[Senate Hearing 106-839]
[From the U.S. Government Publishing Office]
S. Hrg. 106-839
CYBER ATTACKS: REMOVING ROADBLOCKS TO INVESTIGATION AND INFORMATION
SHARING
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
AND GOVERNMENT INFORMATION
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
on
EXAMINING THE INCIDENCE OF CYBER ATTACKS ON THE NATION'S INFORMATION
SYSTEMS, FOCUSING ON REMOVING ROADBLOCKS TO INVESTIGATION AND
INFORMATION SHARING
__________
MARCH 28, 2000
__________
Serial No. J-106-72
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
69-358 CC WASHINGTON : 2001
COMMITTEE ON THE JUDICIARY
ORRIN G. HATCH, Utah, Chairman
STROM THURMOND, South Carolina PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire
Manus Cooney, Chief Counsel and Staff Director
Bruce A. Cohen, Minority Chief Counsel
______
Subcommittee on Technology, Terrorism, and Government Information
JON KYL, Arizona, Chairman
ORRIN G. HATCH, Utah DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio HERBERT KOHL, Wisconsin
Stephen Higgins, Chief Counsel
Neil Quinter, Minority Chief Counsel and Staff Director
(ii)
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Page
Kyl, Hon. Jon, U.S. Senator from the State of Arizona............ 1
Feinstein, Hon. Dianne, U.S. Senator from the State of California 3
Schumer, Hon. Charles E., U.S. Senator from the State of New York 4
Leahy, Hon. Patrick J., U.S. Senator from the State of Vermont... 20
CHRONOLOGICAL LIST OF WITNESSES
Statement of Hon. Louis J. Freeh. Director, Federal Bureau of
Investigation, Washington, DC.................................. 7
Panel consisting of Richard D. Pethia, director, Computer
Emergency Response Team Centers, Software Engineering
Institute, Carnegie Mellon University, Pittsburgh, PA; and
Harris N. Miller, president, Information Technology Association
of America, Arlington, VA...................................... 35
ALPHABETICAL LIST AND MATERIAL SUBMITTED
Freeh, Louis J.:
Testimony.................................................... 7
Prepared statement........................................... 25
Miller, Harris N.:
Testimony.................................................... 46
Prepared statement........................................... 49
Pethia, Richard D.:
Testimony.................................................... 35
Prepared statement........................................... 38
Schumer, Hon. Charles E.: Letter from the Grand Lodge, Fraternal
Order of Police to Senator Schumer, dated Mar. 16, 2000........ 6
APPENDIX
Questions and Answers
Responses of Louis J. Freeh to Questions from Senators:
Kyl.......................................................... 61
Feinstein.................................................... 66
Grassley..................................................... 70
Leahy........................................................ 75
CYBER ATTACKS: REMOVING ROADBLOCKS TO INVESTIGATION AND INFORMATION
SHARING
----------
TUESDAY, MARCH 28, 2000
U.S. Senate,
Subcommittee on Technology, Terrorism,
and Government Information,
Committee on the Judiciary,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:03 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Jon Kyl
(chairman of the subcommittee) presiding.
Also present: Senators Grassley, Feinstein, Schumer, and
Bennett [ex officio.]
OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE
STATE OF ARIZONA
Senator Kyl. The subcommittee will please come to order.
Let me first welcome everyone to this hearing of the
Subcommittee on Technology, Terrorism, and Government
Information.
Today, we will examine various roadblocks to the protection
of our information systems from cyber attack. Using the recent
denial of service attacks as a backdrop, we will discuss some
of the things that inhibit swift investigation and prosecution
of cyber crimes, and the sharing of vulnerability and threat
information among the private sector and with organizations
affiliated with the Federal Government.
This is the sixth public hearing we have held in the past 3
years on the critical issue of securing our Nation's
information infrastructure. The issue is now beginning to
receive national attention.
The latest attacks on eight well-known Internet sites like
eBay, Yahoo and CNN raised public awareness and hopefully will
serve as a wakeup call about the need to protect our critical
computer networks. Uncertainty caused by the attacks
contributed to a 258-point drop in the Dow Jones Industrial
Average and halted a string of 3 days of consecutive record-
high closes of the technology-laden Nasdaq Composite Index.
As the New York Times noted in an editorial, ``Just when
Americans have begun to get accustomed to the pervasive
influence of the Internet, a wave of anonymous assaults on Web
sites has roiled the stability of the newly emerging cyber
world.'' What the Times didn't say was that although disruption
to these sites was substantial, the damage did not even
approach what it could have been, based on the Internet's known
vulnerabilities.
Catching and punishing those who commit cyber crimes is
essential for deterring future attacks. When a cyber attack
occurs, it is not initially apparent whether the perpetrator is
a mischievous teenager, a professional hacker, a terrorist
group, or even a hostile nation. Law enforcement must be
equipped with the resources and the authorities necessary to
swiftly trace a cyber attack back to its source and
appropriately prosecute.
Today, we will discuss some impediments to law enforcement
in cyber space and how the bill that I recently introduced with
Senator Schumer would remove some of these impediments. In
particular, the bill would modify the trap and trace authority
so that law enforcement will no longer need to obtain a warrant
in every jurisdiction through which a cyber attack traveled. It
will also remove the current $5,000 minimum in damages for a
case to be considered for Federal prosecution, and it will
remove the current 6-month minimum sentence for cyber crimes
that frankly has led to lesser serious attacks not being
prosecuted, and finally allows youths 15 or older to be
considered for Federal prosecution for committing serious
computer crimes.
The recent attacks also illustrated one crucial point that
must be understood when dealing with securing the information
infrastructure. We are only as strong as our weakest link. If
only one sector of society heeds warnings and fixes computer
vulnerabilities, that is not enough. The cyber criminal,
terrorist, or enemy nation will search for another sector that
has ignored warnings and not used proper computer security.
The February denial of service attackers first infected
university computers with programs and then launched massive
amounts of invalid inquiries to the victims, shutting them
down. Computer capacity is increasing so rapidly that
individuals with personal computers at home and work can now be
used for similar types of attacks. We must examine the best way
to secure all parts of our information infrastructure from
attack. In order to do that, all individuals, businesses, and
agencies with computer must get serious about security.
Last fall, Carnegie Mellon University's Computer Emergency
Response Team posted warnings about these types of denial of
service attacks. The FBI's National Infrastructure Protection
Center, NIPC, also posted warnings and even provided a tool for
anyone to download to check to see if their system was infected
with the attack program. Many people heeded those warnings and
used the tool, but not enough to prevent the attacks from
occurring. We need to encourage and perhaps even consider some
kind of mandate to individuals and systems administrators to
tap into the resources available to ensure their own security
and that of others connected to the Internet.
Finally, overall protection from attack necessitates that
information about cyber vulnerabilities, threats and attacks be
communicated among companies and with government agencies.
Cooperation among competitors, while adhering to underlying
antitrust laws, is necessary to create information sharing and
analysis centers in each portion of the private sector.
Additionally, the Freedom of Information Act may need to be
updated to encourage companies to share information with the
Federal Government. Communication is crucial for protection and
these roadblocks must be removed.
Our witnesses today are well suited to address these
issues. Director Louis Freeh of the FBI will discuss
limitations to effective investigation and prosecution of cyber
crimes under current law. He will explain how the Schumer-Kyl
bill brings some provisions of current law into the computer
age.
On our second panel, Mr. Rich Pethia, Director of the
Computer Emergency Response Team at the Carnegie Mellon
University, will testify about CERT's role in analysis of
computer vulnerabilities and better ways of getting the word
out and ensuring that warnings are heeded.
Mr. Harris Miller, president of the Information Technology
Association of America, will present industry's perspective on
impediments to information sharing of threats and
vulnerabilities among private sector companies and government
agencies.
Before we hear from the witnesses, I would now like to turn
to Senator Feinstein for any opening remarks that she would
like to make.
STATEMENT OF HON. DIANNE FEINSTEIN, A U.S. SENATOR FROM THE
STATE OF CALIFORNIA
Senator Feinstein. Thank you very much, Mr. Chairman, and
thanks for holding these hearings.
Welcome, Director Freeh, it is good to see you again.
The recent distributed denial of service attacks on Yahoo,
eBay, E*Trade, CNN and Amazon, I think, have brought home how
vulnerable the Internet is to electronic sabotage. Indeed, as
our first witness well knows, even the FBI's own website was
brought down last month by denial of service attack.
These attacks have not only disrupted electronic commerce,
but have also had a debilitating effect on public confidence in
the Internet. A recent poll by PC Data Online, for example,
showed that the attacks caused 37 percent of Internet users to
change their mind about the vulnerability of the Internet.
Moreover, over half of these users said that attacks had caused
them to alter their online behavior, with more than 80 percent
saying that they would be less likely to shop over the Internet
in the future.
These attacks really shouldn't have been a surprise to
anyone. Long before the attacks occurred last February, the
FBI, the National Institute of Standards and Technology, and
Carnegie Mellon's Emergency Response Team Center had all issued
alerts and even provided filtering or detection tools to help
prevent the attacks. Unfortunately, however, many companies
have not received these alerts or have ignored them.
We may not be able to prevent denial of service attacks
completely, but we must explore ways to encourage industry and
government to share information to prevent such attacks. We
must also look into means of removing obstacles to investigate
and prosecute perpetrators of these attacks.
I hope the hearings this subcommittee has been having will
help us better understand the nature of cyber attacks and
suggest possible legislative or private sector solutions to
remove these obstacles, and also to suggest deterrent actions
and comment on whether our penalty structure is, in fact,
adequate. I also hope that the hearings will raise the profile
of the problem of cyber attacks, encouraging people to take
precautions to prevent their computers from being hijacked or
part of a DDOS attack, and if they run a website, to look into
filtering or detection technology to stop DDOS attacks when
they occur.
So thanks very much, Mr. Chairman, and I look forward to
working with you on this issue.
Senator Kyl. Thank you, Senator Feinstein.
Senator Grassley, do you have any opening remarks?
Senator Grassley. No.
Senator Kyl. Senator Schumer, incidentally I am not sure
you were here when I referred to the Schumer-Kyl bill, a
strange phenomenon in Washington.
Senator Feinstein. In that order, too.
Senator Kyl. But I did that in recognition of your
leadership in helping to put it together.
STATEMENT OF HON. CHARLES E. SCHUMER, A U.S. SENATOR FROM THE
STATE OF NEW YORK
Senator Schumer. Well, I thank you, Mr. Chairman, and I was
going to thank you for that generosity. In fact, we were in a
meeting on the asset forfeiture bill and Henry Hyde, when I
walked into the room, said--when I was subcommittee chairman,
he came up to me and said there was a great idea about dealing
with children who were transported across State lines. And Hyde
said to me, well, you carry the bill and I will cosponsor it
and we will move it, because that is how things were done in
the House. And I said to Henry, why don't you carry it and I
will cosponsor it? And he said when he became chairman, that is
why he always treated me so well on the committee.
So I thank you. It is returning of a good deed, and I know
you wouldn't wish this, Mr. Chairman, but if I ever become
chairman of this subcommittee, I will repay the favor many
times over. I also want to thank you for your leadership on
this subcommittee and in so many different areas where we do
work together, particularly in areas like this involving crime
and terrorism and things like that.
I also want to thank Director Freeh for being here, as well
as our other witnesses, and would ask that my entire statement
be put in the record.
We all know, as Senator Feinstein mentioned, last month's
denial of service attacks on companies like Amazon.com and
ZDNet underscore the new threats to our security and our
economy that are posed by online crime in an increasingly
networked society. These DOS attacks show how easy it is to
break into the country's most prized computer networks and how
hamstrung law enforcement can be in apprehending them.
To me, the problem is threefold. First, most computer
systems are not secure, and security was a relatively low
priority in the development of computer software and Internet
systems. I hope and believe that is changing.
Second, hacking is sometimes still considered more of a
prank than a crime, even though hacking can cost billions of
dollars to the economy.
And, third, our laws, even our computer laws, are set up
for a world that travels at subsonic speed, while hacking
crimes move at the speed of light.
Now, we can't solve all of these problems through
legislation or government action. The private sector has to
take the lead, and while government can provide some help with
research and a market for secure systems by purchasing only
hackproof computers and software, we all know that private
companies have to take the lead in making systems more secure.
What Senator Kyl and I are trying to do here is make it
possible for law enforcement to catch hackers in the act by
modernizing our laws, making the crime of hacking a more
serious offense befitting the serious damage that it can cause.
I have also become convinced that many of the best
solutions are far-reaching and require, among other things,
significant cooperation from foreign governments. We shouldn't
fool ourselves into thinking Congress alone can solve this
problem even from a law enforcement perspective and that we can
do it right away.
So last month Senator Kyl and I introduced the Schumer-Kyl,
for which I thank you again, high-tech crime bill, S. 2092,
that for the first time provides law enforcement with
nationwide trap and trace authority. As you know, Mr. Chairman,
under current law investigators who are trying to track a
hacker must obtain a trap and trace order in each jurisdiction
through which an electronic communication is made.
For example, to trace an online communication between two
cyber terrorists that starts at a computer in New York, goes
through a server in New Jersey, bounces off a computer in
Wisconsin, and then ends up in San Francisco, under current law
investigators are forced to go to court in each jurisdiction
permitting the trace. And if one court slows them down, they
are way behind the eight ball.
What our bill does is amend current law to authorize the
issuance of a single order to completely trace online
communications to its source, regardless of how many
intermediary sites it passes through. Law enforcement still
must meet the same burden to obtain such an order. The only
difference is they don't have to repeat the process over and
over again.
Our bill, as you may have mentioned, Mr. Chairman, also
makes several other changes. One deficiency of the present law
is its requirement of proof of damages in excess of $5,000. In
several cases, prosecutors have found that while computer
intruders had attempted to harm computers vital to our critical
infrastructure, it was very difficult to prove the $5,000 in
damages. Our legislation unambiguously permits Federal
jurisdiction at the outset of an unauthorized intrusion into
critical infrastructure systems rather than having
investigations wait for any damage assessment. Crimes that
exceed $5,000 will be prosecuted as felonies, and crimes below
that amount will be defined as misdemeanors. Those are the two
main provisions of the bill.
Just finally, Mr. Chairman, I would like to note and add to
the record a letter received from the Fraternal Order of Police
supporting our bill, which described these provisions as
important changes to existing law which will empower law
enforcement to deal appropriately with the new computer
criminal.
Mr. Chairman, in conclusion, the creation of a more secure
environment in cyberspace is good for everyone but criminals.
The denial of service attacks have boosted the prominence of
the issue, but the real key will be whether we can come up with
appropriate solutions that will deter and punish crime without
impinging on the rights of individuals and without slowing down
the booming growth of the Internet.
Again, I thank you for holding these hearings. I know how
deeply you care about these issues and I hope we will continue
to work closely together on many more of them.
[The above mentioned letter follows:]
Grand Lodge, Fraternal Order of Police,
Legislative Office,
Washington, DC, March 16, 2000.
The Hon. Charles E. Schumer,
U.S. Senate, Washington, DC.
Dear Senator Schumer, I am writing this letter on behalf of the
more than 285,000 members of the Fraternal Order of Police to advise
you of our support for S. 2092. This legislation aims to help law
enforcement fight high tech computer crime by amending Federal law.
Computers and high tech gadgetry are the newest tools of today's
criminal, and law enforcement has not kept pace with the latest
advances in crime. Your legislation will provide law enforcement with
nationwide trap and trace authority, obviating the need to obtain a tap
and trace order in each jurisdiction through which an electronic
communication is made. Current technology, which can bounce electronic
messages all around the world, often makes this an impossible task.
This bill would reduce the requirement to a single order, allowing law
enforcement to completely trace the communication to its source.
Currently law requires proof of damages in excess of $5,000 before
Federal jurisdiction can be asserted. Your bill would amend the
Computer Fraud and Abuse Act, allowing Federal prosecution of criminals
from the outset--without having to wait for an assessment as to the
amount of the damage inflicted. Any unauthorized, intrusion into
critical infrastructure systems pose a significant risk to public
safety and should be handled expeditiously as serious crimes.
This legislation also modifies an earlier directive to the
sentencing commission, which required a six month mandatory prison
sentence for certain violations of 18 U.S.C. 1030. While the F.O.P.
believes all violations should be punished, the sentence requirement
applies to some misdemeanor charges, even when the attack caused no
damage. For this reason, prosecutors are often reluctant to bring any
charges. The bill also amends section 1030 to give Federal law
enforcement authorities the power to investigate and prosecute juvenile
offenders for computer crimes when the. U.S. Attorney General certifies
that such prosecution is appropriate.
These are modest but important changes to existing, law which will
empower law enforcement to deal appropriately with the new computer
criminal. I would like to commend for your leadership on this important
issue and look forward to working with you and your staff to get this
bill passed. If I can be of any further assistance, please do not
hesitate to contact me or Executive Director Jim Pasco at my Washington
office.
Sincerely,
Gilbert G. Gallegos,
National President.
Senator Kyl. Thank you very much, Senator Schumer.
Our first witness today, as I said, is Louis Freeh, the
Director of the Federal Bureau of Investigation. He is the
principal administration official responsible for coordinating
Federal law enforcement's efforts to protect our Nation's
critical information infrastructure. This coordination takes
place at the National Infrastructure Protection Center, or
NIPC.
Director Freeh, we will place your full written statement
in the record and invite you to make any summary remarks you
would like at this time. We are honored to have you here.
STATEMENT OF HON. LOUIS J. FREEH, DIRECTOR, FEDERAL BUREAU OF
INVESTIGATION, WASHINGTON, DC
Mr. Freeh. Thank you very much, Mr. Chairman, Senator
Feinstein, and Senators Schumer and Grassley. It is a pleasure
and a privilege to be here before you. I can't think of a more
timely and more critical inquiry for this Congress and for this
country than all of the issues which you have collectively and
correctly identified. Let me also thank you, Senator Kyl,
Senator Feinstein, and Senator Schumer, for your leadership in
this area.
A couple of points I would like to make, if I might,
please, and you have a much more detailed statement for the
record. I think Senator Schumer's point deserves some
repetition. We are in a period of extraordinary change. We had
a presentation given to my senior staff last week by the senior
vice president of the largest manufacturer of technical
computer equipment in the world, and what he said was that
their company is now on an 18-month cycle of change; that is,
every 18 months not only their equipment but the networks that
support it and the corresponding infrastructures are changing,
which means getting ready for the next 18 months is too late to
prepare for these changes.
The FBI agents who are graduating from our academy now, in
addition to receiving their firearms and their badge and
credentials, receive a laptop computer. It is symptomatic of
the venues in which they are going to work, a place and time of
extraordinary change.
And if I could just, by illustration, give a couple of
examples--some of them you know well--a subject in Russia, in
St. Petersburg, using a laptop computer breaks into the largest
U.S. bank, moves $10 million out of other people's accounts
into his own accounts before the bank or anyone else is aware
of that particular movement; $400,000 is lost. Thanks to our
liaison in Russia and the United Kingdom--Senator, you
mentioned the necessity of foreign cooperation--we were able to
deal with that and resolve the matter.
Another individual in Sweden, 17 years old, breaks into
Florida networks and shuts down 911 systems in a series of
towns, depriving people of public safety as well as basic
ambulatory concerns.
Three weeks ago, our office in New Haven notices on an
Internet bulletin board the following statement made by an
unidentified subscriber, ``Sometimes I feel like shooting up my
school.'' The office in New Haven communicated that information
back to our headquarters. Working with the tools and abilities
that you have given us and the legal authorities that we have,
we traced the message and messenger back to a small town in
Canada. Using our liaison with our Canadian authorities, they
seek out under their own laws and find and interview a 14-year-
old subject who says, among other things, that he has access to
explosives. They do, in fact, find dynamite, firearms, and in
the words of the Canadian authorities, this particular
situation was very, very grave and discovered by using tools
and using expertise transferred to an area of great change.
We have, since 1998, as you probably know, doubled the
number of computer intrusion cases worked and opened in the
FBI, from 547 to 1,154. In some of the areas where we work in
cyber crime, such as the Innocent Images project which, as you
know, is a project devoted to identifying and apprehending
pedophiles who use the Internet not just to send child
pornography, but more egregiously make arrangements directly
with minors all over the world to meet them for illicit sexual
purposes and travel interstate, violating our Federal statutes
in that process, 497 new cases opened just in 1999, 193
arrests, 108 convictions, one typical area where, again, the
people in the FBI, using these tools and resources, are dealing
with a completely new phenomenon.
The National Infrastructure Protection Center, as you
noted, Mr. Chairman, opened in February 1998. We have
experienced a 39-percent increase in pending cases just in the
computer intrusion area. A few days ago, the Computer Security
Institute released its fifth annual Computer Crime and Security
Survey. Ninety percent of its respondents report intrusions in
the last 12 months, 74 percent reporting theft of property,
intellectual information, commissions of intellectual property
theft, financial fraud to the tune of $56 million, information
theft to the tune of $68 million.
We are looking at the entire menu of computer crime,
including the hacking phenomenon. We find that most of the
unauthorized access cases are, in fact, done by insiders in
companies, universities, government agencies. Seventy-one
percent of the unauthorized access cases are committed, in
fact, by insiders.
We had in 1997 a case where an individual who was
disgruntled shut down the Forbes, Incorporated, computer
systems for several days, causing extensive damage. In January
and February 1999, the National Library of Medicine computer
system which is relied upon by hundreds of thousands of doctors
and medical professionals around the world was shut down again
due to the sabotage of an insider. The FBI investigation
identified the subject who was convicted in December.
With respect to the hacker phenomenon, several of you have
mentioned the February 7 attacks, which demonstrated really the
ease and the availability of such a devastating attack done
still by very, very difficult and complex means, subject to the
investigation that we are now trying to use to unravel it.
Politically-motivated attacks are also a large phenomenon.
We have seen that, as you mentioned, Senator, in the Department
of Justice, at the FBI, in fact. We have seen it at numerous
companies and institutions all across the United States. The
virus writers have also been an instrumental part of this
comprehensive compromise of computer systems and networks. The
Melissa Macro Virus case is a very, very good example of that.
That investigation began with the virus spreading into our
country's computer networks.
The Infrastructure Protection Center sent out warnings as
soon as we had solid information about the virus and its
impacts. These warnings, in fact, helped to alert the public
and reduce the potential destructive impact of the virus. We
received a tip from the New Jersey State Police, which in turn
received a tip from America Online, and that followup resulted
in the arrest of a subject, David Smith, on April 1, 1999, who
has pled guilty and stipulated to actions which affected 1
million computer systems, causing $80 million in damages, and
that is typical of the potential damage in these types of
cases.
With respect to criminal groups, a whole separate sub-
category of computer crime and hacking activities. We saw in
the Phonemasters case, which was an FBI case worked last year,
the ability of a small group of technically sophisticated
criminals penetrating computer systems at MCI, Sprint, AT&T,
Equifax, and even our own National Crime Information Center.
Under judicially-approved electronic surveillance orders,
our office in Dallas was able to use intercept technology to
monitor their calling activity, unravel their network, and was
able finally to result in arrests and prosecutions. The
methodology used by this group was called dumpster diving,
gathering old phone books and technical manuals for computer
systems and using that information then to break into the
victims' systems--old-fashioned tools used in a new
environment. I mentioned the Levin case, which was the theft
and movement of $10 million out of our largest U.S. bank
resulting in a loss of over $400,000.
We have seen terrorists using this technology and this
venue to launch attacks. The Director of the Central
Intelligence Agency testified recently that terrorist groups,
including Hizbollah, Hamas, the Abu Nidal organization and, of
course, Bin Laden's Qa'ida organization, are using computerized
files, e-mail, and encryption to support their operations.
In the prosecution of Ramzi Yousef, who was convicted for
the attack against the World Trade Center, as well as a plan to
blow up American airliners in the Western Pacific, part of his
very detailed plans to destroy those airliners was found on a
laptop computer he used in the Philippines which was in an
encrypted file and it made it very, very difficult to retrieve.
Foreign intelligence services are using this particular
technology very effectively against the United States as well
as our friends. The whole information warfare area which is
being worked on by not just the FBI but our Department of
Defense and the entire Government, as well as the governments
of our allies, presents whole new challenges to national
security. Internet fraud and all of the other aspects of this
technology are becoming much more challenging than anybody
contemplated a very short time ago.
We have taken some steps to deal with these issues and give
us the ability to remain competent in this area. The one point
I would like to make, echoing Senator Schumer remarks, is
although we are in a period of extraordinary change and
challenge with respect to technology, we are not asking for
extraordinary powers. We are not asking for any more
authorities than are currently contemplated under the
Constitution and the Bill of Rights.
What we would like to do is maintain the balance that the
Framers struck in 1792 when the fourth amendment was passed,
which means that the expectation and the privacy of people in
their homes and papers has to be secure, has to be paramount.
But that privacy can be breached when a neutral and detached
magistrate finds by probable cause that a person or the place
the person is using is committing a crime or about to commit a
crime, and the constable on that finding is allowed to use
authorized powers and authorities to protect public safety and
enforce the laws.
We are seeking to maintain that balance and those
authorities in a very complex and a very changing environment,
but we are not asking for extraordinary powers. Indeed, nothing
in the Schumer-Kyl bill does anything except keep us really at
pace with these enormous and phenomenal changes.
We are working very closely with the private sector. This
is a key area of our success. As you have mentioned, a lot of
the response and a lot of the responsibility for dealing with
these issues will fall to the private sector, the potential
victims of many of these crimes.
I spoke very recently to the head of one of the largest
police organizations in the world outside the United States and
what he told me was somewhat sobering. He said that they did
not have within his organization, a very sophisticated police
organization, the means to do forensic computer investigations,
analysis, and warning. And when the national companies were
coming to him asking for help, he would say to them, ``You go
conduct the investigation, bring us the results, and then we
will look at it in terms of making a prosecution decision or a
charging decision.''
I think that is a very bad policy for a government, and I
think that it is incumbent upon the law enforcement authorities
to have the capability and the competence to conduct those
investigations under our authorities and to make the decisions
and initiate work that will allow us to protect people and
business in this critical area.
We should not be relegated to using contractors outside the
Government for the basic investigative competence that we need,
which is one of the reasons we have partnered, for instance,
with the National White Collar Crime Center to set up an
Internet fraud complaints center, which is an online complaints
center where we can receive from the public and from industry
complaints, referrals, and then make sure that if it is not a
matter to be worked by the Federal Government or the FBI, we
can delegate that to the State and local authorities that have
that responsibility. We should be open and fully operational by
May 8 of this year.
With respect to the distributed denial of service attacks,
again, those are cases of immense importance to the country and
to the FBI. We have a number of our major field offices
directly and completely engaged in that investigation,
coordinated by the National Infrastructure Protection Center
back in Washington.
We are asking to set up an intellectual property protection
center which would be partnered between the FBI and the Customs
Service to again provide another channel for dealing with these
complaints and effectively discharging our responsibilities in
terms of investigations.
With respect to the legal authorities, you have all
commented very eloquently on the aspects of the current state
of the law which are impeding us and those very modest changes
which would give us the advantages of technology to fight
technology-type crimes. The jurisdictional limit with respect
to the pen registers is obviously a critical aspect of that
modification.
It wouldn't make any sense, particularly in a Federal
system, to go from State to State or county to county following
a fugitive, getting a new fugitive warrant in each of those
jurisdictions as the fugitive transitted the United States. We
would have one Federal warrant and that would be good and
viable in any parts of the U.S. jurisdiction where that person
could be found or could be located.
With respect to pen registers and trap and trace orders,
again I think the technology certainly was not contemplated
under the current authorities, and that is, I think, a very
modest but very critical improvement that would give us the
ability to pursue things.
With respect to the damage limit, I think aggregating the
damages and not looking for one single instance of a $5,000
limitation will greatly improve our ability. The use of
administrative subpoenas, as we have found in other cases,
particularly the health fraud cases, would give us the ability,
under the supervision of the U.S. Attorneys' Offices, to
conduct inquiries in a much more efficient manner, and one
which is particularly suitable to cyberspace and crimes
involving computers as well as the Internet.
The other aspects of the bill, I think, are not only
prudent but necessary if we are to have a viable and effective
response to what is a huge proliferation in hacking cases and
crimes generally committed using the Internet and using the
facilities of computers. We believe that these are modest
changes not giving us any extraordinary powers, but giving us,
we think, the power and the ability to remain effective and
remain competent.
With respect to the other matters that the committee has
been looking at in the context of that bill, again I want to
just commend you, Mr. Chairman and the members of this
committee, for your leadership in this area. We need to strive
particularly in the years ahead to maintain our competence and
our capability in an area which is changing faster than anybody
contemplated a short time ago. So I very much appreciate your
time and your attention and your leadership here, as well as
the availability of this forum to discuss these very important
issues.
Thank you.
Senator Kyl. Thank you very much, Director Freeh. There is
much in your written statement that you haven't commented on
orally, but you noted many other examples in your written
statement of attacks on our information infrastructure in a
whole variety of situations and those bear our attention as
well.
You noted, for example, that a Kevin Mitnick evaded
attempts to trace his calls by moving around the country and by
using cellular telephones which routed calls through multiple
carriers on their way to a final destination, and it was
impossible to get orders in each of those places quickly enough
in order to trace the calls. So it is not as if people who are
intending to violate the law don't understand fully the hoops
that the law enforcement people have to jump through in order
to trace them.
Let me just begin by asking you a question about resources.
Attorney General Reno testified earlier this year that the
Administration was requesting $37 million in funding
enhancements for cyber crime prosecution and investigation. But
given the increasing workload that you face that you have
testified to here today, is this funding level sufficient, or
should Congress look to increase this level in the annual
funding bills that we are going to be debating soon?
Mr. Freeh. I think it is a good initiative and a good
start, but not adequate to deal with the comprehensive nature
of this problem, as well as the accelerated growth. For
instance, part of that funding which is very, very critical for
us is an increase by 100 of our computer examiners; we call
them our card examiners. These are the men and women in the FBI
who go to the hard drives, who extract forensically evidence
and maintain it in a way that is presentable in a court of law.
The number of examinations have gone from 1,800 a year ago
to what we estimate next year will be 6,000 examinations. Half
of our cases now routinely have computer examination
requirements, and that is likely to accelerate. But the total
package that you refer to does not begin to address the
National Infrastructure Protection Center enhancements, issues
regarding encryption, issues regarding computer squads, 16 of
them now active throughout the FBI, Los Angeles, CA, being an
example, but squads which are now in huge demand not just in
the FBI but on State and local requests.
We spoke before the hearing, Senator Feinstein and I, about
an initiative which we put forward in San Diego which was the
first establishment of a computer forensic lab which is staffed
not just by FBI examiners but by State and local scientists.
And the reason for that is quite simple. First, to bring
everything back to Washington for examination just doesn't make
any sense, particularly in an electronic age dealing with
electronic evidence.
Second, it is important that we begin to grow and cultivate
State and local expertise in these areas. The laboratory in San
Diego was stood up at a very, very modest cost, but gives
tremendous capability to the law enforcement community, not
just the Federal community, in that area. There is a whole
bunch of other places around the country where this is in huge
demand, and those are some of the resources that could
certainly be well used.
Senator Kyl. Thank you very much. Senator Feinstein notes
that the air conditioning here is obviously not working. If you
would like to shed your jacket, as I did, you are welcome to do
that. I know you are very warm.
Let me just ask you one other question, in deference to the
other people who are on the dais, and I note that Senator
Bennett from Utah has joined us. Senator Bennett, of course,
chaired the Y2K Committee and has maintained his leadership as
one of the people called upon by our leadership to coordinate
efforts of the various committees with jurisdiction to deal
with the variety of issues that we are facing. I am glad,
Senator Bennett, that you have joined us here.
Director Freeh, in your testimony you noted your desire for
the FBI to have the authority to issue administrative
subpoenas. As I noted earlier, companies are reluctant to share
information on cyber crimes with law enforcement officials
because public disclosure of such intrusions could lead to lost
sales and a decline in a company's stock price.
What checks and balances would be used to ensure that
information acquired through administrative subpoenas would
remain confidential and that such subpoena power would not be
abused by the FBI?
Mr. Freeh. Several things, Mr. Chairman. First of all, a
lot of the information that would be obtained from
administrative subpoenas would be part and parcel of the
criminal investigation, which would also in most cases at least
at a certain stage become part of a grand jury process. The
administrative subpoena process would be ancillary to, in most
cases, a grand jury process, which would give it adequate
secrecy and afford confidentiality.
The discovery of that particular material, at least in
terms of litigation or prosecution, would really be equivalent
to any information or testimony actually taken in a grand jury.
The same discovery process under rule 16 would have to occur.
Protective orders could be sought and routinely would be sought
during that discovery process.
