[Congressional Record Volume 146, Number 47 (Thursday, April 13, 2000)]
[Senate]
[Pages S2738-S2741]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. LEAHY:
  S. 2430. A bill to combat computer hacking through enhanced law 
enforcement and to protect the privacy and constitutional rights of 
Americans, and for other purposes; to the Committee on the Judiciary.


                     Internet Security Act of 2000

  Mr. LEAHY. Mr. President, as we head into the twenty-first century, 
computer-related crime is one of the greatest challenges facing law 
enforcement. Many of our critical infrastructures and our government 
depend upon the reliability and security of complex computer systems. 
We need to make sure that these essential systems are protected from 
all forms of attack. The legislation I am introducing today will help 
law enforcement investigate and prosecute those who jeopardize the 
integrity of our computer systems and the Internet.
  Whether we work in the private sector or in government, we negotiate 
daily through a variety of security checkpoints designed to protect 
ourselves from being victimized by crime or targeted by terrorists. For 
instance, congressional buildings like this one use cement pillars 
placed at entrances, photo identification cards, metal detectors, x-ray 
scanners, and security guards to protect the physical space. These 
security steps and others have become ubiquitous in the private sector 
as well.
  Yet all these physical barriers can be circumvented using the wires 
that run into every building to support the computers and computer 
networks that are the mainstay of how we communicate and do business. 
This plain fact was amply demonstrated by the recent hacker attacks on 
E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet 
sites. These attacks raise serious questions about Internet security--
questions that we need to answer to ensure the long-term stability of 
electronic commerce. More importantly, a well-focused and more malign 
cyber-attack on computer networks that support telecommunications, 
transportation, water supply, banking, electrical power and other 
critical infrastructure systems could wreak havoc on our national 
economy or even jeopardize our national defense. We have learned that 
even law enforcement is not immune. Just recently we learned of a 
denial of service attack successfully perpetrated against a FBI web 
site, shutting down that site for several hours.
  The cybercrime problem is growing. The reports of the CERT 
Coordination Center (formerly called the ``Computer Emergency Response 
Team''), which was established in 1988 to help the Internet community 
detect and resolve computer security incidents, provide chilling 
statistics on the vulnerabilities of the Internet and the scope of the 
problem. Over the last decade, the number of reported computer security 
incidents grew from 6 in 1988 to more than 8,000 in 1999. But that 
alone does not reveal the scope of the problem. According to CERT's 
most recent annual report, more than four million computer hosts were 
affected by the computer security incidents in 1999 alone by damaging 
computer viruses, with names like ``Melissa,'' ``Chernobyl,'' 
``ExploreZip,'' and by the other ways that remote intruders have found 
to exploit system vulnerabilities. Even before the recent headline-
grabbing ``denial-of-service'' attacks, CERT documented that such 
incidents ``grew at rate around 50% per year'' which was ``greater than 
the  rate of growth of Internet hosts.''

