[Senate Hearing 106-1092]
[From the U.S. Government Publishing Office]
S. Hrg. 106-1092
INTERNET SECURITY
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON COMMUNICATIONS
OF THE
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
__________
MARCH 8, 2000
__________
Printed for the use of the Committee on Commerce, Science, and
Transportation
78-382 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED SIXTH CONGRESS
SECOND SESSION
JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska ERNEST F. HOLLINGS, South Carolina
CONRAD BURNS, Montana DANIEL K. INOUYE, Hawaii
SLADE GORTON, Washington JOHN D. ROCKEFELLER IV, West
TRENT LOTT, Mississippi Virginia
KAY BAILEY HUTCHISON, Texas JOHN F. KERRY, Massachusetts
OLYMPIA J. SNOWE, Maine JOHN B. BREAUX, Louisiana
JOHN ASHCROFT, Missouri RICHARD H. BRYAN, Nevada
BILL FRIST, Tennessee BYRON L. DORGAN, North Dakota
SPENCER ABRAHAM, Michigan RON WYDEN, Oregon
SAM BROWNBACK, Kansas MAX CLELAND, Georgia
Mark Buse, Policy Director
Martha P. Allbright, General Counsel
Kevin D. Kayes, Democratic Staff Director
Moses Boyd, Democratic General Counsel
------
Subcommittee on Communications
CONRAD BURNS, Montana, Chairman
TED STEVENS, Alaska ERNEST F. HOLLINGS, South Carolina
SLADE GORTON, Washington DANIEL K. INOUYE, Hawaii
TRENT LOTT, Mississippi JOHN F. KERRY, Massachusetts
JOHN ASHCROFT, Missouri JOHN B. BREAUX, Louisiana
KAY BAILEY HUTCHISON, Texas JOHN D. ROCKEFELLER IV, West
SPENCER ABRAHAM, Michigan Virginia
BILL FRIST, Tennessee BYRON L. DORGAN, North Dakota
SAM BROWNBACK, Kansas RON WYDEN, Oregon
MAX CLELAND, Georgia
C O N T E N T S
----------
Page
Hearing held March 8, 2000....................................... 1
Statement of Senator Abraham..................................... 56
Statement of Senator Bryan....................................... 5
Prepared statement........................................... 5
Statement of Senator Burns....................................... 1
Prepared statement........................................... 2
Statement of Senator Hollings.................................... 3
Prepared statement........................................... 4
Statement of Senator Wyden....................................... 37
Witnesses
Fuhrman, Michael, Manager, Security Consulting, Cisco Systems.... 45
Prepared statement........................................... 48
Holder, Jr., Eric, Deputy Attorney General, U.S. Department of
Justice........................................................ 5
Prepared statement........................................... 7
Misener, Paul, Vice President, Global Public Policy, Amazon.com.. 42
Prepared statement........................................... 44
Reddy, Raj, Ph.D, Herbert A. Simon Professor of Computer Science
and Robotics, Carnegie Mellon University....................... 49
Prepared statement........................................... 52
Reinsch, William, Under Secretary of Commerce, Bureau of Export
Administration, U.S. Department of Commerce.................... 13
Prepared statement........................................... 16
Vatis, Michael A., Deputy Assistant Director, Federal Bureau of
Investigation, National Infrastructure Protection Programs..... 19
Prepared statement........................................... 23
Appendix
Cleland, Max, U.S. Senator from Georgia, prepared statement...... 63
INTERNET SECURITY
----------
WEDNESDAY, MARCH 8, 2000
U.S. Senate,
Subcommittee on Communications,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 9:35 a.m. in
room SR-253, Russell Senate Office Building, Hon. Conrad Burns,
Chairman of the Subcommittee, presiding.
OPENING STATEMENT OF HON. CONRAD BURNS,
U.S. SENATOR FROM MONTANA
Senator Burns. The Subcommittee on Communications of the
Commerce, Science, and Transportation Committee will come to
order. First, I would like to welcome everyone to today's
hearing, which is the first of a series of hearings that this
Subcommittee will hold on the critical issues of Internet
security and privacy facing our Nation.
Today's hearing will focus on the unprecedented and
apparently coordinated recent series of hacker attacks which
caused some of the most popular Web sites on the Internet to go
dark. The list of sites that were brought down include such
Internet mainstays as Amazon.com, eBay, my Auction Barn was
shut down, no telling how much money it cost me----
[Laughter.]
Senator Burns. --cnn.com and e-Trade and Yahoo.
These attacks are technically called ``distributed denial
of service attacks,'' which in plain English is like a
telephone system getting overwhelmed by more calls than it can
handle. It appears the hackers planned their attacks months in
advance, going so far as to set up software on many servers all
over the Internet that was capable of automatically flooding
targeted Web sites at a certain predetermined time.
I suppose it is no surprise that these malicious programs
are called ``daemons,'' spelled d-a-e-m-o-n-s. The hackers
involved in these attacks have yet to be caught, despite the
coordinated efforts of our Nation's top law enforcement
agencies.
While no consumer data was stolen, real damage was done,
especially to Internet user's confidence about the security
systems that they are using. The fear of future attacks was
enough to cause a massive sell-off in technology stocks in
early February, when the attacks took place, and the nature of
these attacks is particularly alarming, as they were
specifically designed to disrupt electronic commerce.
The growth of electronic commerce and the Internet has been
generally astounding. The number of small businesses on the Web
is doubling every year, and currently over 2 million small
businesses in the United States have Web sites. In my home
State of Montana, companies such as Vanns.com and Streaming
Solutions are showing that all their great work and great ideas
are coming to fruition. E-commerce potential of the Internet
still has tremendous up-side, while household spending online
last year doubled. It is still only about 1 percent of the
total retail dollars.
The growth in the Internet is a double-edged sword,
however. Unfortunately we now live in a world where there are
malicious criminals who can bring large parts of our Nation's
critical information infrastructure to a grinding halt. Given
the seriousness of these attacks, we must act not only quickly
but effectively. We must think it out and work in the best way.
In other words, we cannot out-force our enemies. We must out-
think them and be smarter than they are.
We need to do everything possible to foster better
coordination between Government and industry in protecting
Internet security, make sure that our national security and our
law enforcement agencies have the resources to do their job,
and to bring our Nation's criminal code up to date with the
recent development of the Internet. Clearly, the current level
of coordination between Government agencies and the private
sector needs to be as seamless and effective as possible.
A core component of achieving this cooperation is the
continuing development of the FBI's National Infrastructure
Protection Center, which was set up 2 years ago to deal with
the range of potential attacks on the Internet. I strongly
supported the creation of that center, and I will continue to
support its full funding. In fact, I want to make it even
stronger.
I am concerned, however, that the center is authorized for
133 employees. We are only up to about 100 now, 40 of whom are
detailees from other agencies, but I also understand the FBI is
still short of its goal of hiring 250 field agents to fight
cybercrime. While I realize that hiring top-level technical
experts to work in Government is difficult, given the lure of
Silicon Valley, these positions need to be filled as quickly as
possible, and that is what I have always argued in the past,
and I want to make a comment on that this morning.
Instead of putting a lid on technology we need to fully
fund and fully support our law enforcement agencies so they are
abreast of or half a step ahead and working with industry in
the technology so they can get their job done, so we need a lot
of work, and I am going to put the rest of my statement in
here, because I do want to hear from witnesses this morning.
[The prepared statement of Senator Burns follows:]
Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana
I would like to welcome everyone to today's hearing, which is the
first in a series of hearings this Subcommittee will be holding on the
critical issues of Internet security and privacy facing our nation.
Today's hearing will focus on the unprecedented and apparently
coordinated recent series of hacker attacks which caused some of the
most popular websites on the Internet to go dark. The list of sites
that were brought down included such Internet mainstays as Amazon.com,
eBay, cnn.com, e-Trade and Yahoo.
These attacks are technically called ``distributed denial of
service attacks'' which in plain English is like a telephone system
getting overwhelmed by more calls than it can handle. It appears the
hackers planned their attacks months in advance, going so far as to set
up software on many servers all over the Internet that was capable of
automatically flooding targeted websites at certain predetermined
times. I suppose it's no surprise that these malicious programs are
called ``daemons.'' The hackers involved in theses attacks have yet to
be caught, despite the coordinated efforts of our nation's top law
enforcement agencies.
While no consumer data was stolen, real damage was done-especially
to Internet users' confidence about the security of the systems they
are using. The fear of future attacks was great enough to cause a
massive selloff in technology stocks in early February when the attacks
took place. The nature of these attacks is particularly alarming, as
they were specifically designed to disrupt electronic commerce.
The growth of electronic commerce and the Internet in general has
been astounding. The number of small businesses on the Web is doubling
every year, and currently over 2 million small businesses in the United
States have websites. In my home state of Montana, companies such as
Vanns.com and Streaming Solutions are showing that all it takes is a
great idea and hard work to reach global markets through the Internet.
The e-commerce potential of the Internet still has tremendous upside--
while household spending online doubled last year, it still amounted to
less than 1 percent of total retail dollars.
The growth and reach of the Internet is a double-edged sword,
however. Unfortunately, we now live in a world where malicious
criminals can bring large parts of the nation's critical information
infrastructure to a grinding halt.
Given the seriousness of these attacks, we must act quickly and
effectively. We need to do everything possible to foster better
coordination between Government and industry in protecting Internet
security, make sure our national security and law enforcement agencies
have the resources to do their jobs and bring our nation's criminal
code up-to-date with the recent development of the Internet.
Clearly, the current level of coordination between Government
agencies and the private sector needs to be as seamless and effective
as possibe. A core component in achieving this cooperation is the
continuing development of the FBI's National Infrastructure Protection
Center, which was setup two years ago to deal with a range of potential
attacks on the Internet. I strongly supported the creation of the
Center and continue to support its full funding.
However, I am concerned that while the Center is authorized for 133
employees, its staff is still at only 100, 40 of whom are detailees
from other agencies. I also understand the FBI is still short of its
goal of hiring 250 field agents to fight cybercrime. While I realize
that hiring top-level technical experts to work in the Government is
difficult given the lure of Silicon Valley, these positions need to be
filled as quickly as possible.
I want to touch on the issue of criminal penalties on hackers. In
the recent past, many if not most ``hacker'' attacks were the product
of intellectual curiosity rather than malicious intent to cause damage.
Now, however, the vast majority of hacker attacks are done through
simply downloading pre-existing programs from hacker sites on the web
and using them to accomplish destructive aims. Rather than stemming
from misdirected teenage rebellion, current attacks are often engaged
in by adults who want to inflict the most damage possible. We need to
severely punish these criminals-and they are criminals. The destruction
of data belonging to innocent individuals is no less a crime than
property destruction of the more traditional type. In fact, it can in
many cases be far worse.
We are fortunate to have some of the foremost Government and
industry experts in the field of Internet security with us today. I
look forward to the testimony of the witnesses in addressing these
matters of critical importance to the continued development of e-
commerce and the Internet. Thank you.
Senator Burns. We are joined this morning by Senator
Hollings. Thank you for coming.
STATEMENT OF HON. ERNEST F. HOLLINGS,
U.S. SENATOR FROM SOUTH CAROLINA
Senator Hollings. Thank you, Mr. Chairman. If I heard you
correctly, you said we are going to have to be smarter than
they are. If we wait on Government to be smarter, that is quite
a charge.
Senator Burns.We are not asking for the impossible.
Senator Hollings. That is near it. We are back--history
repeats itself. You have got to think of David Sarnoff on the
Wannamaker Building and the sinking of the LUSITANIA. He picked
it up. The country went wild over wireless, and by the mid-
twenties everybody was jamming. Everybody in the so-called free
market of communications came crying to Government, please
regulate us. Now history repeats itself. They come crying to
Government, please give us security, please give us privacy,
because they cannot do it themselves. They say it takes two to
tango. You cannot have privacy without security.
So the Justice Department has been working diligently and I
might add, Mr. Chairman, the Justice Department has grown quite
a bit in recent years. Slightly over 10 years ago the budget in
the Justice Department was $4 billion. It is now $23 billion.
Everybody says cut spending, cut spending, cut spending, but
the Senators ought to know we have been increasing it like
gangbusters, and giving the Justice Department everything they
say they can possibly use, and they have been doing an
outstanding job.
In essence, the National Institute of Standards and
Technology is really onto the technology, and I am delighted to
hear from the witnesses, and I would ask the remainder of my
statement be included.
[The prepared statement of Senator Hollings follows:]
Prepared Statement of Hon. Ernest F. Hollings,
U.S. Senator from South Carolina
Senator Burns, thank you for holding this hearing today. It is the
first hearing in a series that the Committee intends to hold on the
subject of electronic privacy.
Internet security and hacking are not generally discussed in the
context of privacy, but I think that this is an important first topic
for consideration. No matter what we decide on the right policy to
protect consumers on the Internet is, no policy can work without a
secure infrastructure. A company can have the strongest privacy policy
in the world, but that policy is irrelevant if the company has not
adequately protected its systems from illegitimate users.
A month ago at this time, Mr. Misener's company, among others, was
under attack. That attack highlighted problems which have plagued the
users of the Internet for some time. Having been brought under the
media spotlight the question now is: How can we be sure that the
companies we are doing business with on the Internet are secure?
Additionally, what do businesses owe their consumers when they are
victims of computer break in?
In order to make consumer information safe from hackers, it will be
necessary to raise the security standards of Internet-based businesses
as a whole. As we try to craft public policy in this area, we need to
examine three constructive roles for Government: (1) fostering
constructive partnerships which enhance private sector security; (2)
pushing the technological envelope on information infrastructure
protection; and (3) being a role model through the implementation of
best security practices.
In other words, the Government must be prepared to form a
partnership with industry to share information on new attacks and how
to stop them. Our research agencies must invest in solving problems
which will bolster the security of the whole Internet rather than its
parts. Finally, the Government needs to do a better job of protecting
its own information. Right now, our departments and agencies are far
from a shining example of what Internet security can be. We need to
have in place the right policies, hardware, software, and trained
personnel to secure Government computer systems. I hope that our
witnesses will address these areas in their testimony today.
Already, various agencies of the U.S. Department of Commerce are
doing important computer security work. Undersecretary Reinsch oversees
the Critical Infrastructure Assurance Office (CIAO) which is
coordinating partnerships with the private sector to examine attack
prevention. The National Institute of Standards and Technology (NIST)
is a leader in computer security research and, through the 1987
Computer Security Act, sets standards for securing unclassified
Government computer systems. The FY 2001 budget request for information
security would enhance these capabilities at Department of Commerce and
in other agencies of Government.
Again, I look forward to hearing the testimony of today's witnesses
on how we can improve Internet security in this nation and what the
role of the Government should be in achieving that goal.
Senator Burns. Thank you, Senator Hollings. Senator Bryan.
STATEMENT OF HON. RICHARD H. BRYAN,
U.S. SENATOR FROM NEVADA
Senator Bryan. Mr. Chairman, thank you very much for
convening this important and timely hearing this morning. As
Vice Chairman of the Intelligence Committee, we are very much
aware of the importance, in terms of our national security
concerns, of computer hacking. All of us have been mindful of
the recent successful attacks against some of the most
significant Web sites in the country, and so I will be looking
forward to hearing the testimony of our distinguished witnesses
this morning. I would ask unanimous consent that the rest of my
statement be made a part of the record.
Senator Burns. Without objection, it sure will.
[The prepared statement of Senator Bryan follows:]
Prepared Statement of Hon. Richard H. Bryan,
U.S. Senator from Neveda
As our society continues to become more reliant on the Internet to
conduct our daily affairs, the issue of Internet security becomes
increasingly important for both the public and private sector. As Vice
Chairman of the Intelligence Committee, I am very familiar with the
national security concerns confronting our intelligence community on a
daily basis that result from computer hacking. And as public agencies
at all levels of Government continue to do more and more of their
business online, Internet security becomes a paramount issue for
Government officials. I look forward to hearing from our Government
witnesses today, especially Deputy Attorney General Holder, on what
additional law enforcement tools and other measures are needed to
protect the integrity of the Federal Government's computer systems.
The recent denial of service attacks against a handful of the top
U.S. web sites was a good illustration of the vulnerabilities faced by
the private sector. Perhaps even more alarming, however, are the
privacy concerns associated with security breaches for companies that
gather large amounts of personally identifiable information about
consumers over the Internet. The issues related to online privacy and
Internet security are clearly interrelated, and I look forward to
hearing our witnesses comment on what role the Federal Government
should play in these areas.
Senator Burns. Our first panel this morning is Mr. Eric
Holder, Deputy Attorney General, U.S. Department of Justice,
Mr. William Reinsch, Under Secretary of Commerce for Bureau of
Export Administration, Department of Commerce, and Michael
Vatis, Deputy Assistant Director, Federal Bureau of
Investigation here in Washington, D.C.
Gentlemen, we welcome you to the table this morning. We
look forward to your testimony, and the dialog that we may
present this morning on this subject, and I will just start as
they are listed. Mr. Holder, thank you for coming this
morning. We look forward to your testimony.
STATEMENT OF ERIC HOLDER, JR., DEPUTY ATTORNEY GENERAL, U.S.
DEPARTMENT OF JUSTICE
Mr. Holder. Thank you, Mr. Chairman, Senator Hollings,
Senator Bryan, other members of the Subcommittee. I want to
thank you for the opportunity to testify on cybercrime,
including the recent Internet denial of service attacks. The
Department appreciates the support we have received from
Congress in providing significant resources and tools we need
to keep pace with the ever-changing kind of cybercrime. We look
forward to continuing our cooperation with Congress to ensure
that law enforcement, in cooperation with the private sector--
and that is very key, in cooperation with the private sector,
play an appropriate role in protecting American citizens and
businesses against cyber attacks while also safeguarding the
privacy rights we hold dear in our country.
I would be happy to address your questions on the recent
attacks to the extent that I can without compromising our
investigation. At this point, I would simply say we are taking
the attacks very seriously, and that we will do everything in
our power to identify those who are responsible and to bring
them to justice.
We are making, I think, progress in the investigation, and
in addition to the malicious disruption of the legitimate
commerce, so-called disruption attacks, they also involve the
unlawful intrusion into a number of computers. Thus, the number
of victims in these types of cases can be substantial, and the
loss and cost to respond to those attacks can run into the tens
of millions of dollars or more.
Computer crime investigators in a number of FBI field
offices and investigators from other agencies are investigating
these attacks. The agents are also working closely with our
network of specially trained computer crime prosecutors who are
available 24 hours a day, 7 days a week to provide legal advice
and to obtain whatever court orders are necessary. We are also
obtaining information from victim companies and security
experts who, like many in the Internet community, condemn these
recent attacks.
Now, while the Internet is providing wonderful benefits
that are transforming our society and countless beneficial
ways, from providing new high-wage jobs to our economy, to
improving health care, and in countless other ways, these
wonderful technologies also provide new opportunities for
criminals.
Online crime is rapidly increasing. We are seeing more pure
computer crime, that is, crimes where the computer is used as a
weapon to attack other computers, as we saw in the distributed
denial of service attacks I just spoke about, and in the spread
of malicious codes like viruses. These crimes not only affect
our financial well-being and our privacy, they also threaten
our Nation's critical infrastructure.
We are also seeing a migration of traditional crimes,
including threats, child pornography, fraud, gambling, and
extortion from the physical to the online world. When these
crimes are carried out online, perpetrators often find that
they can reach more victims quickly and quite easily, turning
what were once local scams into crimes that cross interstate
and even international borders.
Now, while the Internet has tremendous benefits to our
society, including greater freedom of expression and economic
growth, we must also recognize that investigators and
prosecutors at all levels, international, Federal, State, and
local, are encountering unique challenges, and these include
technical challenges that hinder law enforcement's ability to
find and to prosecute criminals operating online, legal
challenges resulting from laws, and legal tools needed to
investigate cybercrime lagging behind technological,
structural, and social changes.
And third, we face resource challenges that limit our
ability to focus adequate investigative, prosecutorial, and
technical resources on cybercrime. Now, in this regard, the
Department is seeking an additional $37 million in fiscal year
2001 to bolster our cybercrime program, including additional
resources for the FBI, specially trained cyber prosecutors and
assistants to State and local law enforcement agencies, but we
recognize that Government will not be able to solve all of
these problems.
In fact, we believe that the private sector should take the
lead in protecting private computer networks through more
vigilant security efforts, information-sharing and, where
appropriate, cooperation with Government agencies. The private
sector can and should take the lead when improving security
practices, and the development of a more secure Internet
infrastructure.
Now, despite the technical, legal, and resource challenges
we face, the Department has made, we believe, strides in our
fight against cybercrime. We have and we will continue to
develop extensive investigatory and prosecutorial programs to
counter cybercrime. We have established the FBI's National
Infrastructure Protection Center, NIPC as we call it, and
specialized squads located in 16 field offices. From the
prosecutorial side, we have trained attorneys both at
headquarters and in the field who are experts in legal
technological and practical challenges involved in
investigating and prosecuting cybercrime.
As a result of these programs, the number of cases and
prosecutions by the Department is growing at a tremendous rate.
For example, in 1998, U.S. Attorneys Offices filed 85 computer
crime cases against 116 defendants, and this represents a 29-
percent increase in the number of cases filed and a 51-percent
increase in the number of defendants compared to the previous
year. From the same period of time a total of 62 cases against
72 defendants were terminated, with 78 percent of those
defendants being convicted.
On behalf of the Department, I again want to thank Congress
for the support it has given to our efforts to combat
cybercrime. Advancements in technology indicate that our
efforts are really only just beginning. We look forward to
working with Congress and the private sector to ensure that we
have a robust and effective long-term plan for combatting
cybercrime, protecting our Nation's infrastructure,
safeguarding privacy, and ensuring the Internet reaches its
full potential for expanding communications, facilitating
commerce, and bringing countless other benefits to our society.
I look forward to responding to your questions.
[The prepared statement of Mr. Holder follows:]
Prepared Statement of Eric Holder, Jr., Deputy Attorney General,
U.S. Department of Justice
Mr. Chairman, Senator Hollings, and other Members of the
Subcommittee, I want to thank you for this opportunity to testify on
the recent Internet ``denial of service'' attacks and the Federal
response to these incidents, with a particular focus on the challenges
facing the Department of Justice in its fight against cybercrime. At a
time where new technologies abound and our society becomes increasingly
reliant on computer networks and thus vulnerable to cybercrime, we look
forward to working with Congress to ensure that law enforcement, in
cooperation with the private sector, can play an appropriate and
critical role in protecting the well-being of Americans while also
respecting fundamental notions of individual privacy that we hold dear
in this country.
Comments on the Recent Attacks
I would be happy to address your questions on the recent attacks,
to the extent I can do so without compromising our investigation. At
this point, I would simply say that we are taking the attacks very
seriously and that we will do everything in our power to identify those
responsible and bring them to justice. In addition to the malicious
disruption of legitimate commerce, so-called ``denial of service''
attacks involve the unlawful intrusion into an unknown number of
computers, which are in turn used to launch attacks on the eventual
target computer, in this case the computers of Yahoo, eBay, and others.
Thus, the number of victims in these types of cases can be substantial,
and the collective loss and cost to respond to these attacks can run
into the tens of millions of dollars--or more.
