[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
                            CYBER SECURITY: 
                   PROTECTING AMERICA'S NEW FRONTIER

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON CRIME, TERRORISM,
                         AND HOMELAND SECURITY

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 15, 2011

                               __________

                           Serial No. 112-80

                               __________

         Printed for the use of the Committee on the Judiciary
      Available via the World Wide Web: http://judiciary.house.gov


                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
71-238 PDF                WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001
                       COMMITTEE ON THE JUDICIARY

                      LAMAR SMITH, Texas, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        HOWARD L. BERMAN, California
HOWARD COBLE, North Carolina         JERROLD NADLER, New York
ELTON GALLEGLY, California           ROBERT C. ``BOBBY'' SCOTT, 
BOB GOODLATTE, Virginia                  Virginia
DANIEL E. LUNGREN, California        MELVIN L. WATT, North Carolina
STEVE CHABOT, Ohio                   ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
MIKE PENCE, Indiana                  MAXINE WATERS, California
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     MIKE QUIGLEY, Illinois
TED POE, Texas                       JUDY CHU, California
JASON CHAFFETZ, Utah                 TED DEUTCH, Florida
TIM GRIFFIN, Arkansas                LINDA T. SANCHEZ, California
TOM MARINO, Pennsylvania             [Vacant]
TREY GOWDY, South Carolina
DENNIS ROSS, Florida
SANDY ADAMS, Florida
BEN QUAYLE, Arizona
MARK AMODEI, Nevada

      Sean McLaughlin, Majority Chief of Staff and General Counsel
       Perry Apelbaum, Minority Staff Director and Chief Counsel
                                 ------                                

        Subcommittee on Crime, Terrorism, and Homeland Security

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman

                  LOUIE GOHMERT, Texas, Vice-Chairman

BOB GOODLATTE, Virginia              ROBERT C. ``BOBBY'' SCOTT, 
DANIEL E. LUNGREN, California        Virginia
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
TED POE, Texas                       HENRY C. ``HANK'' JOHNSON, Jr.,
JASON CHAFFETZ, Utah                   Georgia
TIM GRIFFIN, Arkansas                PEDRO R. PIERLUISI, Puerto Rico
TOM MARINO, Pennsylvania             JUDY CHU, California
TREY GOWDY, South Carolina           TED DEUTCH, Florida
SANDY ADAMS, Florida                 SHEILA JACKSON LEE, Texas
MARK AMODEI, Nevada                  MIKE QUIGLEY, Illinois
                                     [Vacant]

                     Caroline Lynch, Chief Counsel

                     Bobby Vassar, Minority Counsel
                            C O N T E N T S

                              ----------                              

                           NOVEMBER 15, 2011

                           OPENING STATEMENTS

The Honorable Louie Gohmert, a Representative in Congress from 
  the State of Texas, and Vice-Chairman, Subcommittee on Crime, 
  Terrorism, and Homeland Security
The Honorable Robert C. ``Bobby'' Scott, a Representative in 
  Congress from the State of Virginia, and Ranking Member, 
  Subcommittee on Crime, Terrorism, and Homeland Security

                               WITNESSES

Richard W. Downing, Deputy Chief, Computer Crime and Intellectual 
  Property Section, Criminal Division, United States Department 
  of Justice
  Oral Testimony
  Prepared Statement
The Honorable Michael Chertoff, Co-Founder and Managing 
  Principal, The Chertoff Group
  Oral Testimony
  Prepared Statement
James A. Baker, Lecturer on Law, Harvard University
  Oral Testimony
  Prepared Statement
Orin S. Kerr, Professor of Law, George Washington University
  Oral Testimony
  Prepared Statement

                                APPENDIX
               Material Submitted for the Hearing Record

Response to Post-Hearing Questions from Richard W. Downing, 
  Deputy Chief, Computer Crime and Intellectual Property Section, 
  Criminal Division, United States Department of Justice
Response to Post-Hearing Questions from the Honorable Michael 
  Chertoff, Co-Founder and Managing Principal, The Chertoff Group
Response to Post-Hearing Questions from Orin S. Kerr, Professor 
  of Law, George Washington University

 
                            CYBER SECURITY: 
                   PROTECTING AMERICA'S NEW FRONTIER

                              ----------                              


                       TUESDAY, NOVEMBER 15, 2011

              House of Representatives,    
              Subcommittee on Crime, Terrorism,    
                             and Homeland Security,
                                Committee on the Judiciary,
                                                    Washington, DC.

    The Subcommittee met, pursuant to call, at 10:03 a.m., in 
room 2141, Rayburn House Office Building, the Honorable Louie 
Gohmert (Vice-Chairman of the Subcommittee) presiding.
    Present: Representatives Gohmert, Scott, Deutch, Forbes, 
Marino, Gowdy, Lungren, Jackson Lee, and Goodlatte.
    Staff present: (Majority) Caroline Lynch, Subcommittee 
Chief Counsel; Arthur Radford Baker, Counsel; Sam Ramer, 
Counsel; Lindsay Hamilton, Clerk; Vishal Amin, Counsel; 
(Minority) Joe Graupensberger, Counsel; Veronica Eligan, 
Professional Staff Member.
    Mr. Gohmert. The Subcommittee will come to order.
    Welcome to today's hearing on cyber security. I would 
especially like to welcome my witnesses and thank you for 
joining us today.
    I am joined today by the distinguished Ranking Member of 
the Subcommittee, Bobby Scott, and by the most recent Chairman 
Emeritus, Mr. Conyers, who as I understand will be coming 
shortly.
    I want to welcome everybody to the hearing on ``Cyber 
Security: Protecting America's New Frontier.'' The Internet 
revolutionized our society in many ways. While its benefits 
abound and extend from our largest corporations to remote rural 
regions throughout the Nation, individuals in the United States 
and abroad have unfortunately been able to exploit the Internet 
for criminal means.
    Cyber crime often is faceless and has proven to defy 
traditional investigative prosecutorial tools. As a result, the 
frequency of cyber crime is growing rapidly and now includes 
many international criminal syndicates and is threatening our 
economy, our safety and our prosperity.
    Even more worrisome are the national security implications 
of cyber intrusion. We in Congress are concerned that we are 
witnessing the opening salvos of a new kind of conflict waged 
in cyberspace.
    As we learned in the Wikileaks case, one individual with 
access to classified data can threaten America's national 
operational security, and as we saw from China's cyber attack 
on Google and other companies, America's edge in innovation and 
technical superiority can be compromised by competing countries 
who make theft of intellectual property a national strategy.
    As recently reported in the Fiscal Times, China's brazen 
use of cyber espionage stands out because the focus is often 
corporate and part of a broader government strategy to help the 
develop or help develop the country's economy.
    Quote, I've been told that if you use an iPhone or a 
BlackBerry everything on it--contacts, calendar, emails--can be 
downloaded in a second. All it takes is someone sitting near 
you on a subway waiting for you to turn it on and they have got 
it, said Kenneth Lieberthal, a former senior White House 
official for Asia who is at the Brookings Institution.
    One security expert reported that he buys a new iPad for 
each visit to China and then never uses it again.
    The problem remains that the United States government does 
not own the networks through which all data flows, as 
totalitarian regimes like China do. Your government and 
industry must team up at times to secure the networks and 
create digital shields to protect our country and our business.
    The Administration has recently released a cyber security 
initiative proposal which aims to make changes to the cyber 
security structure and laws of the United States. We will look 
at the proposal today and we have a distinguished panel of 
experts here to help guide the Committee on what changes should 
be made to protect citizens from cyber criminals.
    One thing is clear. We have learned that computer crime is 
just as important as ordinary crime and should be treated just 
as harshly by our criminal justice system. The risks to our 
national infrastructure and our national wealth are profound 
and we must protect them.
    Besides our national security, we have something in this 
country as precious as wealth--our civil liberties. When it 
comes to cyber crime, Americans are fully engaged on the issue 
of protecting our civil liberties and privacy. They are correct 
to be so concerned, and we on this side of the aisle share 
their concern.
    Sometimes it seems like a dilemma. By using Facebook and 
other websites, Americans are putting more of their private 
lives on the Internet than ever before. Yet, more Americans are 
concerned about privacy than ever before.
    But it is understandable the more Americans rely on the 
Internet for their work, their entertainment, their 
relationships, the more productive and connected they become. 
But they also become vulnerable in new ways.
    It is truly a new frontier for our country and this 
Committee is determined that this new frontier will not be a 
Wild West. Our challenge is to create a legal structure 
flexible enough to protect our interests while allowing the 
freedom of thought and expression that made this country great. 
I am convinced we can thread this needle.
    I look forward to hearing more about this issue and thank 
all of our witnesses for participating in this hearing. It is 
now my pleasure to recognize for his opening statement the 
Ranking Member of the Subcommittee, Congressman Bobby Scott of 
Virginia.
    Mr. Scott. Thank you, Mr. Chairman.
    I am pleased that we are conducting a hearing today on the 
important issue of cyber security. It is a critical issue. It 
is critical that we work together in Congress with the 
Administration and with the business community and with private 
advocates to find ways to enhance the security of our 
government information systems, our business computer networks 
and the personal use of the Internet.
    Last spring, the Administration sent to Congress a 
comprehensive cyber security legislative proposal. I was, 
frankly, disappointed that they called for mandatory minimum 
sentences for certain crimes of damaging critical 
infrastructure computers because mandatory minimums have been 
found to waste the taxpayers' money, do nothing about crime and 
require sentences that often violate common sense.
    Resolving the significant issues relating to cyber security 
including protecting network access and operating aspects of 
our critical infrastructure is a very challenging problem.
    We must not shrink from the challenge but sentencing 
individuals who have been convicted of serious crimes is also a 
serious challenge as it requires individualized determination 
of what the person actually did, the harm they caused and the 
circumstances of the crime.
    And that's why Congress actually did something right in 
this area when it created the U.S. Sentencing Commission whose 
job it is to establish sentencing guidelines to be used by 
judges in imposing appropriate sentences. Calling for mandatory 
minimum sentences shrinks from the challenge of doing this 
right. While the crime involved may involve--may indeed be 
serious, imposing mandatory minimum sentences on everyone will 
not make us more secure.
    The code section of the offense violated does not often--
often does not accurately reflect the seriousness of the crime. 
This practice ultimately leads to injustice, cynicism and 
distress in our criminal justice system and the imposition of 
sentences that make no sense at all.
    Another issue that we need to talk about is the provision 
requiring notification of the government of certain breaches of 
sensitive personal information stored in the computer networks 
of businesses. The bill requires that an entity as of yet 
unnamed in the Department of Homeland Security shall be 
notified and that entity should also notify the FBI and Secret 
Service.
    Both of these agencies have specialized expertise that may 
be called upon depending, for example, whether the crime is one 
that threatens national security or the integrity of our 
financial systems.
    We need to hear more from the Administration and these 
agencies on how this would--how this coordination would take 
place.
    In addition, it is important that we examine whether the 
laws have maintained an appropriate focus on behavior we all 
believe rises to the level of criminal--Federal criminal 
liability. The Computer Fraud and Abuse Act was originally 
enacted to deal with intrusions into computers, what we now 
call hacking.
    Since that time, we have expanded the scope of the law on 
several occasions which has led to a disturbing expansive use 
in recent years which have generated concerns on both sides of 
the aisle.
    For example, now it is possible for someone to be 
prosecuted for violating the user agreement in a social 
networking site. One of our witnesses is the distinguished law 
professor who has written extensively about these concerns.
    I hope this hearing will give us a chance to discuss these 
issues and the best approach for refocusing our efforts in this 
area.
    Finally, I note concern about proposals to expand the 
ability of private companies to share information with 
government and ultimately with law enforcement for the purpose 
of protecting against cyber security threats. If we allow 
vastly overbroad sharing of information, we actually may 
undermine the very privacy rights which should be at the 
forefront of our concern.
    So I thank all of our witnesses for being with you and 
thank you, Mr. Chairman, for calling the hearing.
    Mr. Gohmert. And thank you, Mr. Scott.
    We now will proceed and it is my pleasure to introduce 
today's witnesses. Richard Downing is the Chief Deputy or 
Deputy Chief for computer crime at the Computer Crime and 
Intellectual Property Section of the United States Department 
of Justice in Washington, D.C.
    Mr. Downing supervises the section's computer crime work 
including the prosecution of computer hacking, identity theft 
and other online crimes. Mr. Downing also supervises a wide 
range of legislative and policy issues relating to computer 
crime.
    These issues include the modernization of the Federal 
Computer Hacking Statute policy and legislation aimed at 
improving cyber security, the development of the electronic 
evidence-gathering laws and efforts to enhance international 
cooperation in cyber crime investigations.
    Mr. Downing received his Bachelor of Arts in political 
science from Yale University in 1989 and his Juris Doctor from 
Stanford Law School in 1992.
    I will go ahead and introduce all of the witnesses and so 
we will just take one after the other without your having to be 
interrupted by me.
    The Honorable Michael Chertoff is co-founder and managing 
principal at the Chertoff Group in Washington, D.C. In addition 
to his role at Chertoff Group, Mr. Chertoff is also senior of 
counsel at Covington & Burling LLP and a member of the firm's 
white-collar defense and investigations practice group.
    Prior to his work at Chertoff Group, Mr. Chertoff served as 
Secretary of the United States Department of Homeland Security 
from 2005 to 2009. Before heading up the Department of Homeland 
Security, Mr. Chertoff served as a Federal judge on the U.S. 
Court of Appeals for the Third Circuit.
    Before serving as a judge, he was a Federal prosecutor for 
over a decade. Mr. Chertoff received his undergraduate degree 
from Harvard College in 1975 and his Juris Doctor from Harvard 
Law in 1978.
    Mr. James Baker is currently a lecturer on law at Harvard 
Law School. He most recently served as an Associate Deputy 
Attorney General with the United States Department of Justice 
from 2007 until last month, ending a 17-year career at the 
Department.
    In 2007, Mr. Baker was a Fellow at the Institute of 
Politics at the John F. Kennedy School of Government at Harvard 
University and was a lecturer on law at Harvard Law School. 
From 2001 to 2007, Mr. Baker served as counsel for intelligence 
policy at the Justice Department where he was the head of the 
Office of Intelligence Policy Review.
    Mr. Baker is a former Federal prosecutor. He received his 
Bachelor of Arts in government from the University of Notre 
Dame in 1983 and his Master of Arts in political science and 
Juris Doctor from the University of Michigan in 1988. He 
received--okay.
    And Professor Orin Kerr--Professor Kerr is a professor of 
law at George Washington University where he teaches criminal 
law, criminal procedure and computer crime law.
    Before joining the faculty in 2001, Professor Kerr was an 
honors program trial attorney in the Computer Crime and 
Intellectual Property Section of the criminal division at the 
United States Department of Justice as well as a Special 
Assistant U.S. Attorney for the Eastern District of Virginia.
    He is a former law clerk for Justice Anthony M. Kennedy of 
the U.S. Supreme Court and Judge Leonard Garth of the U.S. 
Court of Appeals for the Third Circuit. In the summer of 2009 
and 2010, he served as special counsel for the Supreme Court 
nominations to Senator John Cornyn on the Senate Judiciary 
Committee.
    He has been a visiting professor at the University of 
Chicago Law School and the University of Pennsylvania Law 
School. Professor Kerr received his Bachelor of Science degree 
in engineering from Princeton University and his Masters of 
Science from Stanford University while earning his Juris Doctor 
from Harvard Law School.
    All of the witnesses' written statements will be entered 
into the record in their entirety and I ask that each witness 
summarize his testimony in 5 minutes or less.
    And at this time then, Mr. Downing, thank you for your 
patience. Please proceed with your opening statement.

