Cybercrime and Digital Law Enforcement Conference
New Haven, Connecticut
I want to talk this evening about both an emerging threat against our security, cyber-terrorism, and an abiding threat against our liberty, the powerful impulse that has emerged throughout our history to combat national crises with restrictions on our civil rights and civil liberties. And I want to propose measures for dealing with the former in a muscular and aggressive way, without relying on those methods which restrict our liberties without enhancing our security. The American people are impatient to be protected, but we do not need to lull them into a false sense of security by ineffective ideas that make them less free.
The dangers we face are among the most complex and terrifying that our law enforcement and intelligence communities have ever encountered. The three thousand innocent lives lost on September 11 are stark reminders of our ongoing battle against an enemy that kills indiscriminately and inflicts pain and suffering as widely as possible; an enemy whose rage is rooted in a reaction to modernity, but whose methods are as complex and modern as they are dangerous.
Former counterterrorism official Richard Clarke reminded us this week that a sense of urgency is needed to counter effectively the immediate threats we face from terrorist groups like al Qaeda. We also face other emerging threats, like the proliferation of weapons of mass destruction that require the same sense of urgency – threats that must be addressed before they become tragedies.
Cyberterrorism, and the closely-related problem of cybersecurity, is such an emerging threat. Terrorists who turned our commercial airplanes into lethal bombs may now be turning our vast computer networks against us. We should work now not only to prevent these attacks from occurring in the first place, but to do so in a way that avoids sacrificing our civil liberties in the process.
We must be vigilant in two, mutually reinforcing respects: vigilant in our reaction to threats against our national security, and vigilant in the activity of safeguarding our liberties.
Unfortunately, when it comes to cyberterrorism, this administration seems to have it backwards. Rather than enhancing our security while protecting our liberties, they have violated our civil liberties without providing much additional security.
We should not be too surprised by this. We have a long history of sacrificing civil liberties instead of pursuing effective law enforcement strategies. So it may be worth reflecting for a few minutes on that history to help us avoid repeating the mistakes of our past.
Of course, in any discussion of historical abuses of our civil liberties, one name leaps to mind — J. Edgar Hoover — whose undeclared war on subversives, communists, and civil rights advocates went on for decades. But a new name may be emerging to rival Hoover for this dubious distinction. Of course, I’m talking about Attorney General John Ashcroft whose unilateral assertions of government power and pursuit of immigrant communities seem disturbingly reminiscent of Hoover’s unfortunate record.
A brief look at recent history indicates just how strong the parallels between Hoover and Ashcroft are. J. Edgar Hoover, whose name adorns the FBI’s headquarters in Washington D.c= to this day, worked as a young aide to President Wilson’s Attorney General Mitchell Palmer. Hoover and Palmer exploited a series of bombings by anarchists to round up thousands of suspected communists – most members of labor unions who were guilty only by association – on trumped up charges based on the recently-enacted Espionage and Sedition Acts. The Palmer Raids, as they became known, left a deep impression on Hoover of just how powerful an impact the government can have on people’s lives.
During World War II, Hoover deployed a “custodial detention list,” which was nothing more than a listing of foreign nationals based on ethnic identity, not individualized behavior — a tactic John Ashcroft may have studied when he required thousands of adult males to register with the government solely because they were from predominately Muslim countries.
After World War II, Hoover developed a list of allegedly dangerous persons that grew to 25,000 names by 1954. As the decades wore on, wiretapping without suspicion or a court-approved warrant became common.
Eventually files on more than half a million individuals and organizations were compiled by Hoover’s FBI, while Operation COINTELPRO and the CIA’s Operation CHAOS targeted thousands of dangerous individuals like John Kerry, John Lennon, and Jane Fonda — all of whom I have no doubt will end up together in a doctored photo splashed across the Drudge Report days before the election.
Thankfully, some positive developments did result from these abuses of civil liberties — the Palmer Raids gave rise to the ACLU and modern First Amendment doctrine. And after Hoover’s excesses came to light in the mid-1970s, strong reforms were enacted. Attorney General Levi issued guidelines requiring the FBI to investigate actual criminal conduct and not simply monitor the constitutionally protected speech of organizations and individuals. The Foreign Intelligence Surveillance Court was created to impose some judicial review on domestic spying related to foreign intelligence gathering. And a few years later, Congress passed the Electronic Communications and Privacy Act, which brought modern communication technologies under the umbrella of federal wiretap laws. These protections ended many of the extra-constitutional activities of law enforcement and intelligence officials.