Overview of Investigative Efforts and Coordination
Computer crime investigators in a number of FBI field offices and
investigators from other agencies are investigating these attacks. They
are coordinating information with the National Infrastructure
Protection Center (NIPC) of the FBI. The agents are also working
closely with our network of specially trained computer crime
prosecutors who are available 24 hours a day/7 days a week to provide
legal advice and obtain whatever court orders are necessary. Attorneys
from the Criminal Division's Computer Crime and Intellectual Property
Section (CCIPS) are coordinating with the Assistant United States
Attorneys in the field. We are also obtaining information from victim
companies and security experts, who, like many in the Internet
community, condemn these recent attacks. We are also working closely
with our counterparts in other nations. I am proud of the efforts being
made in this case, including the assistance we are receiving from a
number of Federal agencies.
The Emergence of Cybercrime
It is worth remembering that just ten years ago, the Internet was
largely unknown and unavailable to the average person. There was no e-
commerce, no eBay, no Amazon.com. At that time, the Internet was a
collection of military, academic, and research networks serving a small
community of trusted users. That world is history. The far-reaching,
ever-expanding, and ever more rapid advances in computer and software
technology over the last ten years have combined with the explosive
growth of the Internet to change the world forever. For the most part,
the Internet and other technologies are providing wonderful benefits to
our society--from providing new, high-wage jobs to our economy, to
expanding educational opportunities, improving health care, and
allowing family and friends to keep in touch in ways that were simply
impossible a decade ago.
Unfortunately, these wonderful technologies also provide new
opportunities for criminals. Online crime is rapidly increasing. We are
seeing more ``pure'' computer crimes, that is, crimes where the
computer is used as a weapon to attack other computers, as we saw in
the distributed denial of service attacks I just spoke about, and in
the spread of malicious code, like viruses. Our vulnerability to this
type of crime is astonishingly high--it was only this past December
that a defendant admitted, when he pled guilty in Federal and state
court to creating and releasing the Melissa virus, that he caused over
80 million dollars in damage. These crimes also include computer
intrusions designed to obtain information of the most sensitive sort--
such as credit cards, companies' trade secrets, or individuals' private
information.
These crimes not only affect our financial well-being and our
privacy; they also threaten our nation's critical infrastructure. Our
banking system, the stock market, the electricity and water supply,
telecommunications networks, and critical Government services, such as
emergency and national defense services, all rely on computer networks.
For a real-world terrorist to blow up a dam, he would need tons of
explosives, a delivery system, and a surreptitious means of evading
armed security guards. For a cyberterrorist, the same devastating
result could be achieved by hacking into the control network and
commanding the computer to open the floodgates.
We are also seeing a migration of ``traditional'' crimes--including
threats, child pornography, fraud, gambling, and extortion--from the
physical to the online world. When these crimes are carried out online,
perpetrators often find that the can reach more victims quickly and
quite easily, turning what were once ``local'' scams into crimes that
cross interstate and international borders. Computers and computer
networks provide a cheap and powerful means of communications, and
criminals take advantage of this just like everyone else. In addition,
sophisticated criminals can readily use the easy anonymity that the
Internet provides to hide their crimes.
Challenges of Cybercrime
The Internet and computers have brought tremendous benefits to our
society, including greater freedom of expression and economic growth.
But we must also recognize that as a result of our society's increasing
reliance on technology, investigators and prosecutors at all levels--
international, Federal, state, and local--are encountering unique
challenges. These challenges generally can be divided into three
categories:
(1) Technical challenges that hinder law enforcement's ability
to find and prosecute criminals operating online;
(2) Legal challenges resulting from laws and legal tools needed
to investigate cybercrime lagging behind technological,
structural, and social changes; and
(3) Resource challenges to ensure we have satisfied critical
investigative and prosecutorial needs at all levels of
Government.
Before I discuss each of these challenges, let me say that we
recognize that we in Government will not be able to solve all of these
problems. In fact, we believe strongly that the private sector should
take the lead in protecting private computer networks, through more
vigilant security efforts, information sharing, and, where appropriate,
cooperation with Government agencies. The private sector has the
resources, the technical ability, and the trained personnel to ensure
that, as technology continues to develop and change rapidly, the
Internet is a safer place for all of us. The private sector can and
should take the lead on improving security practices and the
development of a more secure Internet infrastructure.
However, even assuming that private sector, and the broader
Internet community as a whole, take steps to provide a safe, secure,
and vibrant Internet, there will be instances where the practices and
safeguards fail. Criminals rob banks even though banks use numerous
security measures. In such cases, law enforcement must be prepared and
equipped to investigate and prosecute cybercriminals in order to stop
their criminal activity, to punish them, and to deter others who might
follow the same path. This is the reason that it is so important that
we work together to address the challenges I am about to discuss.
Technical Challenges
When a hacker disrupts air traffic control at a local airport, when
a child pornographer sends computer files, when a cyberstalker sends a
threatening e-mail to a public school or a local church, or when credit
card numbers are stolen from a company engaged in e-commerce,
investigators must locate the source of the communication. Everything
on the Internet is communications, from an e-mail to an electronic
heist. Finding an electronic criminal means that law enforcement must
determine who is responsible for sending anelectronic threat or
initiating an electronic robbery. To accomplish this, law enforcement
must in nearly every case trace the ``electronic trail'' leading from
the victim back to the perpetrator.
Tracking a criminal online is not necessarily an impossible task,
as demonstrated last year when Federal and state law enforcement
agencies were able to track down the creator of the Melissa virus and
the individual who created a false Bloomburg News Service website in
order to drive up the stock price of PairGain, a telecommunications
company in California. In both cases, technology enabled us to find the
individuals who were engaging in criminal activity.
Unfortunately, despite our successes in the Melissa and PairGain
cases, we still face significant challenges as online criminals become
more sophisticated, often wearing the equivalent of Internet electronic
gloves to hide their fingerprints and their identity.
It doesn't take a master hacker to disappear on a network.
Ironically, while the public is justifiably worried about protecting
the legitimate electronic privacy of individuals who use networks, a
criminal using tools and other information easily available over the
Internet can operate in almost perfect anonymity. By weaving his or her
communications through a series of anonymous remailers; by creating a
few forged e-mail headers with powerful, point-and-click tools readily
downloadable from many hacker web sites; or by using a ``free-trial''
account or two, a hacker, online pornographer, or web-based fraud
artist can often effectively hide the trail of his or her
communications.
As we consider the challenge created by anonymity, we must also
recognize that there are legitimate reasons to allow anonymity in
communications networks. A whistleblower, a resistance fighter in
Kosovo, a battered woman's support group--all of these individuals may
understandably wish to use the Internet and other new technologies to
communicate with others without revealing their identities.
In addition to problems related to the anonymous nature of the
Internet, we are being challenged to investigate and prosecute
criminals in an international arena. The Internet is a global medium
that does not recognize physical and jurisdictional boundaries. A
criminal no longer needs to be at the actual scene of the crime to prey
on his or her victims. As a result, a computer server running a web
page designed to defraud U.S. senior citizens might be located in
Europe or Asia. A child pornographer may distribute photographs or
videos via e-mail, sending the e-mails through the communications
networks of several countries before they reach their intended
recipients. With more than 190 Internet-connected countries in the
world, the coordination challenges facing law enforcement are
tremendous. And any delay in an investigation is critical, as a
criminal's trail might, in certain circumstances, end as soon as he or
she disconnects from the Internet.
Likewise, evidence of a crime can be stored at a remote location,
either for the purpose of concealing the crime from law enforcement and
others, or simply because of the design of the network. In certain
circumstances, the fact that the evidence is stored and held by a third
party, such as an Internet service provider, might be helpful to law
enforcement agencies who might be able to use lawful process to get
that information. However, storing information remotely can also create
a challenge to law enforcement, which cannot ignore the real-world
limits of local, state, and national sovereignty and jurisdiction.
Obtaining information from foreign countries, especially on an
expedited basis, can be a daunting task, especially when a country may
be in a different time zone, use a different language, have different
legal rules, and may not have trained experts available. Consequently,
even as the Internet and other new technologies have given us new
abilities to find criminals remotely, our abilities can be hindered if
we cannot obtain the necessary legal cooperation from our counterparts
in other countries.
The vast majority of Internet companies are good corporate citizens
and are interested in the safety of our citizens. In fact, several
companies have been engaged in discussions with law enforcement
regarding our concerns. Despite these efforts, we have learned that we
cannot take for granted the nature of any Internet service provider's
services, its record-keeping practices, and its ability or willingness
to cooperate with us. We have encountered a handful of companies
involved in criminal activity. In addition, even those companies that
are not involved in criminal activities might not be able to assist us
because of business reasons or privacy concerns that have resulted in
them not keeping the records that will assist in the investigation of a
particular crime.
Moreover, users connect to the Internet from anywhere in the world
over old-fashioned telephone lines, wireless phones, cable modems, and
satellite systems. Each of these telecommunications systems has its own
protocols for addressing and routing traffic, which means that tracking
all the way back to the criminal at his or her computer will require
agents to be fluent in each technical language. Gathering this evidence
from so many kinds of providers is a very different proposition from
the days when we simply obtained an order for a telephone company to
trace a threatening call.
Legal Challenges
Deterring and punishing computer criminals requires a legal
structure that will support detection and successful prosecution of
offenders. Yet the laws defining computer offenses, and the legal tools
needed to investigate criminals using the Internet, can lag behind
technological and social changes, creating legal challenges to law
enforcement agencies.
We may be able to correct some of the legal challenges we encounter
through legislative action. For example, the Computer Fraud and Abuse
Act, 18 U.S.C. Sec. 1030, arguably does not reach a computer hacker who
causes a large amount of damage to a network of computers if no
individual computer sustains over $5,000 worth of damage. The
Department of Justice has encountered several instances in which
intruders have gained unauthorized access to protected computers
(whether publicly or privately owned) used in the provision of
``critical infrastructure'' systems and services--such as those that
hospitals use to store sensitive information and to treat patients, and
those that the military uses to defend the nation--but where proof of
damage in excess of $5000 has not been readily available.
The laws under which we are able to identify the origin and
destination of telephone calls and computer messages also need to be
reviewed. For example, under current law we may have to obtain court
orders in multiple jurisdictions to trace a single communication.
Obtaining court orders in multiple jurisdictions does not advance any
reasonable privacy safeguard, yet it can be a substantial impediment to
a fast-paced investigation. As the Attorney General testified recently,
it might be extremely helpful, for instance, to provide nationwide
effect for trap and trace orders.
Another concern focuses on the problem of online threats and
serious harassment--that is, cyberstalking. Current Federal law does
not address those situations where a cyberstalker uses unwitting third
parties to bombard a victim with messages, transmits personal data
about a person--such as the route by which the victim's children walk
to school--in order to place such person or his family in fear of
injury, or sends an e-mail or other communications under someone else's
name with the intent to abuse, harass, or threaten that person. We
believe Federal law may need to be amended to address this gap.
These aren't hypothetical changes that we are proposing to address.
Just ask the California woman who was awakened six times in the middle
of the night to find men knocking on her door offering to rape her. She
discovered that a man whom she had told she was not romantically
interested in had posted personal advertisements on a variety of
Internet services pretending to be her. Each posting, which contained
her home address and telephone number, claimed that she fantasized
about being raped. We need to ensure that laws against harassment
clearly prohibit such horrific actions, particularly since access to
the Internet means immediate access to a wide audience.
While we believe changes in Federal law may be necessary to address
these challenges, we also want to emphasize that any such legislation
should be tailored to address the challenges we face and should avoid
unnecessary infringement on personal privacy. We recognize the
importance the public attaches to individual privacy, and any
legislation must be carefully balanced to avoid unnecessary
infringement on the privacy rights we hold dear in this country.
Resource Challenges
In addition to technical and legal challenges, we face significant
resource challenges. Simply stated, we need an adequate number of
prosecutors and agents--at the Federal, state and local level--trained
with the necessary skills and properly equipped to effectively fight
all types of cybercrime.
While Congress has been very supportive of the Department's
cybercrime efforts, we need additional resources to ensure we are
adequately equipped to continue our battle against cybercriminals. The
President has requested $37 million in new money in FY 2001 to expand
our staffing, training and technological capabilities to continue the
fight against computer crime. Together, these enhancements will
increase the Department's 2001 funding base for computer crime to $138
million, 28 percent more than in 2000.
Last, the Department of Justice would like to work with Congress to
develop a comprehensive, five-year plan--with FY 2001 as our baseline--
to prevent cybercrime and, when it does occur, to locate, identify,
apprehend and bring to justice those responsible for these types of
crimes. On February 16th, the Attorney General testified before
Congress regarding a proposed a 10-point plan to identify the key areas
we need to develop for our cybercrime capability. The key points of
this plan she touched upon include:
Developing a round-the-clock network of Federal,
state and local law enforcement officials with expertise in,
and responsibility for, investigating and prosecuting
cybercrime.
Developing and sharing expertise--personnel and
equipment--among Federal, state and local law enforcement
agencies.
Dramatically increasing our computer forensic
capabilities, which are so essential in computer crime
investigations--both hacking cases and cases where computers
are used to facilitate other crimes, including drug
trafficking, terrorism, and child pornography.
Reviewing whether we have adequate legal tools to
locate, identify, and prosecute cybercriminals. In particular,
we may need new and more robust procedural tools to allow state
authorities to more easily gather evidence located outside
their jurisdictions. We also need to explore whether we have
adequate tools at the Federal level to effectively investigate
cybercrime.
Because of the borderless nature of the Internet, we
need to develop effective partnerships with other nations to
encourage them to enact laws that adequately address cybercrime
and to provide assistance in cybercrime investigations. A
balanced international strategy for combating cybercrime should
be at the top of our national security agenda.
We need to work in partnership with industry to
address cybercrime and security. This should not be a top-down
approach through excessive Government regulation or mandates.
Rather, we need a true partnership, where we can discuss
challenges and develop effective solutions that do not pose a
threat to individual privacy.
And we need to teach our young people about the
responsible use of the Internet. The Department of Justice and
the Information Technology Association of America have already
taken steps to do so through the development of the
Cybercitizen Partnership, but more needs to be done.
Efforts Against Cybercrime
Despite the technical, legal, and resource challenges, the
Department has made strides in our fight against cybercrime. We have
and will continue to develop extensive investigatory and prosecutorial
programs to counter cybercrime. Let me take a few moments to details
some of our efforts to date.
On the investigatory side, we have the FBI's National
Infrastructure Protection Center (NIPC) and specialized squads located
in 16 field offices.
On the prosecutorial side, we have trained attorneys, both in
headquarters and in the field, who are experts in the legal,
technological, and practical challenges involved in investigating and
prosecuting cybercrime. The cornerstone of our prosecutor cybercrime
program is the Computer Crime and Intellectual Property Section. CCIPS,
which currently has 18 attorneys, was founded in 1991 as the Computer
Crime Unit and was elevated to Section status in 1996. CCIPS works
closely on computer crime cases with Assistant United States Attorneys
known as ``Computer and Telecommunications Coordinators'' (CTC's) in
U.S. Attorneys' Offices around the country. Each CTC is given special
training and equipment, and serves as the district's expert in computer
crime cases. As a result of these programs, the number of cases and
prosecutions by the Department is growing at a tremendous rate. For
example, in 1998, U.S. Attorneys' Offices filed 85 computer crime cases
against 116 defendants. This represents a 29 percent increase in the
number of cases filed and a 51 percent increase in the number of
defendants, compared to the previous year. During that same period of
time, a total of 62 cases against 72 defendants were terminated, with
78 percent of those defendants being convicted.
At the same time, our prosecutors are working with numerous other
Federal, state, and local investigators and prosecutors, providing
assistance in any case involving computers and other high technology,
such as computer searches and seizure. In sum, the Department and, in
particular, its investigators and prosecutors take seriously our
responsibility to protect the nation's computers and the Internet from
computer crime.
In addition to the Department's efforts, other agencies including
the Customs Service, the Secret Service, the Securities and Exchange
Commission, and the U.S. Postal Service's Inspectors General, have
played a role in the investigation and prosecution of computer crimes.
Infrastructure Protection
The Department is also a full partner in ongoing efforts to assure
our nation's critical infrastructures and to make them less vulnerable
to the emerging risks of the information age.
I mentioned before that we believe strongly that the private sector
should take the lead in protecting private computer networks, through
more vigilant security efforts, information sharing, and, where
appropriate, cooperation with Government agencies. Within this
framework, and apart from prosecuting those who launch criminal attacks
on our infrastructure (which is our critical responsibility), the
Department can make important contributions. In the information sharing
arena, we have continued some of the groundwork started by the
President's Commission on Critical Infrastructure Protection by more
closely examining the issues that may impede robust sharing of risk-
related information between private sector entities, between
Governmental entities, and between Government and the private sector.
As the private sector protects its networks, so must the
Government. Therefore, the Department of Justice is working to ensure
that its own networks are secure. We are also involved in efforts,
under the auspices of the Critical Infrastructure Coordinating Group of
the National Security Council, to help Federal agencies expedite and
simplify the process of performing ``vulnerability assessments,'' in
order to uncover hidden vulnerabilities of critical Government systems
before others try to do that for us.
Finally, the Justice Department also is involved in efforts to
ensure that all programs arising out of the Federal Government's
``infrastructure assurance'' efforts are implemented in way entirely
respects long-standing protections for the privacy rights of
individuals.
Conclusion
On behalf of the Department of Justice, I want to thank Congress
for all the support it has given to our efforts to combat cybercrimes.
Advancements in technology indicate that our efforts are only just
beginning. We look forward to working with Congress and the private
sector to ensure that we have a robust and effective long-term plan for
combating cybercrime, protecting our nation's infrastructure,
safeguarding privacy, and ensuring that the Internet reaches its full
potential for expanding communications, facilitating commerce, and
bringing countless other benefits to our society.
Senator Burns. Thank you very much, Mr. Holder. I
appreciate that. Now we have Mr. William Reinsch, and Bill,
thank you for coming back today. We have been across the table
many times on different issues, and I appreciate your openness
and your willingness to come down and visit with us on issues
such as this. We are looking forward to your statement.
STATEMENT OF WILLIAM REINSCH, UNDER SECRETARY OF COMMERCE,
BUREAU OF EXPORT ADMINISTRATION,
U.S. DEPARTMENT OF COMMERCE
Mr. Reinsch. Thank you, Mr. Chairman. It is always a
pleasure to be here, particularly a pleasure to be here and not
talk about encryption, so I am delighted to have the
opportunity to have a different subject at hand.
My statement begins with some comments about the importance
of computer networks and the Internet, and there is no
committee that knows more about it than you all, so I think I
will just get right into the meat of what I want to tell you
this morning, Mr. Chairman.
Senator Burns. Your complete statement will be made a part
of the record, however, Mr. Secretary.
Mr. Reinsch. I appreciate that. Protecting our critical
infrastructure requires that we draw on various assets of the
Government. When specific incidents or cyber events occur, the
Government needs the capacity to issue warnings, investigate
the incident, and develop a case to punish the offenders. The
National Information Protection Center at the FBI is organized
to deal with such events as they occur. Over the long term, the
Government also has a duty to be proactive to ensure that our
computer systems are protected from attack.
Critical infrastructure protection involves assets of both
the Government and the private sector. A number of agencies
have responsibilities with respect to Government computer
systems. The Department of Defense is well on its way to
securing its critical systems, and OMB and NIST have
responsibility for information resources management of computer
systems in Federal agencies.
I want to make clear, Mr. Chairman, the Federal
Government's responsibility in this area. The commission of
crimes is only part of the equation. The infrastructures at
risk are owned and operated by the private sector. The use of
information technology is so embedded in the core operations
and customer service delivery systems of industry that
inevitably it will be they who must work together to take the
steps necessary to protect themselves. However, we can help.
The first major step is the elevation of awareness across
industry of the business case for action for leaders within
industry. They have a commercial interest in maintaining a
secure business environment that assures public confidence in
their institutions. We can also help identify problems,
identify good practices and management practices and
strategies, publicize them, encourage planning, promote
research and development, and convene meetings, which is not a
small matter.
In short, we can act as a catalyst for industry to
mobilize. That is precisely the role the Commerce Department is
playing in several ways. NTIA is a lead agency for the
communications information sector. In February 1999, NTIA
created a private sector coordinator consortium. The consortium
is filled by representatives from the Information Technology
Association of America, the Telecommunications Industry
Association, and the U.S. Telecom Association, all groups I am
sure you are familiar with.
Among their initiatives, the consortium has been raising
awareness among industry through the exchange of information on
threats and vulnerabilities, conducting information security
surveys across sectors, and developing and assessing critical
infrastructure-related standards and best practices. Perhaps
our most important area right now is the development of what we
are calling the Partnership for Critical Infrastructure
Security. The partnership is a collaborative effort between
industry and Government. It brings representatives of the
infrastructure sector together in a dialog with each other and
with other stakeholders, including the risk management and
investment communities, mainstream businesses, and also State
and local Governments.
Secretary Daley, Greg Rohde and I met with senior members
of over 80 partnership companies in New York in December. We
met again last month in Washington with over 220 senior members
of more than 120 partnership companies to encourage business
leaders to adopt information security as an integral business
practice.
The partnership agreed to address such important issues as
cross-sector vulnerability assessments, information-sharing,
and R&D requirements. It set up working groups in those areas
which are continuing to meet throughout the spring, and the
next meeting of the full partnership will be this summer. The
Department's Critical Infrastructure Assurance Office, or CIAO,
also is assisting Federal agencies in conducting analyses of
their dependencies on critical infrastructures.
CIAO has just finished an ambitious pilot program that
identifies the critical assets of the Commerce Department and
maps out dependencies on Governmental and private sector
infrastructures. This program will provide important input to
managers and security officials as they seek to assure their
critical assets against cyber attacks. The Commerce Department
through the CIAO also coordinated the development of the
national plan for information systems protection. President
Clinton announced the release of version 1.0 of the plan on
January 7. This is it. If you do not have any, I would be
pleased to provide you with thousands of them.
It represents the first attempt by any national Government
to design a way to protect those infrastructures essential to
the delivery of electric power, oil and gas, communications,
transportation services, banking and financial services, and
vital human services. Increasingly, these infrastructures are
being operated and controlled through the use of computers and
computer networks. My full statement, Mr. Chairman, has
substantial information about the details of the plan that I
will pass over in the interest of time.
Finally, let me make a comment about funding. President
Clinton has proposed increases for critical infrastructure
protection substantially over the past 3 years, including a 15
percent increase in his fiscal year 2001 budget to $2.01
billion. He has also developed and funded new initiatives to
defend the Nation's systems from cyber attack. For example,
establishing a permanent export review team at NIST that will
help agencies conduct vulnerability analyses and develop
critical infrastructure protection plans, working to recruit,
train, and retrain Federal information technology experts.
We have developed and provided fiscal year 2001 funding for
a Federal cyber services training and education initiative led
by OPM and the National Science Foundation, which calls for two
programs. The first is an ROTC-like program, where we pay for
information technology education in exchange for Federal
service, and the second is a program to establish competencies
and to certify our existing IT work force. As I think you, Mr.
Chairman, or Senator Hollings commented that obtaining and
retraining information technology workers in the Federal
Government, whether it is in the law enforcement area or on the
civilian side, is an extremely difficult thing to do.
