This statement is based upon comments first made before the Vermont Economic Progress Council on December 4, 1996 on behalf of the Telecommunications Resource Center. This expanded version was originally intended as a statement of support for Vermont's first efforts at computer crime legislation: House Bill 318 (H.318), introduced into the Vermont House on February 14, 1997 by Carolyn Yarnell (D-Chittenden 1-1 [Colchester]) and Senate Bill 205 (S.205), introduced into the Vermont Senate on January 6, 1998 by Ann Hallowell (D-Chittenden). Both of these bills died at the end of the 1997-1998 Legislative Session.
The computer crimes bill was reintroduced in both chambers for the 1999-2000 Legislative Session on January 14, 1999: H.39, sponsored by Kathy Keenan (D-Franklin 3-1 [St. Albans]), and S.38, sponsored by Richard Sears (D-Bennington). H.39 passed out of the House on 14 April and S.38 was passed by the Senate on 6 May. The bill was signed into law by Governor Howard Dean on May 26, 1999. The current legislation can be found in Title 13: Crimes and Criminal Procedure, Chapter 87: COMPUTER CRIMES.
Regardless of how we as individuals may feel about this, computers, and networks that allow computers to communicate, have become inextricably woven into our society and daily lives. But it is not the computers, per se, that are so valuable to us, but rather the information that they store. Without properly functioning information management and access systems, the national banking network, electric power grid, health care system, national defense, transportation systems, food and water supplies, communications systems including the Vermont Interactive Television network emergency services, most businesses, and the government could not survive.
Recognizing the importance of information as a critical resource, and computers as the repositories and access devices to that information, and networks as the avenue by which we access them, the federal government and every state in the nation have enacted computer crime legislation to protect these resources. Every state in the nation except Vermont [7,12].
In late-November and early-December, 1996, the Milton High School was subject to more than a half-dozen bomb threats, each of which resulted in the loss of a school day (but, thankfully, no explosion). The school experienced what can only be called a "terrorist denial-of-service" attack. What happened there, and subsequently at several other area schools, IBM, and Hannaford's Market, was a crime, both in the moral and legal sense. And after a lull in such events which made many think that they would happen no more similar events started again in late 1998 and early 1999.
But consider the impact of an analogous "cyberterrorist" attack. Suppose someone were to walk into a random business and delete all of the files from a corporate computer. That individual may have trespassed on private property but, according to current Vermont law, has committed no other punishable crime. In an even more realistic scenario, suppose an individual breaks into a company's computer systems through that company's own modems; in that case, no crime has been committed at all! Alternatively, a virus can be planted in a company's computer via e-mail, so that the perpetrator does not even have to come into direct contact with any of the victim's resources. As long as the damage done does not exceed a certain amount of money, or does not affect a U.S. government computer, financial or medical records, nuclear secrets, or a short list of other items, no federal law applies and neither the FBI nor the Secret Service has any jurisdiction. In those cases, we are left to Vermont's laws and police agencies.
Vermont has long touted its telecommunications network as an attraction to the "right kinds of businesses" i.e., service-oriented and light manufacturing rather than heavy industry. These businesses are absolutely dependent upon information and information systems. In the future, they will depend more and more on electronic commerce and electronic data interchange (EDI). As Nicholas Negroponte, head of MIT's Media Lab has observed, companies are increasingly in the business of shipping bits rather than atoms ; i.e., trading in information rather than in traditional hard goods.
Vermont currently has many laws that protect against theft, destruction, and vandalism of atoms; we also need such protection for bits. The inability of a potential victim of a computer crime to have legal recourse could send a chill over any potential for large-scale electronic commerce in the state and could adversely affect economic development. Basic computer crime legislation may be particularly important now that some members of the legislature are looking into the creation of Digital Signature legislation, which will be written specifically to aid electronic commerce. Digital signature legislation will be necessary for the long-term future of electronic commerce just as banking laws are essential for banking in the state. And to protect the repositories of digital signature information, basic computer crime statues must be in place.
There are several major types of computer attacks that do not appear to be crimes under current Vermont statutes, including:
One could argue that all computer and network systems should have security in place to protect themselves from these kinds of attacks and, therefore, laws are unnecessary; or, stated another way, "Why should the state protect someone who is too naive or ignorant to implement the correct level of protection?" The response to this line of reasoning is that no security system is perfect and one who purposely attacks another's computer system should be considered a criminal regardless of what the victim has done (or not done) to protect him or herself. The question, in fact, flies in the face of other Vermont laws that make crimes out of acts that could be prevented by the victim. For example, if I forget to lock the front door of my house, and someone enters during my absence and steals something, a crime has been committed, even though I could have prevented it by taking proper actions. Finally, I would simply observe that this "lack of necessity" or "blame the victim" argument is clearly not shared by the federal government nor the other 49 states.
