Testimony of Ronald L. Dick, Director, National Infrastructure
Protection Center, FBI
Before the House
Energy and Commerce Committee, Oversight and Investigation
Subcommittee
April 5, 2001
"Issue of Intrusions into Government Computer Networks"
Representative Greenwood, Members
of the subcommittee, thank you for inviting me here today
to speak to the important issue of intrusions into government
computer networks. The problem is serious. The Department
of Defense reports thousands of potential cyber attacks launched
against DOD systems. GAO reports that "in 1999 and 2000,
the Air Force, Army, and Navy recorded a combined total of
600 and 715 [serious] cyber attacks, respectively." This
does not even consider attacks on civilian agencies. Two weeks
ago National Security Advisor Condoleezza Rice stated that
"The President himself is on record as stating that infrastructure
protection is important to our economy and to our national
security and therefore it will be a priority for this administration."
Dr. Rice also stated during
that same speech that, "We have to maximize our resources
and energies by making sure that they are focused, instead
of allowing them to be dissipated through dispersal."
The need for a coordinated interagency approach to address
intrusions into government networks was one of the principal
reasons for having established the National Infrastructure
Protection Center (NIPC). When the NIPC was founded three
years ago, it was during one of the largest intrusions ever
into U.S. government systems. The lessons learned from that
intrusion and from the response to it have helped shape the
NIPC.
Let me provide you with a snapshot
of our caseload on government intrusions. Currently we have
102 cases (of a current total of 1,219 pending cases) involving
computer intrusions into government systems. This includes
intrusions into federal, state and local systems, as well
as the military. It should be noted that a single case can
consist of hundreds of compromised systems that have experienced
thousands of intrusions. In addition, many agencies conduct
investigations concerning intrusions into their systems that
are not reported to the FBI. In short, this case load represents
a large number of incidents.
Several critical elements are
required to deal with intrusions into government computer
systems. There must be an interagency structure to deal with
this problem. No agency should, or should have to, address these
issues alone. Information must be shared with law enforcement
and the NIPC. We must work to ensure that any intrusions are
stemmed and the vulnerability that allowed the intrusion is
patched.
Interagency cooperation is essential
in dealing with intrusions into government systems. As I said
at the outset, that is why the NIPC was created. Currently
the NIPC has representatives from the following agencies at
the Center: FBI, Army, Navy, Air Force Office of Special Investigations,
Defense Criminal Investigative Service, National Security
Agency, United States Postal Service, Department of Transportation/Federal
Aviation Administration, Central Intelligence Agency, Department
of Commerce/Critical Infrastructure Assurance Office, and
the Department of Energy. This representation has given us
the unprecedented ability to reach back into the parent organizations
of our interagency detailees on intrusions and infrastructure
protection matters. In addition, we have formed an interagency
coordination cell at the Center which holds monthly meetings
with U.S. Secret Service, U.S. Customs Service, representatives
from DOD investigative agencies, the Offices of Inspector
General of NASA, the Social Security Administration, the Departments
of Energy, State, and Education, and the U.S. Postal Service,
to discuss topics of mutual concern.
This representation is not enough,
however. The PDD states that, "The NIPC will include
FBI, USSS, and other investigators experienced in computer
crimes and infrastructure protection, as well as representatives
detailed from the Department of Defense, the Intelligence
Community and Lead Agencies." The NIPC would like to
see all lead agencies represented in the Center. The more
broadly representative the NIPC is, the better job it can
do in responding to intrusions into government systems.
The NIPC is pursuing three sets
of activities that address computer intrusions into government
systems: prevention, detection, and response.
Prevention:
Our role in preventing cyber
intrusions into government systems is not to provide advice
on what hardware or software to use or to act as a federal
systems administrator. Rather our role is to provide information
about threats, ongoing incidents, and exploited vulnerabilities
so that government and private sector system administrators
can take the appropriate protective measures. The NIPC has
a variety of products to inform the private sector and other
domestic and international government agencies of the threat,
including: alerts, advisories, and assessments; biweekly CyberNotes;
monthly Highlights; and topical electronic reports.