We think this program will be an important first step, in
addition to funding seven public key infrastructure model pilot
programs in fiscal year 2001 at different Federal agencies,
designing a Federal intrusion detection network, or FIDNET, to
protect vital systems in Federal civilian agencies, and
ensuring the rapid implementation of system patches for known
software defects. FIDNET will operate in full compliance with
all existing privacy laws.
Developing Federal R&D efforts. R&D investments in computer
security will grow by 31 percent in the President's fiscal year
2001 budget. Part of that includes establishing an Institute
for Information Infrastructure Protection in NIST, as
recommended by the President's Committee of Advisors on Science
and Technology, or PiCAST.
The institute would identify and address serious R&D gaps
that neither the private sector nor the Government's national
security community would otherwise address, but that are
necessary to ensure the robust, reliable operation of the
national information infrastructure. The President's 2001
budget provides $150 million for the institute.
Finally, the National Infrastructure Assurance Council,
NIAC. The President signed an executive order creating this
advisory council last year. Its members are now being recruited
from the senior ranks of the critical infrastructure
industries, including the information technology, State and
local Governments, and we expect an announcement about that
shortly.
In addition, the President has announced a number of new
initiatives designed to support efforts for enhancing computer
security, including the $9 million fiscal year 2000 budget
supplemental that jump starts several of the key elements of
next year's budget that I just mentioned.
In closing, Mr. Chairman, let me simply say that in early
February Secretary Daley met with the President and 25 senior
executives concerned about the recent disruptions to the
Internet. This meeting reinforced the need for further
cooperation between Government and industry to help the private
sector to develop its action agenda for cyber security. The
incidents of early February are not cause, in our judgment, for
pushing the panic button, but they are a wake-up call for
action.
As the President said, I think there is a way that we can
clearly promote security. The President submitted a budget
proposal that funds a number of initiatives that address
critical information systems protection. If we are to reap the
benefits of the information age, we need to take action to
maintain public confidence in a secure business environment
that ensures both our national security and the growth of our
economy.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Reinsch follows:]
Prepared Statement of William Reinsch, Under Secretary of Commerce,
Bureau of Export Administration, U.S. Department of Commerce
Mr. Chairman, I welcome this opportunity to appear before you to
discuss the Federal Government's efforts to protect the nation's
critical infrastructures.
Interdependent computer networks are an integral part of doing
business in the Information Age. America is increasingly dependent upon
computer networks for essential services, such as banking and finance,
emergency services, delivery of water, electricity and gas,
transportation, and voice and data communications. New ways of doing
business in the 21st century are rapidly evolving. Business is
increasingly relying on E-commerce for its commercial transactions as
well as for its critical operations. At the same time, recent hacking
attempts at some of the most popular commercial Web sites underscore
that America's information infrastructure is an attractive target for
deliberate attack or sabotage. These attacks can originate from a host
of sources, such as terrorists, criminals, hostile nations, or the
equivalent of car thief ``joyriders.'' Regardless of the source,
however, the potential for cyber damage to our national security and
economy is evident.
Protecting our critical infrastructures requires that we draw on
various assets of the Government. When specific incidents or cyber
events occur, the Government needs a capacity to issue warnings,
investigate the incident, and develop a case to punish the offenders.
The National Information Protection Center at the FBI is organized to
deal with such events as they occur.
Over the long term, the Government also has a duty to be proactive
to ensure that our computer systems are protected from attack. Critical
infrastructure protection involves assets of both the Government and
the private sector. A number of agencies have responsibilities with
respect to Government computer systems. The Department of Defense is
well on its way to securing its critical systems, and the Office of
Management and Budget (OMB) and the National Institute of Standards and
Technology at the Department of Commerce (NIST) have responsibility for
information resources management of computer systems in Federal
agencies.
I want to make clear that the Federal Government's responsibility
in this area with respect to the commission of crimes is only part of
the equation. The infrastructures at risk are owned and operated by the
private sector. The use of information technology is so embedded in the
core operations and customer service delivery systems of industry that
inevitably, it will be they who must work together to take the steps
necessary to protect themselves. We can help. The first major step is
the elevation of awareness across industry of the ``business case for
action'' for leaders within industry. They have a commercial interest
in maintaining a secure business environment that assures public
confidence in their institutions. We can also help identify problems,
good practices in management policies and strategies, and publicize
them, encourage planning, promote research and development, convene
meetings. In short, we can act as a catalyst for industry to mobilize.
That is precisely the role the Commerce Department is playing in
several ways.
First, the National Telecommunications and Information
Administration (NTIA) is lead agency for the communications and
information sector. In February, 1999, NTIA created a Private Sector
Coordinator Consortium. This role is filled by representatives from the
Information Technology Association of America (ITAA), the
Telecommunications Industry Association (TIA), and the U.S. Telecom
Association (USTA). Among their initiatives, the consortium has been
raising awareness among industry through the exchange of information on
threats and vulnerabilities, conducting information security surveys
across sectors, and developing and asessing CIP-related standards and
best practices.
Another active area is the development of the Partnership for
Critical Infrastructure Security. The Partnership is a collaborative
effort between industry and Government. This undertaking brings
representatives of the infrastructure sectors together in a dialogue
with each other and with other stakeholders, including the risk
management and investment communities, mainstream businesses, and state
and local Governments.
The Partnership complements the work of the Federal lead agencies
responsible for working directly with the industry sectors in
developing their critical infrastructure plans, including NTIA's work
with the communications and information technology industries. It also
complements the NIPC's focus on cyber-terrorism by encouraging industry
to collaborate on information security issues.
Secretary Daley, Assistant Secretary for Communications and
Information Gregory Rohde, and I met with senior members of over 80
Partnership companies in December in New York. We met again last month
in Washington, D.C., with over 220 senior members of more than 120
Partnership companies to encourage business leaders to adopt
information security as an integral business practice. The Partnership
agreed to address such important issues as, cross-sector vulnerability
assessments, information sharing, and R&D requirements.
The Commerce Department's Critical Infrastructure Assurance Office
(CIAO) also is assisting Federal agencies in conducting analyses of
their own dependencies on critical infrastructures. CIAO has just
finished an ambitious pilot program that identifies the critical assets
of the Commerce Department and maps out dependencies on Governmental
and private sector infrastructures. This program will provide important
input to managers and security officials as they seek to assure their
critical assets against cyber attacks.
The Commerce Department, through the CIAO, coordinated the
development of the National Plan for Information Systems Protection.
President Clinton announced the release of Version 1.0 of the Plan on
January 7.
It represents the first attempt by any national Government to
design a way to protect those infrastructures essential to the delivery
of electric power, oil and gas, communications, transportation
services, banking and financial services, and vital human services.
Increasingly, these infrastructures are being operated and controlled
through the use of computers and computer networks.
The current version of the Plan focuses mainly on the domestic
efforts being undertaken by the Federal Government to protect the
Nation's critical cyber-based infrastructures. Later versions will
focus on the efforts of the infrastructure owners and operators, as
well as the risk management and broader business community. Subsequent
versions will also reflect to a greater degree the interests and
concerns expressed by Congress and the general public based on their
feedback. That is why the Plan is designated Version 1.0 and subtitled
An Invitation to a Dialogue--to indicate that it is still a work in
progress and that a broader range of perspectives must be taken into
account if the Plan is truly to be ``national'' in scope and treatment.
II. The Plan: Overview and Highlights.
President Clinton directed the development of this Plan to chart
the way toward the attainment of a national capability to defend our
critical infrastructures by the end of 2003. To meet this ambitious
goal, the Plan establishes 10 programs for achieving three broad
objectives. They are:
Objective 1: Prepare and Prevent: Undertake those steps necessary
to minimize the possibility of a significant and successful attack on
our critical information networks, and build an infrastructure that
remains effective in the face of such attacks.
Program 1 calls for the Government and the private sector to identify
significant assets, interdependencies, and vulnerabilities of critical
information networks from attack, and to develop and implement
realistic programs to remedy the vulnerabilities, while continuously
updating assessment and remediation efforts.
Objective 2: Detect and Respond: Develop the means required to
identify and assess attacks in a timely way, contain such attacks,
recover quickly from them, and reconstitute those systems affected.
Program 2 will install multi-layered protection on sensitive computer
systems, including advanced fire walls, intrusion detection monitors,
anomalous behavior identifiers, enterprise-wide management systems, and
malicious code scanners. To protect critical Federal systems, computer
security operations centers will receive warnings from these detection
devices, as well as Computer Emergency Response Teams (CERTs) and other
means, in order to analyze the attacks, and assist sites in defeating
attacks.
Program 3 will develop robust intelligence and law enforcement
capabilities to protect critical information systems, consistent with
the law. It will assist, transform, and strengthen U.S. law enforcement
and intelligence agencies to be able to deal with a new kind of threat
and a new kind of criminal--one that acts against computer networks.
Program 4 calls for a more effective nationwide system to share attack
warnings and information in a timely manner. This includes improving
information sharing within the Federal Government and encouraging
private industry, as well as, state and local Governments, to create
Information Sharing and Analysis Centers (ISACs), which would share
information among corporations and state and local Governments, and
could receive warning information from the Federal Government. Program
4 additionally calls for removal of existing legal barriers to
information sharing.
Program 5 will create capabilities for response, reconstitution, and
recovery to limit an attack while it is underway and to build into
corporate and agency continuity and recovery plans the ability to deal
with information attacks. The goal for Government and the
recommendation for industry is that every critical information system
have a recovery plan in place that includes provisions for rapidly
employing additional defensive measures (e.g., more stringent firewall
instructions), cutting off or shutting down parts of the network under
certain predetermined circumstances (through.enterprise-wide management
systems), shifting minimal essential operations to ``clean'' systems,
and to quickly reconstitute affected systems.
Objective 3: Build Strong Foundations: Take all actions necessary
to create and support the Nation's commitment to Prepare and Prevent
and to Detect and Respond to attacks on our critical information
networks.
Program 6 will systematically establish research requirements and
priorities needed to implement the Plan, ensure funding, and create a
system to ensure that our information security technology stays abreast
with changes in the threat environment.
Program 7 will survey the numbers of people and the skills required for
information security specialists within the Federal Government and the
private sector, and takes action to train current Federal IT workers
and recruit and educate additional personnel to meet shortfalls.
Program 8 will explain publicly the need to act now, before a
catastrophic event, to improve our ability to defend against deliberate
cyber-based attacks.
Program 9 will develop the legislative framework necessary to support
initiatives proposed in other programs. This action requires intense
cooperation within the Federal Government, including Congress, and
between the Government and private industry.
Program 10 builds mechanisms to highlight and address privacy issues in
the development of each and every program. Infrastructure assurance
goals must be accomplished in a manner that maintains, and even
strengthens, American's privacy and civil liberties. The Plan outlines
nine specific solutions, which include consulting with various
communities; focusing on and highlighting the impact of programs on
personal information; committing to fair information practices and
other solutions developed by various working groups in multiple
industries; and working closely with Congress to ensure that each
program meets standards established in existing Congressional
protections.
With respect to funding, President Clinton has proposed increases
for critical infrastructure protection substantially over the past
three years, including a 15 percent increase in his FY 2001 budget to
$2.01 billion. He has also developed and funded new initiatives to
defend the nation's systems from cyber attack:
Establishing a permanent Expert Review Team (ERT) at NIST
that will help agencies conduct vulnerability analyses and develop
critical infrastructure protection plans. ($5 million).
Working to recruit, train, and retrain Federal IT Experts. We
have developed and provided FY2001 funding for a Federal Cyber Services
Training and Education initiative led by OPM and NSF which calls for
two programs: the first is an ROTC-like program where we pay for IT
education (B.S. or M.S.) in exchange for Federal service; and the
second is a program to establish competencies and certify our existing
IT workforce. ($25 million).
Funding seven Public Key Infrastructure model pilot programs
in FY 2001 at different Federal agencies. ($7 million).
Designing a Federal Intrusion Detection Network (FIDNET) to
protect vital systems in Federal civilian agencies, and in ensuring the
rapid implementation of system ``Apaches'' for known software defects.
FIDNET will operate in full compliance with all existing privacy laws.
($10 million).
Developing Federal R&D Efforts. R&D investments in computer
security will grow by 31 percent in the FY 2001 budget. ($606 million).
Establishing an Institute for Information Infrastructure
Protection. The Institute would identify and address serious R&D gaps
that neither the private sector nor the Government's national security
community would otherwise address, but that are necessary to ensure the
robust, reliable operation of the national information infrastructure.
The President's FY2001 budget provides funding of $50 million for the
Institute. Funding would be provided through the Commerce Department's
National Institute of Standards and Technology (NIST) to this
organization. The Institute was first proposed by the scientists and
corporate officials who served on the President's Committee of Advisors
on Science and Technology, and supported by leading corporate Chief
Technology officers. ($50 million).
National Infrastructure Assurance Council (NIAC). The
President signed an Executive order creating this Advisory Council last
year. Its members are now being recruited from senior ranks of the
critical infrastructure industries, including the information
technology, and state and local Governments.
In addition, the President announced a number of new initiatives
designed to support efforts for enhancing computer security, including
a $9 million FY 2000 budget supplemental to jump-start key elements of
next year's budget.
In early February, Secretary Daley met with the President and 25
senior executives concerned about the recent disruptions to the
Internet. This meeting reinforced the need for further cooperation
between Government and industry to help the private sector develop its
action agenda for cyber security. The incidents of early February are
not cause for pushing the panic button, but they are a wake up call for
action. As the President said, ``I think there is a way that we can
clearly promote security.'' The President has submitted a budget
proposal that funds a number of initiatives that address critical
information systems protection. If we are to reap the benefits of the
Information Age, we need to take action to maintain public confidence
in a secure business environment that ensures both our national
security and the growth of our economy.
Senator Burns. Thank you, Mr. Secretary. Now we hear from
Mr. Michael Vatis, Deputy Assistant Director of the FBI here in
Washington, D.C. It is nice to have you with us this morning.
STATEMENT OF MICHAEL A. VATIS, DEPUTY ASSISTANT
DIRECTOR, FEDERAL BUREAU OF INVESTIGATION,
NATIONAL INFRASTRUCTURE PROTECTION PROGRAMS
Mr. Vatis. Thank you, Mr. Chairman, Senator Hollings and
members of the Subcommittee. I want to thank you for inviting
me here to discuss the growing problem of cybercrime and its
impact on commerce. Our ability in law enforcement to deal with
this growing crime problem will require the support of
Congress, and I greatly appreciate your support, Mr. Chairman,
and this Committee's support for the work that we have been
about these last 2 years.
The recent denial of service attacks have thrust the
security of our information infrastructure into the spotlight,
but they are really only the most recent example of a large and
growing problem of criminal activity in cyberspace. The cyber
revolution has permeated many aspects, if not all aspects, of
our lives, and we see its effects all around us, in the way we
do business, in the way we communicate, and even in the way
that Government agencies operate.
Unfortunately, that revolution has a downside, as you
mentioned in your own statement, Mr. Chairman, and that
downside is the effect that cyberspace and the new information
technologies have on criminal activity, because criminals are
increasingly seeing the utility of cyber tools both to
facilitate traditional sorts of crimes like fraud schemes and
extortion, and also to engage in new types of crimes, where
computers and the information stored on them are seen as the
targets of the criminal activity, rather than just facilitators
of that activity.
Thus, we have seen criminals intruding into computers to
steal credit cards, to steal money, to abscond with proprietary
information, and to shut down e-commerce sites. And this is not
just a crime problem. It is also a national security problem.
That is because our Nation's critical infrastructures--
including things such as telecommunications, electrical energy,
and banking and finance, those things that are vital to our
national security as well as our national economy--are all
dependent on computer technology. But that very dependence
makes them vulnerable to sorts of attacks that did not exist 10
or 15 years ago.
So the same basic types of cyber tools that are attractive
now to criminals who are interested in illicit financial gain
are also attractive to foreign intelligence services who might
be seeking ways to obtain sensitive Government or private
sector information, and also to terrorists or hostile foreign
nations who are bent on attacking United States interests.
The difficulty of dealing with this challenge stems from
the nature of the cyber environment itself. That environment is
borderless. It affords easy anonymity and methods of
concealment to bad actors, and it provides new tools that allow
remote access to targeted computers. A criminal sitting on the
other side of the planet is just as capable of stealthily
infiltrating a computer network, or shutting an e-commerce site
down, as is somebody sitting across the street from his target.
To deal with this problem in all its novel aspects, law
enforcement must retool its work force, forge new partnerships
with private industry and other agencies, and also work closely
with our international counterparts, because so many of these
events transcend national boundaries.
We have been doing all of these things for the last two
years at the NIPC, but we must ensure that we can continue to
build on our progress to ensure that we can protect the
Nation's public safety and national security in the information
age.
As you know, the NIPC is an interagency center located at
the FBI, and we serve as a focal point for the Government's
efforts, on the one hand, to warn of imminent or impending
attacks, and also, on the other hand, to respond to any attacks
that do occur. Regarding the number of our personnel, we have
94 authorized FBI positions at the NIPC, and we have 82 of
those 94 people on board, with the other dozen people in the
pipeline and scheduled to come on board shortly.
We have a target of 40 detailees from other Government
agencies--which is simply a target, since we are left, really,
to the beneficence of other agencies to send people over to us
to work with us, and we have got about half of our target on
board, with some candidates in the pipeline as well that will
come from those other agencies. But one of our challenges is to
work with other agencies to get some people who have the right
skills. Unfortunately there is a limited supply of those people
in the Government, but we are working effectively with other
agencies to ensure that they are represented at the Center, so
we can build a good operational partnership.
We also have, in addition to the Center itself, an
investigative program across the FBI field offices around the
Nation, which consists of 193 special agents who are trained in
conducting network investigations and who also engage in
critical liaison with the private sector, and, very
importantly, with State and local law enforcement, since they
obviously must bear a large share of the load in dealing with
this crime problem.
My written statement has a lengthy summary of examples of
the many different types of cybercrime that we have dealt with
over the last two years. I will mention here just two recent
examples which I think point out the challenge and also the
effects of cybercrime on e-commerce. Last Fall, we had the
Melissa virus, which was a very quickly disseminating virus
that affected numerous, customers and businesses. Within
several days, working with AOL and the New Jersey State police,
we were able to track down the propagator of that virus, and he
recently pled guilty to both Federal and State charges. In his
guilty plea, he admitted to affecting over a million computers
and causing $80 million in damage from that one virus.
Then in February of this year, we had the distributed
denial of service (DDOS) attacks on some of the most popular e-
commerce sites, as the Deputy Attorney General mentioned. I,
too, am limited in what I can say here about this pending
investigation, but I can make a couple of points. First, even
before the investigation, at the end of last year, when we had
information that some of the malicious DDOS software was being
implanted in universities and other private sector networks
that would allow a hacker to take over those systems and use
them to attack another target, we issued warnings to Government
agencies and to the private sector so that people could take
steps to see whether their own networks had been taken over
without their knowledge, and so that they could remove any
malicious code.
We also released a detection tool that we had created
mainly for investigative uses, but which we also realized had
possible utility for network protection. We made that tool
available to private companies and Government agencies so that
they could determine whether their networks had been taken over
by a hacker.
Unfortunately, those efforts did not totally eliminate the
threat, and at the beginning of last month we did see numerous
sites being taken offline for several hours. As a result, we
have initiated several investigations across the country. We
have numerous special agents following leads. We are also
working very closely with several international counterparts to
follow leads in their countries. Although I cannot go into
detail, I can say we are making excellent progress. I am very
satisfied with the progress we are making, and I am optimistic
about the likelihood of having a successful resolution of at
least some of these investigations.
Addressing the threat of cybercrime requires teamwork. That
is the bottom line. We have to have good teamwork among Federal
agencies, good teamwork between Federal and State and local law
enforcement, and good teamwork between the Government and
private sector.
We have developed partnerships with all of those other
sectors over the last two years, and the one with the private
sector is particularly important. Most of the victims of
cybercrime are private companies, so successful investigation
really depends on private companies letting us know when they
have been victimized and working with us to provide us with
incident information, and sometimes with technical assistance
so that we can pursue investigations to the end.
The network administrator in a private company is
oftentimes in many ways the lead investigator, because he or
she is the one who really knows how his or her network is set
up, and can lead an agent through the thicket of the network
and come up with the important information that is necessary to
an investigation.
I think the number of companies that have reported to us
and have cooperated with us in the DDOS investigations is proof
of the fact that private companies are realizing that they have
to deal with law enforcement, and they are willing to engage in
a good, cooperative venture with us. One of the keys to having
a successful relationship with the private sector is for us to
be able to demonstrate that we are capable of investigating
these sorts of crimes. I think our track record over the last
two years has shown that competence, and shown that we know how
to investigate these cases, and our training efforts are
enhancing our ability to do that.
We also need to show that we are willing to give
information back to the private sector. We do not just want
them to report to us. We are capable and willing to give them
warnings when we have relevant information, and also to give
them information about the nature of the threat and some of the
technical exploits that we are seeing bad guys use. We have a
number of programs that are geared toward sharing that
information back to the private sector, which in turn is
helping us to generate the confidence on the private sector's
part that they can work with us.
I think it is a truism that commerce does not thrive in
anarchy, and as Internet use soars, and e-commerce becomes a
more significant part of our overall economy, it is in our
national interest to ensure that the conditions exist that will
foster the further growth of e-commerce. One of the conditions
for that growth is enhancing the security of e-commerce sites
so that customers can be confident that their privacy will be
protected and that their credit cards will not be stolen, and
so that businesses can be assured that they will not be knocked
offline or robbed by cyber criminals.
Law enforcement has a significant role to play in fostering
that security and ensuring that that confidence exists in
cyberspace just as in the physical world. It is important that
we maintain and enhance our investigation capabilities to help
establish that confidence and raise the level of security. We
are only a part of the task, and the private sector bears the
lion's share of the load in establishing better security on
their own systems. But our role is a significant one, and we
are very much tending to the business of ensuring that we can
meet the challenge. I look forward to working with you, Mr.
Chairman, and this Subcommittee to ensure that we continue to
meet that threat.
Thank you very much.
[The prepared statement of Mr. Vatis follows:]
Prepared Statement of Michael A. Vatis, Deputy Assistant Director,
Federal Bureau of Investigation, National Infrastructure Protection
Programs
Introduction
Mr. Chairman, Senator Hollings, and Members of the Subcommittee:
Thank you for inviting me to discuss the threats to our Nation's
critical infrastructures and the NIPC's approach to meeting those
challenges. In 1998 the National Infrastructure Protection Center
(NIPC) was established as a focal point for the Federal Government's
efforts to protect the critical infrastructures. Much has happened
since then to demonstrate both the wisdom of establishing such a Center
and the seriousness of the problem it was designed to address. In the
last two years we have seen the spread of destructive computer viruses
affecting millions of users, a major international intrusion into
Government computer networks, and denial-of-service attacks against
some of the most popular e-commerce websites. Today I will focus on the
nature of the national security and criminal threats we face in
cyberspace, the progress we have made with our interagency partners in
meeting those threats, and the continuing challenges we face.
