left the

barn.   So, with respect to laws permitting hack-backs,

the devil will be in the details.    It's certainly

innovative; it's certainly true that the private

sector, in many ways, is in a better position to react

swiftly and to protect itself.   It is problematic and

I do think that we need to look at that and to debate

it seriously.

           With respect to government standards, and

the possible need for regulation, this is important

stuff and the government needs to be involved.   It is

never this Administration's first response to say that

what we need is more regulation.    Government standards

in this area would be problematic.   Where we are

pretty good, I think, is in gathering a lot of bright

people together and trying to come up with a list of

recommended practices.   However, as has been pointed

out by many speakers already, a lot of the knowledge

rests in private sector and not in the government.

Coming up with standards takes an exceedingly long

period of time, and this is a dynamic market in which

vulnerabilities can change and the need to adapt

standards can evolve very, very quickly.   Any time you

have a government-imposed solution, it may be

muscular, but it's not always flexible.   So, I think

the preference would be to come up with standards that

are flexible and muscular and that largely come from

the private sector.

          With respect to a need for cooperation and

why optimal security cannot be achieved on its own by

the private sector, with the government sort of

leaving its hands off -- I would say that, at least

with respect to critical infrastructure, the

consequences are simply too important.    In addition,

there are a lot of sensitive government networks --

the military, intelligence -- that, through private

contracts, are run by private companies that control

those networks.   So the government has a direct

interest in protecting its own information by securing

this part of our critical infrastructure.

          In addition to that, if the water supply for

an entire city gets tainted, or if the energy supply

is disrupted in a city, or the air traffic control

system goes whack and planes start crashing into each

other and falling out of the sky, the general public

is not going to be looking to the private company that

controlled that system.      They're going to be looking

to the federal government -- and rightfully so -- and

saying "Why didn't you protect us?"

             MR. GUIDERA:    John, very quickly, if I could

jump in, when you talk about hacking back, when you

talk about going out and injuring the party that

injured you, one of the interesting things that was

presented to me in Code Red, our developers had found

a way to create, if you will, a virus that would take

advantage of the same exploit in the Microsoft server

to actually patch it.       So, they actually wanted to

launch to go back out and hack into somebody's system

and actually fix the patch so that our customers would

actually stop getting pinged.      I'm curious about what

the Department of Justice would think about something

like that.    I was very nervous when he presented that

to me.

             MR. MALCOLM:    I'm sorry -- your concern is

what now?

             PROFESSOR GRADY:    It's a benign trespass,

basically.    So, you're going back into a system and

basically patching the system of your customer,

without the express consent of your customer.

             MR. GUIDERA:   Actually, it's not even our

customers.    It's some third-party server that's a

zombie that's acting as a launch site for the bug.

             PROFESSOR GRADY:   So you're disabling the

zombie, basically.

             MR. GUIDERA:   Fixing it.

             PROFESSOR GRADY:   Fixing it, right.

             MR. MALCOLM:   Well, you are patching a

vulnerability that, if someone doesn't do it

themselves, can create an exploitation.     That’s an

interesting idea.    Look, as I say, we need to be

flexible in our approach.

             PROFESSOR GRADY:   As an irony, isn't there a

statute that prevents self-help in this area?       It's an

irony that if someone steals whatever you're carrying,

your umbrella, for example, you have the right to go

after that individual and tackle that person and grab

your umbrella.    Now, I don't think you have the

ability in cyberspace, do you, because of the statute

that's been passed?    I mean, it's basically the same

principle.    Why should rights be more circumscribed?

             To rephrase Professor O'Neill's question,

why should rights be more circumscribed in cyberspace

than in real space?    It seems like there are fewer

rights of self-help now.

             MR. MALCOLM:   What limits self-help is that

you're hacking into somebody's system without their

consent, and that's a violation of Section 1030.        With

respect to --

             PROFESSOR GRADY:   How about if they're --

             MR. MALCOLM:   Well, hold on a minute --

             PROFESSOR GRADY:   How about if they've

hacked into you?

             MR. MALCOLM:   I understand that.   With

respect to your real-world example of somebody

stealing your umbrella, there are laws that apply,

including laws of self-defense. You can't, for

instance, for somebody who steals your umbrella, go

and kill him.    You can't act like Rambo and just go

start shooting at other computers because you don't

know who you're going to take down in the process.

             I'm not saying that there can't be some kind

of solution in appropriate circumstances --

          PROFESSOR GRADY:     Well, if you --

          MR. MALCOLM:   -- well, hang on one second --

including the one that was just identified saying,

well, okay, we have software, we know who has our

software, we've discovered a vulnerability, perhaps

that makes sense.

          PROFESSOR GRADY:     Yes.

          MR. MALCOLM:   But it needs to be under

circumscribed circumstances.

          MR. GUIDERA:   In effect, we've got --

          PROFESSOR GRADY:     Well, as a government

regulation in some way, I guess.      But I mean, it's a

very well-developed system in the umbrella area so if

someone steals your umbrella, you can go after them.

And if you tackle the wrong person, then you're liable

to that person.   Why couldn't the same principle work

out in this area?   It seems odd that the Bush

Administration, of all others, ought to be advocating

a reliance upon public regulation as opposed to these

time-honored methods of private ordering and private


            I don't know where the truth is in this

area.    I'm just trying to stir something up here, I


            One thing that did strike me was your

statement that since it's so important, the government

had to be involved.   A lot of people would say, it's

just the opposite; the government ought not to be


            MR. MALCOLM:   I don't know about you, but

when I go outside, I'm by and large relying upon

police, law enforcement officers, to protect me.      I'm

not relying upon every citizen who's got a gun to pull

it out when they think something's happening to me and

blasting away.

