The agenda today lists for our consideration, S. 2448, the Hatch-Schumer "Internet Integrity and Critical Infrastructure Protection Act." This bill first appeared on the tentative agenda less than an hour after the cancellation of a hearing scheduled for Wednesday morning on "Internet Security and Privacy." These are important issues and I believe a hearing on this bill would have been helpful before we decide on the merits of this legislation. To date, I have not heard whether this bill has garnered the support of any person or organization, including the Department of Justice. A hearing could have clarified the level of support that this bill has in the law enforcement community.
I know that one part of this bill – section 109 – incorporates provisions from the Leahy-DeWine Computer Crime Enforcement Act, S. 1314, which enjoys the support of the Fraternal Order of Police, but I do not know how this group feels about the rest of the Hatch-Schumer bill. I also know that other parts of this bill – sections – also have strong support since they reflect pen register and wiretap reporting requirements that were in the Leahy-Hatch wiretap reporting bill, S. 1769, and were enacted on May 2, 2000 (P.L. 106-197).
As we head into the twenty-first century, computer-related crime is one of the greatest challenges facing law enforcement. Many of our critical infrastructures and our government depend upon the reliability and security of complex computer systems. We need to make sure that these essential systems are protected from all forms of attack. Just recently we were reminded of how vulnerable – and how inter-connected – all of our computer systems are when the "I love you" virus disabled computers all over the world.
On April 13, 2000, I introduced legislation, S. 2430, The Internet Security Act of 2000, to help law enforcement investigate and prosecute those who jeopardize the integrity of our computer systems and the Internet, while enhancing protection of online privacy. I had hoped that this bill, as well as my E-rights bill, S. 854, The Electronic Rights for the 21st Century Act, introduced on April 21, 1999, would be discussed at the Judiciary Committee hearing that was to have taken place on Wednesday. Unfortunately, even though that hearing was cancelled, the Chairman has chosen, as is his right, to proceed to a mark-up of his legislation.
The issues of Internet security and Internet privacy are important. Although the Chairman's bill may be passed out of the Committee without a hearing, certain points are worth making – both about cybercrime and Internet security in general and about some of the shortcomings in the Chairman's bill.
Cybercrime is not a new problem. We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1989 by the Subcommittee on Technology and the Law in the Senate Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely "hardening" our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government has a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems.
The private sector must assume primary responsibility for protecting its computer systems. Targeting cybercrime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. Just recently, Internet providers and companies such as Yahoo! and Amazon.com Inc., and computer hardware companies such as Cisco Systems Inc., proved successful at stemming attacks within hours thereby limiting losses.
Encryption helps prevent cybercrime. That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress earlier this year when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging – and not restraining – the use of strong encryption and other technical solutions to protecting our computer systems.
Prior legislative efforts were designed to deter cybercrime. Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met.
In this Congress, as I mentioned before, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime.
Computer crime is a problem in Vermont. I recently released a survey on computer crime in Vermont, my home state. My office surveyed 54 law enforcement agencies in Vermont – 43 police departments and 11 State's attorney offices – on their experience investigating and prosecuting computer crimes. The survey found that more than half of these Vermont law enforcement agencies encounter computer crime, with many police departments and state's attorney offices handling 2 to 5 computer crimes per month.
Despite this documented need, far too many law enforcement agencies in Vermont cannot afford the cost of policing against computer crimes. Indeed, my survey found that 98% of the responding Vermont law enforcement agencies do not have funds dedicated for use in computer crime enforcement.
My survey also found that few law enforcement officers in Vermont are properly trained in investigating computer crimes and analyzing cyber-evidence. According to my survey, 83% of responding law enforcement agencies in Vermont do not employ officers properly trained in computer crime investigative techniques. Moreover, my survey found that 52% of the law enforcement agencies that handle one or more computer crimes per month cited their lack of training as a problem encountered during investigations. Proper training is critical to ensuring success in the fight against computer crime.
Our computer crime laws need to be kept up-to-date as an important backstop and deterrent. I believe that our current computer crime laws can be enhanced and that the time to act is now. We should pass legislation designed to improve our law enforcement efforts while at the same time protecting the privacy rights of American citizens.
