Cyber Crime Dilemma is Possible to Guarantee Both Security and Privacy


  • 8/12/2019 Cyber Crime Dilemma is Possible to Guarantee Both Security and Privacy


    Cyber Crime Dilemma: Is Possible to Guarantee Both Security and Privacy?

    Author(s): Michael O'Neil

    Source: The Brookings Review, Vol. 19, No. 1 (Winter, 2001), pp. 28-31

    Published by: Brookings Institution Press

    Stable URL: http://www.jstor.org/stable/20080957


    Internet regulation--from taxation to censorship--has been a legislative nonstarter in Washington. Yet change the name from regulation to cyber security and one finds an array of legislation that could affect web users in fundamental ways.

    Internet security is of much greater concern to the government than to most Americans. Take Internet sabotage. What for many public officials--and some computer security experts as well--is a potentially ominous threat is, for many desk-bound office workers, merely a day's minor excitement. With the advent of each new e-mail-borne virus, firms shut down links to the outside world and wait. Within a few hours everyone is back on line, an anti-virus is in place, and a new cyber war story makes the rounds. Indeed, this pattern of spontaneous disruption has become so commonplace in today's computer-driven businesses that for many of us, it seems an acceptable cost of operating in the digital age.

    Yet more than simple complacency is at work here. Popular resistance to greater government involvement in cyber security reflects the same tension that exists in the physical world. Americans certainly could minimize the likelihood of being victimized by robbers if they allowed the local sheriff to camp out in the living room, but for most of us, the resulting loss of privacy wouldn't be worth the marginal increase in security. The same holds true on the Internet. Along with its efficiency, Internet users clearly cherish the anonymity and privacy the new technology affords them. Many users fear that their privacy rights will be diminished if the FBI is out hunting for cyber crooks.

    Protecting Critical Infrastructure

    Critical infrastructure protection, as posited by the Clinton administration, involves enlisting the private companies that run the nation's energy, transportation, communication, water, and emergency services to help improve the security of the computer systems on which all rely. These services are critical, the theory goes, because they are essential not only to our economy but also to national defense. They can therefore be targeted and, by virtue of their interconnectedness and low security, shut down--by spies, terrorists, hackers, criminals, or even disgruntled employees. Yet this hydra-headed threat hasn't materialized in such a spectacular way as to raise great public alarm and vindicate the government's warnings.

    Attacks last February that shut down Yahoo, eBay, and other popular e-commerce sites demonstrated that our computers remain vulnerable and that the possibility of serious economic, if not security, harm does exist. But the only arrest to date suggests that a familiar kind of villain, a teenage computer phenom in his basement, may have been responsible for taking down at least one of the sites. So the threat that government officials worry about, the disabling or destruction of a major service infrastructure, still appears remote. The lack of any enduring damage appears once again to have calmed public fears.

    New Technology, Familiar Challenges

    The February attacks did get Congress's attention, eliciting several bills in both the House and the Senate to augment law enforcement capabilities to investigate and prosecute computer crime. At the heart of the legislation, and of the administration's plan for infrastructure assurance, is the proposition that the advance of digital communications and information networks has complicated the job of law enforcement--and by corollary that of intelligence agencies as well. But even if that proposition is accepted, privacy concerns will remain, if not grow.

    The problem that best makes this case is encryption. No longer the sole province of governments and spies, effective, easy-to-use encryption allows any computer user to communicate and exchange information in a highly secure manner. In an age when vast amounts of personal data are stored in networks--and not at home or in bank vaults--encryption offers privacy protection that is increasingly important to many Americans. Yet their increased personal security may come at a price in apprehending criminals. Criminals and terrorists are now encoding communications and records using the same ubiquitous commercial encryption products. The FBI, the Drug Enforcement Administration, and other law enforcement agencies are hard pressed to break increasingly sophisticated codes used by wrongdoers.

    Michael O'Neil is a partner in the law firm of Preston Gates Ellis & Rouvelas Meeds.

    The idea that technological innovations make it harder to catch crooks or spies is not new. The advent of the telephone also forced law enforcement to reexamine its investigative tools. Calls today for expanded cyber crime-fighting authority reveal a great deal about how the government views the challenges to law enforcement in the Digital Age. Sophisticated terrorists might take down the nation's electrical grid, so new security standards are necessary. The nation's telephone system is going digital, so major adjustments must be made to ensure law enforcement's continued ability to wiretap criminals and spies. Denial-of-service attacks against Internet businesses must be prevented, so the scope of existing computer crimes must be expanded to cover damages caused by loss of business.