            Again, when we're talking about critical

infrastructure, the potential harm is devastating. I

don't remember which types of airlines the terrorists

on September 11th were flying, but I remember Pan

Am over Lockerbie.    We don't sit there and say let's

all go and blame Pan Am for what happened there.

There may be civil consequence; people may sue.     But

in terms of what happened and the people dying and the

terrorist organization, they're not looking for Pan Am

to handle all of that.   They're looking for airport

security and for security for transportation and

traveling, to be handled in large part by the federal


          Now, if you don't think the federal

government has a role to play in that, I suggest that

that might be a recipe for anarchy.   But, does it make

sense always to have a government-imposed solution and

to totally cut out the private sector?   No, I don't

think this makes sense and I'm glad we're having this


          MR. COONEY:    On that point, though, there's

talk about the need to protect critical components of

the critical infrastructure.   Is the entertainment

industry a critical component of the critical

infrastructure for our country?

          And if not, then why is the Department of

Justice talking so much about going after individual

consumers and users of file-sharing services?

          MR. MALCOLM:   Glad you asked that.   Now, I

get my opportunity to make my two or three points that

I wanted to make with respect to you.

          One, the Department of Justice has not

entered into any partnership with any industry -- not

the Recording Industry of America or the Motion

Picture Association of America.   I understand you

worked at Napster and you had some bitter experiences.

          However, we are not looking to stifle

innovation; we are not out to stifle competition.    We

are looking to enforce federal laws that have been

enacted by Congress, that have been signed by the

President, and whose constitutionality has been upheld

or is being challenged.   However, I will answer your

question on whether the entertainment industry is a

critical infrastructure. The answer is clearly no, so

let's dispense with that.

          Nonetheless, the software industry is a very

important and thriving sector of our economy.

          It is a vital sector.   Intellectual property

rights are enforceable rights, and a lot of the

intellectual property is being stolen overseas.    This

is costing American jobs, hurting the American

economy, and we are losing a huge tax base, and also,

by the way, causing security problems.    I would say

that, with respect to IP rights, since that's of

obvious concern to you, I think the Department of

Justice, contrary to popular opinion, has been

remarkably circumspect in terms of its enforcement

efforts.   In terms of IP, we've done big operations

involving large Internet piracy rings, like Operation

Buccaneer.    There's only been one or two DMCA cases,

Digital Millennium Copyright Act, and I think if we had

time to go through the facts of each of those cases, I

might have time to get most, if not all of the people

in this room to agree.

             I would remind you that with respect to

Napster's demise, that was done by civil lawsuits by

private parties.    The federal government wasn't in

there doing some kind of enforcement action.    There

was no criminal investigation, no threatened

prosecution.    You know, that was not government


             You made one other comment that I thought

was interesting.    You talked about a threat; you

talked about Y2K, and you somehow said that's an

overreaction, and that's a government failure.     I

don't see that at all.   In fact, I view the Y2K

problem as an example of government success.    It was a

verifiable threat.   It was a verifiable threat that

the government learned about, disseminated that

information and didn't impose any kind of action,

didn't impose any kind of regulations, didn't

threaten anyone with criminal liability if they

didn't fix that problem, and said "Here's the problem.

You ought to be aware of it, and fix it."    And

thankfully, enough private-sector people did that and

averted what could have been a very bad situation.

          PROFESSOR GRADY:    All right.   I wonder if

there are questions from the audience?     Yes, in the

back there.

          AUDIENCE PARTICIPANT:    Before I turn to my

question, Dean, I think the distinction here is we are

a cybercrime conference, not a cybertort conference.

Maybe we should have one of those, and it would be a

fascinating time.    But I guess on the cybercrime

conference, we need to talk about what the role of the

government is.

           I'm Dave Weitzel from Mitretech, and we're

in the business of buying a lot of stuff for the

government so that they can be secure.   In that

research, I noticed in a recent study by St. Paul

Insurance, in a study of network security officers,

this is the first year that they discovered that there

were actually more outside attacks to their networks

than there were inside attacks.   This is the first

year that it's been a bigger threat on the outside.

Isn't that because the use of Internet technology in

those kinds of attacks is different than the use of

the Internet itself?   I was wondering if the panelists

can talk about that insider threat and how you manage

that as you assess the threat.

           MR. GUIDERA:   I didn't realize that this was

the first year where external is actually more because

I always thought it was the opposite, so I'm intrigued

by it.   Certainly what we do is, you restrict access

to certain parts of the code to people who may have

their backgrounds checked.   So, if you're going to

work on a sensitive cryptomodule, we're going to do a

background check on you to make sure you're all right.

This recently happened with a different platform than

ours.   Someone had written a Trojan horse into the

code and the code got released out into the open

public.   I think it was an open source model.      And if

that happens to us, that person not only gets fired,

but we'll turn them over to John, right?

           We've got a whole bunch of people onboard

and companies that do intrusion detection monitoring

our networks all the time.    But, this area's growing a

lot on the roots of IP enforcement because in the

past, a large part of the problem has been internal

employees taking intellectual property and putting it

up on the Internet.   That's why you could get Windows

XP on the Internet before it was released to the

public.   You know, that's one way it gets out there.

We're learning from the IP enforcement measure, and

you put systems in place to try to track your folks,

and if they do, you fire them and you turn them over

to the cops.

           MR. GUIDERA:    If I may, I've got the

microphone for a moment.    I just want to address

something the Dean asked earlier.    I didn't have a

chance to do so.    You know, the premise of your

questions, Dean Grady, seems to be that the market may

not be working as well as it ought to.    And I think

what we're seeing is evidence that the market is

responding quite rapidly and quite aggressively to the


            If any of you subscribe to the Economist,

you've seen nothing on the back page of the Economist

magazine lately but ads for Oracle announcing their

unbreakability.    That is an enormous expense to buy

that ad space and to put their credibility on the

line, saying their stuff is secure.    That's pretty

cool, right?   Three or four years ago, would any

company market its security?    I mean, any major

software company, commercial software company that

wasn't a security firm?   Were we out there saying our

stuff's more secure?   It was the exception rather than

the norm.