 TESTIMONY OF RICHARD W. DOWNING, DEPUTY CHIEF, COMPUTER CRIME 
 AND INTELLECTUAL PROPERTY SECTION, CRIMINAL DIVISION, UNITED 
                  STATES DEPARTMENT OF JUSTICE

    Mr. Downing. Good morning, Chairman Gohmert, Ranking Member 
Scott and Members of the Committee.
    Thank you for the opportunity to testify on behalf of the 
Department of Justice regarding the Administration's cyber 
legislation proposals.
    This Committee knows well that the United States confronts 
serious and complex cyber security threats. The critical 
infrastructure of our Nation is vulnerable to cyber intrusions 
that could damage vital national resources and put lives at 
risk, and intruders have also stolen vast databases of 
financial information and valuable intellectual property.
    At the Department of Justice, we see cyber crime on the 
rise with criminal syndicates operating with increasing 
sophistication to steal from innocent Americans. That is why 
President Obama has made cyber security a high priority. The 
Justice Department has done its part.
    For example, we have brought a series of important 
prosecutions, including cases against offenders from overseas, 
in an effort to build real deterrence.
    Despite this good work, the problem is far from solved. It 
is clear that new legislation can help to improve cyber 
security substantially.
    To that end, the Administration's legislative proposal 
contains a number of ideas and I would like to take a moment to 
highlight the parts of that package aimed at improving the 
tools we use to punish and deter computer crimes.
    First, the Administration's proposal includes reasonable 
and focused changes to ensure that computer crimes are punished 
to the same extent as other traditional criminal activity.
    For example, because cyber crime has become a big business 
for organized crime groups, the Administration proposal would 
make it clear that the Racketeer Influenced and Corrupt 
Organizations Act, or RICO, applies to computer crimes.
    Prosecutors have used this statute in the past to charge 
the leaders of organized crime families for their roles in 
their criminal enterprises, even where they did not themselves 
commit a predicate crime such as theft or extortion.
    In a similar way, RICO could be used to dismantle criminal 
enterprises focused on online theft and extortion and not just 
the people with their fingers on the keyboard.
    Also, the proposal would increase certain penalties in the 
Computer Fraud and Abuse Act, which is the statute used to 
prosecute hacking offenses so as to harmonize them with 
analogous traditional laws.
    For example, the crime of wire fraud carries a maximum 
penalty of 20 years in prison, but violations of the Computer 
Fraud and Abuse Act that involve very similar conduct carry a 
maximum penalty of only 5 years. Such disparities make no 
sense.
    The Computer Fraud and Abuse Act also currently has 
limitations that have prevented it from being fully used by 
prosecutors against criminals who traffic in computer 
passwords, and these shortcomings should be corrected.
    We propose that the scope of the offense for trafficking in 
passwords should cover not only passwords, but other methods of 
confirming a user's identity such as biometric data, single-use 
pass codes, or smart cards used to access an account. This new 
language should cover log-in credentials used to access any 
protected computer, not just government systems or computers at 
financial institutions.
    Finally, some have argued that the definition of ``exceeds 
authorized access'' in the Computer Fraud and Abuse Act should 
be restricted so as to disallow prosecutions based solely upon 
a violation of an employee use agreement or a website's terms 
of service.
    While we appreciate this view, we are concerned that 
restricting the statute in this way could make it difficult or 
impossible to deter and punish serious threats from malicious 
insiders.
    The reality of the modern workplace is that employees in 
both the private and public sectors require access to databases 
containing large amounts of highly personal and sensitive data.
    We need look no further than bank customer service 
representatives, government employees processing tax returns, 
and intelligence analysts handling sensitive material. Because 
they need access in order to do their jobs, it is impossible to 
restrict their access through passwords or other security 
mechanisms.
    In most cases, employers communicate clear and reasonable 
restrictions on the purposes for which that data may be 
accessed.
    Employers should be able to set such access restrictions 
with the confidence that the law will protect them when their 
employees exceed these restrictions. Improperly accessing 
personal or commercial information is a serious matter that 
requires serious criminal consequences.
    We must not impair these prosecutions based on 
unsubstantiated fears that the Department will expend its 
limited resources on trivial cases such as prosecuting people 
who lie about their age on an Internet dating site.
    Mr. Chairman and Members of the Committee, this is an 
important topic. The country is at risk and there is a lot of 
work to be done to stop computer crimes from victimizing and 
threatening Americans throughout the country.
    I look forward to answering your questions here today. 
Thank you.
    [The prepared statement of Mr. Downing follows:]
                               __________

    Mr. Gohmert. Thank you very much.
    At this time, Mr. Chertoff, we will hear from you.

  TESTIMONY OF THE HONORABLE MICHAEL CHERTOFF, CO-FOUNDER AND 
             MANAGING PRINCIPAL, THE CHERTOFF GROUP

    Mr. Chertoff. Thank you, Mr. Chairman. Thank you, Ranking 
Member Scott and Members of the Committee. I am delighted to 
testify here today.
    It is actually my first return to Congress as a witness 
since I left office 3 years ago and I used to testify in this 
room about border security.
    Mr. Gohmert. Yes, you did, and I knew you couldn't stay 
away.
    Mr. Chertoff. Right. It is hard to stay away.
    This is a very important look at an important topic. It is 
a topic that includes, obviously, concerns about criminal 
behavior but is much broader than that. I would argue that the 
issue of cyber security is now at the very top of the list of 
security threats faced by the United States.
    We have seen multiple dimensions of the threat. Some of 
them involve massive acts of criminality. I remember when I was 
Secretary we prosecuted the theft of literally tens of millions 
of credit card numbers which were used to steal money from 
credit card companies and from individual customers.
    But beyond that, we have seen the use of cyber attacks as a 
way of stealing very valuable intellectual property including 
national security secrets and these are reported almost on a 
daily or weekly basis.
    Beyond that, there is the obvious concern about our 
industrial control systems which could in some circumstances be 
attacked in a way that might actually cause serious damage to 
property and serious loss of life.
    We have seen examples back in 2007 and 2008 that are 
declassified of attacks against Estonia or Georgia, which are 
really part of what you could very well argue is a new way of 
war making.
    So this has got to be dealt with in a number of different 
dimensions. Certainly, the criminal law is part of it but I 
would argue there are some other elements as well.
    Broadly speaking, I would say there are three concerns we 
have in terms of vulnerability. One is the network itself and 
how to protect the network, and that is in many respects a 
technical problem.
    But the supply chain is also a problem. We are living in a 
global environment in which hardware and software is fabricated 
around the world and our degree of confidence about whether 
there are malicious bits of code or other malicious tools 
embedded in our hardware or software is not what it needs to 
be.
    And perhaps most significantly is the insider threat. While 
many people think the biggest problem with cyber security is 
somebody hacking across a network, experience shows that in 
many cases it is the insider who wittingly or unwittingly 
introduces malware into the system in a way that causes an 
enormous amount of damage.
    To this end, I would commend an article written a couple 
years ago in Foreign Affairs by then-Deputy Secretary Bill Lynn 
who described a major intrusion into our defense networks as 
having been caused by somebody picking up a thumb drive and 
putting it into a laptop as an act of negligence.
    So we have got to deal with all of these problems and one 
of my observations over the years I have worked on this issue 
is a tendency to believe there is a magic bullet. There is no 
magic bullet.
    So I would argue that there are several things that we need 
to do. I think the current Administration proposal is a good 
start but it is a start. It is not an end.
    First, I think we need to have tougher penalties and I in 
the main approve and applaud the proposals put forward by the 
Administration in that respect. Second, we need to make 
information sharing much easier.
    Time and again, when the private sector suffers an 
intrusion, the ability to get technical assistance about the 
nature of what that intrusion is is hampered by uncertainties 
in the law about whether the U.S. government and the private 
sector can share information. This has got to be made much 
easier and much more streamlined and I think, again, the 
proposal here is a good start.
    Third issue is how do we build standards of cyber security 
in our critical infrastructure. If we have a failure of 
critical infrastructure in, let's say, the electric grid, there 
will be enormous collateral consequences.
    Unfortunately, the value of the damage often exceeds the 
value of the asset, which means that there is no market 
incentive for the asset owner to invest in protecting the 
asset. We have got to change that. Again, I think the 
Administration has begun with a good start in talking about 
having standards for cyber security.
    I am concerned about two things. One, how do we enforce the 
standards. I am not sure naming and shaming is sufficient. And 
second, we are talking about a very complicated and detailed 
rulemaking process which may take a considerable amount of time 
to complete, and the problem is time is not on our side.
    Finally, I conclude by observing that there is a larger 
national security dimension here involving the problem of cyber 
warfare, the actual use of cyber tools as an adjunct to 
military operations, and here we need to be clear about what 
our policy is in responding to those acts of war and we need to 
have a declared policy of deterrence, how we are going to 
prevent these from happening.
    This is work that is beginning but it has got a ways to go. 
I would be happy to answer questions.
    [The prepared statement of Mr. Chertoff follows:]
                               __________