    All these changes can be useful additions to the electronic protections both industry and law enforcement need today. Yet the basis for their justification is also important, because of what it accepts as reasonable and what it will justify in the future. So is it true that technology has increased threats to the American way of life that must be countered by new government surveillance authority? And must government needs and personal privacy expectations be rebalanced?

    These questions are hard to answer. Technology is advancing so swiftly that often we cannot perceive how it will affect our lives. In such a climate, it takes genuine prescience or unshakable convictions to know what a proper balance should be.

    Take, for example, a key weapon in the government's arsenal against computer crime, the Electronic Communications Privacy Act. Enacted in 1986, it governs the protection of, as well as government access to, electronic communications such as e-mail. But in 1986, very few Americans understood the potential of either e-mail or the Internet. The idea that e-mail would greatly displace written and telephone communications between businesses, or even within a business, was entirely foreign. Perhaps as a result, despite the undeniably growing reliance of both businesses and individuals on e-mail, the legal protections afforded e-mail do not match those that apply to either paper records or telephone conversations.

    Another government tool whose application to the Digital Age has raised concerns is the pen register, a device used to record the numbers dialed to begin a telephone conversation. Intercepting the actual conversation requires a warrant based on a high evidentiary showing. Obtaining the number dialed requires only the government's certification that the number is relevant to an ongoing criminal investigation. Amendments made in 1986 to the pen register law have been interpreted by the government to extend pen register orders to e-mail messages. Because there is no well-defined parallel between a telephone number and an e-mail address, applying pen register orders to e-mail has raised concerns about the ever-widening scope of government intrusion into Internet communications.

    The debate about how to balance government and law enforcement needs with privacy expectations was given a high-voltage jump start in June when it was revealed that the government is using a new Internet sniffing device to monitor web traffic. Called Carnivore, the device is essentially a stand-alone computer installed at a key node in the system of an Internet service provider. It monitors all traffic carried over the system at that point and selects and stores communications the government is authorized to intercept--sometimes the full text, sometimes only the Internet address. The trouble is that Carnivore is a black box controlled by the government, its programming and selection criteria known only to those who operate it.

    Carnivore gives government much more control than Ma Bell ever did. In the predigital age, the government presented its warrant or court order to the telephone company, which in turn routed the specified information to the government listening post. The FBI didn't attach the tap itself, and the common carrier was responsible to the court to ensure that the government got only what the court authorized. Carnivore changes that relationship and with it several independent checks on government action.

    The government argues that these shifts in privacy protection are not intentional. It points out that Carnivore is used only by court order and only when an Internet service provider lacks diagnostic and monitoring capabilities to perform the surveillance ordered. Yet in partial recognition of the privacy issues raised by Carnivore, the attorney general recently ordered an independent review by a major university. In the same vein, the Clinton administration has suggested both a clarification of the pen register statute's application to the Internet and a requirement that a federal judge weigh the factual basis for a pen register's relevance to a criminal investigation.

    The Debate in Congress

    These steps are welcome news to personal privacy advocates, but the seriousness of cyber crime and critical infrastructure protection suggests that this debate is just beginning. The Clinton administration and Congress put forth a dizzying range of proposals, including new Internet surveillance provisions, Freedom of Information Act exemptions, regulation of commercial use of consumer information and, inevitably, the creation of a commission to study all the above. Though the 106th Congress did not enact comprehensive legislation affecting Internet privacy, cyber crime, and critical infrastructure protection, the new Congress will address these issues quickly.

    What that Congress will take up seems clear enough. Yet unless it is guided by several basic principles, Congress risks addressing them inadequately and without balance.

    The first category of issues to be addressed, law enforcement, encompasses two related goals. One reflects a bipartisan consensus to spend money on the problems du jour. In other words, expect Congress to allocate ever more resources for law enforcement to investigate and prosecute hackers and other cyber criminals. The other law enforcement effort likely will strengthen penalties for various computer crimes and expand government authority to police them.