            Microsoft, like I said, putting our

credibility on the line with trustworthy computing,

that's a huge, huge response to market change.

            PROFESSOR GRADY:   I thought I was agreeing

with you, Bill.

            MR. GUIDERA:   One of the things that John

said about the information sharing example, I want to

give you an example of how we share information with

competitors and the government that shows how the

system can work pretty well and perhaps might show a

flaw in it, too.

            When the Love Bug virus came out a few years

ago -- this is the one that was called "Love Letter",

and the message said "I love you", and you were

supposed to double-click on the thing and it unleashed

a virus.   Lots and lots of people opened that.    It

started in Asia.   A few hours, or perhaps only even a

couple of hours after it was unleashed, our security

apparatus in Redmond saw a major spike in that work

activity.   They thought, that's a little out of the

usual.    They brought our chief security strategist in;

got him out of bed at 11 p.m. and brought him into the

office.   And by midnight, we realized there was

something out there and secured our own networks.

Somewhere in that process, our chief security guy

called his counterpart from one of our major, major

competitors -- a company, incidentally, that seeks the

break-up of Microsoft -- but he called up this guy and

said "Are you seeing this, too?    Are you seeing this

major spike in network activity?"    Yes, they were.

They realized they had a major incident.    They were

sharing information and cooperating and helped the

other company secure their networks.    And that started

an information-sharing circle.    That's happening all

across our industry.

             Shortly thereafter, our guy called the FBI.

And this was in a prior administration under prior

leadership of this entity within the FBI. And he got a

voicemail message, he got the answering service saying

"no one's here to take your call; we'll get back to


             That was about one in the morning, something

like that.    A few hours later, he called again and

didn't get through.    The long and short of it is,

eight hours later, his call got returned and that was

how our company informed the FBI.    We called the

Pentagon, too. They run the .mil domain, so we let

them know that this incident was out there.    That was

an example of ad hoc information sharing that was

super-productive.   And I think in the current

government structure, it's working really, really

well.    But that's an example where information sharing

works extremely well and where companies like

Microsoft and the DOJ and other government entities

are working side-by-side to address this problem in

ways we couldn't even imagine five or six years ago.

            PROFESSOR GRADY:    Yes, you had a question

back there.

            AUDIENCE PARTICIPANT:    First, I want to

respectfully disagree with Mr. Malcolm, who said with

the Y2K problem, the government didn't go around

saying here's a problem and you'd better fix it or

else.    I worked for the Chronicle of Higher Education

during the Y2K scare.      Obviously, it was a very real

thing.   But you bet, the government went around to

publicly funded institutions and the government

certainly did come along and do that.

            MR. MALCOLM:    That's an important

qualification.   When federal funding, government

money, was involved, then different rules applied.

But that's an important qualification.   That was the

exception rather than the rule, but that's an

important qualification.

           AUDIENCE PARTICIPANT:   Now I'd like to just

flip and argue the other side, which is where I wish

the government would say to companies like Microsoft

and other companies that are marketing their company

as trustworthy this and don't worry and put us on your

system.   Until extremely recently, there were known

software flaws and trapdoors, and Microsoft assumed

that people would find these during these informal

information chains, and that then Microsoft could

publish patches, and that's the way the system would

work.   In fact, the defaults for many of these

software programs were to assume that everybody wanted

any email to automatically launch and be sent to every

single email address in your address book.   With the

amount of negligence that was perpetrated by companies

like Microsoft and others, and it was just

extraordinary, I don't know why the civil bar didn't

do anything.   I wish this were a cybertort conference.

Why doesn't the government act when there are knowing

bugs and real security glitches in these widely-used

software programs?

           MR. MALCOLM:   Well, again, unless a critical

infrastructure is threatened, government doesn’t

usually get involved. But I'm not at Microsoft; I've

never worked for Microsoft.    I can tell you that their

chief security strategist, Scott Charney, who used to

be head of the computer crime and intellectual

property section, is an extremely bright guy who's

very focused on security.   And I take Microsoft at its

word that this is a new day.   I mean, if they stopped

production for two weeks or whatever it was in order

to focus on security, I can tell you that when we

become aware of vulnerabilities through things like

the InfraGard system, we make sure the private sector

knows about it.   It's all of relatively recent

vintage.   This entire development of vulnerability in

areas of cybercrime, and working together, it is new


           MR. GUIDERA: You say that companies like

Microsoft are saying "Don't worry."   That comment is

bizarre to the point of comedy.   Read anything we are

saying on security today, anything we are doing; look

at everything we are doing.    You'll see that we worry

a hell of a lot about it. That's why we do so much.

That's why we're spending hundreds of millions on it

right now, if not even more.

          That's why we stopped the release of a

product recently.    It was just about to go out the

door -- a major, major release -- and we said, "No,

we're sending it back to the shop floor to re-do it."

That's money right off the bottom line.   That's my

stock value going down.    That's the company saying we

care a hell of a lot about this.   When we have that

little pop-up window in XP, it's saying, "We've got a

problem in our product."   It's saying right to you,

"Wow, we've got a mistake here.    Download the patch.

We're going to give it to you as easily as we possibly

can."   There's a huge amount of activity; not just my

company but others doing everything they can to

address the problem, and I don't think anyone is

saying don't worry.   That's bizarre.   Why are we

having this panel?    Of course, we worry tremendously

about this.

          And you mentioned the Love Bug situation.

Yes, the default was set so that you could open an

attachment in an email without a block between.      The

default wasn't set so that it said double-click on an

attachment so that it can unleash a virus that

corrupts your entire inbox and causes global calamity.

