Testimony of Michael A. Vatis, Director, National Infrastructure Protection Center, FBI
Before the Senate Judiciary Committee, Criminal Justice Oversight Subcommittee and House Judiciary Committee, Crime Subcommittee
February 29, 2000
"Cybercrime"

Good afternoon, Chairman Thurmond, Chairman McCollum, and members of the subcommittees. I am pleased to be testifying today before this special joint hearing. Addressing the problem of cyber crime requires dynamic new working relationships in both the government and private sector. This joint meeting symbolizes in part those new relationships. Our ability in law enforcement to deal with this crime problem will also require the support of Congress, and I want to express my appreciation for your subcommittees' longstanding support for the work of the FBI, and for your acknowledgment of the importance of the issue of cyber crime. The recent denial-of-service attacks against Yahoo!, Amazon.com, E-bay, CNN, Buy.com, and other e-commerce web sites have thrust the security of our information infrastructure into the spotlight. I look forward to discussing the steps we have taken to tackle this issue to date, and the measures that are necessary to ensure that we retain the ability to deal with this problem in the future.

The changes wrought by the Internet to our society -- including business, education, government, and personal communication -- are evident all around us, and still very much in flux. The cyber revolution has permeated virtually every facet of our lives. Unfortunately, that revolution has entered the criminal arena as well. For just as millions of people around the globe have incorporated the Internet and advanced information technology into their daily endeavors, so have criminals, terrorists, and adversarial foreign nations. Whether we like it or not, cyber crime presents the most fundamental challenge for law enforcement in the 21st Century. By its very nature, the cyber environment is borderless, affords easy anonymity and methods of concealment to bad actors, and provides new tools to engage in criminal activity. A criminal sitting on the other side of the planet is now capable of stealthily infiltrating a computer network in this country to steal money, abscond with proprietary information, or shut down e-commerce sites. To deal with this problem, law enforcement must retool its work force, its equipment, and its own information infrastructure. It must also forge new partnerships with private industry, other agencies, and our international counterparts. We have been doing all of these things for the last two years. But we must continue to build upon our progress to ensure that we can perform our responsibilities to protect public safety and national security in the Information Age. These are some of the issues I would like to focus on today.

The NIPC

Let me begin with some background about the National Infrastructure Protection Center, or "NIPC." The NIPC is an interagency Center located at the FBI. Created in 1998, the NIPC serves as the focal point for the government's efforts to warn of and respond to cyber attacks, particularly those that are directed at our nation's "critical infrastructures." These infrastructures include telecommunications and information, energy, banking and finance, transportation, government operations, and emergency services. In Presidential Decision Directive (PDD) 63, the President directed that the NIPC serve as a "national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity." The PDD further states that the mission of the NIPC "will include providing timely warnings of intentional threats, comprehensive analyses and law enforcement investigation and response."

To accomplish its goals, the NIPC is organized into three sections:

  • The Computer Investigations and Operations Section (CIOS) is the operational response arm of the Center. It supports and, where necessary, coordinates computer investigations conducted by FBI field offices throughout the country, provides expert technical assistance to network investigations, and provides a cyber emergency response capability to coordinate the response to a national-level cyber incident.
  • The Analysis and Warning Section (AWS) serves as the "indications and warning" arm of the NIPC. It provides tactical analytical support during a cyber incident, and also develops strategic analyses of threats for dissemination to both government and private sector entities so that they can take appropriate steps to protect themselves. Through its 24/7 watch and warning operation, it maintains a real-time situational awareness by reviewing numerous governmental and "open" sources of information and by maintaining communications with partner entities in the government and private sector. Through its efforts, the AWS strives to acquire indications of a possible attack, assess the information, and issue appropriate warnings to government and private sector partners as quickly as possible.
  • The Training, Outreach and Strategy Section (TOSS) coordinates the vital training of cyber investigators in the FBI field offices, other federal agencies, and state and local law enforcement. It also coordinates outreach to private industry and government agencies to build the partnerships that are key to both our investigative and our warning missions. In addition, this section manages our efforts to catalogue information about individual "key assets" across the country which, if successfully attacked, could have significant repercussions on our economy or national security. Finally, the TOSS handles the development of strategy and policy in conjunction with other agencies and the Congress.

Beyond the NIPC at FBI Headquarters, we have also created a cyber crime investigative program in all FBI Field Offices called the National Infrastructure Protection and Computer Intrusion (NIPCI) Program. This program, managed by the NIPC, consists of special agents in each FBI Field Office who are responsible for investigating computer intrusions, viruses, or denial of service attacks, for implementing our key asset initiative, and for conducting critical liaison activities with private industry. They are also developing cyber crime task forces in partnership with state and local law enforcement entities within their jurisdiction to leverage the limited resources in this area.

The Broad Spectrum of Cyber Threats

Over the past several years we have seen a range of computer crimes ranging from defacement of websites by juveniles to sophisticated intrusions that we suspect may be sponsored by foreign powers, and everything in between. Some of these are obviously more significant than others. The theft of national security information from a government agency or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a web-site. But even the less serious categories have real consequences and, ultimately, can undermine confidence in e-commerce and violate privacy or property rights. A website hack that shuts down an e-commerce site can have disastrous consequences for a business. An intrusion that results in the theft of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers' willingness to engage in e-commerce. Because of these implications, it is critical that we have in place the programs and resources to investigate and, ultimately, to deter these sorts of crimes.

The following are some of the categories of cyber threats that we confront today.

Insiders. The disgruntled insider (a current or former employee of a company) is a principal source of computer crimes for many companies. Insiders' knowledge of the target companies' network often allows them to gain unrestricted access to cause damage to the system or to steal proprietary data. The 1999 Computer Security Institute/FBI report notes that 55% of respondents reported malicious activity by insiders.

One example of an insider was George Parente. In 1997, Parente was arrested for causing five network servers at the publishing company Forbes, Inc., to crash. Parente was a former Forbes computer technician who had been terminated from temporary employment. In what appears to have been a vengeful act against the company and his supervisors, Parente dialed into the Forbes computer system from his residence and gained access through a co-worker's log-in and password. Once online, he caused five of the eight Forbes computer network servers to crash, and erased all of the server volume on each of the affected servers. No data could be restored. Parente's sabotage resulted in a two day shut down in Forbes' New York operations with losses exceeding $100,000. Parente pleaded guilty to one count of violating the Computer Fraud and Abuse Act, Title 18 U.S.C. 1030.

Hackers. Hackers (or "crackers") are also a common threat. They sometimes crack into networks simply for the thrill of the challenge or for bragging rights in the hacker community. Recently, however, we have seen more cases of hacking for illicit financial gain or other malicious purposes. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the World Wide Web and launch them against victim sites. Thus while attack tools have become more sophisticated, they have also become easier to use. The distributed denial-of-service (DDOS) attacks earlier this month are only the most recent illustration of the economic disruption that can be caused by tools now readily available on the Internet.

We have also seen a rise recently in politically motivated attacks on web pages or email servers, which some have dubbed "hacktivism." In these incidents, groups and individuals overload e-mail servers or deface web sites to send a political message. While these attacks generally have not altered operating systems or networks, they have disrupted services, caused monetary loss, and denied the public access to websites containing valuable information, thereby infringing on others' rights to disseminate and receive information. Examples of "hacktivism" include a case in 1996, in which an unknown subject gained unauthorized access to the computer system hosting the Department of Justice Internet web site. The intruders deleted over 200 directories and their contents on the computer system and installed their own pages. The installed pages were critical of the Communications Decency Act (CDA) and included pictures of Adolf Hitler, swastikas, pictures of sexual bondage scenes, a speech falsely attributed to President Clinton, and fabricated CDA text.

Virus Writers. Virus writers are posing an increasingly serious threat to networks and systems worldwide. Last year saw the proliferation of several destructive computer viruses or "worms," including the Melissa Macro Virus, the Explore.Zip worm, and the CIH (Chernobyl) Virus. The NIPC frequently sends out warnings or advisories regarding particularly dangerous viruses, which can allow potential victims to take protective steps and minimize the destructive consequences of a virus.

The Melissa Macro Virus was a good example of our two-fold response -- encompassing both warning and investigation -- to a virus spreading in the networks. The NIPC sent out warnings as soon as it had solid information on the virus and its effects; these warnings helped alert the public and reduce the potential destructive impact of the virus. On the investigative side, the NIPC acted as a central point of contact for the field offices who worked leads on the case. A tip received by the New Jersey State Police from America Online, and their follow-up investigation with the FBI's Newark Division, led to the April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one count of violating 18 U.S.C. § 1030 in Federal Court, and to four state felony counts. As part of his guilty plea, Smith stipulated to affecting one million computer systems and causing $80 million in damage. Smith is awaiting sentencing.

Criminal Groups. We are also seeing the increased use of cyber intrusions by criminal groups who attack systems for purposes of monetary gain. In September, 1999, two members of a group dubbed the "Phonemasters" were sentenced after their conviction for theft and possession of unauthorized access devices (18 USC § 1029) and unauthorized access to a federal interest computer (18 USC § 1030). The "Phonemasters" were an international group of criminals who penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even the National Crime Information Center. Under judicially approved electronic surveillance orders, the FBI's Dallas Division made use of new data intercept technology to monitor the calling activity and modem pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card numbers, which he sold to a Canadian individual, who passed them on to someone in Ohio. These numbers made their way to an individual in Switzerland and eventually ended up in the hands of organized crime groups in Italy. Cantrell was sentenced to two years as a result of his guilty plea, while one of his associates, Cory Lindsay, was sentenced to 41 months.

The Phonemasters' methods included "dumpster diving" to gather old phone books and technical manuals for systems. They used this information to trick employees into giving up their logon and password information. The group then used this information to break into victim systems. It is important to remember that often "cyber crimes" are facilitated by old fashioned guile, such as calling employees and tricking them into giving up passwords. Good cyber security practices must therefore address personnel security and "social engineering" in addition to instituting electronic security measures.

Another example of cyber intrusions used to implement a criminal conspiracy involved Vladimir L. Levin and numerous accomplices who illegally transferred more than $10 million in funds from three Citibank corporate customers to bank accounts in California, Finland, Germany, the Netherlands, Switzerland, and Israel between June and October 1994. Levin, a Russian computer expert, gained access over 40 times to Citibank's cash management system using a personal computer and stolen passwords and identification numbers. Russian telephone company employees working with Citibank were able to trace the source of the transfers to Levin's employer in St. Petersburg, Russia. Levin was arrested in March 1995 in London and subsequently extradited to the U.S. On February 24, 1998, he was sentenced to three years in prison and ordered to pay Citibank $240,000 in restitution. Four of Levin's accomplices pleaded guilty and one was arrested but could not be extradited. Citibank was able to recover all but $400,000 of the $10 million illegally transferred funds.

Unfortunately, cyberspace provides new tools not only for criminals, but for national security threats as well. These include terrorists, foreign intelligence agencies, and foreign militaries.

Terrorists. Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate securely. In his statement on the worldwide threat in 2000, Director of Central Intelligence George Tenet testified that terrorist groups, "including Hizbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida organization are using computerized files, e-mail, and encryption to support their operations." In one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer. While we have not yet seen these groups employ cyber tools as a weapon to use against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. Moreover, we have seen other terrorist groups, such as the Internet Black Tigers (who are reportedly affiliated with the Tamil Tigers), engage in attacks on foreign government web-sites and email servers. "Cyber terrorism" – by which I mean the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population – is thus a very real, though still largely potential, threat.

Foreign intelligence services. Not surprisingly, foreign intelligence services have adapted to using cyber tools as part of their espionage tradecraft. Even as far back as 1986, before the worldwide surge in Internet use, the KGB employed West German hackers to access Department of Defense systems in the well-known "Cuckoo's Egg" case. While I cannot go into specifics about more recent developments in an open hearing, it should not surprise anyone to hear that foreign intelligence services increasingly view computer intrusions as a useful tool for acquiring sensitive U.S. government and private sector information.

Information Warfare. The prospect of "information warfare" by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that several foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional or "kinetic" weapons, nations see cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles heel – our growing dependence on information technology in government and commercial operations.

Distributed Denial of Service Attacks

The recent distributed denial of service (DDOS) attacks have garnered a tremendous amount of interest in the public and in the Congress. Because we are actively investigating these attacks, I cannot provide a detailed briefing on the status of our efforts. However, I can provide an overview of our activities to deal with the DDOS threat beginning last year and of our investigative efforts over the last three weeks.

In the fall of last year, the NIPC began receiving reports about a new set of "exploits" or attack tools collectively called distributed denial of service (or DDOS) tools. DDOS variants include tools known as "Trinoo," "Tribal Flood Net" (TFN), "TFN2K," and "Stacheldraht" (German for "barbed wire"). These tools essentially work as follows: hackers gain unauthorized access to a computer system(s) and place software code on it that renders that system a "master" (or a "handler"). The hackers also intrude into other networks and place malicious code which makes those systems into agents (also known as "zombies" or "daemons" or "slaves"). Each Master is capable of controlling multiple agents. In both cases, the network owners normally are not aware that dangerous tools have been placed and reside on their systems, thus becoming third-party victims to the intended crime.

The "Masters" are activated either remotely or by internal programming (such as a command to begin an attack at a prescribed time) and are used to send information to the agents, activating their DDOS ability. The agents then generate numerous requests to connect with the attack's ultimate target(s), typically using a fictitious or "spoofed" IP (Internet Protocol) address, thus providing a falsified identity as to the source of the request. The agents act in unison to generate a high volume of traffic from several sources. This type of attack is referred to as a SYN flood, as the SYN is the initial effort by the sending computer to make a connection with the destination computer. Due to the volume of SYN requests the destination computer becomes overwhelmed in its efforts to acknowledge and complete a transaction with the sending computers, degrading or denying its ability to complete service with legitimate customers – hence the term "Denial of Service". These attacks are especially damaging when they are coordinated from multiple sites – hence the term Distributed Denial of Service.
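As an added illustration that is not part of the testimony, the following Python snippet turns the pattern just described (a burst of SYNs from many sources that never complete the handshake, as happens when source addresses are spoofed) into a simple detector run over a constructed packet log. The log format, the sample addresses and the thresholds are assumptions made for this example.

```python
"""Toy SYN-flood detector over a constructed packet log.

A TCP connection opens with SYN (client), SYN-ACK (server), ACK (client).
During a SYN flood the target sees many SYNs, typically from spoofed source
addresses that will never answer, so very few handshakes are completed.
The detector tracks, per destination, how many handshakes are half-open and
how many distinct sources opened them within a sliding time window.
"""
from collections import defaultdict, deque

# Hypothetical log format, constructed for this example:
# "<epoch seconds> <src ip> <dst ip> <tcp flags>"


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, flags)."""
    ts, src, dst, flags = line.split()
    return float(ts), src, dst, flags


def detect_syn_flood(lines, window=1.0, min_half_open=20, min_sources=10):
    """Return one alert per destination that accumulates many half-open
    handshakes from many distinct sources inside `window` seconds.

    pending[dst][src] holds timestamps of SYNs from src that have not yet been
    followed by the client's ACK (the third handshake step). A legitimate
    client completes the handshake within milliseconds; a spoofed one never does.
    """
    pending = defaultdict(lambda: defaultdict(deque))
    alerted = set()
    alerts = []
    for ts, src, dst, flags in sorted(parse_line(l) for l in lines if l.strip()):
        if flags == "SYN":
            pending[dst][src].append(ts)
        elif flags == "ACK" and src in pending.get(dst, {}):
            pending[dst][src].popleft()  # handshake completed, no longer half-open
            if not pending[dst][src]:
                del pending[dst][src]
            continue
        else:
            continue  # SYN-ACK from the server and other flags do not change state
        # Expire SYNs older than the window so a slow trickle never accumulates.
        for s in list(pending[dst]):
            q = pending[dst][s]
            while q and q[0] < ts - window:
                q.popleft()
            if not q:
                del pending[dst][s]
        half_open = sum(len(q) for q in pending[dst].values())
        sources = len(pending[dst])
        if dst not in alerted and half_open >= min_half_open and sources >= min_sources:
            alerted.add(dst)
            alerts.append({"ts": ts, "dst": dst, "half_open": half_open, "sources": sources})
    return alerts


def build_sample_log():
    """Constructed traffic: complete handshakes to two servers, then a flood
    of SYNs from 40 distinct (spoofed) addresses at one of them with no ACKs."""
    lines = []
    t = 100.0
    for i in range(25):
        client = f"203.0.113.{i + 1}"
        for server in ("198.51.100.10", "198.51.100.20"):
            lines.append(f"{t:.3f} {client} {server} SYN")
            lines.append(f"{t + 0.001:.3f} {server} {client} SYN-ACK")
            lines.append(f"{t + 0.002:.3f} {client} {server} ACK")
            t += 0.01
    for i in range(40):
        lines.append(f"{200.0 + i * 0.01:.3f} 192.0.2.{i + 1} 198.51.100.10 SYN")
    return lines


def run_example():
    """Run the detector over the constructed log; the flooded server is flagged
    as soon as 20 half-open handshakes from 20 sources are outstanding."""
    return detect_syn_flood(build_sample_log())


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The normal handshakes never raise an alert because each client's ACK clears its entry before the next client connects; only the flood, whose sources never answer, crosses both thresholds.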

An analogy would be if someone launched an automated program to have hundreds of phone calls placed to the Capitol switchboard at the same time. All of the good efforts of the staff would be overcome. Many callers would receive busy signals due to the high volume of telephone traffic.

In November and December, the NIPC received reports that universities and others were detecting the presence of hundreds of agents on their networks. The number of agents detected clearly could have been only a small subset of the total number of agents actually deployed. In addition, we were concerned that some malicious actors might choose to launch a DDOS attack around New Year's Eve in order to cause disruption and gain notoriety due to the great deal of attention that was being paid to the Y2K rollover. Accordingly, we decided to issue a series of alerts in December to government agencies, industry, and the public about the DDOS threat.

Moreover, in late December, we determined that a detection tool that we had developed for investigative purposes might also be used by network operators to detect the presence of DDOS agents or masters on their operating systems, and thus would enable them to remove an agent or master and prevent the network from being unwittingly utilized in a DDOS attack. Moreover, at that time there was, to our knowledge, no similar detection tool available commercially. We therefore decided to take the unusual step of releasing the tool to other agencies and to the public in an effort to reduce the level of the threat. We made the first variant of our software available on the NIPC website on December 30, 1999. To maximize the public awareness of this tool, we announced its availability in an FBI press release that same date. Since the first posting of the tool, we have posted three updated versions that have perfected the software and made it applicable to different operating systems.

The public has downloaded these tools tens of thousands of times from the web site, and has responded by reporting many installations of the DDOS software, thereby preventing their networks from being used in attacks and leading to the opening of criminal investigations both before and after the widely publicized attacks of the last few weeks. Our work with private companies has been so well received that the trade group SANS awarded their yearly Security Technology Leadership Award to members of the NIPC's Special Technologies Applications Unit.

Recently, we received reports that a new variation of DDOS tools was being found on Windows operating systems. One victim entity provided us with the object code to the tool found on its network. On February 18 we made the binaries available to anti-virus companies (through an industry association) and the Computer Emergency Response Team (CERT) at Carnegie Mellon University for analysis and so that commercial vendors could create or adjust their products to detect the new DDOS variant. Given the attention that DDOS tools have received in recent weeks, there are now numerous detection and security products to address this threat, so we determined that we could be most helpful by giving them the necessary code rather than deploying a detection tool ourselves.

Unfortunately, the warnings that we and others in the security community had issued about DDOS tools last year, while alerting many potential victims and reducing the threat, did not eliminate the threat. Quite frequently, even when a threat is known and patches or detection tools are available, network operators either remain unaware of the problem or fail to take necessary protective steps. In addition, in the cyber equivalent of an arms race, exploits evolve as hackers design variations to evade or overcome detection software and filters. Even security-conscious companies that put in place all available security measures therefore are not invulnerable. And, particularly with DDOS tools, one organization might be the victim of a successful attack despite its best efforts, because another organization failed to take steps to keep itself from being made the unwitting participant in an attack.

On February 7, 2000, the NIPC received reports that Yahoo had experienced a denial of service attack. In a display of the close cooperative relationship that we have developed with the private sector, in the days that followed, several other companies (including Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also reported denial of service outages to the NIPC or FBI field offices. These companies cooperated with us by providing critical logs and other information. Still, the challenges to apprehending the suspects are substantial. In many cases, the attackers used "spoofed" IP addresses, meaning that the address that appeared on the target's log was not the true address of the system that sent the messages. In addition, many victims do not keep complete network logs.

The resources required in an investigation of this type are substantial. Companies have been victimized or used as "hop sites" in numerous places across the country, meaning that we must deploy special agents nationwide to work leads. We currently have seven FBI field offices with cases opened and all the remaining offices are supporting the offices that have opened cases. Agents from these offices are following up literally hundreds of leads. The NIPC is coordinating the nationwide investigative effort, performing technical analysis of logs from victim sites and Internet Service Providers (ISPs), and providing all-source analytical assistance to field offices. Moreover, parts of the evidentiary trail have led overseas, requiring us to work with our foreign counterparts in several countries through our Legal Attaches (Legats) in U.S. embassies.

While the crime may be high tech, investigating it involves a substantial amount of traditional investigative work as well as highly technical work. Interviews of network operators and confidential sources can provide very useful information, which leads to still more interviews and leads to follow-up. And victim sites and ISPs provide an enormous amount of log information that needs to be processed and analyzed by human analysts.

Despite these challenges, I am optimistic that the hard work of our agents, analysts, and computer scientists; the excellent cooperation and collaboration we have with private industry and universities; and the teamwork we are engaged in with foreign partners will in the end prove successful.

Interagency Cooperation

The broad spectrum of cyber threats described earlier, ranging from hacking to foreign espionage and information warfare, requires not just new technologies and skills on the part of investigators, but new organizational constructs as well. In most cyber attacks, the identity, location, and objective of the perpetrator are not immediately apparent. Nor is the scope of his attack -- i.e., whether an intrusion is isolated or part of a broader pattern affecting numerous targets. This means it is often impossible to determine at the outset if an intrusion is an act of cyber vandalism, organized crime, domestic or foreign terrorism, economic or traditional espionage, or some form of strategic military attack. The only way to determine the source, nature, and scope of the incident is to gather information from the victim sites and intermediate sites such as ISPs and telecommunications carriers. Under our constitutional system, such information typically can be gathered only pursuant to criminal investigative authorities. This is why the NIPC is part of the FBI, allowing us to utilize the FBI's legal authorities to gather and retain information and to act on it, consistent with constitutional and statutory requirements.

But the dimension and varied nature of the threats also means that this is an issue that concerns not just the FBI and law enforcement agencies, but also the Department of Defense, the Intelligence Community, and civilian agencies with infrastructure-focused responsibility such as the Departments of Energy and Transportation. It also is a matter that greatly affects state and local law enforcement. This is why the NIPC is an interagency center, with representatives detailed to the FBI from numerous federal agencies and representation from state and local law enforcement as well. These representatives operate under the direction and authority of the FBI, but bring with them expertise and skills from their respective home agencies that enable better coordination and cooperation among all relevant agencies, consistent with applicable laws.

We have had many instances in the last two years where this interagency cooperation has proven critical. As mentioned earlier, the case of the Melissa virus was successfully resolved with the first successful federal prosecution of a virus propagator in over a decade because of close teamwork between the NIPCI squad in the FBI's Newark Division and other field offices, the New Jersey State Police, and the NIPC.

The "Solar Sunrise" case is another example of close teamwork with other agencies. In 1998, computer intrusions into U.S. military computer systems occurred during the Iraq weapons inspection crisis. Hackers exploited known vulnerabilities in Sun Solaris operating systems. Some of the intrusions appeared to be coming from the Middle East. The timing, nature, and apparent source of some of the attacks raised concerns in the Pentagon that this could be a concerted effort by Iraq to interfere with U.S. troop deployments. NIPC coordinated a multiagency investigation which included the FBI, the Air Force Office of Special Investigations, the National Aeronautics and Space Administration, the Department of Justice, the Defense Information Systems Agency, the National Security Agency, and the Central Intelligence Agency. Within several days, the investigation determined that the intrusions were not the work of Iraq, but of several teenagers in the U.S. and Israel. Two juveniles in California pleaded guilty to the intrusions, and several Israelis still await trial. The leader of the Israeli group, Ehud Tenenbaum, has been indicted and is currently scheduled for trial in Israel in April.

More recently, we observed a series of intrusions into numerous Department of Defense and other federal government computer networks and private sector entities. Investigation last year determined that the intrusions appear to have originated in Russia. The intruder successfully accessed U.S. Government networks and took large amounts of unclassified but sensitive information, including defense technical research information. The NIPC coordinated a multiagency investigation, working closely with FBI field offices, the Department of Defense, and the Intelligence Community. While I cannot go into more detail about this case here, it demonstrates the very real threat we face in the cyber realm, and the need for good teamwork and coordination among government agencies responsible for responding to the threat.

Private Sector Cooperation

Most importantly, however, our success in battling cyber crime depends on close cooperation with private industry. This is the case for several reasons. First, most of the victims of cyber crimes are private companies. Therefore, successful investigation and prosecution of cyber crimes depends on private victims reporting incidents to law enforcement and cooperating with the investigators. Contrary to press statements by companies offering security services that private companies won't share information with law enforcement, private companies have reported incidents and threats to the NIPC or FBI field offices. The number of victims who have voluntarily reported DDOS attacks to us over the last few weeks is ample proof of this. While there are undoubtedly companies that would prefer not to report a crime because of fear of public embarrassment over a security lapse, the situation has improved markedly. Companies increasingly realize that deterrence of crime depends on effective law enforcement, and that the long-term interests of industry depend on establishing a good working relationship with government to prevent and investigate crime.

Testimony two weeks ago before the Senate Appropriations Subcommittee for Commerce, State, and Justice by Robert Chesnut, Associate General Counsel for E-bay, illustrates this point:

Prior to last week's attacks, eBay had established a close working relationship with the computer crimes squad within the Northern California office of the Federal Bureau of Investigation ("FBI"). E-Bay has long recognized that the best way to combat cyber crime, whether it's fraud or hacking, is by working cooperatively with law enforcement. Therefore, last year we established procedures for notifying the FBI in the event of such an attack on our web site. As a result of this preparation, we were able to contact the FBI computer intrusion squad during the attack and provide them with information that we expect will assist in their investigation. In the aftermath of the attack, eBay has also been able to provide the FBI with additional leads that have come to our attention.

Second, the network administrator at a victim company or ISP is critical to the success of an investigation. Only that administrator knows the unique configuration of her system, and she typically must work with an investigator to find critical transactional data that will yield evidence of a criminal's activity.

Third, the private sector has the technical expertise that is often critical to resolving an investigation. It would be impossible for us to retain experts in every possible operating system or network configuration, so private sector assistance is critical. In addition, many investigations require the development of unique technical tools to deal with novel problems. Private sector assistance has been critical there as well.

To encourage private sector cooperation, we have engaged in a concerted outreach effort to private industry, providing threat briefings, issuing analyses and threat warnings, and speaking at industry conferences. In another example of cooperation, the Attorney General and the Information Technology Association of America announced a set of initiatives last year as part of a "Cybercitizens Partnership" between the government and the information technology (IT) industry. One initiative involves providing IT industry representatives to serve in the NIPC to enhance our technical expertise and our understanding of the information and communications infrastructure.

We have several other initiatives devoted to private sector outreach that bear mentioning here. The first is called "InfraGard." This is an initiative that we have developed in concert with private companies and academia to encourage information-sharing about cyber intrusions, exploited vulnerabilities, and physical infrastructure threats. A vital component of InfraGard is the ability of industry to provide information on intrusions to the local FBI field office using secure e-mail communications in both a "sanitized" and detailed format. The local FBI field offices can, if appropriate, use the detailed version to initiate an investigation; while NIPC Headquarters can analyze that information in conjunction with other information we obtain to determine if the intrusion is part of a broader attack on numerous sites. The NIPC can simultaneously use the sanitized version to inform other members of the intrusion without compromising the confidentiality of the reporting company. The key to this system is that whether, and what, to report is entirely up to the reporting company. A secure website also contains a variety of analytic and warning products that we make available to the InfraGard community. The success of InfraGard is premised on the notion that sharing is a two-way street: the NIPC will provide threat information that companies can use to protect their systems, while companies will provide incident information that can be used to initiate an investigation and to warn other companies.

Our Key Asset Initiative (KAI) is focused more specifically on the owners and operators of critical components of each of the infrastructure sectors. It facilitates response to threats and incidents by building liaison and communication links with the owners and operators of individual companies and enabling contingency planning. The KAI began in the 1980s and focused on physical vulnerabilities to terrorism. Under the NIPC, the KAI has been reinvigorated and expanded to focus on cyber vulnerabilities as well. The KAI currently involves determining which assets are key within the jurisdiction of each FBI Field Office and obtaining 24-hour points of contact at each asset in cases of emergency. Eventually, if future resources permit, the initiative will include the development of contingency plans to respond to attacks on each asset, exercises to test response plans, and modeling to determine the effects of an attack on particular assets. FBI field offices are responsible for developing a list of the assets within their respective jurisdictions, while the NIPC maintains the national database. The KAI is being developed in coordination with DOD and other agencies. Currently the database has about 2400 entries. This represents 2400 contacts with key private sector nodes made by the NIPC and FBI field offices.

A third initiative is a pilot program we have begun with the North American Electrical Reliability Council (NERC). Under the pilot program, electric utility companies and other power entities transmit cyber incident reports in near real time to the NIPC. These reports are analyzed and assessed to determine whether an NIPC warning, alert, or advisory is warranted. Electric power participants in the pilot program have stated that the information and analysis provided by the NIPC back to the power companies fully justify their participation in the program. It is our expectation that the Electrical Power Indications and Warning System will provide a full-fledged model for the other critical infrastructures.

Much has been said over the last few years about the importance of information sharing. Since our founding, the NIPC has been actively engaged in building concrete mechanisms and initiatives to make this sharing a reality, and we have built up a track record of actually sharing useful information. These efforts belie the notions that private industry won't share with law enforcement in this area, or that the government won't provide meaningful threat data to industry. As companies continue to gain experience in dealing with the NIPC and FBI field offices, as we continue to provide them with important and useful threat information, and as companies recognize that cyber crime requires a joint effort by industry and government together, we will continue to make real progress in this area.

Keeping Law Enforcement on the Cutting Edge of Cyber Crime

As Internet use continues to soar, cyber crime is also increasing exponentially. Our case load reflects this growth. In FY 1998, we opened 547 computer intrusion cases; in FY 1999, that number jumped to 1154. Similarly, the number of pending cases increased from 206 at the end of FY 1997, to 601 at the end of FY 1998, to 834 at the end of FY 99, and to over 900 currently. These statistics include only computer intrusion cases, and do not account for computer-facilitated crimes such as Internet fraud, child pornography, or e-mail extortion efforts. In these cases, the NIPC and NIPCI squads often provide technical assistance to traditional investigative programs responsible for these categories of crime.

We can clearly expect these upward trends to continue. To meet this challenge, we must ensure that we have adequate resources, including both personnel and equipment, both at the NIPC and in FBI field offices. We currently have 193 agents nationwide dedicated to investigating computer intrusion and virus cases. In order to maximize investigative resources, the FBI has taken the approach of creating regional squads in 16 field offices that have sufficient size to work complex intrusion cases and to assist those field offices without a NIPCI squad. In those field offices without squads, the FBI is building a baseline capability by having one or two agents work NIPC matters, i.e. computer intrusions (criminal and national security), viruses, InfraGard, state and local liaison, etc.

At the NIPC, we currently have 101 personnel on board, including 82 FBI employees and 19 detailees from other government agencies. This cadre of investigators, computer scientists, and analysts performs the numerous and complex tasks outlined above, and provides critical coordination and support to field office investigations. As the crime problem grows, we need to make sure that we keep pace by bringing on board additional personnel, including from other agencies and the private sector.

In addition to putting in place the requisite number of agents, analysts, and computer scientists in the NIPC and in FBI field offices, we must fill those positions by recruiting and retaining personnel who have the appropriate technical, analytical, and investigative skills. This includes personnel who can read and analyze complex log files, perform all-source analysis to look for correlations between events or attack signatures and glean indications of a threat, develop technical tools to address the constantly changing technological environment, and conduct complex network investigations.

Training and continuing education are also critical, and we have made this a top priority at the NIPC. In FY 1999, we trained 383 FBI and other-government-agency students in NIPC sponsored training classes on network investigations and infrastructure protection.

The emphasis for 2000 is on continuing to train federal personnel while expanding training opportunities for state and local law enforcement personnel. During FY 2000, we plan to train approximately 740 personnel from the FBI, other federal agencies, and state and local law enforcement.

Developing and deploying the best equipment in support of the mission is also very important. Not only do investigators and analysts need the best equipment to conduct investigations in the rapidly evolving cyber system but the NIPC must be on the cutting edge of cyber research and development. Conducting a network intrusion or denial-of-service investigation often requires analysis of voluminous amounts of data. For example, one network intrusion case involving an espionage matter currently being investigated has required the analysis of 17.5 Terabytes of data. To place this into perspective, the entire collection of the Library of Congress, if digitized, would comprise only 10 Terabytes. The Yahoo DDOS attack involved approximately 630 Gigabytes of data, which is equivalent to enough printed pages to fill 630 pickup trucks with paper. Technical analysis requires high capacity equipment to store, process, analyze, and display data. Again, as the crime problem grows, we must ensure that our technical capacity keeps pace.

Finally, we must look at whether changes to the legal procedures governing investigation and prosecution of cyber crimes are warranted. The problem of Internet crime has grown at such a rapid pace that the laws have not kept up with the technology. The FBI is working with the Department of Justice to propose a legislative package for your review to help keep our laws in step with these advances.

One example of some of the problems law enforcement is facing is the jurisdictional limitation of pen registers and trap-and-trace orders issued by federal district courts. These orders allow only the capturing of tracing information, not the content of communications. Currently, in order to track back a hacking episode in which a single communication is purposely routed through a number of Internet Service Providers that are located in different states, we generally have to get multiple court orders. This is because, under current law, a federal court can order communications carriers only within its district to provide tracing information to law enforcement. As a result of the fact that investigators typically have to apply for numerous court orders to trace a single communication, there is a needless waste of time and resources, and a number of important investigations are either hampered or derailed entirely in those instances where law enforcement gets to a communications carrier after that carrier has already discarded the necessary information.

Other laws may be in need of revision because they are decades old and did not anticipate current technology. Many laws were not drafted in a technology-neutral way, and do not make much sense in today's world where telephone carriers, Internet service providers, and cable operators are all providing ways to communicate both electronically and by voice over the Internet. We are reviewing the pen register and trap-and-trace statutes, the Computer Fraud and Abuse Act, and the Cable Communications Policy Act, to ensure that the laws make sense in the current environment.

There are also issues that we must readdress with respect to the need, under current law, to demonstrate at least $5,000 in damage for certain hacking crimes enumerated under 18 U.S.C. 1030(a)(5). In some of the cases we investigate, proof of damage in excess of $5,000 on a particular system is difficult to show, although the crime of breaking into numerous systems and obtaining root access, with the ability to destroy the confidentiality or accuracy of information, remains very real and extremely serious.

Finally, we should consider whether current sentencing provisions for computer crimes provide an adequate deterrence. Given the degree of harm that can be caused by a virus, intrusion, or a denial of service -- in terms of monetary loss to business and consumers, infringement of privacy, or threats to public safety when critical infrastructures are affected -- it would be appropriate to consider whether penalties established years ago remain adequate.

The Role of Law Enforcement

Finally, I would like to conclude by emphasizing two key points. The first is that our role in combating cyber crime is essentially two-fold: (1) preventing cyber attacks before they occur or limiting their scope by disseminating warnings and advisories about threats so that potential victims can protect themselves; and (2) responding to attacks that do occur by investigating and identifying the perpetrator. This is very much an operational role. Our role is not to determine what security measures private industry should take, or to ensure that companies or individuals take them. It is the responsibility of industry to ensure that appropriate security tools are made available and are implemented. We certainly can assist industry by alerting them to the actual threats that they need to be concerned about, and by providing information about the exploits that we are seeing criminals use. But network administrators, whether in the private sector or in government, are the first line of defense.

Second, in gathering information as part of our warning and response missions, we rigorously adhere to constitutional and statutory requirements. Our conduct is strictly limited by the Fourth Amendment, statutes such as Title III and ECPA, and the Attorney General Guidelines. These rules are founded first and foremost on the protection of privacy inherent in our constitutional system. Respect for privacy is thus a fundamental guidepost in all of our activities.

Conclusion

I want to thank the subcommittees again for giving me the opportunity to testify here today. The cyber crime problem is real, and growing. The NIPC is moving aggressively to meet this challenge by training FBI agents and investigators from other agencies on how to investigate computer intrusion cases, equipping them with the latest technology and technical assistance, developing our analytic capabilities and warning mechanisms to head off or mitigate attacks, and closely cooperating with the private sector. We have already had significant successes in the fight. I look forward to working with Congress to ensure that we continue to be able to meet the threat as it evolves and grows. Thank you.