These products are designed for tiered distribution to both
government and private sector entities consistent with applicable
law and the need to protect intelligence sources and methods,
and law enforcement investigations. For example, Highlights
is a monthly publication for sharing analysis and information
on critical infrastructure issues. It provides analytical
insights into major trends and events affecting the nation's
critical infrastructures. It is usually published in an unclassified
format and reaches national security and civilian government
agency officials as well as infrastructure owners. CyberNotes
is another NIPC publication designed to provide security and
information system professionals with timely information on
cyber vulnerabilities, hacker exploit scripts, hacker trends,
virus information, and other critical infrastructure-related
best practices. It is published twice a month on our website
and disseminated in hardcopy to government and private sector
audiences.
The NIPC has elements responsible
for both analysis and warning. What makes the NIPC unique
is that it has access to all-source intelligence from law
enforcement, the intelligence community, private sector, international
arena, and open sources. No other entity has this range of
information. Complete and timely reporting of incidents from
private industry and government agencies allows NIPC analysts
to make the linkages between government intrusions and private
sector activity. We are currently working on an integrated
database to allow us to more quickly make the linkages among
seemingly disparate intrusions. This database will leverage
both the unique information available to the NIPC through
FBI investigations and information available from the intelligence
community and open sources. Having these analytic functions
at the NIPC is a central element of its ability to carry out
its preventive mission.
The InfraGard initiative expands direct
contacts with the private sector infrastructure owners and
operators and shares information about cyber intrusions and
exploited vulnerabilities through the formation of local InfraGard
chapters within the jurisdiction of each of the 56 FBI field
offices. This is critical to infrastructure protection, since
private industry owns most of the infrastructures. Further,
InfraGard's success belies the notion that private industry
will not share information with NIPC or law enforcement. All
56 FBI field offices have InfraGard chapters. There are currently
over 900 InfraGard members. The national InfraGard rollout
was held on January 5, 2001.
The NIPC is also working with
the Information Sharing and Analysis Centers established under
the auspices of PDD-63. For example, the North American Electric
Reliability Council (NERC) serves as the electric power ISAC.
We have developed a program with the NERC to develop an Indications
and Warning System for physical and cyber attacks. Under the
program, electric utility companies and other power entities
transmit incident reports to the NIPC. These reports are analyzed
and assessed to determine whether an NIPC alert, advisory,
or assessment is warranted to the electric utility community.
Electric power participants in the pilot program have stated
that the information and analysis provided by the NIPC back
to the power companies make this program especially worthwhile.
NERC has recently decided to expand this initiative nationwide.
This initiative will serve as a good example of government
and industry working together to share information and the
Electrical Power Indications and Warning System will provide
a model for the other critical infrastructures. Eventually
the NIPC will need to be able to have a comprehensive nation-wide
system for all the infrastructures.
The NIPC is the Sector Lead
Agency for the Emergency Law Enforcement Services sector.
As part of this mission, the Center has also been asked by the
ELES Sector to have the NIPC Watch and Warning Unit act as the
ISAC for the sector. The NIPC is working to implement this request.
Detection:
Given the ubiquitous vulnerabilities
in existing Commercial Off-the-Shelf (COTS) software, intrusions
into critical systems are inevitable for the foreseeable future.
Thus detection of these intrusions is critical if the U.S.
Government and critical infrastructure owners and operators
are going to be able to respond. To improve our detection
capabilities, we first need to ensure that we are fully collecting,
sharing, and analyzing all extant information from all relevant
sources. It is often the case that intrusions can be discerned
simply by collecting bits of information from various sources;
conversely, if we don't collate these pieces of information
for analysis, we might not detect the intrusions at all. Thus
the NIPC's role in collecting information from all sources
and performing analysis in itself serves the role of detection.
Agency system administrators
need to work with FedCIRC and the NIPC. PDD-63 makes clear
the importance of such reporting. It states, "All
executive departments and agencies shall cooperate with the
NIPC and provide such assistance, information and advice that
the NIPC may request, to the extent permitted by law. All
executive departments shall also share with the NIPC information
about threats and warning of attacks and about actual attacks
on critical government and private sector infrastructures,
to the extent permitted by law." We are working with
OMB, FedCIRC, and the agencies to improve agency reporting
of security incidents.
In some cases, in response to
victims' reports, the NIPC has sponsored the development of
tools to detect malicious software code. For example, in December
1999, in anticipation of possible Y2K related malicious conduct,
the NIPC posted a detection tool on its web site that allowed
systems administrators to detect the presence of certain Distributed
Denial of Service (DDoS) tools on their networks. In these
cases, hackers plant tools such as Trinoo, Tribal Flood Net
(TFN), TFN2K, or Stacheldraht (German for barbed wire) on
a number of unwitting victim systems. Then when the hacker
sends the command, the victim systems in turn begin sending
messages against a target system. The target system is overwhelmed
with the traffic and is unable to function. Users trying to
access that system are denied its services. The NIPC's detection
tools were downloaded thousands of times and have no doubt
prevented many DDoS attacks.