    The second category concerns continuing government efforts to get its own house in order. Specifically, look for Congress to fund efforts by federal agencies to better protect their information systems. Most urgent is the shortage of highly trained information technology specialists within the government to protect critical networks, a need just now beginning to be addressed.

    Third, Congress undoubtedly will move to protect individuals' privacy rights in the cyber world. In some cases, this step might involve simply applying the same standards from the physical world; in others, it might mean expanding protections to account for the public's growing reliance on electronic communication and record keeping.

    Finally, expect Congress to try to create a better climate for information sharing between the government and the private sector, especially concerning threats and attacks on the nation's critical information infrastructure. Bills to accomplish this goal won widespread support in Congress and in industry this year, but fell victim to time.

    Principles for Drafting New Laws

    How Congress will resolve these matters is critical. Many factors will come into play, ranging from new technological developments to the political makeup of the next Congress and administration. Here are some suggestions as to how Congress, the executive, and the public should think about and work through these important and complex issues.

    What is first required is a recognition that technology has changed the nature of individual privacy in fundamental ways. What the founding fathers sought to protect from unreasonable intrusion by the government--the privacy of a citizen's home and personal papers--is no longer found in the home or even on paper. Nowadays, our private information is as likely to be stored on computers, often computers that are part of a network, in electronic files, and often with third parties that many Americans either cannot identify or of whom they are unaware. Communications course through a much more diverse electronic medium than did telephone calls just a dozen years ago. This kind of change is likely to continue--and in ways not easily foreseeable to most of us.

    Second, the law, especially federal laws with national scope and application to the government itself, must adjust not only to changes in technology, but to the effect those changes clearly have had on the protection of individual privacy. This task will require dogged perseverance on the part of lawmakers. The law enforcement community will not easily cede surveillance capacity now or in the future. Its battle cry will be preservation, even improvement, of current capability in the face of ever more sophisticated cyber-criminal enterprise. After Congress passed the 1995 Communications Assistance to Law Enforcement Act to require common carriers to modify their equipment to permit government wiretapping of new digital telephone equipment, the industry spent years developing the necessary technical standards, only to have the Justice Department reject them on the grounds that more capabilities could be, and therefore should be, included. When the Federal Communications Commission then largely approved the broad new requirements the Justice Department demanded, a federal appeals court had to point out that the balance between what was technically possible and the protections against unreasonable intrusion had not been struck. Congress had required just such a balancing test in the law, but had not reckoned with the tenacity shown by law enforcement in protecting and expanding its powers.

    Third, there will be a great deal to get right the first time among all the issues that are likely to be addressed. For instance, clarifying how the pen register law applies to e-mail should make clear whether the subject line is more akin to a telephone number or to message content and to what extent an individual's Internet browsing must be disclosed. A Freedom of Information Act exemption for sharing cyber security information with the government should encourage information sharing not just with law enforcement agencies but between other parts of the government and among private-sector entities. And making computer crime laws tougher should not discourage prosecution, as current juvenile sentencing guidelines do. In the area of commercial privacy protection, a host of issues must be addressed, fleshing out just what notice, disclosure, and consent mean.

    Fourth, there is much that neither Congress nor a new administration should try to do. In the area of critical infrastructure protection, cyber security should be improved through voluntary, private-sector-organized mechanisms. This will frustrate some in government, particularly at those times when fresh cyber attacks appear to threaten our use of Internet services. Yet the networks at risk, and the essential service industries they support, are largely designed, built, operated, and maintained by the businesses that own them. To be effective, critical infrastructure protection policy cannot be dictated by government, especially given the government's admitted failure thus far to improve security within its own ranks. Private-sector solutions, not public regulations, are most likely to work best for industry and, ultimately, consumers.

    Finally, to return to the point on which I began, the national debate on new cyber law must avoid the dangers of label oversimplification. All the issues discussed above can be grouped together under the rubric of privacy protection. Yet, in the case of cyber crime initiatives, real care will have to be taken to achieve even modest gains in privacy protection. And ensuring effective personal privacy in commercial use of the Internet may well hinge more on better uses of the same software technologies that created the threat in the first place than on new federal laws. Thus, calling what we are doing by its real name--Internet surveillance or increased wiretapping powers in the case of some cyber crime provisions--may be the best way to deal both with the advance of technology and with protecting what remains of our electronic privacy.
