Testimony of Louis J. Freeh, Director, FBI
Before the
Senate Committee on Appropriations
Subcommittee for the Departments of Commerce, Justice,
State, the Judiciary, and Related Agencies
February 16, 2000
"Cybercrime"
Good morning,
Mr. Chairman and members of the Subcommittee. I am privileged
to join Attorney General Reno in this opportunity to discuss
cybercrime -- one of the fastest evolving areas of criminal
behavior and a significant threat to our national and
economic security.
Twelve years ago the "Morris
Worm" paralyzed half of the Internet, yet so few of us
were connected at that time that the impact on our society
was minimal. Since then, the Internet has grown from a tool
primarily in the realm of academia and the defense/intelligence
communities, to a global electronic network that touches nearly
every aspect of everyday life at the workplace and in our
homes. There were over 100 million Internet users in the United
States in 1999. That number is projected to reach 177 million
in the United States and 502 million worldwide by the end
of 2003. Electronic commerce has emerged as a new sector of
the American economy, accounting for over $100 billion in
sales during 1999, more than double the amount in 1998. By
2003, electronic commerce is projected to exceed $1 trillion.
The recent denial of service attacks on leading elements of
the electronic economic sector, including Yahoo!, Amazon.com,
Ebay, E*Trade, and others, had dramatic and immediate impact
on many Americans.
I would like to acknowledge
the strong support this Subcommittee has provided to the FBI
over the past several years for fighting cybercrime. This
Subcommittee was the first to support resources -- back in
FY 1997 -- for establishing a computer intrusion investigative
capability within the FBI. You have generously provided support
for our efforts against on-line sexual exploitation of children
and child pornography -- the Innocent Images initiative, as
well as to develop our Computer Analysis Response Team (CART)
program, and the creation of computer crime squads in our
field offices. For that support, I would like to say thank
you.
In my testimony today, I would
like to first discuss the nature of the threat that is posed
from cybercrime and then describe the FBI's current capabilities
for fighting cybercrime. Finally, I would like to close by
discussing several of the challenges that cybercrime and technology
present for law enforcement.
Cybercrime Threats Faced by Law Enforcement
Before discussing the FBI's
programs and requirements with respect to cybercrime, let
me take a few minutes to discuss the dimensions of the problem.
Our case load is increasing dramatically. In FY 1998, we opened
547 computer intrusion cases; in FY 1999, that had jumped
to 1154. At the same time, because of the opening of the National
Infrastructure Protection Center (NIPC) in February 1998,
and our improving ability to fight cybercrime, we closed more
cases. In FY 1998, we closed 399 intrusion cases, and in FY
1999, we closed 912 such cases. However, given the exponential
increase in the number of cases opened, cited above, our actual
number of pending cases has increased by 39%, from 601 at
the end of FY 1998, to 834 at the end of FY 1999. In short,
even though we have markedly improved our capabilities to
fight cyber intrusions, the problem is growing even faster
and thus we are falling further behind. These figures do not
even include other types of crimes committed by a computer
such as Internet fraud or child pornography on-line.
As part of our efforts to counter
the mounting cyber threat, the FBI uses both full National
Infrastructure Protection and Computer Intrusion squads located
in 16 field offices and is developing baseline computer intrusion
team capabilities in non-squad field offices. Further, we
are establishing partnerships with state and local law enforcement
through cybercrime task forces.
Cyber Threats Facing the United States
The numbers above do not provide
a sense of the wide range in the types of cases we see. Over
the past several years we have seen a range of computer crimes
ranging from simple hacking by juveniles to sophisticated
intrusions that we suspect may be sponsored by foreign powers,
and everything in between. A website hack that takes an e-commerce
site off-line or deprives a citizen of information about the
workings of her government or important government services
she needs, these are serious matters. An intrusion that results
in the theft of credit card numbers or proprietary information
or the loss of sensitive government information can threaten
our national security and undermine confidence in e-commerce.
A denial-of-service attack that can knock e-commerce sites
off-line, as we've seen over the last week, can have significant
consequences, not only for victim companies, but also for
consumers and the economy as a whole. Because of these implications,
it is critical that we have in place the programs and resources
to confront this threat. The following is a breakdown of types
of malicious actors and the seriousness of the threat they
pose.
Insider Threat. The disgruntled insider is a principal source
of computer crimes. Insiders do not need a great deal of knowledge
about computer intrusions, because their knowledge of victim
systems often allows them to gain unrestricted access to cause
damage to the system or to steal system data. The 1999 Computer
Security Institute/FBI report notes that 55% of respondents
reported malicious activity by insiders.
There are many cases in the
public domain involving disgruntled insiders. For example,
Shakuntla Devi Singla used her insider knowledge and another
employee's password and logon identification to delete data
from a U.S. Coast Guard personnel database system. It took
115 agency employees over 1800 hours to recover and reenter
the lost data. Ms. Singla was convicted and sentenced to five
months in prison, five months home detention, and ordered
to pay $35,000 in restitution.
In January and February 1999
the National Library of Medicine (NLM) computer system, relied
on by hundreds of thousands of doctors and medical professionals
from around the world for the latest information on diseases,
treatments, drugs, and dosage units, suffered a series of
intrusions where system administrator passwords were obtained,
hundreds of files were downloaded which included sensitive
medical "alert" files and programming files that
kept the system running properly. The intrusions were a significant
threat to public safety and resulted in a monetary loss in
excess of $25,000. FBI investigation identified the intruder
as Montgomery Johns Gray, III, a former computer programmer
for NLM, whose access to the computer system had been revoked.
Gray was able to access the system through a "backdoor"
he had created in the programming code. Due to the threat
to public safety, a search warrant was executed for Gray's
computers and Gray was arrested by the FBI within a few days
of the intrusions. Subsequent examination of the seized computers
disclosed evidence of the intrusion as well as images of child
pornography. Gray was convicted by a jury in December 1999
on three counts for violation of 18 U.S.C. 1030. Subsequently,
Gray pleaded guilty to receiving obscene images through the
Internet, in violation of 47 U.S.C. 223.
Hackers. Hackers are also a common threat. They sometimes crack
into networks simply for the thrill of the challenge or for
bragging rights in the hacker community. More recently, however,
we have seen more cases of hacking for illicit financial gain
or other malicious purposes. While remote cracking once required
a fair amount of skill or computer knowledge, hackers can
now download attack scripts and protocols from the World Wide
Web and launch them against victim sites. Thus while attack
tools have become more sophisticated, they have also become
easier to use. The recent denial-of-service attacks are merely
illustrations of the disruption that can be caused by tools
now readily available on the Internet. Hacks can also be mistaken
for something more serious. This happened initially in the
Solar Sunrise case, discussed below.
Hacktivism. Recently we have seen a rise in what has been
dubbed "hacktivism"-- politically motivated attacks
on publicly accessible web pages or e-mail servers. These
groups and individuals overload e-mail servers and hack into
web sites to send a political message. While these attacks
generally have not altered operating systems or networks,
they still damage services and deny the public access to websites
containing valuable information and infringe on others' rights
to communicate. One such group is called the "Electronic
Disturbance Theater," which promotes civil disobedience
on-line in support of its political agenda regarding the Zapatista
movement in Mexico and other issues. This past spring they
called for worldwide electronic civil disobedience and have
taken what they term "protest actions" against White
House and Department of Defense servers. In addition, during
the recent conflict in Yugoslavia, hackers sympathetic to
Serbia electronically "ping" attacked NATO web servers.
Russians, as well as other individuals supporting the Serbs,
attacked websites in NATO countries, including the United
States, using virus-infected e-mail and hacking attempts.
Supporters of Kevin Mitnick
hacked into the Senate webpage and defaced it in May and June
of last year. Mitnick had pled guilty to five felony counts
and was sentenced in August 1999 to 46 months in federal prison
and ordered to pay restitution. Mitnick was released from
custody in January 2000 after receiving credit for time served
on prior convictions.
The Internet has enabled new
forms of political gathering and information sharing for those
who want to advance social causes; that is good for our democracy.
But illegal activities that disrupt e-mail servers, deface
web-sites, and prevent the public from accessing information
on U.S. Government and private sector web sites should be
regarded as criminal acts that deny others their First Amendment
rights to communicate rather than as an acceptable form of
protest.
Virus Writers. Virus writers are posing an increasingly serious
threat to networks and systems worldwide. As noted above,
we have had several damaging computer viruses this year, including
the Melissa Macro Virus, the Explore.Zip worm, and the CIH
(Chernobyl) Virus. The NIPC frequently sends out warnings
or advisories regarding particularly dangerous viruses.
The Melissa Macro Virus was
a good example of our response to a virus spreading in the
networks. The NIPC sent out warnings as soon as it had solid
information on the virus and its effects. On the investigative
side, the NIPC acted as a central point of contact for the
field offices who worked leads on the case. A tip received
by the New Jersey State Police from America Online, and their
follow-up investigation with the FBI's Newark Field Office,
led to the April 1, 1999 arrest of David L. Smith. Search
warrants were executed in New Jersey by the New Jersey State
Police and FBI Special Agents from the Newark Field Office.
Mr. Smith pleaded guilty to one count of violating Title 18,
U.S.C. 1030 in Federal Court. Smith stipulated to affecting
one million computer systems and causing $80 million in damage.
Criminal Groups. We are also seeing the increased use of cyber
intrusions by criminal groups who attack systems for purposes
of monetary gain. In September, 1999, two members of a group
dubbed the "Phonemasters" were sentenced after their
conviction for theft and possession of unauthorized access
devices (18 USC §1029) and unauthorized access to a federal
interest computer (18 USC §1030). The "Phonemasters"
were an international group of criminals who penetrated the
computer systems of MCI, Sprint, AT&T, Equifax, and even
the FBI's National Crime Information Center. Under judicially
approved electronic surveillance orders, the FBI's Dallas
Field Office made use of new data intercept technology to
monitor the calling activity and modem pulses of one of the
suspects, Calvin Cantrell. Mr. Cantrell downloaded thousands
of Sprint calling card numbers, which he sold to a Canadian
individual, who passed them on to someone in Ohio. These numbers
made their way to an individual in Switzerland and eventually
ended up in the hands of organized crime groups in Italy.
Mr. Cantrell was sentenced to two years as a result of his
guilty plea, while one of his associates, Cory Lindsay, was
sentenced to 41 months.
The "Phonemasters'"
methods included "dumpster diving" to gather old
phone books and technical manuals for systems. They then used
this information to trick employees into giving up their logon
and password information. The group then used this information
to break into victim systems. It is important to remember
that often "cyber crimes" are facilitated by old
fashioned guile, such as calling employees and tricking them
into giving up passwords. Good "cyber security"
practices must therefore address personnel security and "social
engineering" in addition to instituting electronic security
measures.
Distributed Denial of Service Attacks. In the fall
of 1999, the NIPC began receiving reports about a new threat
on the Internet--Distributed Denial of Service Attacks. In
these cases, hackers plant tools such as Trinoo, Tribal Flood
Net (TFN), TFN2K, or Stacheldraht (German for barbed wire)
on a number of unwitting victim systems. Then when the hacker
sends the command, the victim systems in turn begin sending
messages against a target system. The target system is overwhelmed
with the traffic and is unable to function. Users trying to
access that system are denied its services. The NIPC issued
an alert regarding these tools in December 1999 in order to
notify the private sector and government agencies about this
threat. Moreover, the NIPC's Special Technologies and Applications
Unit (STAU) created and released to the public a software
tool that enables system administrators to identify DDOS software
installed on victimized machines. The public has downloaded
these tools tens of thousands of times from the web site,
and has responded to the FBI by reporting many intrusions
and installations of the DDOS software. The public received
the NIPC tool so well that the computer security trade group
SANS awarded their yearly Security Technology Leadership Award
to members of the STAU. The availability of this tool has
helped facilitate our investigations of ongoing criminal activity
by uncovering evidence on victim computer systems.
On February 8, 2000, the FBI
received reports that Yahoo had experienced a denial of service
attack. In a display of the close cooperative relationship
the NIPC has developed with the private sector, in the days
that followed, several other companies also reported denial
of service outages. These companies cooperated with our National
Infrastructure Protection and Computer Intrusion squads in
the FBI field offices and provided critical logs and other
information. Still, the challenges to apprehending the suspects
are substantial. In many cases, the attackers used "spoofed"
IP addresses, meaning that the address that appeared on the
target's log was not the true address of the system that sent
the messages.
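As an added example (not part of this testimony and not the NIPC's tool), the following Python script shows two checks a defender would run over a victim web server's logs after a flood like the one described above: a per-second request-rate test that reports how many distinct sources took part, and a check for source addresses in non-routable ranges, which cannot be real Internet clients and so indicate that the logged address was spoofed. The log lines, addresses and threshold are all constructed for illustration.

```python
"""Flood and spoof-indicator triage over constructed web server log lines.

Added example, not code from the testimony or from any FBI/NIPC tool.
Assumes Apache common log format and applies two defender checks:
  1. requests per second against a threshold (a flood from many planted
     agents shows up as a burst of traffic from many distinct sources), and
  2. source addresses in private/reserved ranges on a public-facing
     server, which cannot be legitimate clients and so are a spoofing hint.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Apache common log format). Not real traffic.
# Four ordinary requests, then a ten-request burst at 10:15:05 that mixes
# ordinary-looking sources with addresses that cannot come from the Internet.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Feb/2000:10:15:01 -0500] "GET / HTTP/1.0" 200 2326
203.0.113.7 - - [08/Feb/2000:10:15:01 -0500] "GET /news HTTP/1.0" 200 1104
198.51.100.9 - - [08/Feb/2000:10:15:02 -0500] "GET / HTTP/1.0" 200 2326
203.0.113.5 - - [08/Feb/2000:10:15:03 -0500] "GET /logo.gif HTTP/1.0" 200 512
198.51.100.21 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
198.51.100.22 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
198.51.100.23 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
10.1.2.3 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
192.168.0.44 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
203.0.113.88 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
203.0.113.89 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
127.0.0.1 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
203.0.113.90 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
203.0.113.90 - - [08/Feb/2000:10:15:05 -0500] "GET / HTTP/1.0" 200 2326
this line is not a log entry and is skipped by the parser
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Ranges that cannot be legitimate clients of a public-facing server
# (RFC 1918 private space, loopback, link-local, "this" network,
# multicast, reserved 240/4). The documentation ranges used for the
# constructed sample (203.0.113.0/24, 198.51.100.0/24) are deliberately
# not listed so they stand in for ordinary Internet clients.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "second": ts.replace(microsecond=0),
            "request": m.group("req"), "status": int(m.group("status"))}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_spoof_indicator(src):
    """True when the logged source address lies in a non-routable range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are not evaluated here
    return any(addr in net for net in NON_ROUTABLE)


def flood_seconds(entries, threshold):
    """Seconds at or above the threshold as (second, requests, distinct sources)."""
    per_second = defaultdict(list)
    for e in entries:
        per_second[e["second"]].append(e["src"])
    return [(sec.isoformat(), len(srcs), len(set(srcs)))
            for sec, srcs in sorted(per_second.items()) if len(srcs) >= threshold]


def spoofed_sources(entries):
    return sorted({e["src"] for e in entries if is_spoof_indicator(e["src"])})


def triage(log_text, threshold=8):
    """Summarise one log: parsed count, flood seconds, and spoof indicators."""
    entries = parse_log(log_text)
    return {"parsed": len(entries),
            "flood_seconds": flood_seconds(entries, threshold),
            "spoof_indicators": spoofed_sources(entries)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The spoof check only catches addresses that are obviously impossible; a spoofed address drawn from ordinary public space looks like any other client, which is exactly why the logs alone cannot name the true sender.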
The resources required in these
investigations can be substantial. Already we have five FBI
field offices with cases opened: Los Angeles, San Francisco,
Atlanta, Boston, and Seattle. Each of these offices has victim
companies in its jurisdiction. In addition, so far seven field
offices are supporting the five offices that have opened investigations.
The NIPC is coordinating the nationwide investigative effort,
performing technical analysis of logs from victim sites and
Internet Service Providers, and providing all-source analytical
assistance to field offices. Agents from these offices are
following up literally hundreds of leads. While the crime
may be high tech, investigating it involves a substantial
amount of traditional police work as well as technical work.
For example, in addition to following up leads, NIPC personnel
need to review an overwhelming amount of log information received
from the victims. Much of this analysis needs to be done manually.
Analysts and agents conducting this analysis have been drawn
off other case work. In the coming years we expect our case
load to substantially increase.
Terrorists. Terrorists are known to use information technology
and the Internet to formulate plans, raise funds, spread propaganda,
and to communicate securely. For example, convicted terrorist
Ramzi Yousef, the mastermind of the World Trade Center bombing,
stored detailed plans to destroy United States airliners on
encrypted files on his laptop computer. Moreover, some groups
have already used cyber attacks to inflict damage on their
enemies' information systems. For example, a group calling
itself the Internet Black Tigers conducted a successful "denial
of service" attack on servers of Sri Lankan government
embassies. Italian sympathizers of the Mexican Zapatista rebels
attacked web pages of Mexican financial institutions. Thus,
while we have yet to see a significant instance of "cyber
terrorism" with widespread disruption of critical infrastructures,
all of these facts portend the use of cyber attacks by terrorists
to cause pain to targeted governments or civilian populations
by disrupting critical systems.
Foreign intelligence services. Foreign intelligence services have adapted to
using cyber tools as part of their information gathering and
espionage tradecraft. In a case dubbed "the Cuckoo's
Egg," between 1986 and 1989 a ring of West German hackers
penetrated numerous military, scientific, and industry computers
in the United States, Western Europe, and Japan, stealing
passwords, programs, and other information which they sold
to the Soviet KGB. Significantly, this was over a decade ago
-- ancient history in Internet years. While I cannot go into
specifics about the situation today in an open hearing, it
is clear that foreign intelligence services increasingly view
computer intrusions as a useful tool for acquiring sensitive
U.S. Government and private sector information.
Sensitive Intrusions. In the last two years we have seen a series
of intrusions into numerous Department of Defense computer
networks as well as networks of other federal agencies, universities,
and private sector entities. Intruders have successfully accessed
U.S. Government networks and taken enormous amounts of unclassified
but sensitive information. In investigating these cases, the
NIPC has been coordinating with FBI Field Offices, Legats,
the Department of Defense (DOD), and other government agencies,
as circumstances require. The investigation has determined
that these intrusions appear to originate in Russia. The NIPC
has also supported other very sensitive investigations, including
the possible theft of nuclear secrets from Los Alamos National
Laboratory in New Mexico. It is important that the Congress
and the American public understand the very real threat that
we are facing in the cyber realm, not just in the future,
but now.
Information Warfare. One of the greatest potential threats to our
national security is the prospect of "information warfare"
by foreign militaries against our critical infrastructures.
We know that several foreign nations are already developing
information warfare doctrine, programs, and capabilities for
use against each other and the United States or other nations.
Foreign nations are developing information warfare programs
because they see that they cannot defeat the United States
in a head-to-head military encounter and they believe that
information operations are a way to strike at what they perceive
as America's Achilles Heel -- our reliance on information
technology to control critical government and private sector
systems. For example, two Chinese military officers recently
published a book that called for the use of unconventional
measures, including the propagation of computer viruses, to
counterbalance the military power of the United States. A
serious challenge we face is even recognizing when a nation
may be undertaking some form of information warfare. If another
nation launched an information warfare attack against the
United States, the NIPC would be responsible to gather information
on the attack and work with the appropriate defense, intelligence,
and national command authorities.
Traditional Threats to Society Moved to the Cyber Realm
Computers and networks are not
just being used to commit new crimes such as computer intrusions,
denial of service attacks, and virus propagation, but they
are also facilitating some traditional criminal behavior such
as extortion threats, fraud and the transmission of child
pornography. For example, the NIPC recently supported an investigation
involving e-mail threats sent to a Columbine High School student
threatening violence.
Child Pornography and Exploitation. While the Internet has been a tremendous boon
for information sharing and for our economy, it unfortunately
has also become a zone where predators prey on the weakest
and most vulnerable members of our society, our children.
The sex offender using a computer is not a new type of criminal.
Rather it is simply a case of modern technology being combined
with an age old problem. The use of computers has made child
pornography more available now than at any time since the
1970s. An offender can use a computer to transfer, manipulate,
or even create child pornography. Images can be stored, transferred
from video tape or print media, and transmitted via the Internet.
With newer technology, faster processors and modems, moving
images can now also be transmitted. In addition, the information
and images stored and transmitted can be encrypted to deter
or avoid detection. As computers and technological enhancements,
such as faster modems and processors, become less expensive
and more sophisticated, the potential for abuse will grow.
Challenges to Law Enforcement in Investigating Cybercrime
The burgeoning problem of cyber
crime poses unique challenges to law enforcement. These challenges
require novel solutions, close teamwork among agencies and
with the private sector, and adequate numbers of trained and
experienced agents and analysts with sophisticated equipment.
Identification and Jurisdictional Challenges
Identifying the Intruder. One major difficulty that distinguishes cyber
threats from physical threats is determining who is attacking
your system, why, how, and from where. This difficulty stems
from the ease with which individuals can hide or disguise
their tracks by manipulating logs and directing their attacks
through networks in many countries before hitting their ultimate
target. The now well-known "Solar Sunrise" case illustrates
this point. Solar Sunrise was a multi-agency investigation
(which occurred while the NIPC was being established) of intrusions
into more than 500 military, civilian government, and private
sector computer systems in the United States, during February
and March 1998. The intrusions occurred during the build-up
of United States military personnel in the Persian Gulf in
response to tension with Iraq over United Nations weapons
inspections. The intruders penetrated at least 200 unclassified
U.S. military computer systems, including seven Air Force
bases and four Navy installations, Department of Energy National
Laboratories, NASA sites, and university sites. Agencies involved
in the investigation included the FBI, DOD, NASA, Defense
Information Systems Agency, AFOSI, and the Department of Justice
(DOJ).
The timing of the intrusions
and links to some Internet Service Providers in the Gulf region
caused many to believe that Iraq was behind the intrusions.
The investigation, however, revealed that two juveniles in
Cloverdale, California, and several individuals in Israel
were the culprits. Solar Sunrise thus demonstrated to the
interagency community how difficult it is to identify an intruder
until facts are gathered in an investigation, and why assumptions
cannot be made until sufficient facts are available. It also
vividly demonstrated the vulnerabilities that exist in our
networks; if these individuals were able to assume "root
access" to DOD systems, it is not difficult to imagine
what hostile adversaries with greater skills and resources
would be able to do. Finally, Solar Sunrise demonstrated the
need for interagency coordination by the NIPC.
Jurisdictional Issues. Another significant challenge we face is hacking
in multiple jurisdictions. A typical hacking investigation
involves victim sites in multiple states and often many countries.
This is the case even when the hacker and victim are both
located in the United States. In the United States, we can
subpoena records and execute search warrants on suspects'
homes, seize evidence, and examine it. We can do none of those
things ourselves overseas; rather, we depend on the local
authorities. In some cases the local police forces simply
do not understand or cannot cope with the technology. In other
cases, these nations simply do not have laws against computer
intrusions. Our Legats are working very hard to build bridges
with local law enforcement to enhance cooperation on cybercrime.
The NIPC has held international computer crime conferences
with foreign law enforcement officials to develop liaison
contacts and bring these officials up to speed on cybercrime
issues. We have also held cybercrime training classes for
officers from partner nations.
Despite the difficulties, we
have had some success in investigating and prosecuting these
crimes. In 1996 and 1997, the National Oceanic and Atmospheric
Administration (NOAA) suffered a series of computer intrusions
that were linked to a set of intrusions occurring at the National
Aeronautics and Space Administration (NASA). Working with
the Canadian authorities, it was determined that the subject
resided in Canada. In April 1999, Jason G. Mewhiney was indicted
by Canadian authorities. In January 2000, he pled guilty to
12 counts of computer intrusions and the Canadian Superior
Court of Justice sentenced him to 6 months in jail for each
of the counts, with the sentences running concurrently. In
another case, Peter Iliev Pentchev, a Princeton University
student, was identified as an intruder on an e-commerce system.
An estimated 1800 credit card numbers, customer names, and
user passwords were stolen. The company had to shut down its
web servers for five days to repair the damages estimated
at $100,000. Pentchev has fled to his native Bulgaria, and
the process for returning Pentchev to the United States to
face charges is being determined.
In 1994-95, an organized crime
group headquartered in St. Petersburg, Russia, transferred
$10.4 million from Citibank into accounts all over the world.
After investigation by the FBI's New York field office, all
but $400,000 of the funds were recovered. Cooperation with
Russian authorities helped bring Vladimir Levin, the perpetrator,
to justice. In another case, the FBI investigated Julio Cesar
Ardita, an Argentine computer science student who gained unauthorized
access to Navy and NASA computer systems. He committed these
intrusions from Argentina, and Argentine authorities cooperated
with the FBI on the investigation. While he could not be extradited
for the offenses, he returned voluntarily to the United States
and was sentenced to three years' probation.
In all of these cases, Legats have been essential to the investigation.
As the Internet spreads to even more countries, we will see
greater demand placed on the Legats to support computer intrusion
investigations.
Human and Technical Challenges
The threats we face are compounded
by human and technical challenges posed by these types of
investigations. The first problem is, of course, having enough
positions for agents, computer scientists, and analysts to
work computer intrusions. Once we have the authorized positions,
we face the issue of recruiting people to fill these positions,
training them in the rapidly changing technology, and retaining
them. There is a very tight market out there for information
technology professionals. The Federal Government needs to
be able to recruit the very best people into its programs.
Fortunately, we can offer exciting, cutting-edge work in this
area and can offer agents, analysts, and computer scientists
the opportunities to work on issues that no one else addresses,
and to make a difference to our national security and public
safety.
Our current resources are stretched
paper thin. We only have 193 agents assigned to NIPC squads
and teams nationwide. Major cases, such as the recent DDOS
attacks on Yahoo, draw a tremendous amount of personnel resources.
Most of our technical analysts will have to be pulled from
other work to examine the log files received from the victim
companies. Tracking down hundreds of leads will absorb the
energy of a dozen field offices. And this is all reactive.
My goal is for the FBI to become proactive in this area just
as we have in other areas such as drugs and violent crime.
In a few minutes I'll discuss what we need to do to improve
our cybercrime fighting capabilities to become proactive in
fighting cybercrime.
The technical challenges of
fighting crime in this arena are equally vast. We can start
just by looking at the size of the Internet and its exponential
growth. Today it is estimated that more than 60,000 individual
networks with 40 million users are connected to the Internet.
Thousands more sites and people are coming on line every
month. In addition, the power of personal computers is vastly
increasing. The FBI's Computer Analysis Response Team (CART)
examiners conducted 1,260 forensic examinations in 1998 and
1,900 in 1999. With the anticipated increase in high technology
crime and the growth of private sector technologies, the FBI
expects 50 percent of its caseload to require at least one
computer forensic examination. By 2001, the FBI anticipates
the number of required CART examinations to rise to 6,000.
It is important to note that
personnel resources with very specific technical skills are
required not only for computer and Internet based crimes such
as the DDOS incidents, but are increasingly necessary for
more traditional matters as well. Examples of this type of
problem include the approximately 6,000 man-hours that the
NIPC was required to expend investigating a recent computer-based
espionage case. The NIPC's Special Technologies and Applications
Unit (STAU) received approximately one million raw files from
CART, and was required by the investigators to reproduce the
activities of individuals over a period of years from that
raw data. The amount of information which was required to
be processed by STAU, and is still necessary to process, would
fill the Library of Congress nearly twice. This type of case
illustrates where technical analysis of the highest order
has become necessary in sophisticated espionage matters. A
recent extortion and bombing case illustrates how traditional violent
criminals are also turning to high technology. In this extortion
case, the bomber's demands included that the victim post their
responses to his requirements on their web site. The STAU
was required to sort through millions of web site "hits"
to discern which entries may have come from the bomber. Based
on information generated by the STAU's efforts, agents were
able to trace the bomber to a specific telephone line to his
home address.
Clearly, the FBI needs engineering
personnel to develop and deploy sophisticated electronic surveillance
capabilities in an increasingly complex and technical investigative
environment, skilled CART personnel to conduct the computer
forensics examinations to support an increasingly diverse
set of cases involving computers, as well as expert NIPC personnel
to examine network log files to track the path an intruder
took to his victim. In cases such as Los Alamos or Columbine,
both NIPC and CART personnel were called in to bring their
unique areas of expertise to bear on the case.
During the last part of 1998,
most computers on the market had hard drives of 6-8 gigabytes
(GB). Very soon 13-27 GB hard drives will become the norm.
By the end of 2000, we will be seeing 60-80 GB hard drives.
All this increase in storage capacity means more data that
must be searched by our forensics examiners, since even if
these hard drives are not full, the CART examiner must review
every bit of data and every area of the media to search for
evidence.
The FBI has an urgent requirement
for improved tools, techniques and services for gathering,
processing, and analyzing data from computers and computer
networks to acquire critical intelligence and evidence of
criminal activity. Over the past three years, the FBI's Laboratory
Division (LD) has been increasingly requested to provide data
interception support for such investigative programs as: Infrastructure
Protection, Violent Crimes (Exploitation of Children, Extortion),
Counterterrorism, and Espionage. In fact, since 1997, the
LD has seen a dramatic increase in field requests for assistance
with interception of data communications. Unless the FBI increases
its capability and capacity for gathering and processing computer
data, investigators and prosecutors will be denied timely
access to valuable evidence that will solve crimes and support
the successful prosecutions of child pornographers, drug traffickers,
corrupt officials, persons committing fraud, terrorists, and
other criminals.
One of the largest challenges
to FBI computer investigative capabilities lies in the increasingly
widespread use of strong encryption. The widespread use of
digitally-based telecommunications technologies, and the unprecedented
expansion of computer networks incorporating privacy features/capabilities
through the use of cryptography (i.e. encryption), have placed
a tremendous burden on the FBI's electronic surveillance technologies.
Today the most basic communications employ layers of protocols,
formatting, compression and proprietary coding that were non-existent
only a few years ago. New cryptographic systems provide robust
security to conventional and cellular telephone conversations,
facsimile transmissions, local and wide area networks, Internet
communications, personal computers, wireless transmissions,
electronically stored information, remote keyless entry systems,
advanced messaging systems, and radio frequency communications
systems. The FBI is already encountering the use of strong
encryption. In 1999, 53 new cases involved the use of encryption.
The FBI is establishing a centralized
capability for development of investigative tools which support
the law enforcement community's technical needs for cybercrime
investigations, including processing and decrypting lawfully
intercepted digital communications and electronically stored
information. A centralized approach is appropriate since state
and local law enforcement have neither the processing power
nor trained individuals to assume highly complex analysis
or reverse engineering tasks. The FY 2001 budget includes
$7,000,000 for this effort.
The need for a law enforcement
centralized civilian resource for processing and decrypting
lawfully intercepted digital communications and electronically
stored information is well documented in several studies,
including:
- The National Research Council's
Committee Report entitled "Cryptography's Role in Securing
the Information Society." Specifically, the Committee
recommended that high priority be given to the development
of technical capabilities, such as signal analysis and decryption,
to assist law enforcement in coping with technological challenges.
- In 1996, in Section 811 of Public Law
104-132, the 104th Congress acknowledged the critical
need and authorized the Attorney General to "...support
and enhance the technical support [capabilities]..."
of the FBI.
- The Administration policy
position as set forth in the September 16, 1998, press release
acknowledges that "The Administration intends to support
FBI's establishment of a technical support [capability]
to help build the technical capacity of law enforcement
- Federal, State, and local - to stay abreast of advancing
communications technology."
It has been the position of
the FBI that law enforcement should seek the voluntary cooperation
of the computer hardware and software industry as a means
of attempting to address the public safety issues associated
with use of encryption in furtherance of serious criminal
activity. Over the past year and a half, the FBI has initiated
an aggressive industry outreach strategy to inform industry
of law enforcement's needs in the area of encryption, to continue
to encourage the development of recoverable encryption products
that meet law enforcement's needs, and to seek industry's
assistance regarding the development of law enforcement plain
text access "tools" and capabilities when non-recoverable
encryption products are encountered during the course of lawful
investigations.
The FBI will be meeting this
year with industry in an environment wherein various computer
and software industry representatives can exchange technical
and business information regarding encryption and encryption
products with law enforcement. This information will assist
law enforcement agencies with establishing development and
operational strategies to make the most effective use of limited
resources.
State and Local Assistance
Just as with other crimes, often
the state and local authorities are going to be the first
ones on the scene. The challenge for these law enforcement
officers is even greater than the one the Federal Government
faces in that state and local law enforcement is less likely
to have the expertise to investigate computer intrusions,
gather and examine cyber media and evidence. The challenge
for the federal government is to provide the training and
backup resources to the state and local levels so that they
can successfully conduct investigations and prosecutions in
their jurisdictions. This sort of cooperation is already showing
results. For example, the FBI worked with the New Jersey State
Police on the Melissa Macro Virus case that resulted in the
arrest of David L. Smith by the New Jersey authorities. In
addition, the NIPC and our Training Division are working together
to provide training to state and local law enforcement officers
on cybercrime. In FY 1999 over 383 FBI Agents, state and local
law enforcement and other government representatives have
taken NIPC sponsored or outside training on computer intrusion
and network analysis, energy and telecommunications key assets.
We have made great strides in developing our training program
for state and local law enforcement officials. More NIPC training
than ever before is being conducted outside of Washington,
DC, meaning that more state and local officers should have
the opportunity to attend these classes with less disruption
to their schedules and less travel. One of the main responsibilities
of the NIPC Training and Continuing Education Unit is to develop
and manage the state and local Law Enforcement Training Program.
This program trains state and local law enforcement officials
in a myriad of state-of-the-art cyber courses.
Building on the success of the
San Diego Regional Computer Forensic Laboratory, the Attorney
General asked the FBI and the Office of Justice Programs,
to work in partnership to develop a series of regional laboratories.
These facilities will provide computer forensic services as
joint ventures among federal, state and local law enforcement.
Six million dollars is requested in the Office of Justice
Programs to establish several regional computer forensic laboratories.
Working together, we are identifying geographical areas where
the establishment of such partnerships could make significant
impact.
The NIPC is supporting the Attorney
General's proposal to create a network of federal, state,
and local law enforcement personnel for combating cybercrimes.
We are instructing each field office to have a point of contact
at the appropriate investigative agencies regarding their
area of jurisdiction and to provide this information to NIPC
at FBIHQ.
Presidential Decision Directive
(PDD) 63 identified the Emergency Law Enforcement Services
Sector (ELES) as one of the eight critical infrastructures.
PDD 63 further designated the Federal Bureau of Investigation
as the lead agency with protecting the ELES. The NIPC is currently
working on a strategic plan for this sector and holding meetings
with sector representatives. This involves developing and
implementing a plan to help law enforcement protect its own
systems from attack so it will be able to deliver vitally
needed services to the public.
Success of the NIPC requires
building on proven mechanisms to develop and maintain long-term
relationships with state and local law enforcement agencies.
NIPC oversees outreach programs, coordinates training, shares
information and coordinates interagency efforts to plan for,
deter, and respond to cyber attacks.
Currently, the NIPC is sharing
information with state and local governments via Law Enforcement
On-line (LEO) and the National Law Enforcement Telecommunications
System. Timely coordination and sharing of information with
other law enforcement agencies is essential in combating the
cyber threat in the Information Age. Local law enforcement
is also encouraged to join the InfraGard chapters in their
area.
State and local agencies investigate
and prosecute cyber crimes based on violations of local laws.
By sharing investigative data with the NIPC, emerging trends
can be identified, analyzed and shared with other agencies,
which can in turn share investigative responsibilities with their
local FBI field office and the NIPC. The cross-jurisdictional
nature of cyber crimes, in which attacks occur outside the
state or even national borders, means that investigative efforts
must be coordinated among local, state and federal agencies
to ensure effective prosecution.
FBI Cybercrime Investigation
Capabilities
National Infrastructure Protection
Center
Under PDD-63, the NIPC's mission
is to detect, warn of, respond to, and investigate computer
intrusions and unlawful acts that threaten or target our critical
infrastructures. The Center not only provides a reactive response
to an attack that has already occurred, but proactively seeks
to discover planned attacks and issues warnings before they
occur. This large and difficult task requires the collection
and analysis of information gathered from all available sources
(including law enforcement investigations, intelligence sources,
data voluntarily provided by industry and open sources) and
dissemination of analyses and warnings of possible attacks
to potential victims, whether in the government or the private
sector. To accomplish this mission, the NIPC relies on the
assistance of, and information gathered by the FBI's 56 field
offices, other federal agencies, state and local law enforcement,
and perhaps most importantly, the private sector.
The NIPC, while located at the
FBI, is an interagency center, with representatives from many
other agencies, including DOD, the U.S. Intelligence Community,
and other federal agencies. The NIPC at FBI Headquarters currently
has 79 FBI personnel, with an authorized ceiling of 94. There
are 22 representatives from Other Government Agencies (OGAs),
the private sector, state and local law enforcement, and our
international partners at the Center. Our target for OGA and
private sector participation is 40.
To accomplish its goals, the
NIPC is organized into three sections:
The Computer Investigations
and Operations Section (CIOS) is the operational response
arm of the Center. It program manages computer intrusion investigations
conducted by FBI field offices throughout the country; provides
subject matter experts, equipment, and technical support to
cyber investigators in federal, state and local government
agencies involved in critical infrastructure protection; and
provides a cyber emergency response capability to help resolve
a cyber incident.
The Analysis and Warning Section
(AWS) serves as the "indications and warning arm" of the
NIPC. It provides analytical support during computer intrusion
investigations and long-term analyses of vulnerability and
threat trends. Through its 24/7 watch and warning capability,
it distributes tactical warnings and analyses to all the relevant
partners, informing them of potential vulnerabilities and
threats and long-term trends. It also reviews numerous government
and private sector databases, media, and other sources daily
to gather information that may be relevant to any aspect of
our mission, including the gathering of indications of a possible
attack.
The Training, Outreach and Strategy
Section (TOSS) coordinates the training and education of cyber
investigators within the FBI field offices, state and local
law enforcement agencies, and private sector organizations.
It also coordinates outreach to private sector companies,
state and local governments, other government agencies, and
the FBI's field offices. In addition, this section manages
collection and cataloguing of information concerning "key
assets" across the country. Finally, it handles our strategic
planning and administrative functions with FBI and DOJ, the
National Security Council, other agencies and Congress.
Through these, the Center brings
its unique perspective as the only national organization devoted
to investigation, analysis, warning, and response to attacks
on the infrastructures. Further, as an interagency entity,
the NIPC takes a broad view of infrastructure protection,
looking not just at reactive investigations but also at proactive
warnings and prevention. Finally, through the FBI, the Center
has a national reach to implement policy. The Center is working
closely on policy initiatives with its Federal partners and
meets regularly with the other Federal lead agencies on policy
issues.
National Infrastructure Protection
and Computer Intrusion Squads/Teams
In October 1998, the National
Infrastructure Protection and Computer Intrusion Program (NIPCP)
was approved as an investigative program and resources were
created and placed in each FBI field office with the NIPC
at FBI Headquarters acting as program manager.
By the end of this fiscal year,
there will be 16 FBI Field Offices with regional NIPC squads.
Each of these squads will be staffed with 7 to 8 agents. Nationwide,
there are 193 agents dedicated to investigating NIPC matters.
In order to maximize investigative resources the FBI has taken
the approach of creating regional squads that have sufficient
size to work difficult major cases and to assist those field
offices without an NIPC squad. In those field offices without
squads, the FBI is building a baseline capability by having
one or two agents to work NIPC matters, i.e. computer intrusions
(criminal and national security), viruses, InfraGard, state
and local liaison etc.
Computer Analysis and Response
Teams (CART)
An essential element in the
investigation of computer crime is the recovery of evidence
from electronic media. In a murder investigation, the detectives
investigate the case but the coroner examines the body for
evidence of how the crime was committed. The CART personnel
serve this function in cyber investigations. CART examiners
perform three essential functions. First, they extract data
from computer and network systems, and conduct forensic examinations
and on-site field support to all FBI investigations and programs
where computers and storage media are required as evidence.
Second, they provide technical support and advice to field
agents conducting such investigations. Finally, they assist
in the development of technical capabilities needed to produce
timely and accurate forensic information.
Currently the FBI has 26 full
time CART personnel at FBI Headquarters and 62 full-time and
54 part-time CART personnel in the field, for a total of 142
trained CART personnel. CART resources are used in a variety
of investigations ranging from sensitive espionage cases to
health care fraud. For example, on September 12, 1998, the
FBI executed the arrest of individuals who were involved in
an espionage ring trying to penetrate U.S. military bases
on behalf of the Cuban government. During the arrest of these
individuals CART conducted the seizure of 35 GB of digital
evidence to include personal computers containing twelve (12)
hard drives, 2,500 floppy diskettes, and assorted CD-ROMs.
The FBI deployed more than 30 CART field examiners during
the search and examination which consumed thousands of hours
of their time.
In order to process the vast
quantities of information required, the CART program needs
to purchase or develop new ways of handling digital evidence.
One program used by the FBI is the Automated Computer Examination
System (ACES), a data exploration tool developed by the FBI
Laboratory, to scan thousands of files for identification
of known format and executable program files. ACES verifies
that certain program, batch or executable files are for computer
operation and do not represent a file in which potential evidentiary
material is stored. Results from an ACES examination can be
passed to other analytical utilities used in examining a computer.
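One way to implement the known-file screening this paragraph describes, as an added example that is neither ACES nor any FBI tool: the script hashes every file in a (constructed) evidence tree, sets aside the files whose hashes appear in a reference set of standard operating-system and program files, and tags the remainder by executable format from their leading bytes, so the examiner's time goes to the unknown files. The reference hash set, the directory layout and the file contents are all constructed for the demo.

```python
"""Known-file filtering for a forensic triage pass.

Added example, not ACES or any FBI tool. It shows the idea described in the
testimony: recognise files that are standard OS or program files so that
examiner effort goes to the rest. The known-file hash set and the sample
"image" below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Leading bytes that identify common executable formats; used to tag a file
# as executable regardless of the name or extension it was given.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large media does not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_format(path: Path) -> str:
    """Identify the format from file content, not from the extension."""
    with path.open("rb") as f:
        head = f.read(4)
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return label
    return "data"


def triage(root: Path, known_hashes: set) -> dict:
    """Split an evidence tree into known files (skip) and files to review.

    Returns {"known": [relative paths], "review": [(relative path, format)]}.
    """
    known, review = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if sha256_of(p) in known_hashes:
            known.append(rel)
        else:
            review.append((rel, classify_format(p)))
    return {"known": known, "review": review}


def build_demo_image():
    """Constructed sample evidence tree and reference hash set (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "Windows").mkdir()
    os_file = root / "Windows" / "notepad.exe"
    os_file.write_bytes(b"MZ" + b"\x00" * 62 + b"demo os binary")
    user_dir = root / "Users" / "target"
    user_dir.mkdir(parents=True)
    # A custom tool renamed to look ordinary: its content is unknown, so it
    # stays in the review list no matter what it is called.
    (user_dir / "tool.exe").write_bytes(b"MZ" + b"\x90" * 30 + b"custom tool")
    (user_dir / "notes.txt").write_bytes(b"meet at 9, bring the drive\n")
    # The reference set holds only the standard OS file, as a vendor- or
    # NSRL-style known-file list would.
    known = {sha256_of(os_file)}
    return root, known


if __name__ == "__main__":
    root, known = build_demo_image()
    result = triage(root, known)
    print("known (skip):", result["known"])
    for rel, fmt in result["review"]:
        print(f"review: {rel} [{fmt}]")
```

Matching on content hashes rather than on names or extensions is what makes the exclusion safe: the constructed tool.exe above carries an ordinary-looking name but an unknown hash, so it remains in the review list, while the genuine OS file is skipped even if it had been renamed.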
The FBI is also working with
other federal agencies as well as state and local law enforcement
to share data and forensic expertise. In San Diego, a regional
computer forensic capability has been established that is
staffed by the FBI, the Navy, and the San Diego police department,
among others. This lab serves as a resource for the entire
region. The vast majority of all computer related seizures
in San Diego County are currently being made through the RCFL.
During the start-up period (Summer 1999 to December 1999),
although all participating agencies had been co-located, each
examiner had been working on his own agency's cases. As
of January 3, 2000, the San Diego lab started receiving submissions
as a joint facility and jointly tracking those submissions.
As of February 3, the lab had received 26 cases, including
three federal cases consisting of large scale networks, and
local cases including a death threat to a Judge, a poisoning
case, and a child molestation case. We recognize that state
and local law enforcement often will not have the resources
for complex computer forensics, and we hope that the San Diego
model can be expanded.
Technical Investigative Support
The FBI has long had capabilities
regarding the interception of conventional phone lines and
modems. The rapid advance of data technologies and the unregulated
nature of the Internet has resulted in a myriad of technologies
and protocols which make the interception of data communications
extremely difficult. It is critical that the FBI properly
equip investigators with technical capabilities for utilizing
the critical investigative tools on lawfully authorized Title
III and Title 50 interception.
Innocent Images Initiative/Child
Pornography
The FBI has moved aggressively
against child pornographers. In 1995 the FBI's first undercover
operation, code name Innocent Images, was initiated. Almost
five years later, Innocent Images is an FBI National Initiative,
supported by annual funding of $10 million, with undercover
operations in eleven FBI field offices -- Baltimore, Birmingham,
Cleveland, Dallas, Houston, Las Vegas, Los Angeles, Newark,
Phoenix, San Francisco, and Tampa -- being worked by task
forces that combine the resources of the FBI with other federal,
state and local law enforcement officers from Maryland, Virginia,
the District of Columbia, Alabama, Ohio, Texas, Nevada, California,
New Jersey, Arizona, and Florida. Investigations developed
by the National Initiative's undercover operations are being
conducted by every field office and information has been referred
to foreign law enforcement agencies through the FBI's Legal
Attache Offices.
During Fiscal Year 1999 a total
of 1,497 new cases were opened. Every one of these investigations
has digital evidence and requires the assistance of a CART
examiner. Additionally, 188 search warrants and 57 consent
searches were executed, and 193 arrests, 125 indictments,
29 informations and 108 convictions were obtained as a result
of the Innocent Images National Initiative. Also in Fiscal
Year 1999, the IINI provided 227 presentations to 17,522 individuals
from foreign and domestic law enforcement and government officials,
civilian groups, and private citizens in an effort to raise
awareness about child pornography/child sexual exploitation
issues and increase coordination between federal, state and
local law enforcement.
Intellectual Property Rights/Internet
Fraud
Intellectual property is the
driver of the 21st century American economy. In many ways
it has become what America does best. The United States is
the leader in the development of creative, technical intellectual
property. Violations of Intellectual Property Rights, therefore,
threaten the very basis of our economy. Of primary concern
is the development and production of trade secret information.
The American Society of Industrial Security estimated the
potential losses at $2 billion per month in 1997. Pirated
products threaten public safety in that many are manufactured
to inferior or non-existent quality standards. A growing percentage
of IPR violations now involve the Internet. There are thousands
of web sites solely devoted to the distribution of pirated
materials. The FBI has recognized, along with other federal
agencies, that a coordinated effort must be made to attack
this problem. The FBI, along with the Department of Justice,
U.S. Customs Service, and other agencies with IPR responsibilities,
will be opening an IPR Center this year to enhance our national
ability to investigate and prosecute IPR crimes through the
sharing of information among agencies.
One of the most critical challenges
facing the FBI and law enforcement in general, is the use
of the Internet for criminal purposes. Understanding and using
the Internet to combat Internet fraud is essential for law
enforcement. The fraud being committed over the Internet is
the same type of white collar fraud the FBI has traditionally
investigated but poses additional concerns and challenges
because of the new environment in which it is located. Internet
fraud is defined as any fraudulent scheme in which one or
more components of the Internet, such as Web sites, chat rooms,
and E-mail, play a significant role in offering nonexistent
goods or services to consumers, communicating false or fraudulent
representations about the schemes to consumers, or transmitting
victims' funds, access devices, or other items of value to
the control of the scheme's perpetrators. The accessibility
of such an immense audience coupled with the anonymity of
the subject, requires a different approach. The frauds range
from simple geometric progression schemes to complex frauds.
The Internet appears to be a perfect manner to locate victims
and provides an environment where the victims don't see or
speak to the fraud perpetrators. Anyone in the privacy of
their own home can create a very persuasive vehicle for fraud
over the Internet. In addition, the expenses associated with
the operation of a "home page" and the use of electronic
mail (E-mail) are minimal. Fraud perpetrators do not require
the capital to send out mailers, hire people to respond to
the mailers, finance and operate toll free numbers, etc. This
technology has evolved exponentially over the past few years
and will continue to evolve at a tremendous rate. By now it
is common knowledge that the Internet is being used to host
criminal behavior. The top ten most frequently reported frauds
committed on the Internet include Web auctions, Internet services,
general merchandise, computer equipment/software, pyramid
schemes, business opportunities/franchises, work at home plans,
credit card issuing, prizes/sweepstakes and book sales.
Improving FBI Cybercrime Capabilities
The last two years have seen
tremendous strides in the development of the National Infrastructure
Protection Center in both the Headquarters and field program.
We have directed our resources into developing our prevention,
detection, and response capabilities. This has meant recruiting
talented personnel from both inside and outside the FBI, training
those personnel, and developing investigative, analytic, and
outreach programs. Most of these programs had to be developed
from scratch, either because no program previously existed
or because the program had to be reinvigorated from an earlier
FBI incarnation.
The cyber crime scene is dynamic--
it grows, contracts, and can change shape. Determining whether
an intrusion is even occurring can often be difficult in the
cyber world, and usually a determination cannot be made until
after an investigation is initiated. The establishment of
the NIPC has greatly enhanced the FBI's investigative, analytic,
and case support capabilities. A few years ago, the NIPC would
have been limited in its ability to undertake some of the
sensitive investigations of computer intrusions that the FBI
has supported. While the FBI has been able to develop and
maintain its present response capability, the explosive nature
of the crime problem continues to challenge our capacities.
While much has been accomplished, much remains to be done.
Building Investigative Capacity
Trained personnel and resources
present the greatest challenges to the FBI critical infrastructure
protection mission. The FBI must make sure that the NIPC and
Field Office squads are fully staffed with technologically
competent investigators and analysts. It is also essential
that these professionals have state of the art equipment and
connectivity they need to conduct their training.
To accomplish this, the FBI
must identify, recruit, and train personnel who have the technical,
analytical, investigative, and intelligence skills for engaging
in cyber investigations. This includes personnel to provide
early warnings of attacks, to read and analyze log files,
write analytic reports and products for the field and the
private sector, and to support other investigations with cyber
components. With such a configuration of selected personnel
skills, the FBI will be able to effectively and efficiently
investigate cyber threats, allegations, incidents, and violations
of the law that target and/or impact critical infrastructure
facilities, components, and key assets. Aggressive recruitment
of qualified specialists is critical. Targeting the right
people and providing hiring and educational incentives are
good steps in building this professional cadre.
Developing and deploying the
best equipment in support of the mission is very important.
Not only do investigators and analysts need the best equipment
to conduct investigations in the rapidly evolving cyber system
but the NIPC must be on the cutting edge of cyber research
and development. NIPC must not only keep abreast of the criminal
element but they must also accurately predict the next generation
of criminal activity.
In order to support state and
local law enforcement efforts, field offices will seek to
form cybercrime task forces. This should include assigning
a prosecutor to handle task force cases.
Building Partnerships with
Industry and Academia
NIPC is founded on the notion
of partnership. This partnership is critical to ensuring timely
information sharing about threats and incidents, new technologies,
and keeping our capabilities at the cutting edge. The FBI,
in conjunction with the private sector, has also developed
an initiative called "InfraGard" to expand direct
contacts with the private sector infrastructure owners and
operators and to share information about cyber intrusions,
exploited vulnerabilities, and physical infrastructure threats.
The initiative encourages the exchange of information by government
and private sector members through the formation of local
InfraGard chapters within the jurisdiction of each Field Office.
Chapter membership includes representatives from the FBI,
private industry, other government agencies, State and local
law enforcement, and the academic community. The initiative
provides four basic services to its members: an intrusion
alert network using encrypted e-mail; a secure website for
communication about suspicious activity or intrusions; local
chapter activities; and a help desk for questions. The critical
component of InfraGard is the ability of industry to provide
information on intrusions to the local FBI Field Office using
secure communications in both a "sanitized" and
detailed format. The local FBI Field Offices can, if appropriate,
use the detailed version to initiate an investigation; while
NIPC Headquarters can analyze that information in conjunction
with other law enforcement, intelligence, or industry information
to determine if the intrusion is part of a broader attack
on numerous sites. The Center can simultaneously use the sanitized
version to inform other members of the intrusion without compromising
the confidentiality of the reporting company. The secure website
will also contain a variety of analytic and warning products
that we can make available to the InfraGard community.
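As an added illustration of the two-tier (detailed versus sanitized) reporting described above, and not InfraGard's own format or software: the script below derives the sanitized copy from the detailed report by dropping the fields that identify the reporter, masking internal RFC 1918 addresses and victim hostnames, truncating the timestamp to a date, and keeping the attacker indicators and technique intact, then checks that none of the identifying values survive in the copy meant for wider distribution. The field names and the sample incident are constructed for the demo.

```python
"""Detailed vs. sanitized intrusion report (added example, not InfraGard's).

The detailed report goes to the local field office; the sanitized copy can be
shared with other members without revealing who was hit. Field names and the
sample incident are constructed for this demo.
"""
import ipaddress
import re
from copy import deepcopy

# Fields that identify the reporting organisation; dropped from the sanitized
# copy entirely. (Assumed field names.)
IDENTIFYING_FIELDS = ("reporter_org", "reporter_contact", "victim_hostnames")

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also flag
# the documentation ranges used for the attacker address below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def sanitize_text(text: str, org_names, hostnames) -> str:
    """Mask organisation names, victim hostnames and internal IPs in free text."""
    for host in hostnames:
        text = re.sub(re.escape(host), "[internal host]", text, flags=re.IGNORECASE)
    for name in org_names:
        text = re.sub(re.escape(name), "[reporting org]", text, flags=re.IGNORECASE)
    return IPV4_RE.sub(lambda m: "[internal host]" if is_internal(m.group(0)) else m.group(0), text)


def sanitize_report(detailed: dict) -> dict:
    """Build the wider-distribution copy from the detailed report."""
    s = deepcopy(detailed)
    for field in IDENTIFYING_FIELDS:
        s.pop(field, None)
    # Date is enough for trend analysis; an exact time can identify the victim
    # when correlated with a known outage.
    s["observed"] = detailed["observed"][:10]
    s["victim_ips"] = ["[internal host]" if is_internal(ip) else ip
                       for ip in detailed["victim_ips"]]
    s["summary"] = sanitize_text(detailed["summary"], [detailed["reporter_org"]],
                                 detailed.get("victim_hostnames", []))
    return s


def find_leaks(sanitized: dict, detailed: dict) -> list:
    """Return every identifying value from the detailed report still present anywhere in the sanitized copy."""
    terms = [detailed["reporter_org"], detailed["reporter_contact"]]
    terms += detailed.get("victim_hostnames", [])
    terms += [ip for ip in detailed["victim_ips"] if is_internal(ip)]
    haystack = []
    for v in sanitized.values():
        haystack.extend(v if isinstance(v, list) else [v])
    blob = " ".join(str(x) for x in haystack).lower()
    return [t for t in terms if t.lower() in blob]


SAMPLE_DETAILED = {  # constructed incident
    "reporter_org": "Acme Power Cooperative",
    "reporter_contact": "soc@acme-power.example",
    "sector": "electric power",
    "observed": "2000-02-09T03:14:00Z",
    "attacker_ips": ["203.0.113.45"],
    "victim_ips": ["10.20.30.40", "10.20.30.41"],
    "victim_hostnames": ["scada-gw.acme-power.example"],
    "technique": "flood of spoofed SYN packets to port 80",
    "summary": "Acme Power Cooperative saw scada-gw.acme-power.example (10.20.30.40) "
               "become unreachable under a flood from 203.0.113.45.",
}

if __name__ == "__main__":
    sanitized = sanitize_report(SAMPLE_DETAILED)
    for k, v in sanitized.items():
        print(f"{k}: {v}")
    print("leaks:", find_leaks(sanitized, SAMPLE_DETAILED))
```

The leak check at the end is the part worth keeping in any real workflow: free-text fields are where identifying details slip through, so the sanitized copy should be verified against the identifying values of the detailed one before it leaves the reporting company.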
The NIPC has also developed
and is implementing an aggressive outreach program. We have
briefed a number of key critical infrastructure sector groups
including the North American Electric Reliability Council
and business groups such as the U.S. Chamber of Commerce.
We are also working closely with our international partners.
Much attention has been given
to the need to create mechanisms for sharing information with
the private sector. The NIPC has built up a track record for
doing this over the past 2 years with concrete results. Not
only has it provided early warnings and vulnerability threat
assessments but it has also developed unique detection tools
to help potential victims of DDOS attacks. And contrary to
press statements by companies offering security services that
private companies won't share information with law enforcement,
private companies have reported incidents and threats to the
NIPC or FBI. The cooperation we have received from victims
in the recent DDOS attacks is only the most recent example
of this. InfraGard will increase this capacity by providing
a secure two way mechanism for sharing information between
the government and the private sector.
Developing Forensic and Technical
Capabilities
As noted above, CART has developed
substantial capability to examine computer and network media
and storage devices. But the rapid change in technology and
the increasing use of computers in criminal activity necessitate
the on-going development of better investigative and forensic
tools and techniques for examiners. We fully expect that the
number of cases requiring CART examinations will increase
by over 50% in the next few years. In addition, as storage
media hold more information, each individual examination will
require more effort. To even attempt to keep pace with these
developments, we will need to increase our personnel base
in CART. For FY 2001, funding is proposed to add 100 new CART
examiners.
In addition, in order for our
ACES program to remain able to provide comprehensive analysis
of computer files, it needs to be continuously updated. After
all, how many iterations of Windows®, Microsoft Office®,
and other software and operating systems have we seen just
in the last two years? We need to ensure that ACES can perform
its function. The FY 2001 budget includes $2,800,000 for the
ACES program.
Improving our technical capabilities
to access plain text communications is a critical challenge
to the FBI. The ultimate objective is to provide field investigators
with an integrated suite of automated data collection systems,
operating in a low-cost and readily available personal computer
environment, which will be capable of identifying, intercepting
and collecting targeted data of interest from a broad spectrum
of data telecommunications transmissions mediums and networks.
Substantial resource enhancements are required to progress
development from current ad hoc, tactical data intercept systems
to integrated modular systems, providing the field investigators
with increased flexibility, simplicity and reliability and
to enhance training programs to enable field Technically Trained
Agents and Investigators to install and operate this complex
equipment. The most technically complex component of electronic
surveillance has been and always will be the deciphering
of encrypted signals and data. In the past few years, growth
in electronic communications and the public demand for security
have increased the number of investigations which encounter
encrypted signals and data. With the convergence of digital
technologies in the very near future, all electronic communications
conducted using computers, the Internet, wireless and other
forms of communications, will inherently incorporate and apply
data security (i.e. encryption). The ability to gather evidence
from FBI electronic surveillance and seized electronic data
will significantly depend upon the development of and deployment
of signal analysis and decryption capabilities. Funding enhancements
are requested to step toward the fulfillment of a strategic
plan to ensure that collected signals, data and evidence can
be intercepted, interpreted and made usable in the prosecution
of crimes and the detection of national security offenses.
Failure to strategically prepare for the impending global
changes in data and voice telecommunications, information security,
and the volumes of encrypted information collected by law
enforcement pursuant to lawful court orders, will ensure that
critical information and evidence will be unintelligible and
unusable in future investigations.
We are urgently trying to develop
our capabilities in this area through the acquisition of hardware
and software tools, technologies and systems, and support
services to work on a variety of research projects to meet
this problem. Last September, the Administration announced
a "New Approach to Encryption" which included significant
changes to the nation's encryption export policies and recommended
public safety enhancement to ensure "that law enforcement
has the legal tools, personnel, and equipment necessary to
investigate crime in an encrypted world."
Specifically, on September 16,
1999, the President, on behalf of law enforcement, transmitted
to Congress the "Cyberspace Electronic Security Act of
1999" which would: ensure that law enforcement maintains
its ability to access decryption information stored with third
parties, while protecting such information from inappropriate
release; protect sensitive investigative techniques and industry
trade secrets from unnecessary disclosure in litigation or
criminal trials involving encryption, consistent with fully
protecting defendants' rights to a fair trial; and authorize
$80 million over four years for the FBI's Technical Support
Center (TSC), which serves as a centralized technical resource
for federal, state and local law enforcement in responding
to the increased use of encryption in criminal cases. The
TSC is an expansion of the FBI's Engineering Research capabilities
that will take advantage of existing institutional and technical
expertise in this area. As indicated earlier, the FY 2001
budget proposes an increase of $7,000,000 for the FBI's counterencryption
program. We urge Congress to support us in these endeavors.
The law enforcement community
relies on lawfully-authorized electronic surveillance as an
essential tool for the investigation, disruption, and prevention
of serious and violent offenses. Technological advances have
taken a serious toll on law enforcement's ability to protect
the public through the use of lawfully-authorized electronic
surveillance. The Communications Assistance for Law Enforcement
Act (CALEA) was passed so that the telecommunications industry
would pro-actively address law enforcement's need and authority
to conduct lawfully-authorized electronic surveillance as
a basic element in providing service. CALEA clarifies and
further defines existing statutory obligations of the telecommunications
industry to assist law enforcement in executing lawfully-authorized
electronic surveillance.
The FBI developed a flexible
deployment strategy to minimize the costs and the operational
impact of installation of CALEA-compliant software on telecommunications
carriers. This strategy supports the carriers' deployment
of CALEA-compliant solutions in accordance with their normal
business cycles when this deployment will not delay implementation
of CALEA solutions in high-priority areas. The carriers will
provide projected CALEA-deployment schedules for all switches
in their network and information pertaining to recent lawfully
authorized electronic surveillance activity. Using this information,
the FBI and the carrier will develop a mutually agreeable
deployment schedule. The FBI provided the carriers with the
Flexible Deployment Assistance Guide to facilitate the carriers'
submission of information.
The FBI is negotiating with
telecommunications carriers and manufacturers of telecommunications
equipment for nationwide Right-to-Use (RTU) licenses to facilitate
the availability of CALEA-compliant software to carriers.
Also, the FBI is establishing a regional, nationwide law enforcement
liaison program. This team will facilitate developing consensus
law enforcement electronic surveillance requirements for all
telecommunications technologies and services required to comply
with CALEA; educate and inform Congress and the Federal Communications
Commission (FCC) to ensure law enforcement's ability to conduct
court-authorized electronic surveillance is not compromised
on any telecommunications technology or service required to
comply with CALEA; identify, publish, and ensure deployment
of capacity requirements in accordance with Section 104 of
CALEA; and develop a prioritized plan for the effective deployment
and tracking of CALEA solutions.
The FBI needs to conduct testing
and verification of manufacturer-proposed CALEA technical
solutions and to have the subject matter expertise necessary
to address new technologies that must comply with CALEA. Without
these capabilities, the FBI will be unable to conduct testing
and verification of manufacturer-proposed CALEA technical
solutions and complete the nationwide RTU license agreements.
The FY 2001 budget proposes a total of $240,000,000 for CALEA
RTU license agreements, including $120,000,000 under the Telecommunications
Carrier Compliance Fund and $120,000,000 under the Department
of Defense. Additionally, $2,100,000 is requested to support
the FBI's CALEA program management office.
Conclusion
Computer crime is one of the
most dynamic problems the FBI faces today. Just think about
how many computers you have owned and how many different software
packages you have learned over the past several years and
you can only begin to appreciate the scope of the problem
we are dealing with in this fast-changing area. We need to
budget for and train on technology that often has not even
been invented when we begin the budget cycle some 18 months
prior to the beginning of the fiscal year. I am proud of the
progress that we have made in dealing with this problem. What
I have tried to do here today is give you a flavor of what
we are facing. I am confident that once the scope of the problem
is clear, we can work together to develop the capabilities
to meet the computer crime problem, in all its facets, head
on. Our economy and public safety depend on it.