|
[Congressional Record: April 13, 2000 (Senate)] [Page S2729-S2771] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr13ap00pt2-155] STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS [Excerpt] By Mr. LEAHY: S. 2430. A bill to combat computer hacking through enhanced law enforcement and to protect the privacy and constitutional rights of Americans, and for other purposes; to the Committee on the Judiciary. Internet Security Act of 2000 Mr. LEAHY. Mr. President, as we head into the twenty-first century, computer-related crime is one of the greatest challenges facing law enforcement. Many of our critical infrastructures and our government depend upon the reliability and security of complex computer systems. We need to make sure that these essential systems are protected from all forms of attack. The legislation I am introducing today will help law enforcement investigate and prosecute those who jeopardize the integrity of our computer systems and the Internet. Whether we work in the private sector or in government, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists. For instance, congressional buildings like this one use cement pillars placed at entrances, photo identification cards, metal detectors, x-ray scanners, and security guards to protect the physical space. These security steps and others have become ubiquitous in the private sector as well. Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we communicate and do business. This plain fact was amply demonstrated by the recent hacker attacks on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet sites. These attacks raise serious questions about Internet security-- questions that we need to answer to ensure the long-term stability of electronic commerce. More importantly, a well-focused and more malign cyber-attack on computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense. We have learned that even law enforcement is not immune. Just recently we learned of a denial of service attack successfully perpetrated against a FBI web site, shutting down that site for several hours. The cybercrime problem is growing. The reports of the CERT Coordination Center (formerly called the ``Computer Emergency Response Team''), which was established in 1988 to help the Internet community detect and resolve computer security incidents, provide chilling statistics on the vulnerabilities of the Internet and the scope of the problem. Over the last decade, the number of reported computer security incidents grew from 6 in 1988 to more than 8,000 in 1999. But that alone does not reveal the scope of the problem. According to CERT's most recent annual report, more than four million computer hosts were affected by the computer security incidents in 1999 alone by damaging computer viruses, with names like ``Melissa,'' ``Chernobyl,'' ``ExploreZip,'' and by the other ways that remote intruders have found to exploit system vulnerabilities. Even before the recent headline- grabbing ``denial-of-service'' attacks, CERT documented that such incidents ``grew at rate around 50% per year'' which was ``greater than the rate of growth of Internet hosts.'' CERT has tracked recent trends in severe hacking incidents on the Internet and made the following observations, First, hacking techniques are getting more sophisticated. That means law enforcement is going to have to get smarter too, and we need to give them the resources to do this. Second, hackers have ``become increasingly difficult to locate and identify.'' These criminals are operating in many different locations and are using techniques that allow them to operate in ``nearly total obscurity.'' We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1989 by the Subcommittee on Technology and the Law in the Senate Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely ``hardening'' our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government has a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems. Targeting cybercrime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. Just recently, internet providers and companies such as Yahoo! and Amazon.com Inc., and computer hardware companies such a Cisco Systems Inc., proved successful at stemming attacks within hours thereby limiting losses. That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress earlier this year when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging--and not restraining--the use of strong encryption and other technical solutions to protecting our computer systems. Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In the 104th Congress, Senators Kyl, Grassley, and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met. [[Page S2739]] In this Congress, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime. Computer crime is a problem nationwide and in Vermont. I recently released a survey on computer crime in Vermont. My office surveyed 54 law enforcement agencies in Vermont--43 police departments and 11 State's attorney offices--on their experience investigating and prosecuting computer crimes. The survey found that more than half of these Vermont law enforcement agencies encounter computer crime, with many police departments and state's attorney offices handling 2 to 5 computer crimes per month. Despite this documented need, far too many law enforcement agencies in Vermont cannot afford the cost of policing against computer crimes. Indeed, my survey found that 98% of the responding Vermont law enforcement agencies do not