It would have the protections of the Privacy Act and the
Freedom of Information Act. So, that information would be used
in a confidential manner ancillary to a criminal inquiry and in
many cases would become part and parcel of a grand jury. It
would be supervised and controlled by the U.S. attorney and the
availability of that information, in my view, is limited in
many respects as the grand jury information.
Senator Kyl. I think that is an extremely important point
because there is some reluctance on the part of some people in
the private sector to acknowledge intrusions into their systems
and to share information with law enforcement because of their
fear that this could hurt them commercially.
My own view is that they need to understand that the
involvement of law enforcement is their biggest protection, for
precisely the reason that you just noted. Once it is in that
context, the information can, in fact, be protected from public
disclosure, in the interest of that commercial enterprise, and
also in the interest of the prosecution. So I think this is an
important point for all of us to stress as we urge greater
cooperation with the private sector and our law enforcement.
Mr. Freeh. Senator, I might also mention that under the
Economic Espionage Act which this Congress passed in 1996,
there are particular and specific provisions for
confidentiality in the process of a criminal prosecution or
discovery. That is very important for corporations to
understand because if their proprietary information is at risk
or in some cases has been taken, of course, there is a
corporate fear, as there should be, that reporting that to the
FBI is going to make matters worse because the trade secret is
going to become disclosed in the course of the investigation.
But that statute, the economic espionage statute,
particularly, even beyond the grand jury protections of rule
6(e), gives specific and court-ordered protection to those
trade secrets so they are not compromised in the course of a
prosecution, and we pay very, very close attention to that.
Senator Kyl. A very, very important point.
Senator Feinstein.
Senator Feinstein. Thanks very much, Mr. Chairman.
Mr. Freeh, in your written remarks you mention that
technology has moved so fast and yet our laws have not been
able to keep up with that technology. You point out on page 9
that you are working with Justice to propose a legislative
package for our review to keep laws in step. I wanted to ask
you when that would be ready.
You also point out that the FBI does not have the authority
to issue administrative subpoenas while conducting
investigations involving Internet fraud, and you detail why an
administrative subpoena would be useful and also protect due
process of law. You also point out that many laws were not
drafted in a technologically neutral way and don't make a lot
of sense, and that goes into the pen register trap and trace
statutes, et cetera, et cetera.
When will you have that package ready? I was looking at
some of the sentences in the cases, particularly the
Phonemasters case as well as the St. Petersburg case. I mean,
really, this is major robbery--well, it is not robbery because
I guess it is not a crime against a person. But you have $10
million thefts that occur, with a lot of criminal conspiracy,
and yet individuals will get in terms of a sentence maybe just
3 years.
Are you looking at a revision of the codes with respect to
this, and when will your recommendations be available?
Mr. Freeh. Senator, I will get back to you, if I might, on
the date. I know this is a matter being worked not only by the
Department of Justice but we have certainly contributed some
input to that.
My view is--and I have testified about this before--that
the penalties really need to be reviewed, and reviewed exactly
along the lines that you suggest in your question. Under the
racketeering statute which is used, I think, very judiciously
by the Government in a criminal context, two acts of mail or
wire fraud could constitute under the appropriate circumstances
an enterprise engaged in racketeering activity, which would
then make the convicted subjects eligible to very severe
penalties--20 years in prison, forfeitures, damages, et cetera,
et cetera.
If you overlay that set of requirements with the type of
cases that we have seen here and cases where literally you
could crash not only a number of Internet companies but cause
millions of dollars in damages, and you could crash power
grids, hospital records, and actually cause great injury or
death or extreme damage to individuals or property, I think
again the statutes that are drafted with a 3- to 5-year penalty
in mind just don't contemplate, nor could they when they were
enacted, I think, the scope and the potential of the damage.
So I think that that is a fair matter for the Congress to
review and I think, as with the racketeering statute, you can
set guidelines and requirements, including specific Department
of Justice review procedures, so this is not used willy-nilly.
This is not something that I am suggesting should be used in
even routine or
nonroutine hacking cases. But it occurs to me, given some of
the matters that we are looking at, that there is an area of
extreme damage and threat here that really can't be properly or
even fairly compared with a 3- to 5-year criminal exposure.
Senator Feinstein. So in other words, what you do is amend
the predicate statutes and add some of these crimes. Having
just done this in the Gang Abatement Act in our juvenile
justice bill, and looking at a lot of predicate statutes, they
really don't relate to this. So you would have to add, I think,
those statutes to apply the RICO statutes.
Mr. Freeh. Yes, that could be done. The Congress has done
that consistently since 1968 as new crimes have become
important to deal with.
Senator Feinstein. Right.
Mr. Freeh. And I think this is a very appropriate one to
consider.
Senator Feinstein. I would be most interested in that
because I don't think our criminal statutes keep up at all with
the kind of conspiracy that is involved with this, and also the
literal power that it is to take down entire institutions. I
think that has to be taken into consideration when drafting
criminal codes.
Could you comment on the need for administrative subpoenas?
Mr. Freeh. Yes; we use them now. Let me just give you one
example where the Congress has authorized us to use them, going
back now to 1996 in the healthcare fraud area. And in that area
of investigation, it is very similar to cyber crime where huge
amounts of materials have to be reviewed, particularly logs in
the computer case; in the healthcare fraud area, literally
hundreds of thousands of records and documents.
It is very important in many cases that not just the
criminal investigators view these materials but that the
noncriminal investigators, the scientists in the healthcare
area, doctors and medical professionals, are able to get access
to that information in a very controlled setting, but to get
the information quickly, to get it comprehensively, to be able
to review very rapidly a fast-moving criminal or noncriminal
event using computers in cyberspace.
So I think what it does is it gives the Government
investigators more efficiency, more speed, without compromising
the confidentiality as well as the security that that
information would receive. But it has been used very
effectively in the healthcare area. It could probably be used
more effectively in this area because the volumes of logs that
are required to be reviewed and the number of different experts
that need to look at that, including people who are not
criminal investigators, really lends itself to an
administrative subpoena context which I think would be
appropriate here.
Senator Feinstein. Some in the industry have argued that
companies will not share information with law enforcement
regarding cyber attacks because much of the information is
proprietary and sensitive in that regard, and they are afraid
that the Government will leak or otherwise disclose that
information which would benefit competitors.
Do you support a FOIA exemption for industry, say one
prohibiting public access to information that companies provide
the National Information Protection Center regarding cyber
attacks?
Mr. Freeh. I would certainly tend to favor it in the
limited area of trade secrets, proprietary information,
intellectual property, much like my comments about the Economic
Espionage Act where that is carved out as an area that protects
things that are critical to conduct an investigation but would
be devastating economically and otherwise to the owner of that
property if it was disclosed or made publicly available. It
would defeat the purpose of the investigation, which is to
protect that property if, in fact, that process leads to the
disclosure to competitors and others of trade secrets,
legitimate intellectual property that needs to be protected. So
I would think that is a very fair and traditional area to carve
out protections for.
Senator Feinstein. Would that be part of the package that
you will submit?
Mr. Freeh. It will certainly be part of our
recommendations, but I haven't seen the final workout because
the Department of Justice has the lead in drafting that. But
let me see if I can get back to you and inform you on that.
Senator Feinstein. I appreciate that. Thank you. Thanks
very much.
Senator Kyl. Thank you, Senator Feinstein.
Senator Grassley.
Senator Grassley. Thank you, Director Freeh, for your
appearance here and, most importantly, keeping ahead of the
problems that law enforcement faces. I know with a high-tech
society it is very difficult.
I want to refer to the presidential directive that
established the National Infrastructure Protection Center. It
stated that the Center would include representatives of the
FBI, Secret Service, and other investigators experienced in
computer crimes and infrastructure protection, as well as
representatives from the Department of Defense, intelligence
community, and lead agencies.
It is my understanding, Director Freeh, that there are
about 19 agencies that were originally assigned to the NIPC as
partners with the FBI. Is it true that there are only five
agencies now remaining in the NIPC, and why are there only
five?
Mr. Freeh. We have about 11 agencies that are currently
participating with detailees, but you are correct; we do not
have all of the representation contemplated in the order. Most
importantly, we are still trying to obtain representatives from
the Department of the Treasury and the Department of Commerce,
two very key components in this sector, and that is a process
that continues. But we do have the participation of the other
agencies that I mentioned and they have been working on a full-
time basis to further the goals of that Center.
Senator Grassley. You didn't say this, but is there an
inference that you are working to get the cooperation of these
agencies, that there are turf problems or some foot-dragging on
the part of other departments and bureaucracies that ought to
be cooperating with you and aren't cooperating with you?
Mr. Freeh. I think part of it, Senator, is the high premium
that these resources have. The Department of the Treasury and
the Department of Commerce have their own computer centers,
their own obligations and requirements in terms of
investigations. So they have had trouble providing resources to
what is a brand new initiative and one which is different from
their own individual responsibilities. So we need to work
better to bring this Center to fruition.
Senator Grassley. Maybe we shouldn't assume that there
might be some sort of lack of cooperation on the part of those
departments.
Let me ask you this. If those departments were fully
cooperating with you so that all 19, or at least a larger
number of agencies would be cooperating with the NIPC, would
that be a better rallying of resources of our Government than
having the 11 agencies you have and then having 2 or 3 others
out here concerned about it in another way?
Mr. Freeh. I believe that consolidating these resources and
this expertise in one place, as the PDD you referred to
contemplated, makes the most sense because this is the Center
that not only conducts the investigations, but it is
responsible for the threat warnings. The chairman mentioned one
that was sent out last year in advance of the distributed
attacks.
It does training, it does liaison with the private sector.
It makes much more sense for a large corporate actor to hear
from one representative, from the NIPC, than from three or four
different government agencies or components. So it makes a lot
of sense to consolidate it.
Senator Grassley. Well, I know you haven't said this and I
don't want to put words in your mouth, but I think that
Congress' oversight responsibility to see that the laws are
faithfully enforced and that the mandates are carried out as
intended--that part of our oversight ought to be showing some
concern because all of these resources aren't being brought
under the same directorship. That is my statement. I am not
asking you to agree with it, but if you would say you would
agree, that would help us. It might help you, too.
Mr. Freeh. I think we have to make a better effort to
consolidate these resources and put them in one place. There is
no question but that that is a more efficient way to do what is
very difficult to do just on its own terms, but to do it
without all of the assets at one table makes it very, very
burdensome.
Senator Grassley. I want to go on now to your written
testimony and, ``The number of pending cases has increased from
39 percent, from 610 at the end of fiscal year 1998 to 834 at
the end of fiscal year 1999.'' So my question: of the 834
pending cases, what percentage are being investigated by your
partner agencies?
Mr. Freeh. I think those are the cases that are in the
Center, in the NIPC itself. So what I would say is that the--
and Mike Vatis will correct me if I am not accurate--that those
are the cases which are subject to the Center's investigation,
which is the collective effort of the agencies represented
there.
Senator Grassley. So then there might be some cases being
investigated that you wouldn't know about by the agencies that
are not cooperating under your directorship at this point?
Mr. Freeh. Yes; throughout the Government, I would assume
that there would be other matters that are not known to the
Center.
Senator Grassley. Of your 1999 pending cases, how many
would you say had a direct impact on national critical
infrastructure protection and ability to predict indications of
an attack, as compared to pending cases that are for the
purpose of monitoring for study and possible future impact on
the critical infrastructure?
Mr. Freeh. May I consult with Mr. Vatis on that?
Mr. Vatis, who is actually the director of the Center, says
that we probably don't have that breakdown for you right here,
but he thinks he can work on some analysis for you along those
lines and get it back to you quickly.
Senator Grassley. Thank you. I am done with my questioning.
Senator Kyl. Thank you, Senator Grassley.
Senator Schumer.
Senator Schumer. Thank you, Mr. Chairman, and you have
covered almost all the questions I wanted to ask. I have two,
one just elaborating a little bit on the international issue
which we both touched on.
Cyber criminals, as you know, can cruise over international
borders with complete ease, making the need for cooperation
with foreign governments on crime matters greater than they
have been in the past. I know you have been thinking about
this, as has the Department of Justice. Can you give us your
take on what holds for the future in this area? Are we talking
to other governments? What kind of cooperation are we getting?
What are the barriers, et cetera?
Mr. Freeh. We are talking to them, Senator, continuously
and very, very comprehensively. In many of the cases that I
have cited, and others which I have not cited, we would not
have been able to get out of the starting gate without the
assistance of our partners.
For instance, over the millennial periods, there were a
series of events not just in the northwest United States but in
the Mideast and even in the Far East that required the
deployment of FBI agents, FBI computer examiners, who hooked up
with our partners, liaison services in a number of different
countries that gave us direct access to computer hard drives
which in some cases were the actual plans of terrorists to
murder large numbers of Americans.
Those methods of coordination and liaison are critical
because the Internet has no sovereignty, has no boundaries, as
we all know. We work very regularly with our partners overseas.
We have had many of our liaison partners back to the United
States. We have done extensive training through the NIPC to our
foreign counterparts. They have set up similar computer
centers. The idea will be to have these centers hooked up on a
realtime basis and have standard protocols, as well as forensic
examination standards.
So this is an area that is being pressed very hard not just
by our agency but by our counterpart agencies around the world.
I just came back from a trip to the Persian Gulf and I visited
six countries there. Every one of the countries asked about
computer crimes, looking for help and assistance in conducting
investigations. We do international training to a large degree
along these particular lines. So it is a huge area of growth
and potential liaison.
Senator Schumer. So, overall, you are getting the
cooperation you need from foreign governments in this?
Mr. Freeh. Yes.
Senator Schumer. Are there any particular governments or
any regions where we are not getting that kind of cooperation,
and do you get them not only on major cases like terrorism but
on things that they might still regard as minor, such as DOS-
type invasions?
Mr. Freeh. We get them on the terrorism cases, which are
probably the most active component of that liaison. We get them
also on the financial crimes cases. The Bank of New York case,
which you are familiar with, is being worked not only by the
United States as well as Russian authorities, but there are
computer links and leads and evidence with respect to that
matter which literally go all around the world which we are
following up on. So it transcends terrorism into financial
crimes, into even organized crime and drug trafficking areas.
It has become part and parcel of what we do on a routine basis.
Senator Schumer. Any particular places, countries,
governments where you are not getting cooperation--major ones?
Mr. Freeh. Not really. On a case-by-case basis, we have
gotten extremely good cooperation.
Senator Schumer. My only other question is could you
address the problem of juveniles committing computer crimes?
Are there unique solutions we should be working on, are the
laws adequate, et cetera?
Mr. Freeh. You know, it is a very serious problem. The case
that I mentioned before, of course, involves a 14-year-old.
Many of the matters that we are currently looking at in this
area--cyber crime, the hacking cases--involve juveniles who are
very adept and in many cases surprisingly competent in the acts
that they commit and achieve.
I think what has to be done is two things. No. 1, there has
got to be a strong educational component to what we do in terms
of computer training and education. The whole notion of ethics
as well as lawfulness with respect to the computer and the
potential damage that this technology can cause in the wrong
hands has to be something which becomes regularly instructed
and part and parcel of our whole educational process, not just
for juveniles, by the way. I think that we probably do a better
job across the board in that area.
In the prevention area as well as the enforcement area, I
think looking at the number of juveniles active in this area is
going to require some adjustments or modifications, at least a
serious review of the current statutory authorities which in
most cases were written 50, 60 years ago, and the whole notion
of juveniles in this type of endeavor and activity clearly not
contemplated. So I think it is a combination of education and
also some modification of the laws because there has to be some
deterrent and some ability to achieve some results in that
area.
Senator Schumer. Would you get to us some specific--or I
guess you will have to work it through DOJ, but maybe you and
they together, some specific recommendations on juvenile issues
that are needed?
Mr. Freeh. Yes, I will.
Senator Schumer. Thank you. Thank you, Mr. Chairman.
Senator Kyl. Thank you, Senator Schumer.
Senator Feinstein.
Senator Feinstein. Mr. Chairman, may I have unanimous
consent to place a statement by the ranking member in the
record, please?
Senator Kyl. Without objection, so ordered.
[The prepared statement of Senator Leahy follows:]
Prepared Statement of Hon. Patrick J. Leahy, A U.S. Senator From
the State of Vermont
As we head into the twenty-first century, computer-related crime is
one of the greatest challenges facing law enforcement. Many of our
critical infrastructures and our government depend upon the reliability
and security of complex computer systems. We need to make sure that
these essential systems are protected from all forms of attack.
Whether we work in the private sector or in government, we
negotiate daily through a variety of security checkpoints designed to
protect ourselves from being victimized by crime or targeted by
terrorists. For instance, Congressional buildings like this one use
cement pillars placed at entrances, photo identification cards, metal
detectors, x-ray scanners and security guards to protect the physical
space. These security steps and others have become ubiquitous in the
private sector as well.
Yet all these physical barriers can be circumvented using the wires
that run into every building to support the computers and computer
networks that are the mainstay of how we communicate and do business.
This plain fact was amply demonstrated by the recent hacker attacks on
E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet
sites. These attacks raise serious questions about Internet security--
questions that we need to answer to ensure the long-term stability of
electronic commerce. More importantly, a well-focused and more malign
cyber-attack on computer networks that support telecommunications,
transportation, water supply, banking, electrical power and other
critical infrastructure systems could wreak havoc on our national
economy or even jeopardize our national defense. We have learned that
even law enforcement is not immune. Last month we learned of a denial
of service attack successfully perpetrated against a FBI web site,
shutting down that site for several hours.
The cybercrime problem is growing. The reports of the CERT
Coordination Center (formerly called the ``Computer Emergency Response
Team''), which was established in 1988 to help the Internet community
detect and resolve computer security incidents, provide chilling
statistics on the vulnerabilities of the Internet and the scope of the
problem. Over the last decade, the number of reported computer security
incidents grew from 6 in 1988 to more than 8,000 in 1999. But that
alone does not reveal the scope of the problem. According to CERT's
most recent annual report, more than four million computer hosts were
affected by computer security incidents in 1999 alone by damaging
computer viruses, with names like ``Melissa,'' ``Chernobyl,''
``ExploreZip,'' and by other ways that remote intruders have found to
exploit system vulnerabilities. Even before the recent headline-
grabbing ``denial-of-service'' attacks, CERT documented that such
incidents ``grew at a rate around 50 percent per year'' which was
``greater than the rate of growth of Internet hosts.''
CERT has tracked recent trends in severe hacking incidents on the
Internet and made the following observations. First, hacking techniques
are getting more sophisticated. That means law enforcement is going to
have to get smarter too, and we need to give them the resources to do
this. Second, hackers have ``become increasingly difficult to locate
and identify.'' These criminals are operating in many different
locations and are using techniques that allow them to operate in
``nearly total obscurity.''
I commend the FBI Director for establishing the Pittsburgh High
Tech Computer Crimes Task Force to take advantage of the technical
expertise at CERT to both solve and prevent newly emerging forms of
computer network attacks. Senator Hatch and I are working together on
legislation that would encourage the development of such regional task
forces.
Cybercrime is not a new problem. We have been aware of the
vulnerabilities to terrorist attacks of our computer networks for more
than a decade. It became clear to me, when I chaired a series of
hearings in 1988 and 1989 by the Subcommittee on Technology and the Law
in the Senate Judiciary Committee on the subject of high-tech terrorism
and the threat of computer viruses, that merely ``hardening'' our
physical space from potential attack would only prompt committed
criminals and terrorists to switch tactics and use new technologies to
reach vulnerable softer targets, such as our computer systems and other
critical infrastructures. The government has a responsibility to work
with those in the private sector to assess those vulnerabilities and
defend them. That means making sure our law enforcement agencies have
the tools they need, but also that the government does not stand in the
way of smart technical solutions to defend our computer systems.
Encryption helps prevent cybercrime. That is why, for years, I have
advocated and sponsored legislation to encourage the widespread use of
strong encryption. Encryption is an important tool in our arsenal to
protect the security of our computer information and networks. The
Administration made enormous progress when it issued new regulations
relaxing export controls on strong encryption. Of course, encryption
technology cannot be the sole source of protection for our critical
computer networks and computer-based infrastructure, but we need to
make sure the government is encouraging--and not restraining--the use
of strong encryption and other technical solutions to protecting our
computer systems.
The private sector must assume primary responsibility for
protecting its computer systems. Targeting cybercrime with up-to-date
criminal laws and tougher law enforcement is only part of the solution.
While criminal penalties may deter some computer criminals, these laws
usually come into play too late, after the crime has been committed and
the injury inflicted. We should keep in mind the adage that the best
defense is a good offense. Americans and American firms must be
encouraged to take preventive measures to protect their computer
information and systems. Just recently, internet providers and
companies such as Yahoo! and Amazon.com Inc., and computer hardware
companies such as Cisco Systems Inc., proved successful at stemming
attacks within hours thereby limiting losses.
Prior legislative efforts were designed to deter cybercrime.
Congress has responded again and again to help our law enforcement
agencies keep up with the challenges of new crimes being executed over
computer networks. In 1984, we passed the Computer Fraud and Abuse Act,
and its amendments, to criminalize conduct when carried out by means of
unauthorized access to a computer. In 1986, we passed the Electronic
Communications Privacy Act (ECPA), which I was proud to sponsor, to
criminalize tampering with electronic mail systems and remote data
processing systems and to protect the privacy of computer users. In the
104th Congress, Senators Kyl, Grassley and I worked together to enact
the National Information Infrastructure Protection Act to increase
protection under federal criminal law for both government and private
computers, and to address an emerging problem of computer-age blackmail
in which a criminal threatens to harm or shut down a computer system
unless their extortion demands are met.
In this Congress, I have introduced a bill with Senator DeWine, the
Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant
program within the U.S. Department of Justice for states to tap for
improved education, training, enforcement and prosecution of computer
crimes. All 50 states have now enacted tough computer crime control
laws. These state laws establish a firm groundwork for electronic
commerce and Internet security. Unfortunately, too many state and local
law enforcement agencies are struggling to afford the high cost of
training and equipment necessary for effective enforcement of their
state computer crime statutes. Our legislation, the Computer Crime
Enforcement Act, as well as the legislation that Senator Hatch and I
are crafting, would help state and local law enforcement join the fight
to combat the worsening threats we face from computer crime.
Our computer crime laws must be kept up-to-date as an important
backstop and deterrent. I believe that our current computer crime laws
can be enhanced and that the time to act is now. We should pass
legislation designed to improve our law enforcement efforts while at
the same time protecting the privacy rights of American citizens. Such
legislation should make it more efficient for law enforcement to use
tools that are already available--such as pen registers and trap and
trace devices--to track down computer criminals expeditiously. It
should ensure that law enforcement can investigate and prosecute hacker
attacks even when perpetrators use foreign-based computers to
facilitate their crimes. It should implement criminal forfeiture
provisions to ensure that hackers are forced to relinquish the tools of
their trade upon conviction. It should also close a current loophole in
our wiretap laws that prevents a law enforcement officer from
monitoring an innocent-host computer with the consent of the computer's
owner and without a wiretap order to track down the source of denial-
of-service attacks. Finally, such legislation should assist state and
local police departments in their parallel efforts to combat
cybercrime, in recognition of the fact that this fight is not just at
the federal level.
I have been working with Senator Hatch on legislation to accomplish
all of these goals and look forward to discussing these proposals with
law enforcement and industry leaders.
Civil Fraud Laws May Also Need Strengthening. There is no question
that fraud is one of the most pressing problems facing the Internet.
According to the Director of the FBI, frauds have tainted Internet
sales of merchandise, auctions, sweepstakes and business opportunities
and the North American Securities Administrators Association estimates
that Internet-related stock fraud alone results in billions of dollars
of loss to investors each year. I understand that the FBI and the
National White Collar Crime Center are jointly sponsoring the Internet
Fraud Complaint Center, which will help assist in the investigation of
fraudulent schemes on the Internet and will compile data on cyber-
frauds. I applaud this endeavor.
In looking for ways to combat Internet fraud, we should consider
whether the Justice Department's authority to use civil enforcement
mechanisms against those engaged in frauds on the Internet should be
enhanced.
Legislation must be balanced to protect our privacy and other
constitutional rights. I am a strong proponent of the Internet and a
defender of our constitutional rights to speak freely and to keep
private our confidential affairs from either private sector snoops or
unreasonable government searches. These principles can be respected at
the same time we hold accountable those malicious mischief makers and
digital graffiti sprayers, who use computers to damage or destroy the
property of others. I have seen Congress react reflexively in the past
to address concerns over anti-
social behavior on the Internet with legislative proposals that would
do more harm than good. A good example of this is the Communications
Decency Act, which the Supreme Court declared unconstitutional. We must
make sure that our legislative efforts are precisely targeted on
stopping destructive acts and that we avoid scattershot proposals that
would threaten, rather than foster, electronic commerce and sacrifice,
rather than promote, our constitutional rights.
Technology has ushered in a new age filled with unlimited potential
for commerce and communications. But the Internet age has also ushered
in new challenges for federal, state and local law enforcement
officials. Congress and the Administration need to work together to
meet these new challenges while preserving the benefits of our new era.
I thank Senators Kyl, Feinstein and Schumer for their attention to
this important issue.
Senator Kyl. Senator Bennett.
Senator Bennett.
Senator Bennett. Thank you, Mr. Chairman, and I appreciate
your courtesy and willingness to let me come in and participate
in this with you. It is a matter of great personal interest. I
realize that you, Mr. Chairman, and this subcommittee have done
perhaps more in this particular issue than any other group in
the Congress, with the possible exception of the efforts being
expended in the Armed Services Committee as they deal with DOD
issues. Most of the questions that I would have, have already
been touched on.
Mr. Freeh, I would like to get your reaction to one issue.
We as a Nation spent $15 million setting up the information
coordinating center to deal with Y2K. It turned out to be a
nonevent as far as the ICC was concerned, and a lot of people
said, ``Gee, why did you go to all that trouble? That is a
fairly significant investment. The wiring is in the floor, the
computers are in place,'' and so on.
Do you have any suggestions as to the future of that
facility? Should it be dismantled and packed away, and say,
``Gee, that was a bullet that missed us, so we can forget it?''
Or do you see any utility for that facility long term in
dealing with cyber crimes or even cyber warfare?
Mr. Freeh. Senator, I think, first of all, it was a good
investment and a prudent one, given the threats that you
particularly and others were responsible for analyzing and
dealing with and predicting.
I would like to, if I might, just consider that a little
bit and get back to you. I don't have any concerns about
continuing the activity to the extent that it would complement
and support other activities. I guess my concern, which was
reflected in my answer to Senator Grassley, is that this is
such a huge challenge and a huge burden that we don't want to
split our forces before we then fielded our team.
And if we are going to be bifurcating responsibilities and
taking what the PDD said the NIPC should be doing and assigning
it to another facility because the facility is available
without some coordination or some overall administrative
control by the people responsible for not just the criminal
investigations but analysis, threat warning, training, liaison;
the worse thing to do right now would be to split our forces
because our forces are quite meager, given the challenges that
we need to get geared up for.
Senator Bennett. Well, I would appreciate any response that
you might have. Some of us in the Congress have written to OMB
and said that we think this facility should be maintained and
turned over to CIAO. OMB thinks it should be dismantled and
those portions that might be of some value should be handed
over to FEMA.
I do not see the protection of critical infrastructure as a
FEMA responsibility, and I think CIAO comes the closest as an
agency to deal with that and one with whom you could coordinate
very closely. So I don't seem to be able to influence OMB and I
am putting you on something of a spot to ask your opinion on
this, but I think the facility represents a relatively, if
there is such a thing, unique asset, certainly a very rare
asset.
It is unique in that nothing else has been created quite
like it, and I want to see it utilized if there is any
possibility that it can be utilized with respect to cyber
crimes or cyber terrorism. So if you would respond, I would
appreciate that.
Mr. Freeh. I will be happy to do that, Senator.
Senator Bennett. Now, looking ahead at the testimony of the
next witness, there is a paragraph that I would like to read to
you out of his written testimony and just give you an
opportunity to respond while you are here because very often
you come, you leave, then he speaks and you don't get a chance
to comment.
So in Mr. Harris Miller's testimony he says, ``Few high-
tech companies are interested in being perceived by their
customers as active agents of law enforcement. Agencies,
meanwhile, are often viewed as demanding this type of
information from the private sector, but giving little back in
return. Let me be blunt: information sharing cannot be a one-
way street.''
Would you like to comment on that statement? That is pretty
blunt and I think opens the dialog in a useful way.
Mr. Freeh. Well, I certainly agree that in the
responsibilities that we have as a law enforcement agency vis-
a-vis the private sector, you cannot have a one-way street. The
information can't just be flowing from the private sector to
constable. It just doesn't make any sense.
What I would say is that in a general and maybe broader
context--and this has been echoed by other members of the
committee--law enforcement and public safety and protection of
property in this area, except for the technology, is really not
different from what law enforcement traditionally has done for
a long time, over 200 years just in this country.
We cannot unilaterally protect these companies, the
information, the people who work there, the jobs, as well as
the economic security that flows from a robust private sector
without their assistance, no more than they can protect in the
course of civil litigation or injunctions or market leverage--
they can't protect their property without the help, when
appropriate, of the enforcement agencies and the power of the
State or the criminal courts.
So it is a necessary marriage. There is a critical need for
there to be not only information sharing but cooperation. Now,
that requires work on both sides. We have to respect, as we
mentioned before, the confidentiality as well as the value of
the information and secrets that they may give to us to do our
job.
On the other hand, they have to be willing to report to the
authorities incidents of crime, as banks are required to do by
statute. They have to come to us when they are the subjects of
an extortion or a threat, when someone steals their trade
secret, rather than just trying to work on it themselves. It
can't be done unless information is flowing in both directions,
which is why the Information Infrastructure Protection Center
as one of its primary responsibilities under the PDD is to have
an active, robust and credible liaison with the private sector.
We can't operate without that.
Senator Bennett. Thank you. I think that is useful and I
appreciate your adding that to the record. Following up with
one specific of the questions that Senator Schumer raised, the
Toronto Star reported on Sunday that approximately 80 percent
of the foreign attacks on U.S. computer networks either
originate in or pass through Canada.
You talked about your relationships in the world generally.
Could you give us an update on the status of United States and
Canadian cooperation in this area?
Mr. Freeh. Yes; I would say the status of that cooperation
is really excellent. During the millennial period, particularly
when we were working with respect to the events out in the
Northwest, both from the criminal justice point of view but
also from the intelligence and investigative point of view, you
would not find anyplace in the world a closer integration or
cooperation.
FBI agents were in Canada, RCMP officers were in the United
States, in many cases drafting applications for court
authorities in both countries together; realtime feedback of
information, sharing of information obtained from searches with
appropriate court disclosure orders. That relationship is
almost a seamless one not only in the cyber areas but in
generally all criminal justice areas, in the counterterrorism
area, and that is probably one of the best relationships
between countries on those issues as anyplace I have seen.
Senator Bennett. Thank you very much, and thank you, Mr.
Chairman, for allowing me to participate. I appreciate it.
Senator Kyl. Thank you, Senator Bennett. As always, your
intervention is very helpful.
Director Freeh, we could question you all morning, I am
sure, and be much better edified than we are, but we have
another panel and I think we will call upon them. We appreciate
very much your continued diligence in dealing with this area.
We will try to help get the resources to you that you need. You
have certainly helped to create the case for further
legislation that we want to pursue here, and so we thank you
very, very much for being with us this morning and wish you
well.
Mr. Freeh. Thank you, Mr. Chairman, and thank you both for
your leadership in this area.
[The prepared statement of Mr. Freeh follows:]
Prepared Statement of Louis J. Freeh
Good morning, Mr. Chairman, Senator Feinstein, and Members of the
Subcommittee. I am privileged to have this opportunity to discuss
cybercrime--one of the fastest evolving areas of criminal behavior and
a significant threat to our national and economic security.
Twelve years ago the ``Morris Worm'' paralyzed half of the
Internet, yet so few of us were connected at that time that the impact
on our society was minimal. Since then, the Internet has grown from a
tool primarily in the realm of academia and the defense/intelligence
communities, to a global electronic network that touches nearly every
aspect of everyday life at the workplace and in our homes. The recent
denial of service attacks on leading elements of the electronic
economic sector, including Yahoo!, Amazon.com, Buy.com, Ebay, E*Trade,
CNN, and others, had dramatic and immediate impact on many Americans.
As Senator Bennett recently stated, ``these attacks are only the tip of
the iceberg. They are the part of the iceberg that is visible above the
water-in clear view. But as everyone knows, the largest part of the
iceberg, and possibly the most dangerous, lies beneath the surface of
the water and is difficult to detect. This is true also with the range
of threats to the Internet and those that rely upon it.''