That is until our current Attorney General came along. In short order, General Ashcroft has turned the clock back at least 30 years, to a time when the government regularly violated the rights of individuals, and when law enforcement and intelligence communities acted with impunity.
Attorney General Ashcroft has steadfastly defended intrusions on Fourth Amendment protections and judicial independence. He launched a nationwide tour, complete with a website and tour dates, to defend the Patriot Act — probably the first time an Attorney General has done a road show to talk up retention of a federal statute.
He personally directed that hundreds of immigrants — of Arab, Middle Eastern, and South Asian descent — be rounded up and detained on pretextual charges, or sometimes no charges at all. Some were beaten, and while many were charged with relatively minor immigration charges, not a single individual was charged with having anything to do with the 9/11 attacks. After the Department of Justice’s own Inspector General’s report criticizing these detentions drew bi-partisan praise for its even-handed analysis, Ashcroft offered only this, “We make no apologies.”
Even Homeland Security Secretary Tom Ridge earlier this month conceded that the post-9/11 crackdown had crossed the line. But the only apology Attorney General Ashcroft has issued so far occurred after a federal judge cited him for an ethics violation after he deliberately commented on a pending court case.
For John Ashcroft, the record is clear. He will be remembered, like Hoover, as a law enforcement official who chose to mislead the public by playing on our fears and sacrificing our nation’s most valued principles in the process. In the weeks after the attacks of September 11th, he infamously declared: “To those who scare peace-loving people with phantoms of lost liberty; my message is this: Your tactics only aid terrorists—for they erode our national unity and diminish our resolve. They give ammunition to America’s enemies, and pause to America’s friends. They encourage people of good will to remain silent in the face of evil.”
Of course Mr. Ashcroft’s actions are emblematic of an entire Administration that has consistently used tragedy as an excuse to expand its power, operate in secret and justify its civil liberties excesses.
They ramrodded through the Patriot Act, which granted broad new powers to law enforcement and intelligence communities. You might be surprised to hear me say this, but many of the provisions of the Act addressed real problems with our criminal law. The sections related to electronic surveillance are efforts to update our laws to reflect the fact we live in a digital age. With over 2 billion e-mails changing hands every day through hundreds of millions of computers, it made sense to address the installation of devices that can record all routing, addressing, and signaling information, under appropriate court supervision. And permitting “roving wiretaps” in foreign intelligence gathering corrected a loophole in the pre-2001 law.
That terrorists lived undetected within our borders illustrated another problem the Patriot Act addressed—the “wall” prohibiting information to be shared between domestic law enforcement and foreign intelligence investigations. Whether this wall was real or perceived, the lack of cooperation between the FBI and the CIA complicated our counterterrorism efforts. Provisions of the Act like Section 203, permitting information from domestic criminal investigations to be shared with the intelligence community addresses a real problem.
These new powers, however, have created a potential for abuse, invasion of privacy, and profiling of citizens. In its haste to enact the Act, the administration chose to rely on executive branch supervision, rather than meaningful review by the judiciary, to ensure abuses do not occur. The administration has said in effect: “Trust us.” But our system relies on checks and balances for a reason—one branch of government cannot justify its actions based solely on its word alone.
For example, a recent report by TRAC, the Transactional Records Access Clearinghouse, analyzed Department of Justice prosecution data, revealing that from September 2001 to 2003, more than 6,400 individuals were recommended for prosecution regarding terror-related crimes. Yet the median sentence for those convicted of international terrorism was 14 days, and 1,800 cases were closed without conviction. In this Administration, labeling a case to be terrorism-related, regardless of the facts, has become tantamount to prosecuting terrorism.
Patriot Act powers are also being used for a host of non-terrorism purposes, including white-collar crime, blackmail, and child pornography. In a well-publicized case, the Justice Department used the Act to pursue Operation G-String, a Nevada bribery investigation involving alleged payments to local politicians in order to loosen regulations on nude dancing in strip clubs. Private Internet communications unrelated to terrorism investigations have also been monitored under Patriot Act powers.
