Excerpts of Terradon Communications Group's letter to Representative Shelley Moore Capito (R-WV). Quotes from law or proposed legislation will be denoted with *****

Again, no further comment will come from me regarding our analysis. I don't wish to discourage discussion on the matter, but simply to state that I won't be involved in it.

<snip> would like to address some serious concerns in the proposed "Anti-Terrorism Act of 2001." As you are aware, <snip> is a West Virginia information technology and information security firm. In particular, two sections of the legislation raise some major red flags. Additionally, the retroactive nature of this legislation raises some concerns relative to the "expert advice or assistance" language in section 306.

Section 309. Definition.

Section 309 defines USC Title 18, Chapter 47, Section 1030 (a)(1), (a)(4), (a)(5)(A), and (a)(7) as terrorist acts, punishable by life in prison without the possibility of parole. Upon close examination of section 1030, it becomes very clear that not all possible violations of this statute could possibly be considered terrorist acts.

*****
Sec. 1030. Fraud and related activity in connection with computers

(a) Whoever -

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
*****

This section seems reasonable. It limits the definition of a terrorist act to breach of information or unauthorized access to systems containing national secrets.

(a)(4) begins to broaden the definition of a terrorist act.

*****
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
*****

This effectively defines any unauthorized access as a terrorist act, regardless of intention to damage or steal information relative to attacks against the American people or the telecommunications infrastructure.

(a)(5) covers viruses or other malicious programs such as worms or trojans.

*****
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
*****

What is particularly disturbing, and far too broadly defines terrorist acts, are the definitions found in (a)(7).
(a)(7) is in direct reference to (a)(6), which reads:

*****
knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if -

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States; [1]
*****

Virtually every computer connected to the internet falls under the jurisdiction of (a)(6)(A), as defined by affecting interstate commerce. Almost all computer crimes currently fall under the jurisdiction of the FBI for investigation and prosecution under the Interstate Commerce Act. (a)(7) covers making threats regarding the defined activities. This statute provides no provision for scope or terroristic intention. Under the proposed legislation, a hacker or cracker who breaks into and defaces any website could be prosecuted as a terrorist and face a life prison term without the possibility of parole. Though <snip> certainly does not condone such activity, defacing a website could, and should, be analogous to climbing a fence and spray-painting a slogan on a wall. This is quite a far cry from slamming a fully loaded 767 into a crowded skyscraper. This legislation intends to make no such distinction.

The language in the proposed "Anti-Terrorism Act" (Section 306, Support of Terrorism Through Expert Advice or Assistance) references section 2339A of USC Title 18. This would read:

*****
Offense. - Whoever, within the United States, provides material support or resources or conceals or disguises the nature, location, source, or ownership of material support or resources, knowing or intending that they are to be used in preparation for, or in carrying out, any Federal terrorism offense, or in preparation for, or in carrying out, the concealment or an escape from the commission of any such offense, shall be fined under this title, imprisoned not more than 10 years, or both.
(b) Definition. - In this section, the term ''material support or resources'' means currency or other financial securities, financial services, lodging, training, expert advice or assistance, safehouses, false documentation or identification, communications equipment, facilities, weapons, lethal substances, explosives, personnel, transportation, and other physical assets, except medicine or religious materials.
*****

This could define as a terrorist anyone who places computer security or security-related information in public view, on the web, or publicly available via other media. This could, in fact, label almost every computer security firm in the world, and most information technology related firms, as terrorists. The information technology industry should be quaking in its boots. Not only could this make future publishing of such information a terrorist act, but any past publication of such material, normally designed to improve systems security and systems security awareness, would also become a terrorist act, since it would be retroactive under the "Anti-Terrorism Act" to include those firms that have ever published such information.
301(c) of the "Anti-Terrorism Act" would amend USC Title 18, Chapter 213, section 3286 to read:

*****
Notwithstanding section 3282, no person shall be prosecuted, tried, or punished for any non-capital offense involving a violation of section 32 (aircraft destruction), section 37 (airport violence), section 112 (assaults upon diplomats), section 351 (crimes against Congressmen or Cabinet officers), section 1116 (crimes against diplomats), section 1203 (hostage taking), section 1361 (willful injury to government property), section 1751 (crimes against the President), section 2280 (maritime violence), section 2281 (maritime platform violence), section 2332 (terrorist acts abroad against United States nationals), section 2332a (use of weapons of mass destruction), 2332b (acts of terrorism transcending national boundaries), or section 2340A (torture) of this title or section 46502, 46504, 46505, or 46506 of title 49, unless the indictment is found or the information is instituted within 8 years after the offense was committed. Notwithstanding any other provision of law, an indictment may be found or an information instituted for any Federal terrorism offense at any time without limitation.

(b) CONFORMING AMENDMENT.-The analysis for chapter 213 of title 18, United States Code, is amended by amending the item relating to section 3286 to read as follows

(c) APPLICATION.--The amendments made by this section shall apply to the prosecution of any offense committed before, on, or after the date of enactment of this section.
*****

This would abolish the statute of limitations and institute a retroactive policy towards acts defined throughout the bill as terrorist acts. With regard to most aspects of computer crime at least, this could certainly be constitutionally questionable under the Ex Post Facto Clause of the Constitution, which prohibits changing the legal consequences of an action after the action has occurred.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 10:28:35 PDT