I would like to acknowledge the strong support this Subcommittee
has provided to the FBI over the past several years for fighting
cybercrime. Senator Kyl's strong support for vital cyber crime
legislation such as the National Infrastructure Protection Act of 1996
and the Schumer-Kyl bill strengthening 18 U.S.C. Sec. 1030, is greatly
appreciated. Senator Kyl and this committee have also been the
strongest supporters of our National Infrastructure Protection Center.
For that support, I would like to say thank you.
In my testimony today, I would like to first discuss the nature of
the threat that is posed from cybercrime and highlight some recent
cases Then I will comment on our use of 18 U.S.C. Sec. 1030 in fighting
cybercrime and say a few words about the Schumer-Kyl bill. Finally, I
would like to close by discussing several of the challenges that
cybercrime and technology present for law enforcement.
cybercrime threats faced by law enforcement
Before discussing the FBI's programs and requirements with respect
to cybercrime, let me take a few minutes to discuss the dimensions of
the problem. Our case load is increasing dramatically. In fiscal year
1998, we opened 547 computer intrusion cases; in fiscal year 1999, that
had jumped to 1154. At the same time, because of the opening the
National Infrastructure Protection Center (NIPC) in February 1998, and
our improving ability to fight cyber crime, we closed more cases. In
fiscal year 1998, we closed 399 intrusion cases, and in fiscal year
1999, we closed 912 such cases. However, given the exponential increase
in the number of cases opened, cited above, our actual number of
pending cases has increased by 39 percent from 601 at the end of fiscal
year 1998, to 834 at the end of fiscal year 1999 In short, even though
we have markedly improved our capabilities to fight cyber intrusions,
the problem is growing even faster.
A few days ago the Computer Security Institute released its fifth
annual ``Computer Crime and Security Survey.'' The results only confirm
what we had already suspected given our burgeoning case load, that more
companies surveyed are reporting intrusions, that dollar losses are
increasing, that insiders remain a serious threat, and that more
companies are doing more business on the Internet than ever before.
The statistics tell the story. Ninety percent of respondents
detected security breaches over the last 12 months. At least 74 percent
of respondents reported security breaches including theft of
proprietary information, financial fraud, system penetration by
outsiders, data or network sabotage, or denial of service attacks.
Information theft and financial fraud caused the most severe financial
losses, put at $68 million and $56 million respectively. The losses
from 273 respondents totaled just over $265 million. Losses traced to
denial of service attacks were only $77,000 in 1998, and by 1999 had
risen to just $116,250. Further, the new survey reports on numbers
taken before the high-profile February attacks against Yahoo, Amazon
and eBay. Finally, many companies are experiencing multiple attacks; 19
percent of respondents reported 10 or more incidents.
Over the past several years we have seen a range of computer crimes
ranging from defacement of websites by juveniles to sophisticated
intrusions that we suspect may be sponsored by foreign powers, and
everything in between. Some of these are obviously more significant
than others. The theft of national security information from a
government agency or the interruption of electrical power to a major
metropolitan area have greater consequences for national security,
public safety, and the economy than the defacement of a web-site. But
even the less serious categories have real consequences and,
ultimately, can undermine confidence in e-commerce and violate privacy
or property rights. A website hack that shuts down an e-commerce site
can have disastrous consequences for a business. An intrusion that
results in the theft of credit card numbers from an online vendor can
result in significant financial loss and, more broadly, reduce
consumers' willingness to engage in
e-commerce. Because of these implications, it is critical that we have
in place the programs and resources to investigate and, ultimately, to
deter these sorts of crimes.
The following are some of the categories of cyber threats that we
confront today.
Insiders. The disgruntled insider (a current or former employee of
a company) is a principal source of computer crimes for many companies.
Insiders' knowledge of the target companies' network often allows them
to gain unrestricted access to cause damage to the system or to steal
proprietary data. The just-released 2000 survey by the Computer
Security Institute and FBI reports that 71 percent of respondents
detected unauthorized access to systems by insiders.
One example of an insider was George Parente. In 1997, Parente was
arrested for causing five network servers at the publishing company
Forbes, Inc., to crash. Parente was a former Forbes computer technician
who had been terminated from temporary employment. In what appears to
have been a vengeful act against the company and his supervisors,
Parente dialed into the Forbes computer system from his residence and
gained access through a co-worker's log-in and password. Once online,
he caused five of the eight Forbes computer network servers to crash,
and erased all of the server volume on each of the affected servers. No
data could be restored. Parente's sabotage resulted in a 2-day shut
down in Forbes' New York operations with losses exceeding $100,000.
Parente pleaded guilty to one count of violating of the Computer Fraud
and Abuse Act, Title 18 U.S.C. Sec. 1030.
In January and February 1999 the National Library of Medicine (NLM)
computer system, relied on by hundreds of thousands of doctors and
medical professionals from around the world for the latest information
on diseases, treatments, drugs, and dosage units, suffered a series of
intrusions where system administrator passswords were obtained,
hundreds of files were downloaded which included sensitive medical
``alert'' files and programming files that kept the system running
properly. The intrusions were a significant threat to public safety and
resulted in a monetary loss in excess of $25,000 FBI investigation
identified the intruder as Montgomery Johns Gray, III, a former
computer programmer for NLM, whose access to the computer system had
been revoked. Gray was able to access the system through a ``backdoor''
he had created in the programming code. Due to the threat to public
safety, a search warrant was executed for Gray's computers and Gray was
arrested by the FBI within a few days of the intrusions. Subsequent
examination of the seized computers disclosed evidence of the intrusion
as well as images of child pornography. Gray was convicted by a jury in
December 1999 on three counts for violation of 18 U.S.C. Sec. 1030.
Subsequently, Gray pleaded guilty to receiving obscene images through
the Internet, in violation of 47 U.S.C. Sec. 223.
Hackers. Hackers (or ``crackers'') are also a common threat. They
sometimes crack into networks simply for the thrill of the challenge or
for bragging rights in the hacker community. Recently, however, we have
seen more cases of hacking for illicit financial gain or other
malicious purposes.
While remote cracking once required a fair amount of skill or
computer knowledge, hackers can now download attack scripts and
protocols from the World Wide Web and launch them against victim sites.
Thus while attack tools have become more sophisticated, they have also
become easier to use. The distributed denial-of-service (DDOS) attacks
last month are only the most recent illustration of the economic
disruption that can be caused by tools now readily available on the
Internet.
Another recent case illustrates the scope of the problem. On Friday
authorities in Wales, acting in coordination with the FBI, arrested two
individuals for alleged intrusions into e-commerce sites in several
countries and the theft of credit card information on over 26,000
accounts. One subject used the Internet alias ``CURADOR.'' Losses from
this case could exceed $3,000,000. The FBI cooperated closely with the
Dyfed-Powys Police Service in the United Kingdom, the Royal Canadian
Mounted Police in Canada, and private industry. This investigation
involved the Philadelphia Division, seven other FBI field offices, our
Legal Attache in London, and the NIPC. This case demonstrates the close
partnerships that we have built with our foreign law enforcement
counterparts and with private industry.
We have also seen a rise recently in politically motivated attacks
on web pages or e-mail servers, which some have dubbed ``hacktivism.''
In these incidents, groups and individuals overload e-mail servers or
deface websites to send a political message. While these attacks
generally have not altered operating systems or networks, they have
disrupted services, caused monetary loss, and denied the public access
to websites containing valuable information, thereby infringing on
others' rights to disseminate and receive information. Examples of
``hacktivism'' include a case in 1996, in which an unknown subject
gained unauthorized access to the computer system hosting the
Department of Justice Internet web site. The intruders deleted over 200
directories and their contents on the computer system and installed
their own pages. The installed pages were critical of the
Communications Decency Act (CDA) and included pictures of Adolf Hitler,
swastikas, pictures of sexual bondage scenes, a speech falsely
attributed to President Clinton, and fabricated CDA text.
Virus Writers. Virus writers are posing an increasingly serious
threat to networks and systems worldwide. Last year saw the
proliferation of several destructive computer viruses or ``worms,''
including the Melissa Macro Virus, the Explore.Zip worm, and the CIH
(Chernobyl) Virus. The NIPC frequently sends out warnings or advisories
regarding particularly dangerous viruses, which can allow potential
victims to take protective steps and minimize the destructive
consequences of a virus.
The Melissa Macro Virus was a good example of our two-fold
response--encompassing both warning and investigation--to a virus
spreading in the networks. The NIPC sent out warnings as soon as it had
solid information on the virus and its effects; these warnings helped
alert the public and reduce the potential destructive impact of the
virus. On the investigative side, the NIPC acted as a central point of
contact for the field offices who worked leads on the case. A tip
received by the New Jersey State Police from America Online, and their
follow-up investigation with the FBI's Newark Division, led to the
April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one
count of violating 18 U.S.C. Sec. 1030 in Federal Court, and to four
state felony counts. As part of his guilty plea, Smith stipulated to
affecting one million computer systems and causing $80 million in
damage. Smith is awaiting sentencing.
Criminal Groups. We are also seeing the increased use of cyber
intrusions by criminal groups who attack systems for purposes of
monetary gain. In September, 1999, two members of a group dubbed the
``Phonemasters'' were sentenced after their conviction for theft and
possession of unauthorized--access devices (18 USC Sec. 1029) and
unauthorized access to a federal interest computer (18 USC Sec. 1030).
The ``Phonemasters'' were an international group of criminals who
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even
the National Crime Information Center. Under judicially-approved
electronic surveillance orders, the FBI's Dallas Division made use of
new data intercept technology to monitor the calling activity and modem
pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded
thousands of Sprint calling card numbers, which he sold to a Canadian
individual who passed them on to someone in Ohio. These numbers made
their way to an individual in Switzerland and eventually ended up in
the hands of organized crime groups in Italy. Cantrell was sentenced to
2 years as a result of his guilty plea, while one of his associates,
Cory Lindsay, was sentenced to 41 months.
The Phonemasters' methods included ``dumpster diving'' to gather
old phone books and technical manuals for systems. They used this
information to trick employees into giving up their logon and password
information. The group then used this information to break into victim
systems. It is important to remember that often ``cyber crimes'' are
facilitated by old fashioned guile, such as calling employees and
tricking them into giving up passwords. Good cyber security practices
must therefore address personnel security and ``social engineering'' in
addition to instituting electronic security measures.
Another example of cyber intrusions used to implement a criminal
conspiracy involved Vladimir L. Levin and numerous accomplices who
illegally transferred more than $10 million in funds from three
Citibank corporate customers to bank accounts in California, Finland,
Germany, the Netherlands, Switzerland, and Israel between June and
October 1994. Levin, a Russian computer expert, gained access over 40
times to Citibank's cash management system using a personal computer
and stolen passwords and identification numbers. Russian telephone
company employees working with Citibank were able to trace the source
of the transfers to Levin's employer in St. Petersburg, Russia. Levin
was arrested in March 1995 in London and subsequently extradited to the
U.S. On February 24, 1998, he was sentenced to three years in prison
and ordered to pay Citibank $240,000 in restitution. Four of Levin's
accomplices pleaded guilty and one was arrested but could not be
extradited. Citibank was able to recover all but $400,000 of the $10
million illegally transferred funds.
Beyond criminal threats in cyber space, we also face a variety of
significant national security threats.
Terrorists. Terrorists groups are increasingly using new
information technology and the Internet to formulate plans, raise
funds, spread propaganda, and to communicate securely. In his statement
on the worldwide threat in 2000, Director of Central Intelligence
George Tenet testified that terrorists groups, ``including Hizbollah,
HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida
organization are using computerized files, e-mail, and encryption to
support their operations.'' In one example, convicted terrorist Ramzi
Yousef, the mastermind of the World Trade Center bombing, stored
detailed plans to destroy United States airliners on encrypted files on
his laptop computer. While we have not yet seen these groups employ
cyber tools as a weapon to use against critical infrastructures, their
reliance on information technology and acquisition of computer
expertise are clear warning signs. Moreover, we have seen other
terrorist groups, such as the Internet Black Tigers (who are reportedly
affiliated with the Tamil Tigers), engage in attacks on foreign
government web-sites and e-mail servers. ``Cyber terrorism''--by which
I mean the use of cyber tools to shut down critical national
infrastructures (such as energy, transportation, or government
operations) for the purpose of coercing or intimidating a government or
civilian population--is thus a very real, though still largely
potential, threat.
Foreign intelligence services. Not surprisingly, foreign
intelligence services have adapted to using cyber tools as part of
their espionage tradecraft. Even as far back as 1986, before the
worldwide surge in Internet use, the KGB employed West German hackers
to access Department of Defense systems in the well-known ``Cuckoo's
Egg'' case. While I cannot go into specifics about more recent
developments in an open hearing it should not surprise anyone to hear
that foreign intelligence services increasingly view computer
intrusions as a useful tool for acquiring sensitive U.S. government and
private sector information.
Information Warfare. The prospect of ``information warfare'' by
foreign militaries against our critical infrastructures is perhaps the
greatest potential cyber threat to our national security. We know that
several foreign nations are developing information warfare doctrine,
programs, and capabilities for use against the United States or other
nations. Knowing that they cannot match our military might with
conventional or ``kinetic'' weapons, nations see cyber attacks on our
critical infrastructures or military operations as a way to hit what
they perceive as America's Achilles heel--our growing dependence on
information technology in government and commercial operations. For
example, two Chinese military officers recently published a book that
called for the use of unconventional measures, including the
propagation of computer viruses, to counterbalance the military power
of the United States. And a Russian official has also commented that an
attack on a national infrastructure could, ``by virtue of its
catastrophic consequences, completely overlap with the use of [weapons]
of mass destruction.''
The categories described above involve computers used as weapons
and as targets of a crime. We are also seeing computers used to
facilitate more traditional forms of crime.
Internet Fraud. One of the most critical challenges facing the FBI
and law enforcement in general, is the use of the Internet for
fraudulent purposes. Understanding and using the Internet to combat
Internet fraud is essential for law enforcement. The accessibility of
such an immense audience coupled with the anonymity of the subject,
require a different approach. The Internet is a perfect medium to
locate victims and provide an environment where victims do not see or
speak to the ``fraudsters.'' Anyone in the privacy of their own home
can create a very persuasive vehicle for fraud over the Internet.
Internet fraud does not have traditional boundaries as seen in the
traditional schemes. The traditional methods of detecting, reporting,
and investigating fraud fail in this environment. By now it is common
knowledge that the Internet is being used to host criminal behavior.
The top ten most frequently reported frauds committed on the Internet
include Web auctions, Internet services, general merchandise, computer
equipment/software, pyramid schemes, business opportunities/franchises,
work at home plans, credit card issuing, prizes/sweepstakes and book
sales.
Let me provide you with some specific examples. Securities offered
over the Internet have added an entirely new dimension to securities
fraud investigations. Investors are able to research potential
investments and actually invest over the Internet with ease through
electronic linkage to a number of services that provide stock and
commodity quotations, as well as, critical financial information. The
North American Securities Administrators Association has estimated that
Internet-related stock fraud results in approximately $10 billion per
year (or $1 million per hour) loss to investors, this is currently the
second most common form of investment fraud.
On April 7, 1999, visitors to an online financial news message
board operated by Yahoo!, Inc. got a scoop on PairGain, a
telecommunications company based in Tustin, California. An e-mail
posted on the message board under the subject line ``Buyout News'' said
that PairGain was being taken over by an Israeli company. The e-mail
also provided a link to what appeared to be a website of Bloomberg News
Service, containing a detailed story on the takeover. As news of the
takeover spread, the company's publicly-traded stock shot up more than
30 percent, and the trading volume grew to nearly seven times its norm.
There was only one problem: the story was false, and the website on
which it appeared was not Bloomberg's site, but a counterfeit site.
When news of the hoax spread, the price of the stock dropped sharply,
causing significant financial losses to many investors who purchased
the stock at artificially inflated prices.
Within a week after this hoax appeared, the FBI arrested a Raleigh
North Carolina man for what was believed to be the first stock
manipulation scheme perpetrated by a fraudulent Internet site. The
perpetrator was traced through an Internet Protocol address that he
used, and he was charged with securities fraud for disseminating false
information about a publicly-traded stock.
In another example, on March 5, 2000 nineteen people were charged
in a muitimillion-dollar New York-based inside trading scheme. In one
of the first cases of its kind, the Internet took a starring role as
allegedly about $8.4 million was illegally pocketed from secrets traded
in cyberspace chat rooms. Richard Walker, director of enforcement for
the Securities and Exchange Commission, called the case ``one of the
most elaborate insider trading schemes in history.'' At the core of the
scheme, a disgruntled part-time computer graphics worker allegedly went
online and found other disgruntled investors of the company in America
Online chat rooms. He soon was passing inside information on clients of
Goldman Sachs and Credit Suisse First Boston to two other individuals
in exchange for a percentage of any profits they earned by acting on
it. For 2\1/2\ years, this employee passed inside information,
communicating almost solely through online chats and instant messages.
The part-time computer graphics worker received $170,000 in kickbacks
while his partners made $500,000.
Other individuals also became involved as the three defendants who
hatched the scheme passed the inside information. More and more
individuals became aware of the insider information. For instance, one
individual allegedly opened a brokerage account and told his broker,
that he had inside information, and the broker then tipped off three of
his customers, allowing them to earn more than $2.6 million.
There is a need for a proactive approach when investigating
Internet fraud. There is an essential need to establish a central
repository for complaints of Internet Fraud. The FBl and the National
White Collar Crime Center (NW3C) are addressing this need by
cosponsoring the Internet Fraud Complaint Center (IFCC). This
partnership will ensure that lnternet fraud is addressed at all levels
of law enforcement (local, state and federal). The IFCC is necessary to
adequately identify, track, and investigate new fraudulent schemes on
the Internet on a national and international level. IFCC personnel will
collect analyze, evaluate, and disseminate Internet fraud complaints to
the appropriate law enforcement agency. The IFCC will provide a
mechanism by which Internet fraud schemes are identified and addressed
through a criminal investigative effort. The IFCC will provide
analytical support, and aid in the development of a training module to
address Internet fraud. The information obtained from the data
collected will provide the foundation for the development of a national
strategic plan to address Internet fraud. The IFCC will be open and
fully operational on May 8, 2000.
Intellectual Property Rights. Intellectual property is the driver
of the 21st century American economy. In many ways it has become what
America does best. The United States is the leader in the development
of creative, technical intellectual property. Violations of
Intellectual Property Rights, therefore, threaten the very basis of our
economy. Of primary concern is the development and production of trade
secret information. The American Society of Industrial Security
estimated the potential losses at $2 billion per month in 1997. Pirated
products threaten public safety in that many are manufactured to
inferior or non-existent quality standards. A growing percentage of IPR
violations now involve the Internet. There are thousands of web sites
solely devoted to the distribution of pirated materials. The FBI has
recognized, along with other federal agencies, that a coordinated
effort must be made to attack this problem. The FBI along with the
Department of Justice, U.S. Customs Service, and other agencies with
IPR responsibilities, will be opening an IPR Center this year to
enhance our national ability to investigate and prosecute IPR crimes
through the sharing of information among agencies.
distributed denial of service attacks
The recent distributed denial of service (DDOS) attacks have
garnered a tremendous amount of interest in the public and in the
Congress. Because we are actively investigating these attacks, I cannot
provide a detailed briefing on the status of our efforts. However, I
can provide an overview of our activities to deal with the DDOS threat
beginning last year and of our investigative efforts over the last
several weeks.
In the fall of 1999, the NIPC began receiving reports about a new
threat on the Internet--Distributed Denial of Service Attacks. In these
cases, hackers plant tools such as Trinoo, Tribal Flood Net (TFN),
TFN2K, or Stacheldraht (German for barbed wire) on a number of
unwitting victim systems. Then when the hacker sends the command, the
victim systems in turn begin sending messages against a target system.
The target system is overwhelmed with the traffic and is unable to
function. Users trying to access that system are denied its services.
Because of its concern about this new threat, the NIPC issued
warnings to government agencies, private companies, and the public in
December 1999. Moreover, in late December, the NIPC determined that a
detection tool that it had developed for investigative purposes might
also be used by network operators to detect the presence of DDOS agents
or masters on their operating systems, and thus would enable them to
remove an agent or master and prevent the network from being
unwittingly utilized in a DDOS attack. Moreover, at that time there
was, to our knowledge, no similar detection tool available
commercially. The NIPC therefore decided to take the unusual and
innovative step of releasing the tool to other agencies and to the
public in an effort to reduce the level of the threat. The NIPC made
the first variant of its software available on the NIPC web site on
December 30, 1999. To maximize the public awareness of this tool the
FBI's National Press Office announced its availability in an FBI press
release that same date. Since the first posting of the tool, the NIPC
has posted three updated versions that have perfected the software and
made it applicable to different operating systems.
The public has downloaded these tools tens of thousands of times
from the web site, and has responded by reporting many installations of
the DDOS software, thereby preventing their networks from being used in
attacks and leading to the opening of criminal investigations both
before and after the widely-publicized attacks of the last few weeks.
The NIPC's work with private companies has been so well received that
the trade group SANS awarded their yearly Security Technology
Leadership Award to members of the NIPC's Special Technologies
Applications Unit.
Last month, the NIPC received reports that a new variation of DDOS
tools was being found on Windows operating systems. One victim entity
provided us with the object code to the tool found on its network. On
February 18, the NIPC made the binaries available to anti-virus
companies (through an industry association) and the Computer Emergency
Response Team (CERT) at Carnegie Mellon University for analysis and so
that commercial vendors could create or adjust their products to detect
the new DDOS variant. Given the attention that DDOS tools have received
in recent weeks, there are now numerous detection and security products
to address this threat, so the NIPC determined that it could be most
helpful by giving them the necessary code rather than deploying a
detection tool itself.
Unfornately, the warnings that the WIPC and others in the security
community had issued about DDOS tools last year, while alerting many
potential victims and reducing the threat, did not eliminate the
threat. Quite frequently, even when a threat is known and patches or
detection tools are available, network operators either remain unaware
of the problem or fail to take necessary protective steps. In addition,
in the cyber equivalent of an arms race, exploits evolve as hackers
design variations to evade or overcome detection software and filters.
Even security-
conscious companies that put in place all available security measures
therefore are not invulnerable. And, particularly with DDOS tools, one
organization might be the victim of a successful attack despite its
best efforts, because another organization failed to take steps to keep
itself from being made the unwitting participant in an attack.
On February 7, 2000, the FBI received reports that Yahoo had
experienced a denial of service attack. In a display of the close
cooperative relationship the NIPC has developed with the private
sector, in the days that followed, several other companies also
reported denial of service outages. These companies cooperated with our
National Infrastructure Protection and Computer Intrusion squads in the
FBI field offices and provided critical logs and other information.
Still, the challenges to apprehending the suspects are substantial In
many cases, the attackers used ``spoofed'' IP addresses, meaning that
the address that appeared on the target's log was not the true address
of the system that sent the messages.
The resources required in these investigations can be substantial.
Several FBI field offices have opened investigations and almost all of
our other offices are supporting these cases. The NIPC is coordinating
the nationwide investigative effort, performing technical analysis of
logs from victims sites and Internet Service Providers, and providing
all-source analytical assistance to field offices. While the crime may
be high tech, investigating it involves a substantial amount of
traditional police work as well as technical work. For example, in
addition to following up leads, SIPC personnel need to review an
overwhelming amount of log information received from the victims. Much
of this analysis needs to be done manually. Analysts and agents
conducting this analysis have been drawn off other case work. In the
coming years we expect our case load to substantially increase.
the legal landscape
To deal with this crime problem, we must look at whether changes to
the legal procedures governing investigation and prosecution of cyber
crimes are warranted. The problem of Internet crime has grown at such a
rapid pace that the laws have not kept up with the technology. The FBI
is working with the Department of Justice to propose a legislative
package for your review to help keep our laws in step with these
advances.
One example of some of the problems law enforcement is facing is
the jurisdictional limitation of pen registers and trap-and-trace
orders issued by federal district courts. These orders allow only the
capturing of tracing information, not the content of communications.
Currently, in order to track back a hacking episode in which a single
communication is purposely routed through a number of Internet Service
Providers that are located in different states, we generally have to
get multiple court orders. This is because, under current law, a
federal court can order communications carriers only within its
district to provide tracing information to law enforcement. As a result
of the fact that investigators typically have to apply for numerous
court orders to trace a single communication, there is a needless waste
of time and resources, and a number of important investigations are
either hampered or derailed entirely in those instances where law
enforcement gets to a communications carrier after that carrier has
already discarded the necessary information. For example, Kevin Mitnick
evaded attempts to trace his calls by moving around the country and by
using cellular phones, which routed calls through multiple carriers on
their way to the final destination. It was impossible to get orders
quickly enough in all the jurisdictions to trace the calls.
With regards to additional legal mechanisms needed by law
enforcement to help maintain our abilities to obtain usable evidence in
an encrypted world, last September the Administration announced a ``New
Approach to Encryption.'' This new approach included significant
changes to the nation's encryption export policies and, more
importantly, recommended public safety enhancement to ensure ``that law
enforcement has the legal tools, personnel, and equipment necessary to
investigate crime in an encrypted world.'' Specifically, the President,
on behalf of law enforcement, transmitted to Congress a legislative
proposal entitled the ``Cyberspace Electronic Security Act of 1999''
(CESA). CESA, if enacted would: (1) protect sensitive investigative
techniques and industry trade secrets from unnecessary disclosure in
litigation or criminal trials involving encrypted evidence; (2)
authorize $80 million for the FBI's Technical Support Center (TSC),
which will serve as a centralized technical resource for federal, state
and local law enforcement in responding to the increased use of
encryption in criminal cases; and (3) ensure that law enforcement
maintains its ability to access decryption information stored with
third parties, while protecting such information from inappropriate
release. The enactment of the CESA legislative proposal is supported by
the law enforcement community, to include the International Association
of Chiefs of Police, the National Sheriffs' Association and the
National District Attorneys Association and I strongly encourage its
favorable consideration by Congress.
Finally, we should consider whether current sentencing provisions
for computer crimes provide an adequate deterrence. Given the degree of
harm that can be caused by a virus, intrusion, or a denial of service--
in terms of monetary loss to business and consumers, infringement of
privacy, or threats to public safety when critical infrastructures are
affected--it would be appropriate to consider, as S. 2092 does, whether
penalties established years ago remain adequate.
Evaluation of the effectiveness of 18 U.S.C. Sec. 1030 and the tools to
enforce it under both current law and under S. 2092
Generally, 18 U.S.C. Sec. 1030 has enabled the FB1 and other law
enforcement agencies to investigate and prosecute persons who would use
the power of the Internet and computers for criminal purposes.
Nonetheless, just as computer crime has evolved and mutated over the
years, so too must our laws and procedures evolve to meet the changing
nature of these crimes.
One persistent problem is the need under current law to demonstrate
at least $5,000 in damage for certain hacking offenses enumerated by 18
U.S.C. Sec. 1030(a)(5). In some of the cases investigated by the FBI,
damages in excess of $5,000 on a particular system are difficult to
prove. In other cases, the risk of harm to individuals or to the public
safety posed by breaking into numerous systems and obtaining root
access, with the ability to destroy the confidentiality or accuracy of
crucial--perhaps lifesaving information--is very real and very serious
even if provable monetary damages never approach the $5,000 mark. In
investigations involving the dissemination or importation of a virus or
other malicious code, the $5,000 threshold could potentially delay or
hinder early intervention by Federal law enforcement.
S. 2092 significantly adjusts the $5,000 threshold impediment and
other provisions in the current law by: (1) creating a misdemeanor
offense for those cases where damages are below $5,000, while
simultaneously adjusting the minimum mandatory sentences under the
Sentencing Guidelines; and (2) moving the aggravating factors
previously included in the definition of ``damage'' under 18 U.S.C.
Sec. 1030(e)(8) (such as impairment of medical diagnosis, physical
injury to any person, threat to public health or safety or damage to
national security, national defense or administration of justice
computers) to the general sentencing provisions of Sec. 1030(c) (where
they will be on par in serious cases with the existing $5,000 threshold
requirement and will expose offenders to an enhanced ten-year period of
imprisonment up from the current maximum of five years). The critical
element here is that the criminal intended to cause damage, not the
specific amount of damage he intended to cause.
Another issue involves the alarming number of computer hackers
encountered in our investigations who are juveniles. Under current law,
Federal authorities are not able to prosecute juveniles for any
computer violations of 18 U.S.C. Sec. 1030. S. 2092 would authorize,
but not require, the Attorney General to certify for juvenile
prosecution in Federal court youthful offenders who commit the more
serious felony violations of section Sec. 1030. Recognizing that this
change will, over time, result in the prosecution of repeat offenders,
S. 2092 also defines the term ``conviction'' under Sec. 1030 to include
prior adjudications of juvenile delinquency for violations of that
section.
Similarly, a majority of the States have enacted criminal statutes
prohibiting unauthorized computer access analogous to the provisions of
section 1030. As State prosecutions for these offenses increase, the
likelihood of encountering computer offenders in Federal investigations
who have prior State convictions will similarly rise. The Justice
Department is studying whether prior state adult convictions for
comparable computer crimes justify enhanced penalties for violations of
section 1030, just as prior State convictions for drug offenses trigger
enhanced penalties for comparable Federal drug violations.
Law enforcement also needs updated tools to investigate, identify,
apprehend and successfully prosecute computer offenders. Today's
electronic crimes, which occur at the speed of light, cannot be
effectively investigated with procedural devices forged in the last
millennium during the infancy of the information technology age.
Statutes need to be rendered technology neutral so that they can be
applied regardless of whether a crime is committed with pen and paper,
e-mail, telephone or geosynchronous orbit satellite personal
communication devices.
As discussed above, a critical factor in the investigation of
computer hacking cases is law enforcement's ability to swiftly identify
the source and the direction of a hacker's communications. Like all law
enforcement agencies, the FBI relies upon the pen register and trap and
trace provisions contained in 18 U.S.C. Sec. 3121 et seq. to seek court
approval to acquire data identifying non-content information relating
to a suspect's communications. Our ability to identify the perpetrators
of crimes like computer hacking is directly proportional to our ability
to quickly acquire the necessary court orders and quickly serve them
upon one or more service providers in a communications chain. Under
current law, however, valuable time is consumed in acquiring individual
court orders in the name of each communications company for each newly
discerned link in the communications chain even though the legal
justification for the disclosure remains unchanged and undiminished. S.
2092 would amend 18 U.S.C. Sec. 3123(a) to authorize Federal courts to
issue one nation-wide order, which may then be served upon one or more
service providers, thereby substantially reducing the time necessary to
identify the complete pathway of a suspect's communication. Second, S.
2092 makes the statute more technology neutral by, among other things,
inserting the terms ``or other facility'' wherever ``telephone''
appears. This change codifies Federal court decisions that apply the
statute's provisions not merely to traditional telephone, but to an
ever expanding array of other, communications facilities. Together,
these are important changes that do not alter or lower the showing
necessary for the issuance of the court order but which do enhance the
order's usefulness to law enforcement.
We support the goal of S. 2092 to strengthen the general deterrence
aspects of the Computer Fraud and Abuse Act, and to provide some needed
procedural enhancements to help us confront the expanding criminal
threat in this dynamic and important part of our national economy while
continuing to protect individual privacy interests. The FBI looks
forward to working with the Committee on this important legislation.
keeping law enforcement on the cutting edge of cyber crime
As Internet use continues to soar, cyber crime is also increasing,
exponentially. As I mentioned earlier, our case load reflects this
growth. In fiscal year 1998, we opened 547 computer intrusion cases; in
fiscal year 1999, that number jumped to 1154. Similarly, the number of
pending cases increased from 206 at the end of fiscal year 1997, to 601
at the end of fiscal year 1998, to 834 at the end of fiscal year 99,
and to over 900 currently. These statistics include only computer
intrusion cases, and do not account for computer facilitated crimes
such as Internet fraud, child pornography, or e-mail extortion efforts.
In these cases, the NIPC and NIPCI squads often provide technical
assistance to traditional investigative programs responsible for these
categories of crime.
We can clearly expect these upward trends to continue. To meet this
challenge, we must ensure that we have adequate resources, including
both personnel and equipment, both at the NIPC and in FBI field
offices. Those personnel need specialized training to be effective.
Like many programs, the NIPC computer intrusion program is squeezing
the most out of every taxpayer dollar.
At the NIPC, we currently have 101 personnel on board, including 82
FBI employees and 19 detailees from other government agencies. This
cadre of investigators, computer scientists, and analysts perform the
numerous and complex tasks outlined above, and provide critical
coordination and support to field office investigations. As the crime
problem grows, we need to make sure that we keep pace by maintaining a
full complement of authorized staff, including both FBI personnel and
detailees from other agencies and the private sector. Although expert
personnel in this area are scarce, it is imperative that our partner
agencies participate in the NIPC to enhance our ability to coordinate
interagency activities and share information effectively.