    Mr. Gohmert. Thank you very much.
    Mr. Baker?

         TESTIMONY OF JAMES A. BAKER, LECTURER ON LAW, 
                       HARVARD UNIVERSITY

    Mr. Baker. Mr. Chairman, good morning. Ranking Member Scott 
and Members of the Committee, it is an honor to appear before 
you today to discuss the cyber security challenges that the 
country is facing.
    I would like to focus my remarks on a very few key points 
today. First, as you know and as we have already discussed here 
this morning, the United States faces a significant cyber 
threat today. The threat comes from many sources, nation 
states, non-state actors such as organized crime groups, 
terrorist organizations and lone individuals.
    As folks have said this morning, the money in our banks, 
our intellectual property and our critical infrastructure are 
threatened. There is a very real risk that at a time of crisis 
some parts of our critical infrastructure such as electrical, 
water, financial, transportation and telecommunications systems 
will not function as designed or at all.
    Presently, the United States is not fully prepared to deal 
with the cyber threat that we face. In other words, our 
defensive capabilities are insufficient to address the 
malicious activities that are directed against the United 
States. This includes Federal, state and local governments, 
civilian and military authorities and the private sector.
    At the present time, we cannot stop the theft of funds, 
intellectual property or personally identifiable information 
and we cannot ensure the malicious actors will not be able to 
degrade or destroy elements of our critical infrastructure at a 
time and in a manner of their own choosing.
    Although many people in the government and the private 
sector are working overtime to find more effective ways to 
address these vulnerabilities, right now we cannot guarantee 
our cyber security. All we can do is mitigate the risks.
    There are many reasons why we are not fully prepared to 
address the cyber threat today and these include technological, 
organizational, policy and legal issues. My written statement 
addresses these matters so in the interest of time I won't 
discuss them all now.
    I will note, however, that one of the problems we must 
confront is that the Federal Government is not where it needs 
to be organizationally to address the cyber threat. There has 
been much progress in this sphere and the Administration's 
proposal contains some important provisions in this regard.
    But the government is not where it needs to be in terms of 
clearly delineating agency roles and providing for robust but 
appropriate information sharing.
    Next, I would like to address some of the Administration's 
proposals to amend the Computer Fraud and Abuse Act, or CFAA, 
and related provisions. Standing alone, as some have mentioned, 
these proposals will not address fully all of our--excuse me, 
all of our cyber security requirements.
    They are important, however, and likely will assist law 
enforcement agencies and prosecutors in better ensuring that 
cyber crime is deterred effectively and punished appropriately. 
I know that some Members have concerns about aspects of this 
proposal but I urge Congress to work with the Administration to 
find a set of mutually acceptable provisions to modify the CFAA 
and related laws as quickly as you can.
    What Congress should not do, however, in my view, is to 
take steps that would weaken rather than strengthen the 
Computer Fraud and Abuse Act. I am concerned that some 
proposals to modify the terms of the existing act, in 
particular, those directed at modifying the scope of the term 
``exceeds authorized access'', would have the unintentional 
effect of undermining the CFAA in certain respects.
    I understand the concerns that some have raised about the 
scope of the act, that it may be ambiguous and that government 
overreaching could result in individuals being prosecuted for 
what essentially are innocent or harmless violations of the 
terms of service of particular websites or services.
    I do not believe, however, that the case has been made that 
Federal prosecutors have regularly misused the CFAA, and to the 
extent that Congress is concerned that such abuses might occur, 
it strikes me that it might make more sense to use your 
oversight powers to ensure that enforcement of the CFAA is 
properly focused on the worst offenders.
    But do we really want to make it harder for the government 
to prosecute individuals who abuse their authorized access to 
immense databases at financial institutions, social networking 
sites and email providers to steal money or sensitive personal 
information?
    In closing, I recommend that the Subcommittee work quickly 
to enact some version of the Administration's proposal. Cyber 
security is not a problem that is amenable to simple solutions 
but we need to start moving in the right direction as quickly 
as possible. Our adversaries are not waiting for us to act.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Baker follows:]

                               __________
    Mr. Gohmert. Thank you, Mr. Baker.
    Professor Kerr?

         TESTIMONY OF ORIN S. KERR, PROFESSOR OF LAW, 
                  GEORGE WASHINGTON UNIVERSITY

    Mr. Kerr. Thank you, Judge Gohmert, Ranking Member Scott 
for the invitation to appear here this morning. I am going to 
begin by doing something that is probably unusual for a witness 
before you. I am going to admit that I am a criminal, at least 
according to the United States Department of Justice's 
interpretation of the Computer Fraud and Abuse Act.
    Mr. Gohmert. Sir, you have the right to remain silent. 
[Laughter.]
    Anything you say may--could be used against you.
    Mr. Kerr. I will waive that right.
    Mr. Gohmert. You have the right to consult an attorney if 
you wish.
    Mr. Kerr. In fact, I would like to speak about this. Why am 
I----
    Mr. Gohmert. If you can't afford an attorney one will be 
appointed for you. [Laughter.]
    Mr. Kerr. Why am I a criminal? Well, I have a Facebook 
account. Facebook requires its terms of service--in its terms 
of service that you cannot provide any false information on 
Facebook.
    However, I do so. I say in my profile that I live in 
Washington, D.C. In fact, that is a blatant lie. I live in 
Arlington, Virginia. Therefore, I am in blatant violation of 
the terms of service, and according to the Justice Department I 
violate Federal criminal law every time I log in.
    Those of you may have children or grandchildren who are 
under the age of 18 who use Google to conduct searches. 
According to the Justice Department, they are also all 
criminals. Why?
    Well, because Google's terms of service say you have to be 
of legal age to enter into a contract in order to use Google. 
The legal age to enter into a contract in most states is 18.
    Therefore, anybody under the age of 18 who uses Google is, 
according to the United States Department of Justice, a 
criminal.
    Tens of millions of Americans have Internet dating 
profiles. Those Internet dating profiles typically say the 
terms of service of the Internet dating services say that 
individuals must give all truthful information and cannot give 
misleading information.
    According to one study, more than 80 percent of Internet 
dating profiles give misleading information. Somebody might say 
they are an inch taller than they are, maybe five pounds less. 
Maybe they might say they go to the gym every week when they 
don't. According to the United States Department of Justice, 
that makes them criminals.
    In fact, probably most people in this room, most of the 
witnesses, Members, counsel, members of the audience, most if 
not all are criminals under the United States Department of 
Justice's interpretation of the Computer Fraud and Abuse Act.
    What is the government's position here in how to amend the 
statute? My understanding is that the Justice Department wants 
to further broaden the statute so that it encompasses more 
cases and is more punitive than before.
    I think the answer is to narrow the scope of this act to 
ensure that routine computer usage is not criminalized rather 
than to further broaden and enhance the penalties of the 
statute.
    The reason why this is a problem--the reason how we got 
into this situation--is that Section 1030 of the Computer Fraud 
and Abuse Act treats computers differently than it treats the 
physical world. If you think about you are an employee at a 
job, your boss says don't go into the personnel files without a 
good work-related reason, you might--someone might look into 
those personnel files and might be disciplined for that. The 
boss might fire them or might not give them a raise but it 
wouldn't be a crime just to look into the folder.
    On the Internet or in the case of computers, it is a 
different rule. The law says you cannot exceed authorized 
access, which the Justice Department sees as saying that any 
term of use or term of service by an employer or an Internet 
service provider is binding as a matter of law.
    If an employer says you can't use the workplace computers 
for personal reasons and you do so, you are a criminal, again, 
a different rule in the case of using computers than there is 
in the case of offline real-world conduct.
    I think we need to amend the statute to eliminate those 
overly broad readings of the Computer Fraud and Abuse Act and 
that it is actually quite simple to do so.
    I have put in my written testimony two different ways of 
amending the statute which would narrow it and yet also 
preserve the Justice Department's authority to prosecute the 
kinds of cases that they mention when they explain why they 
want existing law to be as it is.
    In particular, the Justice Department, when it talks about 
prosecuting cases under the ``exceeds authorized access'' 
prong, always talks about cases in which the data that is 
obtained is very valuable or very private information.
    However, the statute does not contain any such limitation. 
The statute applies to any act of exceeding authorized access 
to obtain any information at all. One simple way of fixing the 
statute would be to limit the Computer Fraud and Abuse Act so 
that the ``exceeding authorized access'' prong only applies to 
efforts to obtain personal information or valuable information. 
That would preserve the Justice Department's ability to 
prosecute the kinds of cases it wants to prosecute and yet also 
preserve civil liberties of every other American who might, for 
good reasons, violate Internet terms of service of websites 
which it looks like most Americans who use the Internet and a 
computer probably do.
    Thank you. I look forward to your questions.
    [The prepared statement of Mr. Kerr follows:]