My bill, S. 2430, The Internet Security Act of 2000, will make it more efficient for law enforcement to use tools that are already available – such as pen registers and trap and trace devices – to track down computer criminals expeditiously. It will ensure that law enforcement can investigate and prosecute hacker attacks even when perpetrators use foreign-based computers to facilitate their crimes. It will implement criminal forfeiture provisions to ensure that cybercriminals are forced to relinquish the tools of their trade upon conviction. It will also close a current loophole in our wiretap laws that prevents a law enforcement officer from monitoring an innocent-host computer with the consent of the computer's owner and without a wiretap order to track down the source of denial-of-service attacks. Finally, this legislation will assist state and local police departments in their parallel efforts to combat cybercrime, in recognition of the fact that this fight is not just at the federal level.
The key provisions of the Internet Security Act are:
Jurisdictional and Definitional Changes to the Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is the primary federal criminal statute prohibiting computer frauds and hacking. This bill would amend the statute to clarify the appropriate scope of federal jurisdiction. First, the bill adds a broad definition of "loss" to the definitions section. Calculation of loss is important both in determining whether the $5,000 jurisdictional hurdle in the statute is met, and, at sentencing, in calculating the appropriate guideline range and restitution amount.
Second, the bill amends the definition of "protected computer," to expressly include qualified computers even when they are physically located outside of the United States. This clarification will preserve the ability of the United States to assist in international hacking cases. A "Sense of Congress" provision specifies that federal jurisdiction is justified by the "interconnected and interdependent nature of computers used in interstate or foreign commerce."
Finally, the bill expands the jurisdiction of the United States Secret Service to encompass investigations of all violations of 18 U.S.C. § 1030. Prior to the 1996 amendments to the Computer Fraud and Abuse Act, the Secret Service was authorized to investigate any and all violations of section 1030, pursuant to an agreement between the Secretary of Treasury and the Attorney General. The 1996 amendments, however, concentrated Secret Service jurisdiction on certain specified subsections of section 1030. The current amendment would return full jurisdiction to the Secret Service and would allow the Justice and Treasury Departments to decide on the appropriate work-sharing balance between the two.
Elimination of Mandatory Minimum Sentence for Certain Violations of Computer Fraud and Abuse Act: Currently, a directive to the Sentencing Commission requires that all violations, including misdemeanor violations, of certain provisions of the Computer Fraud and Abuse Act be punished with a term of imprisonment of at least six months. The bill would change this directive to the Sentencing Commission so that no such mandatory minimum would be required.
Additional Criminal Forfeiture Provisions: The bill adds a criminal forfeiture provision to the Computer Fraud and Abuse Act, requiring forfeiture of physical property used in or to facilitate the offense as well as property derived from proceeds of the offense. It also supplements the current forfeiture provision in 18 U.S.C. § 2318, which prohibits trafficking in, among other things, counterfeit computer program documentation and packaging, to require the forfeiture of replicators and other devices used in the production of such counterfeit items.
Pen Registers and Trap and Trace Devices: The bill makes it easier for law enforcement to use these investigative techniques in the area of cybercrime, and institutes corresponding privacy protections. On the law enforcement side, the bill gives nationwide effect to pen register and trap and trace orders obtained by Government attorneys, thus obviating the need to obtain identical orders in multiple federal jurisdictions. It also clarifies that such devices can be used on all electronic communication lines, not just telephone lines. On the privacy side, the bill provides for greater judicial review of applications for pen registers and trap and trace devices and institutes a minimization requirement for the use of such devices. The bill also amends the reporting requirements for applications for such devices by specifying the information to be reported.
Denial of Service Investigations: Currently, a person whose computer is accessed by a hacker as a means for the hacker to reach a third computer cannot simply consent to law enforcement monitoring of his computer. Instead, because this person is not technically a party to the communication, law enforcement needs wiretap authorization under Title III to conduct such monitoring. The bill will close this loophole by explicitly permitting such monitoring without a wiretap if prior consent is obtained from the person whose computer is being hacked through and used to send "harmful interference to a lawfully operating computer system."
State and Local Computer Crime Enforcement: The bill directs the Office of Federal Programs to make grants to assist State and local law enforcement in the investigation and prosecution of computer crime.
Legislation must be balanced to protect our privacy and other constitutional rights. I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights.