We currently have 193 agents in FBI field offices nationwide
assigned to investigate computer intrusions (criminal and national
security), denial of service, and virus cases, and to work
infrastructure protection matters generally (which includes outreach to
industry and state and local law enforcement, our Key Asset Initiative,
and support to other investigative programs). Additional agents can be
called in on investigations as required. In order to maximize
investigative resources the FBI has taken the approach of creating
regional squads in 16 field offices that have sufficient size to work
complex intrusion cases and to assist those field offices without a
NIPCI squad. In those field offices without squads, the FBI is building
a baseline capability by having one or two agents to work NIPC matters.
In an effort to better use our resources and leverage the expertise
of other agencies, we are creating cyber crime task forces in FBI field
offices. Last week we unveiled the Pittsburgh High Tech Computer Crimes
Task Force, a new task force aimed at fighting cyber crimes. The task
force, one of the first in the nation, pools experts from local
agencies such as the Pittsburgh police with federal agencies such as
the FBI, Secret Service and the Internal Revenue Service into one room
to combat the rapid growth of cyber crimes. The task force will use
each agency's resources and obtain technical assistance from Carnegie
Mellon's Computer Emergency Response Team (CERT).
In addition to putting in place the requisite number of agents,
analysts, and computer scientists in the NSC and in FBI field offices,
we must fill those positions by recruiting and retaining personnel who
have the appropriate technical, analytical, and investigative skills.
This includes personnel who can read and analyze complex log files,
perform all-source analysis to look for correlations between events or
attack signatures and glean indications of a threat, develop technical
tools to address the constantly changing technological environment, and
conduct complex network investigations.
Training and continuing education are also critical, and we have
made this a top priority at the NIPC. In fiscal year 1999, we trained
383 FBI and other-government-agency students in NIPC sponsored training
classes on network investigations and infrastructure protection. The
emphasis for 2000 is on continuing to train federal personnel while
expanding training opportunities for state and local law enforcement
personnel. During fiscal year 2000, we plan to train approximately 740
personnel from the FBI, other federal agencies, and state and local law
enforcement.
The technical challenges of fighting crime in this arena are vast.
We can start just by looking at the size of the Internet and its
exponential growth. Today it is estimated that more than 60,000
individual networks with 40 million users are connected to the
Internet. Thousands of more sites and people are coming on line every
month. In addition, the power of personal computers is vastly
increasing. The FBI's Computer Analysis Response Team (CART) examiners
conducted 1,260 forensic examinations in 1998 and 1,900 in 1999. With
the anticipated increase in high technology crime and the growth of
private sector technologies, the FBI expects 50 percent of its caseload
to require at least one computer forensic examination. By 2001, the FBI
anticipates the number of required CART examinations to rise to 6,000.
Developing and deploying state-of-the-art equipment in support of
the NIPC's mission is also very important. Conducting a network
intrusion or denial-of-service investigation often requires
investigative analysis of voluminous amounts of data. For example, one
network intrusion case involving an espionage matter currently being
investigated has required the analysis of 17.5 Terabytes of data. To
place this into perspective, the entire collection of the Library of
Congress, if digitized, would comprise only 10 Terabytes. The Yahoo
DDOS attack involved approximately 630 Gigabytes of data, which is
equvalent to enough printed pages to fill 630 pickup trucks with paper.
The NIPC's technical analysis requires high capacity equipment to
store, process, analyze, and display data. Again, as the crime problem
grows, we must ensure that our technical capacity keeps pace.
Clearly, the FBI needs engineering personnel to develop and deploy
sophisticated electronic surveillance capabilities in an increasingly
complex and technica] investigative environment, skilled CART personnel
to conduct the computer forensics examinations to support an
increasingly diverse set of cases involving computers, as well as
expert NIPCI personnel to examine network log files to track the path
an intruder took to his victim.
Moreover, thc power of personal computers in increasing. During the
last part of 1998, most computers on the market had hard drives of 6-8
gigabytes (GB). Very soon 13-27 GB hard drives will become the norm. By
the end of 2000, we will be seeing 60-80 GB hard drives. All this
increase in storage capacity means more data that must be searched by
our forensics examiners, since even if these hard drives are not fill,
the CART examiner must review every bit of data and every area of the
media to search for evidence.
Over the past three years, the FBI's Laboratory Division (LD) has
been increasingly requested to provide data interception support for
such investigative programs as: Infrastructure Protection, Violent
Crimes (Exploitation of Children, Extortion), Counterterrorisrn, and
Espionage. In fact, since 1997, the LD has seen a dramatic increase in
field requests for assistance with interception of data communications.
Unless the FBI increases its data interception capabilities,
investigators and prosecutors will be denied timely access to valuable
evidence that will solve crimes and support the successfull
prosecutions of child pornographers, drug traffickers, corrupt
officials, persons committing fraud, terrorists, and other criminals.
Finally, one of the largest challenges to FBI computer
investigative capabilities lies in the increasingly widespread use of
strong encryption. The widespread use of digitally-based
telecommnunications technologies, and the unprecedented expansion of
computer networks incorporating privacy features/capabilities through
the use of cryptography (i.e encryption), has placed a tremendous
burden on the FBI's electronic surveillance technologies. Today the
most basic communications employ layers of protocols, formatting,
compression and proprietary coding that were non-existent only a few
years ago. New cryptographic systems provide robust security to
conventional and cellular telephone conversations, facsimile
transmissions, local and wide area networks, Internet communications,
personal computers, wireless transmissions, electronically stored
information, remote keyless entry systems, advanced messaging systems,
and radio frequency communications systems. The FBI is already
encountering the use of strong encryption. In 1999, 53 new cases
involved the use of encryption.
It is imperative that the FBI, on behalf of the law enforcement
commnunity, enhance its technical capabilities in the area of plaintext
access to encrypted evidence. In order to do this, law enforcement
needs Congressional support, both in terms of additional funding and
authorizations, for developing, maintaining, and deploying technical
capabilities that will provide law enforcement with these urgently
needed technical capabilities and meet the public safety challenges
posed by the criminal use of encryption. Included in the
Administration's ``New Approach to Encryption'' announcement last
September was support for the creation of the FBI's Technical Support
Center, which will serve as a centralized technical resource for
federal, state and local law enforcement with the necessary technical
capabilities to respond to the increased use of encryption in criminal
cases. The Technical Support Center is envisioned as an expansion of
the FBI's Engineering Research Facility (ERF) to take advantage of
ERF's existing institutional and technical expertise in this area. The
Administration's ``Cyberspace Electronic Security Act of 1999''
legislative propossl includes a provision authorizing $80 million over
four years for the Technical Support Center. The President's fiscal
year 2001 budget includes a $7 million enhancement for this effort.
CONCLUSION
I want to thank thc subcommittees again for giving me the
opportunity to testify here today. The cyber crime problem is real, and
growing. The NIPC is moving aggressively to meet this challenge by
trailing FBI agents and investigators from other agencies on how to
investigate computer intrusion cases, equipping them with the latest
technology and technical assistance, developing our analytic
capabilities and warning mechanisms to head off or mitigate attacks,
and closely cooperating with the private sector. We have already had
significant successes in the fight. I look forward to working with
Congress to ensure that we continue to be able to meet the threat as it
evolves and grows. Thank you.
Senator Kyl. Mr. Miller and Mr. Pethia will be our next
panel, and I will wait until everyone has had a chance to take
their seats here. We will operate under the 5-minute rule from
now on.
Our next panel will look at some roadblocks to better
analysis and sharing of information on cyber vulnerabilities
and threats. The first witness is Mr. Rich Pethia, director of
the Computer Emergency Response Team Centers at Carnegie Mellon
University's Software Engineering Institute in Pittsburgh.
These centers have provided a central response and coordination
facility for computer incidents since 1988.
Last fall, CERT publicized many warnings about the
potential for denial of service attacks, as we witnessed in
February. They analyzed the vulnerabilities of some systems to
being infected with malicious code and used as third-party
attackers. Many people heeded CERT's warnings and took steps to
protect their computer networks.
Mr. Pethia, thank you for joining us. We will place your
full written statement in the record, and in view of the time
we would ask for everyone, both questioning and presenting, to
limit remarks to 5 minutes, if you would. Thank you very much.
PANEL CONSISTING OF RICHARD D. PETHIA, DIRECTOR, COMPUTER
EMERGENCY RESPONSE TEAM CENTERS, SOFTWARE ENGINEERING
INSTITUTE, CARNEGIE MELLON UNIVERSITY, PITTSBURGH, PA; AND
HARRIS N. MILLER, PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION
OF AMERICA, ARLINGTON, VA
STATEMENT OF RICHARD D. PETHIA
Mr. Pethia. Mr. Chairman and members of the committee,
thanks for the opportunity to speak to you on the issue of
cyber defense. My perspective comes from the work that we do at
the CERT Coordination Center which was established in 1988 and
chartered to respond to security emergencies on the Internet.
In total, since then, we have handled well over 24,000 separate
security incidents and analyzed more than 1,500 computer
vulnerabilities.
The recently published rash of attacks on Internet e-
commerce sites reminds us once again of the fragility of many
of our sites on the Internet. Managing the risk that comes from
an ever-expanding use and dependence on information technology
will require an evolving strategy that stays abreast of changes
in the technology, changes in the ways we use the technology,
and changes in the way people attack us through our systems and
networks.
It is also going to require expanded research programs that
lead to fundamental advances in computer security, new
information technology products with better security
mechanisms, a larger number of technical specialists, improved
abilities to investigate and prosecute cyber criminals, and
increased and ongoing awareness and understanding of cyber
security issues. In the short time I have today, I will focus
on this last issue, building awareness and understanding.
The overall picture of vulnerability of threat is complex
and it requires collection and analysis of information on
vulnerabilities in information technology, evolving attack
technology, cyber attacks and cyber attackers, and the
effectiveness of defensive practices. And using this
understanding requires moving this data to technology producers
and system operators and convincing them to act on the
information.
Today, these tasks are largely being conducted by a loose-
knit network of investigative organizations, security response
teams, government and private sector research centers, system
and network operators, security product and service vendors,
and Government agencies chartered to conduct security
improvement efforts. The work of these organizations would be
facilitated, I think, if some of the following roadblocks were
removed.
First of all, the ongoing Federal debate over who is in
charge and the advantages or disadvantages of centralized
analysis capabilities. I believe that this problem is a
distributed problem. We have distributed the technology, we
have distributed the use of the technology, we have distributed
the management of technology, and we must distribute the
solution to this problem as well.
I don't believe it is possible to have a single analysis
center that serves the needs of all the various organizations
that need help. If you build it, people won't come. Trust
relationships are fragile; they build slowly and they cannot be
reassigned. It is simply not possible to build an overall,
comprehensive picture of activity on the networks. They are too
big, they are growing too quickly, and they are literally being
reconfigured and reengineered on the fly.
All of the talent that is needed to perform the various
kinds of analysis--and people have to come to this from
different perspectives--simply cannot be collected in one
place. It is much more effective and cost-efficient to
distribute the data rather than trying to collect the people.
Second, I don't believe that centralization is necessarily
going to be more efficient. Any central organization can only
perform analysis tasks at a certain generic high level of
activity, and the detailed work that helps people understand
how to apply the results of the analysis still has to happen.
We are not going to replace all of these organizations that
have operational responsibility. What we need to do is not
focus on how to pull data together, but focus on how to push it
out to all the people who must use it.
The second obstacle, I believe, is that we have been
talking about, and the Federal Government has been talking
about and studying this problem for years, but there hasn't
been a significant increase in funding over the years to deal
with the problem. Using my own organization as an example,
since 1988 our budget has increased by a factor of 5, but yet
the workload has increased by a factor of 80.
I don't know of any other organization that is dealing with
this security problem who hasn't had the same experience. Every
organization out there today is strained because the problem is
effectively doubling every year and we simply can't keep up
with the problem. Progress will come when analysis centers are
funded, when information sharing infrastructures are
established, and when we begin to move this data out to the
people who need to use it.
Another issue has already been discussed this morning: lack
of protection for sensitive and company proprietary data.
Information sharing between the private sector and the Federal
Government must receive protection from FOIA and other forms of
mandatory disclosure not just for trade secrets and other kinds
of company proprietary information, but to move information
assurance form the ad hoc art that it is today to a real
engineering discipline.
We need a detailed understanding of organizations' systems,
their policies, their practices, the kinds of information that
would make an organization vulnerable. This has to come through
Federal organizations as well as federally-funded research
programs and that information has to be protected.
Finally, the last thing that I think is central to this, is
a better understanding of threats. Today, we are literally
awash in a sea of information about vulnerability. We know
plenty about the vulnerability in our technologies and in our
infrastructures, but we have little real awareness and
understanding of the real threats.
Senior executives in Government and industry are going to
continue to resist investment in improving information
assurance until they have some hard data that convinces them
that there are real criminals, real terrorists, real people who
are out there to do damage. Incidents like the attacks against
e-commerce sites will have an effect, but that effect will be
short term; it won't last for more than a few more months.
We seem to deal with crisis situations when they come up,
but what we really need to understand--and we need help from
the investigative and the intelligence community to do this--is
to get better information about the threat that we are all
facing and what kinds of real damage might be done. We
understand the vulnerability. In the absence of a smoking gun,
I think it is unlikely that many organizations will have the
motivation to invest in and improve cyber defense.
Thank you.
[The prepared statement of Mr. Pethia follows:]
Prepared Statement of Richard D. Pethia
INTRODUCTION
Mr. Chairman and Members of the Senate Judiciary Subcommittee on
Technology, Terrorism, and Government Information:
My name is Rich Pethia. I am the director of the CERT
Centers, which include the CERT Coordination Center and the
CERT Analysis Center. The centers are part of the Software Engineering
Institute (SEI) at Carnegie Mellon University. Thank you for the
opportunity to speak to you on the issue of cyber defense. Today I will
describe a number of issues that have impact on security on the
Internet and outline some of the steps I believe are needed to
effectively manage the increasing risk of damage from cyber attacks.
My perspective comes from the work we do at the CERT Centers. The
CERT Coordination Center (CERT/CC) was established in 1988,
after an Internet ``worm'' stopped 10 percent of the computers
connected to the Internet. This program--the first Internet security
incident to make headline news--was the wake-up call for network
security. In response, the CERT/CC was established at the SEI. The
center was chartered to respond to security emergencies on the Internet
and to work with both technology producers and technology users to
facilitate response to emerging security problems. In the first full
year of operation, 1989, The CERT/CC responded to 132 computer security
incidents. In 1999, the staff responded to more than 8,000 incidents.
In total, the CERT/CC staff has handled well over 24,000 incidents and
analyzed more than 1,500 computer vulnerabilities. More details about
our work are attached to the end of this testimony (see Meet the CERT
Coordination Center).
The recently established CERT Analysis Center (CERT/AC)
addresses the threat posed by rapidly evolving, technologically
advanced forms of cyber attacks. Working with sponsors and associates,
the CERT Analysis Center collects and analyzes information assurance
data to develop detection and mitigation strategies that provide high-
leverage solutions to information assurance problems, including
countermeasures for new vulnerabilities and emerging threats. The CERT
Analysis Center builds upon the work of the CERT Coordination Center.
The CERT Analysis Center extends current incident response capabilities
by developing and transitioning protective measures and mitigation
strategies to defend against advanced forms of attack before they are
launched. Additionally, it provides the public and private sectors with
opportunities for much-needed collaboration and information sharing to
improve cyber attack defenses.
AN EVER-CHANGING PROBLEM
The recently publicized rash of attacks on Internet e-commerce
sites reminds us once again of the fragility of many sites on the
Internet and of our ongoing need to improve our ability to assure the
integrity, confidentiality, and availability of our data and systems
operations. While it is important to react to crisis situations when
they occur, it is just as important to recognize that cyber defense is
a long-term problem. The Internet and other forms of communication
systems will continue to grow and interconnect. More and more people
and organizations will conduct business and become otherwise dependent
on these networks. More and more of these organizations and individuals
will lack the detailed technical knowledge and skill that is required
to effectively protect systems today. More and more attackers will look
for ways to take advantage of the assets of others or to cause
disruption and damage for personal or political gain. The network and
computer technology will evolve and the attack technology will evolve
along with it. Many information assurance solutions that work today
will not work tomorrow.
Managing the risks that come from this expanded use and dependence
on information technology requires an evolving strategy that stays
abreast of changes in technology, changes in the ways we use the
technology, and changes in the way people attack us through our systems
and networks. The strategy must also recognize that effective risk
management in any network like the Internet is unlikely to come from
any central authority, but can only be accomplished through the right
decisions and actions being made at the end points: the organizations
and individuals that build and use our interconnected information
infrastructures. Consider this:
We have distributed the development of the technology--
today's networks are made up of thousands of products from hundreds of
vendors.
We have distributed the management of the technology--
management of information technology in today's organizations is most
likely distributed, and the trend toward increased collaborations and
mergers will make that more likely in the future.
We have distributed the use of the technology--the average
computer user today has little in-depth technical skill and is properly
focused on ``getting the job done'' rather than learning the nuances
and idiosyncrasies of the technology.
We must distribute the solution to the information
assurance problem as well--the technology producers, organization and
systems managers, and systems users are the only ones that can
implement effective risk management programs.
In the long run, effective cyber defense will require:
expanded research programs that lead to fundamental
advances in computer security;
new information technology products with security
mechanisms that are better matched to the knowledge, skills, and
abilities of today's system managers, administrators, and users;
a larger number of technical specialists who have the
skills needed to secure large, complex systems;
improved abilities to investigate and prosecute cyber
criminals; and
increased and ongoing awareness and understanding of
cyber-security issues, vulnerabilities, and threats by all stakeholders
in cyber space.
With the short time I have with you today, I will focus on removing
barriers to the last of these: building an ongoing awareness and
understanding of cyber-security issues.
BUILDING AWARENESS AND UNDERSTANDING
Information technology is evolving at an ever-increasing rate with
thousands of new software products entering the market each month.
Increasingly, cyber security depends not just on the security
characteristics and vulnerabilities of basic networking and operating
system software, but also on the characteristics and vulner-
abilities of software used to implement large, distributed applications
(e.g., the World Wide Web). In addition, attack technology is now being
developed in an open source environment where a community of interest
is evolving this technology at a rapid pace. Several significant new
forms of attack have appeared in just the past year (for example, the
Melissa virus, which exploits the widespread use of electronic mail to
spread at network speeds, and distributed denial-of-service tools that
harness the power of thousands of vulnerable systems to launch
devastating attacks on major Internet sites). It is likely that attack
technology will continue to evolve in this ``public'' forum and that
the evolution will accelerate to match the pace of change in
information technology. Once developed, this attack technology can be
picked up and used by actors with significant resources to hone and
advance the technology, making it a much more serious threat to
national security and the effective operation of government and
business.
The overall picture of vulnerability and threat is complex, but it
must be understood to develop effective cyber-defense strategies.
Building this understanding requires:
Collection and analysis of information on the security
characteristics and vulnerabilities of information technology;
Collection and analysis of information on evolving attack
technology;
Collection and analysis of information on cyber attacks;
Collection and analysis of information on cyber attackers;
and
Collection and analysis of information on the
effectiveness of defensive practices and technologies.
Using this understanding to develop effective defense strategies
requires:
Providing technology producers and the rapidly growing
community of system operators with information from the analysis
activities; and
Convincing this community to act on this information to
reduce serious vulner-
abilities and implement effective security controls.
The tasks described above are currently being conducted by a loose-
knit network of cooperating organizations. Each organization focuses on
its area of expertise and the needs of its customers or constituents.
Each organization shares as much information as it can with others.
Many varied organizations participate in this network, including
federal, state, and local investigative organizations, security
incident response teams, government labs and federally-funded research
and development centers, security researchers in universities and
industry, technology producing organizations, security product and
service vendors, system and network operators, and government agencies
chartered to conduct security improvement efforts. The work of these
organizations would be facilitated if the roadblocks described below
were removed.
The federal debate over who's in charge.--The ongoing federal
debate over who's in charge and whether or not the grand analysis
center in the sky should be established is only detracting from the
real work that is going on in the qualified organizations listed above.
The Department of Defense must conduct data collection and analysis
activities to operate and protect its networks. The FBI and NIPC must
conduct data collection and analysis activities to carry out their
missions of criminal investigation and infrastructure defense. GSA and
NIST must conduct data collection and analysis activities to carry out
their missions of dealing with incidents and improving security in the
civilian agencies. University and industry researchers are among the
best resources available to understand the evolution of information
technology, attack technology and the interplay between them. The other
organizations listed above must conduct data collection and analysis
activities to meet the needs of their customers and sponsors. Attempts
to replace these activities with one central data collection and
analysis activity are misguided and seemingly miss the following
realities.
If you build it, they won't come--Sharing of sensitive
security information is dependent on the trust relationship established
between the information sender and receiver. These relationships are
fragile, often take years to establish, and cannot be replaced by
changing mandates or reassigning responsibilities.
It is not possible to build an overall, comprehensive
picture of activity on the networks--In spite of the strong desire to
``see it all'' so we can ``understand it all,'' it is simply not
possible to build a comprehensive view of activity on the networks.
They are too big; they are growing too quickly; they lack the needed
sensors; and they are literally being reconfigured and re-engineered on
the fly. The challenge is not to pull all the data together, but to
ensure that the right data is at the right place at the right time to
allow local decision-makers to take effective action.
All the talent needed to perform the analysis cannot be
collected in one place--The detailed analysis work that must be done
requires a combination of talents and skills and the best people that
we can find. Organizations are not willing to give up their best people
to other organizations, and the people are not willing move. It is much
more effective and efficient to move the data than to move the people.
What is needed is an information-sharing network where data can be
shared among organizations and analysis conducted at different sites
for different reasons. The challenge is not to pull all data together,
but to push it out to meet the varying needs of the various audiences.
Centralization is not more efficient--Any central
organization, unfamiliar with the operational needs of any particular
network operator, technology developer, or researcher, will only be
able to perform generic analysis tasks that yield high-level results.
The detailed work must still be done to develop the detailed strategies
and plans needed to build an effective cyber defense. Centralization is
more likely to increase costs rather than decrease them. What is needed
is increased collaboration among all players able to contribute to and
draw from a growing body of data and knowledge.
Inadequate resources for the work that must be done.--The federal
government has studied and debated the cyber-security problem for
years. The newest flurry of activity began with the Presidential
Commission on Critical Infrastructure Protection in 1996 and has led to
the establishment of the National Infrastructure Protection Center and
the creation of the National Plan for Information System Protection.
However, many of the views being discussed and debated today are echoes
of earlier studies and conclusions. The 1989 DARPA-funded study,
Computers at Risk *, reached many of the same conclusions and
recommended many of the same actions as the more recent studies. What
has been missing is action and funding to take the steps needed to deal
with this problem effectively. In spite of the nearly exponential
growth of security incidents and security vulnerabilities over the last
ten years, there has been little increase in budget to deal with these
problems. Analysis centers must be resourced, information-sharing
infrastructures must be established, and transition activities that
move needed information and security solutions their eventual users
must be staffed. We will make progress when we invest in making
progress.
---------------------------------------------------------------------------
* Computers at Risk: Safe Computing in the Information Age,
National Research Council. Washington, D.C.: National Academy Press,
1991.
---------------------------------------------------------------------------
Lack of protection for sensitive and company proprietary data.--
Information sharing between the private sector and the federal
government is impeded by the lack of protection from FOIA and other
forms of disclosure. Organizations that are the victims of cyber
attacks can contribute greatly to the understanding of cyber defense by
providing detailed information regarding the security incidents they
have suffered: losses, methods of attack, configurations of systems
that were successfully attacked, processes used by the organization
that were vulnerable, etc. Much of this information is extremely
sensitive and could be used to damage the corporation if it became
public. In addition, corporations often have more to lose from damaged
reputations than from the attacks themselves. These organizations will
not share security incident or loss information unless they have a high
degree of confidence that this information will be protected from
public disclosure. The federal government must take steps to protect
the sensitive data as a precursor to information sharing. Only then
will it be possible to form the trust relationships and begin data-
sharing activities.
Lack of information on threats.--Any effective risk management
strategy requires an understanding of three things:
1. The value of the assets that must be protected and the
consequences of loss of confidentiality or operational capability
2. The vulnerabilities that could be exploited to bring about the
losses
3. The threats that exist--the actors that would exploit the
vulnerabilities and some indication of the probability that they would
do so
Today we are awash in information regarding vulnerabilities in our
technologies and our networked systems. Computer security incident
response teams warn their constituents of vulnerabilities that are
being exploited. Internet news groups routinely publish descriptions of
vulnerabilities and methods to exploit them. Technology vendors alert
their customers to vulnerabilities in their products and provide
software upgrades to correct them. Conferences and training courses
abound that focus on corrections to vulnerabilities.
At the same time, system and network operators are becoming
increasingly aware of the value of their information assets and of
their growing dependence on the Internet and other communications
infrastructures. The current emphasis on electronic commerce and use of
the Internet as a powerful marketing and sales tool is sure to
accelerate this understanding.
With all this focus on value and vulnerability, why are so many
organizations taking so little action to improve their cyber-security?
Because they have little hard data that convinces them that there are
real threats to their operations. We all know that we are vulnerable to
many things. Our cars are vulnerable to certain forms of attack. Our
homes and places of business are vulnerable to certain forms of attack.
As individuals, we are vulnerable to certain forms of attack yet we are
not all driven to distraction by this sea of vulnerability. We first
focus not on vulnerability but on threat. We act to correct
vulnerabilities when we believe there is a significant probability that
someone will take advantage of them. The same is true in cyber space.
Operational managers know that they cannot afford to eliminate every
vulnerability in their operations. They need data to help them
understand which ones are most critical; and which ones are likely to
be exploited.
Our law enforcement and intelligence organizations must find ways
to release threat data to the operational mangers of information
infrastructures to motivate these managers to take action and to help
them understand how to set their priorities. In the absence of a
smoking gun, it is unlikely that many organizations will have the
motivation to invest in improved cyber defense.
Job title
Manager, Networked Systems Survivability (NSS) Program
Key responsibilities
Provide strategic direction for the Networked Systems Survivability
Program and its CERT Coordination Center activity.
Professional background
Mr. Pethia has managed the NSS Program since 1995. The NSS program
improves both practices and understanding of security and survivability
issues relating to critical information infrastructures. The NSS
program draws heavily on the security incident and vulnerability data
gained from its CERT Coordination Center (CERT/CC) to further
applied research and development efforts. The SEI has operated the
CERT/CC since 1988, and has provided a central response and
coordination facility for global information security incident response
and countermeasures for threats and vulnerabilities.
Prior to joining the SEI, Mr. Pethia was director of engineering at
Decision Data Computer Company, a computer system manufacturer in
Philadelphia, Pennsylvania. There he was responsible for engineering
functions and resource management in support of new product
development.
Mr. Pethia also was manager of operating systems development for
Modular Computer Corporation in Fort Lauderdale, Florida. While there
he lead development efforts focused on real-time operating systems,
networks, and other system software in the application areas of
industrial automation, process control, data acquisition, and
telecommunications.
Contact information
Electronic mail address: [email protected]
Phone: (412) 268-7739
Fax: (412) 268-6989
Room 4108
______
Meet the CERT Coordination Center
overview
The CERT Coordination Center (CERT/CC) is located at the Software
Engineering Institute (SEI), a federally-funded research and
development center at Carnegie Mellon University in Pittsburgh,
Pennsylvania. Following the Internet Worm incident, which brought 10
percent of Internet systems to a halt in November 1988, the Defense
Advanced Research Projects Agency (DARPA) charged the SEI with setting
up a center to coordinate communication among experts during security
emergencies and to help prevent future incidents. Since then, the CERT/
CC has helped to establish other response teams and our incident
handling practices have been adopted by more than 80 response teams
around the world.
While we continue to respond to security incidents and analyze
product vulnerabilities, our role has expanded over the years. Each
year, commerce, government, and individuals grow increasingly dependent
on networked systems. Along with the rapid increase in the size of the
Internet and its use for critical functions, there have been
progressive changes in intruder techniques, increased amounts of
damage, increased difficulty of detecting an attack, and increased
difficulty of catching the attackers. To better manage these changes,
the CERT/CC is now part of the larger SEI Networked Systems
Survivability Program, whose primary goals are to ensure that
appropriate technology and systems management practices are used to
resist attacks on networked systems and to limit damage and ensure
continuity of critical services in spite of successful attacks
(``survivability'').
To accomplish our goals, we focus our efforts on the following
areas of work: survivable network management, survivable network
technology, incident response, incident and vulnerability analysis,
knowledgebase development, and courses and seminars.
We are also committed to increasing awareness of security issues
and helping organizations improve the security of their systems.
Therefore, we disseminate information through several channels.
AREAS OF WORK
Survivable network management
Our survivable network management effort focuses on publishing
security improvement practices, developing a self-directed method for
organizations to improve the security of their network computing
systems, and defining an adaptive security improvement process.
Security improvement practices provide concrete, practical guidance
that will help organizations improve the security of their networked
computer systems. These practices are published as security improvement
modules and focus on best practices that address important problems in
network security. We have published seven modules, incorporating more
than 80 recommended practices and technology-specific implementations.
A complete list of the modules, practices, and implementations can be
found on the CERT/CC Web site at: http://www.cert.org/security-
improvement/
Our self-directed security evaluation method will give
organizations a comprehensive, repeatable technique that can be used to
identify risk in their networked systems and keep up with changes over
time. The method takes into consideration assets, threats, and
vulnerabilities (both organizationally and technologically) so that the
organization gains a comprehensive view of the state of its systems'
security.
Additionally, the adaptive security management process, that we
have under development, builds on and incorporates our work on security
practices and self-directed security evaluations. The adaptive process
presents a structure that an organization can use to develop and
execute a plan for continuously improving the security of its networked
systems.
Survivable network technology
In the area of survivable network technology, we are concentrating
on the technical basis for identifying and preventing security flaws
and for preserving essential services if a system is penetrated and
compromised. Approaches that are effective at securing bounded systems
(systems that are controlled by one administrative structure) are not
effective at securing unbounded systems such as the Internet.
Therefore, new approaches to system security must be developed. They
include design and implementation strategies, recovery tactics,
strategies to resist attacks, survivability trade-off analysis, and the
development of security architectures. This work draws on the vast
collection of incident data collected by the CERT/CC. For introductory
information, technical reports, and more, see: http://www.cert.org/
research
Incident response
We provide assistance to computer system administrators in the
Internet community who report security problems. When a security breach
occurs, we help the administrators of the affected sites to identify
and correct the vulnerabilities that allowed the incident to occur. We
will also coordinate the response with other sites affected by the same
incident. When a site specifically requests, we will facilitate
communication with law enforcement agencies.
Since our inception in 1988, we have received more than 260,000
email messages and 17,600 hotline calls reporting computer security
incidents or requesting information. We have handled more than 24,300
computer security incidents and received more than 1,500 vulnerability
reports.
The scale of emerging networks and the diversity of user
communities make it impractical for a single organization to provide
universal support for addressing computer security issues. Therefore,
the CERT/CC staff regularly works with sites to help them form incident
response teams and provides guidance to newly formed teams.
FedCIRC.--We are responsible for the day-to-day operations of
FedCIRC, the Federal Computer Incident Response Capability, an
organization that provides incident response and other security-related
services to Federal civilian agencies. FedCIRC is managed by the
General Services Administration (GSA).
More information about FedCIRC is available from http://
www.fedcirc.gov/. Federal agencies can contact FedCIRC by sending email
to [email protected] or by calling the FedCIRC Management Center
at (202) 708-5060. To report an incident, affected sites should send
email to [email protected] or phone the FedCIRC hotline at (888) 282-
0870.
Incident and vulnerability analysis
Our ongoing computer security incident response activities help the
Internet community to deal with its immediate problems while allowing
us to understand the scope and nature of the problems and of the
community's needs. Our understanding of current security problems and
potential solutions comes from first-hand experience with compromised
sites on the Internet and subsequent analysis of security incidents,
intrusion techniques, configuration problems, and software
vulnerabilities.
The CERT/CC has become a major reporting center for incidents and
vulner-
abilities because we have an established reputation for discretion and
objectivity. Organizations trust us with sensitive information about
security compromises and network vulnerabilities because we have proven
our ability to keep their identities and other sensitive information
confidential. Our connection with the Software Engineering Institute
and Carnegie Mellon University contributes to our ability to be
neutral, enabling us to work with commercial competitors and government
agencies without bias. As a result of the community's trust, we are
able to obtain a broad view of incident and vulnerability trends and
characteristics.