                               __________
    Mr. Gohmert. Thank you.
    At this time, we will go to questions and I will reserve 
mine to allow other Members to go ahead.
    So let's see, Mr. Forbes of Virginia?
    Mr. Forbes. Thank you, Mr. Chairman.
    Gentlemen, thank you all for your expertise and willingness 
to come here, and I understand Professor Kerr's desire to want 
to be able to lie on his Facebook account and that is okay. My 
concern is this.
    I realize that we can have death by a thousand cuts with 
all these small cyber attacks but my big concern from sitting 
on the Armed Services Committee is the major gaping wounds that 
can happen to us if we were to have cyber warfare.
    And the question I would ask for all of you gentlemen who 
would like to respond is are our laws in any way hampering the 
Department of Defense from developing the technologies that we 
need to defend and protect against that major kind of attack if 
it was coming, which I believe one day we will see it in some 
portion or the other.
    And secondly, are our laws in any way hampering DOD from 
developing the kind of strategies we would need to be able to 
use that same kind of attack if, you know, heaven help us, we 
would have to do it? And then can you give me a little insight 
on how we even know when such a war would be launched against 
us?
    How do we know who is doing it and how do we possibly say 
okay, now this is the time when we can launch a counter action 
against that? And I will defer to any of you who would like to 
go first. But I really respect and appreciate your insight on 
it.
    Mr. Chertoff. Well, thank you--thank you for the question. 
It is a broad set of questions.
    Mr. Forbes. I know it is.
    Mr. Chertoff. I will address maybe the last question, which 
is what is often referred to as the issue of attribution, and 
it is a complicated issue because the reality is many of the 
attacks we suffer, if you--if you follow the attack back the 
point at which you're proximate to, the target may be in the 
United States but it may be a computer that has been taken over 
and is being operated remotely from China or someplace else in 
the world.
    And the difficulty is proving that connection is often very 
difficult. It is compounded by the fact that some of the ways 
we might prove it make reference to sophisticated and secret 
sources and methods that we are not going to want to reveal.
    So there is a huge challenge unlike what we faced in the 
Cold War when, if a missile was launched, we could demonstrate 
where the missile comes from. I think the answer there is a--
the laws are really not the issue here.
    The issue here is for us to develop a doctrine and to be 
very clear about, first of all, what we believe our response 
ought to be to an attack--distinguishing between a theft of 
property, which is espionage which we have traditionally not 
viewed as an act of war, and an attack on a system that might 
destroy the system itself like the electric power grid.
    And once we have determined what we want our response to 
be, we have got to do two things. We have got to, first of all, 
make sure the law permits us to respond, and second, I believe 
we need to have a declared policy of deterrence.
    We need to, for example, tell the world that if there is an 
attack upon our electric grid that results in a loss of life we 
reserve the right to respond by, A, eliminating the servers 
that launched the attack, we may reserve the right to do so 
physically as well as in cyberspace and we need to explain what 
our red lines are. If we don't do that, then we run the risk of 
a miscalculation where somebody launches on us without a clear 
understanding of our response, and experience shows that that 
is how people get into wars, when there is an unclarity of 
doctrine.
    Mr. Baker. I would agree with that completely. I think that 
the key problems are making the tough policy choices first, and 
once you have the policy, both the policy in terms of what do 
we want to do as a country to respond to these kinds of 
attacks. And when I am talking about an attack here in this 
setting I am talking about something that when it is directed 
at us would constitute a use of force against the United States 
if it was done by kinetic means. So that is--so when I talk 
about an attack that is what I mean, not an exploitation or 
espionage or something along those lines.
    But I think we need to get the policy right in terms of 
what we want our military to do. We need to get the technology 
right in terms of what it is that we think we are going to be 
doing, what are the collateral effects of that kind of 
activity.
    For example, if you launch something will you be able to 
restrict it narrowly or will it spread more broadly? How 
confident are we going to be in that? I think those are the 
tough questions.
    Once the policy makers figure out what they want to do, 
then the lawyers can help figure out how to do this legally 
either under the existing regimes with the, you know, the laws 
of war, the laws of armed conflict, the very statute they have 
to deal with, or that we need to make some kinds of changes and 
so on.
    Just one other quick question to address the last part of 
what you said, knowing whether we are actually under attack may 
be difficult in some circumstances because a smart adversary 
might just degrade our systems in a way that makes them 
difficult for us to use and make us--make it hard for us to 
respond to a threat somewhere in the physical world but that we 
can't quite figure out whether it is actually being destroyed 
or not or whether there is an attack that is underfoot.
    Mr. Forbes. Mr. Downing, my time is up but I would love at 
some point in time to hear your response to that maybe for the 
record or maybe if you could give it to me in person.
    Mr. Gohmert. Without objection, we will go ahead and extend 
the time to allow an answer to that question.
    Mr. Forbes. Thank you, Mr. Chairman.
    Mr. Downing. So I guess what I would add to these other 
comments that have gone before is that I am not aware of any 
particular laws that are holding the military back at this 
time, although to be clear I work in the Computer Crime Section 
of the Department of Justice so perhaps that question is best 
asked to members of our Department of Defense.
    But what I would emphasize here is that unlike other sorts 
of defenses of the Nation, the victims of these attacks are 
going to be in the hands of our private infrastructures for the 
most part and thus it is not possible for the Defense 
Department to defend in the traditional way.
    And so that is very much why we see the comprehensive cyber 
security package as being very important because it provides 
the incentives we need to help industry to defend itself, since 
the Defense Department is not going to be able to put up, you 
know, ships on the sea and planes in the air to defend that.
    Mr. Gohmert. Okay. Thank you, Mr. Forbes.
    At this time, Mr. Scott was going to defer and we will hear 
from Mr. Deutch.
    Mr. Deutch. Thank you, Mr. Chairman.
    Mr. Downing, the Administration's proposal for information 
sharing states, if I understand it correctly, that 
notwithstanding any other provision of law, businesses can 
share their customers' private information with Department of 
Homeland Security.
    I presume that means Internet and email information. What 
else are you trying to get at? What else is there that will be 
shared and could this information potentially include medical 
records and all sorts of other personal information that would 
violate the privacy laws?
    Mr. Downing. So the idea of that is shared for the purpose 
of securing cyber security. So I think the primary areas would 
be things like threat and vulnerability information.
    An Internet service provider discovers a new exploit that is 
allowing people to access computers without authority. It is 
able to report it to the government and also to spread that 
information to help defend other networks as well.
    It is true, though, that sometimes there will be a narrow 
set of private information that would have to be disclosed. For 
example, in certain kinds of phishing attacks there is an email 
that is sent to a particular person in an effort to get them to 
give up their password.
    So there may be some cases where there is a need for that 
sharing of private information. What the bill does, though, is 
contain a number of ways that would protect the privacy of that 
information, so it would have sharing restrictions once it 
reaches the government.
    The attorney general would have a set of rules that would 
require that it be treated in a protected way. It also requires 
that the person giving the information to take out all other 
sorts of private information as well.
    Mr. Deutch. Just going back to what you just said, though, 
when you referred to phishing expeditions that we should be 
concerned then about the possibility, understanding that there 
are--there are requirements that would be imposed and 
guidelines that this could include all kinds of information 
about individuals. The sorts of things that these criminals are 
looking for are all of the sorts of things that may be turned 
over to the government including bank account numbers, credit 
card numbers, passwords for all of those accounts.
    Might all of that be included in the information that is 
going to be turned over?
    Mr. Downing. I think it is important to make sure that 
there are appropriate privacy restrictions because there will 
be some, I think, fairly limited situations where that sort of 
information may need to be turned over.
    So I think attention to the need to protect that 
information appropriately is proper, and we feel we have done a 
pretty good job of putting into the bill protections for that. 
But, of course, if there are other needs here, we are happy to 
work with Congress to sharpen them as well.
    Mr. Deutch. All right. I appreciate that.
    Mr. Baker, I have a question for you. You said--you said we 
can't stop theft, and we can't ensure that elements of our 
infrastructure won't be destroyed. You refer to the 
technological problems and policy issues.
    Can you speak to the extent to which lawmakers, policy 
makers can partner with the technology community to approach 
some of these issues? Does that--is that happening? Should that 
be happening?
    Mr. Baker. Partner--I am sorry.
    Mr. Deutch. Please.
    Mr. Baker. No. I was just going to say partnering directly 
on those kinds of issues. I mean, I think the main thing is to 
be informed and so calling hearings and bringing folks up to 
explain exactly what the problems are and what is going on--I 
mean, as Secretary Chertoff explained, the supply chain problem 
and the insider problem. The zero-day threat is a significant 
one.
    But I think one of the main things to do in terms of 
lawmakers is to figure out the boxes in terms of what parts of 
the United States government are going to have the lead or--
yeah, I guess the lead in addressing these problems and some of 
the proposals in the Administration's recommendation try to 
address that.
    They try to give an enhanced role for DHS to do this. Not 
because DHS is perfect. I think they would not say that they 
are perfect. But we need to make a decision and move forward.
    We need to get going on this legislation and start down 
this road and then fix the problems as we go. As Secretary 
Chertoff said, this is just the beginning. We have got a long 
way to go.
    Mr. Deutch. And Mr. Baker, you and Secretary Chertoff both 
spend a lot of time thinking about what these--what these 
concerns might be. As you--as you play these out, all of the 
various risks, in terms of critical infrastructure and the 
risks that we face because of the technology, what is it that 
worries you most? What do you think--where do you think we are 
most vulnerable?
    Mr. Baker. Well, I think any of these--any of these systems 
are vulnerable, any of them, and the electrical one is one of 
the primary ones. I think if that was shut down or degraded in 
a significant part of the United States that is a significant 
problem.
    And it is not only a problem of somebody intentionally 
doing that. I mean, there might be reasons that a nation state 
is not going to do that in an otherwise--in a situation that is 
otherwise a time of peace. They may do it in a time of crisis.
    But you might have a terrorist group that gets its hands on 
some kind of a tool that would enable them to do this or 
somebody is experimenting with something and it leaks out and 
it gets out into the wilderness, if you will, out into the wild 
and then it just starts shutting down systems and we don't know 
what is going on--I mean, that kind of a virus, if you will, in 
terms of something leaking out.
    So I think any one of these systems is vulnerable. The 
financial system is vulnerable. I mean, any of them. Take your 
pick.
    Mr. Deutch. Thank you. Thank you, Mr. Chairman.
    Mr. Gohmert. Okay. Thank you, Mr. Deutch.
    At this time, we will hear from Mr. Gowdy from South 
Carolina.
    Mr. Gowdy. Thank you, Mr. Chairman.
    I want to thank all the witnesses for lending us your 
expertise.
    Mr. Downing, I think I understood you correctly. One of the 
Administration's proposals is to raise the statutory maximum.
    Mr. Downing. That is correct, in certain ways. Different 
parts of the statute, yes.
    Mr. Gowdy. I know that sounds good. I get the politics 
behind raising the statutory maximum. How many of these cases 
ever approach the statutory maximum? If you want to do 
something about it, do something about the guidelines, not the 
statutory maximums.
    Mr. Downing. Well, we certainly agree that a lot of the 
sentencing is driven by the guidelines and there actually was 
an effort to try to improve the guidelines, by raising the 
penalties. That occurred the year before last.
    But, unfortunately, the Sentencing Commission largely did 
not do much to raise them. I would say though----
    Mr. Gowdy. Would you be gracious enough to send to me your 
recommendations for the Sentencing Commission? They were kind 