  CERT has tracked recent trends in severe hacking incidents on the 
Internet and made the following observations, First, hacking techniques 
are getting more sophisticated. That means law enforcement is going to 
have to get smarter too, and we need to give them the resources to do 
this. Second, hackers have ``become increasingly difficult to locate 
and identify.'' These criminals are operating in many different 
locations and are using techniques that allow them to operate in 
``nearly total obscurity.''
  We have been aware of the vulnerabilities to terrorist attacks of our 
computer networks for more than a decade. It became clear to me, when I 
chaired a series of hearings in 1988 and 1989 by the Subcommittee on 
Technology and the Law in the Senate Judiciary Committee on the subject 
of high-tech terrorism and the threat of computer viruses, that merely 
``hardening'' our physical space from potential attack would only 
prompt committed criminals and terrorists to switch tactics and use new 
technologies to reach vulnerable softer targets, such as our computer 
systems and other critical infrastructures. The government has a 
responsibility to work with those in the private sector to assess those 
vulnerabilities and defend them. That means making sure our law 
enforcement agencies have the tools they need, but also that the 
government does not stand in the way of smart technical solutions to 
defend our computer systems.
  Targeting cybercrime with up-to-date criminal laws and tougher law 
enforcement is only part of the solution. While criminal penalties may 
deter some computer criminals, these laws usually come into play too 
late, after the crime has been committed and the injury inflicted. We 
should keep in mind the adage that the best defense is a good offense. 
Americans and American firms must be encouraged to take preventive 
measures to protect their computer information and systems. Just 
recently, internet providers and companies such as Yahoo! and 
Amazon.com Inc., and computer hardware companies such a Cisco Systems 
Inc., proved successful at stemming attacks within hours thereby 
limiting losses.
  That is why, for years, I have advocated and sponsored legislation to 
encourage the widespread use of strong encryption. Encryption is an 
important tool in our arsenal to protect the security of our computer 
information and networks. The Administration made enormous progress 
earlier this year when it issued new regulations relaxing export 
controls on strong encryption. Of course, encryption technology cannot 
be the sole source of protection for our critical computer networks and 
computer-based infrastructure, but we need to make sure the government 
is encouraging--and not restraining--the use of strong encryption and 
other technical solutions to protecting our computer systems.
  Congress has responded again and again to help our law enforcement 
agencies keep up with the challenges of new crimes being executed over 
computer networks. In 1984, we passed the Computer Fraud and Abuse Act, 
and  its amendments, to criminalize conduct when carried out by means 
of unauthorized access to a computer. In 1986, we passed the Electronic 
Communications Privacy Act (ECPA), which I was proud to sponsor, to 
criminalize tampering with electronic mail systems and remote data 
processing systems and to protect the privacy of computer users. In the 
104th Congress, Senators Kyl, Grassley, and I worked together to enact 
the National Information Infrastructure Protection Act to increase 
protection under federal criminal law for both government and private 
computers, and to address an emerging problem of computer-age blackmail 
in which a criminal threatens to harm or shut down a computer system 
unless their extortion demands are met.

[[Page S2739]]

  In this Congress, I have introduced a bill with Senator DeWine, the 
Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant 
program within the U.S. Department of Justice for states to tap for 
improved education, training, enforcement and prosecution of computer 
crimes. All 50 states have now enacted tough computer crime control 
laws. These state laws establish a firm groundwork for electronic 
commerce and Internet security. Unfortunately, too many state and local 
law enforcement agencies are struggling to afford the high cost of 
training and equipment necessary for effective enforcement of their 
state computer crime statutes. Our legislation, the Computer Crime 
Enforcement Act, would help state and local law enforcement join the 
fight to combat the worsening threats we face from computer crime.
  Computer crime is a problem nationwide and in Vermont. I recently 
released a survey on computer crime in Vermont. My office surveyed 54 
law enforcement agencies in Vermont--43 police departments and 11 
State's attorney offices--on their experience investigating and 
prosecuting computer crimes. The survey found that more than half of 
these Vermont law enforcement agencies encounter computer crime, with 
many police departments and state's attorney offices handling 2 to 5 
computer crimes per month.
  Despite this documented need, far too many law enforcement agencies 
in Vermont cannot afford the cost of policing against computer crimes. 
Indeed, my survey found that 98% of the responding Vermont law 
enforcement agencies do not have funds dedicated for use in computer 
crime enforcement.
  My survey also found that few law enforcement officers in Vermont are 
properly trained in investigating computer crimes and analyzing cyber-
evidence. According to my survey, 83% of responding law enforcement 
agencies in Vermont do not employ officers properly trained in computer 
crime investigative techniques. Moreover, my survey found that 52% of 
the law enforcement agencies that handle one or more computer crimes 
per month cited their lack of training as a problem encountered during 
investigations. Proper training is critical to ensuring success in the 
fight against computer crime.
  This bill will help our computer crime laws up to date as an 
important backstop and deterrent. I believe that our current computer 
crime laws can be enhanced and that the time to act is now. We should 
pass legislation designed to improve our law enforcement efforts while 
at the same time protecting the privacy rights of American citizens.
  The bill I offer today will make it more efficient for law 
enforcement to use tools that are already available--such as pen 
registers and trap and trace devices--to track down computer criminals 
expeditiously. It will ensure that law enforcement can investigate and 
prosecute hacker attacks even when perpetrators use foreign-based 
computers to facilitate their crimes. It will implement criminal 
forfeiture provisions to ensure that cybercriminals are forced to 
relinquish the tools of their trade upon conviction. It will also close 
a current loophole in our wiretap laws that prevents a law enforcement 
officer from monitoring an innocent-host computer with the consent of 
the computer's owner and without a wiretap order to track down the 
source of denial-of-service attacks. Finally, this legislation will 
assist state and local police departments in their parallel efforts to 
combat cybercrime, in recognition of the fact that this fight is not 
just at the federal level.
  The key provisions of the bill are:
  Jurisdictional and Definitional Changes to the Computer Fraud and 
Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. Sec. 1030, is 
the primary federal criminal statute prohibiting computer frauds and 
hacking. This bill would amend the statute to clarify the appropriate 
scope of federal jurisdiction. First, the bill adds a broad definition 
of ``loss'' to the definitional section. Calculation of loss is 
important both in determining whether the $5,000 jurisdictional hurdle 
in the statute is met, and, at sentencing, in calculating the 
appropriate guideline range and restitution amount.
  Second, the bill amends the definition of ``protected computer,'' to 
expressly include qualified computers even when they are physically 
located outside of the United States. This clarification will preserve 
the ability of the United States to assist in international hacking 
cases. A ``Sense of Congress'' provision specifies that federal 
jurisdiction is justified by the ``interconnected and interdependent 
nature of computers used in interstate or foreign commerce.''
  Finally, the bill expands the jurisdiction of the United States 
Secret Service to encompass investigations of all violations of 18 
U.S.C. Sec. 1030. Prior to the 1996 amendments to the Computer Fraud 
and Abuse Act, the Secret Service was authorized to investigate any and 
all violations of section 1030, pursuant to an agreement between the 
Secretary of Treasury and the Attorney General. The 1996 amendments, 
however, concentrated Secret Service jurisdiction on certain specified 
subsections of section 1030. The current amendment would return full 
jurisdiction to the Secret Service and would allow the Justice and 
Treasury Departments to decide on the appropriate work-sharing balance 
between the two.
  Elimination of Mandatory Minimum Sentence for Certain Violations of 
Computer Fraud and Abuse Act: Currently, a directive to the Sentencing 
Commission requires that all violations, including misdemeanor 
violations, of  certain provisions of the Computer Fraud and Abuse Act 
be punished with a term of imprisonment of at least six months. The 
bill would change this directive to the Sentencing Commission so that 
no such mandatory minimum would be required.

