Since its passage in October last year, everyone (in the U.S. at least) has heard of the Patriot Act (USAPA). It is 342 pages of reform extending the powers of international intelligence agencies and law enforcement organizations.
Although the intent was to aid the fight against terrorism, this act also contains changes that affect non-violent domestic computer crime. Many of the changes are due for congressional review and possible sunset in 2005. However, some of them have no sunset clause at all.
In reaction to the egregious events of September 11, this act was passed without extensive debate, inter-agency reviews, or the committee and hearing processes that are standard for bills. Although most people would agree that this was a refreshing example of Congress putting aside political differences and agendas to meet the security needs of the nation, many are now questioning the results of that action.
It seems that now that the initial relief gained from the passing of the bill has diminished, it is coming under intense scrutiny from all sectors. I have recently heard it both lauded as a logical and much needed extension of law enforcement capabilities into the modern electronic communications arena, and reviled as a rebirth of McCarthyism and the restriction of civil liberties as embodied in the Smith Act of 1940.
Regardless of which view will eventually become the accepted opinion of the majority, one of the most pressing issues for organizations today is whether, and how, the provisions of the bill might affect daily operations. Although there is not yet enough data to know the results with any certainty, it is possible to identify some areas of concern.
Of the 15 different statutes changed by provisions of the bill, one that a corporation may encounter, if unfortunate enough to have an employee engaged in seditious activity, is the more widespread authorization of wiretaps known as the pen/trap statute (Section 216). The statute now covers not just regular phones, as in previous laws, but cell phones, Internet user accounts, and computer network addresses, referred to in the statute as a "line or other facility."
These pen/trap devices collect "non-content" information about electronic communications such as phone calls and email. This includes phone numbers dialed, and the routing and signaling information for email, such as To and From header information, IP addresses and port numbers. Critics say that as long as a judge approves the wiretap request, even web surfing and Internet keyword searches could be monitored. The monitoring device does not have to be physically located at the target facility for this to work.
The other twist to the new wiretap measures is that once a judge grants permission for a wiretap on a crime under his or her jurisdiction, the wiretap can take place in any jurisdiction (Section 216). This measure is intended to help investigators cope with a technological environment in which many carriers may handle a communication before it reaches the recipient, and where disposable and cell phones may confuse the trail.
In other words, if the surveillance of an employee of an organization may lead to "relevant information" in an investigation, all of their communications may be monitored, even if the employee is not the target of the investigation. It also allows wiretapping of any phone a target (suspected terrorist) might use; this may include one or more phones that belong to the corporation where the target is working. We may as well get used to this one; it doesn't sunset.
Another interesting note is that USAPA 215 provides for business records to be subpoenaed in Foreign Intelligence Surveillance Act (FISA) investigations. USAPA 505 extends the subpoena power to include both credit records and bank records. Unless renewed, this will sunset December 31, 2005.
The USAPA also changes some statutes that may have little or nothing to do with terrorism, such as hacking (Section 814). These acts are defined as those that exceed authorized access to, or use of, a computer connected to the Internet. This section makes the penalties the same for an attempted offense as for one that was actually perpetrated, and the penalties are now much greater. Even more serious are the penalties for damaging computers that are used by any government organization engaged in national security, defense or the administration of justice.
This may provide a needed respite for organizations after coping with the series of Internet attacks and intrusions that occurred over the last few years. Another plus for businesses seeking prosecution for malicious computer acts is that the definition of "loss" now encompasses the total cost incurred. This cost includes figures for lost revenue and the time spent assessing, responding to, and recovering from an attack (Section 814).
Section 217 provides for victims of computer attacks to authorize persons "acting under the color of the law" and engaged in an ongoing investigation to monitor intruders on their systems. If the investigator has a reasonable belief that communications from the hacker may be relevant to the ongoing investigation, the investigator (with authorization of the computer owner) may intercept any communications from that intruder that are sent to, from, or through the protected computer. Under certain conditions, this allows "computer owners" and law enforcement to collaborate in the investigation of attacks.
When, and if, a business or other organization is involved in an action taken against a hacker under USAPA, it would probably be advantageous to have already implemented a clear-cut, detailed set of security policies, including "acceptable use" and "authorization" matrices.
Another change that will enhance the prosecution ability of organizations investigating computer fraud is USAPA Section 815, which provides for development and support of computer forensic laboratories and training. This should enable organizations to get the help they need to facilitate the investigation and prosecution of intruders for either civil or criminal actions.
Although the preponderance of the USAPA deals with terrorism, the items discussed above are among those that may be encountered at some time by typical organizations during the course of their daily activities. The USAPA is a complex body of laws and should be reviewed in order to fully understand its implications. Information and various perspectives regarding the USAPA are still in development. Current references include:
Thresa Lang ([email protected]) is a security and training consultant, who also teaches information systems protection at the George Washington University. She is a Cisco certified network associate (CCNA), a systems analyst and a CISSP instructor.