enough to come visit with us a few weeks ago too and I was 
shocked at how infrequently even judges who were on the 
Sentencing Commission bother to follow the sentencing 
guidelines. So if you would send me those recommendations.
    Also, if you know how many motions for upward departure 
Department of Justice may have filed in cyber security cases 
that would be helpful to me as well. The----
    Mr. Downing. I would be happy to take that back.
    Mr. Gowdy. The ratio of motions for downward departure 
versus motions for upward departure is 17 to 1 for downward. So 
some evidence of the Administration's seriousness about cyber 
security to me would be requests for upward departures in the 
cases where there has been a prosecution.
    RICO, practically, for the line AUSAs in the districts how 
is RICO going to help them?
    Mr. Downing. RICO is particularly useful in those 
situations where you want to try to take down an entire 
enterprise and, in particular, where you have leadership of the 
enterprise that may not be actually committing the offenses or 
may not be in conspiracy with others who are. So the usual 
tools of the direct crime and the conspiracy are not available.
    We have seen this in terms of cyber security in the area 
where you have an organized group that will have different 
pieces of the organization doing different parts of the job.
    Some of them are actually hacking. Some of them are using 
it to commit fraud. Some of them are doing other tasks. And so 
we think that it is a useful tool to be able to take down the 
entire organization including the senior leadership, and so 
that is one important way that it would help.
    Mr. Gowdy. What leads you to think the Department of 
Homeland Security is the best agency to handle this?
    Mr. Downing. Well, to handle this, I am not quite sure 
which piece of it you mean. You mean why should they get 
clarified authorities to be a leader in the area of cyber 
security?
    Mr. Gowdy. Right, as opposed to the Bureau.
    Mr. Downing. Well, we think the Bureau is an important 
piece of the puzzle but they have a very different role than 
that we would proscribe for the Department of Homeland 
Security. The Bureau does a terrific job on investigating cases 
and they are a critical piece of creating deterrence.
    However, DHS has an important role too. DHS, as the 
proposal would suggest, would strengthen or clarify the rules 
that would allow it to be better at outreach with private 
industry, making clear its role in helping to protect the 
civilian infrastructure and the government infrastructure.
    So it is really a different role that we see for DHS, and 
that is why we are seeking to have its authorities clearly laid 
out in legislation.
    Mr. Gowdy. Can you tell me the difference between computer 
trespassing/theft and treason?
    Mr. Downing. I am sorry. And treason?
    Mr. Gowdy. Treason. When does it become treason?
    Mr. Downing. Well----
    Mr. Gowdy. Because the penalty for treason is already 
pretty high, I think.
    Mr. Downing. I believe it is, yes. Treason, I would have to 
probably get back to you on that. I am not sure I know the 
elements of the offense of treason. But my understanding would 
be that it would require that it be done in terms of wartime or 
where it would be a direct----
    Mr. Gowdy. So it has to be during a time of war to be 
treasonous?
    Mr. Downing. I am sorry. I don't want to guess.
    Mr. Gowdy. What about one of our law professors?
    Mr. Kerr. My understanding is that treason is defined by 
the Constitution and requires somebody who is loyal to the 
United States who does an act intentionally against the 
interests of the United States as an act, intentional act of 
disloyalty to the United States.
    So I don't see how that is implicated in an act of computer 
trespass, which can be conducted for many different reasons. It 
might be. You could have an act of computer trespass that is 
part of an act.
    Mr. Gowdy. So if a soldier were to download information and 
give it to an enemy, would that be treasonous or not?
    Mr. Kerr. I don't know.
    Mr. Gowdy. What do you think?
    Mr. Kerr. Well, prosecutions for treason, my recollection 
is that the Constitution has requirements as to the witnesses 
that have to be available for acts of treason. So it is 
actually a very rarely prosecuted crime. I don't know if there 
have been prosecutions for treason in my lifetime.
    But it certainly would be a criminal act with severe 
penalties. Whether it is an act of treason or not, I don't 
know.
    Mr. Gowdy. I yield back, Mr. Chairman, or yield to the 
gentleman--no, I am out of time.
    Mr. Gohmert. I thank the gentleman.
    The Chair now recognizes the distinguished gentleman from 
Virginia, Congressman Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Chairman, one of the issues we have been working on is 
ID theft and the statutory maximum is not usually the problem. 
The problem is that these cases don't even get investigated 
much less prosecuted.
    And so let me ask in that line, Mr. Downing, is 
unauthorized possession of credit card numbers, passwords, ID 
information--is unauthorized possession only a crime?
    Mr. Downing. Under criminal law, it generally has to be 
with an intent to commit a fraud. So mere possession may not be 
but in almost all cases we can show that there is an intent to 
commit a fraud.
    Mr. Scott. Well, you have--but just--if you just looked in 
my computer and found all kinds of credit card information you 
would have to either show that I intended to do something with 
it or that I obtained it illegally.
    Mr. Downing. That is right.
    Mr. Scott. That mere possession is not a crime.
    Mr. Downing. I believe that is the case.
    Mr. Scott. Now, child pornography, if you found something 
on somebody's computer you wouldn't care how they got it, would 
you?
    Mr. Downing. We would definitely care how they got it. It 
would also be a crime for mere possession.
    Mr. Scott. Well, I mean, in terms--in terms of a crime 
being committed you could prosecute without being concerned 
about how they got it.
    Mr. Downing. That is true. Mere possession of child 
pornography is a crime.
    Mr. Scott. Is--do you know if in the Federal Government 
whether or not there is any requirement that banks try to limit 
ID theft by doing things like sending a real-time email every 
time a charge is made?
    I mean, there is no technological problem with the bank if 
somebody uses a credit card instantaneously text messaging that 
to the user. Is there anything--does anybody have any authority 
in the Federal Government to require banks to do stuff like 
that?
    Mr. Downing. As a technological matter, I assume that it is 
possible to do that. As far as the regulations----
    Mr. Scott. But it is technologically possible to do it. Is 
there anybody in Federal Government that can order the banks to 
do that?
    Mr. Downing. I don't know the answer to that question, I am 
afraid.
    Mr. Scott. Under RICO, we--Mr. Downing, you want to use 
RICO for computer crimes. Why is not the underlying crime that 
you are investigating enough to access RICO rather than the 
fact that they used a computer?
    I mean, if they--if they are doing some operation that is 
some big organized crime effort that ought to be enough to get 
RICO. Why do you have to show that they are using a computer? 
Why is that important?
    Mr. Downing. There are, certainly, some cases where there 
is another predicate offense that could be used to prove the 
RICO. But there are some situations where it might not be. I am 
going to give you an example.
    If an organized crime group were to use a denial of service 
attack against a gambling website, let's say, to prevent the 
site from operating right before a critical event, it would be 
an extortion under Section 1030(a)(7). It is not clear that 
that sort of extortion falls into traditional extortion 
statutes since there is no physical property at risk and no 
risk of harm to human life.
    So it is true that there are some areas that could be done 
through a RICO prosecution, but we feel that this would close 
some gaps and allow us to make sure that it covers it in all 
situations.
    Mr. Scott. You have in your testimony the statement that 
the Administration has proposed a mandatory minimum sentence of 
3 years imprisonment as one appropriate way to achieve the 
needed deterrence.
    Do you have any research that shows that mandatory minimums 
rather than longer maximum sentences subject to guidelines 
serves as a deterrence?
    Mr. Downing. I am not an expert on the research on 
mandatory minimums, but I can say that this particular one is 
very narrowly focused.
    Mr. Scott. Can you point to any--can you point to any 
research--you can't point to any research that shows that it 
serves as a deterrence.
    Mr. Downing. I would be happy to research that issue and 
get back to you.
    Mr. Scott. Are you aware of research that shows that 
mandatory minimums do not reduce crime and serve only to waste 
the taxpayers' money? Are you familiar with that research?
    Mr. Downing. I am not aware of that research either. That 
is not my field of expertise.
    Mr. Scott. Mr. Chairman, my time is just about up. But 
before I yield back, I would just like to ask for the record 
for the witnesses, I guess Mr. Downing and anybody else, on 
these reports, exactly what--how these reports work, who can 
ask for it, do you need a subpoena and then what happens to it 
because in earlier versions of Homeland Security, information 
sharing was very important.
    So if Homeland Security got something the FBI and 
Department of Defense and everybody else could look at it, how 
this information is shared and what exactly--what information 
there can be, and also we talked a little bit about the 
international aspects of the Internet and trying to prove who 
did it is a problem.
    But another problem is if you find out who did it does the 
Department of Justice have jurisdictional problems--if things 
are going on in France that affect things in the United States 
how we deal with the jurisdictional problems, if anybody would 
want to respond to those for the record.
    Thank you, Mr. Chairman.
    Mr. Forbes [presiding]. Thank you, Congressman Scott. And 
do each of you have a comfortable understanding of what 
Congressman Scott needs to supply? Good.
    If you have any questions I am sure he will be glad to 
clarify that for you and if you would respond to the record for 
him on that we would appreciate it.
    Chair recognizes the former Attorney General of California, 
Mr. Lungren.
    Mr. Lungren. Thank you very much, Mr. Chairman.
    Secretary Chertoff, in the Cyber Security Task Force we had 
on the Republican side early this year information that we got 
both public and private was that the best estimate was that 
perhaps 85 percent of intrusions in the cyber world could be 
taken care of if we just had good cyber hygiene and that 
because of that, because we don't have that, the 85 percent 
clutter that is out there makes it more difficult to identify 
the 15 percent of the more serious nature.
    When we are asked to perhaps pass new laws with respect to 
criminal sanctions and so forth, I guess one of the questions 
our constituents would ask is are we as a government as well as 
the private sector doing what we need to do to identify and 
encourage good cyber hygiene, and if not, why not?
    Mr. Chertoff. Well, Congressman, I think you are dead right 
about this. I think that, and I can't tell you if 85 percent is 
exactly the right number, but I think you could take a lot of 
hay off the haystack with good cyber hygiene. What do I mean by 
that?
    I mean appropriate use of passwords and changing of 
passwords, appropriate implementation of access controls, 
appropriate rules about who and what can download off a network 
and who and what can insert various kind of media into a 
network.
    And you are quite right. A lot of this is in private hands 
and that is why when I look at the Administration's proposal, 
in many ways, to me, the more significant element has to do 
with the requirements as it relates to critical infrastructure 
and requiring that a nationally significant critical 
infrastructure have plans and programs in place to make sure 
they have cyber security and much of that involves internal 
processes and internal programs.
    Now, there are a lot of different ways to skin the cat and 
I am not prescribing one particular way to do it. But a big 
challenge is to architect your internal security system so that 
it is not so cumbersome that people just avoid it altogether 
but that it is robust enough so that it is not obvious or easy 
for people to penetrate it.
    You know, take a very simple thing like the ability to take 
a thumb drive and put it into a network and download, as was 
reported to be the case with Bradley Manning. If you are 
dealing with sensitive systems you ought to have restrictions 
on who has the capability to do that.
    So, to me, rolling out a set of processes and having the 
private sector have to meet certain standards would take a lot 
of hay off that haystack.
    Mr. Lungren. I guess it would be my observation that as we 
are looking at these proposals, and I certainly support us 
moving forward in the area of cyber security, enhanced 
awareness of it within our various laws, I would hope that we 
would have at least as much effort in the public and private 
sector on raising the awareness of the need for computer 
hygiene.
    I mean, we need an equivalent of a Smokey the Bear campaign 
to somehow help us. That is not to say we ought not to do these 
things now.
    One thing I would like to address to Professor Kerr and Mr. 
Chertoff and Mr. Downing is this. There has been a Memorandum 
of Understanding entered into by the--by DHS and by the Defense 
Department in terms of proper exchange of information, et 
cetera. I happen to think that is a good start.
    However, if we do not from the beginning ensure that civil 
liberties are protected here and that we are not in any way 
acting in a position that does not recognize the traditional 