  Additional Criminal Forfeiture Provisions: The bill adds a criminal 
forfeiture provision to the Computer Fraud and Abuse Act, requiring 
forfeiture of physical property used in or to facilitate the offense as 
well as property derived from proceeds of the offense. It also 
supplements the current forfeiture provision in 18 U.S.C. 2318, which 
prohibits trafficking in, among other things, counterfeit computer 
program documentation and packaging, to require the forfeiture of 
replicators and other devices used in the production of such 
counterfeit items.
  Pen Registers and Trap and Trace Devices: The bill makes it easier 
for law enforcement to use these investigative techniques in the area 
of cybercrime, and institutes corresponding privacy protections. On the 
law enforcement side, the bill gives nationwide effect to pen register 
and trap and trace orders obtained by Government attorneys, thus 
obviating the need to obtain identical orders in multiple federal 
jurisdictions. It also clarifies that such devices can be used on all 
electronic communication lines, not just telephone lines. On the 
privacy side, the bill provides for greater judicial review of 
applications for pen registers and trap and trace devices and 
institutes a minimization requirement for the use of such devices. The 
bill also amends the reporting requirements for applications for such 
devices by specifying the information to be reported.
  Denial of Service Investigations: Currently, a person whose computer 
is accessed by a hacker as a means for the hacker to reach a third 
computer cannot simply consent to law enforcement monitoring of his 
computer. Instead, because this person is not technically a party to 
the communication, law enforcement needs wiretap authorization under 
Title III to conduct such monitoring. The bill will close this loophole 
by explicitly permitting such monitoring without a wiretap if prior 
consent is obtained from the person whose computer is being hacked 
through and used to send ``harmful interference to a lawfully operating 
computer system.''
  Encryption Reporting: The bill directs the Attorney General to report 
the number of wiretap orders in which encryption was encountered and 
whether such encryption precluded law enforcement from obtaining the 
plaintext of intercepted communications.
  State and Local Computer Crime Enforcement: The bill directs the 
Office of Federal Programs to make grants to assist State and local law 
enforcement in the investigation and prosecution of computer crime.
  Legislation must be balanced to protect our privacy and other 
constitutional rights. I am a strong proponent