           What did we do immediately thereafter?      We

put a system in place that says, "Do you really want

to open this thing?"   What you had happen was

reasonableness changed because of that incident.

Reasonableness was different than it was on September

12th in airline safety.   Reasonableness before the

Love Bug came out was different than it was after, and

we changed with the marketplace and we changed the

standard for reliability.    Reasonableness changed as a

result of those incidents.   The company changed as a

result of it, and all of us changed as a result of it.

           We've all changed.   Before the Love Bug, did

anyone have an issue about double-clicking on an

attachment and opening it?   Yeah, some did.   Yeah,

there's one or two guys in the back.    But the rest of

us?   Not a lot.   Now we understand.   We're learning.

Like I said, reasonableness changes over time, and how

you measure reasonableness in this environment is an

extremely difficult venture.

            DEAN GRADY:   Well said.    Yes.

            AUDIENCE PARTICIPANT:      Frank Foreman, U.S.

Department of Education.    I have a book, a number and

a question.

            The book is The Culture of Conspiracy.       It's

a wonderful cultural counterpart to the crime issues

you've been discussing here.    The book goes into why

it is that the default methodology for understanding

the world today is paranoia.    The book was written by

Pinight.    I forget the first name; I forgot to bring

the book. It's very entertaining, as well as very


            The number all you panelists want to know is

400.   That is the number of bits of code that it would

take to make an unbreakable encryption.        There are 10

to the 89th particles in the universe, most of them

photons.    There have been 10 to the 31st Planck moments

since the Big Bang.   A Planck moment is the length of

time it takes a photon to cross the minimum Planck

distance.   So, 10 to the 89th and 10 to the 31st is 10

to the 120th possible computations in the universe.

And 10 to the 120th is 2 to the 400th.         So, that's the

answer.   You can't break a code that long if the whole

universe were a computer from the beginning of time.

             That's a very small number, and if you ask

most people, they'd say it's up in the millionths or


             DEAN GRADY:    So, I guess the question is why

don't we rely on better encryption to resolve these


             MR. MALCOLM:   Gee, I hope there's not a test

after that question.

             MR. GUIDERA: That blew my calculator out.

             MR. MALCOLM:    I think that better encryption

is part of the solution.      I also think it's going to

be part of the problem; it depends on who's using it.

However, to secure networks and engage in commerce and

take advantage of all of the things that there are on

the Internet, I think encryption's a good thing. But

that's part of it.

             SPEAKER:   Encryption's part of the solution,

of course.    But the panel was asked what can the

government and industry do in partnership.      I would

argue that the government should focus its resources

and energies on the critical infrastructure issues,

those issues of most concern to the general public.

             The point I was making, and perhaps not well

enough, was that you have a generation of young people

who view with skepticism the way in which the laws are

being written and the ways in which the laws are being

applied or enforced, whether it's through the civil

court system or whether the Department of Justice

files an amicus brief in support of the plaintiffs in

that case, or through the criminal courts or through

the development of international cybercrime treaties

that criminalize what had been previously a civil

violation.    The ability of the government to

accomplish all of these tasks effectively is


             What ends up happening is the cynicism

increases among the general population and it becomes

more difficult for the private sector to deal with it

on its own.    So, for the long term, I think that what

we ought to be focusing on are those areas that are

most important, most critical, to the general

population and to this country, and leave to the

private sector what the private sector is in the best

position to deal with.

            PROFESSOR GRADY:   We have one more question.


            AUDIENCE PARTICIPANT:    Question and comment.

We have a lot of servers out there and a lot of PCs

out there, and a lot of IIS web servers, so we rely

very heavily on our management and our resources.

These people could have patch accidents and people are

not patching their servers appropriately and fast

enough.   That's certainly true.    But another point of

view is why are we running bad software or inferior


            I've been involved in security summits, and

I'm very happy to hear that Microsoft is really taking

a strong stance on security and the whole industry is.

From my point of view, it's about time.

            MR. GUIDERA:   That's fair.    Listen, that's a

totally fair comment and I appreciate that.      You're

right; we had the patch available for the Code Red

vulnerability in June of 2001.      It hit, I believe, in

October -- excuse me, in late July.       So, we had it

available.    Did we get it out there in the best way we

possibly could?    No.   Patch management's a huge issue

for us.   It's probably our number 1 customer problem

for people who have been working on our web server

side.   Have we always done security well?     Absolutely


             To the comment that you don't worry about

it, we're worried about it because we didn't do it

very well for a very long time.     Straight up, we just

did not do security very well.     We were all about

functionality.    You know, lower cost, more

functionality, and security was an externality we

didn't internalize, if I may say that, Dean.     So,

yeah, I think that's a totally fair comment.     What

we've done is we've seen the environment change and

we're trying to do a culture shift.     Are we there yet?

No.    We've got a long way to go, and that's why we

work with government and industry to get better at

this stuff.

             PROFESSOR GRADY:   Thank you very much.    I

want to thank all of you who have attended this

symposium and I want to thank all of our panelists

here for a very lively session.





      The Honorable Claude Allen

             Deputy Secretary

Department of Health and Human Services

                       4:00 P.M.
                    October 3, 2002
         George Mason University School of Law
                    Fairfax, Virginia

 1                    THE FEDERALIST SOCIETY

 2                      Closing Address by

 3                  The Honorable Claude Allen

 4                                                 4:00 p.m.