While I support some of the provisions in the legislation offered by Senator Hatch, indeed some are virtually identical to ones in my Internet Security Act, others should give us pause. Let me explain.
S. 2448 Would Over-Federalize Minor Computer Abuses: Currently, federal jurisdiction exists for a variety of computer crimes if, and only if, such criminal offenses result in at least $5,000 of aggregate damage or cause another specified injury, such as the impairment of medical treatment, physical injury to a person or a threat to public safety. The Hatch/Schumer bill would criminalize a variety of minor computer abuses, regardless of whether any harm results. In addition, for certain hacking offenses, the maximum punishment has been doubled.
Specifically, the bill would amend 1030(a)(5)(A) (sending transmissions intending to cause damage), and 1030(a)(5)(B) (intentionally accessing computer and recklessly causing damage) provisions to eliminate the now-existing jurisdictional triggers and to criminalize as 3-year federal felonies all such offenses, whether or not they cause $5,000 loss or other specified injury. In addition, the bill would amend 1030(a)(5)(C) (intentionally accessing computer and causing damage) to eliminate now-existing jurisdictional triggers to criminalize as misdemeanors all such offenses, whether or not they cause $5,000 loss or other specified injury. These minor incidents were not previously punishable under federal law.
These provisions are overkill. Our federal laws do not need to reach each and every minor, inadvertent and harmless hacking offense – after all, each of the 50 states does have its own computer crime laws. Rather, our federal laws need to reach those offenses for which federal jurisdiction is appropriate. This can be accomplished, as I have done in the Internet Security Act as described above, by simply adding an appropriate definition of "loss" to the statute.
Prior Congresses have declined to over-federalize computer offenses and sensibly determined that not all computer abuses warrant federal criminal sanctions. When the computer crime law was first enacted in 1984, "the Federal jurisdictional threshold is that there must be $5,000 worth of benefit to the defendant or loss to another in order to concentrate Federal resources on the more substantial computer offenses that affect interstate or foreign commerce." (H.Rep. 98-894, at p. 22, July 24, 1984).
Similarly, the Senate Judiciary Committee under the chairmanship of Senator Thurmond, rejected suggestions that "the Congress should enact as sweeping a Federal statute as possible so that no computer crime is potentially uncovered." (S. Rep. 99-432, at p. 4, September 3, 1986).
For example, if a private sector employee snoops without authorization on a co-worker's computer and accidentally deletes a file or a message, current Federal law does not make that conduct a crime. That conduct may be cause for discipline within the company but not for the FBI to swoop in and investigate. Yet, under S. 2448, this conduct would constitute a felony violation of 1030(a)(5)(B), punishable by up to 3 years' imprisonment, with mandatory minimum of at least 6 months in jail under U.S.S.G. §2B1.3, or a misdemeanor violation of 1030(a)(5)(C).
Let us look at another example of a teenage hacker, who plays a trick on a friend by modifying the friend's vanity Web page. Under current law, no federal crime has occurred. Yet, under S. 2448, this conduct could constitute a felony violation of 1030(a)(5)(B), punishable by up to 3 years' imprisonment, with mandatory 6-month jail term under U.S.S.G. §2B1.3, or a misdemeanor violation of 1030(a)(5)(C). If the damage to the Web page resulted in more than $5,000 in damage, then the conduct would be punishable by up to 10 years' imprisonment.
Another part of S. 2448 would authorize the Attorney General to provide computer crime evidence to foreign law enforcement authorities under the provisions of computer crime Mutual Legal Assistance Treaty ("MLAT") and "without regard to whether the conduct investigated violates any Federal computer crime law." This title appears to expand the Justice Department's investigative authority broadly to investigate lawful conduct in the U.S. at the request of foreign governments. Moreover, this title may be construed to force the Justice Department to negotiate MLATs narrowly limited to computer crimes, rather than addressing criminal activity generally, and consequently may require more, not less, work for the Department to obtain constructive assistance from foreign governments in computer crime cases.
Process is important. Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress, the Administration and the private sector need to work together to meet these new challenges while preserving the benefits of our new era. We should not be rushing forward with legislation without a hearing and without engaging in discussions with the Administration and industry to ensure the legislation addresses problems constructively without inadvertently creating other problems.