In addition to its overuse of the Patriot Act, the Bush administration has also revived Hoover’s practice of maintaining secret lists. The FBI and the CIA have compiled “no-fly” lists that in many cases, have targeted political activists engaged in lawful civil disobedience. Of course, for those of you who are frequent flyers of Jet Blue or Northwest Airlines, your personal information is likely already in government hands—which sure gives a whole new meaning to “World Perks” and “True Blue.”
Soon after September 11, the FBI released a massive list of individual names to hundreds of companies, including rental car agencies, data collection companies, and casinos in an effort called Project Lookout. The list was riddled with so many inaccuracies, and changed hands so many times that differing versions ended up all over the country and the world. Soon after releasing the list, the FBI determined that it was obsolete, but thanks to the Internet, it was too late to put the genie back in the bottle.
Well, notwithstanding all these incursions into our civil rights and civil liberties, the administration has done precious little to create greater security against cyberterrorism. Perhaps their attitude about the topic can be seen in their attacks on Dick Clarke. One of the elements of the White House’s attack on Clarke’s credibility is that he was disgruntled because he had been demoted to merely being the nation’s czar on protecting our critical infrastructure and promoting cybersecurity. That speaks volumes about where the White House places these issues on its priority list.
Cyberterrorism thankfully remains mostly an emerging threat — we have yet to experience the debilitating terrorist attack that some experts have long predicted. Our widespread reliance on technology demands that we secure our computer networks and cyberspace itself while developing adequate civil liberties safeguards.
Despite the uncertainty of when, or if, a cyberterrorist attack will occur, we do know that various cyberattacks cause large-scale damage on a daily basis. Poor cybersecurity is estimated to cost the global economy approximately $15 billion each year.
We also know that al Qaeda and other terrorist operatives have researched our extensive computer networks, perhaps aiming to plan a large-scale cyberterrorist attack either in isolation or in combination with a conventional physical attack. Although serious questions have been raised about al Qaeda’s technological capacity and ability to execute an act of cyberterrorism, terrorists generally gravitate to our largest vulnerabilities.
And highly computerized societies such as ours are undoubtedly vulnerable. Poor cybersecurity has the potential to harm millions of people, affecting critical infrastructure as varied as dams, airports, chemical plants, and power plants. Complicating protection, some 80 percent of our nation’s critical infrastructure is owned not by the government, but by the private sector. In the second half of 2002 alone, 60 percent of power and energy companies experienced at least one severe cyberattack, but thankfully none were catastrophic.
I worked on these issues directly during my time in the Clinton administration. Although the questions surrounding cyberterrorism were undoubtedly difficult — and remain so today — we recognized cyberterrorism, and the safeguarding of civil liberties, as a serious problem and a primary component of our national security strategy. The President’s Commission on Critical Infrastructure Protection led to Presidential Directive 63, which committed the federal government to secure its information systems and address critical vulnerabilities, and establish a cyberterrorism command structure in the federal government.
We also established the Cyber Corps program, in which top students are paid to study computer security for two years in exchange for their commitment to work for the government upon completion of their studies. Of course when we launched the initiative, our biggest problem was finding IT workers who would work for government wages, but now there are so few job opportunities for aspiring computer scientists that the Cyber Corps program has too many students and too few slots. I guess that’s the one problem Bush’s economic policies have actually solved.
We recognized the essential role of the private sector in combating cyberterrorism, encouraging both the government and the private sector to elevate the low priority often given to cybersecurity. Before he became a household name, Richard Clarke was fond of saying that the typical company spends one-quarter of one percent of its IT budget on cybersecurity — slightly less than it spends on coffee. According to a recent survey, only 17 percent of CEOs from small to midsized companies take steps to secure their information systems.
But quite frankly, before September 11, cooperation with the private sector was not always easy. We were told repeatedly that the networked world moves too fast, competition is too fierce, and that industry simply could not collaborate with government on security and safety.
And then came September 11, which made the previously abstract threat of a terrorist attack all too real. Government and industry alike realized the need to move at warp speed to assess new threats, evaluate vulnerabilities, and build on steps already taken. September 11 provided a tragic opportunity to make badly needed reforms.