The NIPC
The NIPC is an interagency Center located at the FBI. Created in
1998, the NIPC serves as the focal point for the Government's efforts
to warn of and respond to cyber attacks, particularly those that are
directed at our nation's ``critical infrastructures.'' These
infrastructures include telecommunications and information, energy,
banking and finance, transportation, Government operations, and
emergency services. In Presidential Decision Directive (PDD) 63, the
President directed that the NIPC serve as a ``national critical
infrastructure threat assessment, warning, vulnerability, and law
enforcement investigation and response entity.'' The PDD further states
that the mission of the NIPC ``will include providing timely warnings
of intentional threats, comprehensive analyses and law enforcement
investigation and response.''
To accomplish its goals, the NIPC is organized into three sections:
The Computer Investigations and Operations Section (CIOS) is the
operational response arm of the Center. It supports and, where
necessary, coordinates computer investigations conducted by FBI field
offices and other agencies throughout the country, provides expert
technical assistance to network investigations, and provides a cyber
emergency response capability to coordinate the response to a national-
level cyber incident.
The Analysis and Warning Section (AWS) serves as the ``indications
and warning'' arm of the NIPC. It provides tactical analytical support
during a cyber incident, and also develops strategic analyses of
threats for dissemination to both Government and private sector
entities so that they can take appropriate steps to protect themselves.
Through its 24/7 watch and warning operation, it maintains a real-time
situational awareness by reviewing numerous Governmental and ``open''
sources of information and by maintaining communications with partner
entities in the Government and private sector. Through its efforts, the
AWS strives to acquire indications of a possible attack, assess the
information, and issue appropriate warnings to Government and private
sector partners as quickly as possible
The Training, Outreach and Strategy Section (TOSS) coordinates the
vital training of cyber investigators in the FBI field offices, other
Federal agencies, and state and local law enforcement. It also
coordinates outreach to private industry and Government agencies to
build the partnerships that are key to both our investigative and our
warning missions. In addition, this section manages our efforts to
catalogue information about individual ``key assets'' across the
country which, if successfully attacked, could have significant
repercussions on our economy or national security. Finally, the TOSS
handles the development of strategy and policy in conjunction with
other agencies and the Congress.
Beyond the NIPC at FBI Headquarters, we have also created a
cybercrime investigative program in all FBI Field Offices called the
National Infrastructure Protection and Computer Intrusion (NIPCI)
Program. This program, managed by the NIPC, consists of special agents
in each FBI Field Office who are responsible for investigating computer
intrusions, viruses, or denial of service attacks, for implementing our
key asset initiative, and for conducting critical liaison activities
with private industry. They are also developing cybercrime task forces
in partnership with state and local law enforcement entities within
their jurisdiction to leverage the limited resources in this area.
The Broad Spectrum of Threats
Over the past several years we have seen a wide range of cyber
threats ranging from defacement of websites by juveniles to
sophisticated intrusions that we suspect may be sponsored by foreign
powers, and everything in between. Some of these are obviously more
significant than others. The theft of national security information
from a Government agency or the interruption of electrical power to a
major metropolitan area would have greater consequences for national
security, public safety, and the economy than the defacement of a web-
site.
But even the less serious categories have real consequences and,
ultimately, can undermine confidence in e-commerce and violate privacy
or property rights. A web site hack that shuts down an e-commerce site
can have disastrous consequences for a business. An intrusion that
results in the theft of credit card numbers from an online vendor can
result in significant financial loss and, more broadly, reduce
consumers' willingness to engage in e-commerce. Recent surveys confirm
this point. According to a poll of Internet users by PC Data Online, 90
percent of those surveyed are concerned about the recent denial of
service attacks. One in three surveyed said they were affected by the
DDOS attacks. Further, over 40 percent of those surveyed said that they
would be less likely to send credit card information over the Internet
in the future.
Such surveys demonstrate the simple fact that the Internet has
become a major aspect of everyday life for many Americans and is fast
becoming a major part of our economy. There were over 100 million
Internet users in the United States in 1999. That number is projected
to reach 177 million in the United States and 502 million worldwide by
the end of 2003. Electronic commerce has emerged as a new sector of the
American economy, accounting for over $100 billion in sales during
1999, more than double the amount in 1998. By 2003, electronic commerce
is projected to exceed $1 trillion. It should be no surprise, then,
that as Internet use and e-commerce continue to grow at a rapid pace,
the rate of cybercrime is also rising dramatically.
A significant part of the problem is the lack of adequate security
on the Internet. As Lou Gerstner, the CEO of IBM said in a speech at
Boston College on Monday, ``No brick-and-mortar company would ever
consider opening its doors without locks, video cameras and a security
staff. Yet every day hundreds of Web enterprises do just that.'' A
fundamental need, therefore, is to raise the level of security on the
Internet. This is clearly the role of the private sector. The
Government has neither the responsibility nor the expertise to act as
the private sector's system administrator. We can help, however, by
providing information to the private sector about concrete threats and
the latest techniques being utilized by cyber criminals, so that
private companies can take steps to secure their systems against those
threats. We also need to ensure that law enforcement has the
capabilities to investigate cybercrime that does occur.
The following are some of the categories of cyber threats that we
confront today.
Insiders. The disgruntled insider (a current or former employee of
a company) is a principal source of computer crimes for many companies.
Insiders' knowledge of the target companies' network often allows them
to gain unrestricted access to cause damage to the system or to steal
proprietary data. The 1999 Computer Security Institute/FBI report notes
that 55 percent of respondents reported malicious activity by insiders.
One example of an insider was George Parente. In 1997, Parente was
arrested for causing five network servers at the publishing company
Forbes, Inc., to crash. Parente was a former Forbes computer technician
who had been terminated from temporary employment. In what appears to
have been a vengeful act against the company and his supervisors,
Parente dialed into the Forbes computer system from his residence and
gained access through a co-worker's log-in and password. Once online,
he caused five of the eight Forbes computer network servers to crash,
and erased all of the server volume on each of the affected servers. No
data could be restored. Parente's sabotage resulted in a two day shut
down in Forbes' New York operations with losses exceeding $100,000.
Parente pleaded guilty to one count of violating of the Computer Fraud
and Abuse Act, Title 18 U.S.C. 1030.
Hackers. Hackers (or ``crackers'') are also a common threat. They
sometimes crack into networks simply for the thrill of the challenge or
for bragging rights in the hacker community. Recently, however, we have
seen more cases of hacking for illicit financial gain or other
malicious purposes. While remote cracking once required a fair amount
of skill or computer knowledge, hackers can now download attack scripts
and protocols from the World Wide Web and launch them against victim
sites. Thus while attack tools have become more sophisticated, they
have also become easier to use. The distributed denial-of-service
(DDOS) attacks earlier this month are only the most recent illustration
of the economic disruption that can be caused by tools now readily
available on the Internet.
We have also seen a rise recently in politically motivated attacks
on web pages or email servers, which some have dubbed ``hacktivism.''
In these incidents, groups and individuals overload e-mail servers or
deface web sites to send a political message. While these attacks
generally have not altered operating systems or networks, they have
disrupted services, caused monetary loss, and denied the public access
to websites containing valuable information, thereby infringing on
others' rights to disseminate and receive information.
Virus Transmitters. Virus transmitters are posing an increasingly
serious threat to networks and systems worldwide. Last year saw the
proliferation of several destructive computer viruses or ``worms,''
including the Melissa Macro Virus, the Explore.Zip worm, and the CIH
(Chernobyl) Virus. The NIPC frequently sends out warnings or advisories
regarding particularly dangerous viruses, which can allow potential
victims to take protective steps and minimize the destructive
consequences of a virus.
The Melissa Macro Virus was a good example of our two-fold
response--encompassing both warning and investigation--to a virus
spreading in the networks. The NIPC sent out warnings as soon as it had
solid information on the virus and its effects; these warnings helped
alert the public and reduce the potential destructive impact of the
virus. On the investigative side, the NIPC acted as a central point of
contact for the field offices who worked leads on the case. A tip
received by the New Jersey State Police from America Online, and their
follow-up investigation with the FBI's Newark Division, led to the
April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one
count of violating 18 U.S.C. Sec. 1030 in Federal Court, and to four
state felony counts. As part of his guilty plea, Smith stipulated to
affecting one million computer systems and causing $80 million in
damage. Smith is awaiting sentencing.
Criminal Groups. We are also seeing the increased use of cyber
intrusions by criminal groups who attack systems for purposes of
monetary gain. In September, 1999, two members of a group dubbed the
``Phonemasters'' were sentenced after their conviction for theft and
possession of unauthorized access devices (18 USC Sec. 1029) and
unauthorized access to a Federal interest computer (18 USC Sec. 1030).
The ``Phonemasters'' were an international group of criminals who
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even
the National Crime Information Center. Under judicially approved
electronic surveillance orders, the FBI's Dallas Division made use of
new data intercept technology to monitor the calling activity and modem
pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded
thousands of Sprint calling card numbers, which he sold to a Canadian
individual, who passed them on to someone in Ohio. These numbers made
their way to an individual in Switzerland and eventually ended up in
the hands of organized crime groups in Italy. Cantrell was sentenced to
two years as a result of his guilty plea, while one of his associates,
Cory Lindsay, was sentenced to 41 months.
The Phonemasters' methods included ``dumpster diving'' to gather
old phone books and technical manuals for systems. They used this
information to trick employees into giving up their logon and password
information. The group then used this information to break into victim
systems. It is important to remember that often ``cybercrimes'' are
facilitated by old fashioned guile, such as calling employees and
tricking them into giving up passwords. Good cyber security practices
must therefore address personnel security and ``social engineering'' in
addition to instituting electronic security measures.
Another example of cyber intrusions used to implement a criminal
conspiracy involved Vladimir L. Levin and numerous accomplices who
illegally transferred more than $10 million in funds from three
Citibank corporate customers to bank accounts in California, Finland,
Germany, the Netherlands, Switzerland, and Israel between June and
October 1994. Levin, a Russian computer expert, gained access over 40
times to Citibank's cash management system using a personal computer
and stolen passwords and identification numbers. Russian telephone
company employees working with Citibank were able to trace the source
of the transfers to Levin's employer in St. Petersburg, Russia. Levin
was arrested in March 1995 in London and subsequently extradited to the
U.S. On February 24, 1998, he was sentenced to three years in prison
and ordered to pay Citibank $240,000 in restitution. Four of Levin's
accomplices pleaded guilty and one was arrested but could not be
extradited. Citibank was able to recover all but $400,000 of the $10
million illegally transferred funds.
Unfortunately, cyberspace provides new tools not only for
criminals, but for national security threats as well. These include
terrorists, foreign intelligence agencies, and foreign militaries.
Director of Central Intelligence George Tenet testified in February
2000, before the Senate Armed Services Committee, that many of the
tools and weapons that can be used for information warfare purposes are
``available on the open market at relatively little cost.'' The DCI
went on to note that the critical threat of IW lies in its potential as
a ``force multiplier'' for an adversary of the United States.
Three major categories of threat actors pose a national security
challenge to the United States in cyberspace.
Terrorists. Terrorists groups are increasingly using new
information technology and the Internet to formulate plans, raise
funds, spread propaganda, and to communicate securely. In his statement
on the worldwide threat in 2000, Director of Central Intelligence
George Tenet testified that terrorists groups, ``including Hizbollah,
HAMAS, the Abu Nidal organization, and Bin Laden's al Qaeda
organization are using computerized files, e-mail, and encryption to
support their operations.'' In one example, convicted terrorist Ramzi
Yousef, the mastermind of the World Trade Center bombing, stored
detailed plans to destroy United States airliners on encrypted files on
his laptop computer. While we have not yet seen these groups employ
cyber tools as a weapon to use against critical infrastructures, their
reliance on information technology and acquisition of computer
expertise are clear warning signs. Moreover, we have seen other
terrorist groups, such as the Internet Black Tigers (who are reportedly
affiliated with the Tamil Tigers), engage in attacks on foreign
Government web-sites and email servers. ``Cyber terrorism''--by which I
mean the use of cyber tools to shut down critical national
infrastructures (such as energy, transportation, or Government
operations) for the purpose of coercing or intimidating a Government or
civilian population--is thus a very real, though still largely
potential, threat.
Foreign intelligence services. Not surprisingly, foreign
intelligence services have adapted to using cyber tools as part of
their espionage tradecraft. Even as far back as 1986, before the
worldwide surge in Internet use, the KGB employed West German hackers
to access Department of Defense systems in the well-known ``Cuckoo's
Egg'' case. While I cannot go into specifics about more recent
developments in an open hearing, it should not surprise anyone to hear
that foreign intelligence services increasingly view computer
intrusions as a useful tool for acquiring sensitive U.S. Government and
private sector information.
Information Warfare. The prospect of ``information warfare'' by
foreign militaries against our critical infrastructures is perhaps the
greatest potential cyber threat to our national security. We know that
several foreign nations are developing information warfare doctrine,
programs, and capabilities for use against the United States or other
nations. Knowing that they cannot match our military might with
conventional or ``kinetic'' weapons, nations see cyber attacks on our
critical infrastructures or military operations as a way to hit what
they perceive as America's Achilles heel--our growing dependence on
information technology in Government and commercial operations. For
example, two Chinese military officers recently published a book that
called for the use of unconventional measures, including the
propagation of computer viruses, to counterbalance the military power
of the United States. And a Russian official has also commented that an
attack on a critical infrastructure could, ``by virtue of its
catastrophic consequences, completely overlap with the use of [weapons]
of mass destruction.''
Distributed Denial of Service Tools
The recent distributed denial of service (DDOS) attacks on e-
commerce sites have garnered a tremendous amount of interest in the
public and in the Congress. While we do not yet have official damage
estimates, the Yankee Group, a research firm, estimates the impact of
the attacks at $1.2 billion due to lost capitalization losses, lost
revenues, and security upgrades. Because we are actively investigating
these attacks, I cannot provide a detailed briefing on the status of
our efforts. However, I can provide an overview of our activities to
deal with the DDOS threat beginning last year and of our investigative
efforts over the last three weeks. These attacks illustrate the growing
availability of destructive, yet easy-to-use, exploits that are widely
available on the Internet. They also demonstrate the NIPC's two-fold
mission: sharing information with the private sector and warning of
possible threats, and responding to actual attacks.
In the fall of last year, the NIPC began receiving reports about a
new set of ``exploits'' or attack tools collectively called distributed
denial of service (or DDOS) tools. DDOS variants include tools known as
``Trin00,'' ``Tribal Flood Net'' (TFN), ``TFN2K,'' and ``Stacheldraht''
(German for ``barbed wire''). These tools essentially work as follows:
hackers gain unauthorized access to a computer system(s) and place
software code on it that renders that system a ``master'' (or a
``handler''). The hackers also intrude into other networks and place
malicious code which makes those systems into agents (also known as
``zombies'' or ``daemons'' or ``slaves''). Each Master is capable of
controlling multiple agents. In both cases, the network owners normally
are not aware that dangerous tools have been placed and reside on their
systems, thus becoming third-party victims to the intended crime.
The ``Masters'' are activated either remotely or by internal
programming (such as a command to begin an attack at a prescribed time)
and are used to send information to the agents, activating their DDOS
ability. The agents then generate numerous requests to connect with the
attack's ultimate target(s), typically using a fictitious or
``spoofed'' IP (Internet Protocol) address, thus providing a falsified
identity as to the source of the request. The agents act in unison to
generate a high volume of traffic from several sources. This type of
attack is referred to as a SYN flood, as the SYN is the initial effort
by the sending computer to make a connection with the destination
computer. Due to the volume of SYN requests the destination computer
becomes overwhelmed in its efforts to acknowledge and complete a
transaction with the sending computers, degrading or denying its
ability to complete service with legitimate customers--hence the term
``Denial of Service''. These attacks are especially damaging when they
are coordinated from multiple sites--hence the term Distributed Denial
of Service.
An analogy would be if someone launched an automated program to
have hundreds of phone calls placed to the Capitol switchboard at the
same time. All of the good efforts of the staff would be overcome. Many
callers would receive busy signals due to the high volume of telephone
traffic.
In November and December, the NIPC received reports that
universities and others were detecting the presence of hundreds of
agents on their networks. The number of agents detected clearly could
have been only a small subset of the total number of agents actually
deployed. In addition, we were concerned that some malicious actors
might choose to launch a DDOS attack around New Year's Eve in order to
cause disruption and gain notoriety due to the great deal of attention
that was being payed to the Y2K rollover. Accordingly, we decided to
issue a series of alerts in December to Government agencies, industry,
and the public about the DDOS threat.
Moreover, in late December, we determined that a detection tool
that we had developed for investigative purposes might also be used by
network operators to detect the presence of DDOS agents or masters on
their operating systems, and thus would enable them to remove an agent
or master and prevent the network from being unwittingly utilized in a
DDOS attack. Moreover, at that time there was, to our knowledge, no
similar detection tool available commercially. We therefore decided to
take the unusual step of releasing the tool to the Department of
Defense, other Government agencies, and to the public in an effort to
reduce the level of the threat. We made the first variant of our
software available on the NIPC web site on December 30, 1999. To
maximize the public awareness of this tool, we announced its
availability in an FBI press release that same date. Since the first
posting of the tool, we have posted three updated versions that have
perfected the software and made it applicable to different operating
systems.
The public has downloaded these tools tens of thousands of times
from the web site, and has responded by reporting many installations of
the DDOS software, thereby preventing their networks from being used in
attacks and leading to the opening of criminal investigations both
before and after the widely publicized attacks of the last few weeks.
Our work with private companies has been so well received that the
trade group SANS awarded their yearly Security Technology Leadership
Award to members of the NIPC's Special Technologies Applications Unit.
Last month, we received reports that a new variation of DDOS tools
was being found on Windows operating systems. One victim entity
provided us with the object code to the tool found on its network. On
February 18 we made the binaries available to anti-virus companies
(through an industry association) and the Computer Emergency Response
Team (CERT) at Carnegie Mellon University for analysis and so that
commercial vendors could create or adjust their products to detect the
new DDOS variant. Given the attention that DDOS tools have received in
recent weeks, there are now numerous detection and security products to
address this threat, so we determined that we could be most helpful by
giving them the necessary code rather than deploying a detection tool
ourselves.
Unfortunately, the warnings that we and others in the security
community had issued about DDOS tools last year, while alerting many
potential victims and reducing the threat, did not eliminate the
threat. Quite frequently, even when a threat is known and patches or
detection tools are available, network operators either remain unaware
of the problem or fail to take necessary protective steps. In addition,
in the cyber equivalent of an arms race, exploits evolve as hackers
design variations to evade or overcome detection software and filters.
Even security-conscious companies that put in place all available
security measures therefore are not invulnerable. And, particularly
with DDOS tools, one organization might be the victim of a successful
attack despite its best efforts, because another organization failed to
take steps to keep itself from being made the unwitting participant in
an attack.
On February 7, 2000, the NIPC received reports that Yahoo had
experienced a denial of service attack. In a display of the close
cooperative relationship that we have developed with the private
sector, in the days that followed, several other companies (including
Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also
reported denial of service outages to the NIPC or FBI field offices.
These companies cooperated with us by providing critical logs and other
information. Still, the challenges to apprehending the suspects are
substantial. In many cases, the attackers used ``spoofed'' IP
addresses, meaning that the address that appeared on the target's log
was not the true address of the system that sent the messages. In
addition, many victims do not keep complete network logs.
The resources required in an investigation of this type are
substantial. Companies have been victimized or used as ``hop sites'' in
numerous places across the country, meaning that we must deploy special
agents nationwide to work leads. We currently have seven FBI field
offices with cases opened and all the remaining offices are supporting
the offices that have opened cases. Agents from these offices are
following up literally hundreds of leads. The NIPC is coordinating the
nationwide investigative effort, performing technical analysis of logs
from victims sites and Internet Service Providers (ISPs), and providing
all-source analytical assistance to field offices. Moreover, parts of
the evidentiary trail have led overseas, requiring us to work with our
foreign counterparts in several countries through our Legal Attaches
(Legats) in U.S. embassies.
While the crime may be high tech, investigating it involves a
substantial amount of traditional investigative work as well as highly
technical work. Interviews of network operators and confidential
sources can provide very useful information, which leads to still more
interviews and leads to follow-up. And victim sites and ISPs provide an
enormous amount of log information that needs to be processed and
analyzed by human analysts.
Despite these challenges, I am optimistic that the hard work of our
agents, analysts, and computer scientists; the excellent cooperation
and collaboration we have with private industry and universities; and
the teamwork we are engaged in with foreign partners will in the end
prove successful.
Interagency Cooperation
The broad spectrum of cyber threats described earlier, ranging from
hacking to foreign espionage and information warfare, requires not just
new technologies and skills on the part of investigators, but new
organizational constructs as well. In most cyber attacks, the identity,
location, and objective of the perpetrator are not immediately
apparent. Nor is the scope of his attack--i.e., whether an intrusion is
isolated or part of a broader pattern affecting numerous targets. This
means it is often impossible to determine at the outset if an intrusion
is an act of cyber vandalism, organized crime, domestic or foreign
terrorism, economic or traditional espionage, or some form of strategic
military attack. The only way to determine the source, nature, and
scope of the incident is to gather information from the victim sites
and intermediate sites such as ISPs and telecommunications carriers.
Under our constitutional system, such information typically can be
gathered only pursuant to criminal investigative authorities. This is
why the NIPC is part of the FBI, allowing us to utilize the FBI's legal
authorities to gather and retain information and to act on it,
consistent with constitutional and statutory requirements.
But the dimension and varied nature of the threats also means that
this is an issue that concerns not just the FBI and law enforcement
agencies, but also the Department of Defense, the Intelligence
Community, and civilian agencies with infrastructure-focused
responsibility such as the Departments of Energy and Transportation. It
also is a matter that greatly affects state and local law enforcement.
This is why the NIPC is an interagency center, with representatives
detailed to the FBI from numerous Federal agencies and representation
from state and local law enforcement as well. These representatives
operate under the direction and authority of the FBI, but bring with
them expertise and skills from their respective home agencies that
enable better coordination and cooperation among all relevant agencies,
consistent with applicable laws.
We have had many instances in the last two years where this
interagency cooperation has proven critical. As mentioned earlier, the
case of the Melissa virus was successfully resolved with the first
successful Federal prosecution of a virus propagator in over a decade
because of close teamwork between the NIPCI squad in the FBI's Newark
Division and other field offices, the New Jersey State Police, and the
NIPC.
The ``Solar Sunrise'' case is another example of close teamwork
with other agencies. In 1998, computer intrusions into U.S. military
computer systems occurred during the Iraq weapons inspection crisis.
Hackers exploited known vulnerabilities in Sun Solaris operating
systems. Some of the intrusions appeared to be coming from the Middle
East. The timing, nature, and apparent source of some of the attacks
raised concerns in the Pentagon that this could be a concerted effort
by Iraq to interfere with U.S. troop deployments. NIPC coordinated a
multi-agency investigation which included the FBI, the Air Force Office
of Special Investigations, the National Aeronautics and Space
Administration, the Department of Justice, the Defense Information
Systems Agency, the National Security Agency, and the Central
Intelligence Agency. Within several days, the investigation determined
that the intrusions were not the work of Iraq, but of several teenagers
in the U.S. and Israel. Two juveniles in California pleaded guilty to
the intrusions, and several Israelis still await trial. The leader of
the Israeli group, Ehud Tenenbaum, has been indicted and is currently
scheduled for trial in Israel in April.