[[Page S2740]]

of the Internet and a defender of our constitutional rights to speak 
freely and to keep private our confidential affairs from either private 
sector snoops or unreasonable government searches. These principles can 
be respected at the same time we hold accountable those malicious 
mischief makers and digital graffiti sprayers, who use computers to 
damage or destroy the property of others. I have seen Congress react 
reflexively in the past to address concerns over anti-social behavior 
on the Internet with legislative proposals that would do more harm than 
good. A good example of this is the Communications Decency Act, which 
the Supreme Court declared unconstitutional. We must make sure that our 
legislative efforts are precisely targeted on stopping destructive acts 
and that we avoid scattershot proposals that would threaten, rather 
than foster, electronic commerce and sacrifice, rather than promote, 
our constitutional rights.
  Technology has ushered in a new age filled with unlimited potential 
for commerce and communications. But the Internet age has also ushered 
in new challenges for federal, state and local law enforcement 
officials. Congress and the Administration need to work together to 
meet these new challenges while preserving the benefits of our new era. 
The legislation I offer today is a step in that direction.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2430

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Internet Security Act of 
     2000''.

     SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT.

       Section 1030 of title 18, United States Code, is amended--
       (1) in subsection (a)--
       (A) in paragraph (5)--
       (i) by inserting ``(i)'' after ``(A)'' and redesignating 
     subparagraphs (B) and (C) as clauses (ii) and (iii), 
     respectively;
       (ii) in subparagraph (A)(iii), as redesignated, by adding 
     ``and'' at the end; and
       (iii) by adding at the end the following:
       ``(B) the conduct described in clause (i), (ii), or (iii) 
     of subparagraph (A)--
       ``(i) caused loss aggregating at least $5,000 in value 
     during a 1-year period to 1 or more individuals;
       ``(ii) modified or impaired, or potentially modified or 
     impaired, the medical examination, diagnosis, treatment, or 
     care of 1 or more individuals;
       ``(iii) caused physical injury to any person; or
       ``(iv) threatened public health or safety;''; and
       (B) in paragraph (6), by adding ``or'' at the end;
       (2) in subsection (c)--
       (A) in paragraph (2)--
       (i) in subparagraph (A), by striking ``and'' at the end; 
     and
       (ii) in subparagraph (B), by inserting ``or an attempted 
     offense'' after ``in the case of an offense''; and
       (B) by adding at the end the following:
       ``(4) forfeiture to the United States in accordance with 
     subsection (i) of the interest of the offender in--
       ``(A) any personal property used or intended to be used to 
     commit or to facilitate the commission of the offense; and
       ``(B) any property, real or personal, that constitutes or 
     that is derived from proceeds traceable to any violation of 
     this section.'';
       (3) in subsection (d)--
       (A) by striking ``subsections (a)(2)(A), (a)(2)(B), (a)(3), 
     (a)(4), (a)(5), and (a)(6) of''; and
       (B) by striking ``which shall be entered into by'' and 
     inserting ``between'';
       (4) in subsection (e)--
       (A) in paragraph (2)(B), by inserting ``, including 
     computers located outside the United States'' before the 
     semicolon;
       (B) in paragraph (4), by striking the period at the end and 
     inserting a semicolon;
       (C) in paragraph (7), by striking ``and'' at the end;
       (D) in paragraph (8), by striking ``, that'' and all that 
     follows through ``; and'' and inserting a semicolon;
       (E) in paragraph (9), by striking the period at the end and 
     inserting ``; and''; and
       (F) by adding at the end the following:
       ``(10) the term `loss' includes--
       ``(A) the reasonable costs to any victim of--
       ``(i) responding to the offense;
       ``(ii) conducting a damage assessment; and
       ``(iii) restoring the system and data to their condition 
     prior to the offense; and
       ``(B) any lost revenue or costs incurred by the victim as a 
     result of interruption of service.'';
       (5) in subsection (g), by striking ``Damages for violations 
     involving damage as defined in subsection (c)(8)(A)'' and 
     inserting ``losses specified in subsection (a)(5)(B)(i)''; 
     and
       (6) by adding at the end the following:
       ``(i) Provisions Governing Forfeiture.--Property subject to 
     forfeiture under this section, any seizure and disposition 
     thereof, and any administrative or judicial proceeding in 
     relation thereto, shall be governed by subsection (c) and 
     subsections (e) through (p) of section 413 of the 
     Comprehensive Drug Abuse Prevention and Control Act of 1970 
     (21 U.S.C. 853).''.