But sadly, this historic opportunity seems to have been missed, and unfortunately, it is not clear we are much safer from the threat of cyberterrorism today than we were three years ago.
The President’s National Strategy to Secure Cyberspace, released with little fanfare last year, originally contained important mandates on the private sector. But these were pulled at the last minute in order to give more time for “industry input” — an example of the administration’s unwillingness to prod businesses to improve cybersecurity. The administration has also not effectively used the procurement process to spur change despite a $60 billion technology budget, nor is it effectively leveraging government contractors to raise their security standards.
It appears that cyberterrorism may become another example like global warming, where accepted wisdom is turned on its head based on industry demands. The administration has already bowed to the long-standing industry wish to exempt documents from Freedom of Information Act requirements merely by stamping them as “critical infrastructure information,” even if they do not contain anything related to critical infrastructure vulnerabilities.
The administration has also stumbled in creating effective governmental mechanisms dealing with cyberterrorism. The one agency within Homeland Security dedicated to cybersecurity faces serious questions about its authority and efficacy. People well-versed in cybersecurity have passed up critical staff positions, which have remained vacant for long periods.
And critical expertise from other government agencies battling cybersecurity has been lost. The Administration announced that nearly 800 people were scheduled to transfer from the FBI to work on cybersecurity in Homeland Security, only 22 did. Confusion remains on how government agencies will respond to a cyberattack, and whether an adequate cyberterrorism threat assessment had been conducted.
As for protecting civil liberties and privacy in cyberspace, you will have heard more from me in this speech than the Bush administration has offered in three years. It is not that the administration has been silent on the importance of protecting liberties in the digital age; worse, it has used the national crisis as a pretext for violating civil liberties in the service of its rights-restricting agenda.
It is in the realm of technology and datamining, perhaps, where the Bush administration has demonstrated its greatest willingness to exploit our fears of terrorism when it violates civil liberties. Many technologies in place long before September 11 have morphed into bigger, more intrusive versions of their former selves.
Perhaps foreshadowing the many threats to come was the FBI’s Carnivore system which made the news in the late 1990s. Actually, I’m not sure whether Carnivore cast more doubt on the FBI’s lack of software security capabilities or PR capabilities. Carnivore was designed to permit the segregation and seizure of header information — the “To,” and “From,” lines — on e-mail messages of criminal suspects. But concerns soon emerged regarding Carnivore’s ability to capture the contents of messages, and that the system’s security and audit functions were not adequate. After these questions were raised, the FBI did the honorable thing — changed the name to something less sinister — and continued the project.
The airline passenger screening system, known as CAPPS, was first developed to identify suspicious patterns among air travelers—a system which obviously failed to prevent the hijackings of September 11. Despite this, the dministration is developing CAPPS II, which will include much more personalized information about travelers, assigning risk levels to passengers using a color-coded system. (No word on whether duct tape will be involved.) Errors with the system have prompted Congress to withhold funding for deployment and implementation. A promising alternative approach is an identification card that would permit “trusted travelers” to bypass long security lines in exchange for their voluntary submission of personal information — a pilot program doing just that begins in June.
Total Information Awareness, perhaps the most notorious of government datamining projects, was launched during the Bush administration by Admiral John Poindexter. Poindexter you will recall was President Reagan’s former national security adviser who was convicted of lying to Congress, conspiracy, obstruction of justice, and destroying evidence in connection with Iran/Contra, a conviction later overturned on procedural grounds. T.I.A. promised to be the grand database that searched all other databases, tracking all our information – credit card transactions, travel reservations, e-mail, medical care – so the government could anticipate and thwart terrorist plots and activities. After a public outcry, Total Information Awareness became Terrorism Information Awareness, despite keeping the same focus and scope. Luckily, TIA was too much even for Congress, which cut funding for domestic use, but left the door open for foreign activities.
These initiatives have something in common. They make clear that this administration has yet to grasp one of the fundamental lessons of September 11. We rarely need more information; we need better analysis of the information we already have. As former National Security Adviser Sandy Berger described this week, the problem before 9/11 was not so much what we didn’t know — it’s that we didn’t know what we did know. Rather than effectively use technology to facilitate effective use of the information we have, the Administration has used technology to gather information indiscriminately – a telling sign of its inability to counter the threats posed in the digital world.