More recently, we observed a series of intrusions into numerous
Department of Defense and other Federal Government computer networks
and private sector entities. Investigation last year determined that
the intrusions appear to have originated in Russia. The intruder
successfully accessed U.S. Government networks and took large amounts
of unclassified but sensitive information, including defense technical
research information. The NIPC coordinated a multi-agency
investigation, working closely with FBI field offices, the Department
of Defense, and the Intelligence Community. While I cannot go into more
detail about this case here, it demonstrates the very real threat we
face in the cyber realm, and the need for good teamwork and
coordination among Government agencies responsible for responding to
the threat.
Private Sector Cooperation
Our success in battling cybercrime also depends on close
cooperation with private industry. This is the case for several
reasons. First, most of the victims of cybercrimes are private
companies. Therefore, successful investigation and prosecution of
cybercrimes depends on private victims reporting incidents to law
enforcement and cooperating with the investigators. Contrary to press
statements by cyber security companies that private companies won't
share information with law enforcement, many private companies have
reported incidents and threats to the NIPC or FBI field offices. The
number of victims who have voluntarily reported DDOS attacks to us over
the last few weeks is ample proof of this. While there are undoubtedly
companies that would prefer not to report a crime because of fear of
public embarrassment over a security lapse, the situation has improved
markedly. Companies increasingly realize that deterrence of crime
depends on effective law enforcement, and that the long-term interests
of industry depend on establishing a good working relationship with
Government to prevent and investigate crime.
Testimony two weeks ago before the Senate Appropriations
Subcommittee for Commerce, State, and Justice by Robert Chesnut,
Associate General Counsel for eBay, illustrates this point:
Prior to last week's attacks, eBay had established a close
working relationship with the computer crimes squad within the
Northern California office of the Federal Bureau of
Investigation (``FBI''). eBay has long recognized that the best
way to combat cybercrime, whether it's fraud or hacking, is by
working cooperatively with law enforcement. Therefore, last
year we established procedures for notifying the FBI in the
event of such an attack on our web site. As result of this
preparation, we were able to contact the FBI computer intrusion
squad during the attack and provide them with information that
we expect will assist in their investigation. In the aftermath
of the attack, eBay has also been able to provide the FBI with
additional leads that have come to our attention.
Second, the network administrator at a victim company or ISP is
critical to the success of an investigation. Only that administrator
knows the unique configuration of her system, and she typically must
work with an investigator to find critical transactional data that will
yield evidence of a criminal's activity.
Third, the private sector has the technical expertise that is often
critical to resolving an investigation. It would be impossible for us
to retain experts in every possible operating system or network
configuration, so private sector assistance is critical. In addition,
many investigations require the development of unique technical tools
to deal with novel problems. Private sector assistance has been
critical there as well.
We have several other initiatives devoted to private sector
outreach that bear mentioning here. The first is called ``InfraGard.''
This is an initiative that we have developed in concert with private
companies and academia to encourage information-sharing about cyber
intrusions, exploited vulnerabilities, and physical infrastructure
threats. A vital component of InfraGard is the ability of industry to
provide information on intrusions to the local FBI field office using
secure e-mail communications in both a ``sanitized'' and detailed
format. The local FBI field offices can, if appropriate, use the
detailed version to initiate an investigation; while NIPC Headquarters
can analyze that information in conjunction with other information we
obtain to determine if the intrusion is part of a broader attack on
numerous sites. The NIPC can simultaneously use the sanitized version
to inform other members of the intrusion without compromising the
confidentiality of the reporting company. The key to this system is
that whether, and what, to report is entirely up to the reporting
company. A secure web site also contains a variety of analytic and
warning products that we make available to the InfraGard community. The
success of InfraGard is premised on the notion that sharing is a two-
way street: the NIPC will provide threat information that companies can
use to protect their systems, while companies will provide incident
information that can be used to initiate an investigation and to warn
other companies.
Our Key Asset Initiative (KAI) is focused more specifically on the
owners and operators of critical components of each of the
infrastructure sectors. It facilitates response to threats and
incidents by building liaison and communication links with the owners
and operators of individual companies and enabling contingency
planning. The KAI began in the 1980s and focused on physical
vulnerabilities to terrorism. Under the NIPC, the KAI has been
reinvigorated and expanded to focus on cyber vulnerabilities as well.
The KAI currently involves determining which assets are key within the
jurisdiction of each FBI Field Office and obtaining 24-hour points of
contact at each asset in cases of emergency. Eventually, if future
resources permit, the initiative will include the development of
contingency plans to respond to attacks on each asset, exercises to
test response plans, and modeling to determine the effects of an attack
on particular assets. FBI field offices are responsible for developing
a list of the assets within their respective jurisdictions, while the
NIPC maintains the national database. The KAI is being developed in
coordination with DOD and other agencies. Currently the database has
about 2600 entries. This represents 2600 contacts with key private
sector nodes made by the NIPC and FBI field offices.
A third initiative is a pilot program we have begun with the North
American Electrical Reliability Council (NERC). Under the pilot
program, electric utility companies and other power entities transmit
cyber incident reports in near real time to the NIPC. These reports are
analyzed and assessed to determine whether an NIPC warning, alert, or
advisory is warranted. Electric power participants in the pilot program
have stated that the information and analysis provided by the NIPC back
to the power companies fully justify their participation in the
program. It is our expectation that the Electrical Power Indications
and Warning System will provide a full-fledged model for the other
critical infrastructures.
Much has been said over the last few years about the importance of
information sharing. Since our founding, the NIPC has been actively
engaged in building concrete mechanisms and initiatives to make this
sharing a reality, and we have built up a track record of actually
sharing useful information. These efforts belie the notions that
private industry won't share with law enforcement in this area, or that
the Government won't provide meaningful threat data to industry. As
companies continue to gain experience in dealing with the NIPC and FBI
field offices, as we continue to provide them with important and useful
threat information, and as companies recognize that cybercrime requires
a joint effort by industry and Government together, we will continue to
make real progress in this area.
Meeting the Growing Cyber Threat
As Internet use continues to soar, the number of cyber attacks is
also increasing exponentially. Our case load reflects this growth. In
FY 1998, we opened 547 computer intrusion cases; in FY 1999, that
number jumped to 1154. Similarly, the number of pending cases increased
from 206 at the end of FY 1997, to 601 at the end of FY 1998, to 834 at
the end of FY 99, and to over 900 currently. These statistics include
only computer intrusion cases, and do not account for computer
facilitated crimes such as Internet fraud, child pornography, or e-mail
extortion efforts. In these cases, the NIPC and NIPCI squads often
provide technical assistance to traditional investigative programs
responsible for these categories of crime.
We can clearly expect these upward trends to continue, and for the
threats to become more serious. While insiders, hackers, and criminal
groups make up much of our case load at the moment, we can anticipate a
growing number of national security cases in the near future. To meet
this challenge, we must ensure that we have adequate resources,
including both personnel and equipment, both at the NIPC and in FBI
field offices. We currently have 193 agents nationwide dedicated to
investigating computer intrusion and virus cases. In order to maximize
investigative resources the FBI has taken the approach of creating
regional squads in 16 field offices that have sufficient size to work
complex intrusion cases and to assist those field offices without a
NIPCI squad. In those field offices without squads, the FBI is building
a baseline capability by having one or two agents to work NIPC matters,
i.e. computer intrusions (criminal and national security), viruses,
InfraGard, state and local liaison, etc.
At the NIPC, we currently have 101 personnel on board, including 82
FBI employees and 19 detailees from other Government agencies. This
cadre of investigators, computer scientists, and analysts perform the
numerous and complex tasks outlined above, and provide critical
coordination and support to field office investigations. As the crime
problem grows, we need to make sure that we keep pace by bringing on
board additional personnel, including from other agencies and the
private sector.
In addition to putting in place the requisite number of agents,
analysts, and computer scientists in the NIPC and in FBI field offices,
we must fill those positions by recruiting and retaining personnel who
have the appropriate technical, analytical, and investigative skills.
This includes personnel who can read and analyze complex log files,
perform all-source analysis to look for correlations between events or
attack signatures and glean indications of a threat, develop technical
tools to address the constantly changing technological environment, and
conduct complex network investigations. There is a very tight market
for information technology professionals. The Federal Government needs
to be able to recruit the very best people into its programs.
Fortunately, we can offer exciting, cutting-edge work in this area and
can offer agents, analysts, and computer scientists the opportunities
to work on issues that no one else addresses, and to make a difference
to our national security and public safety. In addition, Congress
provided the FBI with a pilot program that exempts certain technical
personnel from the Title V civil service rules, which allows us to pay
more competitive salaries and recruit and retain top notch personnel.
Unfortunately, this pilot is scheduled to expire in November unless
extended.
Training and continuing education are also critical, and we have
made this a top priority at the NIPC. In FY 1999, we trained 383 FBI
and other-Government-agency students in NIPC sponsored training classes
on network investigations and infrastructure protection. The emphasis
for 2000 is on continuing to train Federal personnel while expanding
training opportunities for state and local law enforcement personnel.
During FY 2000, we plan to train approximately 740 personnel from the
FBI, other Federal agencies, and state and local law enforcement.
Developing and deploying the best equipment in support of the
mission is also very important. Not only do investigators and analysts
need the best equipment to conduct investigations in the rapidly
evolving cyber system but the NIPC must be on the cutting edge of cyber
research and development. Conducting a network intrusion or denial-of-
service investigation often requires analysis of voluminous amounts of
data. For example, one network intrusion case involving an espionage
matter currently being investigated has required the analysis of 17.5
Terabytes of data. To place this into perspective, the entire
collection of the Library of Congress, if digitized, would comprise
only 10 Terabytes. The Yahoo DDOS attack involved approximately 630
Gigabytes of data, which is equivalent to enough printed pages to fill
630 pickup trucks with paper. Technical analysis requires high capacity
equipment to store, process, analyze, and display data. Again, as the
crime problem grows, we must ensure that our technical capacity keeps
pace. We are also working closely with other agencies to ensure that we
leverage existing resources to the fullest extent possible.
Challenges in Combating Cyber Intrusions
The burgeoning problem of cyber intrusions, viruses, and denial of
service attacks poses unique challenges to the NIPC. These challenges
require novel solutions, close teamwork among agencies and with the
private sector, and adequate human and technical resources.
Identifying the Intruder. One major difficulty that distinguishes
cyber threats from physical threats is determining who is attacking
your system, why, how, and from where. This difficulty stems from the
ease with which individuals can hide or disguise their tracks by
manipulating logs and directing their attacks through networks in many
countries before hitting their ultimate target. The ``Solar Sunrise''
case illustrates this point. This will continue to pose a problem as
long as the Internet remains rife with vulnerabilities and allows easy
anonymity and concealment.
Jurisdictional Issues. Another significant challenge we face is
intrusions involving multiple jurisdictions. A typical investigation
involves victim sites in multiple states and often many countries. This
is the case even when the hacker and victim are both located in the
United States. In the United States, we can subpoena records, engage in
judicially approved electronic surveillance, and execute search
warrants on suspects' homes, seize evidence, and examine it. We can do
none of those things ourselves overseas; rather, we depend on the local
authorities to assist us. In some cases the local police forces simply
do not understand or cannot cope with the technology. In other cases,
these nations simply do not have laws against computer intrusions and
are therefore limited in their ability to help us. FBI Legal Attaches
in 35 embassies abroad provide critical help in building bridges with
local law enforcement to enhance cooperation on cybercrime and in
working leads on investigations. As the Internet spreads to even more
countries, we will see greater demands placed on the Legats to support
computer crime investigations. The NIPC also has held international
computer crime conferences and offered cybercrime training classes to
foreign law enforcement officials to develop liaison contacts and bring
these officials up to speed on cybercrime issues.
The most difficult situation will arise, however, in which a
foreign country with interests adverse to our own simply refuses to
cooperate. In such a situation, we could find that an investigation is
stymied unless we find an alternative method of tracing the activity
back to its source.
The Role of Law Enforcement
Finally, I would like to conclude by emphasizing two key points.
The first is that our role in combating cybercrime is essentially two-
fold: (1) preventing cyber attacks before they occur or limiting their
scope by disseminating warnings and advisories about threats so that
potential victims can protect themselves; and (2) responding to attacks
that do occur by investigating and identifying the perpetrator. This is
very much an operational role. Our role is not to determine what
security measures private industry should take, or to ensure that
companies or individuals take them. It is the responsibility of
industry to ensure that appropriate security tools are made available
and are implemented. We certainly can assist industry by alerting them
to the actual threats that they need to be concerned about, and by
providing information about the exploits that we are seeing criminals
use. But network administrators, whether in the private sector or in
Government, are the first line of defense.
Second, in gathering information as part of our warning and
response missions, we rigorously adhere to constitutional and statutory
requirements. Our conduct is strictly limited by the Fourth Amendment,
statutes such as Title III and ECPA, and the Attorney General
Guidelines. These rules are founded first and foremost on the
protection of privacy inherent in our constitutional system. Respect
for privacy is thus a fundamental guidepost in all of our activities.
Conclusion
I want to thank the Subcommittee again for giving me the
opportunity to testify here today. The cyber threat is real,
multifarious, and growing. The NIPC is moving aggressively to meet this
challenge by training investigators and analysts to investigate
computer intrusion cases, equipping them with the latest technology,
developing our analytic capabilities and warning mechanisms to head off
or mitigate attacks, and closely cooperating with the private sector.
We have already made considerable progress in developing our
capabilities to protect public safety and national security in the
Information Age. I look forward to working with Congress to ensure that
we continue to be able to meet the threat as it evolves and grows.
Thank you.
Senator Burns. Thank you very much, Mr. Vatis.
We have been joined by Senator Wyden. Do you have a
statement, Senator?
Senator Wyden. Thank you, Senator. I will just wait for
questions.
Senator Burns. Thank you.
I want to preface my line of thinking here just a little
bit. We have an economic thing that is happening right now in
the American business world, and in fact our whole economics,
and we have this terrific increase in energy prices, which is
going to create a little more pressure, I think, on the
Internet, the way we move information, the way we do business,
because of the cost of transportation to be right honest with
you.
I think before the summer is out you are going to see we
are going to be in a crisis situation. I cannot imagine right
now my farmers, and this is a long way from what we are talking
about, but I cannot imagine doubling the cost of fuel and
trying to sell a product off the farm now that is not making
any money under the conditions of last year, and now we are
going to double our input cost and expect the same price this
year.
I cannot imagine me even cranking the first flywheel on a
tractor, to be right honest with you, but we have that moving,
and I have a feeling this is going not only in the way we move
information but also our e-commerce is going to have new
pressures, as far as volume is concerned, in the upcoming year
as we face this energy situation for the rest of the year, so I
want to preface that, and that is what I am kind of concerned
about.
Then we talk about security. Mr. Holder, with the exception
to formal hearings, have you been in any communications with
any of the Members of Congress regarding this situation to
describe to them what your concerns are and the needs we are
going to have?
Now, the representative from the Federal Bureau of
Investigation says it is going to take a lot of teamwork
between industry, Government, between Government agencies
within the Government, and I am saying that I do not think I
have had one call from one agency saying we have got a
phenomenon out here that is working and some way or another we
are going to have to deal with this.
And Congress I think will play a role and has to play a
role in the future, but have you had any kind of meetings with
Congress to bring us, Senator Hollings or whoever, up to date
on the role that we should be playing, and especially your
concerns about security and these kinds of situations?
Mr. Holder. To my knowledge there has been work, I think,
at the staff level. I have not convened any meetings with any
Members of Congress, but I think we have had meetings at the
staff level to talk about the needs we have identified both
with regard to legislation and resources.
The Attorney General has talked about the creation of a 5-
year plan starting in the next fiscal year to figure out
exactly what challenges we think we are going to face, what
resources we think we are going to need to face those
challenges, and we think in that regard, in the formulation of
that plan in particular, that interaction with Congress on the
Senate side and the House side would be particularly important.
Senator Burns. I say that because sometimes in these
situations we are kind of behind the curve, even though you may
have some facts that maybe we can prevent--and I am not saying
that we have got the answers, but I am saying, though, that
Congress finally has to play a role somewhere along the line in
consultation between the agencies and Congress.
It would certainly help us, some of us--and even on the
security side, can you give me, any of you can give me a
profile of what kind of personalities engage in these
destructive and senseless attacks like we have experienced?
Mr. Vatis. I am actually reluctant to state any one profile
because there is a tremendous range of different types of
actors that we see, ranging from the insider, an employee or a
former employee at a company who wants to take revenge against
his employer and so steals information to give to a competitor,
or shuts down the system just to spite his employer. Teenage
hackers who are breaking into systems just for bragging rights
in the hacker community, or for the challenge of doing it.
More and more, organized groups of often young people but
not necessarily juveniles who are breaking into systems to
steal things for financial gain, and then all the way on the
other end of the spectrum, foreign intelligence services that
we are seeing looking at these new tools as a new mechanism for
gathering information, so it really runs the gamut across that
broad range.
Senator Burns. Senator Hollings.
Senator Hollings. I am encouraged by the appearance of each
of you, and particularly Mr. Vatis, that the FBI is on top of
it. We have had the Appropriations Committee hearings on this,
and topic currently, under Senator Gregg's leadership we have
been getting into child pornography and other internet-related
issues.
The grasp of these subjects is necessary, but I would
dissent from the idea expressed, and the timidity, about how
the private sector should do this. Look here, if the private
sector could do it they would find money in it and do it.
We got into the Internet to secure our communications. We
said back in the late sixties, suppose they drop a bomb on the
Pentagon and we have got all the troops out there--divisions
and tanks and planes--but nobody can communicate. So then we
started tying together research endeavors on the various
university campuses, and ergo, the Internet. Now it is our
responsibility of the infrastructure to get the security.
I have got to go, Mr. Chairman, right down to the
conference on the FAA authorization bill. Before I go, let me
note that we have to make sure that our transportation systems
line air transportation are secure. You would not want somebody
to muck up the radar and everything else at Reagan National and
suddenly have the planes start crashing all around. None of us
wants to go to an interview and say, ``well, you know, we just
had a hearing on it, and we all agreed it is the private
sector's responsibility. Let the planes crash.'' I mean, come
on.
Let's get away from this argument that security is a
private sector responsibility. After all this industry is
developing pell-mell into oligopolies where two or three more
or less control the market and whereby no one else can get in.
We find Microsoft, for example, buying up some 200
different individual little endeavors, anytime anybody comes in
with a new idea, the oligopoly comes in and says, whoopee, we
will pay you so much or we will extinguish it. So you take the
money, and that ends that.
The Government has a fundamental role in the Internet.
Let's stop waiting on the partnerships and let's face our
responsibility to secure our own infrastructure. We need to
protect our own departments, communications, power,
transportation, and otherwise. Can we do it? Is it possible?
Who can answer that? Can we really make it secure, do you
think?
Mr. Vatis. I will just briefly address that. I think we
absolutely can. I think the technology exists, and is being
developed, to secure our systems. I think there has been a rush
to market with new features for competitive reasons, and
security has lagged behind as a concern of the manufacturers.
Senator Hollings. What you are telling me, and you can
interrupt me, is if I can make it secure, then I can certainly
guarantee the privacy, because I can make certain that that
security is not invaded, is that right, and logical?
Mr. Vatis. I think the means exist to protect privacy, to
protect the operability of systems, and I think we are seeing
some significant strides in that direction.
I think I agree with you that the Federal Government does
have primary responsibility, certainly for securing its own
systems, and certainly for carrying out law enforcement
responsibilities. which is a fundamental task of Government,
and for issuing warnings about attacks.
But the one place I think that the private sector does have
the primary responsibility is for ensuring its own security. If
a business goes into e-commerce and puts out a Web site through
which it transacts business with customers, it cannot be our
responsibility in the Government to tell them how to secure
that system, or to regulate how they do that. That is what I
mean by security being primarily the private sector's
responsibility.
Senator Hollings. At DARPA, we gave all our research
technology over to Boeing and Lockheed, and they are going like
gangbusters. There is a similar situation at the National
Institute of Standards and Technology. We farm out all of that
technology. We are not trying to hold it, but we are trying to
find it.
It is very interesting, Mr. Chairman, because your bill got
this gentleman, Mr. Reinsch--it is interesting that he is from
the Export Administration. He is not from any security--he is
not from any technology. He is from exports, and here he
appears from the Export Administration. Now, correct me, and
tell me about your technology.
Mr. Reinsch. What my bureau does, Senator Hollings, is
control the export of critical technology products for national
security reasons.
Senator Hollings. That is how you got in it, and that is
the only reason that we woke up here, at the congressional
level, because of the export of the technology. It was not
because of the import, the use, the development, the securing,
or the infrastructure of the U.S. Government.
Mr. Reinsch. Well, if I could comment on several of your
points, that part I think has proven to be an area of much
broader agreement, and typically in a debate environment, there
is less attention paid to it. If you will look at the plan, you
will find most of it and most of the Government's resources
right now, in fact, are devoted to precisely what you are
talking about, which is the protection of Federal Government
critical systems and assets.
Senator Hollings. Is there any need otherwise in what you
have outlined? I like the President's plan, but you know from
experience you have got all the resources. You are heading it
up. Do you need any help, and do we need to pass any law or
fund any policy that you can think of?
Mr. Reinsch. Let me say tactfully, Senator Hollings, that
the Appropriations Committees have been very generous to law
enforcement and national security, and less generous to the
Commerce Department and civilian agencies that have some of
these same responsibilities.
Senator Hollings. How much more do you need at the Commerce
Department?
Mr. Reinsch. Well, we support the President's request, for
2001.
Senator Hollings. How about your request? What else would
you like to have?
Mr. Reinsch. For my particular bureau? You do not want me
to start on that.
[Laughter.]
Senator Hollings. In all fairness, tell us what you need to
do the job.
Mr. Reinsch. For this function, we have requested and could
use actually sooner than next year an additional $3\1/2\
million, which is peanuts compared to the whole thing.
Senator Hollings. I worry about it, because you three have
got a grasp on exactly what my concern is, that the Government
gets in here and gets on top of infrastructure security that
these functions are properly funded and properly coordinated.
From your presentations here this morning, the coordination
seems to be there, but it is a mammoth task. If industry could
do it, they would have already done it and sold it, you know
what I mean?
Thank you very much, Mr. Chairman.
Mr. Reinsch. There are areas, Mr. Chairman, if I could
comment, where we think industry is not going to do it,
frankly, because there is not any money in it.
Senator Hollings. Thank you. We have had a hearing.
[Laughter.]
Mr. Reinsch. That is the genesis in part of the NIST
request for its institute.
Senator Hollings.
Senator Burns. Is the hearing over?
[Laughter.]
Senator Hollings. No. We finally got what we wanted.
Senator Burns. Senator Wyden.
STATEMENT OF HON. RON WYDEN,
U.S. SENATOR FROM OREGON
Senator Wyden. Thank you, Mr. Chairman. A couple of
questions for you if I could, Mr. Holder. My judgment is that
the challenge here is more one of enforcement of existing law,
rather than trying to develop a whole lot of new laws to deal
with that threat. Would you agree with that?
Mr. Holder. I think there are some changes we might want to
consider with regard to existing law. There are problems, for
instance, with the current jurisdictional limit, where Federal
jurisdiction, criminal jurisdiction begins there is a $5,000
limit we have to meet. We think that is an artificially high
limit.
