Frustrated lawmakers prod for accountability in worm and virus crimes
- By William Jackson
- Sep 22, 2003
House lawmakers are taking aim at the government and industry over the recent spate of cyberattacks.
The Justice Department should do more to ensure the capture of whoever is responsible for such attacks, House members said. And software makers need to work with the government to make sure their products are as secure as possible, officials testified last month at a hearing of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
'Terrorism, plain and simple,' is how Rep. Candice S. Miller (R-Mich.) described the recent plague of Internet worms. The SoBig worm 'nearly crippled the House e-mail network,' she said.
Subcommittee members expressed frustration at not knowing just who is releasing the computer worms and viruses.
When deputy assistant attorney general John Malcolm could not supply a list of persons prosecuted for hacking, Rep. Adam Putnam (R-Fla.), the subcommittee's chairman, suggested that Justice is not paying enough attention to the problem of such attacks.
'I would reject that implication totally. These are unusually complicated investigations,' said Malcolm, who oversees the Computer Crime and Intellectual Property Section in Justice's Criminal Division.
He called cybercrime a 'high, high, high priority' for the department.
The U.S. Judicial Conference is reviewing sentencing guidelines in the light of heightened concern about computer crime, and 'I expect the sentences and prosecutions to increase commensurately,' Malcolm said.
Philip Reitinger, a senior Microsoft Corp. security strategist and a former deputy chief of Justice's Computer Crime and Intellectual Property Section, also called for beefing up law enforcement.
'We need increased funding for law enforcement personnel, training and equipment to prevent and investigate cybercrime,' Reitinger said.
He called law enforcement 'short-staffed, underfunded, undertrained and lacking state-of-the-art technology used by cybercriminals.'
As to industry, Putnam criticized guidelines for handling software security vulnerabilities published recently by the Organization for Internet Safety. The voluntary guidelines call for a 30-day waiting period after discovery of a flaw before it is announced, to give software vendors a chance to prepare a patch. Absent from the guidelines is any role for government.
'One reason we left them out is international concern,' OIS cofounder Christopher Wysopal responded.
A significant number of vulnerabilities are discovered overseas, including the vulnerability exploited by Blaster. 'We want to make sure people from foreign countries continue to report vulnerabilities and work within the process,' said Wysopal, who also is director of research and development for @Stake Inc. of Cambridge, Mass.
But Putnam insisted that government has a role to play in the disclosure.
'It is simply not acceptable for vendors to determine on their own who gets notified and when,' he said. 'It is imperative that the appropriate government entities be involved in this process from the very beginning.'
Wysopal said the guidelines are a first stab at an industrywide policy for handling disclosure of vulnerabilities.
'We don't know enough about how things will work to put it into law,' he said.