 6               PROFESSOR O'NEILL:   We're going to call

 7   the last session of our meeting to order here, if

 8   we could.   As we draw to the close of our

 9   cybercrime conference, we thought it would be

10   interesting to view the problem of crime and

11   terrorism and some of the issues facing the nation

12   today from a slightly different perspective, and

13   that's the perspective provided to us by the

14   Department of Health and Human Services.

15               It's therefore my pleasure to introduce

16   to you Mr. Claude Allen, the Deputy Secretary of

17   the Department of Health and Human Services.    Often

18   when we say it's a pleasure to introduce someone,

19   we mean it only as an obligatory gesture.    In this

20   case, however, I actually mean it sincerely, for

21   Claude and I have been friends for many, many

 1   years. Indeed, the first job I had out of law

 2   school, when I graduated from law school, was

 3   serving as a clerk together with Mr. Allen; it's

 4   hard to call him Mr. Allen.   It was during those

 5   days that we spent all those arduous hours we spent

 6   clerking together on the D.C. Circuit that we were

 7   able to forge a fast friendship.

 8             Deputy Secretary Allen -- I'll try to

 9   stick with his formal title for the occasion here --

10   is about as close to a billionaire as I will ever

11   come in my life, for he presides over an agency

12   with a budget of $429 billion.   Yes -- that's $429

13   billion, a budget larger than most of the

14   individual states or many foreign nations, in fact.

15   In fact, I was hoping, before Deputy Secretary

16   Allen left, that he might consider endowing a chair

17   in my name.    You know, for $429 billion, he could

18   probably endow a whole living room in my name, for

19   that matter.

20             Prior to joining Health and Human

21   Services, Deputy Secretary Allen was the Secretary

22   of Health and Human Services for the Commonwealth


 1   of Virginia, where he led some 13 agencies and

 2   roughly 15,000 employees.   Mr. Allen spearheaded

 3   Governor Gilmore's initiative for a patient bill of

 4   rights, which passed in 1999, directed the

 5   Commonwealth's Welfare Reform Initiative, and

 6   provided leadership to overhaul the state's many

 7   mental health institutions and community services.

 8               Before joining the Gilmore administration

 9   in that capacity, Deputy Secretary Allen was

10   counsel to the Virginia Attorney General, and later

11   Deputy Attorney General for the Civil Litigation

12   Division.   Prior to holding that post, he practiced

13   law in Washington, D.C. at Baker & Botts,

14   specializing in international law.   He holds a J.D.

15   and a Masters Degree in international comparative

16   law from Duke University, and a Bachelors Degree

17   from the University of North Carolina.

18               Now, oddly, his official biography omits

19   a very important detail:    the fact that he was my

20   functional best man and basically organized my

21   wedding.    Indeed, he was the person to gently break

22   it to my wife on that very hot day on the first of


 1   June that our wedding cake had melted and that she

 2   wouldn't actually get to see the wedding cake.    But

 3   most important, Deputy Secretary Allen has been a

 4   husband, a father.   He has been a great friend and

 5   mentor to me during lo, these many years.    I'd like

 6   to introduce to you Deputy Secretary Claude Allen.

 7             MR. ALLEN:      Thank you, Mike, for that

 8   very kind introduction.    Indeed, much has changed

 9   and much has stayed the same, and friendships

10   really do last throughout the time.

11             It's interesting.    When we clerked

12   together on the D.C. Circuit, what was interesting

13   was that Mike was always very interested in

14   criminal law, and so he ended up as a law professor

15   and serving on the U.S. Sentencing Commission. I

16   was always very interested in international law.

17   Our judge was the one judge on the D.C. Circuit who

18   always had a clerk who had security clearances, so

19   that clerk would always handle all of the very

20   sensitive cases that come to the D.C. Circuit.    I

21   happened to be that clerk who got the clearances,

22   and so I got to work very closely with Mike on


 1   trying to combine the two, the international piece,

 2   the very security-oriented pieces, and the

 3   criminal.

 4               In fact, we got to work on cases such as

 5   the Falwell's Unis [?] case.   We worked on John

 6   Poindexter's appeal.   Judge Sentelle also had Ollie

 7   North's appeal as it came through the court, and it

 8   always had some security aspect to it.   And so,

 9   it's not unusual to find Mike here teaching and

10   working closely in this regard.   But it is very

11   strange to find me as the Number Two at the

12   Department of Health and Human Services.     As Mike

13   pointed out, our department is very large.

14               I want to run you through this

15   presentation and talk with you a little bit about

16   what we do, and then tie it into what I think the

17   theme of your conference has been today.     But I

18   want to show you some aspects of it that you're

19   probably not aware of.

20               As Mike has already pointed out, HHS's

21   budget is huge, and I would like to endow more than

22   just a chair and a living room; maybe an entire


 1   building would be something to do.    Our budget

 2   really is large.   That $429 billion was the 2002

 3   budget.   So, in the time that I've been there, in

 4   little more than a year, the budget has grown,

 5   actually, to $458 billion, and our proposed budget

 6   that's currently before Congress is $489 billion.

 7   HHS, if it were a country, we would be the sixth

 8   largest country in the world, presently.   And with

 9   our proposed budget, which we know Congress will

10   very much increase, we will surpass Italy to become

11   the fifth largest country in the world.

12              We are the single largest civilian agency

13   in the world.   And I have to manage the budget;

14   Mike knows I can't balance my checkbook, so it's

15   always a real challenge to do that.

16              But as you see here, the role of the

17   Department is very simple.   Our department is

18   designed to provide services.   We serve as the

19   principal agency that protects the health of all

20   Americans in providing essential human services,

21   and particularly to those who can least afford them

22   themselves.