The NIPC also led the FBI's
multiagency Y2K command center. NIPC personnel were on alert
during the rollover period watching for possible malicious
activity under the guise of Y2K. NIPC coordinated a nationwide
watch effort and distributed reports every four hours round
the clock on the situation.
Regarding warning, if we determine
that an intrusion is imminent or underway, the NIPC Watch
is responsible for formulating assessments, advisories, and
alerts, and quickly disseminating them. The substance of those
products will come from analytical work done by NIPC analysts.
If we determine an attack is underway, we can notify both
private sector and government entities using an array of mechanisms
so they can take protective steps. In some cases these warning
products can prevent a wider attack; in other cases warnings
can mitigate an attack already underway. Finally, these notices
can prevent attacks from ever happening in the first place.
For example, the NIPC released an advisory on March 30, 2001
regarding the "Lion Internet Worm," which is a DDoS
tool targeting Unix-based systems. Based on all-source information
and analysis, the NIPC alerted systems administrators how
to look for this compromise of their system and what specific
steps to take to remove the tools if they are found. This
alert was issued after consultation with FedCIRC, JTF-CND,
a private sector ISAC, and other infrastructure partners.
Response:
Despite our efforts, we know
that government systems will continue to be attacked. Thus
we need to determine the origin of these attacks in order
to get to the person behind the keyboard for our government
to formulate the appropriate response. In the cyber world,
determining what is happening is difficult at the early stages.
An event could be a system probe to find vulnerabilities or
entry points, an intrusion to steal data or plant sniffers
or malicious code, an act of teenage vandalism, an attack
to disrupt or deny service, or even an act of war. The crime
scene itself is totally different from the physical world
in that it is dynamic -- it grows, contracts, and can change
shape. Further, the tools used to perpetrate a major infrastructure
attack can be the same ones used for other cyber intrusions
(simple hacking, foreign intelligence gathering, organized
crime activity to steal property, data, etc.), making identification
more difficult. Determining that an event is even occurring
thus can often be difficult in the cyber world, and usually
a determination cannot be made without a thorough investigation.
In the physical world one can see instantly if a building
has been bombed or an airliner brought down. In the cyber
world, an intrusion may go undetected for some time.
Identification of the perpetrators
and their objectives during an event is critical especially
in the initial stages. The perpetrators could be criminal
hackers, teenagers, electronic protesters, terrorists, or
foreign intelligence services. In order to attribute an attack,
the NIPC coordinates an investigation that gathers information
from within the United States using either criminal investigative
or foreign counter-intelligence authorities, depending on
the circumstances. We also rely on the assistance of other
nations when appropriate. Obtaining reliable information is
necessary not only to identify the perpetrator but also to
determine the size and nature of the intrusion: how many systems
are affected, what techniques are being used, and what is
the purpose of the intrusions--disruption, economic espionage,
theft of money, etc.
Relevant information could come
from existing criminal investigations or other contacts at
the FBI Field Office level. It could come from the U.S. Intelligence
Community, other U.S. Government agency information, through
private sector contacts, the media, other open sources, or
foreign law enforcement contacts. The NIPC's role is to coordinate,
collect, analyze, and disseminate this information. Indeed
this is one of the principal reasons the NIPC was created.
Because the Internet by its
nature embodies a degree of anonymity, our government's proper
response to an attack first requires significant investigative
steps. Investigators typically need a full range of criminal
and/or national security authorities to determine who launched
the attack. Under our system the legal authorities for conducting
investigations within the United States include: the Computer
Fraud and Abuse Act, the Economic Espionage Statute, the Electronic
Communications Privacy Act, the Foreign Intelligence Surveillance
Act, as well as the relevant executive orders delineating
the responsibilities of the intelligence community. Thus the
FBI can apply for court orders to get subscriber information
from Internet Service Providers, and monitor communications
under the Electronic Communications Privacy Act or under the
Foreign Intelligence Surveillance Act, depending on the facts
of the case as they are known at the time the order is requested.