When we receive a vulnerability report, our vulnerability experts
analyze the potential vulnerability and work with technology producers
to inform them of security deficiencies in their products and to
facilitate and track their response to these problems. Another source
of vulnerability information comes from incident analysis. Repeated
incidents of the same type often point to the existence of a
vulnerability and, often, the existence of public information or
automated tools for exploiting the vulnerability.
To achieve long-term benefit from vulnerability analysis, we have
begun to identify the underlying software engineering and system
administration practices that lead to vulnerabilities and, conversely,
practices that prevent vulnerabilities. We will broadly disseminate
this information to practitioners and consumers and influence educators
to include it in courses for future software engineers and system
administrators. Only when software is developed and installed using
defensive practices will there be a decrease in the expensive, and
often haphazard, reactive use of patches and workarounds.
Knowledgebase development
We are developing a knowledgebase that will help to capture and
effectively use information related to network survivability and
security. The work includes developing processes and tools to support
the increasing complexity of handling incidents, analyzing
vulnerabilities, and managing the volume of information that is
essential to the CERT/CC mission. We are forming collaborative
relationships with other organizations to support this work.
Education and training
We offer public training courses for technical staff and managers
of computer security incident response teams (CSIRTs) as well as for
system administrators and other technical personnel interested in
learning more about network security. In addition, several CERT/CC
staff members teach courses in the Information Security Management
specialization of the Master of Information Systems Management program
in the H. J. Heinz III School of Public Policy and Management at
Carnegie Mellon University. For more information, see:
http://www.cert org/training/index.html
information dissemination
To increase awareness of security issues and help organizations
improve the security of their systems, we collect and disseminate
information through multiple channels:
L telephone and email; hotline: (412) 268-7090; email:
[email protected]; mailing list: [email protected]
L USENET newsgroup: comp.security.announce
LWorld Wide Web: http://www.cert.org
Lanonymous FTP: ftp://ftp.cert.org/pub/
Since beginning operation in 1988, we have handled more than 17,600
hotline calls and 260,600 mail messages. We have published 290 security
alerts (advisories, vendor-initiated bulletins *, incident notes,
vulnerability notes, and CERT summaries).
---------------------------------------------------------------------------
* Publication of vendor-initiated bulletins was discontinued in
1999.
---------------------------------------------------------------------------
Publications
Advisories.--CERT/CC advisories address Internet security problems.
They offer an explanation of the problem, information that helps you
determine if your site has the problem, fixes or workarounds, and
vendor information. Among the criteria for developing an advisory are
the urgency of the problem, potential impact of intruder exploitation,
and the existence of a software patch or workaround. On the day of
release, we send advisories to a mailing list, post them to the USENET
newsgroup comp.security.announce and make them available on the CERT
Web site at
http://www.cert.org/advisories/.
CERT Summaries.--We publish the CERT Summary as part of our ongoing
efforts to disseminate timely information about Internet security
issues. The summary is typically published four to six times a year.
The primary purpose of the summary is to call attention to the types of
attacks currently being reported to the CERT/CC. Each summary includes
pointers to advisories or other publications that explain how to deal
with the attacks. Summaries are distributed in the same way as
advisories.
Incident Notes and Vulnerability Notes.--We publish two web
documents, Incident Notes and Vulnerability Notes, as an informal means
for giving the Internet community timely information relating to the
security of its sites. Incident Notes describe current intruder
activities that have been reported to the CERT/CC incident response
team. Vulnerability Notes describe weaknesses in Internet-related
systems that could be exploited but that do not meet the criteria for
advisories.
Security Improvement Modules.--Security Improvement Modules address
an important but narrowly defined problem in network security. They
provide concrete, practical guidance that will help organizations
improve the security of their network computer systems. The modules are
available on the CERT Web site at http://www.cert.org/security-
improvement/. We have published, in Web form only, technology-specific
implementation details for the modules.
Other Security Information.--We capture lessons learned from
incident handling and vulnerability analysis and make them available to
users of the Internet through a web site archive of security
information and products. These include answers to frequently asked
questions, a security checklist, ``tech tips'' for system
administrators, research and technical reports, and a handbook for new
computer security incident response teams (CSIRTs).
ADVOCACY AND OTHER INTERACTIONS WITH THE COMMUNITY
The CERT/CC has the opportunity to advocate high-level changes that
improve Internet security and network survivability. Additionally,
CERT/CC staff members are invited to give presentations at conferences,
workshops, and meetings. These activities enhance the understanding of
Internet security and related issues.
Forum of Incident Response and Security Teams (FIRST).--FIRST is a
coalition of individual response teams around the world. Each response
team builds trust within its constituent community by establishing
contacts and working relationships with members of that community.
These relationships enable response teams to be sensitive to the
distinct needs, technologies, and policies of their constituents. FIRST
members collaborate on incidents that cross boundaries, and they cross-
post alerts and advisories on problems relevant to their constituents.
The CERT/CC was a founding member of FIRST, and staff members
continue to be active participants in FIRST. A current list of FIRST
members is available from www.first.org/team-info/. More than 80 teams
belonged to FIRST, and membership applications for additional teams are
pending.
Internet Engineering Task Force
Members of our staff influence the definition of Internet protocols
through participation in the Internet Engineering Task Force (IETF); a
member of our staff sits on the Security Area Advisory Group to ensure
that the CERT/CC perspective is brought to bear on all new standards
activities.
Vendor relations
We work closely with technology producers to inform them of
security deficiencies in their products and to facilitate and track
their response to these problems. Staff members have worked to
influence the vendors to improve the basic, as shipped, security within
their products and to include security topics in their standard
customer training courses. We interact with more than 100 vendors, as
well as developers of freely available software such as sendmail and
BIND.
Vendors often provide information to the CERT/CC for inclusion in
advisories.
External events
CERT/CC staff members are regularly invited to give presentations
at conferences, workshops, and meetings. We have found this to be an
excellent tool to educate attendees in the area of network information
system security and incident response.
Media relations
Internet security issues increasingly draw the attention of the
media. The headlines, occasionally sensational, report only a small
fraction of the events that are reported to the CERT/CC. Even so,
accurate reporting on security issues can raise the awareness of a
broad population to the risks they face on the Internet and steps they
can take to protect themselves. Ultimately, the increased visibility of
security issues may lead consumers to demand increased security in the
computer systems and network services they buy.
In the course of a year, the CERT/CC is referred to in major U.S.
newspapers and in a variety of other publications, from the Chronicle
of Higher Education to IEEE Computer. Our staff gives interviews to a
selected number of reporters, under the guidance of the SEI public
affairs manager.
In 1999, the CERT/CC has been covered in radio, television, print,
and online media around the world, including US News and World Report,
USA Today, the San Jose Mercury News, The New York Times, The Wall
Street Journal, The Washington Post, the Chicago Sun-Times, The Toronto
Star, the Ottowa Citizen, Agence Eqrance Presse, Deutsche Presse-
Agentur, the Xinhua News Agency, MSNBC, Ziff-Davis ZDNET, BBC London,
National Public Radio, ABC, CNN, NBC, and more.
______
Appendix A: The CERT/CC Charter
The CERT/CC is chartered to work with the Internet community in
detecting and resolving computer security incidents, as well as taking
steps to prevent future incidents. In particular, our mission is to
Provide a reliable, trusted, 24-hour, single point of
contact for emergencies.
Facilitate communication among experts working to solve
security problems.
Serve as a central point for identifying and correcting
vulnerabilities in computer systems.
Maintain close ties with research activities and conduct
research to improve the security of existing systems.
Initiate proactive measures to increase awareness and
understanding of information security and computer security issues
throughout the community of network users and service providers.
______
Appendix B: The CERT/CC and the Internet Community
The CERT/CC operates in an environment in which intruders form a
well-connected community and use network services to quickly distribute
information on how to maliciously exploit vulnerabilities in systems.
Intruders dedicate time to developing programs that exploit
vulnerabilities and to sharing information. They have their own
publications, and they regularly hold conferences that deal
specifically with tools and techniques for defeating security measures
in networked computer systems.
In contrast, the legitimate, often overworked, system
administrators on the network often find it difficult to take the time
and energy from their normal activities to stay current with security
and vulnerability information, much less design patches, workarounds
(mitigation techniques), tools, policies, and procedures to protect the
computer systems they administer.
In helping the legitimate Internet community work together, we face
policy and management issues that are perhaps even more difficult than
the technical issues. For example, one challenge we routinely face
concerns the dissemination of information about security
vulnerabilities. Our experience suggests that the best way to help
members of the network community to improve the security of their
systems is to work with a group of technology producers and vendors to
develop workarounds and repairs for security vulnerabilities disclosed
to the CERT/CC. To this end, in the absence of a major threat, we do
not publicly disclose vulnerabilities until a repair or workaround has
been developed.
Copyright 2000 Carnegie Mellon University. Conditions for use,
disclaimers, and sponsorship information can be found in http://
www.cert.org/legal--stuff/legal--stuff.html.
* CERT is registered in the U.S. Patent and Trademark Office
Last updated February 16, 2000
Senator Kyl. Well, that is sobering and we will get to some
questions here in just a bit.
Our next witness is Mr. Harris Miller, president of the
Information Technology Association of America. ITAA is the
oldest and largest information technology trade association,
representing 26,000 software services, Internet,
telecommunications, electronic commerce, and systems
integration companies. Mr. Miller is also president of the
World Information Technology and Services Alliance,
representing 41 high-tech trade groups around the world.
Thank you, Mr. Miller, for joining us. We will place your
full written statement in the record as well, and invite you to
make a summary statement at this time.
STATEMENT OF HARRIS N. MILLER
Mr. Miller. Thank you, Senator Kyl and Senator Feinstein,
and my commendations to you for holding this hearing. The title
of this hearing, ``Cyber Attacks'' ``Removing Roadblocks to
Investigation and Information Sharing,'' itself is very
encouraging because the roadblocks and the potholes are real.
But I continue to believe that the road to common ground and
information sharing can be navigated and we can achieve
information sharing, with some qualifications.
Assessing the ultimate InfoSec responsibility and roles for
the Government agencies and for the private sector is really
very simple. Our new information-based assets both domestically
and globally must be protected and preserved. We at ITAA have
been working for several years to execute a multifaceted plan
designed to improve cooperation on information security.
However, it is important to point out that it is not just
the IT industry, it is not just government, it is everyone. We
must work across industry, we must work industry with
government. To think of it metaphorically, if the Public Health
Service put out a warning and only a certain percentage of the
population got that warning to cover their mouths when they
cough, two bad things would happen. No. 1, all the people who
didn't get that warning would all cough over each other and
they would get sick, plus they would cough all over the people
who did cover their mouths and they would get sick, too.
The uniqueness of the Internet that it is so open is its
blessing and its curse. So solving the problem uniquely in the
IT industry or within the banking industry or within government
will not solve the problem. We must all work together.
We have a unique role as an association because we have
been appointed as the sector coordinator for the information
and communications sector by the Department of Commerce, along
with the Telecommunications Industry Association and the U.S.
Telephone Association. We are exploring all aspects of this
problem. Our overall plan includes awareness, education,
training, developing best practices, research and development,
international coordination, and the major topic of today's
hearing, information sharing.
It is important to note that in this information sharing
focus, difficulties exist sharing information not just between
industry and government, but, Senators, sharing information
within the industry and across industries. This is not a slam
dunk on any front, and so the committee should not think that
the only challenge is getting cooperation between industry and
government. Getting information sharing even within industry
itself is a major challenge.
Why are companies reluctant to share information? You have
already heard many of them come forward in the earlier
questions. The possibility of negative publicity; the loss of
confidence of customers, of shareholders; the possible exposure
of major vulner- abilities--all these are reasons. Customers
are fearful of revealing trade secrets. They fear that
information that does go to the Government, notwithstanding the
well-intentioned reassurances of Director Freeh, will, in fact,
end up in the public news.
So whether, again, we are talking about information sharing
within industry, across industries, or between industry and
government, the concern about trust--and I keep coming back to
that word because I think it is so key, Senator--is something
that we must overcome.
We also, of course, must be concerned, and companies are
very concerned about protecting customers' privacy. We believe
security and privacy are necessarily interlinked, but industry
is concerned that if they share information, they may run into
situations where inadvertently individual privacy is breached
and they run into the bad side of that whole issue.
How do we deal with this challenge? How do we work on
developing the trust? Well, in terms of the overall approach,
Senator, our simple comment at the top is we must find industry
leadership. Industry controls over 90 percent of the assets
which you were discussing, and you and Senator Schumer and
Senator Feinstein mentioned in your opening comments that
industry leadership is key. Regulation is not the answer.
So what do these industry leadership structures look like?
Well, we have been working very closely with the Department of
Justice, the National Security Council, the NIPC, the
Department of Commerce, the Critical Information Assurance
Office and the whole melange of agencies within the Government
to increase trust and communication.
For example, we are holding a major meeting between many of
our member companies and Attorney General Janet Reno next week
in California, followed by a meeting here on the East Coast in
May, to increase the communication and to discuss how to
increase the trust. As another example, we have brought FBI
agents forward through their InfoGuard program to meet with
many of our local associations to make sure that they can help
build the trust and communication.
We also believe that the issues that were raised before,
about the Freedom of Information Act, have to be addressed
because that could become an obstacle. Another issue we must
face is developing trust internationally. As Senator Schumer
and others discussed, that is very important, and therefore we
are organizing a global information security summit this fall
which will be modeled on the Partnership for Critical
Infrastructure Protection which is existing domestically to
make sure that industry shares information across industries,
not just again between industry and Government.
We also believe that the International Information and
Coordination Center that Senator Bennett referred to should be
maintained for a period of time to determine whether it can
play some role in solving information-sharing and trust.
Another issue we are focusing on is young people, which
Senator Schumer brought up in his questions. We are in a
collaborative partnership with the Department of Justice in
what is called a cyber citizen partnership to teach ethics to
young people. They have all the technology skills. What they
frequently don't have is the basic behavioral rules of the
road.
We also believe that there is a need for more money for
research and development, and support for the initiative coming
out of the Administration for an institute for information
infrastructure protection. And another funding source that
Congress should look at is more money for training. The
problems that Director Freeh outlined in terms of a shortage of
people within the Government to do this kind of analysis and
forensic exercises--a similar problem exists in the private
sector. To put it simply, Senator, we do not have enough
skilled people in the IT industry generally, and we certainly
don't have enough people with the overall skills to be
specialists in information security.
In conclusion, we at ITAA face daunting job of convincing
the IT industry and other industries to both work with each
other and to work with the Federal Government even under the
best of circumstances. So we must do more to build the trust
and the confidence. We must increase the communication. We must
work closely with each other and industry and with law
enforcement and the national security community, but we must do
it in an open and frank dialog where information is shared both
ways.
We believe we have made progress over the last 3 years in
this dialog. We believe a lot more progress must be made, but
we must not underestimate the challenge that lies before us.
Thank you very much.
[The prepared statement of Mr. Miller follows:]
Prepared Statement of Harris N. Miller
INTRODUCTION
Chairman Kyl and Members of this Senate Subcommittee, thank you for
inviting me here to testify today on Information Security and
Information Sharing. My name is Harris N. Miller, and as President of
the largest information technology trade association, the Information
Technology Association of America, I am proud that ITAA has emerged as
the leading association on the issue of information security. ITAA
represents over 26,000 direct and affiliate members who have a vested
economic interest in protecting our nation's information security needs
since almost 90 percent of the world's information infrastructure,
including the Internet, is run by industry. I am also President of the
World Information Technology and Services Alliance (WITSA) an
association of 41 global IT organizations, so I also have experience in
the topic from a global perspective.
The title of this hearing, ``Cyber Attacks: Removing Roadblocks to
Investigation and Information Sharing,'' is encouraging. I commend this
Subcommittee for holding this hearing and recognizing that in order for
industry and government to work together to combat security threats,
there are some obstacles, not insurmountable but real, that must be
overcome. I continue to believe that though the road to common ground
on information sharing contains potholes and detours, it is still
navigable.
Information technology represents over 6 percent of global gross
domestic product (GDP), a spending volume of more than $1.8 trillion,
and over 8 percent of US GDP, according to Digital Planet, a report
released by WITSA. Further, a recent US Department of Commerce report
indicated that an incredible 35 percent of the nation's real economic
growth from 1995 to 1998 came from IT producers. Chairman Alan
Greenspan of the US Federal Reserve Board recently credited large
investments in high-tech products for the dramatic boost in the
nation's productivity. Even previously skeptical economists now concede
that IT-driven productivity increases have enabled our country to have
what they said we could not have: high growth, low unemployment, low
inflation, growth in real wages.
If IT is the engine behind this growth, the Internet and E-commerce
are the rocket fuel. Forrester, a respected market research firm,
forecasts that the U.S. business-to-business marketplace is worth $290
billion this year and will grow to $2.7 trillion by 2004. The Internet
is rewriting economic history.
THE RISE OF ``INFOSEC'' AS A POLICY ISSUE
Along with the blessings of this new prosperity comes a challenge--
new vulnerabilities exhibited by this evolving infrastructure. If we
are to continue building our New Economy on this digital foundation, we
must meet the security and policy challenges that it poses:
Stakeholders must be able to trust that the Internet is a
safe and secure environment;
Industry owns and operates most of this infrastructure
and, therefore, is its natural steward for safety and security issues;
Government and industry share an interest in the health
and growth of the Internet and E-commerce and must find common ground
on which to coordinate on critical information infrastructure
protection issues;
``Cyberethics'' must become a regular and understandable
part of the Internet lexicon. Ethical on-line behavior must be taught
at home, in school and in the workplace. Safe and efficient on-line
business operations demand the investment by schools, community groups,
IT and non-IT companies and organizations. It is everyone's
responsibility to become part of a deterrence solution, working
together to establish and embrace a reasonable set of information
security practices and procedures;
Because the Internet is a global medium, which means
national boundaries are transparent, information security is an issue
that must be pursued on a global basis. The nature of the cybercrime
threat is dynamic; information security requires on-going commitment,
attention, and cooperation of industry and law enforcement worldwide.
Assessing the ultimate InfoSec responsibility and roles for
government agencies and the private sector is really very simple: our
new information-based assets must be protected and preserved.
INDUSTRY PLAN FOR CYBER SECURITY
ITAA and its members have been working to execute a multi-faceted
plan designed to improve U.S. cooperation on issues of information
security. However, Mr. Chairman, we would all be remiss if we believed
it was just the IT industry that must cooperate within its own
industry--we must work cross industry, and industry with government.
Protecting our infrastructure is a collective responsibility, not just
the IT community's role.
We are working on multiple fronts to improve the current mechanisms
for combating threats and responding to attacks through our role as
Sector Coordinator for the Information and Communications sector,
appointed by the U.S. Department of Commerce. Through ITAA's InfoSec
Committee, our member companies also are exploring joint research and
development activities, international issues, and security workforce
needs. Elements of the plan include Awareness, Education, Training,
Best Practices, Research and Development, International Coordination,
and Information Sharing.
Awareness: ITAA and its member companies are raising awareness of
the issue within the IT industry and through partnership relationships
with other vertical industries, including finance, telecommunications,
energy, transportation, and health services. We are developing regional
events, conferences, seminars and surveys to educate all of these
industries on the importance of addressing information security. An
awareness raising campaign targeting the IT industry and vertical
industries dependent on information such the financial sector,
insurance, electricity, transportation and telecommunications is being
overlaid with a targeted community effort directed at CEOs, end users
and independent auditors. The goal of the awareness campaign is to
educate the audiences on the importance of protecting a company's
infrastructure, and instructing on steps they can take to accomplish
this. The message is that information security must become a top tier
priority for businesses and individuals.
Education: In an effort to take a longer-range approach to the
development of appropriate conduct on the Internet, the Department of
Justice and the Information Technology Association of America have
formed the Cybercitizen Partnership. The Partnership is a public/
private sector venture formed to create awareness, in children, of
appropriate on-line conduct. This effort extends beyond the traditional
concerns for children's safety on the Internet, a protective strategy
and focuses on developing an understanding of the ethical behavior and
responsibilities that accompany use of this new and exciting medium.
The Partnership will develop focused messages, curriculum guides and
parental information materials aimed at instilling a knowledge and
understanding of appropriate behavior on-line. Ultimately, a long
range, ongoing effort to insure proper behavior is the best defense
against the growing number of reported incidents of computer crime.
Training: ITAA long has been an outspoken organization on the
impact of the shortage of IT workers--whether in computer security or
any of the other IT occupations. Our groundbreaking studies on the IT
workforce shortage--``Help Wanted''--have defined the debate and
brought national attention to the need for new solutions to meet the
current and projected shortages of IT workers. We believe it is
important to assess the need for and train information security
specialists, and believe it is equally important to train every worker
about how to protect systems. We know from the recent denial of service
attacks last month that systems are only as strong as the weakest link-
whether it's people or technology.
We have planned a security skills set study to determine what the
critical skills are, and will then set out to compare those needs with
courses taught at the university level in an effort to determine which
programs are strong producers. We encourage the development of
``university excellence centers'' in this arena, and also advocate
funding for scholarships to study information security.
The challenge to find InfoSec workers is enormous, because they
frequently require additional training and education beyond what is
normally achieved by IT workers. Many of the positions involving
InfoSec require US citizenship, particularly those within the federal
government, so using immigrants or outsourcing the projects to other
countries is not an option.
Best Practices: We are committed to promoting best practices for
information security, and look to partners in many vertical sectors in
order to leverage existing work in this area. In addition, our industry
is committed to working with the government--whether at the federal,
state or local levels. For example, we are working with the Federal
Government's CIO Council on efforts to share industry's best
information security practices with CIOs across departments and
agencies. At the same time, industry is listening to best practices
developed by the government. This exchange of information will help
industry and government alike in creating solutions without reinventing
the wheel.
While we strongly endorse best practices, we strongly discourage
the setting of ``standards.'' Why?
Broadly, the IT industry often sees standards as a snapshot of
technology at a given moment, creating the risks that technology
becomes frozen in place, or that participants coalesce around the
``wrong'' standards. It is also critical that best practices are
developed the way much of the Internet and surrounding technologies
have progressed--through ``de facto'' standards being established
without burdensome technical rules or regulations. While ITAA
acknowledges the desire within the Federal government to achieve
interoperability of products and systems through standard-setting
efforts, we believe that the IT industry can address this simply by
responding to the marketplace demand. The market place has allowed the
best technologies to rise to the top, and there is no reason to treat
information security practices differently.
Research and Development: While the information technology industry
clearly is spending hundreds of millions if not billions on research
and development efforts-maintaining our nation's role as the leader in
information technology products and services-there are gaps in R&D.
Industry clearly focuses on R&D projects that are likely to lead to
real products. Government, mainly in the Department of Defense, focuses
its information security R&D spending on defense and national security
issues. We believe that in between industry's market-driven R&D and
government's defense-oriented R&D projects, gaps may be emerging that
no market forces or government mandates will address.
ITAA and our member companies actively support the President's call
for an Institute for Information Infrastructure Protection. This
institute, under consideration by the President's Committee of Advisors
on Science and Technology, will focus limited government funding on
targeted R&D projects conducted through consortia of industry, academia
and government. We continue to support the creation of the Institute
and hope the Congress will approve the $50 million fiscal year 2001
request for its establishment.
International: In our work with members of the information
technology industry and other industries, including financial services,
banking, energy, transportation, and others, one clear message
constantly emerges: information security must be addressed as an
international issue. American companies increasingly are global
corporations, with partners, suppliers and customers located around the
world. This global business environment has only been accented by the
emergence of on-line commerce--business-to-business and business-to-
consumer alike.
Addressing information security on a global level clearly raises
questions. Many within the defense, national security and intelligence
communities rightly raise concerns about what international actually
means. Yet, we must address these questions with solutions and not
simply ignore the international arena. Again, we are only as strong as
our weakest link. To enable the dialogue that is needed in this area,
ITAA will be announcing soon the first Global Information Security
Summit to be held this fall. This event will bring together industry,
government and academia representatives from around the world to begin
the process of addressing these international questions.
Information Sharing: Last month, I and numerous executives from my
industry met with President Clinton to discuss solutions to combating
security threats. We committed to the President that we would create a
mechanism for sharing information.
There are still unanswered questions as to what the mechanism will
look like--how formal will it be? With whom will we share information?
How will such a mechanism be funded and operated? These are important
questions, which need answers.
One other issue is important to raise concerning information
sharing. During the Y2K rollover, the Federal government's Information
Coordination Center (ICC) played a critical role in ensuring a smooth
process. At the ICC, government and industry stood side-by-side in an
unprecedented effort to ensure the continuity of operations of
America's critical infrastructures and the sustained health of our
national economy.
As we begin to share information within our industry and develop
the process for sharing across industries and with government, we see a
potential role for the ICC in enabling this collaboration. Yet, the
Federal government's approximate $40 million investment in the ICC is
at high-risk of being discarded. As we speak, the OMB is moving quickly
to dismantle the ICC, divvy up the ``goods,'' and leave nothing behind.
We have asked OMB Director Lew to reconsider this plan to dismantle.
The plan moves forward. We now ask you to help us ask OMB to ensure it
has clearly identified all possibilities for the ICC-particularly in an
information security capacity--before the ICC is gone.
Which brings us to the question today's hearing asks.
BARRIERS TO INFOSEC IMPLEMENTATION
Companies are understandably reluctant to share sensitive
proprietary information about prevention practices, intrusions, and
actual crimes with either government agencies or competitors.
Information sharing is a risky proposition with less than clear
benefits. No company wants information to surface that they have given
in confidence that may jeopardize their market position, strategies,
customer base, or capital investments. Nor would they risk voluntarily
opening themselves up to bogus but costly and time-consuming
litigation. Releasing information about security breaches or
vulnerabilities in their systems presents just such risks. Negative
publicity or exposure as a result of reports of information
infrastructure violations could lead to threats to investor--or worse--
consumer confidence in a company's products. Companies also fear
revealing trade secrets to competitors, and are understandably
reluctant to share such proprietary information. They also fear sharing
this information, particularly with government, may lead to increased
regulation of the industry or of Electronic Commerce in general.
These concerns are relevant whether we are talking about inter-
industry, cross-industry, or industry/government information sharing.
Combine this with a historic lack of trust towards law enforcement, or
a concern that company systems may become caught up in an investigation
and thus lose production/development time, and many companies find it
easier to keep quiet and absorb the pain inflicted by intrusions, even
at substantial cost. I also would be remiss if I did not remind the
committee of a company's need to protect individual customers' privacy.
Industry fears that privacy breaches on innocent customers might
inadvertently occur during investigations.
Few high tech companies are interested in being perceived by their
customers as the active agents of law enforcement. Agencies, meanwhile,
are often viewed as demanding this type of information from the private
sector but giving little back in return. Let me be blunt. Information
sharing cannot be a one-way street.
TARGETED SOLUTIONS ARE POSSIBLE
In many ways, solutions to information security challenges are no
different than any other Internet-related policy issue. Regulation is
not the answer. Industry leadership has been the hallmark of the
ubiquitous success of our sector, and we firmly support the current
beliefs held by most in Congress and outlined in the Administration's
1997 plan, ``A Framework for Electronic Commerce,'' which advocates
market-driven, industry led, free market approach to the Internet and
E-Commerce. These same principles must be applied in the realm of
information security.
Over the past two years, ITAA, its members and the IT industry have
begun to develop collegial and constructive relationships with the
leadership and staff of the Department of Justice (DOJ), the National
Security Council (NSC), the National Security Agency (NSA), the
National Information Protection Center (NIPC), the Critical Information
Assurance Office (CIAO), the Commerce Department (DOC), NTIA and the
Critical Information Infrastructure Assurance Program Office (CIIAP) at
NTIA in their capacity as the lead agency for our industry. While
significant, positive levels of trust, cooperation and communication
have been developing; the important work that must be done has barely
started. This is not because of any lack of desire or ability on behalf
of NTIA or the CIIAP Office, but because they have been asked to do
their job without the necessary resources. They lack even the minimum
funding and support that is necessary for them to carry out their
mission. ITAA and our members will continue to look forward to
cooperating with all agencies and elements of government to meet the
Infosec challenges. Yet we feel that NTIA is the proper representative
to work with our industry to begin to build the necessary levels of
cooperation to help develop the National Infrastructure Protection
Plan. Within DOC, NTIA has the knowledge of and experience and
relationships with the IT and Communications industries that are
necessary. It is essential that the necessary programmatic funding for
lead agency activities be appropriated to the NTIA to carry out its
mission. $3.5 million (amount of current request for NTIA lead agency
activities) is a small price to pay for getting these important
programs moving down the track.
Part of the answer will require new approaches to the Freedom of
Information Act (FOIA), one of the biggest roadblocks. Companies worry
that if information sharing with government really becomes a two-way
street, FOIA requests for information they have provided to an agency
could prove embarrassing and probably costly. Many in industry believe
that freedom from FOIA concerns is the most formidable obstacle, and
that an exemption for this type of information sharing is the only
option.
ITAA's collaborative partnership with the Department of Justice,
the ``Cybercitizen Partnership'' is developing an educational program
to teach children that ethical, moral responsibility exists in the
virtual world as it does in the real world. The efforts of the
Partnership will reduce the potential of children to engage in
cybercrime. A modest amount of funding for this type of awareness
campaign would go a long way towards teaching the first generation of
true cybercitizens, and our future workforce, about the realities and
consequences of misbehavior online.
Funding will also help in the areas of workforce development and
research. We have a critical shortage of information technology
professionals generally and information security specialists
specifically. The $25 million set aside in the fiscal year 2001 budget
for the Federal Cyber Services Training and Education Initiative should
prove most helpful. The fellowship program outlined in HR 2413, the
Computer Security Enhancement Act of 1999, to increase the number of IT
skilled workers in the workforce, is something we also support.
The President's proposed Institute for Information Infrastructure
Protection, a federal research and development facility, should
likewise prove beneficial to the extent that it is responsive to the
marketplace. The best way to assure the Institute's relevance is to
build it on a broad collaboration between government and industry,
focusing on technology certainly but not losing sight of the critical
importance of people and processes to the information security
equation.
CONCLUSION
In all honesty, we at ITAA face a daunting job of convincing the IT
industry to work with federal agencies on these initiatives, even under
the best of circumstances. The most important aspect of successful
information sharing lies in the breadth and depth of the sharing. We
must do more than industry only communications. There must be inter-
industry, cross-industry and industry/government cooperation on
InfoSec. Nothing less will get the job done. It is a challenge we must
step up to if we are to achieve any degree of success in opening lines
of communication. Our industry continues to have reservations about
working too closely with the federal law enforcement and national
security community, and has concerns about jeopardizing business
concerns by sharing information on security issues.
Without overstepping its boundaries, there are ways the government
can create a friendlier atmosphere for information sharing as well as
increase our successes in this arena.
Thank you and I would welcome any questions from the Committee.
Senator Kyl. Well, both of you have certainly summarized
the issues well. Let me begin, Mr. Miller, by asking a couple
of very specific questions.
As you know, the FBI is the primary law enforcement entity
charged with the investigation and prosecution of crimes in
this case. Is the NIPC's placement in the FBI, from your
perspective, a show-stopper for the partnership that you
testified we need to create between government and industry?
Mr. Miller. I would recommend it not be within the FBI.
Show-stopper may be too strong a term, Senator, but I think
that as much respect as the business community has for the FBI,
they are clearly more comfortable working with other agencies.
For example, we work very closely with the Department of
Commerce. That is the sector coordinator position we were given
that came out of the Department of Commerce.
So perhaps in terms of information sharing, while we
receive that law enforcement and national security officials
will always be a central part of it, as long as this remains
within the FBI, then it will be seen exclusively by most
people, rightly or wrongly, as a law enforcement agency, not as
an information sharing organization.
And as Senator Grassley pointed out in his comments,
particularly when you don't have major agencies such as the
Department of the Treasury and the Department of Commerce even
currently playing a role within the NIPC, then again the
perception from the outside, Senator, is this is purely a law
enforcement organization, not a general information sharing
organization. My guess is that industry would be more
comfortable if it were not located within the FBI.
Senator Kyl. Of course, to the extent that is a law
enforcement function, the FBI has got to be involved, and you
are not suggesting otherwise.
Mr. Miller. Absolutely not.
Senator Kyl. I think part of the problem is the
Administration has frankly not been encouraging enough of
Treasury and Commerce to participate in this. Perhaps more
encouragement there could bring a larger role for Commerce and
Treasury and some of the other agencies of the Government.
Mr. Miller. Well, one of the things I have suggested,
Senator, in testimony on the other side of Capitol Hill is the
need for an InfoSec czar similar to the role that John Koskinen
played, a small, lean, mean organization reporting directly
into the President and Vice President and the National Economic
Council who would be able to more clearly rationalize the
Government agencies.
Frankly, from the outside, it looks very, very confusing.