have funds dedicated for use in computer crime enforcement. My survey also found that few law enforcement officers in Vermont are properly trained in investigating computer crimes and analyzing cyber- evidence. According to my survey, 83% of responding law enforcement agencies in Vermont do not employ officers properly trained in computer crime investigative techniques. Moreover, my survey found that 52% of the law enforcement agencies that handle one or more computer crimes per month cited their lack of training as a problem encountered during investigations. Proper training is critical to ensuring success in the fight against computer crime. This bill will help our computer crime laws up to date as an important backstop and deterrent. I believe that our current computer crime laws can be enhanced and that the time to act is now. We should pass legislation designed to improve our law enforcement efforts while at the same time protecting the privacy rights of American citizens. The bill I offer today will make it more efficient for law enforcement to use tools that are already available--such as pen registers and trap and trace devices--to track down computer criminals expeditiously. It will ensure that law enforcement can investigate and prosecute hacker attacks even when perpetrators use foreign-based computers to facilitate their crimes. It will implement criminal forfeiture provisions to ensure that cybercriminals are forced to relinquish the tools of their trade upon conviction. It will also close a current loophole in our wiretap laws that prevents a law enforcement officer from monitoring an innocent-host computer with the consent of the computer's owner and without a wiretap order to track down the source of denial-of-service attacks. Finally, this legislation will assist state and local police departments in their parallel efforts to combat cybercrime, in recognition of the fact that this fight is not just at the federal level. The key provisions of the bill are: Jurisdictional and Definitional Changes to the Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. Sec. 1030, is the primary federal criminal statute prohibiting computer frauds and hacking. This bill would amend the statute to clarify the appropriate scope of federal jurisdiction. First, the bill adds a broad definition of ``loss'' to the definitional section. Calculation of loss is important both in determining whether the $5,000 jurisdictional hurdle in the statute is met, and, at sentencing, in calculating the appropriate guideline range and restitution amount. Second, the bill amends the definition of ``protected computer,'' to expressly include qualified computers even when they are physically located outside of the United States. This clarification will preserve the ability of the United States to assist in international hacking cases. A ``Sense of Congress'' provision specifies that federal jurisdiction is justified by the ``interconnected and interdependent nature of computers used in interstate or foreign commerce.'' Finally, the bill expands the jurisdiction of the United States Secret Service to encompass investigations of all violations of 18 U.S.C. Sec. 1030. Prior to the 1996 amendments to the Computer Fraud and Abuse Act, the Secret Service was authorized to investigate any and all violations of section 1030, pursuant to an agreement between the Secretary of Treasury and the Attorney General. The 1996 amendments, however, concentrated Secret Service jurisdiction on certain specified subsections of section 1030. The current amendment would return full jurisdiction to the Secret Service and would allow the Justice and Treasury Departments to decide on the appropriate work-sharing balance between the two. Elimination of Mandatory Minimum Sentence for Certain Violations of Computer Fraud and Abuse Act: Currently, a directive to the Sentencing Commission requires that all violations, including misdemeanor violations, of certain provisions of the Computer Fraud and Abuse Act be punished with a term of imprisonment of at least six months. The bill would change this directive to the Sentencing Commission so that no such mandatory minimum would be required. Additional Criminal Forfeiture Provisions: The bill adds a criminal forfeiture provision to the Computer Fraud and Abuse Act, requiring forfeiture of physical property used in or to facilitate the offense as well as property derived from proceeds of the offense. It also supplements the current forfeiture provision in 18 U.S.C. 2318, which prohibits trafficking in, among other things, counterfeit computer program documentation and packaging, to require the forfeiture of replicators and other devices used in the production of such counterfeit items. Pen Registers and Trap and Trace Devices: The bill makes it easier for law enforcement to use these investigative techniques in the area of cybercrime, and institutes corresponding privacy protections. On the law enforcement side, the bill gives nationwide effect to pen register and trap and trace orders obtained by Government attorneys, thus obviating the need to obtain identical orders in multiple federal jurisdictions. It also clarifies that such devices can be used on all electronic communication lines, not just telephone lines. On the privacy side, the bill provides for greater judicial review of applications for pen registers and trap and trace devices and institutes a minimization requirement for the use of such devices. The bill