The FBI has designated the NIPC to act as the program manager
for all of its computer intrusion investigations, and the
NIPC has made enormous strides in developing this critical
nationwide program. In that connection, the NIPC works closely
with the Criminal Division's Section on Computer Crime and
Intellectual Property, the Department's Office of Intelligence
Policy and Review, and the U.S. Attorney's Offices in coordinating
legal responses.
In the event of a national-level
set of intrusions into significant systems, the NIPC will
form a Cyber Crisis Action Team (C-CAT) to coordinate response
activities and use the facilities of the FBI's Strategic Information
and Operations Center (SIOC). The team will have expert investigators,
computer scientists, analysts, watch standers, and other U.S.
government agency representatives. Part of the U.S. government
team might be physically located at FBI Headquarters and part
of the team may be just electronically connected. The C-CAT
will immediately contact field offices responsible for the
jurisdictions where the attacks are occurring and where the
attacks may be originating. The C-CAT will continually assess
the situation and support/coordinate investigative activities,
issue updated warnings, as necessary, to all those affected
by or responding to the crisis. The C-CAT will then coordinate
the investigative effort to discern the scope of the attack,
the technology being used, and the possible source and purpose
of the attack.
While we have not seen an example
of cyber terrorism directed against U.S. government systems,
the NIPC's placement in the FBI's Counterterrorism division
will allow for a seamless FBI response in the event of a terrorist
action that encompasses both cyber and physical attacks. The
NIPC and the other elements of the FBI's Counterterrorism
Division have conducted joint operations and readiness exercises
in the FBI's SIOC. We are prepared to respond if called upon.
Case Examples
Over the past several years
we have seen a wide range of cyber threats ranging from defacement
of websites by juveniles to sophisticated intrusions sponsored
by foreign powers, and everything in between. Some of these
are obviously more significant than others. The theft of national
security information from a government agency or the interruption
of electrical power to a major metropolitan area would have
greater consequences for national security, public safety,
and the economy than the defacement of a web-site. But even
the less serious categories have real consequences and, ultimately,
can undermine confidence in e-commerce and violate privacy
or property rights. A web site hack that shuts down an e-commerce
site can have disastrous consequences for a business. An intrusion
that results in the theft of credit card numbers from an online
vendor can result in significant financial loss and, more
broadly, reduce consumers' willingness to engage in e-commerce.
Because of these implications, it is critical that we have
in place the programs and resources to investigate and, ultimately,
to deter these sorts of crimes.
In addition, because it is often
difficult to determine whether an intrusion or denial of service
attack, for instance, is the work of an individual with criminal
motives or foreign nation state, we must treat each case as
potentially serious until we gather sufficient information
to determine the nature, purpose, scope, and perpetrator of
the attack. While we cannot discuss ongoing investigations,
we can discuss closed cases that involve FBI and other agency
investigations in which the intruder's methods and motivation
were similar to what we are currently seeing. A few illustrative
cases are described below:
In hacker cases, the attacker's
motivation is just to see how far he can intrude into a system.
This seems to be the motivation for the California teens in
the well-known Solar Sunrise case. In this case the intruders
exploited a well known vulnerability in computers that run
on the Sun Solaris operating system. By exploiting this vulnerability,
the intruder can gain root access (total control) of the system.
As in the Solar Sunrise case, the intruders can then install
their own accounts on the system and create backdoors into
the system from which they can then install additional programs
to find passwords. They also had the ability to alter, remove,
or destroy data on those systems. This case demonstrated to
the interagency community how difficult it is to identify
an intruder until all of the facts are gathered through an
investigation, and why assumptions cannot be made until sufficient
facts are available. The incident also vividly demonstrated
the vulnerabilities that exist in our networks; if these individuals
were able to assume "root access" to certain unclassified
DOD systems, it is not difficult to imagine what hostile adversaries
with greater skills and resources would be able to do. Finally,
Solar Sunrise demonstrated the need for interagency coordination
to deal with such attacks. The perpetrators in this case were
two 16-year-olds and an 18-year-old.
We have also seen cases of hacking
and mischief for what might be termed personal reasons. For
example, Eric Burns, a.k.a. Zyklon, hacked into the White House
web site as well as other sites. This case was worked jointly
by the U.S. Secret Service and the FBI. He was caught and
pled guilty to one count of 18 U.S.C. 1030. In November 1999
he was sentenced to 15 months in prison, 3 years supervised
release, and ordered to pay $36,240 in restitution and a $100
fine.