In fact, we could probably fill up the whole wall behind you
with charts about everybody inside the Government who is
dealing with information security not just internally, but also
to the external audience, the business community, the average
citizen, consumers, State and local governments.
And perhaps a Koskinen-like individual--John Koskinen
served that role, of course, for Y2K, who would be seen and
trusted both inside the Government and also outside, again not
to set up his or her own bureaucracy but as a primary point of
contact externally with the various parts of the private
sector, State and local government and internationally, and
then internally could help to at least--to the outside world--
paint a clearer face as to what the position would be, might be
very helpful.
Senator Kyl. OK; I take your suggestion. Two other very
specific questions. Do you see a need for modifications to
antitrust legislation to encourage sharing among competitors?
Mr. Miller. Our legal committee at ITAA is examining that.
We do believe that probably it will be necessary. As you know,
Senator, during the Y2K debate over the past several years,
Congress did pass the Information Readiness and Disclosure Act
which did relieve any lingering concerns that legal departments
and general counsels and outside counsels had about firms
sharing information, under your leadership and many members of
this committee. That was an important bill that helped to
promote information sharing.
Even though companies were told by the Department of
Justice they could industry by industry go in for an exemption,
and some industries did, that turned out to be a long,
laborious process. So legislation was very key. So we are now
in our legal committee examining the possibility and have had
some dialog with the Administration and would be glad to carry
on a dialog with you and your staff on that also.
Senator Kyl. We are eager to get your recommendation on
that.
Then a final question, and this will be a bridge to Mr.
Pethia. With respect to the Freedom of Information Act, is it
fair to say that we won't have adequate information sharing
until we offer an exemption to FOIA for critical information
infrastructure protection?
Mr. Miller. Absolutely. As long as companies believe that
by cooperating with government they are facing the risk of very
sensitive and confidential information about proprietary
secrets or about customer records, while however well-
intentioned end up in the public record, that is going to be,
to use your phrase, a show-stopper.
Senator Kyl. Now, Mr. Pethia, we have heard about market
forces that help private companies secure networks, but a lot
of the attacks have been through universities due to their
traditional high-capacity, low-security networks. What do you
suggest we do to encourage or hold accountable universities to
take security more seriously?
Mr. Pethia. An interesting question. I think overall
universities are certainly a piece of this, but I think they
are just the beginning of what we are going to see over the
next few years, which is going to be hundreds of thousands of
organizations that are vulnerable to this kind of attack.
I think overall we have to begin to help people understand,
first of all, the liability that these organizations have if
they leave their systems open and repeatedly can be used as
platforms to launch new forms of attack. And I think more than
anything else, that will eventually bring the kinds of controls
that we need to have. I don't know how to do it any other way.
Until individual organizations begin to see that there is some
price to pay for lax security, I think we are going to have
that problem.
The bigger problem I see, however, is on the other side,
and that is on the technology producer side. I think the fact
is today many of the systems we have out there today are simply
too complex for today's user environment to effectively deal
with.
One of the things I would like to say is that the Internet
was originally built by the technical wizards for the technical
wizards, and we still have a lot of the old software, the same
mechanisms in place today that we had 10 years ago. Today,
computers, even sophisticated devices like firewalls and
routers, are becoming consumer items.
We don't expect everyone who drives an automobile to be a
master mechanic, and we shouldn't expect everyone who uses a
computer that could be used as an attack platform to be a
master systems engineer. So what we need to fix this problem
long term is better technology, technology that is matched to
the capability of today's users.
Senator Kyl. And I think the question that, Mr. Miller,
your folks are going to have to grapple with is the issue of
whether or not, going back to the weakest link notation, a
university, a company, an individual who knowingly or willingly
avoids known fixes in a system allows that system to be used
for malicious purposes that significantly injures others--
whether there is a potential liability there, and therefore
whether there is going to be some obligation to take some
reasonable steps.
Do either of you have a comment on where that whole thing
is headed?
Mr. Miller. I think it is a combination of both. No. 1, it
is education. At the meeting that Mr. Pethia and I attended
with the President at the White House, for example, following
the initial denial of service attacks, one of the major
companies reported that every time they did a major
installation they went in 60 days later to see how the
installation was working and they found that in over 35 percent
of the cases the customer never turned on the security they had
been given, which the President then analogized to people who
buy briefcases that have 000 locks on them and never change the
lock from 000.
So in that case, education is important. Maybe the customer
thought it was too difficult, which Mr. Pethia is suggesting
might be the case, or maybe they just didn't give it any
priority and therefore they didn't do it. So education which is
important is there.
But, No. 2, there are going to be negative incentives, too,
I think, as you are suggesting, Senator. I think there are
going to be down the road, maybe sooner than we think--
lawsuits, various liability issues raised, shareholder
lawsuits, et cetera, that may arise. Now, it is interesting
that one of the organizations, I think, very positive, by the
way, that has gotten involved is the Institute of Internal
Auditors. They have become very involved in this issue.
In fact, they are going to be holding a series of briefings
and meetings around the country that is being organized in
conjunction with the CIAO office, in which we are also
participating. Clearly, an auditor has a lot of impact on a
company. If an auditor says, I am not going to sign off on your
audit or I am not going to approve your audit until I am
convinced that you have instituted the appropriate security
mechanisms, that is important.
Similarly, the insurance industry. Many insurance companies
were writing service interruption insurance for Web-based
companies without ever asking the tough question: by the way,
have you done anything to be secure? And then there is some
business interruption because someone takes down their website.
The insured comes forward to file a claim and the risk managers
says, ``Oh, we forgot to ask you, didn't we, whether you really
had any protection?'' So the insurance companies are now
starting to change their tune and putting pressure on
companies.
So I think, similar to Y2K, you are seeing a lot of outside
pressures in the marketplace--insurance, lawyers, auditors,
customers. Obviously, if customers go back to certain well-
known online websites and they are down all the time,
eventually the customers will move away, the investors will
move away. So all those market forces are starting to work, but
it is going to be a slow process because I would say that maybe
for most companies up until the recent denial of service
attacks, information security was number 11 on the 10 critical
things they had to do.
I think maybe now it is number 6 or number 5. It has moved
up the food chain, but it isn't up to number 2 or number 3 yet
where it needs to be. And what that is going to take, Senator,
just as Y2K did, is CEO and COO and CFO commitment, board of
directors commitment. It is not the MIS director, it is not the
technical person, it is not the chief technology officer. Those
people are important in terms of figuring out the correct
technological solution, as Mr. Pethia was suggesting.
But in terms of putting the dollars on the table in terms
of the commitment of resources in terms of the priority, that
has to come from the top, whether you are talking about a
university president, whether you are talking about a
corporation, whether you are talking about a nonprofit, whether
you are talking about State and local government. The
commitment has to come from the top for information security to
rise to the level where it needs to be.
Mr. Pethia. I would like to build on Harris' statement for
just a minute.
Senator Kyl. Sure.
Mr. Pethia. The real scary thing about the distributed
denial of service attacks in February is not that they caused
damage, but for the first time in the history of the Internet
it became crystal clear that there is nothing that an
organization can do to protect itself from this kind of attack.
So for the first time we have taken the traditional risk
management model and stood it on its head. No matter what I do
within my organization, no matter how much I invest in
security, no matter how strong the doors are to my
organization, I am still vulnerable to an attack from some 15-
year-old who picks up a piece of technology off the network.
That can't be the right technical answer. We simply cannot
manage risk in any effective way.
So what we need to push toward is better underlying
technology in the Internet. There are groups like the Internet
Engineering Task Force that are developing improved security
standards, but yet industry is very slow to adopt them.
Internet Protocol Version 6 which has been available now for
well over a year has a lot of real strong security controls
that could help us deal with a lot of this problem, but its
deployment is probably still 2 or 3 years away because industry
is simply not picking up the banner and running forward.
There is the place where I think the community has already
come together. They have vetted the solution. It is a solution
that is acceptable to all of them. That is how the Internet
Engineering Task Force works, and here is the place where I
think government perhaps could exert some influence to try to
accelerate the deployment of what industry has already agreed
is an effective new standard.
Senator Kyl. How could government do that?
Mr. Pethia. Well, I don't know the exact mechanism to do
that, but there again certainly within the Federal Government,
as the Federal Government is a purchaser of large amounts of
information technology, it could begin to demand that as it
buys new products those new products incorporate these new
features.
Senator Kyl. Well, that is certainly true. The confusing
thing to me is from my own perspective I would rather see the
private sector evolve legally as well as technologically to put
its own numerous kinds of pressure on businesses to do business
in a proper way that recognizes industry standards to which
people are held accountable for not availing themselves of
equipment to meet those standards. The Government's primary
role is when there is a national security type of issue
involved, and that is where the Government could actually
mandate something.
The problem is that you have here a highway used by
everybody. The worldwide Internet is basically open to anybody
and you could have anything from a terrorist attack to a very
specific attack on some national security component of the
country, either government or nongovernment, as well as
financial crimes and just plain hacking, all using the same
medium, in effect.
So it is kind of hard to clearly define when the
Government's mandating role is appropriate and when instead it
should just rely on the private sector itself to evolve the
legal mechanisms to provide the enforcement.
Mr. Miller.
Mr. Miller. I would agree with you, Senator. I am very,
very reluctant to see government try to set standards, but let
me give you a couple of examples of where collaboration may
work out well.
Our association is working currently with the Federal Chief
Information Officer Council of the Federal Government, which is
the CIO's of the 24 largest Federal agencies established under
the Clinger-Cohen legislation several years back. They have
decided within their leadership role within the Government IT
sector to try to develop best practices so that they, as
customers, can be smarter about how to do that.
They have come to us to be an information sharing resource,
not that we are going to dictate to the Government what their
best practices are, but they want to learn and educate
themselves by establishing a very open and frank dialog between
industry and government, which by the way is going to have to
be ongoing because today's countermeasure is frequently
overcome by some new threat and it becomes an escalating arms
race.
So we are having a couple of meetings upcoming with the
Federal CIO Council and other CIO's. It is quite possible that
those best practices will get more widely adopted than just
within the Federal Government, for instance. Similarly, in the
meeting we had with President Clinton on February 15, we in
industry committed to setting up a more effective information
sharing mechanism within the IT industry and across industries,
trying to expand on the excellent work that Mr. Pethia's
organization does. But we also committed to the President to
work on best practices.
So I think that you are going to see this accelerating
toward best practices. Is it going to be standards that someone
can go pull down off the shelf and say, ``OK, I know exactly
how big, how tall, how small?'' No, but I think you are seeing
a lot more pressure toward realizing that because we are all in
this together, as you suggested, we are living in the same
Internet world, we have to have some best practices.
One final point, Mr. Chairman, in this area is a lot of
these challenges are not technological, they are personnel. If
I install a security system at your house and you don't punch
in those four digits before you go to sleep at night, I might
as well have not installed it. Similarly, the example I gave
before: if companies have security installed and they never
turn it on, they might as well not have it.
As Director Freeh reported, a huge percentage of the
information security problems come internally, not from
external threats, not from terrorists or criminals, but
internally. So personnel and human resource factors here are
exceptionally important, and those are the kinds of things that
industry also needs to work on collaboratively together.
We, for example, are working with Marymount University here
in northern Virginia on a program in early September which is
going to try to figure out how to better educate college
students on basic procedures. Whether you are going to be a
computer specialist or just someone who uses the computer for
word processing and spread sheets, you have to practice good
cyber hygiene the same way that the MIS director does or the
same way that someone who has a much more sensitive role in
government does. Otherwise, the whole system can be threatened.
Senator Kyl. One idea, too, with regard to the universities
is because of the Federal funding link to the universities,
there could be requirements placed to adhere to at least
certain protocols or standards in connection with the use of
those university computer systems.
There is much more we could get into. I would invite both
of you to continue to communicate with our subcommittee because
we are going to be developing legislation. We will need your
continued input and advice. We will maintain that communication
because you both emphasized the need for that. I totally agree
with it.
The only thing I would say in closing, and it goes back to
a point I made with the Director, is my first 20 years were in
the private sector and I am very private sector-oriented, but
there are some trust barriers that need to be breached here on
both sides. And I would just suggest that you think about how
to communicate to some of the folks in the private sector how
sometimes actually being involved in a law enforcement aspect
of something provides better protection than before that
process actually begins. So it is not something necessarily to
be feared.
But, of course, we all appreciate the other concerns about
snooping and all of that kind of thing. In any event, it is
just one more way to try to break down the barriers for that
two-way communication that we have all been searching for.
Mr. Miller. Well, we would be glad, Senator, to work with
you and your colleagues to even have a dialog not just with
Attorney General Reno and others but with your committee, if
you thought that would be appropriate, where you could help to
deliver that message.
One of the ways that I got a commitment from my board of
directors to focus on this issue so much was 2 years ago I
asked a senior official from the FBI to come out and do a
confidential briefing for my board of directors. And it got
their attention when they heard close up and personal what was
going on in the industry. So perhaps not just our dialoging
with the Attorney General and the Department of Commerce, but
maybe with leaders in Congress would be helpful. And I would be
glad to facilitate such a meeting if you and your subcommittee
would be interested.
Senator Kyl. I, for one, would be delighted to do that, and
I would just encourage both of you. Any suggestions, proactive,
please get them to us because in many ways this is a very
exciting challenge and there are some wonderful opportunities
here. But we have got to attend to them soon or we are going to
continue to face significant risk.
Mr. Pethia. We work closely with the FBI and the NIPC. In
fact, we have representatives from the FBI actually physically
located in our facility, and we always encourage people who
report incidents to us to report to law enforcement as well. I
think lack of trust is part of it, but there is also a
tremendous lack of understanding.
We recently met with Michael Vatis, the director of the
NIPC. They will be working with us to really help people,
inform people, produce documents and seminars that we can do
together to inform people of what they can expect to have
happen when they do report to the FBI.
One of the things that I think is important to remember is
that the Internet today in this country alone is growing by
hundreds of thousands of users everyday, and that is a huge
population of people to pull up a learning curve and to make
them feel comfortable with this new world that they are in and
dealing with law enforcement organizations that they probably
have near dealt with before. I think that is the big challenge,
pulling all those people up that learning curve.
Senator Kyl. Well, you have both made excellent points. I
appreciate your testimony here. We will look forward to
continuing dialog with you.
I would note that the subcommittee record will be kept open
for a week if any of you would like to submit anything else or
if any members of the panel would like to submit any additional
questions for the record.
With that, I thank you and adjourn this hearing.
[Whereupon, at 11:52 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions and Answers
----------
Responses of Louis J. Freeh to Question From Senator Jon Kyl
Question 1. Is the NIPC able to provide indications and warnings of
an attack? For example, does the Center have the ability to detect
anomalous activity or patterns in key communications nodes that might
indicate something is about to happen?
Answer 1. The NIPC's ability to perform ``indications and warning''
is dependent first and foremost on its ability to quickly gather
information from multiple sources about an ongoing or imminent attack
(whether an intrusion, a virus, a denial of service, or other form of
attack). The NIPC does not operate any detection mechanisms on any
government or civilian systems. Thus, we do not get ``indications'' in
an automated sense from any detection devices. In this sense, I&W in
the cyber world is very different from I&W in the nuclear missile or
conventional weapons world, where radars and other devices can provide
advanced warning of an attack. Rather, we get relevant information from
intelligence sources, criminal investigations, ``open sources'' (such
as media and the Internet), and from industry and government contacts.
We ``detect'' anomalous activity in key communications nodes only if
the owner/operator of that node detects it and informs the NIPC, an FBI
Field Office, or another agency, or if we learn through criminal
investigation or intelligence sources that the node is being attacked.
The key to the NIPC's ability to do this is the development of
connectivity and close interaction with numerous Defense and
Intelligence Watch centers, FBI Field Offices, other Law Enforcement
organizations, computer anti-virus association groups, private and
public Computer Incident Response Teams (CIRTs) and Computer Emergency
Response Teams (CERTs), foreign law enforcement agencies, and private
industry (both individual companies and information sharing
organizations). Over the past two years, the NIPC has made substantial
progress in developing these relationships, but this is a continuing
task and more work remains to be done. One of the main reasons for our
extensive outreach programs is to build trust and willingness on the
part of private companies to report cyber incidents to us, and these
efforts are bearing fruit. In addition, PDD-63 directs other federal
agencies to report incidents to the NIPC directly. Many agencies are
doing this, but there is room for improvement with others. In addition
to reports from companies and agencies, the NIPC Watch actively scans
all available governmental and private sector sources for reports or
information regarding cyber activity, and interacts throughout each day
with other watch centers to share information.
Once information (or ``indications'') of an attack is received and
analyzed, the NIPC can issue a warning, alert, or advisory through
numerous means, depending on the appropriate audience. Warnings can be
issued to specific targeted companies through FBI Field Offices or by
the watch directly; other federal agencies can be notified by e-mail,
secure facsimile, and telex; state and local law enforcement can be
warned by NLETS; industry can be warned through InfraGard secure email
and website and through ANSIR (an e-mail system that reaches tens of
thousands of companies); and the general pubic can be warned via the
NIPC webpage and the news media. All of these mechanisms have been used
numerous times (as discussed in the answer to the next question).
Senator Kyl's question goes to the heart of I&W in the cyber world:
should the Nation have the capability to detect intrusions into
government or private sector systems in an automated fashion, without
having to rely on human detection and reporting? The controversy
attending the Administration's recent ``FIDNET'' initiative, which is a
limited proposal to place automated intrusion detection devices on
federal agency networks, identified many of the privacy and other
issues such a system would raise, particularly if it were extended to
privately owned networks. The government's approach at the present time
is to encourage industry to protect and monitor its own systems, and to
report anomalous activity voluntarily. The NIPC works within that
overall policy to encourage private sector reporting as a critical part
of its I&W. Examples of this include InfraGard and the incident
reporting pilot program we have developed with the energy sector
through the North American Electrical Reliability Council (NERC).
Question 2. How many warnings has the NIPC issued which were
developed through the Centers's own analysis of activity?
Answer 2. Of the 54 tactical warning products disseminated since
the NIPC was established in February 1998, all were developed in whole
or in part through the Center's organic analytical capability and
analysis of activity. Some of these products were initiated by the NIPC
(e.g., the BAT/Firkin Worm, also known as the ``911'' Worm), while
others built upon basic analysis initiated elsewhere (e.g., the NIPC
assessments of Distributed Denial of Service tools). We cannot put a
precise figure on the relative contributions, since these are all
community-collaborative products. In performing analyses and issuing
warnings, the NIPC works closely with other government agencies,
private sector organizations such as CERT (which is an FBI contractor),
and the SANS institute, and academic institutions.
In addition to warning products, the Center has produced hundreds
of non-warning informational products. Since 1998 the NIPC has produced
301 daily reports, 30 CyberNotes (a summary and analysis of technical
exploits and vulnerabilities), 51 Critical Infrastructure Developments
reports (a report on recent cyber-related issues and incidents), and
five IP Digests (a periodic, in-depth analysis of cyber threats and
vulnerabilities). Versions of these analytical products go to private
industry, to the Intelligence Community, other federal agencies
(including law enforcement), and to criminal investigators.
Question 3. What-other agencies do you see playing a significant
role in the area of computer crime investigations?
Answer 3. Cyber crime is an issue that concerns not just the FBI,
and, not just law enforcement generally. Indeed, ``cyber crime'' in
itself should be seen as part of a broader array of cyber threats,
including cyber terrorism, cyber espionage, and information warfare,
since all are closely related and often difficult to distinguish at the
outset of an incident. As a result, cyber threats are of great concern
to numerous federal agencies, including the Defense, Intelligence, and
Law Enforcement Communities and to civilian ``Lead Agencies'' under
PDD-63; to state and local governments, including law enforcement; and,
of course, to the private sector. It is because of this wide-ranging
interest that the NIPC was established as an interagency center. The
NIPC provides a locus and mechanism for coordinating the expertise and
roles of many agencies, and facilitates information sharing and
operational coordination. The NIPC works closely on investigative
matters with many law enforcement agencies, including: the Secret
Service, Internal Revenue Service (IRS), Air Force Office of Special
Investigations (AFOSI), Naval Criminal Investigative Service (NCIS),
United States Air Force Office of Special Investigations (AFOSI),
Defense Criminal Investigative Service (DCIS), National Aeronautics and
Space Administration Office of Inspector General (NASA OIG), Department
of Energy (DOE), state and local law enforcement, the Intelligence
Community, as well as foreign law enforcement agencies through FBI
Legal Attaches (LEGATS).
Question 4. Are there reasons, other than funding, which have
caused other agencies to pull their personnel out of the NIPC? For
example does FBI management at the Center recognize the expertise of
the other agencies and allow them to fully participate?
Answer 4. One of the difficulties in attempting to operate an
interagency Center is ensuring that all relevant agencies participate.
Agencies have not received direct funding to participate in the Center,
and so must take detailees to the NIPC out of existing personnel
resources. In addition, personnel with cyber expertise are
unfortunately in very short supply, meaning that agencies must commit
to take scarce resources and send them outside their agencies. Despite
these impediments, numerous agencies have sent detailees to the NIPC,
including: Defense/Office of the Secretary of Defense; Central
Intelligence Agency; National Security Agency; Air Force Office of
Special Investigations; U.S. Navy; U.S. Army; U.S. Postal Service;
Defense Criminal Investigative Service; General Services
Administration; U.S. Air Intelligence Agency; Department of Commerce,
and the Tuscaloosa, AL Sheriff's office. In addition, we have foreign
liaison representatives from two allied countries who assist in
coordinating international activities with our counterparts. A
representative from FAA is also scheduled to start at the end of June.
Additional representative from DoD, CIA, and NSA are also slated to
arrive in the near future. We are also expecting representatives from
local Washington area police departments on a part-time basis.
Some agencies were represented earlier but do not currently have
representatives. Circumstances necessitated the recall of the first
State Department representative. State agreed to do so, and has
committed to NIPC that it would replace him with two new
representatives. DoE's first representative rotated back after more
than two years. NIPC's understanding as to why this representative
rotated back is that he was at NIPC for a lengthy time and was needed
at DoE headquarters to assist in a DoE reorganization. DoE has
committed to replacing that detailee.
Secret Service earlier had two detailees to the NIPC, but recalled
those detailees and has not yet committed to replacing them. Secret
Service has not provided any written explanation for this, but in oral
discussions, Secret Service officials stated that USSS was not getting
additional funding for its electronic crimes program despite its
participation in NIPC; the FBI was receiving more media attention in
the cyber crime area; and NIPC had not ``referred'' cases to Secret
Service for investigation. NIPC offered any support it could give to
Secret Service in addressing budget requests; noted that NIPC public
statements often referred to partnership with USSS; and offered to do
more to support USSS initiatives with public statements and case
analyses. NIPC also stated (as discussed further below) that its role
is not to create and ``refer' 'cases; rather, cases generally originate
in Field Offices, and FBI and Secret Service field offices frequently
work computer crime cases together.
NIPC fully recognizes the value other agencies bring to the cyber
crime and infrastructure protection mission. That is why NIPC is an
interagency Center, and has senior managers from other agencies in
addition to investigators and analysts. For instance, the NIPC Deputy
Director is from DoD/OSD; the Section Chief of the Analysis and Warning
Section is from CIA; the Assistant Section Chief of the Computer
Investigations and Operations Section is from Air Force OSI; the Unit
Chief of the Analysis and Information Sharing Unit is from NSA; and the
Unit Chief of the Watch and Warning Unit is from the U.S. Navy. Secret
Service formally occupied the position of Assistant Section Chief of
the Training, Outreach, and Strategy Section. Recognition of the need
for other agency participation is also what drives NIPC to continually
seek additional representatives from other agencies. It is also
reflected in the numerous joint investigations that NIPC and FBI Field
Offices have been involved in with other agencies (as discussed further
below).
Question 5. How many criminal investigations have been referred
from the NIPC to these other agencies? Does the Center have operating
procedures to refer a case to another agency?
Answer 5. As a general matter, the NIPC does not ``refer'' cases.
Cases are normally initiated by a field office, whether a Field Office
of the FBI, the Secret Service, another federal agency, or a state or
local law enforcement agency. NIPC is the ``program manager'' of the
FBI's computer intrusion investigative program, and so receives
information about cases directly from the FBI Field Offices. Under PDD
63, other agencies are also supposed to report information about cyber
incidents to the NIPC. Sometimes, NIPC will receive the first report of
a cyber incident from a private company, a government agency, or
another source, and contact the appropriate FBI Field Office. If
another agency has concurrent investigative jurisdiction or some other
non-investigative interest, that agency will also be contacted (either
by the FBI Field Office of the NIPC. Where joint jurisdiction exists,
the FBI field office may work jointly with the relevant other agencies
(as discussed further below).
If an inquiry determines the complaint does not fall within the
investigative guidelines of the FBI, it may be referred by the field
office to another federal agency or to a state or local law enforcement
agency which has the authority to conduct such investigations. FBI
field offices develop liaison contacts with federal, state and local
agencies investigating similar violations under federal or state
statutes and complaints are disseminated through these liaison
contacts. There is no system established to track how many complaints
have been sent from FBI field offices to other law enforcement
agencies.
There have been, however, several instances in which the NIPC or an
FBI field office has contacted another agency to determine if that
agency wanted to conduct an investigation either jointly or separately,
but that agency declined. A couple of examples are listed below.
In May 2000, the FBIs Detroit Field Office referred a complaint to
the local Secret Service office regarding a denial of service attack
against NHL.com, going so far as to transfer the call from the FBI
field office to the Secret Service field office. The Secret Service
told the complainant that no one was in the office to receive the
complaint due to a visit of Texas Governor George W. Bush to Michigan.
The complainant then called the FBI again and the Detroit Field Office
took the complaint and assigned the matter for investigation.
Also in May 2000, based on FBI source information, the NIPC
notified the USSS headquarters that there may be a vulnerability with
the White House Webpage that gave the public access to all the files on
that server. The USSS advised that the system administrator may already
be aware of this. Neither the NIPC nor the FBI's Washington Field
Office has heard back from the USSS regarding this matter.
In another instance, the FBI's Williamsport, Resident Agency, part
of the Philadelphia Field Office, opened an investigation into a series
of computer intrusion into 10 companies resulting in the loss of
approximately 28,000 credit card numbers. During the initial
investigation, the FBI discovered that one of the victims located in
Buffalo, NY, had contacted the Secret Service and the USSS had opened a
case pertaining to the intrusion against the single victim company, but
was not investigating the larger set of thefts. The FBI contacted the
Secret Service Division in Buffalo, NY to coordinate the case, since
USSS already had a pending investigation. The FBI was told that due to
the Security Detail Duties for the First Lady, the USSS would be unable
to coordinate at the present time with the FBI on the case.
Question 6. In previous testimony before this subcommittee Mr.
Vatis has stated that the NIPC has referred approximately 800 cases for
criminal investigation. How many of these 800 cases actually involved a
real threat to our nation's critical infrastructure? Would you
categorize the recent Denial of Service attacks launched last month as
an attack on our nation's critical infrastructure?
Answer 6. In previous testimony before the subcommittee, the
approximate 800 number of cases that Mr. Vatis referenced were not
cases the NIPC ``referred,'' but was the number of computer intrusion,
denial of service, or virus cases pending in FBI field offices at the
time of testimony. As of May 1, 2000 there were 1,072 pending
investigative cases.
The nation's ``critical infrastructures'' are those physical and
cyber-based systems essential to the minimum operations of the economy
and government, including telecommunications, energy, banking and
finance, transportation, water systems and emergency services, both
governmental and private. One of the most difficult aspects of cyber
investigations is that it is not clear at the outset what the extent of
the threat, or the potential damage to networks, is. Each case must be
thoroughly investigated to determine the level of threat and
compromise. What seems like a relatively minor incident might turn out
to be very significant, and vice versa. This means that it is much more
difficult for field investigators to use traditional investigative
thresholds in determining how to utilize scarce resources. Moreover,
computer systems and networks employ trusted relationships between
other computer system and networks, based upon the users' privileges.
If a computer system or network is root-level (or super user) access
compromised, the threat potential is substantial, and could
theoretically pose a major threat to other trusted systems. This means
that ``critical infrastructure'' systems are often connected with, and
affected by, systems that are in and of themselves not critical.
The existing NIPC database does not classify cases by critical
infrastructure at this time. Thus of these 1,072 cases, there is no
methodology to determine which ultimately constitute a threat to our
nation's critical infrastructure. However, we can cite several
examples.
The Distributed Denial of Service (DDOS) attacks launched in
February of this year are a good example of the difficulty of
categorizing an attack as an ``infrastructure'' attack or some lesser
sort of attack. In a Distributed Denial of Services attack, not only
are the ``victim'' systems affected, but also the thousands of computer
systems and networks that were, unknowingly, infiltrated and used to
carry out the attack, and Internet Service Providers that were heavily
trafficked during the attack. All of the computer systems and networks
that participated in the attack were compromised. Moreover, even though
the effect of the attacks was relatively ephemeral and brief, the
knowledge gained by analyses of these attacks is critical to our
ability to protect against more devastating attacks in the future. If
the DDOS attacks had been directed against the major Internet hubs
rather than against primarily e-commerce companies, traffic on the
Internet could have been paralyzed, disrupting several of the critical
infrastructures that rely on the Internet for communication.
Question 7. Besides Solar Sunrise and Moonlight Maze, what other
joint investigations can you point to that demonstrate successful
interagency cooperation?
Answer 7. Since the founding of the NIPC in February 1998, there
are numerous cases which have demonstrated successful interagency
cooperation other than the significant Solar Sunrise and Moonlight Maze
cases. The importance of these two cases should not be overlooked,
however. Both represent significant milestones in building awareness of
the cyber threat among federal agencies and policymakers, demonstrated
significant vulnerabilities in DoD and other government systems, and
provided opportunities to test and improve the NIPC's processes for
interagency coordination.
The following cases represent a small sample of these cases which
have been successfully worked with other agencies:
DDOS: Numerous Internet commerce sites have been victimized by DDOS
attacks since February 7, 2000. These DDOS attacks prevented the
victims from offering their web services on the Internet to legitimate
users. A DDOS attack uses compromised computer networks to ``flood'' a
victim's computer network with massive amounts of data, which causes
the victim's computer network to become overwhelmed and to stop
operating. The DDOS attack investigation are investigations in seven
FBI field offices, five overseas Legal Attache offices, other
government agencies such as NASA, as well as the Royal Canadian Mounted
Police. Reflecting the extraordinary level of cooperation on these
investigations, on April 15, 2000, the Canadian officials arrested a
juvenile charging him with one of the attacks.
Curador: On March 1, 2000, a computer hacker using the name,
``Curador'', allegedly compromised multiple E-commerce websites in the
U.S., Canada, Thailand, Japan and the United Kingdom, and apparently
stole as many as 28,000 credit card numbers. Thousands of credit card
numbers and expiration dates were posted to various Internet websites.
On March 9, 2000, InternetNews reported that Curador stated, ``Law
enforcement couldn't hack their way out of a wet paper bag. They're
people who get paid to do nothing. They never actually catch anybody.''
After an extensive international investigation, on March 23, 2000, the
FBI assisted the Dyfed Powys (UK) Police Service in a search at the
residence of Curador; Curador, age 18, was arrested in the UK, along
with an apparent co-conspirator under the Computer Misuse Act 1990.
Under United Kingdom law, both males have been dealt with as adults.
Loss estimates are still being determined.
This case was predicated on the investigative work by the Dyfed
Powys Police Service, the Federal Bureau of Investigation, Internet
security consultants, the Royal Canadian Mounted Police, and the
international banking and credit card industry. This case illustrates
the benefits of law enforcement and private industry, around the world,
working together in partnership on computer crime investigations.
Burns: In August 1998, the FBI initiated an investigation on an
individual only known as ``zyklon,'' who conducted numerous computer
intrusions to various computer systems causing damages to websites, and
system files. The case was worked in cooperation with the Virginia
State Police. The investigation identified zyklon to be Eric Burns of
Shoreline, Washington. In February 1999, following an execution of a
search warrant, Burns confessed to the intrusions. In May 1999, Burns
also gained unauthorized access and defaced the webpage for the White
House website. At that point the FBI began working with the U.S. Secret
Service on the case. In September 1999, Burns pleaded guilty to one
count for violation of Title 18 USC Section 1030 (Computer Fraud and
Abuse) for one of the 1998 intrusions. In the plea agreement, Burns
also admitted his criminal activity into several other intrusions
including the White House website. In November 1999, Burns was
sentenced to 15 months in prison, 3 years supervised release and
$36,240 in restitution and a $100 fine.