     SEC. 3. SENSE OF CONGRESS.

       It is the sense of Congress that--
       (1) acts that damage or attempt to damage computers used in 
     the delivery of critical infrastructure services such as 
     telecommunications, energy, transportation, banking and 
     financial services, and emergency and government services 
     pose a serious threat to public health and safety and cause 
     or have the potential to cause losses to victims that include 
     costs of responding to offenses, conducting damage 
     assessments, and restoring systems and data to their 
     condition prior to the offense, as well as lost revenue and 
     costs incurred as a result of interruptions of service; and
       (2) the Federal Government should have jurisdiction to 
     investigate acts affecting protected computers, as defined in 
     section 1030(e)(2)(B) of title 18, United States Code, as 
     amended by this Act, even if the effects of such acts occur 
     wholly outside the United States, as in such instances a 
     sufficient Federal nexus is conferred through the 
     interconnected and interdependent nature of computers used in 
     interstate or foreign commerce or communication.

     SEC. 4. MODIFICATION OF SENTENCING COMMISSION DIRECTIVE.

       Pursuant to its authority under section 994(p) of title 28, 
     United States Code, the United States Sentencing Commission 
     shall amend the Federal sentencing guidelines to ensure that 
     any individual convicted of a violation of paragraph (4) or 
     (5) of section 1030(a) of title 18, United States Code, can 
     be subjected to appropriate penalties, without regard to any 
     mandatory minimum term of imprisonment.

     SEC. 5. FORFEITURE OF DEVICES USED IN COMPUTER SOFTWARE 
                   COUNTERFEITING.

       Section 2318(d) of title 18, United States Code, is amended 
     by--
       (1) inserting ``(1)'' before ``When'';
       (2) inserting ``, and any replicator or other device or 
     thing used to copy or produce the computer program or other 
     item to which the counterfeit label was affixed, or was 
     intended to be affixed'' before the period; and
       (3) by adding at the end the following:
       ``(2) The forfeiture of property under this section, 
     including any seizure and disposition of the property, and 
     any related judicial or administrative proceeding, shall be 
     governed by the provisions of section 413 (other than 
     subsection (d) of that section) of the Comprehensive Drug 
     Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''.

     SEC. 6. CONFORMING AMENDMENT.

       Section 492 of title 18, United States Code, is amended by 
     striking ``or 1720,'' and inserting ``, 1720, or 2318''.

     SEC. 7. PEN REGISTERS AND TRAP AND TRACE DEVICES.

       Section 3123 of title 18, United States Code is amended--
       (1) by striking subsection (a) and inserting the following:
       ``(a) Issuance of Order.--
       ``(1) Requests from attorneys for the government.--Upon an 
     application made under section 3122(a)(1), the court may 
     enter an ex parte order authorizing the installation and use 
     of a pen register or a trap and trace device if the court 
     finds, based on the certification by the attorney for the 
     Government, that the information likely to be obtained by 
     such installation and use is relevant to an ongoing criminal 
     investigation. Such order shall apply to any entity providing 
     wire or electronic communication service in the United States 
     whose assistance is necessary to effectuate the order.
       ``(2) Requests from state investigative or law enforcement 
     officers.--Upon an application made under section 3122(a)(2), 
     the court may enter an ex parte order authorizing the 
     installation and use of a pen register or a trap and trace 
     device within the jurisdiction of the court, if the court 
     finds, based on the certification by the State law 
     enforcement or investigative officer, that the information 
     likely to be obtained by such installation and use is 
     relevant to an ongoing criminal investigation.''; and
       (2) in subsection (b)--
       (A) in paragraph (1)--
       (i) in subparagraph (C), by inserting ``authorized under 
     subsection (a)(2)'' after ``in the case of a trap and trace 
     device''; and
       (ii) in subparagraph (D), by striking ``and'' at the end;
       (B) in paragraph (2), by striking the period at the end and 
     inserting ``; and''; and
       (C) by adding at the end the following:
       ``(3) shall direct that the use of the pen register or trap 
     and trace device be conducted in such a way as to minimize 
     the recording or decoding of any electronic or other impulses 
     that are not related to the dialing and signaling information 
     utilized in processing by the service provider upon whom the 
     order is served.''.