In another example, the Melissa Macro Virus, reportedly named
after an exotic dancer from Florida, wreaked havoc on government
and private sector networks in March 1999. David Smith, the author
of the virus, pled guilty to one federal count of violating
18 U.S.C. 1030 and four state counts. He admitted to causing
$80 million in damage as well. He faces a maximum sentence of
five years and $250,000 on the federal charge and is currently
awaiting sentencing. This is a good example of how federal
and state governments are increasingly coordinating investigations
and prosecutions in combating computer crime.
In another case, system penetration
coupled with theft can be the motivation. A Florida youth
admitted to breaking into 13 computers at the Marshall Space
Flight Center in Huntsville, Alabama in June 1999 and downloading
$1.7 million in NASA proprietary software that supports the
International Space Station's environmental systems. NASA
has estimated the cost to repair the damage at $41,000. The
subject has also admitted to entering Defense Department systems
of the Defense Threat Reduction Agency, intercepting 3,300
e-mail messages, and stealing passwords from Pentagon computers.
This case was investigated by NASA. He was sentenced to six
months in a juvenile detention center for hacking into NASA
computers which support the International Space Station.
Virus writers have become a
more prevalent threat in recent years. We have seen virus
writers unleash havoc on the Internet for a variety of motivations.
In May 2000 companies and individuals around the world were
stricken by the "Love Bug", a virus (or, technically,
a "worm" ) that traveled as an attachment to an
e-mail message and propagated itself extremely rapidly through
the address books of Microsoft Outlook users. The virus/worm
also reportedly penetrated at least 14 federal agencies,
including the Department of Defense (DOD), the Social Security
Administration, the Central Intelligence Agency, the Immigration
and Naturalization Service, the Department of Energy, the
Department of Agriculture, the Department of Education, the
National Aeronautics and Space Administration (NASA), along
with the House and Senate.
Investigative work by the FBI's
New York Field Office, with assistance from the NIPC, traced
the source of the virus to the Philippines within 24 hours.
The FBI then worked, through the FBI Legal Attaché
in Manila, with the Philippines' National Bureau of Investigation,
to identify the perpetrator. The speed with which the virus
was traced back to its source is unprecedented. The prosecution
in the Philippines was hampered by the lack of a specific
computer crime statute. Nevertheless, Onel de Guzman was
charged on June 29, 2000 with fraud, theft, malicious mischief,
and violation of the Devices Regulation Act. However, those
charges were dropped in August by Philippine judicial authorities.
As a postscript, it is important to note that the Philippines'
government on June 14, 2000 reacted quickly and approved the
E-Commerce Act, which now specifically criminalizes computer
hacking and virus propagation. The Philippine government will
not be hindered by insufficient charging authorities should
an incident like this one ever occur again. Also, the NIPC
continues to work with other nations to provide guidance on
the need to update criminal law statutes.
In some cases, we have been
able to prevent the release of disastrous viruses against
public systems. On March 29, 2000, FBI Houston initiated an
investigation when it was discovered that certain small businesses
in the Houston area had been targeted by someone who was using
their Internet accounts in an unauthorized manner and causing
their hard drives to be erased. On March 30, 2000, FBI Houston
conducted a search warrant on a residence of an individual
who allegedly created a computer "worm" that seeks
out computers on the Internet. This "worm" looks
for computer networks that have certain sharing capabilities
enabled, and uses them for the mass replication of the worm.
The worm causes the hard drives of randomly selected computers
to be erased. The computers whose hard drives are not erased
actively scan the Internet for other computers to infect and
force the infected computers to use their modems to dial 911.
Because each infected computer can scan approximately 2,550
computers at a time, this worm could have the potential to
create a denial of service attack against the E911 system.
The NIPC issued a warning to the public through the NIPC webpage,
SANS, NLETS, InfraGard, and teletypes to government agencies.
On May 15, 2000 Franklin Wayne Adams of Houston was charged
by a federal grand jury with knowingly causing the transmission
of a program onto the Internet which caused damage to a protected
computer system by threatening public health and safety and
by causing loss aggregated to at least $5000. Adams was also
charged with unauthorized access to electronic or wire communications
while those communications were in electronic storage. He
faces 5 years in prison and a $250,000 fine.