Trifero: This investigation was worked jointly with the Middletown
Rhode Island Police Department, the state Office of the Inspector
General (OIG), National Aeronautics and Space Administration (NASA),
and the FBI. Sean Trifero compromised various company and University
computer systems, including systems maintained by Harvard University,
Amherst College, Internet Services of Central Florida, Aliant
Technologies, Arctic Slope Regional Corporation and Barrows Cable
Company. He would utilize these compromised systems to establish web
pages, E-Mail and Internet Relay Chat (IRC) Groups in the background of
the victim's computer system. Trifero would also provide others with
access to these compromised systems. On 10/6/1998, Trifero entered a
guilty plea in the District of Rhode Island, in connection with this
matter. On 2/22/1999, Trifero was sentenced in connection with his
guilty plea to five counts of violating Title 8 United States Code,
Section 1030. He was sentenced to: 12 months plus 1 day in jail;
$32,650.54 in restitution; $500 special assessment; three years
supervised release; five hours/wk community service for 36 months; use
of the Internet, but no contact with members of any hacking/cracking
group.
Mewhiney: Throughout 1996, National Oceanic and Atmospheric
Administration (NOAA) suffered several computer intrusions which were
also linked to intrusions occurring at the National Aeronautics and
Space Administration (NASA). These computer intrusions continued
through 1997. The FBI worked the case jointly with NOAA, NASA, and the
Canadian authorities and identified the subject, Jason G. Mewhiney, who
resided in Canada. The original damage assessment that Mewhiney had
caused, exceeded $40,000. In April 1999, Jason G. Mewhiney was indicted
by Canadian authorities. In January 2000, Mewhiney pleaded guilty to 12
counts of intrusions which included violations spanning from May 1996
through April 1997, of destroyed/altered data and intrusions with the
intent to damage. In the Canadian Superior Court of Justice, Mewhiney
was sentenced to 6 months in jail for each of the counts to run
concurrently.
Bliss: In February, 1998, the FBI opened an investigation to assist
the U.S. Air Force and U.S. Navy regarding multiple computer
intrusions. The case was worked jointly with the U.S. Naval Criminal
Investigative Service and Florida State Attorney's Office in
Jacksonville, FL. The subject was identified as Jesse Le Bliss, a
student of the University of North Florida. On August 21, 1998, Bliss
pleaded guilty to one felony count for violation of Florida State
Statute 815.06 entitled, Offenses Against Computer Users. On September
19, 1998, Bliss was sentenced in the Fourth Judicial Circuit, State of
Florida, to six months house arrest followed by three years probation,
200 hours of community service, and a written letter of apology to the
Commandant of the United States Marine Corps.
CD Universe: One pending case being worked by the FBI's New Haven
Division and the U.S. Secret Service has been widely reported in the
press, due to statements made to reporters by the alleged perpetrator.
In December 1999, the FBI's New Haven Division opened a case into the
intrusions into the computers of CD Universe, an on-line music seller,
and the theft of customers' credit card numbers and a related extortion
attempt. Because of the credit card aspect, the FBI called the USSS to
ask if USSS wanted to investigate jointly. The USSS declined. In
January 8, 2000, the New York Times ran a front page story about the
case, based on conversations between the reporter and the alleged
perpetrator. Subsequently, USSS called the FBI back and requested to
work the case jointly. That case is still pending.
OTHER
There are other investigations that are being conducted with other
agencies, however further details may adversely impact the
investigation due to their pending status. There are currently 47
pending investigative cases which are being worked jointly between the
FBI and the multiple entities of the Department of Defense. An
additional 58 cases were investigated jointly with other entities that
are now in closed status.
______
Responses of Louis J. Freeh to Questions From Senator Dianne Feinstein
Question 1. Under Presidential Decision Directive 63 (PDD 63), the
* * * [sic * * * NIPC] * * * is supposed to take the lead in warning
of, investigating, and responding to threats to or attacks on this
country's critical infrastructures. NIPC includes representatives from
the FBI and other law enforcement agencies. You testified that the NIPC
has improved the FBI's ability to right cybercrime and that the FBI
closed 912 cybercrime cases in the Fiscal Year 1999 and had 834 pending
cybercrime cases that year.
How many of the 912 closed cases involved threats to or attacks on
our nations's critical infrastructures? Were these cases really a
threat to our national security? What about the pending cases? How many
involved threats to or attacks on our nation's critical
infrastructures?
Answer 1. The nation's ``critical infrastructure'' are those
physical and cyber-based systems essential to the minimum operations of
the economy and government, including telecommunications, energy,
banking and finance, transportation, water systems and emergency
services, both governmental and private. One of the most difficult
aspects of cyber investigations is that it is not clear at the outset
what the extent of the threat, or the potential damage to networks, is.
Each case must be thoroughly investigated to determine the level of
threat and compromise. What seems like a relatively minor incident
might turn out to be very significant, and vice versa. This means that
it is much more difficult for field investigators to use traditional
investigative thresholds in determining how to utilize scarce
resources. Moreover, computer systems and networks employ trusted
relationships between other computer system and networks, based upon
the users' privileges. If a computer system or network is root-level
(or super user) access compromised, the threat potential is
substantial, and could theoretically pose a major threat to other
trusted systems. This means that ``critical infrastructure'' systems
are often connected with, and affected by, systems that are in and of
themselves not critical.
The existing NIPC database does not classify cases by critical
infrastructure at this time. Thus, there is no methodology to determine
which cases ultimately constitute a threat to our nation's critical
infrastructure.
The Distributed Denial of Service (DDOS) attacks launched in
February of this year are a good example of the difficulty of
categorizing an attack as an ``infrastructure'' attack or some lesser
sort of attack. In a Distributed Denial of Services attack, not only
are the ``victim'' systems affected, but also the thousands of computer
systems and networks that were, unknowingly, infiltrated and used to
carry out the attack, and Internet Service Providers that were heavily
trafficked during the attack. All of the computer systems and networks
that participated in the attack were compromised. Moreover, even though
the effect of the attacks was relatively ephemeral and brief, the
knowledge gained by analyses of these attacks is critical to our
ability to protect against more devastating attacks in the future. If
the DDOS attacks had been directed against the major Internet hubs
rather than against primarily e-commerce companies, traffic on the
Internet could have been paralyzed, disrupting several of the critical
infrastructures that rely on the Internet for communication.
Question 2. In testimony last February 16, you said that the FBI
was producing ``fast-developing leads'' and that a break in the case
was imminent. A couple of weeks later, Michael Vatis, director of NIPC,
suggested that in fact agents were making slow progress in the case.
How would you assess progress in the case now?
Answer 2. In fact, the testimonies of FBI Director Freeh and NIPC
Director Vatis were entirely consistent. Both cited the difficulties in
conducting cyber crime investigations, but both also expressed optimism
about the prospects for a successful resolution of the case. Director
Freeh's February 16 testimony for the record contained the following
remarks about the DDOS investigation:
On February 8, 2000, the FBI received reports that Yahoo had
experienced a denial of service attack. In a display of the
close cooperative relationship the NIPC has developed with the
private sector, in the days that followed, several other
companies also reported denial of service outages. These
companies cooperated with our National Infrastructure
Protection and Computer Intrusion squads in the FBI field
offices and provided critical logs and other information.
Still, the challenges to apprehending the suspects are
substantial. In many cases, the attackers used ``spoofed'' IP
addresses, meaning that the address that appeared on the
target's log was not the true address of the system that sent
the messages.
The resources required in these investigations can be
substantial. Already we have five FBI field offices with cases
opened: Los Angeles, San Francisco, Atlanta, Boston, and
Seattle. Each of these offices has victim companies in its
jurisdiction. In addition, so far seven field offices are
supporting the five offices that have opened investigations.
The NIPC is coordinating the nationwide investigative effort,
performing technical analysis of logs from victims sites and
Internet Service Providers, and providing all-source analytical
assistance to field offices. Agents from these offices are
following up literally hundreds of leads. While the crime may
be high tech, investigating it involves a substantial amount of
traditional police work as well as technical work. For example,
in addition to following up leads, NIPC personnel need to
review an overwhelming amount of log information received from
the victims. Much of this analysis needs to be done manually.
Analysts and agents conducting this analysis have been drawn
off other case work. In the coming years we expect our case
load to substantially increase. (Emphases added.)
NIPC Director Vatis' February 29 testimony for the record contained
the following statement about the DDOS investigation:
On February 8, 2000, the NIPC received reports that Yahoo had
experienced a denial of service attack. In a display of the
close cooperative relationship that we have developed with the
private sector, in the days that followed, several other
companies (including Cable News Network, eBay, Amazon.com,
Buy.com, and ZDNET), also reported denial of service outages to
the NIPC or FBI field offices. These companies cooperated with
us by providing critical logs and other information. Still, the
challenges to apprehending the suspects are substantial. In
many cases, the attackers used ``spoofed'' IP addresses,
meaning that the address that appeared on the target's log was
not the true address of the system that sent the messages. In
addition, many victims do not keep complete network logs.
The resources required in an investigation of this type are
substantial. Companies have been victimized or used as ``hop
sites'' in numerous places across the country, meaning that we
must deploy special agents nationwide to work leads. We
currently have seven FBI field offices with cases opened and
all the remaining offices are supporting the offices that have
opened cases. Agents from these offices are following up
literally hundreds of leads. The NIPC is coordinating the
nationwide investigative effort, performing technical analysis
of logs from victims sites and Internet Service Providers
(ISPs), and providing all-source analytical assistance to field
offices. Moreover, parts of the evidentiary trail have led
overseas, requiring us to work with our foreign counterparts in
several countries through our Legal Attaches (LEGATs) in U.S.
embassies.
While the crime may be high tech, investigating it involves a
substantial amount of traditional investigative work as well as
highly technical work. Interviews of network operators and
confidential sources can provide very useful information, which
leads to still more interviews and leads to follow-up. And
victim sites and ISPs provide an enormous amount of log
information that needs to be processed and analyzed by human
analysts.
Despite these challenges, I am optimistic that the hard work
of our agents, analysts, and computer scientists; the excellent
cooperation and collaboration we have with private industry and
universities; and the teamwork we are engaged in with foreign
partners will in the end prove successful. (Emphases added.)
Indeed, the FBI's investigation, conducted in close coordination
with the Royal. Canadian Mounted Police, very quickly had resulted in
the identification of one subject in Canada. Because additional
evidence needed to be gathered by the RCMP in the DDOS case and in
another matter that came to light during the RCMP's investigation, the
subject could not be immediately arrested, and the investigation's
progress could not be discussed publicly. However, on April 15, the
RCMP executed a search warrant and arrested a juvenile charging him
with one of the attacks.
We would therefore assess the progress in this case as substantial
and, indeed, unprecedented in a case of this scope and nature. The
investigation continues into the attacks on DDOS victims, and we
believe good progress continues to be made.
Question 3. In testimony last February 16, you suggested that the
FBI's resources ``are stretched paper-thin'' because of the lack of
high-caliber government forensic computer experts. How much has this
contributed to the government's lack of success in catching the
perpetrators of the February cyber attacks?
Answer 3. As discussed above, substantial progress in fact has been
made in the DDOS investigation, with one subject already identified in
Canada.
That said, given the explosive growth in computer crimes, our
existing resources both in the Computer Analysis Response Team and in
the NIPC and the related field office National Infrastructure
Protection and Computer Intrusion Program are indeed stretched paper
thin.
The Laboratory Division's CART team supports the investigation of
any sort of criminal investigation in which evidence might be found on
a computer (such as a drug trafficker's accounts) by conducting
computer forensic examinations on seized media. The Lab's technically
trained agents develop, deploy, and support equipment to perform Title
III and FISA interceptions of data communications on the Internet.
Staff in both of these areas (forensics and engineering support) is
extremely stretched because these agents are tasked with providing
support not only for cyber crimes, but all traditional crimes in which
digital evidence may be present or data interception required.
The FBI's CART program, consisting of agents and analysts who
examine digital medial in order to gather evidence, is not able to keep
up with the increasing workload. The following is a summary of current
and future trends assuming that the FBI Laboratory is funded for all
pending budget requests:
CART Capacity and Backlog
----------------------------------------------------------------------------------------------------------------
Backlog
Year FTE Capacity Exam Case Time
Staffing Requests Backlog (Months)
----------------------------------------------------------------------------------------------------------------
1999........................................... 95 1900 3500 1600 10.1
2000........................................... 104 2080 5000 2920 16.8
2001........................................... 154 3080 6000 2920 11.4
2002........................................... 213 4260 8500 4240 11.9
----------------------------------------------------------------------------------------------------------------
In addition, the FBIs Laboratory Division currently provides
support not only for FBI cases, but also for the Drug Enforcement
Administration and the Immigration and Naturalization Service.
The NIPC and the field office NIPCIP squads are responsible for
conducting investigations of cyber attacks, including computer
intrusions, viruses, and denials of service. The NIPC currently has 193
FBI Special Agents in the field offices investigating approximately
1200 computer intrusion and other ``NIPCIP'' cases. Only 16 Field
Offices have full squads of seven or more agents. The other field
offices have only 1 to 5 agents, who are responsible for not only cyber
investigations, but also for industry liaison, the InfraGard
Initiative, the Key Asset Initiative, and support to other
investigative programs. Further, the NIPC lacks sufficient computer
scientists and analysts to support the field office investigations. For
instance, it has only 7 network analysts/electrical engineers to
support investigations such as DDOS attacks.
The NIPC's and Field Office resources have remained relatively
static. The NIPC Headquarters budget for fiscal years 99-01 has been as
follows:
Fiscal Year Budget Authority
1999...................................... 29,057,000 (included one-
year funding of $10 million
for special contingencies
in Attorney General's
Counter-terrorism Fund)
2000...................................... 19,855,000
2001 requested............................ 20,396,000
Meanwhile, our pending case load has grown rapidly.
Fiscal Year Pending Case Load at End of
Fiscal Year
1998...................................... 601
1999...................................... 801
2000 (as of May 1)........................ 1072
Clearly, then, resources have not kept pace with the crime problem.
Evidence gathering for computer intrusions mandates a prompt
response because the digital evidence trail can disappear so quickly.
The complexity of documenting, examining and analyzing the tremendous
amount of information that is necessarily collected in these types of
cases and its very technical nature requires investigators, examiners,
and analysts with extremely specific skills and experience. Because of
the technical nature of this crime, it is difficult, if not impossible,
to temporarily assign additional Special Agents to an investigation
since a special technical skill set is required to investigate such
matters.
Staff shortages impede not only our ability to conduct
investigations adequately, but also to quickly obtain information,
conduct analyses, and craft and issue appropriate warnings and alerts.
This makes the Indications and Warning mission much more difficult to
perform.
Question 4. Some have argued that the high-profile February attacks
on Yahoo, eBay, and other companies were just a diversion, allowing the
hackers to focus on making smaller, intrusive attacks on smaller sites.
Have you found any evidence for this contention?
Answer 4. No. There are individuals and groups who do focus on
planning and executing more intrusive attacks, often for the sake of
stealing information or money, but we have not seen any correlation
between such intrusions and the February DDOS attacks.
Question 5. Why don't you think industry can solve this problem
itself?
Answer 5. The Internet was not designed with security as the
foremost consideration. Moreover, until very recently, security was not
a major priority of either hardware/software manufacturers or
consumers. As a result, networks are still rife with vulnerabilities.
Improving security on the Internet is thus first and foremost the
responsibility of industry. Government must protect its own systems,
and can assist industry by providing information about threats and
vulnerabilities that we are aware of, and the NIPC does that. But it is
industry's responsibility to secure privately owned systems.
Even if systems were more secure, however, there would inevitably
be some amount of computer crime committed on the Internet--including
not just intrusions, denials of service, and viruses, but also
traditional crimes perpetrated over the Internet such as fraud and
dissemination of child pornography. As long as crime exists, the public
will expect law enforcement to investigate and apprehend the
perpetrators. And effective law enforcement is a key element in any
strategy to deter further criminal activity. Thus, industry and law
enforcement must work closely together.
Question 6. How big a problem is this for the FBI? Do you believe
that there are important cyber attacks that are never investigated by
law enforcement because the attacked companies refuse to report them?
Answer 6. The vulnerabilities that permeate the industry are a big
problem for the FBI and other law enforcement agencies because they
make it so easy for crimes to be committed. This accounts in part for
the tremendous growth in our case load. For us to be able adequately to
address this still growing crime problem, our resources must keep pace.
Otherwise, we will not be able to meet the public's demand for
effective law enforcement online.
It is impossible to know how many cases have not been reported by
companies. We do believe, however, that our outreach efforts are
resulting in greater trust by industry in law enforcement's ability to
successfully investigate cases while preserving confidentiality and
allowing continued business operations. This, in turn, leads more
companies to report incidents to law enforcement. We continue to work
hard at building that trust, which is critical to our ability to
address the crime problem.
Question 6a. How much cooperation do you get from industry? What
can Congress do to improve cooperation and coordination between
industry and, law enforcement?
Answer 6a. As discussed above, we are making substantial progress
in our relations with industry. Despite the oft-repeated remarks of
``security experts'' in the media, who are interested in having
companies report to them instead of to law enforcement, more and more
companies are reporting incidents to the FBI. The good cooperation we
received from DDOS victims in February is a good example of this. One
reason why this cooperation is not well known is that the FBI maintains
the confidentiality of those who desire it. The FBI is also building
its InfraGard program to promote dialogue and cooperation among
industry players and between industry and the government. These
chapters are based around the FBI field offices. Congress can best
support these endeavors by providing the resources necessary to support
and expand our various initiatives.
Question 6b. Do you support a FOLA exemption for industry?
Answer 6b. The FBI has been informed by many in industry that they
fear that FOIA does not provide the clear, concise and explicit
protection from disclosure of information they might provide to the
government relative to cybercrime incidents. The FBI's review of both
the statute and its case law interpretation supports the reasonable
belief that existing FOIA provisions do provide some significant
protections against disclosure of such information such as data which
is classified in the interests of national security, information
compiled for law enforcement purposes and commercial proprietary
information voluntarily submitted to the government by industry with
the expectation that it remain confidential. Still, it must be
acknowledged that, if the objective is to encourage increased
information sharing between the private and public sectors, perception
may be more important than reality. For this reason alone, the FBI
favors clarifying FOIA law to any extent necessary to provide industry
with the confidence it needs to encourage its voluntarily disclosure of
critical infrastructure information to federal, state and local
governments.
______
Responses of Louis J. Freeh to Questions From Senator Charles E.
Grassley
Question 1. Of the 800 cases referred for criminal investigation in
fiscal year 1999 from the NIPC, what percentage of these cases were
referred to other agencies, other than the FBI, for continued
investigation and possible criminal prosecution?
Answer 1. As a general matter, the NIPC does not ``refer'' cases.
Cases are normally initiated by a field office, whether a Field Office
of the FBI, the Secret Service, another federal agency, or a state or
local law enforcement agency. NIPC is the ``program manager'' of the
FBI's computer intrusion investigative program, and so receives
information about cases directly from the FBI Field Offices. Under PDD
63, other agencies are also supposed to report information about cyber
incidents to the NIPC. Sometimes, NIPC will receive the first report of
a cyber incident from a private company, a government agency, or
another source, and contact the appropriate FBI Field Office. If
another agency has concurrent investigative jurisdiction or some other
non-investigative interest, that agency will also be contacted (either
by the FBI Field Office of the NIPC). Where joint jurisdiction exists,
the FBI field office may work jointly with the relevant other agencies
(as discussed further below).
If an inquiry determines the complaint does not fall within the
investigative guidelines of the FBI, it may be referred by the field
office to another federal agency or to a state or local law enforcement
agency which has the authority to conduct such investigations. FBI
field offices develop liaison contacts with federal, state and local
agencies investigating similar violations under federal or state
statutes and complaints are disseminated through these liaison
contacts. There is no system established to track how many complaints
have been sent from FBI field offices to other law enforcement
agencies.
There have been, however, several instances in which the NIPC or an
FBI field office has contacted another agency to determine if that
agency wanted to conduct an investigation either jointly or separately,
but that agency declined. A couple of examples are listed below.
In May 2000, the FBI's Detroit Field Office referred a complaint to
the local Secret Service office regarding a denial of service attack
against NHL.com, going so far as to transfer the call from the FBI
field office to the Secret Service field office. The Secret Service
told the complainant that no one was in the office to receive the
complaint due to a visit of Texas Governor George W. Bush to Michigan.
The complainant then called the FBI again and the Detroit Field Office
took the complaint and assigned the matter for investigation.
Also in May 2000, based on FBI source information, the NIPC
notified the USSS headquarters that there may be a vulnerability with
the White House Webpage that gave the public access to all the files on
that server. The USSS advised that the system administrator may already
be aware of this. Neither the NIPC nor the FBI's Washington Field
Office has heard back from the USSS regarding this matter.
In another instance, the FBI's Williamsport, Resident Agency, part
of the Philadelphia Field Office, opened an investigation into a series
of computer intrusion into 10 companies resulting in the loss of
approximately 28,000 credit card numbers. During the initial
investigation, the FBI discovered that one of the victims located in
Buffalo, NY, had contacted the Secret Service and the USSS had opened a
case pertaining to the intrusion against the single victim company, but
was not investigating the larger set of thefts. The FBI contacted the
Secret Service Division in Buffalo, NY to coordinate the case, since
USSS already had a pending investigation. The FBI was told that due to
the Security Detail Duties for the First Lady, the USSS would be unable
to coordinate at the present time with the FBI on the case.
In addition, the FBI has worked, and continues to work, many
investigations jointly with other agencies. Two notable examples
include Solar Sunrise and Moonlight Maze. Both cases involved extensive
intrusions into Department of Defense and other government agency
computer networks. The investigations involved an NIPC-coordinated
investigation involving numerous law enforcement, intelligence, and
defense agencies, as well as foreign law enforcement agencies.
Beyond those examples, the following are other instances of joint
investigations.
DDOS: Numerous Internet commerce sites have been victimized by DDOS
attacks since February 7, 2000. These DDOS attacks prevented the
victims from offering their web services on the Internet to legitimate
users. A DDOS attack uses compromised computer networks to ``flood'' a
victim's computer network with massive amounts of data, which causes
the victim's computer network to become overwhelmed and to stop
operating. The DDOS attack investigation are investigations in seven
FBI field offices, five overseas Legal Attache offices, other
government agencies such as NASA, as well as the Royal Canadian Mounted
Police. Reflecting the extraordinary level of cooperation on these
investigations, on April 15, 2000, the Canadian officials arrested a
juvenile charging him with one of the attacks.
Curador: On March 1, 2000, a computer hacker using the name,
``Curador'', allegedly compromised multiple E-commerce websites in the
U.S., Canada, Thailand, Japan and the United Kingdom, and apparently
stole as many as 28,000 credit card numbers. Thousands of credit card
numbers and expiration dates were posted to various Internet websites.
On March 9, 2000, InternetNews reported that Curador stated, ``Law
enforcement couldn't hack their way out of a wet paper bag. They're
people who get paid to do nothing. They never actually catch anybody.''
After an extensive international investigation, on March 23, 2000, the
FBI assisted the Dyfed Powys (UK) Police Service in a search at the
residence of Curador; Curador, age 18, was arrested in the UK, along
with an apparent co-conspirator under the Computer Misuse Act 1990.
Under United Kingdom law, both males have been dealt with as adults.
Loss estimates are still being determined.
This case was predicated on the investigative work by the Dyfed
Powys Police Service, the Federal Bureau of Investigation, Internet
security consultants, the Royal Canadian Mounted Police, and the
international banking and credit card industry. This case illustrates
the benefits of law enforcement and private industry, around the world,
working together in partnership on computer crime investigations.
Burns: In August 1998, the FBI initiated an investigation on an
individual only known as ``zyklon,'' who conducted numerous computer
intrusions to various computer systems causing damages to websites and
system files. The case was worked in cooperation with the Virginia
State Police. The investigation identified zyklon to be Eric Burns of
Shoreline, Washington. In February 1999, following an execution of a
search warrant, Burns confessed to the intrusions. In May 1999, Burns
also gained unauthorized access and defaced the webpage for the White
House website. At that point the FBI began working with the U.S. Secret
Service on the case. In September 1999, Burns pleaded guilty to one
count for violation of Title 18 USC Section 1030 (Computer Fraud and
Abuse) for one of the 1998 intrusions. In the plea agreement, Burns
also admitted his criminal activity into several other intrusions
including the White House website. In November 1999, Burns was
sentenced to 15 months in prison, 3 years supervised release and
$36,240 in restitution and a $100 fine.
Trifero: This investigation was worked jointly with the Middletown
Rhode Island Police Department, the state Office of the Inspector
General (OIG), National Aeronautics and Space Administration (NASA),
and the FBI. Sean Trifero compromised various company and University
computer systems, including systems maintained by Harvard University,
Amherst College, Internet Services of Central Florida, Aliant
Technologies, Arctic Slope Regional Corporation and Barrows Cable
Company. He would utilize these compromised systems to establish web
pages, E-Mail and Internet Relay Chat (IRC) Groups in the background of
the victim's computer system. Trifero would also provide others with
access to these compromised systems. On 10/6/1998, Trifero entered a
guilty plea in the District of Rhode Island, in connection with this
matter. On 2/22/1999, Trifero was sentenced in connection with his
guilty plea to five counts of violating Title 18 United States Code,
Section 1030. He was sentenced to: 12 months plus 1 day in jail;
$32,650.54 in restitution; $500 special assessment; three years
supervised release; five hours/wk community service for 36 months; use
of the Internet, but no contact with members of any hacking/cracking
group.
Mewhiney: Throughout 1996, National Oceanic and Atmospheric
Administration (NOAA) suffered several computer intrusions which were
also linked to intrusions occurring at the National Aeronautics and
Space Administration (NASA). These computer intrusions continued
through 1997. The FBI worked the case jointly with NOAA, NASA, and the
Canadian authorities and identified the subject, Jason G. Mewhiney, who
resided in Canada. The original damage assessment that Mewhiney had
caused, exceeded $40,000. In April 1999, Jason G. Mewhiney was indicted
by Canadian authorities. In January 2000, Mewhiney pleaded guilty to 12
counts of intrusions which included violations spanning from May 1996
through April 1997, of destroyed/altered data and intrusions with the
intent to damage. In the Canadian Superior Court of Justice, Mewhiney
was sentenced to 6 months in jail for each of the counts to run
concurrently.
Bliss: In February, 1998, the FBI opened an investigation to assist
the U.S. Air Force and U.S. Navy regarding multiple computer
intrusions. The case was worked jointly with the U.S. Naval Criminal
Investigative Service and Florida State Attorney's Office in
Jacksonville, FL. The subject was identified as Jesse Le Bliss, a
student of the University of North Florida. On August 21, 1998, Bliss
pleaded guilty to one felony count for violation of Florida State
Statute 815.06 entitled, Offenses Against Computer Users. On September
19, 1998, Bliss was sentenced in the Fourth Judicial Circuit, State of
Florida, to six months house arrest followed by three years probation,
200 hours of community service, and a written letter of apology to the
Commandant of the United States Marine Corps.
CD Universe: One pending case being worked by the FBI's New Haven
Division and the U.S. Secret Service has been widely reported in the
press, due to statements made to reporters by the alleged perpetrator.
In December 1999, the FBI's New Haven Division opened a case into
intrusions into the computers of CD Universe, an on-line music seller,
and the theft of customers' credit card numbers and a related extortion
threat. Because of the credit card aspect, the FBI called the USSS to
ask if USSS wanted to investigate jointly. The USSS declined. In
January 2000, the New York Times ran a front page story about the case,
based on conversations between the reporter and the alleged
perpetrator. Subsequently, USSS called the FBI back and requested to
work the case jointly. That case is still pending.
OTHER
There are other investigations that are being conducted with other
agencies, however further details may adversely impact the
investigation due to their pending status. There are currently 47
pending investigative cases which are being worked jointly between the
FBI and the multiple entities of the Department of Defense. An
additional 58 cases were investigated jointly with other entities that
are now in closed status.
Question 2. If some of the referred cases are potential violations
that are traditionally enforced and investigated by other agencies,
please describe your mechanisms and procedures that allow for cyber
investigations to be conducted by those particular law enforcement
agencies (other than the FBI).
Answer 2. The primary statute used by the FBI in computer intrusion
investigations is Title 18, USC, 1030. Under this statute, the FBI has
broad authority to investigate computer crime offenses. In instances
where the computer crime does not meet FBI jurisdiction, the local FBI
field office will refer the complainant to the appropriate law
enforcement agency (federal, state, or local) which has authority to
conduct the investigation. On other occasions, the FBI may continue to
work a matter jointly with another law enforcement agency, even if they
do not have primary jurisdiction, to provide needed resources and
technical expertise. FBI field offices develop liaison contacts with
state and local agencies investigating similar violations under state
statutes and complaints are disseminated through these liaison
contacts. The above cited credit card case is an example of how the FBI
field offices make direct contact with their counterpart field offices,
such as US Secret Service, to coordinate aspects of an investigation.
Question 3. Please specifically cite the number of NIPC referred
cases that have a direct impact or posed a threat on the nation's
critical infrastructures.
Answer 3. The nation's ``critical infrastructures'' are those
physical and cyber-based systems essential to the minimum operations of
the economy and government, including telecommunications, energy,
banking and finance, transportation, water systems and emergency
services, both governmental and private. One of the most difficult
aspects of cyber investigations is that it is not clear at the outset
what the extent of the threat, or the potential damage to networks, is.
Each case must be thoroughly investigated to determine the level of
threat and compromise. What seems like a relatively minor incident
might turn out to be very significant, and vice versa. This means that
it is much more difficult for field investigators to use traditional
investigative thresholds in determining how to utilize scarce
resources. Moreover, computer systems and networks employ trusted
relationships between other computer system and networks, based upon
the users' privileges. If a computer system or network is root-level
(or super user) access compromised, the threat potential is
substantial, and could theoretically pose a major threat to other
trusted systems. This means that ``critical infrastructure'' systems
are often connected with, and affected by, systems that are in and of
themselves not critical.
The existing NIPC database does not classify cases by critical
infrastructure at this time. Thus, there is no methodology to determine
which cases ultimately involve a threat to our nation's critical
infrastructure.
The Distributed Denial of Service (DDOS) attacks launched in
February of this year are a good example of the difficulty of
categorizing an attack as an ``infrastructure'' attack or some lesser
sort of attack. In a Distributed Denial of Services attack, not only
are the ``victim'' systems affected, but also the thousands of computer
systems and networks that were, unknowingly, infiltrated and used to
carry out the attack, and Internet Service Providers that were heavily
trafficked during the attack. All of the computer systems and networks
that participated in the attack were compromised. Moreover, even though
the effect of the attacks was relatively ephemeral and brief, the
knowledge gained by analyses of these attacks is critical to our
ability to protect against more devastating attacks in the future. If
the DDOS attacks had been directed against the major Internet hubs
rather than against primarily e-commerce companies, traffic on the
Internet could have been paralyzed, disrupting several of the critical
infrastructures that rely on the Internet for communication.
Question 4. Please describe the job description and agency of any
state and local law enforcement officials currently assigned to NIPC on
a full time basis at FBI Headquarters.
Answer 4. The FBI currently has one local law enforcement officer
assigned to the NIPC. He is from the Tuscaloosa County Sheriffs
Department and his principal job is to work on outreach initiatives to
state and local law enforcement as part of the FBI'S responsibility as
the ``Lead Agency'' to work with the ``Emergency Law Enforcement
Services Sector'' under PDD-63. He has also participated in the
delivery of training to field investigators under our Key Asset
Initiative. This representative replaced an earlier representative from
the Oregon State Police, who rotated back to his home agency. The NIPC
is also in discussions with several Washington, D.C. area police
departments about having officers detailed to the NIPC on a full- or
part-time basis.
Question 5. Please describe any private sector representatives,
past or present, who voluntarily participate in the Center to
facilitate sharing of information between NIPC and the private
infrastructure owners and operators.
Answer 5. The NIPC works on a daily basis with private sector
representatives to share information. This occurs through such
initiatives as InfraGard, which provides information to infrastructure
owners and operators on a daily basis, and the pilot project for
Indications and Warning that the NIPC has established with the
electrical power sector under the auspices of NERC, and the Key Asset
Initiative. It also occurs on a case by case basis as we disseminate
targeted or general alerts or warnings to industry. The NIPC also works
closely with private sector contractors who assist with technical
analysis and information sharing.
In addition, the NIPC is working with the Information Technology
Association of America to bring private sector representatives into the
Center for a period of time as ``detailees.'' That is part of a
cybercrime initiative sponsored by the ITAA and the Attorney General.
Question 6. Please describe any private sector representatives that
are hired and paid by NIPC funds.
Answer 6. The NIPC has hired contractors to support our work in
analyzing cyber intrusions into the infrastructures as well as to
provide technical support to our investigations. In addition, a
representative from Sandia National Laboratories, has been working at
the Center. The NIPC has been reimbursing the Department of Energy
under the Interagency Personnel Act for the cost of this detailee's
contract.