     SEC. 8. TECHNICAL AMENDMENTS TO PEN REGISTER AND TRAP AND 
                   TRACE PROVISIONS.

       (a) Issuance of an Order.--Section 3123 of title 18, United 
     States Code, is amended--
       (1) by inserting ``or other facility'' after ``line'' each 
     place that term appears;

[[Page S2741]]

       (2) by inserting ``or applied'' after ``attached'' each 
     place that term appears;
       (3) in subsection (b)(1)(C), by inserting ``or other 
     identifier'' after ``the number''; and
       (4) in subsection (d)(2), by striking ``who has been 
     ordered by the court'' and inserting ``who is obligated by 
     the order''.
       (b) Definitions.--Section 3127 of title 18, United States 
     Code is amended--
       (1) by striking paragraph (3) and inserting the following:
       ``(3) the term `pen register'--
       ``(A) means a device or process that records or decodes 
     electronic or other impulses that identify the telephone 
     numbers or electronic address dialed or otherwise transmitted 
     by an instrument or facility from which a wire or electronic 
     communication is transmitted and used for purposes of 
     identifying the destination or termination of such 
     communication by the service provider upon which the order is 
     served; and
       ``(B) does not include any device or process used by a 
     provider or customer of a wire or electronic communication 
     service for billing, or recording as an incident to billing, 
     for communications services provided by such provider or any 
     device or process by a provider or customer of a wire 
     communication service for cost accounting or other like 
     purposes in the ordinary course of its business;''; and
       (2) in paragraph (4)--
       (A) by inserting ``or process'' after ``means a device'';
       (B) by inserting ``or other identifier'' after ``number''; 
     and
       (C) by striking ``or device'' and inserting ``or other 
     facility''.

     SEC. 9. PEN REGISTER AND TRAP AND TRACE REPORTS.

       Section 3126 of title 18, United States Code, is amended by 
     inserting before the period at the end the following: ``, 
     which report shall include information concerning--
       ``(1) the period of interceptions authorized by the order, 
     and the number and duration of any extensions of the order;
       ``(2) the offense specified in the order or application, or 
     extension of an order;
       ``(3) the number of investigations involved;
       ``(4) the number and nature of the facilities affected; and
       ``(5) the identity, including district, of the applying 
     investigative or law enforcement agency making the 
     application and the person authorizing the order''.

     SEC. 10. ENHANCED DENIAL OF SERVICE INVESTIGATIONS.

       Section 2511(2)(c) of title 18, United States Code, is 
     amended to read as follows:
       ``(c)(i) It shall not be unlawful under this chapter for a 
     person acting under color of law to intercept a wire, oral, 
     or electronic communication, if such person is a party to the 
     communication or 1 of the parties to the communication has 
     given prior consent to such interception.
       ``(ii) It shall not be unlawful under this chapter for a 
     person acting under color of law to intercept a wire or 
     electronic communication, if--
       ``(I) the transmission of the wire or electronic 
     communication is causing harmful interference to a lawfully 
     operating computer system;
       ``(II) any person who is not a provider of service to the 
     public and who is authorized to use the facility from which 
     the wire or electronic communication is to be intercepted has 
     given prior consent to the interception; and
       ``(III) the interception is conducted only to the extent 
     necessary to identify the source of the harmful interference 
     described in subclause (I).''.

     SEC. 11. ENCRYPTION REPORTING REQUIREMENTS.

       Section 2519(2)(b) of title 18, United States Code, is 
     amended by striking ``and (iv)'' and inserting ``(iv) the 
     number of orders in which encryption was encountered and 
     whether such encryption prevented law enforcement from 
     obtaining the plain text of communications intercepted 
     pursuant to such order, and (v)''.

     SEC. 12. STATE AND LOCAL COMPUTER CRIME ENFORCEMENT.