and constitutional priority of civilian control of the 
military, we are buying a real problem.
    I guess my question--I will start with you, Professor Kerr, 
if you have some knowledge of that Memorandum of Understanding. 
Are you satisfied that that--it has reached an appropriate 
position of balance such that as we designate DHS as the 
primary repository of this information and the coordinator of 
information and--or overview of cyber security throughout the 
Federal Government that the concern--the legitimate concerns of 
civil libertarians or anybody, any American concerned about 
that, have been met?
    Mr. Kerr. I share, certainly, all of your concerns with the 
need to protect privacy and civil liberties in this situation 
and also to balance that with the appropriate exchange of 
information within the government, which can be tremendously 
important.
    As an outsider, I really can't tell how things are working. 
So I would love to know the answer just as you would like to 
know the answer but, unfortunately, I don't have it.
    Mr. Lungren. Mr. Chertoff or Mr. Downing?
    Mr. Chertoff. I think I can probably offer some insight 
into this because I think this in the main reflects an 
agreement that we had in the prior Administration between DHS 
and the Department of Defense concerning the proper allocation 
of responsibility.
    With respect to government networks and the commercial 
domain, I think it was understood that the authorities should 
be DHS authorities to maintain the principle of civilian 
control.
    On the other hand, there are unique capabilities in the 
Department of Defense both in terms of access to information 
and tools and techniques which are important to have available 
to deploy to protect the United States, and as long as that is 
undertaken under the authorities of DHS I think you manage to 
balance between using all of the elements of national power but 
having a civilian-controlled and civil-liberty respecting way 
of actually operationalizing.
    You know, I would leave you with this thought. I don't 
think security and privacy here are in conflict. I think they 
actually are mutually reinforcing.
    You cannot have privacy on the computer if you don't have 
the security to be able to control who gets into your computer, 
and I think that it is important not to lose sight of the fact 
that it would not be a triumph of civil liberties to keep the 
U.S. government from protecting computers so the Chinese 
government could get on our computers. [Laughter.]
    Mr. Downing. If I may, I would add, certainly, the 
Administration is very concerned about the sharing of 
information and that there are appropriate civil liberties and 
privacy protections in place.
    One example of that is what I referred to earlier in the 
legislative proposal where sharing is going to occur under a 
set of rules that allows the private sector to share with the 
government. We have really been very careful to think through 
how that sharing is going to happen once it occurs inside the 
government, and there would be appropriate limitations to make 
sure that there isn't going to be any abuse.
    Mr. Gohmert [presiding]. Thank you, Mr. Lungren.
    At this time we will hear questions from Ms. Jackson Lee of 
Texas.
    Ms. Jackson Lee. Let me thank the Chairman and the Ranking 
Member for this hearing. It is interesting to see our former 
Secretary of Homeland Security, thanking him for his service 
and as well the numbers of individuals.
    Mr. Baker, I was looking for my friend from Texas but you 
have a good name and certainly I know that testimony has been 
productive. Mr. Secretary Chertoff would know that I was in 
Homeland Security and going back to Homeland Security, still 
serve on Homeland Security and cyber security has been an 
enormous issue.
    I am going to go right to you, Mr. Secretary, and I think 
we do have a dilemma between the First Amendment rights, as we 
have always had a tension, the whole question of the--when we 
had the discussion on the PATRIOT Act was during your tenure 
and some of the ramifications of that.
    But I am going to go directly to an entity, that preceding 
9/11 there were challenges and that is China, and cyber 
security is not any longer a fly that we swat at. It is 
annoying. They have just gotten my formula for the--or the 
formula for how to do a Gucci purse or they have just found out 
how to make Colgate toothpaste or at least label it and say it 
is Colgate toothpaste.
    How dangerous is it to have a friend that is engaging in 
the intrusion of one's cyber system and does that friend's 
accessibility then open it up to individual--to entities that 
would wish to do us harm?
    Mr. Chertoff. Well, I think, you know, the National 
Counterintelligence Executive recently publicized the extent to 
which our networks and our systems are being penetrated by 
foreign powers, and I would--I would have to say I think it is 
now a general consensus that in terms of both our economic well 
being and potentially our national security and military 
posture the ability of foreign governments to penetrate into 
our networks is probably at the very top of the list of threats 
that we face.
    You know, I have heard people debate whether the theft of 
intellectual property has national significance. If you 
consider the amount of money and time we spend developing our 
technological advances, to have somebody come in and steal it 
and short circuit it is nothing less than giving away our 
economic competitiveness.
    Beyond that, again, just relying on open source public 
documents like the U.S.-China Security Commission, we know that 
in China, for example, there is a military doctrine that looks 
to cyber warfare as one of the domains of warfare.
    So, again, we have to be concerned about the possibilities, 
as Mr. Baker said, either in a tense situation or even in a 
peacetime situation a foreign adversary taking advantage of 
their ability to distract us by degrading or disrupting our 
networks.
    So, you know, there are multiple dimensions to this. There 
are some diplomatic issues that need to be pursued. But most 
important, I think, we need to have the internal capability to 
manage our risk in a way that does not leave us hostage to 
foreign actors.
    Ms. Jackson Lee. I thank you. And Mr. Baker, I don't know 
if this--thank you very much, Secretary--whether this would fit 
you but on the Homeland Security side we are completely 
frightened of this process or prospect of cyber security as it 
relates to, and I know that the government witness is from 
Intellectual Property but the extent that cyber security can 
intrude on water distribution, electrical grids and how much 
government oversight, intrusion and emergency action should be 
engaged in as it relates to cyber security or the protection of 
our cyberspace.
    There are a lot of bells going off but how much government 
activity should we have? How precious is this cyberspace that 
it could literally shut us down as a Nation?
    Mr. Baker. The cyberspace is precious. It is absolutely 
precious. We have to be worried about it being degraded and 
destroyed, disruptive and having a shut down, having 
significant parts of our economy shut down.
    As others have said, I think we are in, you know, based on 
everything that I have seen, sort of a pre-9/11 mode right now 
where we see we have got some significant problems. We see we 
have got significant vulnerability. We have got adversaries out 
there that are serious about doing us harm and we need to get 
going and we need to get organized.
    Ms. Jackson Lee. What would you want us to do and----
    Mr. Baker. So we need--we need to figure out one thing, 
just for example, and was talked about here. One thing we need 
to figure out is as a society how much government involvement, 
meaning how much government monitoring of private 
communications, do we want and are we willing to tolerate.
    And if we are going to have government monitoring of 
private communications in order to obtain information to 
protect us from cyber security threats, how are we going to 
monitor that, how do we monitor the monitoring. In other words, 
what privacy protections do we have in place, what oversight.
    We have to pay for that oversight. Everybody talks about 
oversight. Oversight is expensive so we need to make a 
commitment that we are going to pay to have the right people in 
place to do that kind of oversight.
    So I think it is inevitable that you are going to have 
government monitoring of private communications to some degree. 
The question is how much and then who watches to make sure that 
we are all comfortable with what is going on.
    So I think it is--I think you are going to have--you have 
to have--I think no entity standing alone, private sector or 
government, anybody else, military, civilian, has all the tools 
necessary to address this threat.
    We need to bring all of our resources together in a way 
that we are all comfortable with and then move forward.
    Ms. Jackson Lee. Mr. Chairman, would you allow Mr. Kerr to 
answer that question?
    Mr. Gohmert. Yes, without objection. Mr. Kerr, you may 
answer.
    Ms. Jackson Lee. And you might put your influence on the 
question. Thank you.
    Mr. Kerr. Yeah.
    Ms. Jackson Lee. And I thank Mr. Baker. Thank you, 
Professor.
    Mr. Kerr. Thank you. I think striking the right balance is 
quite difficult then and Mr. Baker's answer raises, I think, 
what is the missing half of the puzzle that we are looking at 
in this hearing, which is the procedural rights, the rights of 
government investigation.
    The problem in cyber security from the standpoint of 
criminal law is not that the punishments aren't high enough. 
The punishments are not only as high as they are in non-cyber 
crime laws. In many ways, they are higher.
    The difficulty is it is very difficult to catch people. So 
what tends to happen is the government wants more investigatory 
power. That becomes quite controversial. So instead, the 
government gets broader and broader substantive criminal laws 
and greater and greater punishments for crimes.
    We should not use substantive criminal law and the Computer 
Fraud and Abuse Act as a substitute for the difficulty of 
catching the bad guys. We should focus on making sure the 
government has the power necessary to catch people that are 
engaging in wrongdoing online.
    Ms. Jackson Lee. I thank the Chairman.
    Mr. Chairman, if I could just say to you or say for the 
record I know that we are in the Crime Subcommittee and the 
Committee dealing with terrorism but I truly believe I think 
Secretary Chertoff and I think Professor Baker might answer Mr. 
Kerr's point.
    I think we need to ramp up and get coordination between 
military, civilian and government resources. We need to get in 
front of this. If we are pre-9/11 on cyber security we have got 
some work to do, and I hope this Committee can be part of the 
solution, Mr. Chairman.
    I thank you very much for yielding.
    Mr. Gohmert. Thank you, Ms. Jackson Lee, and you do make a 
very good point. We do need to get ahead of it and I appreciate 
you all addressing that. Hopefully, we will get into that a 
little further.
    At this time, I have the Honorable Mr. Goodlatte from 
Virginia with questions.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    Welcome, all of you. I want to direct this first question 
to Mr. Downing and Mr. Baker.
    The Administration proposal includes a so-called ``name and 
shame'' provision to coerce industry to beef up cyber security. 
We certainly understand what that objective is but I wonder if 
that doesn't paint a target on the backs of vulnerable systems 
for cyber criminals to exploit or to encourage others to keep 
their problems as hidden as possible so that they won't be 
discovered to have been put in that situation.
    I wonder if you might comment on that, starting with you, 
Mr. Downing?
    Mr. Downing. Certainly. The--it is important to understand 
that this publicizing the vulnerability of a particular company 
is done at an extremely high level. It wouldn't reveal any 
particular threats that would be successful against a network. 
It would simply provide some information to the public and to 
the government about how well the company is doing overall.
    I think it is also important to think about what sort of 
incentives we think are appropriate to encourage the kind of 
better cyber security behavior that we would like to see. One 
option that the Administration has not proposed is to create a 
huge regulatory framework that would require lots of fines and 
auditors and all that sort of thing.
    Instead, it is a light-touch regulatory idea that would 
require but there still has to be some incentive made to cause 
companies to change their behavior. And so in this way, we 
think that by publicizing those that need to improve, that will 
provide a significant but not overreaching type of incentive to 
get them to change.
    Mr. Goodlatte. Mr. Baker?
    Mr. Baker. Yes, just real quick.
    I think you are right to be concerned about that. I think 
the Administration understood that and tried to come up with a 
solution where there was a sufficient amount of enhanced 
incentives for people to--companies to improve their cyber 
security posture without making them a target, as you suggest.
    I think you are right, we need to make sure we get the 
legislation right on that point. I would say, however, I mean, 
I think to a certain degree even today companies face risks in 
this area by not exposing to some extent what their 
vulnerabilities are because they have obligations to their 
shareholders and reporting requirements to the SEC to make 
known a set of risks that may be material in some fashion. The 
SEC recently put out some guidance on this.
    I think that is very significant. I mean, I think there is 
an incentive already and I just think it is unrecognized.
    Mr. Goodlatte. Thank you.
    Mr. Chertoff, how can Congress encourage the kind of 
innovative solutions we need from the private sector for cyber 
security and at the same time avoid a one-size-fits-all 
regulatory scheme?
    Mr. Chertoff. Well, first, let me say that, as I said in my 