Question 7. On page 16 of your written testimony, you state: ``the
FBI, on behalf of the law enforcement community should enhance its
technical capabilities (encrypted evidence).'' Shouldn't all law
enforcement agencies, from federal to state require this capability to
accomplish the NIPC mission?
Answer 7. As noted on page 16 of the written testimony, the law
enforcement community is extremely concerned about the serious public
safety threat posed by the proliferation and use of strong,
commercially-available encryption products that do not allow for law
enforcement access to the plaintext of encrypted, criminally-related
evidence obtained through court-authorized electronic surveillance and/
or search and seizure. The potential use of such non-recoverable
encryption products by a vast array of criminals and terrorists to
conceal their criminally-related communications and/or electronically
stored information poses an extremely serious threat to public safety
and national security.
In order to address this serious threat and as noted in the written
testimony, it is imperative that law enforcement enhance it technical
capabilities in the area of plaintext access to encrypted evidence. As
part of the government's approach to the encryption issue, the
Administration has expressed support for and has proposed the creation
of a law enforcement Technical Support Center within the FBI for the
purpose of providing the entire law enforcement community with urgently
needed plaintext access technical capabilities necessary to fulfill its
investigative responsibilities in light of the proliferation of strong,
commercially-available encryption products within the U.S. In fact,
included in the Administration's Cyberspace Electronic Security Act of
1999 which was forwarded to the Congress last September is a provision
that authorizes to be appropriated $80 million to the FBI for the
creation of the Technical Support Center, which will serve as a
centralized technical resource for federal, state and local law
enforcement in responding to the ever increasing use of encryption by
subjects of criminal cases.
The TSC is envisioned as an expansion of the FBI's Engineering
Research Facility (ERF) to take advantage of ERFs existing
institutional and technical expertise in this area. This approach
represents a cost effective, non-duplicative and efficient means of
provide every U.S. law enforcement agency with access to technical
capabilities needed to address lawfully seized encrypted evidence and
is supported by the International Association of Chiefs of Police, the
National Sheriffs Association and the National District Attorney
Association as well as the Information technology industry.
Question 8. Please describe which agencies were in the past
participating in the NIPC, but are no longer members. Describe the
reasons given by those agencies to the FBI for their withdrawal from
participation.
Answer 8. One of the difficulties in attempting to operate an
interagency Center is ensuring that all relevant agencies participate.
Agencies have not received direct funding to participate in the Center,
and so must take detailees to the NIPC out of existing personnel
resources. In addition, personnel with cyber expertise are
unfortunately in very short supply, meaning that agencies must commit
to take scarce resources and send them outside their agencies. Despite
these impediments, numerous agencies have sent detailees to the NIPC,
including: Defense/Office of the Secretary of Defense; Central
Intelligence Agency; National Security Agency; Air Force Office of
Special Investigations; U.S. Navy; U.S. Army; U.S. Postal Service;
Defense Criminal investigative Service; General Services
Administration; U.S. Air Intelligence Agency; Department of Commerce,
and the Tuscaloosa, AL Sheriff's office. In addition, we have foreign
liaison representatives from two allied countries who assist in
coordinating international activities with our counterparts. A
representative from FAA is also scheduled to start at the end of June.
Additional representative from DoD, CIA, and NSA are also slated to
arrive in the near future. We are also expecting representatives from
local Washington area police departments on a part-time basis.
Some agencies were represented earlier but do not currently have
representatives. Circumstances necessitated the recall of the first
State Department representative. State agreed to do so, and has
committed to NIPC that it would replace him with two new
representatives. DoE's first representative rotated back after more
than two years. NIPC's understanding as to why this representative
rotated back is that he was at NIPC for a lengthy time and was needed
at DoE headquarters to assist in a DOE reorganization. DoE has
committed to replacing that detailee.
Secret Service earlier had two detailees to the NIPC, but recalled
those detailees and has not yet committed to replacing them. Secret
Service has not provided any written explanation for this, but in oral
discussions, Secret Service officials stated that USSS was not getting
additional funding for its electronic crimes program despite its
participation in NIPC; the FBI was receiving more media attention in
the cyber crime area; and NIPC had not ``referred'' cases to Secret
Service for investigation. NIPC offered any support it could give to
Secret Service in addressing budget requests; noted that NIPC public
statements often referred to partnership with USSS; and offered to do
more to support USSS initiatives with public statements and case
analyses. NIPC also stated (as discussed further below) that its role
is not to create and ``refer'' cases; rather, cases generally originate
in Field Offices, and FBI and Secret Service field offices frequently
work computer crime cases together.
NIPC fully recognizes the value other agencies bring to the cyber
crime and infrastructure protection mission. That is why NIPC is an
interagency Center, and has senior managers from other agencies in
addition to investigators and analysts. For instance, the NIPC Deputy
Director is from DoD/OSD; the Section Chief of the Analysis and Warning
Section is from CIA; the Assistant Section Chief of the Computer
Investigations and Operations Section is from Air Force OSI; the Unit
Chief of the Analysis and Information Sharing Unit is from NSA; and the
Unit Chief of the Watch and Warning Unit is from the U.S. Navy. Secret
Service formally occupied the position of Assistant Section Chief of
the Training, Outreach, and Strategy Section. Recognition of the need
for other agency participation is also what drives NIPC to continually
seek additional representatives from other agencies. It is also
reflected in the numerous joint investigations that NIPC and FBI Field
Offices have been involved in with other agencies (as discussed further
below).
______
Responses of Louis J. Freeh to Question From Senator Patrick J. Leahy
Question 1. Can an attempt to commit a violation of 18 U.S.C.
Sec. 1030 (a)(5) currently be prosecuted under the attempt provision
found in 18 U.S.C. Sec. 1030(b), even if the attempt does not result in
loss of at least $5,000 or cause one of the other results listed in
Sec. 1030 (e)(8)?
Answer 1. The question calls for an answer interpreting prosecution
authority under statute, and as such, is more appropriately propounded
to the Department of Justice. As a general rule, however, the FBI
understands that, under certain factual circumstances, 18 U.S.C.
Sec. 1030(b) does allow for the prosecution of violations of 18 U.S.C.
Sec. 1030(a)(5) even if the attempt does not result in a loss of at
least $5,000 where evidence demonstrates the offender's specific intent
was to cause a loss in excess of $5,000.
Question 2. If an attempt cannot be so prosecuted, would amending
the statute so that the aggravating factors included in the definition
of ``damage'' in 18 U.S.C. Sec. Sec. 1030 (e)(8)(A)-(D) are instead
moved to be elements of the offense under Sec. 1030 (a)(5) change that
result?
Answer 2. The question calls for a hypothetical interpretation of a
statutory amendment as applied through the substantive case law of
``attempt,'' and should be directed to the Department of Justice for a
more detailed and definitive response. As a general matter, however,
the FBI does not understand that elevating the definitional elements of
the term ``damage'' to become substantive elements of section 1030
offenses will, in all circumstances, resolve the attempted offense
issues generated by the facts of most investigations. Instead, the FBI
favors an approach which would combine a restructuring of the elements
of the definition of ``damage'' into the penalty provisions of section
1030(c) with the creation of a lesser offense for those circumstances
where damages of $5,000 or more cannot be substantiated. The FBI
believes that some unauthorized access intrusions into computers
affecting interstate commerce (i.e., protected computers) are so
inherently violative as to justify Federal criminal sanctions even
where there is no change affecting the integrity or availability of
data or where the actual damages suffered do not attain the $5,000
threshold. The intentional unauthorized computer intrusion into the
privileged and private medical records of citizens is but one such
example. Such a statutory approach as has been suggested by DoJ's
Computer Crime and Intellectual Property Section (CCIPS) would create a
lesser included misdemeanor offense where the $5,000 threshold is not,
in fact, demonstrated and would provide jurors in cases involving
damages close to the threshold a legitimate alternative for otherwise
violative behavior.
Question 3. If a definition of ``loss'' were added to Sec. 1030(e)
to define loss as ``the reasonable cost to any victim of responding to
the offense, conducting a damage assessment, restoring data, programs,
systems or information to their condition prior to the offense and any
revenue lost or costs incurred by the victim as a result of
interruption of service,'' would the $5,000 threshold be easier to meet
than under current law?
Answer 3. The FBI favors any amendments which allow for the
increased inclusion of any costs, losses or other expenditures that a
victim would not have reasonably incurred but for the violation
regardless of whether those losses resulted from an actual interruption
of service. The FBI favors such a definition which would also include,
if reasonable, the cost of system reconfiguration related to deterring
or eliminating similar future violations.
Question 4. With respect to violations of Sec. 1030(a)(5)(A), is it
your understanding that each separate ``transmission'' could form the
basis of a separate count? Similarly, with respect to violations of
Sec. Sec. 1030(a)(5) (B)-(C), is it your understanding that each
separate ``intentional access[] could form the basis of a separate
count?
Answer 4. The question calls for an interpretation of a statute
applying the substantive case law of what constitutes ``criminal
episode,'' and related concepts of what constitutes appropriate
``joinder,'' or ``severance'' under the Federal Rules of Criminal
Procedure and should more appropriately be directed to the Department
of Justice for a detailed and definitive response. As a general matter,
however, the FBI understands that whether a single computer
transmission of malicious code under section 1030(a)(5) may form the
basis for a single count under an indictment will, in large measure,
turn upon the unique facts of any given investigation. Whether a single
transmission of a self-replicating, self transmitting destructive
computer virus constitutes one transmission, and therefore one count or
thousands of transmissions intentionally effectuated by chain reaction,
and therefore thousands of counts, may turn upon an evaluation of
numerous factors not the least of which would include the object and
intent of the offender/transmitter, the design of the code, the
reasonable foreseeability of re-transmission and, as a practical
matter, the ability to track, gauge and prove the re-transmission.
Similarly, whether, in a computer network environment, the repeated
unauthorized accessing of a computer in violation of section 1030(a)(5)
(B)-(C), which accessing is temporally related, will, as a practical
matter, frequently turn upon the configuration of the network and its
security and banner system, to name but a few factors.
Question 5. Are you aware of any cases in which the current
statutory maximum terms of imprisonment under 18 U.S.C. Sec. 1030 were
insufficient to effect the sentence called for by the Sentencing
Guidelines, including using the provisions of U.S.S.G. Sec. 5G1.2,
which provide that sentences on multiple counts may be imposed
consecutively to the extent necessary to produce a combined sentence
equal to the total punishment called for by the guidelines?
Answer 5. The NIPC referred this question to the Department of
Justice Computer Crimes and Intellectual Property Section for input.
The Department reported that it could recall no cases in which the
current statutory maximum terms of imprisonment under 18 U.S.C.
Sec. 1030 were insufficient to effect the sentence called for by the
Sentencing Guidelines, including using the provisions of U.S.S.G.
Sec. 5GI.2.
Question 6. Please explain the reason, if any, to continue the
codification of the work-sharing agreement between the Secret Service
and the Federal Bureau of Investigation found in Sec. 1030(d)?
Answer 6. In 1996, Congress specifically limited the Secret
Service's authority to investigate crimes under 18 U.S.C. Sec. 1030 to
those offenses under subsections (a)(2) (A) and (B), (a)(3), (a)(4),
(a)(5) and (a)(6). The Senate Report accompanying the 1996 amendment
explained that:
[t]he new crimes proposed in the bill, however, do not fall
under the Secret Service's traditional jurisdiction.
Specifically, proposed subsection 1030(a)(2)(C) addresses gaps
in 18 U.S.C. 2314 (interstate transportation of stolen
property), and proposed section 1030(a)(7) addresses gaps in 18
U.S.C. 1951 (the Hobbs Act) and 875 (interstate threats). These
statutes are within the jurisdiction of the Federal Bureau of
Investigation, which should retain exclusive jurisdiction over
these types of offenses, even when they are committed by
computer.
S. Rep. No. 357, 104th Cong., 2d Sess. 13 (1996).
Inherent in the 1996 changes was the recognition that the statute
was being amended to reflect the respective investigative
jurisdictional limits existing at that time. It was clear at that time
that the jurisdiction of the Secret Service, found at 18 U.S.C.
Sec. 3056, did not encompass the types of offenses described in Section
1030 (a)(1), (a)(2)(C), or (a)(7).\1\ Given that there have been no
additional grants of general investigative jurisdiction to the USSS
since that amendment, it is not clear why the USSS's jurisdiction over
computer crimes under Section 1030 should be expanded. The theft of
National Security information which is the type of information Section
1030(a)(1) was intended to address has never been the subject of USSS
jurisdiction. In addition, the types of crimes contemplated by 1030
(a)(2)(C) and (a)(7), as recognized by the legislative history, have
traditionally been investigations solely in the province and expertise
of the FBI.
---------------------------------------------------------------------------
\1\ ``Under the direction of the Secretary of the Treasury, the
Secret Service is authorized to detect and arrest any person who
violates--
(1) section 508, 509, 510, 871, or 879 of this title or, with
respect to the Federal Deposit Insurance Corporation, Federal land
banks, and Federal land bank associations, section 213, 216, 433, 493,
657, 709, 1006, 1007, 1011, 1013, 1014, 1907, or 1909 of this title;
(2) any of the laws of the United States relating to coins,
obligations, and securities of the United States and of foreign
governments; or
(3) any of the laws of the United States relating to electronic
fund transfer frauds, credit and debit card frauds, and false
identification documents or devices; except that the authority
conferred by this paragraph shall be exercised subject to the agreement
of the Attorney General and the Secretary of the Treasury and shall not
affect the authority of any other Federal law enforcement agency with
respect to those laws.
---------------------------------------------------------------------------
The 1996 provision is an explicit effort by Congress to address the
criminal offenses at issue through a division of labor primarily
determined by investigative responsibility and expertise. Any reversion
to the pre-1996 jurisdictional provisions raises serious issues and
concerns about the utilization of resources and proper coordination.
Concurrent jurisdiction would result in a duplication of efforts that
would waste resources and encourage independent investigations by
separate agencies at the expense of coordinated joint efforts. Indeed,
given the decision by Secret Service to refrain from participation in
the National Infrastructure Protection Center (NIPC) (both by detailing
personnel and providing investigative information from its cases)
despite a mandate from the President to do so under PDD-63, expanding
USSS's cyber jurisdiction at this time would result in a fractured
approach to sensitive intrusion investigations involving espionage,
extortion, and other serious matters.
Question 7. The FBI has limited authority to issue administrative
subpoenas in certain cases, such as federal health care fraud or sexual
exploitation or other abuse of children. Since cybercrime cases are
criminal in nature, is the FBI able to obtain documents relevant to the
investigation with grand jury subpoena? To the extent that documents
obtained with a grand jury subpoena need to be shared with third-party
experts, can permission be obtained to do so under Federal Rule of
Criminal Procedure 6(e)(3)?
Answer 7. Generally speaking, a ``governmental entity'' is
authorized under 18 U.S.C. 2703(b)(1)(B) to obtain the contents of an
electronic communication in remote computer storage with prior notice,
as delimited in 18 U.S.C. 2703(b)(2), by using an administrative or
grand jury subpoena. A governmental entity is also authorized under 18
U.S.C. 2703(c)(1)(C) to obtain certain subscriber or customer
information from a provider of electronic communication services or
remote computing service, by using an administrative, grand jury, or
trial subpoena, or as otherwise permitted under 18 U.S.C.
2703(c)(1)(B). The Electronic Communications Privacy Act (ECPA) does
not itself identify which federal agencies qualify as ``government
entities'' authorized to issue administrative subpoenas. Currently, the
FBI is authorized to issue administrative subpoenas in cases involving
health care fraud under 18 U.S.C. Sec. 3486 and in cases involving
child pornography and sexual solicitation under 18 U.S.C. Sec. 3486A.
Unfortunately, there does not currently exist a statute authorizing or
designating the FBI as a ``governmental entity'' authorized to issue
administrative subpoenas for violations of 18 U.S.C. Sec. 1030 or other
crimes of fraud increasingly committed by or facilitated through the
use of a computer. The absence of such a statute impedes FBI efforts to
accelerate an effective response to cyber crime.
While helpful, the use of grand jury subpoena to acquire minimally
intrusive transactional information (e.g., so-called ``header
information'' such as ``to'' or ``from'') or subscriber information
(e.g., the name and address of the owner of an Internet screen name) is
frequently a cumbersome and time consuming process especially in
investigations where time is of the essence or where the information
sought is from an unusually large number of providers. Some
circumstances may dictate seeking express court authorization under the
provisions of Federal Rule of Criminal Procedure 6(e)(3)(C) for
disclosure to non-government experts who may not qualify as personnel
assisting the attorney for the government in the investigation before
the grand jury. In many cases, the practical concerns of delay and
coordination with other agencies and courts further stymies
government's ability to provide a timely response to imminent criminal
behavior.
The FBI supports an expansion of its statutory authority to issue
administrative subpoena under the Electronic Communications Privacy Act
for any violation of law within the FBI's existing criminal
investigative jurisdiction. The FBI's experience to date in the
issuance of administrative subpoena in the areas of health care fraud
and child exploitation crimes demonstrates that it can responsibly
limit and control the exercise of this authority.
Question 8. Denial of service attacks are increasing exponentially.
According to the FBI, these attacks involve the placement of tools such
[as] Trinoo, Tribal Flood net, TFN2K or Stechenldraht on unwitting
victim systems, which then send messages upon remote command to a
targeted computer system until that system is overwhelmed and
essentially shut[s] down. In order to document in real-time the remote
command being given and the triggering of the message flood to the
target system, is law enforcement currently required to obtain a
wiretap order since the unwitting victim system is not a ``party to the
communication'' authorized to grant consent to electronic surveillance?
Would an exception to the wiretap law to allow the unwitting victim
system operator to grant consent to electronic surveillance be helpful
to law enforcement?
Answer 8. The question calls for an interpretation of a statute
which would more appropriately be directed to the Department of Justice
for a more detailed and definitive response. As a general matter,
however, the FBI understands that:
(1) the provisions of 18 U.S.C. Sec. 2511(1)(a) prohibit all
interceptions unless expressly authorized elsewhere in the Act;
(2) the provisions of 18 U.S.C. Sec. 2511(2)(a)(i) authorize a
provider of wire or electronic communication services to intercept
communications on their system, not because they are parties to
those communications, but as ``is a necessary incident to the
rendition of [that] service or to the protection of the rights or
property of the provider * * *;''
(3) many providers (especially start-up Internet services) may not
have the necessary tools or expertise to adequately track, document
or halt an intruder in their system and, more perhaps more
significantly, no providers have compulsory process to facilitate
disclosure of transaction and subscriber information from other
providers which is necessary to identify the source of an attack;
(4) 18 U.S.C. Sec. 2511(2)(a)(i) does not permit law enforcement to
conduct an interception (without a court order) even upon a
provider's express request when the provider's system has been
invaded or trespassed upon by a hacker, and
(5) as a result of this quandary, and in order to ensure that
evidence obtained will subsequently be held admissible, law
enforcement is required to obtain a court order in order to enable
it to actively work in conjunction with the provider.
Given the high level DOJ approval that is required for Title III
Interception applications, the necessary generation of paperwork, and
the time needed by the reviewing court, significant delay can occur
before law enforcement can provide an effective response to a hacker or
DDOS event. This anomaly in the law creates an untenable situation
whereby providers are sometimes forced to sit idly by as they witness
hackers enter and, in some situations, destroy or damage their systems
and networks while law enforcement begins the detailed process of
seeking court authorization to assist them. In the real world, the
situation is akin to a homeowner being forced to helplessly watch a
burglar or vandal while police seek a search warrant to enter the
dwelling. For these reasons, the FBI favors enactment of a statutory
exception under 18 U.S.C. Sec. 2511 which would expressly authorize law
enforcement to assist such providers by intercepting the communications
of a computer user/trespasser (the transmissions to and from the user/
trespasser) BUT ONLY upon the voluntary, written consent of a service
provider after that provider has made an initial determination that the
user/trespasser is, in fact, not authorized to be on the system or
network. Such an exception to the general interception prohibition
would accelerate exponentially law enforcement's ability to respond to
such hacker incidents and would be a significant step toward ensuring
the security and integrity of the Nation's critical infrastructure.
Question 8a. Is law enforcement currently required to obtain a
wiretap in order to document in realtime the remote commands being
given to a target system?
Answer 8a. Although the FBI respectfully refers questions of
statutory construction to the Department of Justice, the federal code
at 18 U.S.C. 2511(2)(b) states that ``a person or entity providing
electronic communication service to the public may divulge the contents
of any such communication * * * which were inadvertently obtained by
the service provider and which appear to pertain to the commission of a
crime, if such divulgence is made to a law enforcement agency.'' In
that manner, it is possible for law enforcement, without a wiretap
order, to obtain from a service provider remote commands, documented in
realtime, that appear to pertain to the commission of a crime. Another
manner in which law enforcement, without a wiretap order, might obtain
in realtime the remote commands being given to a target system is
pursuant to the consent provision of the federal code, 18 U.S.C.
2511(2)(a), which permits ``a person acting under color of law to
intercept a wire, oral, or electronic communication, where such person
is a party to the communication or one of the parties to the
communication has given prior consent to such interception.'' Many
target systems include banners warning that use of the system depends
on a person's consent to all of their activities being monitored,
recorded and/or disseminated at the discretion of the systems
administrator, to include if appropriate direct monitoring by law
enforcement.
Question 8b. Would an exception to the wiretap law allowing victim
system admins to grant consent be helpful to law enforcement?
Answer 8b. The FBI believes that it would be helpful to law
enforcement to add an exception to the wiretap law to allow the
unwitting victim system operator to grant consent to electronic
surveillance for the limited purpose of monitoring a computer
trespasser.
Question 9. The Department of Justice objected to the Clone Pager
Authorization Act, which passed the Senate in the last Congress, on
grounds that clone numeric pagers ``obtain all of the information
transmitted after a phone call is connected to the called party * * *
in the form of electronic impulses. * * * These electronic impulses are
the ``contents'' of the call: They are not used to direct or process
the call, but instead convey certain messages to the recipient.'' For
this reason, the Department advised Chairman Henry Hyde, by letter
dated May 20, 1998, that capturing the messages transmitted by clone
numeric pagers implicated Fourth Amendment and privacy interests.
Do pen register devices capture all electronic impulses transmitted
by the facility on which they are attached, including such impulses
transmitted after a phone call is connected to the called party?
Answer 9. Law enforcements pen register devices (or dialed number
recorders) utilized with regard to telephony services do capture all
electronic impulses transmitted by the facility on which they are
attached, including such impulses transmitted after a phone call is
connected to the called party. (A potential exception to this would be
certain pen register-based approaches employed by service providers in
switch-based solutions, where post-cut-through dialing (including post-
cut-through signaling) may not be provided to law enforcement. This
circumstance is currently a subject of review by the FCC under rule
making implementing CALEA, and regarding which we anticipate a
resolution in the near future.) The distinction between a pen register
device on a telephony service and a clone pager (or pager interception)
is that a pen register is employed to capture dialed numbers which are
used to set up a call. Hence, in the overwhelming majority of instances
where pen registers are used the information captured is simply
signaling information used to set up a call. By comparison, pager
interceptions are employed to capture the information received by a
pager which, in all instances, constitute the content or message of the
call. Consequently, the law has historically distinguished the legal
processes required for these two types of acquisitions (i.e., pen
register authority vs Title III authority, respectively).
Pen register efforts in the data network area work somewhat
differently. The most basic reason for this is because the services
(e.g., email, web-based mail, voice over IP) and applications (e.g.,
Internet Chat, File Transfer) transmitted over data networks are
somewhat different. Some of these services and applications lend
themselves to precise ways of capturing (i.e., recording) call
identifying and signaling information only while others make the
process of differentiating signaling information from call content more
difficult.
Question 9a. Section 3121(c) of title 18, United States Code,
requires government agencies authorized to use pen registers to ``use
technology reasonably available * * * that restricts the recording or
decoding of electronic or other impulses to the dialing and signaling
information utilized in call processing.'' Please describe the
technology and methodology currently employed to comply with this
statutory requirement.
Answer 9a. Pen Register devices on telephony services continue to
operate as they have for decades. Stated differently, since the
enactment of CALEA, there has been no change in technology or pen
register equipment for telephony that would better restrict the
recording or decoding of electronic or other impulses to the dialing
and signaling information utilized in call processing.
As stated above, pen register efforts in the data network area work
somewhat differently, and there, where technology that restricts the
recording or decoding of electronic or other impulses to the dialing
and signaling information is reasonably available, it is employed. For
example, the FBI employs pen register devices to capture Internet
Protocol (IP) addresses. Since data networks typically use well-
established layered protocols, FBI tools are capable of restricting the
information captured to the IP address.
Question 10. Section 3121(a) of title 18, United States Code,
requires a court to authorize the use of a pen register if the court
finds that the government attorney has certified that the information
likely to be obtained by ``such use is relevant to an ongoing criminal
investigation.'' The certification by the government attorney is, in
turn, made under oath and penalty of perjury, under section 3122.
Is the government attorney required to describe to the court in the
application for a pen register the factual basis for the attorney's
certification that ``such use is relevant to an ongoing criminal
investigations''?
As a matter of regular practice, do government attorneys or State
law enforcement or investigative officers making applications for pen
registers describe for the court the factual basis for the
certification that ``such use is relevant to an ongoing criminal
investigation'' or does this practice vary?
What procedures, including audits or internal reviews, are in place
to ensure that government attorneys and State law enforcement or
investigative officers comply with the statutory standard and have the
necessary factual basis for making the application, particularly in
those districts where the practice in applying for pen register orders
is not to describe for the court the factual basis for certification?
Should the court, rather than governmental attorneys or State law
enforcement or investigative officers, be given the authority to make
the factual finding that ``information likely to be obtained by such
installation and use [of a pen register] is relevant to an ongoing
criminal investigation,'' and if not, please explain why?
Answer 10. Several of the questions call for or implicate an
interpretation of statute which would more appropriately be directed to
the Department of Justice for a more detailed and definitive response.
As a general matter, however, the FBI understands the Supreme Court has
expressly ruled that ``the installation of a pen register * * * [is]
not a ``search'' within the meaning of the Fourth Amendment and
therefore its use does not violate the Constitution.'' Smith v.
Maryland, 442 U.S. 735, 745-46, 99 S.Ct. 2577, 2583 (1979). Given the
lack of an expectation of privacy at stake in the limited, non-content
information garnered through the use of pen registers, the Courts have
held that the limited judicial review role delineated by 18 U.S.C.
Sec. 3121 et seq. is Constitutional and is intended to safeguard
against the purely random use of pep register devices by ensuring
compliance with the statutory requirements established by Congress. See
United States v. Hallmark, 911 F.2d 399, 401-402 (10th Cir. 1990).
Pen Register certifications by government attorneys are drafted and
filed by attorneys of the Department of Justice and not, at the Federal
1evel, by Special Agents of the FBI. Questions regarding the substance
of such certifications would more appropriately be directed to the
Department of Justice for a more definitive response. As a general
matter, however, it is the FBI's experience that the degree to which a
pen register application to the Court discloses the underlying factual
basis for the attorney's certification turns, in large measure, upon
the nature of the statutory offense which is the focus of the
investigation. Whereas section 3123(b)(1)(D) requires that all pen
register orders contain a ``statement of the offense to which the
information likely to be obtained by the pen register or trap and trace
device relates,'' it follows that the application required by section
3122(b)(2) contain such a statement within the attorney's certification
and it is the FBI's experience that this is commonly the case.
Depending upon the nature of the offense described in the
certification, the underlying basis for the certification can, and in
most instances will be readily apparent. Thus, in telemarketing fraud
investigations, the obvious underlying basis is that the offenders are
using the telephone to solicit victims. Similarly in narcotics and
conspiracy to commit narcotics violations, the reliable and common
sense inference is clearly that telecommunications are being used to
facilitate the possession, distribution and sale of controlled
substances in violation of Title 21 of the United States Code. Even in
investigations involving computer hacking in violation of the Computer
Fraud and Abuse Act (18 U. S.C. Sec. Sec. 1030 et seq.), it requires
little thought or imagination to understand the underlying basis for
the request.
The FBI also understands that the sole basis for obtaining a pen
register order is to further a criminal investigation by generating
reliable admissible evidence. An attorney who falsely or recklessly
certifies an application under oath pursuant to 18 U.S.C.
Sec. 3122(b)(2) does so at his/her peril subject to sanction,
disbarment and prosecution. Furthermore, an attorney who so falsely
certifies such an application has no way of knowing the subsequent
course and outcome of the investigation. Frequently, information
received from a pen register is consolidated with other investigative
information and is submitted in subsequent, more detailed applications
to the Court such as search warrant applications or wiretap
applications. In the unlikely event that an attorney for the government
were to submit a false certification to the court in support of a pen
register application, the lack of any nexus between the named subjects
of the investigation, the ``statement of the offense,'' and the
attorney's certification that the information likely to be obtained
from the devise's use is relevant to an ongoing criminal investigation
would, in many instances, reveal itself either in subsequent
applications to the Court for search warrants or wiretaps, or in
discovery incident to prosecution. The dearth of such empirical or
anecdotal evidence demonstrating inappropriate or false certification
of applications by attorneys for the government demonstrates that the
certification obligation is conscientiously fulfilled.
Question 11. You have testified that information theft and
financial fraud perpetrated online have caused the most severe
financial losses, ``put at $68 million and $56 million respectively.''
In fact, you have identified ``use of the Internet for fraudulent
purposes'' as ``one of the most critical challengers facing the FBI and
law enforcement in general.: Appreciating this challenge, I have urged
that the Congress be careful in considering legislation, such as H.R.
1714, ``The Electronic Signatures in Global and National Commerce
Act,'' to ensure that consumers are adequately protected in the online
environment. This bill has passed the House of Representatives and is
currently the subject of a conference with the Senate.
The National Association of Attorneys General has commented on H.R.
1714, stating that the bills provisions permitting storage of only
synopses of documents that ``accurately reflect'' originals, even where
the law otherwise requires retention of original documents, ``has the
strong potential to negatively impact law enforcement discovery of
document.'' Do you agree and, if not, please explain why?
H.R. 1714 would require that state enactments of the Uniform
Electronic Transactions Act (UETA) ``be consistent with'' the House
bill, resulting in federal preemption of any state exemption from the
presumption of validity of electronic signatures and transactions that
is not authorized in the House bill. The National Association of
Attorneys General has opined that this broad federal preemption would
``unduly hinder the ability of the states to protect their citizens
against consumer fraud.'' If States are hindered in combating consumer
fraud, would the FBI's job in protecting the public from fraudulent
online practices be made more difficult?
Answer 11. On its face, the provisions of H.R. 1714 which allow for
the electronic storage of contracts, agreements and records are
unrelated to earlier provisions of the bill delineating what types of
legal documents may be executed by electronic signature. To the extent
that Section 101(c)(1)(c) could be interpreted as allowing for the
electronic imaging and storage as an electronic record of written
contracts or agreement, the tangible originals of which would otherwise
be required by law to be maintained in tangible form, then, there could
exist the potential to negatively impact certain law enforcement
investigations relating to such documents. At a minimum, the
supplanting of tangible originals (otherwise legally required to be
maintained in tangible form) with electronic images depicting the
originals, when coupled with destruction of the originals, would
eliminate or complicate handwritten signature analysis and render null
the possibility of recovering fingerprints or other trace evidence from
the surface of originals. By the same token, the provisions of section
101(c)(2) which exempt from retention data relating to the
communication or receipt of any contract, agreement or record
electronically recorded, could, in the context of electronically
executed contracts, complicate or eliminate law enforcement efforts in
tracing the source of transmission of fraudulent transactions or the
location and identity of co-conspirators or even other victims. The
continued trend toward electronic, paperless execution of commercial
transactions (which is admittedly so critical to the continued
evolution and expansion of the Internet) when coupled with (1) the
growing ability of criminals to utilize encryption to restrict law
enforcement's ability to recover crucial inculpatory evidence, and (2)
the absence of any preeminent public key, or private signature
verification entity or procedure complicates the efforts of the FBI and
state law enforcement to protect the public from online fraud.
SYNOPSES ONLY OF DOCUMENTS CAN NEGATIVELY IMPACT LAW ENFORCEMENT?
The review of complete and accurate records is often necessary in
law enforcement's effort to help investigate crime. All records
management and retention policies therefore can be said to have an
effect on law enforcement, and those policies which do not require that
information be maintained, at least in theory, can negatively impact
law enforcements discovery of that information.
IF STATES ARE HINDERED * * *
The FBI believes that since States are the primary responders to
crime in our country, if the States are hindered in combating consumer
fraud, then the FBI's job in protecting the public from fraudulent
online practices would be made more difficult.