 1             From a schematic of the organization

 2   chart, you can see, it's massive.   But to give you

 3   an idea, we actually have what we call operation

 4   divisions in the middle.   They range from the

 5   Administration on Aging all the way through to the

 6   Food and Drug Administration; the Centers for

 7   Disease Control and Prevention; the National

 8   Institutes of Health; the Human Resources Services

 9   Administration.   We impact your life in some way,

10   shape or form every day, from the bottle that you

11   have or the can that's sitting on that table.    Look

12   on the back at that nutrition label; it is the Food

13   and Drug Administration that took care of that.    To

14   the encouragement for you, having had a heavy

15   lunch, to get out and make sure that you get some

16   exercise, that you go to the doctor -- that's what

17   we do through the Centers for Disease Control and

18   Prevention.   To education and research.   The

19   research that looks at the differences between us,

20   but more importantly, the similarities between

21   every person in this room, the Human Genome

22   Project, which is part of what we do through the


 1   National Institutes of Health.    So, we actually

 2   impact people's lives every day.

 3                We are also very aggressive about the

 4   work that we do, and we really appreciate it.       But

 5   we have some priorities right now that we are

 6   laying out.    One of the top priorities right now is

 7   bioterrorism preparedness, healthcare disparities,

 8   prevention, welfare reform, Medicare reform.    I

 9   know that given the inclination of many here at

10   this university, the school of law and this focus

11   on law and economics, you have some impact in what

12   we do every day, but we're very active in all these

13   areas.

14                I'll talk a little bit for you about

15   bioterrorism to give you an idea about what we're

16   dealing with there.    I took my job in June of last

17   year, and in August is when my family moved up to

18   this area.    We went away on vacation, came back,

19   and lo and behold, September 11th hit.    Now, I had

20   been prepared to do many things as the Deputy

21   Secretary, to manage the day-to-day operations of

22   the department.    Managing a crisis of this nature


 1   was not quite what I had anticipated I would be

 2   called upon to do.    That was not part of my job

 3   description, I thought.    But certainly, we have

 4   become experts in these areas in a very short

 5   amount of time.    These are the challenges that we

 6   faced at that time:    coordination of efforts;

 7   detection of surveillance ability; logistics and

 8   distribution of smallpox vaccine or addressing

 9   what's happening right now -- West Nile virus

10   that's spreading around the country; or addressing

11   the challenges that are confronting us in the Gulf

12   area with the hurricane coming through.    We deal

13   with that.    Hospital surge capacity; fatality

14   management -- all of these are issues that we deal

15   with on a daily basis in the Department.

16                We're also very focused on the creation

17   of a homeland security department.    Since September

18   11th, those are areas that we've worked in, as well

19   as: coalition information center, which the White

20   House created over there immediately after 9/11;

21   our Office of Public Health and Emergency

22   Preparedness, which is now an assistant


 1   secretaryship within the Department that is

 2   coordinating all of the HHS pieces of this puzzle.

 3   We also created the Office of Public Health that

 4   was coordinated out of my office.   It was my

 5   conference room for three months.   It was taken

 6   over to be the operations center for HHS after

 7   9/11.   That's how quickly things took place.

 8              Under the federal rolls, there is what's

 9   known as a federal response plan, and that federal

10   response plan lays out requirements for all of the

11   departments.   Each department has what's known as

12   emergency support functions.    HHS had the lead in

13   what is known as Emergency Support Function 8,

14   which focuses on health and medical services, and

15   that's what we spend much of our time working on

16   specifically in these areas of the current

17   situation under bioterrorism.    I'll talk a little

18   bit more about that, as well.

19              What is ESF 8?   It really focuses on four

20   primary things:   preventative health services,

21   medical services, mental health services and

22   environmental health services.   I'm going to tie


 1   this into your theme today of cybercrime and where

 2   we're going, as well, as we go forward.

 3             One of the systems we have is called the

 4   National Disaster Medical System.   Most folks don't

 5   realize that when 9/11 hit, one of the first things

 6   that was done by Secretary Tommy Thompson was to

 7   activate what is known as his powers under Section

 8   319 of the Public Health Services Act.    Section 319

 9   gives the Secretary certain extraordinary powers to

10   call up and basically take action to respond to an

11   emergency crisis in this country that has public

12   health implications.   What most people don't

13   realize is that when he did that, it activates what

14   we call our National Disaster Medical System.    The

15   agencies that are represented include FEMA, the

16   Veterans Administration, DOD and HHS.

17             When the Secretary declared a Section 319

18   emergency on September 11th, it was the first time

19   it had been enacted in more than 45 years, since

20   the Act went into place. It made the Department of

21   Defense, the Veterans Administration and FEMA

22   report under the Secretary of Health and Human


 1   Services.   In our efforts to respond to that

 2   disaster, the assets of DOD, the Veterans

 3   Administration and FEMA came under Secretary

 4   Thompson and the Department and we were able to

 5   deploy them.

 6               So, for example, when you saw in New York

 7   City the USS Mercy, the ship that was out in the

 8   harbor serving shortly after 9/11, that vessel,

 9   while it was a Coast Guard vessel, was actually

10   under the command of Secretary Tommy Thompson.      And

11   all of the surgeons general for the various

12   branches of the military reported under Secretary

13   Thompson at that time.

14               These are the major components of the

15   National Disaster Medical System.   It focuses on

16   medical response, patient evacuation and definitive

17   medical care.   There are over 7,000 participating

18   health professionals.    Twenty-four thousand

19   hospital beds -- expansion to 52,000 beds that are

20   made available around the country to deal with

21   crises within 24 hours.   Many of those beds are in

22   regional hospitals, but a lot of them are actually


 1   in veterans hospitals.   When we activate this, the

 2   Veterans Administration would move out of their

 3   hospital system their least severe patients into

 4   the community, and we would actually have access to

 5   those beds.    We also would have 95,000 beds

 6   available to us in 30 days.   We've also looked at

 7   focusing on issues of providing rapid response in

 8   case of weapons of mass destruction.   These are all

 9   areas that we focus on in the Department.