Were a cyberattack to occur, it is likely the administration’s intrusions on our rights and liberties in the physical world would continue their expansion in cyberspace, perhaps in the form of unnecessary, intrusive surveillance measures, massive information sharing, and continued expansion of datamining technologies.
The administration’s lack of urgency in implementing real security strategies in the face of a gathering storm is dangerous. We can either be proactive about the cyberthreats that face us, or be reactive — courting possible disaster.
The Center for American Progress has detailed dozens of specific legislative and regulatory recommendations, many of which were contained in our report released last October, “Strengthening America By Defending Our Liberties,” that will enhance national security and our civil liberties.
Let me wind up by just very briefly describing several of the most important. We should:
- Create a Commission on Privacy, Personal Liberty, and Homeland Security. A thorough public debate on these topics is needed, particularly in light of the one-year anniversary of the Department of Homeland Security and next year’s reauthorization of select provisions of the Patriot Act;
- We should tighten up the authority on roving wiretaps, which I mentioned earlier, require the identification of the targeted person and ascertain that the targeted person is using the particular device. Without these changes, the government could have unchecked authority to conduct widespread surveillance, including, for example, the innocent online activities of computer users at a public terminals;
- We should require the Attorney General to report publicly to Congress appropriate data regarding delays in notification of the search and seizure of property, and the use of the surveillance authorities in the Foreign Intelligence Surveillance Act.
- We should strengthen meaningful judicial oversight of law enforcement and intelligence investigations carried out under the new Patriot Act authorities, particularly with regard to web surfing and the use of grand jury information and wiretap take by intelligence authorities. Judicial oversight provides an important check on potentially unconstitutional actions, improves the quality of investigations, and ensures confidence in the legal system;
- We should require that surveillance and monitoring of South Asian-, Middle Eastern-, and Arab-American communities be tied to suspicion of actual criminal conduct. Crude racial and ethnic profiling creates a culture of fear and suspicion in the very communities needed for cooperation with counterterrorism efforts and actually undermines our law enforcement efforts.
These recommendations build on our experience in addressing threats in the past. Just four years ago, the federal government tackled a threat of unknown dimensions when we averted a Y2K crisis. Although we did not know how serious a threat Y2K actually posed, we did the responsible thing and mobilized the government to work with industry to avert possible disaster. How did we accomplish this? Not by pushing for draconian regulations or statutory mandates, but simply by requiring businesses disclose their Y2K efforts to their shareholders. The right incentives were created by government; market forces took it from there.
More innovation along these lines is needed. The state of California enacted a law requiring government agencies and private companies to give timely notice to consumers when personal data is stolen from government or company databases. Requiring notice — without mandating substantive measures — incentivizes both companies and the government to improve security and respect the privacy of consumers. Senator Feinstein has proposed similar legislation that would expand California’s law to the nation.
Such disclosure could be extended to internet service providers, requiring them to disclose in SEC filings when they have been hacked. This would be a win-win: consumers would have more information about the services and privacy protections for which they pay, and companies would likely take swift steps to reduce their vulnerabilities in order to maintain consumer confidence and avoid legal liability. Lack of disclosure has been one of the chief obstacles to improved cybersecurity. After all, as Justice Brandeis wrote decades ago, “Sunlight is said to be the best of disinfectants.”
I want to close with one final suggestion, let’s remove J. Edgar Hoover’s name from the FBI Building in Washington, D.C. The FBI is the very agency charged with protecting us from terrorism and safeguarding our liberties, yet it was led for decades by a man who arguably did as much to erode constitutional freedoms as any other American of the 20th Century. Removing his name would be a powerful symbol that the government no longer treats civil liberties as expendable in times of crisis.
We have faced many threats in our past, and while we have overcome all of them, on more than one occasion we have done so while unnecessarily and regrettably infringing on civil liberties and civil rights. As the war on terror expands from our airports and highways to cyberspace and the digital world, we face a fundamental choice: to learn from the mistakes of the past, or to repeat them.
I trust our nation will make the right decision.