also amends the reporting requirements for applications for such devices by specifying the information to be reported. Denial of Service Investigations: Currently, a person whose computer is accessed by a hacker as a means for the hacker to reach a third computer cannot simply consent to law enforcement monitoring of his computer. Instead, because this person is not technically a party to the communication, law enforcement needs wiretap authorization under Title III to conduct such monitoring. The bill will close this loophole by explicitly permitting such monitoring without a wiretap if prior consent is obtained from the person whose computer is being hacked through and used to send ``harmful interference to a lawfully operating computer system.'' Encryption Reporting: The bill directs the Attorney General to report the number of wiretap orders in which encryption was encountered and whether such encryption precluded law enforcement from obtaining the plaintext of intercepted communications. State and Local Computer Crime Enforcement: The bill directs the Office of Federal Programs to make grants to assist State and local law enforcement in the investigation and prosecution of computer crime. Legislation must be balanced to protect our privacy and other constitutional rights. I am a strong proponent [[Page S2740]] of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can be respected at the same time we hold accountable those malicious mischief makers and digital graffiti sprayers, who use computers to damage or destroy the property of others. I have seen Congress react reflexively in the past to address concerns over anti-social behavior on the Internet with legislative proposals that would do more harm than good. A good example of this is the Communications Decency Act, which the Supreme Court declared unconstitutional. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights. Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress and the Administration need to work together to meet these new challenges while preserving the benefits of our new era. The legislation I offer today is a step in that direction. Mr. President, I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: S. 2430 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Internet Security Act of 2000''. SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT. Section 1030 of title 18, United States Code, is amended-- (1) in subsection (a)-- (A) in paragraph (5)-- (i) by inserting ``(i)'' after ``(A)'' and redesignating subparagraphs (B) and (C) as clauses (ii) and (iii), respectively; (ii) in subparagraph (A)(iii), as redesignated, by adding ``and'' at the end; and (iii) by adding at the end the following: ``(B) the conduct described in clause (i), (ii), or (iii) of subparagraph (A)-- ``(i) caused loss aggregating at least $5,000 in value during a 1-year period to 1 or more individuals; ``(ii) modified or impaired, or potentially modified or impaired, the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) caused physical injury to any person; or ``(iv) threatened public health or safety;''; and (B) in paragraph (6), by adding ``or'' at the end; (2) in subsection (c)-- (A) in paragraph (2)-- (i) in subparagraph (A), by striking ``and'' at the end; and (ii) in subparagraph (B), by inserting ``or an attempted offense'' after ``in the case of an offense''; and (B) by adding at the end the following: ``(4) forfeiture to the United States in accordance with subsection (i) of the interest of the offender in-- ``(A) any personal property used or intended to be used to commit or to facilitate the commission of the offense; and ``(B) any property, real or personal, that constitutes or that is derived from proceeds traceable to any violation of this section.''; (3) in subsection (d)-- (A) by striking ``subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of''; and (B) by striking ``which shall be entered into by'' and inserting ``between''; (4) in subsection (e)-- (A) in paragraph (2)(B), by inserting ``, including computers located outside the United States'' before the semicolon; (B) in paragraph (4), by striking the period at the end and inserting a semicolon; (C) in paragraph (7), by striking ``and'' at the end; (D) in paragraph (8), by striking ``, that'' and all that follows through ``; and'' and inserting a semicolon; (E) in paragraph (9), by striking the period at the end and inserting ``; and''; and (F) by adding at the end the following: ``(10) the term `loss' includes-- ``(A) the reasonable costs to any victim of-- ``(i) responding to the offense; ``(ii) conducting a damage assessment; and ``(iii) restoring the system and data to their condition prior to the offense; and ``(B) any lost revenue or costs incurred by the victim as a result of interruption of service.''; (5) in subsection (g), by striking ``Damages for violations involving damage as defined in subsection (c)(8)(A)'' and inserting ``losses specified in subsection (a)(5)(B)(i)''; and (6) by adding at the end the following: ``(i) Provisions Governing Forfeiture.