Computer industry tells Congress new anti-hacker laws not needed

By TED BRIDIS The Associated Press 2/28/00 9:00 PM

WASHINGTON (AP) -- Even amid dramatic attacks by cyber vandals on some of the Internet's flagship Web sites, the nation's technology industry appears reluctant to ask Congress for new or expanded anti-hacker measures.

The industry appears to be maintaining its traditional reluctance against inviting government into its affairs, even in its defense against hackers and online vandals.

Those sentiments, expected to be delivered to lawmakers at a congressional hearing Tuesday, illustrate the gulf between Washington and the high-tech industry beyond the 2,400 miles physically separating the epicenters of the two cultures.

Panels from the House and Senate Judiciary committees organized Tuesday's hearing to determine what changes, if any, they need to make to existing crime laws in the wake of electronic attacks earlier in February that disrupted for hours Web sites run by Yahoo!, Amazon.Com, eBay, ETrade and others.

But industry leaders, anxious about an expanded government presence, appear uninterested. Companies are worried about bad publicity or poor consumer confidence if they're identified in court as victims. Many are more concerned about restoring online business quickly than enduring a protracted legal investigation that results in the arrest, for example, of a misguided college student.

"Infrastructure security ... does not lend itself to government management," Microsoft's chief information security officer, Howard Schmidt, said in remarks prepared for the hearing. "... The private sector has the knowledge and expertise to help fight against computer crimes on the infrastructures on which they operate."

Schmidt warned lawmakers against "unnecessary outside regulation or interference in the operation of dynamic, very productive businesses."

The FBI still is trying to trace the origin of the assaults, which used dozens of "zombie" computers nationwide where attack software had been implanted and activated by hackers. The technique, called a "denial of service," is similar to programming fax machines to dial a company's telephone number repeatedly to prevent other incoming calls.

Rep. Bill McCollum, R-Fla., chairman of the House crime subcommittee, was expected to poll federal authorities and technology executives whether existing laws against hacking -- which typically prohibit breaking into computers -- can be used to prosecute vandals in denial-of-service attacks.

In most of the recent attacks, the companies and their Internet providers successfully filtered incoming "junk" data within hours to restore service to their Web sites. Yahoo!, for example, indicated that financial losses from the attack weren't serious.

"The technology industry showed that it can respond swiftly and effectively, taking steps to quickly beat back the attacks to make it harder for similar assaults to succeed in the future," Charles Giancarlo, a senior vice president for Cisco Systems Inc., said in prepared testimony.

Cisco, which makes computer hardware used by many of the major sites, helped stem the attack against the online auction site, eBay Inc.

Giancarlo added: "We do not ask Congress for new laws in the area of Internet security."

An executive for Amazon.Com Inc., whose Web site fell under attack for more than an hour late Feb. 8, did not identify in his testimony any new laws the FBI might need, although the company said it supports better training and more money for federal agents to become digital detectives.

"Current laws ... appear to provide some prosecutorial authority and have been used successfully in several recent hacking cases," Paul Misener, Amazon's vice president for global public policy, said.

Congress has already offered to write new laws or change existing ones to protect Internet companies. Sen. Kay Bailey Hutchison, R-Texas, has promised new legislation to double the penalties for hackers to 10 years in prison for a first offense and 20 years for a second offense.

Sen. Patrick Leahy, D-Vt., wants to amend federal wiretap laws to make it easier for authorities to trace vandals from the "zombie" computers where they implant their attack software. Under current law, agents require a wiretap order to examine data traffic flowing through those computers, even with permission from the machine's owner.

Others outside Congress are worried that lawmakers' eagerness to help trace attacks against lucrative technology companies -- which are gradually becoming powerful players in Washington -- could result in draconian surveillance networks.

"It is clear that the private sector is stepping up its security efforts, with an effectiveness that the government could never match," said James X. Dempsey of the Center for Democracy and Technology. "... The potential for the government to help is limited, while the risk of the government doing harm is very high."

http://www.cleveland.com/newsflash/index.ssf?/cgi-free/getstory_ssf.cgi?a0761_AM_HackerInvestigation&&news&newsflash-washington

-- Martin Thompson (mthom1927@aol.com), February 28, 2000