Penetration Testing mailing list archives

TCG analysis of the ATA of 2001


From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Fri, 28 Sep 2001 12:15:52 -0400

Excerpts of Terradon Communications Group's letter to Representative Shelley
Moore Capito (R) WV.

Quotes from law or proposed legislation will be denoted with *****

Again, no further comment will come from me regarding our analysis. I don't
wish to discourage discussion on the matter, but to simply state that I
won't be involved in it.

<snip> would like to address some serious concerns in the proposed
"Anti-Terrorism Act of 2001."  As you are aware, <snip> is a West Virginia
information technology and information security firm. In particular, two
sections of the legislation raise some major red flags.  Additionally, the
retroactive nature of this legislation raises some concerns relative to the
"expert advice or assistance" language in section 306.

Section 309. Definition.

Section 309 defines USC Title 18, Chapter 47, Section 1030 (a)(1), (a)(4),
(a)(5)A, and (a)(7) as terrorist acts, punishable by life in prison without
the possibility of parole.  Upon close examination of section 1030, it
becomes very clear that all possible violations of this statute could not
possibly be considered terrorist acts.

******
Sec. 1030. Fraud and related activity in connection with computers 

    (a) Whoever - 
        (1) having knowingly accessed a computer without authorization 
        or exceeding authorized access, and by means of such conduct 
        having obtained information that has been determined by the 
        United States Government pursuant to an Executive order or 
        statute to require protection against unauthorized disclosure for 
        reasons of national defense or foreign relations, or any 
        restricted data, as defined in paragraph y. of section 11 of the 
        Atomic Energy Act of 1954, with reason to believe that such 
        information so obtained could be used to the injury of the United 
        States, or to the advantage of any foreign nation willfully 
        communicates, delivers, transmits, or causes to be communicated, 
        delivered, or transmitted, or attempts to communicate, deliver, 
        transmit or cause to be communicated, delivered, or transmitted 
        the same to any person not entitled to receive it, or willfully 
        retains the same and fails to deliver it to the officer or 
        employee of the United States entitled to receive it; 
******

This section seems reasonable.  It limits the definition of a terrorist act
to breach of information or unauthorized access to systems containing
national secrets.

(a)(4) begins to broaden the definition of a terrorist act.

******
        knowingly and with intent to defraud, accesses a protected 
        computer without authorization, or exceeds authorized access, and 
        by means of such conduct furthers the intended fraud and obtains 
        anything of value, unless the object of the fraud and the thing 
        obtained consists only of the use of the computer and the value 
         of such use is not more than $5,000 in any 1-year period; 
******


This effectively defines any unauthorized access as a terrorist act,
regardless of intention to damage or steal information relative to attacks
against the American people or the telecommunications infrastructure.

(a)(5) covers viruses or other malicious programs such as worms or trojans.

******
        (A) knowingly causes the transmission of a program, 
           information, code, or command, and as a result of such conduct, 
           intentionally causes damage without authorization, to a protected
           computer; 
******


What is particularly disturbing, and far too broadly defines terrorist acts,
are the definitions found in (a)(7).  (a)(7) is in direct reference to
(a)(6) which reads:


******
        knowingly and with intent to defraud traffics (as defined 
        in section 1029) in any password or similar information through 
        which a computer may be accessed without authorization, if - 
           (A) such trafficking affects interstate or foreign commerce; 
           or 
           (B) such computer is used by or for the Government of the 
           United States; [1] 
******



Virtually every computer connected to the internet falls under the
jurisdiction of (a)(6)(A) as defined by affecting interstate commerce.
Almost all computer crimes currently fall under the jurisdiction of the FBI
for investigation and prosecution under the Interstate Commerce Act.  (a)(7)
covers making threats regarding the defined activities.

This statute provides no provision for scope or terroristic intention.
Under the proposed legislation, a hacker or cracker who breaks into and
defaces any website, could be prosecuted as a terrorist and face a life
prison term without the possibility of parole.  Though <snip> certainly does
not condone such activity, defacing a website could, and should be analogous
to climbing a fence, and spray-painting a slogan on a wall.  This is quite a
far cry from slamming a fully loaded 767 into a crowded skyscraper.  This
legislation intends to make no such distinction.    

The language in the proposed "Anti-Terrorism Act" (Section 306, Support of
Terrorism Through Expert Advice or Assistance) references section 2339A of
USC title 18.  This would read: 



******
    Offense. - Whoever, within the United States, provides material support
    or resources or conceals or disguises the nature, location, source, or
    ownership of material support or resources, knowing or intending that
    they are to be used in preparation for, or in carrying out, any Federal
    terrorism offense, or in preparation for, or in carrying out, the
    concealment or an escape from the commission of any such offense, shall
    be fined under this title, imprisoned not more than 10 years, or both.

    (b) Definition. - In this section, the term ''material support or
    resources'' means currency or other financial securities, financial
    services, lodging, training, expert advice or assistance, safehouses,
    false documentation or identification, communications equipment,
    facilities, weapons, lethal substances, explosives, personnel,
    transportation, and other physical assets, except medicine or religious
    materials.
******



This could define anyone who places computer security, or security related
information in public view, on the web, or publicly available via other
media as terrorists.  This could, in fact, label almost every computer
security firm in the world, and most information technology related firms as
terrorists.  The information technology industry should be quaking in their
boots.  Not only could this make future publishing of such information a
terrorist act, but any past publication of such material that is normally
designed to improve systems security and systems security awareness a
terrorist act, but it would be retroactive under the "Anti-Terrorism Act" to
include those firms that have ever published such information.

301(c) of the "Anti-Terrorism Act" would amend USC Title 18, Chapter 213,
section 3286 to read:



******
Notwithstanding section 3282, no person shall be prosecuted, tried, or
punished for any non-capital offense involving a violation of section 32
(aircraft destruction), section 37 (airport violence), section 112 (assaults
upon diplomats), section 351 (crimes against Congressmen or Cabinet
officers), section 1116 (crimes against diplomats), section 1203 (hostage
taking), section 1361 (willful injury to government property), section 1751
(crimes against the President), section 2280 (maritime violence), section
2281 (maritime platform violence), section 2332 (terrorist acts abroad
against United States nationals), section 2332a (use of weapons of mass
destruction), 2332b (acts of terrorism transcending national boundaries), or
section 2340A (torture) of this title or section 46502, 46504, 46505, or
46506 of title 49, unless the indictment is found or the information is
instituted within 8 years after the offense was committed. 

Notwithstanding any other provision of law, an indictment may be found or an
information instituted for any Federal terrorism offense at any time without
limitation. 

(b) CONFORMING AMENDMENT.-The analysis for chapter 213 of title 18, United
States Code, is amended by amending the item relating to section 3286 to
read as follows

(c) APPLICATION.--The amendments made by this section shall apply to the
prosecution of any offense committed before, on, or after the date of
enactment of this section.
******




This would abolish the statute of limitations, and institute a retroactive
policy towards acts defined throughout the bill as terrorist acts.  With
regards to most aspects of computer crime at least, this could certainly be
constitutionally questionable under the Ex Post Facto Clause of the
Constitution, which prohibits changing legal consequences of an action
after an action has occurred.

 