--Property subject to forfeiture under this section, any seizure and disposition thereof, and any administrative or judicial proceeding in relation thereto, shall be governed by subsection (c) and subsections (e) through (p) of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''. SEC. 3. SENSE OF CONGRESS. It is the sense of Congress that-- (1) acts that damage or attempt to damage computers used in the delivery of critical infrastructure services such as telecommunications, energy, transportation, banking and financial services, and emergency and government services pose a serious threat to public health and safety and cause or have the potential to cause losses to victims that include costs of responding to offenses, conducting damage assessments, and restoring systems and data to their condition prior to the offense, as well as lost revenue and costs incurred as a result of interruptions of service; and (2) the Federal Government should have jurisdiction to investigate acts affecting protected computers, as defined in section 1030(e)(2)(B) of title 18, United States Code, as amended by this Act, even if the effects of such acts occur wholly outside the United States, as in such instances a sufficient Federal nexus is conferred through the interconnected and interdependent nature of computers used in interstate or foreign commerce or communication. SEC. 4. MODIFICATION OF SENTENCING COMMISSION DIRECTIVE. Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines to ensure that any individual convicted of a violation of paragraph (4) or (5) of section 1030(a) of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment. SEC. 5. FORFEITURE OF DEVICES USED IN COMPUTER SOFTWARE COUNTERFEITING. Section 2318(d) of title 18, United States Code, is amended by-- (1) inserting ``(1)'' before ``When''; (2) inserting ``, and any replicator or other device or thing used to copy or produce the computer program or other item to which the counterfeit label was affixed, or was intended to be affixed'' before the period; and (3) by adding at the end the following: ``(2) The forfeiture of property under this section, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 (other than subsection (d) of that section) of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''. SEC. 6. CONFORMING AMENDMENT. Section 492 of title 18, United States Code, is amended by striking ``or 1720,'' and inserting ``, 1720, or 2318''. SEC. 7. PEN REGISTERS AND TRAP AND TRACE DEVICES. Section 3123 of title 18, United States Code is amended-- (1) by striking subsection (a) and inserting the following: ``(a) Issuance of Order.-- ``(1) Requests from attorneys for the government.--Upon an application made under section 3122(a)(1), the court may enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device if the court finds, based on the certification by the attorney for the Government, that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation. Such order shall apply to any entity providing wire or electronic communication service in the United States whose assistance is necessary to effectuate the order. ``(2) Requests from state investigative or law enforcement officers.--Upon an application made under section 3122(a)(2), the court may enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device within the jurisdiction of the court, if the court finds, based on the certification by the State law enforcement or investigative officer, that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.''; and (2) in subsection (b)-- (A) in paragraph (1)-- (i) in subparagraph (C), by inserting ``authorized under subsection (a)(2)'' after ``in the case of a trap and trace device''; and (ii) in subparagraph (D), by striking ``and'' at the end; (B) in paragraph (2), by striking the period at the end and inserting ``; and''; and (C) by adding at the end the following: ``(3) shall direct that the use of the pen register or trap and trace device be conducted in such a way as to minimize the recording or decoding of any electronic or other impulses that are not related to the dialing and signaling information utilized in processing by the service provider upon whom the order is served.''. SEC. 8. TECHNICAL AMENDMENTS TO PEN REGISTER AND TRAP AND TRACE PROVISIONS. (a) Issuance of an Order.--Section 3123 of title 18, United States Code, is amended-- (1) by inserting ``or other facility'' after ``line'' each place that term appears; [[Page S2741]] (2) by inserting ``or applied'' after ``attached'' each place that term appears; (3) in subsection (b)(1)(C), by inserting ``or other identifier'' after ``the number''; and (4) in subsection (d)(2), by striking ``who has been ordered by the court'' and inserting ``who is obligated by the order''. (b) Definitions.--Section 3127 of title 18, United States Code is amended-- (1) by striking paragraph (3) and inserting the following: ``(3) the term `pen register'-- ``(A) means a device or process that records or decodes electronic or other impulses that identify the telephone numbers or electronic address dialed or otherwise transmitted by an instrument or facility from which a wire or electronic communication is transmitted and used for purposes of identifying the destination or termination of such communication by the service provider upon which the order is served; and ``(B) does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business;''; and (2) in paragraph (4)-- (A) by inserting ``or process'' after ``means a device''; (B) by inserting ``or other identifier'' after ``number''; and (C) by striking ``or device'' and inserting ``or other facility''. SEC. 9. PEN REGISTER AND TRAP AND TRACE REPORTS. Section 3126 of title 18, United States Code, is amended by inserting before the period at the end the following: ``, which report shall include information concerning-- ``(1) the period of interceptions authorized by the order, and the