opening statement regarding the legislation, I think it is a 
good start but I think there are some pieces that need to be 
strengthened.
    The good start piece is the concept of having the 
government lay out general standards and requirements but 
allowing the private sector to meet those standards using a 
variety of different methods. That is actually pretty similar 
to what we did in the chemical security area back when I was at 
DHS.
    So the good news is I think that gives you flexibility and 
allows people to tailor an approach, including one which the 
private sector can help to develop.
    I think on the--on the disappointing side, I would actually 
like to see some tougher responses to the issue of those 
elements of critical infrastructure that don't meet those 
standards or requirements because I think if you have a serious 
vulnerability in our electric grid or our water or any other 
important element of national security we are not going to have 
a lot of time to coax those entities into coming into 
compliance.
    We need to have the ability at some point to compel them to 
come into compliance. So that is an area where I would, 
frankly, like to see a little bit of strengthening.
    Mr. Goodlatte. Thank you.
    And back to you, Mr. Baker, how would including the CFAA 
within RICO help protect Americans from cyber criminals?
    Mr. Baker. It is a further tool that prosecutors can use to 
go after these very aggressive robust organized crime groups, 
mainly located overseas, and I take Professor Kerr's point. It 
is difficult.
    You have to have two things. You have to have the legal 
tools in place so that you can investigate and prosecute these 
crimes if and when you get your hands on somebody.
    But then we need to work with our international partners as 
the FBI does regularly to actually go out and get them and 
bring them to justice either in the United States or in a 
separate jurisdiction. But I think RICO is another tool that 
strikes me as appropriate here because that is what is going 
on. Organized crime groups are using the Internet to steal a 
vast amount of funds.
    Mr. Goodlatte. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Gohmert. Thank you, Mr. Goodlatte. And having been a 
judge for a decade and at times sat on the bench and thought 
does this lawyer not know that he's wasting his time asking 
those silly questions, it is a real honor to listen to such 
insightful questions that I think we have heard on both sides 
of the aisle here, and it points to the understanding people 
here have of the risks and problems inherent in what we are 
talking about.
    One of the things that--I don't know, it may be the only 
thing that the Heritage Foundation, the ACLU, Mr. Scott and I 
have agreed on and that is that we have over criminalized so 
many things, 5,000 or so crimes.
    We don't even know how many because they are not required 
to come through the Judiciary Committee in order to slap a 
prison sentence on, and there are so many things that have been 
made a crime. And people say oh, well gee, the Justice 
Department would never pursue anything like that.
    But it turns out it is not just up to the Justice 
Department. You know, we had a hearing previously where a guy 
just didn't stick the little sticker on his package that had an 
airplane with a line through it and he went to prison. You 
know, a guy received an orchid from a South American company 
without properly filling out their material. He went to prison 
for 18 months.
    So some things do get prosecuted. The poor guy that sent 
the package without the sticker with the airplane with the line 
through it was run off the road with what sounds like what 
amounted to an EPA SWAT team, ran him off the road, threw him 
to the ground, handcuffed him and hauled him in.
    So we are rather sensitive to over criminalizing and if I 
understand correctly we are talking about the potential for the 
Federal Government to run somebody off the road like they did 
the gentleman from Washington State and put him in handcuffs 
because he checked that he had scrolled down and read and 
agreed to the end user agreement and he didn't actually do 
that, and then as a result now he has committed a Federal 
crime.
    Is that a possibility, Mr. Kerr?
    Mr. Kerr. It is certainly my understanding of the Justice 
Department's interpretation of the law but I don't know if the 
Justice Department here would agree.
    Mr. Gohmert. Well, and then a good question was asked, Mr. 
Baker. How much government monitoring of private communications 
are we going to allow, and that has been a concern of a lot of 
us on both sides of the aisle.
    Have any of you read the President's American Jobs Act? Not 
my American Jobs Act. It was two pages. But the President's 
that was 155 pages.
    Were you aware that he set up a--the Public Safety 
Broadband Corporation in that that will help take care of our 
use of broadband? I mean, had you all heard that?
    Well, it won't do anything to create jobs but it will give 
more government control of our broadband, and you couple that 
with a potential push for more control of the Internet here it 
causes me some concerns.
    But on the same--at the same time, I know the question was 
asked who would have ever dreamed that planes would be flown 
into a building and some of us said well, that was Tom Clancy 
back several years ago had a hijacker fly one into the Capitol. 
Well, Clancy, if you--he has also written about this Net 
problem and Net security.
    So I mean, it is clearly an issue that we have got to deal 
with. Let me ask what--Mr. Chertoff, I will start with you. You 
said the value of damage for our intrusion may exceed the value 
of the asset. How do you think it would be damaged, if you 
could be more specific?
    Mr. Chertoff. I mean, here is the challenge you have, I 
think, in the case of some of the critical infrastructure. You 
might own a power plant and it might be worth a certain amount 
of money, and no rational person is going to invest more in 
securing the power plant than it is worth.
    Mr. Gohmert. Right.
    Mr. Chertoff. I mean, that is common sense. The problem is, 
and we have seen this both in terms of cyber and in the 
physical world, that power plant may be critical in terms of 
the whole surrounding community, even a state, involving public 
health, involving public safety, involving public 
communication.
    If that power plant goes down, there could be an enormous 
loss of life and economic damage that exceeds the value of the 
asset.
    So the challenge is how do you make the people who operate 
the asset and own the asset invest enough to protect against a 
cyber attack, and I think that is where it is appropriate to 
have the government play a role in laying out a set of general 
metrics and a set of general standards and then allowing the 
private sector to figure out the precise way in order to meet 
those standards and metrics.
    Mr. Gohmert. Anybody else care to comment on that aspect? 
If not----
    Mr. Scott. Can I make another comment, a quick comment?
    Mr. Gohmert. Well, sure. It is your turn.
    Mr. Scott. No. I have already asked questions.
    Mr. Gohmert. Oh, okay. All right. Yes. Then we will go to 
Mr. Scott.
    Mr. Scott. Mr. Chairman, Mr. Baker and Professor Kerr have 
talked about the problems in defining ``exceeds unauthorized 
access.'' You kind of know it when you see it but, obviously, 
that term can cover a lot more than we want covered and, for 
the record, they can--if they have any suggestions as how we 
can define ``exceeds unauthorized access'' in a way that covers 
what we want covered without being over expansive that would be 
helpful.
    Thank you, Mr. Chairman.
    Mr. Gohmert. Well, thank you, Mr. Scott. Do you have any 
further questions? I mean, we could mount to a second round if 
you wish. Pardon?
    Mr. Scott. If you want a second round.
    Mr. Gohmert. Okay. Go ahead. I will allow Mr. Scott to 
complete--you can see the two of us are here and this is such 
an important issue. If you don't mind, let's--go ahead, Mr. 
Scott, if you would.
    Mr. Scott. Well, if--do you want to--do you want to--do you 
have any recommendations on ``exceeds unauthorized access?''
    Mr. Kerr. I do. I think there are two basic strategies that 
could be used to limit ``exceeds authorized access.''
    One would be to just amend the current definition. 
Unfortunately, the current definition of ``exceeds authorized 
access'' is entirely circular. It says that you exceed 
authorized access when you do that to which you are not 
entitled, which doesn't really answer the question.
    It just makes the issue entitlement rather than 
authorization, just substitute a word. So one method of 
limiting the statute would be to clarify that that definition 
does not apply to mere terms of service violations and computer 
use policies, essentially just defining by exclusion that which 
the definition does not apply.
    And another approach would be to limit the substantive 
statute rather than limiting ``exceeds authorized access'' by 
saying that Section 1030, the Computer Fraud and Abuse Act, 
only applies to obtaining personal information or valuable 
information rather than any information.
    So under that approach, violating a terms of service or 
violating a terms of use could in fact lead to criminality but 
only in the kind of cases that the Justice Department focuses 
on, namely those cases where there's access to a sensitive 
database by a government employee or particularly valuable 
information that is taken in violation of an employer's 
computer use policy.
    Both of those strategies, I think, are two different ways 
of getting to the same conclusion and either is acceptable.
    Mr. Baker. I think the main thing that I am concerned about 
is making sure that we have the tools necessary to prosecute 
insiders who have access to vast amounts of data whether they 
are at a government employer or whether they are with a 
private-sector employer.
    I mean, if you think about how much data employees at 
Facebook or Google have access to, it is amazing, about--access 
to information about Americans and what Americans are doing. 
And so I think that is the kind of thing that I want to make 
sure that we don't change the statute to somehow inhibit or 
cripple, in some ways, the ability of the government to 
prosecute those kinds of cases.
    So if you were to somehow take--I mean, I have seen some of 
the suggestions with respect to amending the definition of 
``exceeds authorized access.''
    As long as they still allow for prosecution in the 
employment context, I think that would be the key thing and it 
would avoid some of the things that Professor Kerr was talking 
about in terms of what--you know, misrepresentations that 
people make on Facebook or website and so on.
    The other--I think his suggestion with respect to amending 
the specific provision of 1030(a)(2)(C) I think shows--I think 
there is more promise there. It is a more narrowly-focused 
provision. It doesn't deal with this definition. It applies to 
the whole statute, and I think it does get at the kinds of 
cases where somebody does something, accesses information in 
order to steal something or do something fraudulent or cause 
some harm. I think that shows much more promise, at least in my 
mind.
    Mr. Scott. Mr. Downing, this is limited to--this entire 
code section is limited to computers--government computers, 
financial institutions and protected computers. What about my 
computer? Is that--is that a Federal jurisdictional problem?
    Mr. Downing. The computer in your office? Yes, it would 
certainly be covered. A protected computer----
    Mr. Scott. What about my personal computer?
    Mr. Downing. Protected computer is actually a fairly broad 
term. So it would include----
    Mr. Scott. What is--what is not included?
    Mr. Downing. Not included would be certain stand-alone 
computers that aren't connected to the Internet, for example. 
Relatively rare these days. Most computers are covered by the 
term ``protected computer.''
    Mr. Kerr. If I could add--if I could add a brief comment, 
actually computers--stand-alone computers are also protected 
computers. Every computer in the United States is a protected 
computer because the definition of protected computer includes 
any computer that affects interstate commerce, a term of art 
which includes anything that the Commerce Clause can include, 
and under the court's--Supreme Court's--Commerce Clause 
jurisprudence that would include every computer.
    So basically everything with a microchip except for a 
handheld calculator--there's an old 1980's era exclusion in 
there--is included.
    Mr. Scott. Thank you.
    Mr. Downing, under civil forfeiture, who gets the proceeds 
of the forfeiture?
    Mr. Downing. Generally, the proceeds are kept by the 
government. In part, they are used to further enforce the laws 
and part of it is put back to the general Treasury.
    Mr. Scott. Does the local--one of the problems I have with 
some of these civil forfeitures is that there is an incentive to 
do law enforcement based on how you can make money and fund 
your local operation, which kind of distorts the criminal 
justice system.
    When you say the law, does the FBI get to keep the money 
generally or does the local FBI office get to keep the money 
and avoid cutbacks in employment that may be coming with this 
budget deal?
    Mr. Downing. I am afraid I don't know all the ins and outs 
of the forfeiture rules. But my understanding is that it 
doesn't go to the local office at all, no. This is an important 
tool for getting at certain kinds of actors where criminal law 
is not sufficient.
    Mr. Scott. Well, yeah. And I know why we have civil 
forfeiture. My question is whether it is distorting. You have 
got Eighth Amendment problems of proportionality. Two people 
commit the same crime and one loses a house and a car. Another 
one doesn't lose anything.
    Who gets the money and whether or not you want civil 
forfeiture rather than criminal forfeiture means that you don't 
have to prove that somebody is guilty. They got to prove their 
