Cracking Down on Cyber-Crooks

The Clinton administration may take a high-tech crime bill to Congress next year, despite the absence of a coherent data security policy and growing public fears about computer privacy rights.

. New crime laws are needed to clear up confusion caused by the poor match of existing privacy and crime laws to the rapidly-evolving technology of telecommunications, E-mail, computerized data-bases and the emerging National Information Infrastructure, Justice Department officials said. Without new laws, protection of private data's confidentiality, integrity and availability will be hobbled.

But to get that far, the administration will have to navigate a controversial course through technological advances, industry pressures, privacy proponents and national security concerns.

Those obstacles have already hamstrung efforts to develop a coherent information security policy.

Many of the administration's existing proposals -- such as the Digital Telephony Bill, intended to allow law enforcement authorities better access to sophisticated commercial communications networks -- have run into criticism that the government is intruding into private lives.

"We're a ways off from having an information security policy," said Bruce McConnell, chief of the information policy branch at the administration's Office of Management and Budget. To help formulate the new policies and laws, administration officials plan a July 15 public meeting in Washington, D.C. on NII security. "We need to find out what the users of the NII are going to want," he said. The new policies will be incorporated into the comprehensive high-tech crime proposal now being considered by administration lawyers.

"A lot of existing laws don't fit well with new technologies," said Scott Charney, chief of the computer crime unit at the Department of Justice. For example, the Interstate Stolen Property Act doesn't apply to electronic "property." The Computer Fraud and Abuse Act outlaws the wrong people from accessing a computer system used in interstate commerce but doesn't forbid insiders with authority from meddling. Add to that the problem of warrants, where a computer crime may occur in one state, but the host server is in another.

"If we're going to an intangible environment, then the laws must reflect that reality," Charney said.

Officials will not decide on what to include in the new law until next year, and have not yet decided whether to send Congress one comprehensive measure or a series of more limited measures, Charney said. "The problem may be so large that it is hard to find a comprehensive solution," he said.

Congress is already wrestling with a series of high-tech crime issues. For example, the Digital Telephony Bill, sent to Congress March 25, has been held up in the House and Senate judiciary committees by opposition from the telecommunications industry and from privacy proponents as the Electronic Freedom Foundation.

Law-enforcement officials are confident a version of the bill, intended to clarify service pro-viders' duties to furnish wiretap assistance, will pass this year, FBI spokesman Barry Smith said. But if that bill doesn't make it, it may be rolled into a crime bill next year, said an industry official.

Public criticism has also dogged administration efforts to promote the use of the National Security Agency's Clipper chip encryption device. Although no legislation is pending in Congress to promote Clipper, "Congress has asked a lot of questions about it, and wants to make sure there is a balance between protection of privacy, promotion of business competitiveness and national security and law-enforcement concerns," said Geoffrey Greiveldin-ger, a Justice Department lawyer.

Legislators in Congress are also proposing high-tech crime measures, prompted by fears computers can impinge on privacy.

For example, Sen. Paul Simon, D-Ill., has proposed creating a top-level Privacy Protection Commission to help shape wide-ranging legislation. The measure is included in the Senate version of S-4, the National Competitiveness Act of 1993. Simon and Rep. Pat Williams, D-Mont., have also proposed bills designed to curb employer monitoring of employees' electronic activities.

National security threats also have prompted action. The 1995 defense authorization report, released June 7 by the Senate Armed Services Committee, asks the Pentagon to increase spending on information security -- as much as 50 times the amount it currently shells out, or somewhere between $500 million and $1 billion a year.

So far, Pentagon systems have been hacked into 800 times. Planners are increasingly worried an enemy might try to disable U.S. computer and communications networks during a crisis.

"The security of information systems and networks [is] the major security challenge of this decade and possibly the next century," warned the Joint Security Commission, formed last year by the director of central intelligence and the defense secretary.

The administration's concern over information security is growing, despite controversies over Clipper and Digital Telephony. But federal policy making on the matter has hardly begun, with participants scattered and central issues still unclear.

The July 15 security meeting should help the administration form new security policies and laws, said officials. At the meeting, administration officials will hear the hopes and fears of NII futurists on how they plan to use the highway and what kinds of security risks concern them.

At the center of the administration's security policy is the multiagency Security Issues Forum, part of the administration's Information Infrastructure Task Force, headed by Sally Katzen of the Office of Management and Budget.

In a June 3 OMB statement, Katzen summarized security problems facing her group: "Americans will not use the NII to its full potential unless they trust that information will go where and when they want it and nowhere else."

The key players in the forum include Katzen; Jim Burrows, director of the Computer Systems Laboratory at the National Institute of Standards and Technology; and David Signori of the Defense Information Systems Agency , Arlington, Va.

"At this point we're moving somewhat on instinct," said one agency official.