10             We have several teams called disaster

11   medical assistance teams.   These are teams that are

12   able to respond within 12 to 24 hours anywhere in

13   the country.   So, for example, on 9/11 we had teams

14   dispatched all around the nation that were actually

15   addressing not only the immediate needs in New York

16   City, here in Washington, and in Pennsylvania, but

17   we had teams that were on call and in position to

18   address anything else that might have come down the

19   pike at that time.   We also have what we call our

20   disaster medical assistance support teams.      They

21   provide medical support.

22             We had burn teams that were actually


 1   dispatched to New York to deal with the burns that

 2   were taking place from many of the folks who were

 3   survivors of the World Trade Center disaster, but

 4   also the workers were there.

 5              We have pediatric teams, crush medicine

 6   teams, veterinarian medical teams.   Think about all

 7   the dogs that were up there in the search and

 8   rescue.   Many of those dogs had injuries to their

 9   pads and could not be very effectively utilized.

10   We had teams that were trained to go in and care

11   for the dogs.   It was phenomenal to see the work.

12              We have disaster mortuary teams.   We had

13   local morgues that were teams set up to go in and,

14   initially thinking we were going to be dealing with

15   recovery efforts.   But, we immediately saw that we

16   needed to be prepared to identify remains, and

17   that's what they ended up doing very effectively in

18   New York City and around the country.

19              This is a little bit about what our

20   disaster medical assistance teams do.   They're

21   basically formed to augment local care, so that we

22   don't have to draw upon the local resources in a


 1   community.    They augment that care, as well, and

 2   they report to federal, state and local officials

 3   who can call them up by making a request to the

 4   department.

 5                These teams are scattered throughout the

 6   country.   And I want you to focus in on that

 7   because I want to talk to you about how this

 8   relates to what your conference is about today.      We

 9   have teams scattered throughout the country, about

10   120 teams that are located throughout the United

11   States.    These teams are in positions, again, so

12   they can respond very quickly.    But what we've done

13   is we've also created some other teams that are

14   called national medical response teams.    These

15   teams go in to do decontamination work.    And we are

16   challenged by making sure, when we send these teams

17   in, to ensure that they're going into a situation

18   that we have already anticipated, so that they're

19   not put at risk, so that they then can turn around

20   and decontaminate the area so that other first

21   responders can come in.    These teams are confronted

22   by many of the hazardous materials that I'll be


 1   addressing.

We also have, as I said, our disaster mortuary teams. They're operational throughout the country. Not only did they operate throughout New York and here in Washington, but most recently, you may recall in Georgia, when they had the crematory down there that was not actually cremating bodies but was scattering them all about the property. These teams were activated to go down and help identify the remains. So, they do more than just respond to the disasters that we identified earlier, such as the World Trade Center after 9/11.

Our management support teams support all of the activities on the grounds that are taking place. And federal coordinating systems are the centers that we have around the country that are focusing on the problem of providing training, leadership and bringing these teams together. But I want you to focus on the northern portion of the U.S., where you see Montana, Wyoming, South Dakota, North Dakota. In the DMAT map there was also a blank up there. Keep focusing on it as we go forward.

We have a corps called the Commission Corps Readiness Force. You may see them walking around. You may think that they're naval officers, oftentimes: You'll see them in black Navy uniforms oftentimes, and in the summer, the white uniforms. This is actually a fifth corps of officers who respond to the surgeon general. These individuals are capable of responding in extraordinary times to any emergency that exists. They are there to serve in disasters and strife and public health emergencies.

Most recently, we had a situation here in Washington, D.C. Back in the fall, D.C. decided they weren't going to allow students to come back to school without immunizations. By activating our commission corps, we were able to vaccinate some 60,000 kids in a three-day period here in Washington. But these folks are trained health professionals, over 1,400 of them, all across the various branches of the health professions, and they're deployed all around the world in addition to here in this country.

The Metropolitan Medical Response System that we have is designed in our urban areas to focus on issues of bioterrorism preparedness. We've got them there doing that as well. These are some of the exercises that they go through. Their real focus is on trying to address what is happening at the local level. How do we augment local resources in a manner that will help them be prepared?

Another map shows these teams scattered throughout the country. But a huge gap exists. The concern that I'm raising here is one in terms of trying to be prepared for a terrorism response, we have to make sure that the weakest links are the strongest links. One of the things that we're focusing on at the Department is how do we address the fact that, not only are these areas where we don't have a lot of coverage, but these are areas along the border with Canada, and Canada has a much different immigration law than we do? They're much more willing to let people into the country.


One of the challenges we had is how do we secure our borders when we don't have assets pre-positioned in these locations to try to address them. What's also interesting about it is, most of these areas are very sparsely populated, except for, largely, tribal lands. And so, one of the things that we have focused on over the last year is how do we build our system so that we are strengthening the weakest links by reaching into rural areas.

We're using the National Pharmaceutical Stockpile to be able to position assets in a very short amount of time. This is 50,000 tons of pharmaceutical supplies that can be positioned around the country in less than 12 hours. We were able to move 50,000 tons of medical equipment to New York in less than seven hours on 9/11. We have some of these also scattered around the country. I can't show you where, or I'll have to kill you.

That's because of the security associated with it. But these we break down into what we call 12-hour push packs, and we have vendors who help restock these supplies.

This is really cool. This can actually go into the belly of a plane; it can be broken up and put into the back of a series of tractor trailers. We pre-position these so that we're able to disseminate them throughout the country.

Think about this. If our enemies are able to go onto the website right now and pull down the patent that exists at the Patent Office and figure out how we do this, they can wreak havoc on our system. Think about this. Because of the openness of our patent laws, because everything is registered, many of the pharmaceuticals in the stockpile have their patents or copyrights or some intellectual property protected, and it's on the website at the U.S. Patent Office. An enemy can get that, can break down the chemical structure, and actually design around it. In fact, we have spent a lot of time working with the U.S. Patent Office to explain to them how vulnerable we are in terms of the information that's on there. I know Larry Thompson was here today, talking with you earlier.

