Testimony of Louis J. Freeh,
Director, FBI
Before the Senate
Committee on Judiciary, Subcommittee for the Technology, Terrorism,
and Government Information
March 28, 2000
"Cybercrime"
Good morning, Mr. Chairman,
Senator Feinstein, and Members of the Subcommittee. I am privileged
to have this opportunity to discuss cybercrime -- one of the
fastest evolving areas of criminal behavior and a significant
threat to our national and economic security.
Twelve years ago the "Morris
Worm" paralyzed half of the Internet, yet so few of us
were connected at that time that the impact on our society
was minimal. Since then, the Internet has grown from a tool
primarily in the realm of academia and the defense/intelligence
communities, to a global electronic network that touches nearly
every aspect of everyday life at the workplace and in our
homes. The recent denial of service attacks on leading elements
of the electronic economic sector, including Yahoo!, Amazon.com,
Buy.com, eBay, E*Trade, CNN, and others, had dramatic and
immediate impact on many Americans. As Senator Bennett recently
stated, "these attacks are only the tip of the iceberg.
They are the part of the iceberg that is visible above the
water, in clear view. But as everyone knows, the largest part
of the iceberg, and possibly the most dangerous, lies beneath
the surface of the water and is difficult to detect. This
is true also with the range of threats to the Internet and
those that rely upon it."
I would like to acknowledge
the strong support this Subcommittee has provided to the FBI
over the past several years for fighting cybercrime. Senator
Kyl's strong support for vital cyber crime legislation such
as the National Infrastructure Protection Act of 1996 and
the Schumer-Kyl bill strengthening 18 U.S.C. 1030 is greatly
appreciated. Senator Kyl and this committee have also been
the strongest supporters of our National Infrastructure Protection
Center. For that support, I would like to say thank you.
In my testimony today, I would
like to first discuss the nature of the threat that is posed
from cybercrime and highlight some recent cases. Then I will
comment on our use of 18 U.S.C. 1030 in fighting cybercrime
and say a few words about the Schumer-Kyl bill. Finally, I
would like to close by discussing several of the challenges
that cybercrime and technology present for law enforcement.
Cybercrime Threats Faced
by Law Enforcement
Before discussing the FBI's
programs and requirements with respect to cybercrime, let
me take a few minutes to discuss the dimensions of the problem.
Our case load is increasing dramatically. In FY 1998, we opened
547 computer intrusion cases; in FY 1999, that had jumped
to 1154. At the same time, because of the opening of the National
Infrastructure Protection Center (NIPC) in February 1998,
and our improving ability to fight cyber crime, we closed
more cases. In FY 1998, we closed 399 intrusion cases, and
in FY 1999, we closed 912 such cases. However, given the exponential
increase in the number of cases opened, cited above, our actual
number of pending cases has increased by 39%, from 601 at
the end of FY 1998, to 834 at the end of FY 1999. In short,
even though we have markedly improved our capabilities to
fight cyber intrusions, the problem is growing even faster.
A few days ago the Computer
Security Institute released its fifth annual "Computer
Crime and Security Survey." The results only confirm
what we had already suspected given our burgeoning case load,
that more companies surveyed are reporting intrusions, that
dollar losses are increasing, that insiders remain a serious
threat, and that more companies are doing more business on
the Internet than ever before.
The statistics tell the story.
Ninety percent of respondents detected security breaches over
the last 12 months. At least 74 percent of respondents reported
security breaches including theft of proprietary information,
financial fraud, system penetration by outsiders, data or
network sabotage, or denial of service attacks. Information
theft and financial fraud caused the most severe financial
losses, put at $68 million and $56 million respectively. The
losses from 273 respondents totaled just over $265 million.
Losses traced to denial of service attacks were only $77,000
in 1998, and by 1999 had risen to just $116,250. Further,
the new survey reports on numbers taken before the high-profile
February attacks against Yahoo, Amazon and eBay. Finally,
many companies are experiencing multiple attacks; 19% of respondents
reported 10 or more incidents.
Over the past several years
we have seen a range of computer crimes ranging from defacement
of websites by juveniles to sophisticated intrusions that
we suspect may be sponsored by foreign powers, and everything
in between. Some of these are obviously more significant than
others. The theft of national security information from a
government agency or the interruption of electrical power
to a major metropolitan area have greater consequences for
national security, public safety, and the economy than the
defacement of a web-site. But even the less serious categories
have real consequences and, ultimately, can undermine confidence
in e-commerce and violate privacy or property rights. A website
hack that shuts down an e-commerce site can have disastrous
consequences for a business. An intrusion that results in
the theft of credit card numbers from an online vendor can
result in significant financial loss and, more broadly, reduce
consumers' willingness to engage in e-commerce. Because of
these implications, it is critical that we have in place the
programs and resources to investigate and, ultimately, to
deter these sorts of crimes.
The following are some of the categories of cyber threats
that we confront today.
Insiders. The disgruntled insider (a current or former employee
of a company) is a principal source of computer crimes for
many companies. Insiders' knowledge of the target companies'
network often allows them to gain unrestricted access to cause
damage to the system or to steal proprietary data. The just-released
2000 survey by the Computer Security Institute and FBI reports
that 71% of respondents detected unauthorized access to systems
by insiders.
One example of an insider was
George Parente. In 1997, Parente was arrested for causing
five network servers at the publishing company Forbes, Inc.,
to crash. Parente was a former Forbes computer technician
who had been terminated from temporary employment. In what
appears to have been a vengeful act against the company and
his supervisors, Parente dialed into the Forbes computer system
from his residence and gained access through a co-worker's
log-in and password. Once online, he caused five of the eight
Forbes computer network servers to crash, and erased all of
the server volume on each of the affected servers. No data
could be restored. Parente's sabotage resulted in a two day
shut down in Forbes' New York operations with losses exceeding
$100,000. Parente pleaded guilty to one count of violating
the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030.
In January and February 1999
the National Library of Medicine (NLM) computer system, relied
on by hundreds of thousands of doctors and medical professionals
from around the world for the latest information on diseases,
treatments, drugs, and dosage units, suffered a series of
intrusions in which system administrator passwords were obtained
and hundreds of files were downloaded, including sensitive
medical "alert" files and programming files that
kept the system running properly. The intrusions were a significant
threat to public safety and resulted in a monetary loss in
excess of $25,000. FBI investigation identified the intruder
as Montgomery Johns Gray, III, a former computer programmer
for NLM, whose access to the computer system had been revoked.
Gray was able to access the system through a "backdoor"
he had created in the programming code. Due to the threat
to public safety, a search warrant was executed for Gray's
computers and Gray was arrested by the FBI within a few days
of the intrusions. Subsequent examination of the seized computers
disclosed evidence of the intrusion as well as images of child
pornography. Gray was convicted by a jury in December 1999
on three counts for violation of 18 U.S.C. 1030. Subsequently,
Gray pleaded guilty to receiving obscene images through the
Internet, in violation of 47 U.S.C. 223.
Hackers. Hackers (or "crackers") are also a common threat.
They sometimes crack into networks simply for the thrill of
the challenge or for bragging rights in the hacker community.
Recently, however, we have seen more cases of hacking for
illicit financial gain or other malicious purposes.
While remote cracking once required
a fair amount of skill or computer knowledge, hackers can
now download attack scripts and protocols from the World Wide
Web and launch them against victim sites. Thus while attack
tools have become more sophisticated, they have also become
easier to use. The distributed denial-of-service (DDOS) attacks
last month are only the most recent illustration of the economic
disruption that can be caused by tools now readily available
on the Internet.
Another recent case illustrates
the scope of the problem. On Friday authorities in Wales,
acting in coordination with the FBI, arrested two individuals
for alleged intrusions into e-commerce sites in several countries
and the theft of credit card information on over 26,000 accounts.
One subject used the Internet alias "CURADOR." Losses
from this case could exceed $3,000,000. The FBI cooperated
closely with the Dyfed-Powys Police Service in the United
Kingdom, the Royal Canadian Mounted Police in Canada, and
private industry. This investigation involved the Philadelphia
Division, seven other FBI field offices, our Legal Attache
in London, and the NIPC. This case demonstrates the close
partnerships that we have built with our foreign law enforcement
counterparts and with private industry.
We have also seen a rise recently
in politically motivated attacks on web pages or email servers,
which some have dubbed "hacktivism." In these incidents,
groups and individuals overload e-mail servers or deface web
sites to send a political message. While these attacks generally
have not altered operating systems or networks, they have
disrupted services, caused monetary loss, and denied the public
access to websites containing valuable information, thereby
infringing on others' rights to disseminate and receive information.
Examples of "hacktivism" include a case in 1996,
in which an unknown subject gained unauthorized access to
the computer system hosting the Department of Justice Internet
web site. The intruders deleted over 200 directories and their
contents on the computer system and installed their own pages.
The installed pages were critical of the Communications Decency
Act (CDA) and included pictures of Adolf Hitler, swastikas,
pictures of sexual bondage scenes, a speech falsely attributed
to President Clinton, and fabricated CDA text.
Virus Writers. Virus writers are posing an increasingly serious
threat to networks and systems worldwide. Last year saw the
proliferation of several destructive computer viruses or "worms,"
including the Melissa Macro Virus, the Explore.Zip worm, and
the CIH (Chernobyl) Virus. The NIPC frequently sends out warnings
or advisories regarding particularly dangerous viruses, which
can allow potential victims to take protective steps and minimize
the destructive consequences of a virus.
The Melissa Macro Virus was
a good example of our two-fold response -- encompassing both
warning and investigation -- to a virus spreading in the networks.
The NIPC sent out warnings as soon as it had solid information
on the virus and its effects; these warnings helped alert
the public and reduce the potential destructive impact of
the virus. On the investigative side, the NIPC acted as a
central point of contact for the field offices who worked
leads on the case. A tip received by the New Jersey State
Police from America Online, and their follow-up investigation
with the FBI's Newark Division, led to the April 1, 1999 arrest
of David L. Smith. Mr. Smith pleaded guilty to one count of
violating 18 U.S.C. § 1030 in Federal Court, and to four
state felony counts. As part of his guilty plea, Smith stipulated
to affecting one million computer systems and causing $80
million in damage. Smith is awaiting sentencing.
Criminal Groups. We are also seeing the increased use of cyber
intrusions by criminal groups who attack systems for purposes
of monetary gain. In September, 1999, two members of a group
dubbed the "Phonemasters" were sentenced after their
conviction for theft and possession of unauthorized access
devices (18 USC § 1029) and unauthorized access to a
federal interest computer (18 USC § 1030). The "Phonemasters"
were an international group of criminals who penetrated the
computer systems of MCI, Sprint, AT&T, Equifax, and even
the National Crime Information Center. Under judicially approved
electronic surveillance orders, the FBI's Dallas Division
made use of new data intercept technology to monitor the calling
activity and modem pulses of one of the suspects, Calvin Cantrell.
Mr. Cantrell downloaded thousands of Sprint calling card numbers,
which he sold to a Canadian individual, who passed them on
to someone in Ohio. These numbers made their way to an individual
in Switzerland and eventually ended up in the hands of organized
crime groups in Italy. Cantrell was sentenced to two years
as a result of his guilty plea, while one of his associates,
Cory Lindsay, was sentenced to 41 months.
The Phonemasters' methods included
"dumpster diving" to gather old phone books and
technical manuals for systems. They used this information
to trick employees into giving up their logon and password
information. The group then used this information to break
into victim systems. It is important to remember that often
"cyber crimes" are facilitated by old fashioned
guile, such as calling employees and tricking them into giving
up passwords. Good cyber security practices must therefore
address personnel security and "social engineering"
in addition to instituting electronic security measures.
Another example of cyber intrusions
used to implement a criminal conspiracy involved Vladimir
L. Levin and numerous accomplices who illegally transferred
more than $10 million in funds from three Citibank corporate
customers to bank accounts in California, Finland, Germany,
the Netherlands, Switzerland, and Israel between June and
October 1994. Levin, a Russian computer expert, gained access
over 40 times to Citibank's cash management system using a
personal computer and stolen passwords and identification
numbers. Russian telephone company employees working with
Citibank were able to trace the source of the transfers to
Levin's employer in St. Petersburg, Russia. Levin was arrested
in March 1995 in London and subsequently extradited to the
U.S. On February 24, 1998, he was sentenced to three years
in prison and ordered to pay Citibank $240,000 in restitution.
Four of Levin's accomplices pleaded guilty and one was arrested
but could not be extradited. Citibank was able to recover
all but $400,000 of the $10 million illegally transferred
funds.
Beyond criminal threats in cyber
space, we also face a variety of significant national security
threats.
Terrorists. Terrorist groups are increasingly using new
information technology and the Internet to formulate plans,
raise funds, spread propaganda, and to communicate securely.
In his statement on the worldwide threat in 2000, Director
of Central Intelligence George Tenet testified that terrorist
groups, "including Hizbollah, HAMAS, the Abu Nidal organization,
and Bin Laden's al Qa'ida organization are using computerized
files, e-mail, and encryption to support their operations."
In one example, convicted terrorist Ramzi Yousef, the mastermind
of the World Trade Center bombing, stored detailed plans to
destroy United States airliners on encrypted files on his
laptop computer. While we have not yet seen these groups employ
cyber tools as a weapon to use against critical infrastructures,
their reliance on information technology and acquisition of
computer expertise are clear warning signs. Moreover, we have
seen other terrorist groups, such as the Internet Black Tigers
(who are reportedly affiliated with the Tamil Tigers), engage
in attacks on foreign government web-sites and email servers.
"Cyber terrorism," by which I mean the use
of cyber tools to shut down critical national infrastructures
(such as energy, transportation, or government operations)
for the purpose of coercing or intimidating a government or
civilian population, is thus a very real, though still
largely potential, threat.
Foreign intelligence services. Not surprisingly, foreign intelligence services
have adapted to using cyber tools as part of their espionage
tradecraft. Even as far back as 1986, before the worldwide
surge in Internet use, the KGB employed West German hackers
to access Department of Defense systems in the well-known
"Cuckoo's Egg" case. While I cannot go into specifics
about more recent developments in an open hearing, it should
not surprise anyone to hear that foreign intelligence services
increasingly view computer intrusions as a useful tool for
acquiring sensitive U.S. government and private sector information.
Information Warfare. The prospect of "information warfare"
by foreign militaries against our critical infrastructures
is perhaps the greatest potential cyber threat to our national
security. We know that several foreign nations are developing
information warfare doctrine, programs, and capabilities for
use against the United States or other nations. Knowing that
they cannot match our military might with conventional or
"kinetic" weapons, nations see cyber attacks on
our critical infrastructures or military operations as a way
to hit what they perceive as America's Achilles heel:
our growing dependence on information technology in government
and commercial operations. For example, two Chinese military
officers recently published a book that called for the use
of unconventional measures, including the propagation of computer
viruses, to counterbalance the military power of the United
States. And a Russian official has also commented that an
attack on a national infrastructure could, "by virtue
of its catastrophic consequences, completely overlap with
the use of [weapons] of mass destruction."
The categories described above
involve computers used as weapons and as targets of a crime.
We are also seeing computers used to facilitate more traditional
forms of crime.
Internet Fraud. One of the most critical challenges facing the
FBI and law enforcement in general, is the use of the Internet
for fraudulent purposes. Understanding and using the Internet
to combat Internet fraud is essential for law enforcement.
The accessibility of such an immense audience coupled with
the anonymity of the subject requires a different approach.
The Internet is a perfect medium to locate victims and provide
an environment where victims do not see or speak to the "fraudsters."
Anyone in the privacy of their own home can create a very
persuasive vehicle for fraud over the Internet. Internet fraud
does not have traditional boundaries as seen in the traditional
schemes. The traditional methods of detecting, reporting,
and investigating fraud fail in this environment. By now it
is common knowledge that the Internet is being used to host
criminal behavior. The top ten most frequently reported frauds
committed on the Internet include Web auctions, Internet services,
general merchandise, computer equipment/software, pyramid
schemes, business opportunities/franchises, work at home plans,
credit card issuing, prizes/sweepstakes and book sales.
Let me provide you with some
specific examples. Securities offered over the Internet have
added an entirely new dimension to securities fraud investigations.
Investors are able to research potential investments and actually
invest over the Internet with ease through electronic linkage
to a number of services that provide stock and commodity quotations,
as well as critical financial information. The North American
Securities Administrators Association has estimated that Internet-related
stock fraud results in approximately $10 billion per year
(or $1 million per hour) in losses to investors; this is currently
the second most common form of investment fraud.
On April 7, 1999, visitors to
an online financial news message board operated by Yahoo!,
Inc. got a scoop on PairGain, a telecommunications company
based in Tustin, California. An e-mail posted on the message
board under the subject line "Buyout News" said
that PairGain was being taken over by an Israeli company.
The e-mail also provided a link to what appeared to be a website
of Bloomberg News Service, containing a detailed story on
the takeover. As news of the takeover spread, the company's
publicly traded stock shot up more than 30 percent, and the
trading volume grew to nearly seven times its norm. There
was only one problem: the story was false, and the website
on which it appeared was not Bloomberg's site, but a counterfeit
site. When news of the hoax spread, the price of the stock
dropped sharply, causing significant financial losses to many
investors who purchased the stock at artificially inflated
prices.
Within a week after this hoax
appeared, the FBI arrested a Raleigh, North Carolina man for
what was believed to be the first stock manipulation scheme
perpetrated by a fraudulent Internet site. The perpetrator
was traced through an Internet Protocol address that he used,
and he was charged with securities fraud for disseminating
false information about a publicly traded stock.
In another example, on March
5, 2000, nineteen people were charged in a multimillion-dollar
New York-based insider trading scheme. In one of the first
cases of its kind, the Internet took a starring role as allegedly
about $8.4 million was illegally pocketed from secrets traded
in cyberspace chat rooms. Richard Walker, director of enforcement
for the Securities and Exchange Commission, called the case
"one of the most elaborate insider trading schemes in
history." At the core of the scheme, a disgruntled part-time
computer graphics worker allegedly went online and found other
disgruntled investors of the company in America Online chat
rooms. He soon was passing inside information on clients of
Goldman Sachs and Credit Suisse First Boston to two other
individuals in exchange for a percentage of any profits they
earned by acting on it. For 2-1/2 years, this employee passed
inside information, communicating almost solely through online
chats and instant messages. The part-time computer graphics
worker received $170,000 in kickbacks while his partners made
$500,000.
Other individuals also became
involved as the three defendants who hatched the scheme passed
the inside information. More and more individuals became aware
of the insider information. For instance, one individual allegedly
opened a brokerage account and told his broker that he had
inside information, and the broker then tipped off three of
his customers, allowing them to earn more than $2.6 million.
There is a need for a proactive approach when investigating
Internet fraud. There is an essential need to establish a
central repository for complaints of Internet fraud. The FBI
and the National White Collar Crime Center (NW3C) are addressing
this need by cosponsoring the Internet Fraud Complaint Center
(IFCC). This partnership will ensure that Internet fraud is
addressed at all levels of law enforcement (local, state and
federal). The IFCC is necessary to adequately identify, track,
and investigate new fraudulent schemes on the Internet on
a national and international level. IFCC personnel will collect,
analyze, evaluate, and disseminate Internet fraud complaints
to the appropriate law enforcement agency. The IFCC will provide
a mechanism by which Internet fraud schemes are identified
and addressed through a criminal investigative effort. The
IFCC will provide analytical support, and aid in the development
of a training module to address Internet fraud. The information
obtained from the data collected will provide the foundation
for the development of a national strategic plan to address
Internet fraud. The IFCC will be open and fully operational
on May 8, 2000.
Intellectual Property Rights. Intellectual property is the driver of the 21st
century American economy. In many ways it has become what
America does best. The United States is the leader in the
development of creative, technical intellectual property.
Violations of Intellectual Property Rights, therefore, threaten
the very basis of our economy. Of primary concern is the development
and production of trade secret information. The American Society
of Industrial Security estimated the potential losses at $2
billion per month in 1997. Pirated products threaten public
safety in that many are manufactured to inferior or non-existent
quality standards. A growing percentage of IPR violations
now involve the Internet. There are thousands of web sites
solely devoted to the distribution of pirated materials. The
FBI has recognized, along with other federal agencies, that
a coordinated effort must be made to attack this problem.
The FBI, along with the Department of Justice, U.S. Customs
Service, and other agencies with IPR responsibilities, will
be opening an IPR Center this year to enhance our national
ability to investigate and prosecute IPR crimes through the
sharing of information among agencies.
Distributed Denial of Service
Attacks.
The recent distributed denial
of service (DDOS) attacks have garnered a tremendous amount
of interest in the public and in the Congress. Because we
are actively investigating these attacks, I cannot provide
a detailed briefing on the status of our efforts. However,
I can provide an overview of our activities to deal with the
DDOS threat beginning last year and of our investigative efforts
over the last several weeks.
In the fall of 1999, the NIPC
began receiving reports about a new threat on the Internet--Distributed
Denial of Service Attacks. In these cases, hackers plant tools
such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht
(German for barbed wire) on a number of unwitting victim systems.
Then when the hacker sends the command, the victim systems
in turn begin sending messages against a target system. The
target system is overwhelmed with the traffic and is unable
to function. Users trying to access that system are denied
its services.
Because of its concern about this new threat, the NIPC issued
warnings to government agencies, private companies, and the
public in December 1999. Moreover, in late December, the NIPC
determined that a detection tool that it had developed for
investigative purposes might also be used by network operators
to detect the presence of DDOS agents or masters on their
operating systems, and thus would enable them to remove an
agent or master and prevent the network from being unwittingly
utilized in a DDOS attack. Moreover, at that time there was,
to our knowledge, no similar detection tool available commercially.
The NIPC therefore decided to take the unusual and innovative
step of releasing the tool to other agencies and to the public
in an effort to reduce the level of the threat. The NIPC made
the first variant of its software available on the NIPC web
site on December 30, 1999. To maximize the public awareness
of this tool, the FBI's National Press Office announced its
availability in an FBI press release that same date. Since
the first posting of the tool, the NIPC has posted three updated
versions that have perfected the software and made it applicable
to different operating systems.
The public has downloaded these
tools tens of thousands of times from the web site, and has
responded by reporting many installations of the DDOS software,
thereby preventing their networks from being used in attacks
and leading to the opening of criminal investigations both
before and after the widely publicized attacks of the last
few weeks. The NIPC's work with private companies has been
so well received that the trade group SANS awarded their yearly
Security Technology Leadership Award to members of the NIPC's
Special Technologies Applications Unit.
Last month, the NIPC received reports that a new variation
of DDOS tools was being found on Windows operating systems.
One victim entity provided us with the object code to the
tool found on its network. On February 18, the NIPC made the
binaries available to anti-virus companies (through an industry
association) and the Computer Emergency Response Team (CERT)
at Carnegie Mellon University for analysis and so that commercial
vendors could create or adjust their products to detect the
new DDOS variant. Given the attention that DDOS tools have
received in recent weeks, there are now numerous detection
and security products to address this threat, so the NIPC
determined that it could be most helpful by giving them the
necessary code rather than deploying a detection tool itself.
Unfortunately, the warnings
that the NIPC and others in the security community had issued
about DDOS tools last year, while alerting many potential
victims and reducing the threat, did not eliminate the threat.
Quite frequently, even when a threat is known and patches
or detection tools are available, network operators either
remain unaware of the problem or fail to take necessary protective
steps. In addition, in the cyber equivalent of an arms race,
exploits evolve as hackers design variations to evade or overcome
detection software and filters. Even security-conscious companies
that put in place all available security measures therefore
are not invulnerable. And, particularly with DDOS tools, one
organization might be the victim of a successful attack despite
its best efforts, because another organization failed to take
steps to keep itself from being made the unwitting participant
in an attack.
On February 7, 2000, the FBI received reports that Yahoo had
experienced a denial of service attack. In a display of the
close cooperative relationship the NIPC has developed with
the private sector, in the days that followed, several other
companies also reported denial of service outages. These companies
cooperated with our National Infrastructure Protection and
Computer Intrusion squads in the FBI field offices and provided
critical logs and other information. Still, the challenges
to apprehending the suspects are substantial. In many cases,
the attackers used "spoofed" IP addresses, meaning
that the address that appeared on the target's log was not
the true address of the system that sent the messages.
The resources required in these
investigations can be substantial. Several FBI field offices
have opened investigations and almost all of our other offices
are supporting these cases. The NIPC is coordinating the nationwide
investigative effort, performing technical analysis of logs
from victim sites and Internet Service Providers, and providing
all-source analytical assistance to field offices. While the
crime may be high tech, investigating it involves a substantial
amount of traditional police work as well as technical work.
For example, in addition to following up leads, NIPC personnel
need to review an overwhelming amount of log information received
from the victims. Much of this analysis needs to be done manually.
Analysts and agents conducting this analysis have been drawn
off other case work. In the coming years we expect our case
load to substantially increase.
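The DDOS mechanism described earlier (agents planted on unwitting hosts that all flood one target on command) and the two investigative difficulties just mentioned (spoofed source addresses in the target's logs, and an overwhelming volume of log data reviewed by hand) can be illustrated with a small target-side detector. This is an added example, not code from the testimony, the FBI, or the NIPC's released tool; the log line format, the addresses, the one-second window, the packet threshold, and the spoofing heuristic are all assumptions constructed for the illustration. The design point is that aggregation is done per target and per time window, because under spoofing the source field is exactly the one that cannot be trusted.

```python
"""Target-side flood detection over constructed packet-style log lines.

Added example, not from the testimony or the NIPC.  Because source
addresses may be forged, the detector counts packets per *destination*
per time window, and reports how many distinct source addresses appeared
in each flood window as a spoofing indicator.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "ISO-time src dst proto").
# A quiet baseline, then a one-second burst toward 198.51.100.5 from 40
# different claimed sources (the trace a spoofed flood leaves in the
# target's log), then a busy but legitimate single client on 198.51.100.7.
BASELINE = [
    f"2000-02-07T10:00:0{i} 192.0.2.{10 + (i % 2)} 198.51.100.5 tcp"
    for i in range(5)
]
FLOOD = [
    f"2000-02-07T10:00:05 203.0.113.{n} 198.51.100.5 tcp" for n in range(1, 41)
]
BUSY_CLIENT = ["2000-02-07T10:00:06 192.0.2.10 198.51.100.7 tcp"] * 25
SAMPLE_LOG = BASELINE + FLOOD + BUSY_CLIENT


def parse_line(line):
    """Parse one 'ISO-time src dst proto' line; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "src": parts[1], "dst": parts[2], "proto": parts[3]}


def flood_windows(lines, window_seconds=1, threshold=20):
    """Group packets by destination and time window and return the windows
    whose packet count reaches the threshold, in time order.

    Aggregation is keyed on the destination, never on the source, because
    the source field is the one a flood is likely to forge.
    """
    records = [r for r in map(parse_line, lines) if r]
    if not records:
        return []
    base = min(r["ts"] for r in records)
    counts = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        slot = int((r["ts"] - base).total_seconds() // window_seconds)
        key = (r["dst"], slot)
        counts[key] += 1
        sources[key].add(r["src"])
    hits = []
    for (dst, slot), n in sorted(counts.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if n >= threshold:
            start = base + timedelta(seconds=slot * window_seconds)
            hits.append({
                "target": dst,
                "window_start": start.isoformat(),
                "packets": n,
                "distinct_sources": len(sources[(dst, slot)]),
            })
    return hits


def spoofing_suspected(hit, min_ratio=0.8):
    """Heuristic assumed for this example (not an NIPC rule): when nearly
    every packet in a flood window carries a different source address, the
    sources are probably forged, and blocking individual sources will not
    help; the useful response is upstream rate limiting and notifying the
    networks hosting the agents."""
    return hit["distinct_sources"] / hit["packets"] >= min_ratio


if __name__ == "__main__":
    for hit in flood_windows(SAMPLE_LOG):
        flag = "likely spoofed sources" if spoofing_suspected(hit) else "few real sources"
        print(f"{hit['window_start']} -> {hit['target']}: {hit['packets']} packets, "
              f"{hit['distinct_sources']} distinct sources ({flag})")
```

On the constructed sample the detector reports two windows: the 40-packet burst toward 198.51.100.5 from 40 distinct addresses (flagged as likely spoofed) and the 25-packet window toward 198.51.100.7 from a single client (not flagged). The second case is why the distinct-source count matters: a raw packet threshold alone would treat one busy legitimate client the same as a flood.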
The Legal Landscape
To deal with this crime problem,
we must look at whether changes to the legal procedures governing
investigation and prosecution of cyber crimes are warranted.
The problem of Internet crime has grown at such a rapid pace
that the laws have not kept up with the technology. The FBI
is working with the Department of Justice to propose a legislative
package for your review to help keep our laws in step with
these advances.
One example of some of the problems
law enforcement is facing is the jurisdictional limitation
of pen registers and trap-and-trace orders issued by federal
district courts. These orders allow only the capturing of
tracing information, not the content of communications. Currently,
in order to track back a hacking episode in which a single
communication is purposely routed through a number of Internet
Service Providers that are located in different states, we
generally have to get multiple court orders. This is because,
under current law, a federal court can order communications
carriers only within its district to provide tracing information
to law enforcement. As a result of the fact that investigators
typically have to apply for numerous court orders to trace
a single communication, there is a needless waste of time
and resources, and a number of important investigations are
either hampered or derailed entirely in those instances where
law enforcement gets to a communications carrier after that
carrier has already discarded the necessary information. For
example, Kevin Mitnick evaded attempts to trace his calls
by moving around the country and by using cellular phones,
which routed calls through multiple carriers on their way
to the final destination. It was impossible to get orders
quickly enough in all the jurisdictions to trace the calls.
With regard to additional legal
mechanisms needed by law enforcement to help maintain our
abilities to obtain usable evidence in an encrypted world,
last September the Administration announced a "New Approach
to Encryption." This new approach included significant
changes to the nation's encryption export policies and, more
importantly, recommended public safety enhancement to ensure
"that law enforcement has the legal tools, personnel,
and equipment necessary to investigate crime in an encrypted
world." Specifically, the President, on behalf of law
enforcement, transmitted to Congress a legislative proposal
entitled the "Cyberspace Electronic Security Act of 1999"
(CESA). CESA, if enacted, would: 1) protect sensitive investigative
techniques and industry trade secrets from unnecessary disclosure
in litigation or criminal trials involving encrypted evidence;
2) authorize $80 million for the FBI's Technical Support Center
(TSC), which will serve as a centralized technical resource
for federal, state and local law enforcement in responding
to the increased use of encryption in criminal cases; and
3) ensure that law enforcement maintains its ability to access
decryption information stored with third parties, while protecting
such information from inappropriate release. The enactment
of the CESA legislative proposal is supported by the law enforcement
community, to include the International Association of Chiefs
of Police, the National Sheriffs' Association and the National
District Attorneys Association and I strongly encourage its
favorable consideration by Congress.
Finally, we should consider
whether current sentencing provisions for computer crimes
provide an adequate deterrence. Given the degree of harm that
can be caused by a virus, intrusion, or a denial of service
-- in terms of monetary loss to business and consumers, infringement
of privacy, or threats to public safety when critical infrastructures
are affected -- it would be appropriate to consider, as S. 2092
does, whether penalties established years ago remain adequate.
Evaluation of the effectiveness
of 18 U.S.C. § 1030 and the tools to enforce it under
both current law and under S. 2092.
Generally, 18 U.S.C. §1030
has enabled the FBI and other law enforcement agencies to
investigate and prosecute persons who would use the power
of the Internet and computers for criminal purposes. Nonetheless,
just as computer crime has evolved and mutated over the years,
so too must our laws and procedures evolve to meet the changing
nature of these crimes.
One persistent problem is the
need under current law to demonstrate at least $5,000 in damage
for certain hacking offenses enumerated by 18 U.S.C. §1030(a)(5).
In some of the cases investigated by the FBI, damages in excess
of $5,000 on a particular system are difficult to prove. In
other cases, the risk of harm to individuals or to the public
safety posed by breaking into numerous systems and obtaining
root access, with the ability to destroy the confidentiality
or accuracy of crucial -- perhaps lifesaving information --
is very real and very serious even if provable monetary damages
never approach the $5,000 mark. In investigations involving
the dissemination or importation of a virus or other malicious
code, the $5,000 threshold could potentially delay or hinder
early intervention by Federal law enforcement.
S. 2092 significantly adjusts
the $5,000 threshold and other provisions in the current law
by: 1) creating a misdemeanor offense for those cases where
damages are below $5,000, while simultaneously adjusting the
minimum mandatory sentences under the Sentencing Guidelines;
and 2) moving the aggravating factors previously included
in the definition of "damage" under 18 U.S.C. §1030(e)(8)
(such as impairment of medical diagnosis, physical injury
to any person, threat to public health or safety or damage
to national security, national defense or administration of
justice computers) to the general sentencing provisions of
§1030(c) (where they will be on par in serious cases
with the existing $5,000 threshold requirement and will expose
offenders to an enhanced ten year period of imprisonment up
from the current maximum of five years). The critical element
here is that the criminal intended to cause damage, not the
specific amount of damage he intended to cause.
Another issue involves the alarming
number of computer hackers encountered in our investigations
who are juveniles. Under current law, Federal authorities
are not able to prosecute juveniles for any computer violations
of 18 U.S.C. §1030. S. 2092 would authorize (but not
require) the Attorney General to certify for juvenile prosecution
in Federal court youthful offenders who commit the more serious
felony violations of section 1030. Recognizing that this change
will, over time, result in the prosecution of repeat offenders,
S. 2092 also defines the term "conviction" under
§1030 to include prior adjudications of juvenile delinquency
for violations of that section. This is intended to provide
greater specific deterrence to juveniles who are adjudicated
delinquent for computer hacking. Similarly, a majority of
the States have enacted criminal statutes prohibiting unauthorized
computer access analogous to the provisions of section 1030.
As State prosecutions for these offenses increase, the likelihood
of encountering computer offenders in Federal investigations
who have prior State convictions will similarly rise. The
Department is studying whether prior state adult convictions
for comparable computer crimes justify enhanced penalties
for violations of section 1030, just as prior State convictions
for drug offenses trigger enhanced penalties for comparable
Federal drug violations.
Law enforcement also needs updated
tools to investigate, identify, apprehend and successfully
prosecute computer offenders. Today's electronic crimes, which
occur at the speed of light, cannot be effectively investigated
with procedural devices forged in the last millennium during
the infancy of the information technology age. Statutes need
to be rendered technology neutral so that they can be applied
regardless of whether a crime is committed with pen and paper,
e-mail, telephone or geosynchronous orbit satellite personal
communication devices.
As discussed above, a critical
factor in the investigation of computer hacking cases is law
enforcement's ability to swiftly identify the source and the
direction of a hacker's communications. Like all law enforcement
agencies, the FBI relies upon the pen register and trap and
trace provisions contained in 18 U.S.C. §3121 et seq.
to seek court approval to acquire data identifying non-content
information relating to a suspect's communications. Our ability
to identify the perpetrators of crimes like computer hacking
is directly proportional to our ability to quickly acquire
the necessary court orders and quickly serve them upon one
or more service providers in a communications chain. Under
current law, however, valuable time is consumed in acquiring
individual court orders in the name of each communications
company for each newly discerned link in the communications
chain even though the legal justification for the disclosure
remains unchanged and undiminished. S. 2092 would amend 18
U.S.C. §3123(a) to authorize Federal courts to issue
one nation-wide order which may then be served upon one or
more service providers thereby substantially reducing the
time necessary to identify the complete pathway of a suspect's
communication. Second, S. 2092 makes the statute more technology
neutral by, among other things, inserting the terms "or
other facility" wherever "telephone" appears.
This change codifies Federal court decisions that apply the
statute's provisions not merely to traditional telephone,
but to an ever-expanding array of other communications facilities.
Together, these are important changes that do not alter or
lower the showing necessary for the issuance of the court
order but which do enhance the order's usefulness to law enforcement.
We support the goal of S. 2092
to strengthen the general deterrence aspects of the Computer
Fraud and Abuse Act, and to provide some needed procedural
enhancements to help us confront the expanding criminal threat
in this dynamic and important part of our national economy
while continuing to protect individual privacy interests.
The FBI looks forward to working with the Committee on this
important legislation.
Keeping Law Enforcement on
the Cutting Edge of Cyber Crime
As Internet use continues to
soar, cyber crime is also increasing exponentially. As I mentioned
earlier, our case load reflects this growth. In FY 1998, we
opened 547 computer intrusion cases; in FY 1999, that number
jumped to 1154. Similarly, the number of pending cases increased
from 206 at the end of FY 1997, to 601 at the end of FY 1998,
to 834 at the end of FY 99, and to over 900 currently. These
statistics include only computer intrusion cases, and do not
account for computer facilitated crimes such as Internet fraud,
child pornography, or e-mail extortion efforts. In these cases,
the NIPC and NIPCI squads often provide technical assistance
to traditional investigative programs responsible for these
categories of crime.
We can clearly expect these
upward trends to continue. To meet this challenge, we must
ensure that we have adequate resources, including both personnel
and equipment, both at the NIPC and in FBI field offices.
Those personnel need specialized training to be effective.
Like many programs, the NIPC computer intrusion program is
squeezing the most out of every taxpayer dollar. Unfortunately,
the NIPC and related field office program are not scheduled
to receive any additional resources in FY.
At the NIPC, we currently have
101 personnel on board, including 82 FBI employees and 19
detailees from other government agencies. This cadre of investigators,
computer scientists, and analysts perform the numerous and
complex tasks outlined above, and provide critical coordination
and support to field office investigations. As the crime problem
grows, we need to make sure that we keep pace by whatever
means necessary, including maintaining a full complement of
authorized staff, consisting of both FBI personnel and detailees
from other agencies and the private sector. Although expert
personnel in this area are scarce, it is imperative that
our partner agencies participate in the NIPC to enhance our
ability to coordinate interagency activities and share information
effectively.
We currently have 193 agents
in FBI field offices nationwide assigned to investigate computer
intrusions (criminal and national security), denial of service,
and virus cases, and to work infrastructure protection matters
generally (which includes outreach to industry and state and
local law enforcement, our Key Asset Initiative, and support
to other investigative programs). Additional agents can be
called in on investigations as required. In order to maximize
investigative resources the FBI has taken the approach of
creating regional squads in 16 field offices that have sufficient
size to work complex intrusion cases and to assist those field
offices without a NIPCI squad. In those field offices without
squads, the FBI is building a baseline capability by having
one or two agents to work NIPC matters.
In an effort to better use our
resources and leverage the expertise of other agencies, we
are creating cyber crime task forces in FBI field offices.
Last week we unveiled the Pittsburgh High Tech Computer Crimes
Task Force, a new task force aimed at fighting cyber crimes.
The task force, one of the first in the nation, pools experts
from local agencies such as the Pittsburgh police with federal
agencies such as the FBI, Secret Service and the Internal
Revenue Service into one room to combat the rapid growth of
cyber crimes. The task force will use each agency's resources
and obtain technical assistance from Carnegie Mellon's Computer
Emergency Response Team (CERT). We plan to deploy similar
task forces in every FBI field office.
In addition to putting in place
the requisite number of agents, analysts, and computer scientists
in the NIPC and in FBI field offices, we must fill those positions
by recruiting and retaining personnel who have the appropriate
technical, analytical, and investigative skills. This includes
personnel who can read and analyze complex log files, perform
all-source analysis to look for correlations between events
or attack signatures and glean indications of a threat, develop
technical tools to address the constantly changing technological
environment, and conduct complex network investigations.
Training and continuing education
are also critical, and we have made this a top priority at
the NIPC. In FY 1999, we trained 383 FBI and other-government-agency
students in NIPC sponsored training classes on network investigations
and infrastructure protection. The emphasis for 2000 is on
continuing to train federal personnel while expanding training
opportunities for state and local law enforcement personnel.
During FY 2000, we plan to train approximately 740 personnel
from the FBI, other federal agencies, and state and local
law enforcement.
The technical challenges of
fighting crime in this arena are vast. We can start just by
looking at the size of the Internet and its exponential growth.
Today it is estimated that more than 60,000 individual networks
with 40 million users are connected to the Internet. Thousands
of more sites and people are coming on line every month. In
addition, the power of personal computers is vastly increasing.
The FBI's Computer Analysis Response Team (CART) examiners
conducted 1,260 forensic examinations in 1998 and 1,900 in
1999. With the anticipated increase in high technology crime
and the growth of private sector technologies, the FBI expects
50 percent of its caseload to require at least one computer
forensic examination. By 2001, the FBI anticipates the number
of required CART examinations to rise to 6,000.
Developing and deploying state-of-the-art equipment in support
of the NIPC's mission is also very important. Conducting a
network intrusion or denial-of-service investigation often
requires investigative analysis of voluminous amounts of data.
For example, one network intrusion case involving an espionage
matter currently being investigated has required the analysis
of 17.5 Terabytes of data. To place this into perspective,
the entire collection of the Library of Congress, if digitized,
would comprise only 10 Terabytes. The Yahoo DDOS attack involved
approximately 630 Gigabytes of data, which is equivalent to
enough printed pages to fill 630 pickup trucks with paper.
The NIPC's technical analysis requires high capacity equipment
to store, process, analyze, and display data. Again, as the
crime problem grows, we must ensure that our technical capacity
keeps pace.
Clearly, the FBI needs engineering
personnel to develop and deploy sophisticated electronic surveillance
capabilities in an increasingly complex and technical investigative
environment, skilled CART personnel to conduct the computer
forensics examinations to support an increasingly diverse
set of cases involving computers, as well as expert NIPCI
personnel to examine network log files to track the path an
intruder took to his victim.
Moreover, the power of personal
computers is increasing. During the last part of 1998, most
computers on the market had hard drives of 6-8 gigabytes (GB).
Very soon 13-27 GB hard drives will become the norm. By the
end of 2000, we will be seeing 60-80 GB hard drives. All this
increase in storage capacity means more data that must be
searched by our forensics examiners, since even if these hard
drives are not full, the CART examiner must review every bit
of data and every area of the media to search for evidence.
Over the past three years, the
FBI's Laboratory Division (LD) has been increasingly requested
to provide data interception support for such investigative
programs as: Infrastructure Protection, Violent Crimes (Exploitation
of Children, Extortion), Counterterrorism, and Espionage.
In fact, since 1997, the LD has seen a dramatic increase in
field requests for assistance with interception of data communications.
Unless the FBI increases its data interception capabilities,
investigators and prosecutors will be denied timely access
to valuable evidence that will solve crimes and support the
successful prosecutions of child pornographers, drug traffickers,
corrupt officials, persons committing fraud, terrorists, and
other criminals.
Finally, one of the largest
challenges to FBI computer investigative capabilities lies
in the increasingly widespread use of strong encryption. The
widespread use of digitally-based telecommunications technologies,
and the unprecedented expansion of computer networks incorporating
privacy features/capabilities through the use of cryptography
(i.e. encryption), has placed a tremendous burden on the FBI's
electronic surveillance technologies. Today the most basic
communications employ layers of protocols, formatting, compression
and proprietary coding that were non-existent only a few years
ago. New cryptographic systems provide robust security to
conventional and cellular telephone conversations, facsimile
transmissions, local and wide area networks, Internet communications,
personal computers, wireless transmissions, electronically
stored information, remote keyless entry systems, advanced
messaging systems, and radio frequency communications systems.
The FBI is already encountering the use of strong encryption.
In 1999, 53 new cases involved the use of encryption.
It is imperative that the FBI,
on behalf of the law enforcement community, enhance its technical
capabilities in the area of plaintext access to encrypted
evidence. In order to do this, law enforcement needs Congressional
support, both in terms of additional funding and authorizations,
for developing, maintaining, and deploying technical capabilities
that will provide law enforcement with these urgently needed
technical capabilities and meet the public safety challenges
posed by the criminal use of encryption. Included in the Administration's
"New Approach to Encryption" announcement last September
was support for the creation of the FBI's Technical Support
Center, which will serve as a centralized technical resource
for federal, state and local law enforcement with the necessary
technical capabilities to respond to the increased use of
encryption in criminal cases. The Technical Support Center
is envisioned as an expansion of the FBI's Engineering Research
Facility (ERF) to take advantage of ERF's existing institutional
and technical expertise in this area. The Administration's
"Cyberspace Electronic Security Act of 1999" legislative
proposal includes a provision authorizing $80 million over
four years for the Technical Support Center. The President's
FY 2001 budget includes a $7 million enhancement for this effort.
Conclusion
I want to thank the subcommittees again for giving me the
opportunity to testify here today. The cyber crime problem
is real, and growing. The NIPC is moving aggressively to meet
this challenge by training FBI agents and investigators from
other agencies on how to investigate computer intrusion cases,
equipping them with the latest technology and technical assistance,
developing our analytic capabilities and warning mechanisms
to head off or mitigate attacks, and closely cooperating with
the private sector. We have already had significant successes
in the fight. I look forward to working with Congress to ensure
that we continue to be able to meet the threat as it evolves
and grows. Thank you.