+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
INTRODUCTION
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The Association for Computing Machinery is an international
professional society whose 80,000 members (60,000 in the U.S.)
represent a critical mass of computer scientists in education,
industry, and government. The USACM provides a means for promoting
dialogue on technology policy issues with United States policy makers
and the general public. The WASHINGTON UPDATE reports on activities
in Washington, which may be of interest to those in the computing and
information policy communities and will highlight USACM's involvement
in many of these issues.
To subscribe to the ACM WASHINGTON UPDATE send an e-mail to
listserv@acm.org with "subscribe WASHINGTON-UPDATE" (no quotes) in the
body of the message. Back issues are available at:
http://www.acm.org/usacm
For information about joining the Association for Computing Machinery,
see: http://www.acm.org/membership/join.html
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
POLICY BRIEFS
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
CFP 2001
CFP 2001 is being held in Cambridge, MA, March 6-9, in the Hyatt
Regency. The deadline for reduced rates for hotel rooms is February
5.
To obtain the special rate for the CFP2001 conference, please call
+1 617 492 1234 or +1 800 633 7313 (or the reservation office nearest
you).
More information about CFP 2001 is available at:
http://www.cfp2001.org/
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
PORTSCANNING NOT FOUND TO LEGALLY DAMAGE NETWORKS
A celebrated decision from the United States District Court of Georgia
found that the act of portscanning did not constitute "damage" to a
network which would trigger liability under both Georgia's computer
fraud laws and the federal Computer Fraud and Abuse Act. Port scanning
is the act of sending packets to various network protocol ports on the
target machine and then analyzing the responses (or lack of them). This
is often done to determine which ports are reachable by outsiders, and
which ones may be running vulnerable software.
Moulton v. VC3 concerned two computer consultants. Moulton, president
of NICS, provided network services for the Cherokee County 911
service, while VC3 provided network services to the city of Canton.
During the course of providing services, Moulton performed "access
checks," including portscanning VC3's servers and performing
throughput tests. After discovering the portscan and finding that
Moulton lacked authorization for the portscan, a criminal
investigation was initiated. Moulton sued VC3 for various claims
(found to be meritless). VC3 countersued under Georgia's computer
crime laws and the federal Computer Fraud and Abuse Act. These laws
have a damage requirement for civil liability (and criminal liability
in the case of the CFAA). The court further refuted VC3's argument
that the time and money spent investigating the portscan could be
counted towards the total damages caused by Moulton.
These laws are in the minority in American legislation; the majority of
state computer fraud laws punish unauthorized access without any
requirement for damage. On the other hand, the court also found that
portscanning did not constitute damage to a network because "network
security was never actually compromised" since Moulton never
"accessed" VC3's network. The court apparently resisted the notion
that portscanning accesses a network or compromises security.
Moulton v. VC3 is available at:
http://pub.bna.com/eclr/00434.htm
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
TEMPEST DOCS RELEASED
The publisher of Cryptome, John Young, has received and posted
National Security Agency documents received under FOIA on the TEMPEST
phenomenon, which includes electromagnetic emanations from computer
equipment that can be used to covertly monitor computer users.
The documents include Tempest Fundamentals, Specification for Shielded
Enclosures, and the Red/Black installation guide. Tempest Fundamentals
is a publication discussing the technical details of Tempest, the
setup of the NSA's program to prevent Tempest attacks on national
security, Tempest testing, and technical details on the suppression of
Tempest signals. The last two documents discuss the installation of
Tempest-shielded equipment.
NACSIM 5000: Tempest Fundamentals is available at:
http://cryptome.org/nacsim-5000.htm
Specification for Shielded Enclosures is available at:
http://cryptome.org/nsa-94-106.htm
Red/Black Installation Guide is available at:
http://cryptome.org/tempest-2-95.htm
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
TOPICAL LEGISLATION
Departments of Labor, Health and Human Services, and Education, and
Related Agencies Appropriations Act (H.R. 4577) was signed into law
on December 21, 2000, becoming Public Law 106-554. Title VI of the
Act, the Children's Internet Protection Act, requires elementary or
secondary educational institutions receiving discount services from
the federal government to certify that the school has implemented
technological means to block access to child pornography and material
that is obscene.
The Public Safety Officer Medal of Valor Act of 1999 (H.R. 46) was
passed in the Senate on December 15, 2000 (having been passed in the
House the previous year). H.R. 46 created the post of Deputy Assistant
Attorney General for Computer Crime and Intellectual Property,
modified the Computer Fraud and Abuse Act (clarifying the damage
threshold for liability), created criminal seizure and forfeiture
provisions for equipment possibly used in computer crimes and
intellectual property crimes and provided for the National Cyber Crime
Technical Support Center, an FBI-constructed information clearinghouse
for the enforcement of federal, state and local computer crime-related
laws. Additionally, H.R. 46 provides for expanded wiretapping
procedures, as well as increased penalties for using encryption in
crimes. It has yet to be signed into law.
H.R. 4577 is available at:
http://thomas.loc.gov/cgi-bin/bdquery/z?d106:h.r.04577:
H.R. 46 is available at:
http://thomas.loc.gov/cgi-bin/bdquery/z?d106:h.r.00046:
Additional analysis on H.R. 46 is available at:
http://cryptome.org/hr46.htm
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
JOHNS HOPKINS SECURITY STUDY ANNOUNCED
Johns Hopkins University, Baltimore, will establish an institute to
study technological, legal, ethical and public policy challenges of
securing data in computer systems. Supported with an anonymous $10
million gift, the Johns Hopkins University Information Security
Institute will draw on experts throughout the university, in industry
and in government. Among other services, the institute will test
software and hardware systems used in the private sector and
government for security vulnerabilities. One focus of the institute's
research will involve patient privacy in telemedicine programs and
medical databases. Other priority areas include the protection of
intellectual property and the security of electronic business
transactions. The institute will start operations with up to 50
researchers and faculty at the university, and may hire up to 30 more
staffers within three years. Initial services will begin in the
spring of 2001.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
FINAL CERIAS/ACCENTURE REPORT RELEASED
In October, a high-level summit of 15 security visionaries was
convened by Accenture and Purdue University's CERIAS to look at
future trends and issues in information security. The final report of
that meeting has been released. It includes a Call to Action and a
list of the key trends affecting security over the next decade. One of
the conclusions of the group is that technological issues are not
likely to be the biggest challenges to security and privacy in the
next decade.
USACM Co-chair Gene Spafford is Director of CERIAS.
The full report may be found on-line at
http://www.cerias.purdue.edu/events/summit_4q2000.php
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
CYBERCRIME TREATY OPPOSED, REVISED
The Global Internet Liberty Campaign submitted another letter on
December 12 concerning the 24.2 draft. The letter criticized the
Cybercrime Treaty as promoting invasive measures and undue
extraterritoriality, among other problems.
The Council of Europe released the twenty-fifth draft of the
Cybercrime Treaty during its latest meeting, December 11-15. The draft
was submitted to the Parliamentary Assembly for its opinion (expected
in April). The draft will be revised by the European Committee on
Crime Problems in light of the Assembly's opinion. The Committee is
then expected to approve the draft in the Plenary session in June 2001
and submit the draft to the Committee of Ministers.
The 25th draft of the Cybercrime Treaty is available at:
http://conventions.coe.int/treaty/EN/projets/cybercrime25.htm
GILC's letter is available at:
http://www.gilc.org/privacy/coe-letter-1200.html
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Washington Update is a biweekly publication of the U.S. Public Policy
Office of the Association for Computing Machinery. http://www.acm.org/usacm