The question of how we are able to use our technology to
detect who is actually perpetrating these crimes, we have to,
for instance, go from court to court to court as we are trying
to trace back who engages in these kinds of attacks, and every
time we go to a different State or a different jurisdiction we
have to come up with a new court order, and the thought about
maybe having a national court order that would allow us to get
access to that information, I mean, there are a number of
things that we are thinking about.
In terms of legislation we might propose, any legislation
we propose would have to be balanced between the investigative
needs that we have and the privacy interests that are really
paramount in this area.
Senator Wyden. I can tell you, I think the American people
are going to be real concerned about the discussion about
national court orders, legislation in that area. As you know,
there is enormous concern right now about privacy, and it has
now emerged as one of the two or three most important concerns
to people.
And the reason I asked you the question about whether you
think this is more of an enforcement issue rather than a
question of needing new laws is that the whole history of these
kinds of debates is that we have these threats, and
particularly now, where we are clearly dealing with people who
are not technologically simpletons--these are very, very
sophisticated people--is that we have these attacks, and the
call goes out for a variety of new laws, and very often I think
there is the potential to have the cure worse than the ailment.
I guess I would ask next, what would you say to those who
are troubled by the prospects that there could be further
encroachments on privacy as a result of some of these ideas
that you are advancing, and I was not familiar in detail with
this national court order, and I follow this area pretty
closely. What would you say to those who are concerned about
the prospect that this could further erode privacy rights, and
what assurance would you want to provide to them this morning?
Mr. Holder. Well, I would say first off the requests that
we are considering are really ones that are, I think, very
modest in scope. The notion, for instance, about the court
order that would have Nation-wide effect, as we try to track
these things down--somebody in New Jersey does something that
attacks a network, a computer Web site in Oregon and runs it
through Wisconsin and Texas.
As we go to try to trace this thing back, and time is
important in trying to find out who is the perpetrator of this,
we get to Wisconsin, we get to Texas, and each time we want to
go back we have to get yet another court order.
Our proposal, one we are thinking about, is that we would
have the ability to go to a judge and ask for an order that
would allow us, as we get to these different States, not to
have to go to get another judge to get essentially what the
first judge has already given us.
I do not think that really encroaches on privacy, and I
think that to assure people, I think everyone should understand
that the proposals we are making are, as I said, very modest in
scope, and are made by people who are very sensitive to the
concerns that people have raised about privacy. The reality is,
the Internet really can only be successful if those privacy
interests are considered and, in fact, if they are protected.
Senator Wyden. But understand as well that you are asking
for powers that the Federal Government would have that largely
expand the privacy threats to people already who are concerned
about it in the private sector. Now, your obligation is
obviously different than the obligations in the private sector,
and I recognize that, but at the same time I think you are
going to have to be very vigilant in terms of addressing these
privacy issues.
And let me suggest a model that I talked about when we had
the encryption debate, and one of the things that concerns me
is that I do not want to see this discussion go the same route
as that debate, where essentially we were gridlocked for years
in terms of how to address both national security and the
desire for companies to be able to export these products.
If the focus is primarily on enforcement, rather than the
passage of new laws, I think having ongoing discussion with
people in the private sector so that they can try to tell you
how to get out in front of the innovation curve, so to speak,
where the criminals are always more inventive and always more
innovative, is the best way to deal with this, rather than to
go out and try to advance new laws, which any way I look at it
seem to give the Federal Government more power in areas that
will raise privacy questions.
Mr. Holder. Well, I agree with you, we have to have that
interaction with private industry and, as I have indicated, I
think in terms of protecting the Internet, at least with regard
to the initial parts of it, I think the responsibility should
lie with private industry, but in terms of legislation, we have
also thought about the proposal that what we would like to do
is have electronic communications subject to the same
consideration, the same kinds of privacy safeguards as oral and
wire communications, so we would actually enhance the privacy
considerations.
Senator Wyden. I think those kinds of things will be well-
received. Senator Burns and I have a privacy bill, and if that
is the kind of thing you are interested in, I think we would be
very open to looking at something like that.
Even in the context of the privacy discussion it may not be
solely within the province of our committee, but we are very
hopeful. We have spent well over a year trying to develop a
bipartisan privacy bill. We are very hopeful that we are going
to be able to see progress on this and get it out on the floor
of the Senate, given the public concern, and that is the kind
of idea that I think makes a lot of sense, because in effect
you do advance privacy rights.
You are addressing what is a concern of law enforcement,
but I can tell you that if you stand up at a town hall meeting
in my home State and start talking about national court orders
and some of the other things that I have seen discussed, I
think we may well end up with the same sort of gridlock we had
on the encryption issue, and I do not want to see us go that
route. There is too much goodwill, I think, in both the law
enforcement community and in the private sector for us to just
go back to that sort of encryption model, where everybody is
gridlocked for years and years.
I felt for a long time that we were pursuing in the
encryption area an approach that instead of a win-win was a
lose-lose. It was not getting you what you needed in terms of
law enforcement, and we were losing out in terms of
international markets because we had this outdated standard in
terms of the bit measure and the like for exports.
So let's pursue a different model. You give us ideas about
the oral and written communication that make it easier for you
to do your job and for us to be able to say in Montana and
Oregon we are advancing people's privacy, and I think we are on
our way to a winner, but some of these other suggestions I
would urge you to be pretty cautious about.
Mr. Holder. I really think there is an ability, if we
really talk with one another--there are I think sometimes
instinctive reactions, negative reactions to the notion that we
want to have additional legislation, and yet when we have
interacted with industry and specifically told them these are
the kinds of things we are thinking about, the reaction we have
had has actually been pretty favorable, and people seem
somewhat surprised when we say we also want to do things on the
privacy side and have requirements that apply to wire and oral
communications also apply to electronic communications.
I think that shows the necessary sensitivity that I think
we have in the Government as we formulate these proposals.
Senator Wyden. Clearly, a prospect that we can start
bringing to the online world some of these approaches that we
have used offline is a very, very promising orientation, and I
like that.
What I think is going to raise the decibel level and
generate much more controversy are some of these issues
relating to court orders, the evidentiary standards that have
been talked about concering how to gather some of this
information, and the techniques for gathering it.
That is what I want us to be cautious about, because in
that area I think we might harm privacy rights and, set back
the legitimate businesses that you are understandably concerned
about, as I am. The unintended consequences prospect is very
much alive when you talk about things involving evidence,
techniques for gathering information, the court orders and the
like. I appreciate your sensitivity and look forward to talking
with you.
Thank you, Mr. Chairman.
Senator Burns. Thank you.
You know, going along this same line, this may be the wrong
question to the wrong panel, but instead of asking for new laws
and new ways of pursuit of people who would hack, I go back
to--we were raised--I bet every one of us sitting in here
today, we were raised in a culture that even though we had open
mail boxes out on the farm, you just did not touch another
man's mail box because there was a Government warning there
that you are violating the mails.
Do we have any way of posting warnings--FBI warnings on
dubbing old VCR's, you know. Do we have any way of putting up
there, it is a violation, a Federal violation to wander even
into cyberspace in areas where you are unauthorized? I do not
know, I am just thinking about it as he was talking about it.
You know, the direction we are going, how do we know these
people think that they are in violation of doing something and
there are severe penalties for doing so?
Mr. Holder. I suppose there are technical ways to do that.
I would really defer to industry as to how effective they think
those kinds of things might be and whether, frankly, there
might be some chilling effect in having those kinds of
warnings, but again, it is not something I have really thought
about.
Mr. Vatis. We do have banners on Federal computers that
warn people who are coming into a system that if they are
intruding without authorization, that constitutes a Federal
crime, and that their activities that are subject to being
monitored and investigated.
There are not, as far as I know, similar banners on all
private sector systems, but it would certainly be technically
feasible and fully legal for someone to put such a banner on a
private sector system and say, ``If you intrude into my system
I will report the incident to law enforcement and I will seek
to have you prosecuted if you violate Federal law.''
Senator Burns. Well, I am just saying, you know, even
though we walked by our neighbor's mail boxes every day, you
just did not fiddle around with another man's mail, and there
was a post--every mail box we ever bought there was a
Government message there, even though it was never locked or
anything like that, and we were raised in that culture. You
were taught that when you were a little child in your
neighborhoods.
Mr. Holder. I think that is an important point, and a very
good one, in that we need to do something with our young people
in particular, but I think people more generally--people tend
not to take the kinds of lessons that we learn with other
things and apply them to the Internet.
There are privacy concerns that people have. There are
certain things that you would not do in the material, the real
world that people seem to do when it gets to the cyber world,
or to the Internet, and we need to train people to make them
more sensitive, make them aware that the kinds of don'ts,
things you would not do in the real world you should also not
do when it comes to the cyber world, so it is a question, I
think, of educating people and training them.
Senator Burns. I was just thinking, in the conversation,
the culture you were raised in, and that if you did monkey with
somebody else's mailbox, they would usually beat you home and
they called your mom and dad up and you got quite a beating
when you got home.
But I just wonder if there is some way, even when signing
on, if the operating bed or the operating system that you have
got, there is not a warning that you have a certain
responsibility, you are licensed to use this, but you have a
certain responsibility that goes along with it. And I am
wondering if something like that can be done and would scare
off maybe some of the folks who would tend to wander into areas
where they are not supposed to be.
We want to thank you for your testimony this morning. The
industry comes up next. I want to beg of you to let us know,
Members of Congress. It does not hurt, even in the security
area, where we cannot discuss things maybe in an open forum,
but we can in a private forum, either in your office or, it
does not make any difference. But keep us abreast, if you
would, of what is going on out here.
I am going to ask a question. How serious is this business?
Extortion is a terrible, terrible thing that happens in any
society. Is it a big problem in the Internet world?
Mr. Vatis. There have been numerous instances of extortion
plots carried out via e-mail, and threats delivered by e-mail.
There have also been specifically computer-related extortion
efforts, where criminals have said, ``Unless you pay me a
certain amount of money, I am going to shut down your system or
I am going to do something else to harm you.''
Before these denial of service attacks took place, the last
highly publicized example of a cybercrime was exactly that sort
of extortion attempt, where somebody broke into a company
called CD Universe (which sells CD's online), stole numerous
credit card numbers from that company, and then threatened the
company by saying that, unless CD Universe paid a certain
amount of money, the hacker would post those credit card
numbers on a Web site--which he subsequently did. That is
another case that we have under investigation, but it is only
one example of a rising trend in that sort of extortion scheme.
Senator Burns. Well, that does not scare me much, because
my wife keeps our credit cards right up to the limit, so they
are not going to be OKed anyway. [Laughter.]
No, not really. She is coming back to town. We have got to
clear that from the record. [Laughter.]
But I just wondered how bad that situation was, because I
know that is a terrible, terrible, terrible crime. And thank
you again this morning for your time and your testimony. We
appreciate that very much. And if other Senators do have
questions, I will direct them to you. And if you could respond
to them and the committee, it would certainly help. And your
full statements will be made part of the record. And we thank
you for coming this morning.
We move now to the second panel, made up of Mr. Michael
Fuhrman, who is Manager, Security Consulting, Cisco Systems,
out of San Jose, California; Paul Misener, who is Vice
President of Amazon, out of Seattle; and Raj Reddy, from
Herbert A. Simon Professor of Computer Science and Robotics,
Carnegie Mellon University, out of Pittsburgh, Pennsylvania.
Gentlemen, we appreciate you coming this morning and
sharing your information with us. Again, you can summarize your
statements, and rest assured that your full statements will be
made a part of the record. Again, I thank you for coming this
morning.
Mr. Misener, we will start off with you this morning.
STATEMENT OF PAUL MISENER, VICE PRESIDENT,
GLOBAL PUBLIC POLICY, AMAZON.COM
Mr. Misener. Good morning, Chairman Burns. It is very good
to see you again, in particular. I thank you very much for
inviting me.
My name is Paul Misener, and I am Amazon.com's Vice
President for Global Public Policy. Amazon.com opened its
virtual doors in July 1995, with a mission to use the Internet
to transform book buying into the fastest, easiest, and most
enjoyable shopping experience possible. Today, Amazon.com also
offers consumer electronics, toys, CD's, videos, DVD's, home
improvement tools, and much more. Seventeen million people in
more than 160 countries have made us the leading online
shopping site. And we also have a thriving auctionsite, Mr.
Chairman.
Amazon.com greatly appreciates the opportunity to testify
before your Subcommittee.
Senator Burns. You are starving us old auctioneers to
death.
[Laughter.]
Mr. Misener. Please join us there.
Amazon.com greatly appreciates this opportunity to testify
before your Subcommittee on the recent distributed denial of
service attacks. We look forward to working with Congress to
address these incidents and other important Internet policy
issues.
Because the Internet and electronic commerce is the driving
factor in the current booming economy, our Nation's economic
well-being depends in part on stopping illegal activity that
impedes e-commerce. We particularly support the Federal
Government's involvement in fighting criminal behavior on the
Internet. And we recognize and appreciate, however, your
Subcommittee's important role in overseeing communications
commerce.
Mr. Chairman, although the distributed denial of service
incidents that occurred last month have been described many
times in the press and elsewhere, a short description of what
specifically happened to Amazon.com bears repeating. In
essence, for about an hour on February 8, 2000, a large amount
of so-called junk traffic was directed to our Internet site.
This junk traffic degraded the technical quality of service at
the site. To be clear, this was not a break-in at our online
premises, but rather a deliberate and illegitimate crowding of
virtual driveways and sidewalks around our online store. This
crowding somewhat hinders our customers' ability to visit and
shop.
At all times during this crowding, however, our customers'
information was safe and secure, and many customers were able
to enter our store and shop. Nonetheless, for about an hour,
our customers experienced congestion-related delays when
visiting the site. For Amazon.com customers', who have come to
expect the world's best online shopping experience, even such a
relatively minor inconvenience was frustrating.
This is a key point for these hearings, Mr. Chairman.
Consumers are the ones inconvenienced by distributed denial of
service attacks. Indeed, millions of consumers have come to
rely on the Internet to communicate, shop, invest, obtain news,
and learn online. The denial of service attacks last month
interrupted these important consumer activities and, thus, it
is on behalf of consumers that all of us must work to prevent
these attacks in the future.
So what can the Federal Government do about denial of
service attacks? Amazon.com believes the Government's key role
should be to prosecute the perpetrators of these and other
online criminal activities. Currently laws have been used
successfully in recent cases. In addition, some have suggested
extending existing laws or enacting new laws, and others have
suggested establishing stiffer penalties under existing
statutes.
On behalf of our current and future customers, Amazon.com
would be happy to work with Congress on any new legislation to
address Internet crime issues.
Successful prosecutions, of course, also rely on adequate
resources with which to conduct investigations. Amazon.com
believes that additional resources should be applied in at
least four areas: law enforcement training, personnel
retention, public education, and agency coordination.
Let me say a few things about each area. First, continuous
training of law enforcement personnel in the latest digital
forensic techniques, as well as current Internet technologies,
should be at the top of any list for additional funding. In
particular, additional training in electronic evidence handling
is necessary, for preservation of digital evidence is as
important for cybercrime prosecutions as preservation of
fingerprints is for physical crimes.
Second, given the strong demand for information technology
experts, both within and outside of Government, law enforcement
agencies need additional resources to retain senior IT
professionals and attract new ones.
Third, Federal law enforcement agencies should have
sufficient resources to help educate private industry and
consumers on preventing Internet-related crime.
Finally, better coordination and communication among
Federal, State, local, and international law enforcement
agencies is needed. The recent incidents were not
geographically localized, and there is no reason to expect
future Internet crime to be.
In all of these areas, increased Government interaction
with private industry would help. Amazon.com already is engaged
in this sort of informal partnership. In addition to existing
ongoing investigations, our technologists are working with
various law enforcement personnel on the latest developments in
Internet technology and techniques. We believe it would be
premature, however, to formalize this partnership.
Absent from our suggested Federal response is a role for
the Federal Communications Commission. The reason is
straightforward: The distributed denial of service attacks
involved coordinated and criminal transmission of content over
the Internet. It is hard to see how the FCC has statutory
authority over such matters. And even if it had or were given
such authority, the agency currently lacks the resources and
expertise to do what is necessary at this point; namely, to
fight the criminal activity.
Simply put, useful FCC involvement would require statutory
changes, additional resources and additional expertise to
succeed. This is work better left to law enforcement agencies.
In conclusion, Mr. Chairman, we applaud your effort to
address these denial of service attacks and to formulate an
appropriate Federal response. As indicated, we believe the
situation currently is best handled using law enforcement
mechanisms. But we would appreciate your Subcommittee's
continued interest in the matter.
On behalf of our current and future customers, Amazon.com
stands ready to help. Thank you very much for the opportunity
to testify before your Subcommittee. I would be pleased to
answer your questions and I look forward to working with you.
[The prepared statement of Mr. Misener follows:]
Prepared Statement of Paul Misener, Vice President,
Global Public Policy, Amazon.com
My name is Paul Misener, and I am Amazon.com's Vice President for
Global Public Policy. Amazon.com opened its virtual doors in July 1995
with a mission to use the Internet to transform book buying into the
fastest, easiest, and most enjoyable shopping experience possible.
Today, Amazon.com also offers consumer electronics, toys, CDs, videos,
DVDs, home improvement tools, and much more. Seventeen million people
in more than 160 countries have made us the leading online shopping
site.
Amazon.com greatly appreciates the opportunity to testify before
your Subcommittee on the recent distributed denial of service attacks.
We look forward to working with Congress to address these incidents and
other important Internet policy issues. Because electronic commerce is
the driving factor in the current booming economy, our nation's
economic well-being depends in part on stopping illegal activity that
impedes e-commerce.
We particularly support the Federal Government's involvement in
fighting criminal behavior on the Internet. We recognize and
appreciate, however, your Subcommittee's important role in overseeing
communications commerce.
Mr. Chairman, although the distributed denial of service incidents
that occurred last month have been described many times in the press
and elsewhere, a short description of what specifically happened to
Amazon.com bears repeating.
In essence, for about an hour on February 8, 2000, a large amount
of so-called ``junk traffic'' was directed to our Internet site. This
junk traffic degraded the technical quality of service at the site.
To be clear: this was not a break-in at our online premises but,
rather, a deliberate and illegitimate crowding of the virtual
``driveways and sidewalks'' around our online store. This crowding
somewhat hindered our customers' ability to visit and shop.
At all times during this crowding, however, our customers'
information was safe and secure, and many customers were able to enter
and shop at our store. Nonetheless, for about an hour, our customers
experienced congestion-related delays when visiting the site. For
Amazon.com's customers, who have come to expect the world's best online
shopping experience, even such a relatively minor inconvenience was
frustrating.
This is a key point for these hearings: consumers are the ones
inconvenienced by distributed denial of service attacks. Indeed,
millions of consumers have come to rely on the Internet to communicate,
shop, invest, obtain news, and learn online. The denial of service
attacks last month interrupted these important consumer activities and,
thus, it is on behalf of consumers that all of us must work to prevent
these attacks in the future.
So what can the Federal Government do about denial of service
attacks? Amazon.com believes the Government's key role should be to
prosecute the perpetrators of these and other online criminal
activities. Current laws have been used successfully in recent cases.
In addition, some have suggested extending existing law or enacting new
laws, and others have suggested establishing stiffer penalties under
existing statutes.
On behalf of our current and future customers, Amazon.com would be
happy to work with Congress on any new legislation to address Internet
crime issues.
Successful prosecutions, of course, also rely on adequate resources
with which to conduct investigations. Amazon.com believes that
additional resources should be applied in at least four areas: law
enforcement training, personnel retention, public education, and agency
coordination. Let me say a few things about each area.
First, continuous training of law enforcement personnel in the
latest digital forensic techniques, as well as current Internet
technologies, should be at the top of any list for additional funding.
In particular, additional training in electronic evidence handling is
necessary, for preservation of digital evidence is as important for
cybercrime prosecutions as preservation of fingerprints is for physical
crimes.
Second, given the strong demand for information technology experts,
both within and outside of Government, law enforcement agencies need
additional resources to retain senior IT professionals and attract new
ones.
Third, Federal law enforcement agencies should have sufficient
resources to help educate private industry and consumers on preventing
Internet-related crime.
Finally, better coordination and communication among Federal,
state, local, and international law enforcement agencies is needed. The
recent incidents were not geographically localized, and there is no
reason to expect future Internet crime to be.
In all of these areas, increased Government interaction with
private industry would help. Amazon.com already is engaged in this sort
of informal partnership: in addition to assisting the ongoing
investigations, our technologists are working with various law
enforcement personnel on the latest developments in Internet technology
and techniques. We believe it would be premature, however, to formalize
this partnership.
Absent from our suggested Federal response is a role for the
Federal Communications Commission. The reason is straightforward: the
distributed denials of service attacks involve coordinated and criminal
transmission of content over the Internet. It is hard to see how the
FCC has statutory authority over such matters. Yet even if it had, or
were given, such authority, the agency currently lacks the resources
and expertise to do what is necessary at this point, namely, to fight
the criminal activity. Simply put, useful FCC involvement would require
statutory changes, additional resources, and additional expertise to
succeed. This is work better left to law enforcement agencies.
In conclusion, Mr. Chairman, we applaud your effort to address
these denials of service attacks and to formulate an appropriate
Federal response. As indicated, we believe the situation currently is
best handled using law enforcement mechanisms, but we would appreciate
your Subcommittee's continued interest in the matter. On behalf of our
current and future customers, Amazon.com stands ready to help.
Thank you very much for the opportunity to testify before your
Subcommittees. I would be pleased to answer your questions and I look
forward to working with you.
Senator Burns. Thank you very much, Mr. Misener.
Now we have Michael Fuhrman, who is Manager, Security
Consulting, Cisco Systems. Welcome before the Subcommittee. We
look forward to your testimony.
STATEMENT OF MICHAEL FUHRMAN, MANAGER,
SECURITY CONSULTING, CISCO SYSTEMS
Mr. Fuhrman. Thank you, Chairman Burns.
I am Michael Fuhrman of Cisco Systems. As you know,
Chairman, we are the largest manufacturer of equipment that
connects people and businesses to the Internet. We are based in
San Jose, California, and we have large operations in
Massachusetts, North Carolina and Texas.
Senator Burns. Did you ever consider Montana?
[Laughter.]
Mr. Fuhrman. We do have sales offices in Montana, yes.
In particular, I manage our company's Security Consulting
Services Group, which helps to ensure the security of some of
the best known sites on the Internet. My team of engineers and
specialists evaluate the protective measures being employed by
our customers. We help them respond to anyone or anything that
threatens the integrity of their systems. And as last month's
hacker attacks on some of the world's busiest Web sites
graphically demonstrated, this is a task that requires constant
vigilance.
Cisco security specialists were among those who responded
to the denial of service attacks that temporarily blocked
access to several sites, beginning on February 7th. I am happy
to tell you that we were able to help some of our customers
quickly identify the technology being used in the attacks,
employ effective countermeasures, and beat back repeat efforts
by hackers to obstruct access.
Now, in a nutshell, the hackers initially were able to
briefly shut customers out of some targeted Web sites, as Mr.
Misener said, by bombarding these sites with more information
than they could process at the time. In a way, we liken it to
the Internet equivalent of trying to go shopping the day after
Thanksgiving. The crowds are overwhelming and the parking lots
are full. The difference in this case is, however, that people
were not prepared for this activity.