One of the things we've been focusing on is, we know that al Qaeda has been surfing our government websites, pulling down information about our vulnerabilities, and using that to plan their activities. So, while we're in this age of preparing homeland security and homeland defense, we need to be prepared to address the sort of issues that we're raising here. These are just some of the things that we're dealing with.

I could go into a lot more, but I want to end with this, and then I want to open it up for questions and answers.

Some of the things that we're focusing on right now, as you're addressing cybercrime, we've had to have a lot of changes in our legal system. One of the challenges that we have is to walk that very delicate balance between the freedoms that we enjoy as Americans, and not violating those freedoms, but at the same time protecting the security of the homeland. How do we do that in a way that respects the Constitution but actually gives effect to protecting and putting a defense-first, forward posture for the United States? That's what we grapple with every day here in the United States.

I'm going to stop there. I'm going to answer any questions that you may have at this time. I know we've gone over a little bit, and I want to be respectful of your time because I know that I'm the last speaker here of the day between you and anything you may want to do this evening, including me going home to celebrate my daughter's sixth birthday.

PROFESSOR O'NEILL: My question is, with all the rapid response units and everything that exists, how dependent is the Department of Health and Human Services upon the current infrastructure, like the web, in terms of being able to deploy forces?

MR. ALLEN: Excellent question. We are critically dependent upon that. In fact, one of the major areas that, if you didn't discuss today, is one that we're certainly discussing at the department level with both the National Security Council and the Homeland Security Council. That is protection of our critical infrastructure. We are very heavily dependent upon the exchange of information over the web.

A good example: September 11th. What happened in New York City, the towers were built upon the information grid, the whole network, the technology grid there, and when those towers went down, that whole grid went down. Therefore, we had to come up with some creative ways to communicate with our folks on the ground. So, we've learned a lot of lessons since last year and learned what our vulnerabilities are. And we're now working very aggressively to try to shore those up. But as a government, as a society, we're heavily dependent upon that.

Since last year, I now have seven phones. It's incredible -- and I got four of them all within one week. I have one phone that I use all the time. I have a second phone that's called a priority phone. I can override anything that you're doing. I can override your phones and just get through. I've got a third phone that is supposed to be a secure cell phone. When I'm traveling, if I have to have a secure conversation, as I did on Tuesday when I had to participate in the National Security Council, I was able to use my secure cell phone in a secure location, but not have to be land-locked. I have a phone that is a Nextel phone, I guess it is. It's supposed to be some kind of walkie-talkie device; I've never even opened the box.

And I also have a satellite phone so that I can travel anywhere in the world, and, depending on where the satellite is, I can use it to communicate back and forth. All of this since last year, 9/11. All this technology has suddenly had to be utilized in order for us to communicate to ensure that we're protecting the health and safety of all Americans. It's amazing.

AUDIENCE PARTICIPANT: You mentioned that you were engaged at the patent office to discuss our vulnerabilities, and I was just wondering if you have a specific solution in mind for that situation.

MR. ALLEN: Yeah, a couple of things that we've recommended. We've actually recommended that they pull down some stuff off of their website. That's the first thing; just to remove it.

Second, we have urged the Patent Office to do very much what all the other departments are beginning to look at. That's to look at the information on there from a vulnerability perspective; to do a risk assessment. We believe in a risk-based approach to homeland defense. And that is, what is the risk of this information falling into the wrong hands and being used or manipulated to have an adverse impact on this society? And so, part of what we're working toward is, if they're not going to pull it off their website, create a secure site where those who have a need to know can do so. But before they do so, they have to go through a clearance process where there are background checks involved, etc.


Prior to this time, we had thousands of foreign nationals who were in the National Institutes of Health, in the Centers for Disease Control, in the Food and Drug Administration, in the U.S. Department of Agriculture working in labs with what we call biohazard level 4 material, select agents. We had no idea who they were, where they were coming from, or who could account for them. In fact, there were some who were identified to be connected with terrorist organizations that fled the country. So, we very quickly had to address that.

That's the level of security that we've got to now look at in terms of dealing with the Patent Office or any other office we've got with our information on the websites.

AUDIENCE PARTICIPANT: I've been a federal IT manager for about three or four years now. I know that a lot of agencies in the federal government have not implemented federal standards and federal laws and OMB requirements and this guidance in terms of managing their IT security systems. I'm sure that with all the critical stuff that you have at HHS, how far along are you in terms of your systems being secured at the system level?

MR. ALLEN: We are aggressively moving in that direction. The biggest challenge that the government is going to face about that is manpower. In government, we don't have enough people who have the technical skills to do exactly what you're identifying. So that is a real gap in our system, the human resources, the human capital. But we're moving as quickly as possible to secure it, at least within HHS and throughout the government.

I was at a meeting yesterday where we were discussing exactly this issue at my level, the deputy level. What are you doing? What is your time frame? What are going to be the standards, the measures that we're going to check to make sure that this is happening in a very timely manner? It's a challenge, it really is. But it is one that we're trying to address.

What we're trying to do is minimize our vulnerabilities externally while we strengthen our capabilities internally. That's really what the process has to be, and you know full well the challenges that presents. But the money is there. Congress has appropriated the money; now how do we find the people to do the job?

I have kept you long enough. I will hang around a little bit afterwards if others have questions. Thank you for being patient and allowing me to get here, and I look forward to working with you all.

And please, for those of you who are attorneys or students here, one thing I want to encourage. I started out as a lawyer. I'm still a lawyer, but public service is the greatest thing to ever do. I have the best job in the world. And I say that, even though my boss might say that he has to do all the work. I just enjoy being behind the scenes getting the job done.

So, thank you. I enjoyed talking with you.