number and duration of any extensions of the order; ``(2) the offense specified in the order or application, or extension of an order; ``(3) the number of investigations involved; ``(4) the number and nature of the facilities affected; and ``(5) the identity, including district, of the applying investigative or law enforcement agency making the application and the person authorizing the order''. SEC. 10. ENHANCED DENIAL OF SERVICE INVESTIGATIONS. Section 2511(2)(c) of title 18, United States Code, is amended to read as follows: ``(c)(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire, oral, or electronic communication, if such person is a party to the communication or 1 of the parties to the communication has given prior consent to such interception. ``(ii) It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire or electronic communication, if-- ``(I) the transmission of the wire or electronic communication is causing harmful interference to a lawfully operating computer system; ``(II) any person who is not a provider of service to the public and who is authorized to use the facility from which the wire or electronic communication is to be intercepted has given prior consent to the interception; and ``(III) the interception is conducted only to the extent necessary to identify the source of the harmful interference described in subclause (I).''. SEC. 11. ENCRYPTION REPORTING REQUIREMENTS. Section 2519(2)(b) of title 18, United States Code, is amended by striking ``and (iv)'' and inserting ``(iv) the number of orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted pursuant to such order, and (v)''. SEC. 12. STATE AND LOCAL COMPUTER CRIME ENFORCEMENT. (a) In General.--Subject to the availability of amounts provided in advance in appropriations Acts, the Assistant Attorney General for the Office of Justice Programs of the Department of Justice shall make a grant to each State, which shall be used by the State, in conjunction with units of local government, State and local courts, other States, or combinations thereof, to-- (1) assist State and local law enforcement in enforcing State and local criminal laws relating to computer crime; (2) assist State and local law enforcement in educating the public to prevent and identify computer crime; (3) assist in educating and training State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multijurisdictional task forces. (b) Use of Grant Amounts.--Grants under this section may be used to establish and develop programs to-- (1) assist State and local law enforcement agencies in enforcing State and local criminal laws relating to computer crime; (2) assist State and local law enforcement agencies in educating the public to prevent and identify computer crime; (3) educate and train State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multijurisdictional task forces. (c) Assurances.--To be eligible to receive a grant under this section, a State shall provide assurances to the Attorney General that the State-- (1) has in effect laws that penalize computer crime, such as penal laws prohibiting-- (A) fraudulent schemes executed by means of a computer system or network; (B) the unlawful damaging, destroying, altering, deleting, removing of computer software, or data contained in a computer, computer system, computer program, or computer network; or (C) the unlawful interference with the operation of or denial of access to a computer, computer program, computer system, or computer network; (2) an assessment of the State and local resource needs, including criminal justice resources being devoted to the investigation and enforcement of computer crime laws; and (3) a plan for coordinating the programs funded under this section with other federally funded technical assistant and training programs, including directly funded local programs such as the Local Law Enforcement Block Grant program (described under the heading ``Violent Crime Reduction Programs, State and Local Law Enforcement Assistance'' of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 (Public Law 105-119)). (d) Matching Funds.--The Federal share of a grant received under this section may not exceed 90 percent of the total cost of a program or proposal funded under this section unless the Attorney General waives, wholly or in part, the requirements of this subsection. (e) Authorization of Appropriations.-- (1) In general.--There is authorized to be appropriated to carry out this section $25,000,000 for each of fiscal years 2000 through 2003. (2) Limitations.--Of the amount made available to carry out this section in any fiscal year not more than 3 percent may be used by the Attorney General for salaries and administrative expenses. (3) Minimum amount.--Unless all eligible applications submitted by any State or units of local government within a State for a grant under this section have been funded, the State, together with grantees within the State (other than Indian tribes), shall be allocated in each fiscal year under this section not less than 0.75 percent of the total amount appropriated in the fiscal year for grants pursuant to this section, except that the United States Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands each shall be allocated 0.25 percent. (f) Grants to Indian Tribes.--Notwithstanding any other provision of this section, the Attorney General may use amounts made available under this section to make grants to Indian tribes for use in accordance with this section. ______