|Assuring Security And Trust In Cyberspace |
Assuring Security And Trust In Cyberspace
White House Chief of Staff John Podesta, in a speech delivered July 17, has proposed new measures to assure security on the Internet. Source: Washington File, distributed by the Office of International Information Programs, U.S. Department of State. EUR113, July 17, 2000.
Following is the text of a White House release highlighting the main points made by Podesta: Assuring Security And Trust In Cyberspace, July 17, 2000.
White House Chief of Staff John Podesta, in a speech today at the National Press Club, proposed important new measures to assure the security and trust of Americans in cyberspace. His speech emphasized the themes of updating law enforcement authorities for the Internet age, harmonizing the rules that apply to different technologies such as telephones and e-mail, and balancing important values. He proposed legislation that would give law enforcement important new tools to pursue criminals through cyberspace while also boosting citizens' fundamental rights to privacy in the electronic age. Mr. Podesta also announced new rules that will update encryption export controls.
A Framework for security and trust in Cyberspace
-- Private sector leadership. As emphasized at the White House Cyber Security Summit in February, the private sector, which owns and operates most of the computers that Americans rely upon, has the responsibility to lead in computer and network security.
-- Government as a model citizen. The federal government will continue to make itself a model for information security and privacy practices.
-- Public-private partnership. The federal government will continue to work in partnership with the private sector to build security and trust in online activities, as set forth in the National Plan for Information Systems Protection issued earlier this year.
-- Preserving fundamental values, even as technology changes. These values include protecting public safety, privacy and civil liberties; improving the quality of life for all Americans, such as through the promotion of electronic commerce and elimination of the digital divide; and furthering the educational and free speech potential of the Internet.
Updating Telephone-era laws for the Internet Age
In certain specific instances, laws written for the telephone era will need to be updated for the Internet age. Key provisions of the legislation:
-- Modernize outdated telephone-era language. Current law uses outmoded terms such as "phone lines" and hardware "devices." The proposed legislation would apply to other forms of electronic communication and apply equally to hardware and software.
-- Harmonize the standards for intercepting electronic, wire, and cable communications. Current law has widely varying rules for when law enforcement can intercept a communication, depending on whether an individual uses e-mail, a phone call, or a cable modem. The proposal would raise the legal standard for intercepting e-mails to the longstanding and strict rules that apply to intercepting telephone calls. For the first time, court orders authorizing interceptions of e-mails could be applied for only after high-level approval and only for serious crimes. Violations of these rules would lead to suppression of evidence in court. At the same time, the rules that apply to the growing use of cable modems would also be harmonized to the telephone standard, while preserving the current, especially strict rules limiting government access to cable television viewing records.
-- Create a balanced updating for "trap and trace" orders. "Trap and trace" orders allow law enforcement to identify who is calling or using an electronic means to contact an individual. The proposal would allow law enforcement to respond more effectively to computer attacks by stating that only one such order is needed to trace a call or Internet session back to its source through multiple carriers. (Just as today, such an order could not be used to intercept the contents of communications protected by the wiretap statute.) Tracing would be permitted without prior approval by a court in an emergency, such as when a computer system is actually under attack. On the other hand, to assure that such orders are issued only when appropriate, federal and state judges for the first time would independently review the factual basis for issuing such orders.
-- Strengthen the computer hacking law. The Computer Fraud and Abuse Act should be strengthened to take account of the full range of damages caused by computer attacks. Multiple small attacks should also be treated as one large attack. To match the punishment to the crime, mandatory jail time should be eliminated for less serious attacks. Violations of the Act could result in civil or criminal forfeiture.
-- Improve sanctions against illegal wiretapping. The proposal would increase penalties for violations of wiretapping laws. Illegally intercepted communications could be used in court, but only to prove the guilt or innocence of a person accused of illegal wiretapping activity.
-- Juvenile offenders. For serious computer attacks, federal prosecutors should have jurisdiction over juvenile offenders. In such cases, offenders would still be treated as juveniles.
Updating encryption export policy
Today, the Administration is updating its policy for encryption exports to the European Union and other key trading partners to assure continued competitiveness of U.S. industry in international markets.
-- License exception. Under the new policy, U.S. companies can export under license exception (i.e., without a license) any encryption product to any end user in the 15 nations of the European Union as well as Australia, Norway, Czech Republic, Hungary, Poland, Japan, New Zealand and Switzerland. Previous distinctions between government and non-government end users are removed for these countries. Further, U.S. exporters will be permitted to ship their products to these nations immediately after submitting a commodity classification request to the Department of Commerce, instead of waiting for a completed technical review or incurring a 30-day delay.