innocence to get their money back, and so even if they are 
innocent they are out of attorneys' fees and a lot. So civil 
forfeiture, if not done properly, can be problematic.
    Thank you, Mr. Chairman.
    Mr. Gohmert. Okay. Thank you, Mr. Scott, and I just want to 
follow up. Now, of course, we have had a Federal court say you 
can't prosecute, as has been done before, a cheerleader mom 
that violates an end user agreement. But it brings to question 
in my mind whether there is anybody that polices the end user 
agreements, just what people are required to agree to before 
they utilize a service.
    Mr. Downing. Well, I am not sure what you mean by polices 
but, certainly, there are a couple of forces that would control 
what gets put into an end user agreement by a big website.
    Certainly, these things are made public because, obviously, 
people are signing them, and when Facebook recently or perhaps 
it was last year changed their user agreement in a way that was 
really egregious in the eyes of many of the customers, they 
protested and moved away from that--using that service. So 
there's a real vote-with-your-feet kind of possibility here.
    End user agreements are also important in 
the context of the Federal Trade Commission. So companies have 
to live up to their--what they say in their agreements, and if 
they fail to do that then they can be sanctioned for unfair 
trade practices.
    Mr. Gohmert. And we know here on the Hill--it hadn't been 
disclosed publicly--we have had government, our congressional 
computers hacked from foreign countries, at least one, and it 
is a threat and it is--can be international terrorism of a sort 
when you, as you all have discussed, realize what could be done 
by destroying our Internet usage.
    But by the same token, you don't want to create a problem 
for the greatest freedoms any country has ever experienced, as 
we do here.
    I know there are some that say well, gee, the Justice 
Department would never pursue that because that would just be 
too much. But we have heard example after example of when 
prosecutions have occurred that people can't believe. It just 
sounds like a Kafka novel or something.
    But I would hope that on both sides we are ready to be as 
tough as possible on espionage, whether it is domestic or 
foreign, so that the Homeland Security, our Justice Department 
intelligence has the ability to pursue those that want to hurt 
us but at the same time not pursue somebody just because they 
made some minor mistake or even negligently made a mistake.
    And one of the things we pushed is, and we haven't done it 
yet, defining what things are really just clerical 
administrative mistakes individually where maybe you should 
have somebody subject to a fine and what requires prison 
sentences, forfeiture, all of those kind of things so that we 
don't keep--just so that we can show how tough we are for the 
next election criminalize some conduct where it is more 
appropriate to just make it a fine or decide does it justify 
somebody being thrown down in front of their wife and kids and 
handcuffed and hauled in.
    So I think that is the issue and a lot of us on both sides 
of the aisle want to make sure that we don't do that.
    Before we conclude the hearing, you have given your opening 
statements. You have answered questions and been very gracious 
in doing so. But I would just like any final comments based on 
the questions that have been asked, things that may have been 
triggered in your mind, things that we ought to consider 
because this will all be part of the congressional record here.
    So if you would, starting with Mr. Downing.
    Mr. Downing. Thank you for that opportunity.
    There have been a lot of characterizations of what the 
Department of Justice position is on the 1030(a)(2) question of 
``exceeds authorized access.'' Let me be very clear that DOJ is 
in no way interested in bringing cases against people who lie 
about their age on a dating site or anything of the sort. We 
don't have time or resources to do that.
    And, in fact, no court has in fact ruled that that is an 
appropriate use of the statute and, quite to the contrary, the 
one case that has addressed it ruled that it is not an 
appropriate use, and the government has not brought any further 
cases. So we are a little bit concerned whether this is truly a 
problem.
    Given all that, however, we recognize that this is an 
issue, and we are very much interested in working with the 
Committee to resolve this question in a way that is proper for 
all.
    What we do need to be careful about is to make sure that as 
we do that, we don't harm the ability to bring cases that 
everyone in the room would agree are proper and appropriate 
ones.
    And so, as we think about what sort of solution might be 
available here, that we do it in a way that isn't going to 
cause other harm and actually harm our ability to create 
deterrence in this area, which is so important.
    Mr. Gohmert. Mr. Chertoff?
    Mr. Chertoff. Well, I guess I would just conclude by saying 
I do think it is worth giving serious consideration to 
Professor Kerr's point about maybe some narrowing of the--of 
the statute.
    I agree with Mr. Baker that I think we are probably more 
concerned about insiders and employees who exploit their 
privileged position than we are people getting on Facebook.
    But the other point I would make, which I think is 
important, is there is a little bit of a tendency over--
observed over the years to deal with the issue of criminalizing 
by simply piling on additional penalties and jail time rather 
than recognizing the real challenges and being more efficient 
and more effective in enforcing the law against a broader 
number of law breakers. And here the problem is a lot of the 
activity is overseas, and we are not going to find the people 
who do this stuff because they are never coming over to the 
United States.
    And, frankly, in some countries there is not a lot of 
interest in cooperating with us.
    So an area which I think is worth exploring is what we can 
do to leverage, again, all of our economic and other powers to 
really induce countries in the world that have tolerated open 
and notorious criminal activity on the Internet into coming 
into compliance with what ought to be any reasonable 
international norm about preventing this kind of cyber 
criminality.
    Mr. Gohmert. Do you have any last suggestions about how we 
do that, how we deal with foreign individuals?
    Mr. Chertoff. Well, you know, I mean, one of the, of 
course, is a topic for a whole separate hearing probably. You 
know, we have entered into conventions with other countries 
and, certainly, the Europeans have been--have been cooperative.
    But there are countries in the world where, although there 
is lip service to wanting to play by the rules, they will 
tolerate the existence of these servers which are nothing more 
than marketplaces for criminal activity.
    Now, we do have a lot of economic power. We have trade 
power and the ability to use that, to say to some of these 
countries you not only have to sign up to doing the right thing 
but you have got to then walk the walk, I think is worth taking 
a serious look at.
    Mr. Gohmert. Yeah. Those sanctions work so well. I mean, 
basically we brought Iran to their knees.
    Oh, wait. No, that hasn't worked. Never mind.
    Mr. Baker?
    Mr. Baker. Yes, Mr. Chairman, just two quick points.
    One, I agree with Mr. Downing. I don't foresee the Justice 
Department prosecuting the kinds of cases that folks are 
concerned about. I understand the concern. It is a legitimate----
    Mr. Gohmert. But you understand, we just want to get the 
law right so it is not even an option. We give them the power 
to go after the bad guys as completely as necessary without 
even risking some runaway prosecutor.
    Mr. Baker. I agree, but, you know, my experience is with 
any statute that you write there is this huge amount of 
ambiguity in any of these statutes.
    I mean, if you look at the mail fraud and wire fraud 
statutes, they don't even define fraud and so the government 
and courts have figured out how to--how to prosecute cases and 
how to adjudicate those kinds of cases over the years. But I--
it is difficult to write a statute that is so tightly focused 
to only get at the problem you are trying to get at without 
having some kind of collateral effect as well.
    I just--I would just be cautious about that and I would say 
then that it is a matter then of oversight for this 
Subcommittee to make sure that you stay on top of the Justice 
Department, to make sure you know what they are doing in terms 
of these prosecutions and bring them up here and have them 
explain why they did X, Y or Z in a particular case. That would 
be my suggestion on that.
    To go back just to close a loop, I think on a question that 
Mr. Forbes had raised earlier, just briefly, I think in terms 
of the legal problems that we are facing versus other kinds of 
questions, again, I think it is a policy problem more than a 
legal problem.
    But I think folks should be comfortable, I think, that the 
President has the authority, in the event of an imminent or 
actual attack on the United States, he has the authority under 
the Constitution and laws of the United States to take whatever 
actions are necessary to protect the country today. He has that 
authority today.
    The difficult question is figuring out how he would 
implement that authority, how that would be done and exactly 
what would the military do and under what circumstances or what 
other elements the United States government would do.
    That is what we need to figure out, as opposed to worrying 
about whether we have, you know, enough legal authority and 
whether he is going to be hamstrung in the event of a crisis.
    I think--I think he does have that authority. We need to 
figure out technically, strategically, doctrinally what we want 
to do to protect us.
    Mr. Gohmert. Thank you, and----
    Mr. Scott. Mr. Chairman?
    Mr. Gohmert. Yeah.
    Mr. Scott. I would hope if the President concludes that we 
are in an imminent threat that he wouldn't have to fool around 
and try to figure out how this fits under a computer law where 
he can take----
    Mr. Baker. I don't think he would have to do that. That is 
what I am saying. I think he has the authority to take whatever 
steps he deems appropriate in a crisis of that nature.
    Mr. Scott. Without having to worry about whether it 
technically fits under some computer--whether they are using 
computers as they do it or a protected computer or something 
like that. If he makes that----
    Mr. Baker. That would not be top on his list.
    Mr. Scott. If he makes that conclusion then we would expect 
action to be taken.
    Mr. Baker. I think--well, I am suggesting this would be the 
situation in a cyber event and he could take whatever actions 
are necessary whether it is a cyber action or some kind of 
physical kinetic action.
    Mr. Gohmert. Okay. Thank you, Mr. Scott.
    And you had said we need to figure that out, and so I would 
ask, if you have recommendations in that regard, that you submit 
them to the Committee; that would be extremely helpful.
    It is helpful to point out we need to figure this out and 
what we should do but it is even more helpful when you have a 
suggestion as to the best way to proceed in figuring it out.
    Mr. Baker. Yes, sir.
    Mr. Gohmert. But Mr. Kerr, final comment?
    Mr. Kerr. Thank you, Judge Gohmert. Just two quick points.
    First, I think the concern of the Justice Department's 
overbroad reading of the Computer Fraud and Abuse Act is a real 
one.
    Just a few weeks ago, the Ninth Circuit granted rehearing 
in a case in which the earlier panel of the Ninth Circuit Court 
of Appeals had held that private-sector employee computer use 
policies do in fact--are in fact--criminally enforceable. The 
employer had a policy that said you can't use the computer for 
non-business reasons.
    The Justice Department prosecuted the employee for using 
the computer for a non-business reason. The Ninth Circuit 
granted rehearing. We don't know what the court's 
interpretation will be but this is a very real current 
question.
    And then, second, on the question of civil RICO and 
mandatory minimums under the Computer Fraud and Abuse Act, I 
think it is really important to be specific as to where are the 
cases where this is necessary.
    In my experience, the actual penalties in Computer Fraud 
and Abuse Act cases tend to be relatively low because the 
damage tends to be low in the kinds of cases where the Justice 
Department actually catches the bad guy.
    So I don't think there is a lot of--there aren't any 
demonstrated cases of which I am aware where, for example, 
there is the need for a mandatory minimum where under current 
law there wouldn't be and there is an actual case where the law 
would have applied.
    So some of the Justice Department's concerns strike me as 
very abstract, kind of, ``well, if we ever catch someone like 
this it would be nice to be able to give them a higher 
sentence.'' I think we should be responding to real problems, 
not abstract hypothetical ones.
    Mr. Gohmert. Okay. Thank you.
    We appreciate the witnesses being here. We know you are not 
here because of the money witnesses get paid since you don't 
get paid at all but--and Mr. Chertoff, nice to see you again. I 
was a little bit surprised you were willing to come in 
voluntarily after some of the hearings you have had here but----
    Mr. Chertoff. Yeah, I was a little surprised too, actually. 
[Laughter.]
    Mr. Gohmert. Well, we do appreciate all of you being here 
on such a serious topic that has to do with our national 
security.
    Thank you all very much. This hearing now is adjourned.
    [Whereupon, at 11:45 a.m., the Subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              


               Material Submitted for the Hearing Record

  Response to Post-Hearing Questions from Richard W. Downing, Deputy 
   Chief, Computer Crime and Intellectual Property Section, Criminal 
             Division, United States Department of Justice








                                 