Now, after these assaults, there was some heated
speculation about whether the public can depend on the Internet
as a reliable means of doing business and sharing information.
Now, the lesson to be learned from the attacks is not that the
hackers have some sort of technological edge. On the contrary,
the technology that is employed in these attacks is well-known
to those of us in the systems security field. Proper defenses
for a majority of these, the technology does exist.
The lesson is that events like this can be anticipated and
managed with the proper diligence and planning. The technology
community showed that it can respond swiftly and effectively,
taking steps to quickly mitigate the attacks and to make it
harder for future attacks in the future.
Now, it is important to note, in all of these assaults,
targeted Web sites were interrupted only for relatively brief
periods. It is also important to note, again, as Mr. Misener
stated, these attacks blocked access to some systems, but did
not penetrate into the internal systems of these companies.
The technology community has already joined with the
Federal Government to respond more effectively should attacks
like these be repeated in the future. The community and the
Government are forming an organization that will disseminate
critical information quickly and widely if the Internet is
threatened.
We at Cisco keenly understand the importance of this task.
We will conduct $12 billion of business over our Web site this
year. Our employees perform 95 percent of their tasks on our
Web site. My consulting group in particular recently conducted
a 6-month survey of 33 businesses connected to the Internet,
where we measured their state of security. We found that, on
average, one out of every three of the companies' devices
connected to the Internet were vulnerable to some form of
attack or another.
We also found, however, that 90 percent of the
vulnerabilities could be solved with technology that was
readily available today, if the technology is properly employed
and consistently updated. Now, this, of course, is easy to say
and extraordinarily difficult to do.
We have to remember that a decade ago the Internet was
little more than a clunky mechanism that a few educational
research institutions used to trade messages we now all know as
E-mail. The blazing speed at which the Internet has developed
and the equally rapid pace at which threats to the Internet's
security have evolved make it hard even for those who build and
maintain Web sites to keep pace.
But businesses and others who operate Web sites are
learning that security must become an ever more important
concern. The number of companies who come to Cisco, for
instance, in assistance in securing their networks has grown by
over 50 percent over the last 12 months alone--a very
encouraging statistic. And we have all learned that one thing
the technology can do collectively is to increase the sharing
of information about up-to-the-minute developments in security.
We believe that this public/private partnership is the most
effective response to the recent attacks. In the private
sector, incentives must be put into place to encourage all Web
sites to deploy security technologies, to protect themselves
and their customers from hacker attacks. In the public sector,
we are grateful that the Federal Bureau of Investigation has
devoted significant resources to investigating these attacks.
And we hope that the perpetrators will be prosecuted to the
fullest extent of the law.
We encourage the Federal Government to serve as a role
model for private industry, by equipping its own computer
systems with the best security measures possible. This, too, of
course, will not be easy. Both the Government and private
enterprise are having difficulty attracting and retaining
enough skilled professionals in the field of systems security.
I am happy to tell you that the private sector has joined with
the Office of Personnel Management to help the Government in
the area by developing training and mentoring programs. Again,
we regard this as an excellent example of public/private
partnership.
At this time, however, we do not ask Congress for new laws
in the area of Internet security. Cooperation, not regulation,
not legislation, will ensure that the Internet remains secure
and, at the same time, open to the broadest public access. The
Internet is and always should remain an open medium. No one can
insulate the Internet and everything connected to it from all
threats, or guarantee that no attack on any particular Internet
site will succeed.
Even our oldest, most established public infrastructures
pause on occasion. Power and telephone lines come down, water
mains break, highways become clogged. And like them, the
Internet will occasionally have localized difficulties. These
are but potholes on the information superhighway, which we will
fill in as fast as they appear, learning how to prevent similar
potholes in the future.
The recent attacks actually demonstrated that the
technology community can quickly identify threats to the
Internet, quickly act to eliminate them, and quickly take
measures that will reduce the impact of similar threats in the
future. This spirit of innovation and rapid development propels
the Internet's exponential growth and ensures that the Internet
will remain secure as it continues to grow.
Thank you. I look forward to your questions.
[The prepared statement of Mr. Fuhrman follows:]
Prepared Statement of Michael Fuhrman, Manager,
Security Consulting, Cisco Systems
Chairman Burns and distinguished senators, I am Mike Fuhrman of
Cisco Systems. As you may know, Cisco is the world's largest
manufacturer of equipment that connects people and businesses to the
Internet. We are based in San Jose, California and have substantial
operations in Massachusetts, North Carolina and Texas.
I manage our company's Secure Consulting Services Group, which
helps ensure the security of some of the best-known sites on the
Internet. My team of engineers and specialists evaluates the protective
measures being employed by our customers and helps them respond to
anyone or anything that threatens the integrity of their systems. As
last month's hacker attacks on some of the world's busiest web sites
graphically demonstrated, this is a task that requires constant
vigilance.
Cisco's security specialists were among those who responded to the
so-called ``denial of service attacks'' that temporarily blocked access
to several web sites beginning Feb. 7. I'm happy to tell you that we
were able to help some of our customers quickly identify the technology
being used in these attacks, employ effective countermeasures and beat
back repeat efforts by hackers to obstruct access.
In a nutshell, hackers initially were able to briefly shut
customers out of some targeted web sites by bombarding those sites with
more information, some of it more false or misleading, than they were
able to process. In a way, it was the Internet equivalent of trying to
shop on the day after Thanksgiving, when the crowds are overwhelming.
But in this case, the problem was nobody knew the rush was coming and
therefore we weren't quite prepared to handle it.
After these assaults, there was some overheated speculation about
whether the public can depend on the Internet as a reliable means of
doing business and sharing information. The lesson to be learned from
these attacks is not that hackers have some kind of technological edge
that enabled them to do what they did. On the contrary, the technology
employed in these attacks is well known to those of us in the systems
security field and proper defenses against that technology are widely
available.
The lesson is that events like these can be anticipated and managed
with diligence and proper planning. The technology community showed
that it can respond swiftly and effectively, taking steps to quickly
mitigate the attacks and to make it harder for similar assaults to
succeed in the future.
It's important to note that, in all of these assaults, service to
targeted web sites was interrupted only for relatively brief periods.
It's also important to note that while these attacks blocked access to
some targeted computer systems, they do not appear to have penetrated
the outer defenses of these systems. We know of no case in which
hackers obtained access to confidential customer information, such as
credit card numbers, or did lasting damage to any of the targeted
sites.
And it's important to note that the technology community has
already joined with the Federal Government to respond more effectively
should attacks like these be repeated in the future. The community and
the Government are forming an organization that will disseminate
critical information quickly and widely if the Internet is threatened.
We at Cisco Systems keenly understand the importance of this task.
We will conduct $12 billion worth of business over our own web site
this year, and our employees are able to perform about 95 percent of
their work on the site.
Cisco Secure Consulting Services recently conducted a six-month
survey of 33 businesses connected to the Internet and measured their
``state of security.'' We found that, on average, one out of every
three devices connected to the Internet was vulnerable to some form of
attack. But we also found that over 90 percent of the vulnerabilities
could be solved with technology that is readily available, if the
technology is properly employed and constantly updated.
This is easy to say and extraordinarily difficult to do. A decade
ago, the Internet was little more than a clunky mechanism that a few
educational and research institutions used to trade messages we now
know as email. The blazing speed at which the Internet has developed--
and the equally rapid pace at which threats to Internet security have
evolved--make it hard even for those who build and operate web sites to
keep pace.
But businesses and others who operate web sites are learning that
security must become an ever-more-important concern. The number of
companies who have come to Cisco for assistance in securing their
networks has grown by over 50 percent during the last 12 months alone--
a very encouraging statistic. And we have all learned that one thing
the technology community can do collectively to increase is to share
information about up-to-the-minute developments in systems security.
The community has joined with the Federal Government to do just
this. Even before last month's attacks, industry leaders had joined to
form the Partnership for Critical Infrastructure Security. The PCIS is
a voluntary organization that is working to share information about
threats to the Internet and other crucial networks, and determine how
best to respond to those threats. About 120 companies are cooperating
in this effort.
And last month at the White House information technology summit,
Cisco was one of about 40 Internet companies that agreed to develop a
structured mechanism to react to events like the recent hacker attacks.
As with the PCIS, industry is coordinating its activities with the
Federal Government.
We believe that this public-private partnership is the most
effective response to these recent attacks. In the private sector,
incentives must be put into place to encourage all web sites to deploy
security technologies to protect themselves and their customers from
hacker attacks.
In the public sector, we are grateful that the Federal Bureau of
Investigation has devoted significant resources to investigating these
attacks and we hope the perpetrators will be prosecuted to the fullest
extent of the law. We encourage the Federal Government to serve as a
model for private industry by equipping its own computer systems with
the best security measures possible.
This, too, will not be easy. Both the Government and private
enterprise are having difficulty attracting and retaining enough
skilled professionals in the field of systems security. I'm happy to
tell you that the private sector has joined with the Office of
Personnel Management to help the Government in this area by developing
training and mentoring programs. Again, we regard this as an excellent
example of public-private partnership.
At this time, however, we do not ask Congress for new laws in the
area of Internet security. Cooperation, not regulation or legislation,
will insure that the Internet remains secure and at the same time open
to the broadest possible public access.
The Internet is, and should always remain, an open medium. No one
can insulate the Internet and everything connected to it from all
threats or guarantees that no attack on any particular Internet site
will succeed. Even our oldest, most established public infrastructures
pause on occasion--power and telephone lines come down, water mains
break, highways become clogged--and, like them, the Internet will
occasionally have localized difficulties. These are but potholes on the
information superhighway, which we will fill in as fast as they
appear--learning how to prevent similar potholes in the future.
These recent attacks actually demonstrated that the technology
community can quickly identify threats to the Internet, quickly act to
eliminate them and quickly take measures that will reduce the impact of
similar threats in the future. This spirit of innovation and rapid
development propels the Internet's exponential growth and ensures that
the Internet will remain secure as it continues to grow.
Thank you. I look forward to your questions.
Senator Burns. Thank you, Mr. Fuhrman.
Dr. Reddy, welcome to our Subcommittee.
And can I get your statement right after this?
Senator Abraham. Why do we not let him go.
Senator Burns. I think that is wise. Thank you.
Dr. Reddy, thank you very much for coming this morning. We
look forward to your testimony.
STATEMENT OF RAJ REDDY, PH.D., HERBERT A. SIMON
PROFESSOR OF COMPUTER SCIENCE AND ROBOTICS,
CARNEGIE MELLON UNIVERSITY
Dr. Reddy. Thank you, Mr. Chairman. This is a great
opportunity for us to testify before the Subcommittee.
My name is Raj Reddy. I am the Herbert A. Simon Professor
of Computer Science and Robotics at Carnegie Mellon University.
I also serve as the Co-Chair of the President's Information and
Technology Advisory Committee, commonly known as PITAC.
In the PITAC February 1999 report to the President, labeled
``Information Technology: Investing in our Future,'' we
highlighted the need for increased investments in national
security--about 15 months ago--as well as a number of other
research areas.
Today, on behalf of PITAC, I will provide you with insights
into the state of the Internet security in our country and
outline some of the PITAC recommendations that will help our
Nation to build and support a more reliable, available, secure,
and scalable Internet. I will also provide some personal
observations on, besides legal and administrative remedies,
what research and technology remedies might exist to solve this
problem of denial of service.
While advances in information technology have created
unprecedented economic growth and transformed our lives in
thousands of positive ways, weaknesses still remain that enable
malicious hackers to disrupt Internet service and overload
popular Web sites. An analysis of these highly visible
disruptions to the Internet reveals a wide range of causes,
including denial of service from hackers.
The PITAC shares Congress' concern about these recent
hacker attacks. In our February 1999 report, we observed that
the Internet has grown well beyond the intent of its original
designers 25 years ago, and that our ability to extend its use
has created enormous challenges. In our report, we recommended
a research agenda to help ensure the survivability of our
information infrastructure in the face of malicious attacks,
equipment and software failures, and legal overload, where a
large number of people call in a Schwab account site on a busy
stock market day.
We concluded that the support for critical, long-term
fundamental research in IT is diminishing, and that the current
research is too focused on near-term problems related to agency
missions. To help maintain the U.S. leadership in IT,
information technology, and restore a commitment to high-risk,
high-return research, we recommended that the Federal
Government create a strategic initiative in long-term R&D
funding, and increase the funding for R&D over the next 5 years
by $1.4 billion.
Our report recommended a balanced research agenda in
software, scalable information infrastructure, high-end
computing, and work force implications. Specifically, we
recommended research to support scalable information
infrastructure, authentication and security mechanisms,
mechanisms for detecting system intrusion, mechanisms for
detecting mitigating and responding and recovering from human
error in the creation and the use of the infrastructure,
mechanisms for assuring information quality, and a number of
others.
PITAC is encouraged by the strong bipartisan support for
the information technology research and development and by the
$235 million increased appropriation this year for the Federal
IT R&D programs. Based largely on our recommendations, the
administration proposal for the fiscal year 2001 budget
includes a $600 million increase in investments for a balanced
information technology R&D program, which includes funding for
networking and software research to enable more secure,
reliable, dependable networks.
We applaud the Senate's past leadership in supporting this
information technology R&D, and we hope you will support the
full set of research priorities we recommended in our report.
Now I would like to make some personal observations on the
specific problem of Internet security. Remedies to the problems
of denial of service attacks and security loopholes and insider
risks, there are a number of different ways of skinning this
cat. One is legal; the other is administrative; and, finally,
there is also an opportunity to use research and technology to
stop many of these problems. And I would like to share with you
some ideas on that topic.
I propose that we establish a national network test bed
that can be used to develop and demonstrate what I will refer
to as an ultra-dependable, self-healing Internet. The purpose
of this test bed is to try out new approaches without
disrupting the crucial production infrastructure. It is an R&D
vehicle. The proposed test bed will be similar to the ultra
high-speed network test bed, NGI, Next Generation Internet,
that has been funded in the last few years.
It will include attributes such as reliability,
availability, scalability, in addition to security. The
operative issue is not security alone, as interpreted narrowly,
but how to create a dependable Internet that we can all trust,
like we trust the telephone system today. The ultra-dependable
Internet would be used to develop technologies to enable self-
healing networks.
A self-healing network would work similar to the human
immune system. It would continuously monitor the system--in
this case, the network--analyze what is happening in the
system, what packets are going through, and it would detect
abnormal patterns automatically and immediately begin actions
to remedy this problem. It would use software agents, capable
of self-monitoring, self-diagnosing, and self-repair, much as
the human immune system uses distributed antibodies to disable
antigens and restore balance in the human body.
Just as in the human system, where a few people may
occasionally get sick but the society as a whole continues to
function, we may accept an occasional denial of Internet
service in a particular location, as long as most of the users
are able to access most of the Web sites most of the time
without any degradation of service. The proposed self-healing
network will increase the packet handling overhead and perhaps
make the system slower. We believe, with the exponential growth
in technology, this will not be a serious problem in the
future.
In addition to the research needed to develop the faster
networks, we will also need research in data warehousing of
meta-data contained in the packet headers, data mining of the
statistical parameters that would classify normal and abnormal
traffic, and repair strategies for generating signals that
would make abnormal requests detectable.
In conclusion, I believe the creation of a dependable
Internet infrastructure, as dependable as the telephone
service, is essential to the future of the economic growth and
security of this Nation. To accomplish this, we need bold new
research initiatives and uniform application of ideas across
the international Internet infrastructure. Support for the
increased Federal investments in IT R&D is a positive first
step. But continued dialog among Federal researchers, industry
and academia is essential to create bold new ideas like a self-
healing, dependable information infrastructure.
In summary, Mr. Chairman, it is estimated that the market
capitalization of the Internet-based industries created since
1990 exceeds $1 trillion, resulting in capital gains taxed paid
to the Nation of over $200 billion. Investing a small fraction
of this national income in research toward creating an ultra-
dependable, self-healing Internet will help ensure the
continuation of this engine of growth.
Thank you.
[The prepared statement of Dr. Reddy follows:]
Prepared Statement of Raj Reddy, Ph.D., Herbert A. Simon Professor of
Computer Science and Robotics, Carnegie Mellon University
Introduction
Mr. Chairman and Members of the Subcommittee, thank you for this
opportunity to testify about important research and development efforts
aimed at increasing Internet security and protecting our Nation's
Information Infrastructure.
My name is Raj Reddy, and I am the Herbert A. Simon University
Professor of Computer Science and Robotics at Carnegie Mellon
University. I also serve as Co-Chair of the President's Information
Technology Advisory Committee, commonly known as PITAC. In the PITAC's
February 1999 report to the President, ``Information Technology
Research: Investing in Our Future,'' we highlighted the need for
increased investment in network security, as well as other important
research areas. Today, on behalf of PITAC, I will provide you with
insight into the state of Internet security in our country and outline
some of the PITAC recommendations that will help our Nation build and
support a more reliable, available, secure, and scalable Internet. I
will also present my personal views on an R&D strategy for developing
and demonstrating highly dependable networks.
Background
While advances in information technology have created unprecedented
economic growth and transformed our lives in thousands of positive
ways, weaknesses still exist that enable malicious hackers to disrupt
Internet service and overload popular Web sites. An analysis of the
highly visible disruptions to Internet access reveals a wide range of
causes, including denial of service attacks from malicious hackers
using insecure hosts infected with ``zombie'' diseases (Yahoo!),
software bugs (Ameritrade), insecure configurations (Schwab), change
management (E-trade), and security loopholes (Hotmail, Melissa).
PITAC shares Congress' concern about these recent hacker attacks.
In our report to the President, we observed that ``the Internet is
growing well beyond the intent of its original designers and our
ability to extend its use has created enormous challenges. As the size,
capability, and complexity of the Internet grows, it is imperative that
we do the necessary research to learn how to build and use large,
complex, highly-reliable, and secure systems . . . It is therefore
important that the Federal Government undertake research on topics
ranging from network reliability and bandwidth, to robust, reliable,
secure ways to deliver and to protect critical information.'' In our
report, we recommended a research agenda to help ensure the
survivability of our information infrastructure in the face of
malicious attacks or viruses, equipment or software failures, and
overload. Before I discuss the specifics of the R&D agenda for Internet
security, I would first like to briefly summarize the findings and
recommendations of our report.
The PITAC Report Findings and Recommendations
The PITAC was established pursuant to the High Performance
Computing Act of 1991 and was tasked to look at a number of issues in
high performance computing and communications. After a detailed review
of the Federal IT R&D programs, we concluded that U.S. leadership in IT
provides an essential foundation for promoting economic growth,
education and research, environmental stewardship, public health, and
national security. We also concluded that there has been an erosion of
support for long-term fundamental research in IT and that current
research is too focused on near-term problems linked to agency
missions. Our Committee recommended that the Federal Government create
a strategic initiative for long-term R&D and increase funding for IT
R&D by $1.4 billion by fiscal year 2004 over the fiscal year 1999 base
programs funding level. Our report recommended a balanced research
agenda, with priority for the following areas:
Software: Methods for efficiently creating and
maintaining high-quality software of all kinds and for ensuring
the reliability of the complex software systems that now
provide the infrastructure for much of our Government and our
economy.
Scalable Information Infrastructure: Techniques for
ensuring that the National Information Infrastructure
consisting of communications systems, the Internet, large data
repositories, and other emerging systems is reliable and
secure, and can grow gracefully to accommodate the massive
numbers of new users (perhaps billions) and applications
expected over the coming two decades.
High End Computing : Continued invention and
innovation in the development of fast, powerful computing
systems and the accompanying communication systems are needed
to implement critical science, engineering, and business
applications ranging from aircraft design to weather and
climate modeling.
Social, Economic, and Workforce Implications of IT:
Research directed towards better understanding the sociological
and economic impacts of innovations in information technology
and toward growing the workforce to meet the national need for
information technology professionals.
Our recommendation for research to support a scalable information
infrastructure included topics to enable the survivability of our
networks and information. Survivability means that services will be
available when needed and information will be delivered in a timely
fashion. The recommended research agenda includes:
Authentication and security mechanisms for a large,
heterogeneous, and evolving infrastructure
Mechanisms for detecting system intrusion and
information software corruption
Mechanisms for detecting, mitigating, responding to,
and recovering from, or for preventing, human error in the
creation and use of the infrastructure
Mechanisms for assuring information quality
Scalable information and service replication
strategies
Mechanisms for monitoring services to ensure correct
operation within given quality-of-service bounds
Repositories for guaranteed long-term preservation of
information
Our report recommendations have received strong bi-partisan support
and we were encouraged by the $235 million increase for IT R&D
appropriated in this year's budget. The President's fiscal year 2001
budget proposes an increase of nearly $600 million in IT R&D in a
balanced research program that addresses the recommendations in the
PITAC report. Proposed funding includes networking and software
research directed towards technologies to enable more secure, reliable,
and dependable networks. The PITAC applauds the Senate's past support
and leadership for IT R&D and hopes the Senate will support the full
set of research priority areas recommended in our report.
The PITAC report provides broad concepts for a balanced IT R&D
program. While we recognized the importance of network security,
reliability, and dependability, we did not develop a detailed R&D
agenda for Internet security. Our recommendations cover a range of
important topics to be addressed, rather than proposals for specific
research projects.
The Impact of Internet Downtime on Businesses and Society
Denial of service happens when the network fabric is overloaded
through intentional and unintentional (``legal'') overloading of the
system with too many requests. This is analogous to a large number of
people calling California in the event of an earthquake report, or a
computer calling a phone continuously thereby blocking anyone else
getting through in case of an emergency. The cost of denial of service
and overloading can be substantial. The Yankee Group estimates that the
online industry may have lost $1.2 billion in revenue from the Web site
attacks earlier this month. (WSJ, Feb 24, 2000). A Gartner Group study
showed that the average cost of downtime in brokerage operations is
about $6.5 million per hour! According to the Boston-based market
research firm, $29 million in refunds were paid out by MCI to customers
affected by the 10 day outage of its frame relay network in August
1999. Three thousand companies were affected. (Online News, 10/28/99).
eBay paid $3.9 million in credits to its customers for the service
outage that halted bidding completely at its popular service for an
unprecedented 22 hours in June 1999. Distributed network sites can lose
$20,000 to $80,000 per hour. (Computer Reseller News, 1998). At a cost
of $80,000 per hour, the average company will lose $7.1 million per
year in centralized network downtime.
These costs are expected to increase as companies incur indirect
costs in the form of lawsuits, regulatory scrutiny, impact on brand
name and public image, loss of customer base, lower employee morale and
productivity, and higher employee stress.
The impact on businesses of system outage can be even more
devastating. In an April 1999 survey of consumers, research firm
Jupiter Communications found that 46 percent leave a preferred site if
they experience technical or performance problems. Statistics from
McGladrey and Pullen show that for every five organizations affected by
a disaster, two will be unable to maintain their critical business
functions and make a recovery. Of the remaining three, one will not
survive the next two years. In fact, a company that experiences a
computer outage lasting more than 10 days will never fully recover
financially (``Disaster Recovery Planning: Managing Risk and
Catastrophe in Information Systems'' by Jon Toigo).
