MOUNTAIN VIEW, California -- Though he smiles often, Attorney General John Ashcroft comes across as a stern man. When he speaks, it's in a slow and menacing fashion, and every now and then he flashes a Dirty-Harry grin which says you'd be wise not to cross him.
So on Friday afternoon, when Ashcroft announced a tough-on-hacking initiative to combat the people of "poor and evil motivations" who seek to bring down the world's precious computers, did cyber-punks flinch and ask themselves if they felt lucky?
Not likely. Though Ashcroft's program devotes significant resources to tackling "cybercrime," and though it might result in increased prosecutions for such misdeeds, computer security experts and "hackers" said it would make little difference to the strength of the world's networks. And they also worried about the possible adverse effects that Ashcroft's proposal might have on civil liberties.
The new program will create a cadre of specialized cybercrime attorneys -- called "computer hacking and intellectual property" units, or, stupidly, CHIPs. They'll be based at 10 field offices around the country, from which, Ashcroft promised, they'll be able to respond like lightning to any digital threats.
"The new teams will prosecute vigorously those responsible for cybercrime," he said. "As a result, we hope to reinforce the message to would-be criminals that there are no free passes here."
But that's all the program consists of -- lawyers. Though he cited several statistics to prove to the assembled media how big a problem computer crime is, Ashcroft's was a gospel of prosecution, not of cyber security. His message, peppered as it was with such misnomers as "hacker" to mean "cyber-criminal," indicated a fundamental ignorance of the computer security community and their ethic.
For example, Ashcroft cited the "Melissa" and "I love you" viruses, which pestered computer users worldwide in 1999 and 2000, as being indicative of the growing "sophistication and cost" of computer crime.
Of course, this ain't true, as any security expert will tell you. Those viruses and the dozens of their clones are idiot-simple to create, and they were only made possible by the weak systems that pervade the current computing landscape. (For those viruses, the culprit was Microsoft Outlook.)
The CHIPs program will do nothing to solve this part of the problem.
One member of the security community -- "Cancer Omega," of attrition.org -- had this to say, via e-mail: "Consider, for example, if Fort Knox were managed by leaving all vault doors open and wholly unattended. Were someone to walk in and take all the gold they could carry, we would certainly consider that person as unscrupulous; but the public and government outcry would be totally focused on the mismanagement of the Fort Knox staff. So why is it that the lazy and incompetent admins are so readily let off the hook when they leave their systems wide open to attack?"
Consequently, Cancer wrote, "The money spent on creating these "centers" and enacting these punitive measures is wholly misguided. The money could be far better spent by providing meaningful budgets that would enable admins to get the security education and tools they so desperately need in order to adequately function on the 'net."
Ashcroft, who was flanked by several nodding tech execs, said that he hoped the industry would take it upon itself to make their systems more "robust." But the emphasis was clearly on punishment.
The Attorney General's announcement came during a frenzied week in computer security: Two different viruses -- one called Sircam, the other Code Red -- sloshed around on the Internet; a Russian "hacker", having been nabbed by the FBI for "breaking" Adobe's e-Book format, sat ruminating in jail; and somewhere out in the world, a couple hundred of the FBI's laptops were stolen (actually, they were stolen a long time ago, but the bureau only discovered it last week).
Ashcroft didn't comment on any of these issues. When asked about the Digital Millennium Copyright Act, which allowed for the federal prosecution of Dmitry Sklyarov, that Russian hacker, he said that it was his duty to "defend the acts of Congress."
But that act is draconian, the folks in computer security say, citing its restrictions on fair use and allowances for strict criminal prosecutions.
Ryan Russell, of SecurityFocus.com, said that the CHIP program will only increase those prosecutions.
"The big industries that would like to get more intellectual property rights that they have in the past," he said. "And the problem is that the hackers don't have a very good lobby -- we've got the (Electronic Frontier Foundation) and 2600 Magazine, and not a whole lot beyond that. And because of these prosecutions, it's extremely painful to make yourself the straw man to protest a bad law. I've got a wife and four kids who depend on me, and I can't spend any time in jail. I can't afford it."