       (a) In General.--Subject to the availability of amounts 
     provided in advance in appropriations Acts, the Assistant 
     Attorney General for the Office of Justice Programs of the 
     Department of Justice shall make a grant to each State, which 
     shall be used by the State, in conjunction with units of 
     local government, State and local courts, other States, or 
     combinations thereof, to--
       (1) assist State and local law enforcement in enforcing 
     State and local criminal laws relating to computer crime;
       (2) assist State and local law enforcement in educating the 
     public to prevent and identify computer crime;
       (3) assist in educating and training State and local law 
     enforcement officers and prosecutors to conduct 
     investigations and forensic analyses of evidence and 
     prosecutions of computer crime;
       (4) assist State and local law enforcement officers and 
     prosecutors in acquiring computer and other equipment to 
     conduct investigations and forensic analysis of evidence of 
     computer crimes; and
       (5) facilitate and promote the sharing of Federal law 
     enforcement expertise and information about the 
     investigation, analysis, and prosecution of computer crimes 
     with State and local law enforcement officers and 
     prosecutors, including the use of multijurisdictional task 
     forces.
       (b) Use of Grant Amounts.--Grants under this section may be 
     used to establish and develop programs to--
       (1) assist State and local law enforcement agencies in 
     enforcing State and local criminal laws relating to computer 
     crime;
       (2) assist State and local law enforcement agencies in 
     educating the public to prevent and identify computer crime;
       (3) educate and train State and local law enforcement 
     officers and prosecutors to conduct investigations and 
     forensic analyses of evidence and prosecutions of computer 
     crime;
       (4) assist State and local law enforcement officers and 
     prosecutors in acquiring computer and other equipment to 
     conduct investigations and forensic analysis of evidence of 
     computer crimes; and
       (5) facilitate and promote the sharing of Federal law 
     enforcement expertise and information about the 
     investigation, analysis, and prosecution of computer crimes 
     with State and local law enforcement officers and 
     prosecutors, including the use of multijurisdictional task 
     forces.
       (c) Assurances.--To be eligible to receive a grant under 
     this section, a State shall provide assurances to the 
     Attorney General that the State--
       (1) has in effect laws that penalize computer crime, such 
     as penal laws prohibiting--
       (A) fraudulent schemes executed by means of a computer 
     system or network;
       (B) the unlawful damaging, destroying, altering, deleting, 
     removing of computer software, or data contained in a 
     computer, computer system, computer program, or computer 
     network; or
       (C) the unlawful interference with the operation of or 
     denial of access to a computer, computer program, computer 
     system, or computer network;
       (2) an assessment of the State and local resource needs, 
     including criminal justice resources being devoted to the 
     investigation and enforcement of computer crime laws; and
       (3) a plan for coordinating the programs funded under this 
     section with other federally funded technical assistant and 
     training programs, including directly funded local programs 
     such as the Local Law Enforcement Block Grant program 
     (described under the heading ``Violent Crime Reduction 
     Programs, State and Local Law Enforcement Assistance'' of the 
     Departments of Commerce, Justice, and State, the Judiciary, 
     and Related Agencies Appropriations Act, 1998 (Public Law 
     105-119)).
       (d) Matching Funds.--The Federal share of a grant received 
     under this section may not exceed 90 percent of the total 
     cost of a program or proposal funded under this section 
     unless the Attorney General waives, wholly or in part, the 
     requirements of this subsection.
       (e) Authorization of Appropriations.--
       (1) In general.--There is authorized to be appropriated to 
     carry out this section $25,000,000 for each of fiscal years 
     2000 through 2003.
       (2) Limitations.--Of the amount made available to carry out 
     this section in any fiscal year not more than 3 percent may 
     be used by the Attorney General for salaries and 
     administrative expenses.
       (3) Minimum amount.--Unless all eligible applications 
     submitted by any State or units of local government within a 
     State for a grant under this section have been funded, the 
     State, together with grantees within the State (other than 
     Indian tribes), shall be allocated in each fiscal year under 
     this section not less than 0.75 percent of the total amount 
     appropriated in the fiscal year for grants pursuant to this 
     section, except that the United States Virgin Islands, 
     American Samoa, Guam, and the Northern Mariana Islands each 
     shall be allocated 0.25 percent.
       (f) Grants to Indian Tribes.--Notwithstanding any other 
     provision of this section, the Attorney General may use 
     amounts made available under this section to make grants to 
     Indian tribes for use in accordance with this section.
                                 ______