According to Cahners in-stat group, Internet downtime hits
businesses financially, (http://www.instat.com/abstracts/ia/1999/
is9906sp--abs.htm), affecting direct revenue/customer base,
compensatory payments, inventory cost, and depreciation of capital. It
also affects business in ways not seen on the balance sheet, such as
market capitalization loss, employee downtime, and delays to market
items that may prove more financially damaging than the explicit losses
associated with an outage. The report ``Data Failure: The Financial
Impact on Internet Business'' quantifies the real-cost damages for site
outages based on SEC filings and publicly released information. The
report compares two e-commerce business models and illustrates how much
is at stake in the event of data failure.
Steps Towards a Secure and Dependable Internet
Many of the problems of Internet access can be avoided by taking
some simple common sense precautions. For example:
Online businesses can:
Educate users on cyber hygiene, security tools, and
procedures such as use of the firewalls, intrusion detection
systems, anti-virus software, automatic daily disinfecting
tools, etc.
Discourage masquerading and spoofing attacks by
ensuring that network traffic exiting from the local area
network of an organization carries the address consistent with
the valid set of addresses for that organization.
Protect against inside hacker risk by providing
backup and retrieval from an off-site storage service provider.
Disaster tolerance backup facilities are offered by many
suppliers. Such services guarantee constant availability of
data in the face of technical or natural catastrophe, including
surge capabilities for unplanned swells in site traffic.
Provide 24 hour-per-day, 7 day-a-week physical
security to central facilities and server farms. Alternatively,
use the backup and retrieval from an off-site storage service
as described in the previous bullet.
Industry can:
Release hardware and software that prevents insecure
configurations, and provide tools for intrusion detection.
Re-engineer operating systems and applications to
make them immune to the effects of viruses and other forms of
malicious code.
Identify and close the security loopholes and
backdoors by working with major vendors to provide access to
the source code and encourage open source movement.
Develop and deploy a secure communications
infrastructure that can be used by network operators and
Internet service providers to enable real-time collaboration
when dealing with attacks.
Many of the common sense measures listed above depend on the
voluntary compliance of more than a 100 million Internet users and
organizations that provide Internet service. However, history has shown
us that compliance failures will occur, either unintentionally or
maliciously. Rather than leaving the Internet vulnerable because a few
persons or organizations are careless or reckless, we should develop an
information infrastructure that is not dependent on voluntary
compliance of security practices and policies.
Personal Views on a Strategy for a National Self Healing Network
Testbed
I would now like to make some personal observations and make a
specific recommendation for creating a national self healing network
testbed. The PITAC recommended an aggressive new program in networking
research, including network security. We also recommended expanded
research to explore ways that laws protecting privacy, intellectual
property, and other rights are extended effectively into this new
media. We continue to support increased funding in these critical
areas.
The PITAC is currently reviewing Federal research plans and will be
issuing new recommendations later this year. Since these new
recommendations are not available, I would like to present my personal
views on logical next steps.
By now we understand the sources of highly publicized Internet
crashes: malicious hacker attacks and ``legal'' users overloading
popular web sites. Many of the remedies require straightforward
implementation of known solutions, either administrative or legal.
However, herein lies the problem--we simply cannot depend on every
system to be properly administered or every person to behave as
desired. Instead, we should strive to develop an Internet
infrastructure in which it does not matter if someone is careless or
reckless. In my view, one of the key goals of networking research over
the next few years should be development of a ``self healing'' network.
A self healing network would work similar to the human immune system.
It would constantly monitor the system (in this case, the network),
analyze what is in the system, and if it finds something wrong within
the system, immediately begin actions to remedy the problem. A self
healing network would be capable of self-monitoring, self-diagnosing
and self-repairing. To accomplish this, we should establish a national
network testbed that can be used to develop and demonstrate what I will
refer to as an ``ultra-dependable Internet.'' This is similar to an
ultra-high speed network, but with the focus on dependability rather
than speed.
I will use the phrase ``dependable Internet'' to specifically
include attributes such as reliability, availability, and scalability
in addition to security. The operative issue is not ``security'' as
interpreted narrowly in the research circles but rather ``how to create
a dependable Internet Infrastructure'' that is as reliable as the
current telephone system. By dependable, I mean a system (``as if my
life depended on it'') that is:
reliable, i.e., always up, accessible, accurate, and
consistent,
available, i.e., a system with no world-wide-wait and
a response time of under 200 milliseconds most of the time,
scalable, i.e. an infrastructure capable of scaling
to a billion simultaneous users and a trillion inter-connected
devices, and
secure, i.e. no fear of loss of privacy and immunity
to sniffing and spoofing.
The goal of a self healing network is to provide mechanisms for
detecting unauthorized use of networking equipment, tracking
inappropriate uses, and identifying the individuals using networks for
malicious intent, without compromising individual rights to privacy and
security on the network. Over the years we have found ways to balance
privacy and security in traditional commerce. Applying these precedents
to the new networked world will require combining the skills of
technologists and people knowledgeable of the legal, economic, and
social issues. Clearly this is an enormous challenge, but I believe it
is a critical national research challenge and deserves an appropriate
response.
A Self Healing Network
A self healing network is one which continuously monitors all the
traffic within the system (every packet entering the system is
validated before it can proceed) with a view to detect and disable
abnormal traffic patterns. It is predicated on using ``software
agents'' capable of self-monitoring, self-diagnosis, and self-repair
much as the human immune system uses (distributed) anti-bodies to
disable antigens and restore balance in the human body. Just as in
human systems where a few people may get sick some of the time, but
society as a whole continues to function, we may accept an occasional
denial of service as long as most users are able to access most of the
web sites without any degradation of service.
Self monitoring within the Internet core fabric requires agents
capable of continuous and autonomous monitoring of ``packet'' traffic
using ``software sensors.'' ``Self repair agents'' undertake a set of
autonomous corrective actions against the offending source that is
generating the unusual traffic by dropping the packets or limiting it
to a ``fair share'' the number of packets entering the fabric. The work
of these agents and the humans tracking network security could be
helped if the new generation of routers add information packets that
make it easier to detect malicious patterns of use and to track the
attacks to their source.
The proposed self healing network will add to the packet handling
overhead at each router in the fabric and has the potential to make the
system slower, waste bandwidth, and compromise privacy. At first blush,
this requirement appears to be impractical, as the Internet is expected
to handle trillions of packets every day and would require expensive
retrofitting of the existing commercial Internet Service Providers
(ISPs). However, such a transition is not only essential to the future
economic growth and security of the nation, but also practical given
the expected exponential advances in processor, memory, and optical
networking technologies. The expected additional overhead in packet
handling will be ameliorated by better algorithms, exponential
improvements in processor (predicted by Moore's law), memory, and
bandwidth technologies and increasing locality of Internet traffic
patterns (``Internet is global and the traffic is local'').
In addition to the research needed to develop terabit networks,
faster routers, efficient algorithms, and distributed computation
techniques, research will also be needed for data warehousing of meta-
data contained in packet headers, data mining of this data to establish
statistical parameters that can be used to classify normal and abnormal
traffic requests, and repair strategies for generating a signal
(analogous to the busy signal used in voice telephony) to sites making
abnormal requests without prior arrangement for surge capacity.
Conclusion
In conclusion, creating a dependable Internet infrastructure that
is as dependable as telephone service is essential to the future
economic growth and security of the nation. It is possible to create a
system capable of achieving these goals while ensuring absolute
protection of personal privacy and without major reductions in
networking speed. Indeed, rapid advances in computing power and
networking speed should make the new security systems nearly invisible
to users. The main challenge is to find the right balance between
having a dependable Internet infrastructure without compromising the
ease of use by non-experts and protecting the privacy of the
individuals connected to the infrastructure. To accomplish this will
require both new research ideas and the uniform application of known
and new ideas across the Internet infrastructure. It makes sense to
apply the creative energies of academe to these social problems.
Development of networks capable of meeting our goals for security
and privacy will only happen with a concerted research investment
supported by both Government and industry. One strategy would be to
support a network testbed designed with the specific goal of evaluating
innovative strategies for network protection--including commercial
concepts. Such a testbed would provide useful networking services and
at the same time let commercial operators and Government research
organizations evaluate advanced networking security concepts.
It is estimated that market capitalization of Internet based
industries created since 1990 is more than a trillion dollars resulting
in capital gains taxes of more than $200 billion to the nation.
Investing a small fraction of this national income in research towards
creating a self healing Internet will ensure the continuation of this
engine of growth!
Acknowledgements
This paper has benefited from the comments and suggestions from
several PITAC members: Jim Gray, Irving Wladawsky-Berger, Vint Cerf and
Bob Kahn and from other colleagues: Anish Arora, V.S. Arunachalam, Ed
Lazowska, and Rich Pethia. Please send comments to [email protected].
Senator Burns. Thank you, Doctor. Those are interesting
comments.
I am going to move to Senator Abraham, who has joined us
now. If you would like to either make your statement or
summarize or present it for the record, and if you have
questions for this panel, we would entertain those at this
time. And then I will followup.
STATEMENT OF HON. SPENCER ABRAHAM,
U.S. SENATOR FROM MICHIGAN
Senator Abraham. Thank you very much, Senator Burns. And
thank you for your leadership on the Subcommittee level and on
the full committee level on these issues. We appreciate what
you do on a variety of these key topics.
I just will make a brief statement. I have got two or three
conflicting hearings this morning and other events, but I
wanted to come by because I think this is a really important
topic for us to focus on.
I drew from this panel conclusions similar to ones I
reached based on some meetings I had immediately in the wake of
the recent spate of hacker activity. I was out in the Bay Area,
Silicon Valley, and met with representatives from about 20
companies at that time, which was just in the week afterward,
and with a group of businesses in my own State. Although
Michigan is not as well-known as a high-tech center perhaps as
other parts of the country, we actually do have a real growing
industry there. And I came away with conclusions very similar
to the ones expressed by the panelists.
I do not think there is any question that we need to
proceed in a careful way here. We have to recognize the extent
to which Government regulations are going to be effective are
limited. I do think that we need to continue to focus on some
of the things we can do with respect to penalties that can be
invoked against people who commit computer-related crimes. I am
not sure the current penalty structure really is adequate based
on what I studied.
I think the panels at the current time are kind of low. I
think we need to establish Federal and civil criminal penalties
against electronic identify theft, attacking one of the tools
which is often used by cyber-terrorists and techno-thieves. I
think we also need to examine Federal, civil and criminal
penalties with respect to unauthorized access to information
systems. I think these are areas where we can do some things
that do not put such impediments in place that we constrict the
development of the Internet and the development of e-commerce
activities that are going to be going on.
I also think that we need to encourage Governmentwide
policies to improve the security of Federal information
systems. That is not so much under our domain in this
particular committee, but I think it is an area that we need
to, based on these recent developments, that we need to perhaps
as a Congress focus more attention on. And I know that Senator
Thompson, in his committee, has focused on this and begun to
introduce legislation along that line.
And then I also serve on the Judiciary Committee, and we
have looked at ways that we could create Federal grant programs
to assist State and local law enforcement agencies in
deterring, investigating and prosecuting computer crimes.
Because obviously some of the resources available at the local
level tend to maybe not be adequate to meet some of the
challenges that the high-tech criminals pose. And I think that
that is a reasonable area for us to both be part of and to look
into.
So these are some of the things I am going to be working
on. But I think we also have to appreciate that there is sort
of, obviously, a need to recognize the proprietary nature of
information that is accumulated by industries, of technologies
that are developed. And this is where I think some of the
comments made in your earlier statements are particularly
relevant. We have to appreciate that and understand that we can
always come up with, I think, anti-crime legislation that can
potentially be effective, but sometimes it is so effective that
it completely inhibits normal human discourse and activity.
I was saying in my meetings in Michigan, we could
presumably stop most, if not all, bank robberies if we strip
searched everybody who went into a bank. But that probably
would mean that very few people went into banks. Similarly, we
can probably come up with a variety of processes that would
minimize the potential for Internet crime or cyber-terrorism,
but at such a level that there would be no more activity of an
e-commerce nature or anything else.
We can always overreach. I think we have to be very careful
not to. And so I appreciate what you are trying to accomplish
today. I look forward to working with you. And I thank the
panel. I appreciate very much their participation.
Senator Burns. Thank you, Senator.
I have just a couple of questions, and then we will just
start the dialog. I am concerned. I think Senator Hollings kind
of hit on it a while ago, and even the panel on law enforcement
or those people who are in charge of monitoring these kind of
activities. While I realize that you have got to watch the
bottom line--I mean, we are all in business, we have to make a
living and we have an obligation to our board of directors and
our obligations to our own industry--and given the
competitiveness of this industry so far, and we have tried to
maintain this to be very open, very competitive, let
entrepreneurialship and imagination and ingenuity flow, it
seems like we have not really given an extra measure to
security until we had this incident happened with this
information.
Business and security should be complementary, not mutually
exclusive. And I am wondering if you could comment on this.
They say you have run out of interest after a while in
discussions about security. How can we increase this dialog?
And how can we heighten the interest in security and the
working between Government and law enforcement?
I want you all to take a shot at this. So, Mr. Misener, if
you want to lead it off.
Mr. Misener. Certainly, Mr. Chairman. There is a need for
both locks and police. We spent a lot of time talking about the
police today and a little bit recently on the lock side. We at
Amazon.com take security very seriously, and it is very
important to us as a business and to our customers. As
indicated before, we did not experience a break-in at our
premises. Rather, it was this surrounding of the premises by
this junk traffic that was directed toward our site.
And so, to that extent, to the extent that there was this
criminal behavior, we do believe that in addition to the locks
that we put on our house, that we also need the police to help
enforce against the criminal activity or prosecute the
perpetrators of that criminal activity around the outside of
the house.
Senator Burns. Dr. Reddy.
Dr. Reddy. Mr. Chairman, besides the locks and the police,
there is a third option. Normally, when we build any
infrastructure, whether it is the interstate highway system or
anything else, the Government takes responsibility at certain
levels. Unfortunately, the Internet fabric, everybody has their
own sites and they can secure those, but no one person is
responsible for the Internet fabric. And that is by design.
That is the way it was designed in 1969, because we wanted it
to be scalable.
However, that particular design has run its course. I think
we need new research and new test beds to demonstrate an ultra-
dependable network which has all the same features, and it can
be shown and it can be used and demonstrated. And that is the
responsibility of the Government, in the sense of what Senator
Hollings was talking about and what you are also saying. It is
not a question of increasing police, or it is not a question of
telling private industry to put on more locks. There is another
piece in between, the Internet fabric, that no person is
responsible for. And therefore, the Government has to take
responsibility for it.
Senator Burns. Mr. Fuhrman.
Mr. Fuhrman. Thank you, Chairman. If I could add, if we
step back a second, everybody looks through their glasses on
life and their perspectives are built upon their experiences
that they have gone through or others that they have observed.
And so I think an unfortunate step that we have taken here at
this point is that we have had to wait, in essence, for some of
these attacks to occur for folks to wake up and go through the
experience and realize that this is now something that they
before had either discounted or just had not gotten to yet that
is now something to be added up to my priority list.
And I think, as we continue to step closer and we make
great progress as we go forward, we are going to see businesses
and customers start taking security even more seriously than
they have in the past.
Senator Burns. It is very interesting, the field called
biometrics, where users verify their identity through a pad
that scans either fingerprints or a monitor that scans retinas,
among other devices. Does biometrics have a role to play in
increasing security on the Internet in coming years? What is
the potential? Anybody can take a shot at that.
Dr. Reddy. Mr. Chairman, biometrics has the same privacy
problems. There is even a simpler solution than biometrics.
Intel has designed into every chip an I.D. So when a packet is
transmitted from a computer, you can add that I.D. But there
was a big hue and cry about the privacy issues, and the whole
thing stopped dead. Anybody that tries to put biometrics or
anything else which involves identification of the individual,
as opposed to just the machine that perpetrated the thing, will
probably cause the same kinds of issues. So I do not know what
the right answer is.
Senator Burns. Mr. Misener.
Mr. Misener. Mr. Chairman, I share the assessment that this
would cause perhaps a hue and cry if discussed as a viable
option, although I would recognize that biometrics and other
forms of personal identification are important to protecting
actual true security issues as opposed to sort of online e-
commerce issues.
Senator Burns. Mr. Fuhrman, you can comment on this. But I
was struck by the fact of what you said a while ago. I really
had not thought of it in the context that they did not actually
get into your shop, but they surrounded your shop, and
prevented anybody else from your normal daily activities. And
therein lies the problem, more than the security of gaining
entry into your shop.
Is that a correct assessment?
Mr. Misener. That is correct. But recognize also, sir, that
there were security breaches at other sites that allowed the
hack attacks to occur. For example, at some universities there
were security breaches, true intrusions of their systems, that
allowed these distributed denial of service attacks to take
place against other systems. And those systems were less well
protected than others on the in terms of.
Senator Burns. It was my understanding that it took several
computers to do all this. And if this person that perpetrated
this thing, if he had to buy all the computers, he probably
would not do it. But he could enter other computers and tell
them what to do.
Dr. Reddy. Mr. Chairman, there is a problem here. There is
also legal traffic that can demonstrate the same properties as
a hacker attack. For example, when Victoria's Secret announced
that they were going to have a Web site where they were showing
their new fashions, everybody and his brother wanted to see it.
And the same denial of service happened there. There is nothing
illegal there. It just happened.
It is like what happens when there is an earthquake in
California: everybody calls in to make sure that their loved
ones are safe. You cannot get through. So it is not just
illegal, malicious attacks. Legal things can also cause this
problem. That is why you need a self-monitoring, self-healing
network, which says, sorry, there is a lot of traffic going,
you cannot use it. There is a busy signal.
So some people at least get through, as much as the traffic
would permit, at Amazon.com. The rest of the people are not
able to get through. Rather than everybody being stopped.
Senator Burns. The other day I visited a facility that
monitors telephone traffic. It tells them where they have a
problem, they have a line outage. And it tells them that they
are rerouting. And also during particular times of day their
traffic is such that there is a potential that they have to add
another line or to reroute the traffic or then protect what 911
does and all of this. Are we saying that?
Dr. Reddy. The same thing.
Senator Burns. The same thing. We are going down the same
line.
Dr. Reddy. It is what is called a network management
system. We need an Internet network management system. And what
happens now is, as we heard from the previous panel, the
Government is somehow going to protect each of their sites. But
I can still disable people from getting through to your site.
And what we need is to stop it at the source, not at the
destination. And that requires a complete concept of knowing
exactly the overall well-being of the entire network all the
time. That is the kind of thing you saw in the telephone
systems. We do not have that.
Senator Burns. Do you envision an automatic thermostat, so
to speak?
Dr. Reddy. Yes, that is exactly it. The whole idea is to
build a dependable network in which there is a continuous
monitoring of the entire traffic from everybody, and knowing
where the abnormal behavior is happening, and then shut them
down at the source rather than letting them come all the way to
the Government site and there trying to block them from getting
in.
Senator Burns. It offers interesting challenges. It really
does. Any closing statements by any of you?
[No response.]
Senator Burns [continuing]. None at all. Well, we
appreciate your coming here today and sharing this information.
We will probably investigate this further.
Dr. Reddy, I am very interested in what your testimony is
here today, and I would hope that the rest of the Senators on
this Committee read it. And I think that they will, because you
offer several suggestions in there that I think we should take
note of. And all of you who have offered suggestions, I
appreciate that.
Again, industry, the teamwork thing has to happen. Because
I am not convinced right now that there has to be new laws or
anything like that. I am saying that we as an industry have to
come together. And it is like I said a while ago, in security,
we were all raised that you do not fool around with somebody
else's mailbox, but I do not see any warning out there like I
saw on a mailbox or our folks got on us about that. I know
those things have to be taken into account.
Thank you very much. These hearings are closed.
[Whereupon, at 11:20 a.m., the hearing was adjourned.]
APPENDIX
Prepared Statement of Max Cleland, U.S. Senator from Georgia
Good morning Mr. Chairman and distinguished guests. The tremendous
advances being made in the computer and telecommunications industries
are forever changing the way we do business in this country and abroad.
This new digital age in which we are living has ushered in the ability
to trade stock, shop for a car, buy air line tickets and to buy, sell
and trade just about anything else using the Internet. Many of the
firms that are engaging in this new way of doing business didn't exist
a few years or even months ago. The growth of e-commerce has been so
rapid that projections made about how much business will be conducted
over the Internet were often outdated as soon as they are published. On
March second of this year the Commerce Department released the first
ever estimate of retail e-commerce sales or e-tail sales. Reported e-
tail sales over the Internet and other electronic networks have reached
a historic $5.3 billion in the fourth quarter of 1999.
While there are now new opportunities for the good people of our
nation to gain greater productivity and have access to a wider
selection of goods and services, there is an attendant menace to on-
line businesses which threatens to disrupt the way commerce is
conducted over the Internet. This menace is HACKERs who are seeking to
gain unauthorized access to systems for the purpose of destroying,
corrupting, stealing or monitoring information vital to the operation
of computer systems owned by others.
These hackers have distinguishing screen names, or aliases, and are
apparently very bright, intelligent people with deviant, malicious
minds and a hankering for chaos. One suspected hacker is a 17 year-old
New England boy who told investigators that he has been using computers
since he was three and spends 16 hours a day on the Internet.
All businesses must be protected from the hackers, but no where is
it more important than the businesses and industries that are vital to
the nation's health, wealth and security and make up our nation's
critical infrastructure. These critical infrastructure businesses and
industries are engaged in information and communications, banking and
finance, basic utilities, aviation, mass transit, public health
services, and oil and gas production and storage. On the Government
side, the critical infrastructure consists of internal security,
Federal law enforcement, foreign intelligence, foreign affairs and
national defense. All of these activities must be protected from the
destructive, corruptive, stealing or monitoring of information by
unauthorized persons. Anyone attempting to hack into these systems must
be stopped because their actions threaten our country's security.
A GAO report released March second of this year provides commentary
on the proposed Government Information Security Act and cites some very
disturbing facts about the state of the Government's computer security:
The Environmental Protection Agency has had invasions of its
systems that resulted in damage and disruption to that agency's
operations.
The Department of Veterans Administration has been cited for
weaknesses in its computer systems that could compromise
sensitive medical and benefit payment information of our
nation's veterans.
A test on the National Aeronautics and Space Administration's
systems reveled that their systems could have been penetrated
posing serious threats to orbiting spacecraft and the
scientific data received from these spacecrafts.
The State Department's computers are also vulnerable to attack
and unauthorized access by hackers, terrorists or other
unauthorized individuals.
It appears that from this listing that there is a pressing need to
improve computer security planning and management and to make the cases
like these just cited the exception, not the rule in the Government's
systems.
Fear, mistrust and the uncertainties created by hackers can slow
the economic growth and prosperity that many public and private sector
experts envision for the Internet. As the Government sets out to
continue to protect our nation's critical infrastructure from domestic
and foreign intruders and e-businesses set out to reduce the costs of
theft and destruction of data and hardware by hackers, we must ensure
that people seeking to do business over the Internet are safe from
hackers, and that sufficient cooperation and coordination between the
Government and private industry is encouraged. Most recently this
cooperation resulted in a smooth transition to the year 2000. We can
and must replicate these results in the area of computer security.
I am very interested in hearing from the panel about your thoughts
with regard to the scope and magnitude of the hacker problem and what
your recommendations are for putting hackers out of business.