Although I know of no major computer intrusions or data thefts in the state, the threat is real and such incidents may have already taken place. Companies do not typically advertise these occurrences, partially out of embarrassment but primarily because they do not want to undermine their customers' confidence. A recent Government Accounting Office (GAO) report, for example, suggested that less than 1 in 150 attacks on Department of Defense (DoD) computers were actually detected and reported, and that 65% of attempted attacks on DoD systems successfully resulted in a user gaining unauthorized access ; and there is no reason to believe that the statistics are significantly different for businesses, in general. In fact, the vast majority of computer crimes are committed by insiders who have authorized access to the systems [1,7]. The FBI reports that computer crime costs U.S. businesses between $200 million and $5 billion annually , suggesting that a) the cost is very high and b) no one really knows how high! Indeed, in March 1997, the FBI again encouraged companies to report computer crimes but companies in Vermont actually have a disincentive to make such reports in the absence of supportive legislation. Indeed, a white paper on computer crime statistics from the International Computer Security Association  seems to confirm the difficulty in accurately assessing the damage done from computer crime.
It is also worth noting that there is no absence of training material for hackers just go down to the local Barnes & Noble and check out 2600 Magazine or Secrets of a Super Hacker . By the same token, there is no lack of people willing to try breaking into systems at their schools or elsewhere, and the number of books describing such individuals around the world could fill a small library [2,3,4,6,10,11,15,16,17,18].
Finally, acts of computer cracking are not just harmless pranks to be ignored or laughed off. They are, in fact, the training ground for potentially worse damage. Every book describing these activities shows that the big-time attackers were caught or identified at an early stage of their "career" (while the activities were still relatively local) and given either a slap on the wrist or stern warning. Either response resulted in the individual being emboldened to maintain the activity and not make the same mistakes again. And the continued activities can be far-reaching. Attacks on U.S. military and government sites are favorite targets. Attackers on a hospital database in late 1997 changed medical records resulting in several patients receiving chemotherapy for cancers that they did not have. Assaults on NASA in early 1998 were used by a "hacker club" to demonstrate their ability to take down the U.S. electrical power grid and disrupt communication to the space shuttle.
These events and others prompted President Clinton, in a speech early in 1998, to call for a public-private partnership to protect against these kinds of events in the future . The result was the establishment of the National Infrastructure Protection Center (NIPC), a cooperative of federal, state, and local government agencies, the FBI, and the private sector. Their charter can be best understood by this quote from their Web site: "No computer or networked system can be one-hundred percent attack proof and the job of securing a system against an illegal intrusion will never be complete." The lesson here is that all members of the networked community are best served when working in concert.
The bottom-line is this: Vermont needs to join the rest of the country and play an active role in providing basic protections against computer- and network-based crimes. Vermont needs to enact legislation that, quite simply, makes unauthorized access to any computer system or network a crime. Access to, theft of, alteration of, and/or destruction of information; unauthorized storage or alteration of computer files; and any purposeful system or network degradation, including denial-of-service, should have legal consequences.
Gary C. Kessler is currently an Associate Professor at Champlain College in Burlington, VT, where he is program director of the Computer & Digital Forensics program. At the time of the initial version of this statement (Dec.,1996), he was a Senior Consultant at BBN Systems & Technologies, where he acted as Program Manager for CommerceNet's Public Key Infrastructure (PKI) and Electronic Data Interchange (EDI) Task Forces, a consortium of over 200 companies involved in electronic commerce over the Internet. At the time the bill was passed into law, he was the Director of Information Technology and Senior Member of Technical Staff at Hill Associates, a telecommunications training firm in Colchester, VT. Gary's other areas of interest include network security, Internet and TCP/IP applications and protocols, ISDN, and fast packet telecommunications technologies. Gary is a well-known writer and speaker in the telecommunications industry, has written two books and over 60 articles, has given talks at many local and national industry conferences. Gary holds a B.A. in Mathematics and an M.S. in Computer Science. More information can be found at his personal Web page at http://www.garykessler.net.
Gary can be reached by 802-879-5242, or via e-mail at firstname.lastname@example.org.
This statement is the personal opinion of Gary C. Kessler, given on behalf of the Vermont Telecommunications Resource Center, and does not reflect any official position of any company with which he is or has been associated.