Revenge by disgruntled employees
seems to be another strong motivation for attacks. Insiders
do not need a great deal of knowledge about computer intrusions,
because their knowledge of victim systems often allows them
to gain unrestricted access to cause damage to the system
or to steal system data. For example, in July 1997 Shakuntla
Devi Singla used her insider knowledge and another employee's
password and logon identification to delete data from a U.S.
Coast Guard personnel database system. It took 115 agency
employees over 1800 hours to recover and reenter the lost
data. Ms. Singla was convicted and sentenced to five months
in prison, five months home detention, and ordered to pay
$35,000 in restitution.
Another case involved a National
Library of Medicine (NLM) employee. In January and February
1999 the National Library of Medicine computer system, relied
on by hundreds of thousands of doctors and medical professionals
from around the world for the latest information on diseases,
treatments, drugs, and dosage units, suffered a series of
intrusions where system administrator passwords were obtained
and hundreds of files downloaded, including sensitive medical
"alert" files and programming files that kept the system
running properly. The intrusions were a significant threat
to public safety and resulted in a monetary loss in excess
of $25,000. FBI investigation identified the intruder as Montgomery
Johns Gray, III, a former computer programmer for NLM, whose
access to the computer system had been revoked. Gray was able
to access the system through a "backdoor" he had
created in the programming code. Due to the threat to public
safety, a search warrant was executed for Gray's computers
and Gray was arrested by the FBI within a few days of the
intrusions. Subsequent examination of the seized computers
disclosed evidence of the intrusion as well as images of child
pornography. Gray was convicted by a jury in December 1999
on three counts for violation of 18 U.S.C. 1030. Subsequently,
Gray pleaded guilty to receiving obscene images through the
Internet, in violation of 47 U.S.C. 223. Montgomery Johns
Gray III was sentenced to 5 months prison, 5 months halfway
house, 3 years probation and ordered to pay $10,000 in restitution
and assessments.
We are also seeing the increased
use of cyber intrusions by criminal groups who attack systems
for purposes of monetary gain. In September, 1999, two members
of a group dubbed the "Phonemasters" were sentenced
after their conviction for theft and possession of unauthorized
access devices (18 USC § 1029) and unauthorized access
to a federal interest computer (18 USC § 1030). The
"Phonemasters" were an international group of criminals
who penetrated the computer systems of MCI, Sprint, AT&T,
Equifax, and even the National Crime Information Center. The
Phonemasters' methods included "dumpster diving"
to gather old phone books and technical manuals for systems.
They used this information to trick employees into giving
up their logon and password information. The group then used
this information to break into victim systems. One member
of this group, Mr. Calvin Cantrell, downloaded thousands of
Sprint calling card numbers, which he sold to a Canadian individual,
who passed them on to someone in Ohio. These numbers made
their way to an individual in Switzerland and eventually ended
up in the hands of organized crime groups in Italy. Cantrell
was sentenced to two years as a result of his guilty plea,
while one of his associates, Cory Lindsay, was sentenced to
41 months.
Terrorist groups are increasingly
using new information technology and the Internet to formulate
plans, raise funds, spread propaganda, and to communicate
securely. In his statement on the worldwide threat in 2000,
Director of Central Intelligence George Tenet testified that
terrorist groups, "including Hizbollah, HAMAS, the Abu
Nidal organization, and Bin Laden's al Qa'ida organization
are using computerized files, e-mail, and encryption to support
their operations." In one example, convicted terrorist
Ramzi Yousef, the mastermind of the World Trade Center bombing,
stored detailed plans to destroy United States airliners on
encrypted files on his laptop computer. While we have not
yet seen these groups employ cyber tools as a weapon
to use against critical infrastructures, their reliance on
information technology and acquisition of computer expertise
are clear warning signs. Moreover, we have seen other terrorist
groups, such as the Internet Black Tigers (who are reportedly
affiliated with the Tamil Tigers), engage in attacks on foreign
government web-sites and email servers. During the riots on
the West Bank in the fall of 2000, Israeli government sites
were subjected to e-mail flooding and "ping" attacks.
The attacks allegedly originated with Islamic elements trying
to inundate the systems with email messages. As one can see
from these examples overseas, "cyber terrorism"
-- meaning the use of cyber tools to shut down critical national
infrastructures (such as energy, transportation, or government
operations) for the purpose of coercing or intimidating a
government or civilian population -- is thus a very real threat.
We have worked closely with our international partners on computer intrusion cases, including cases in which hackers have illegally accessed U.S. government systems. In 1999 the FBI cooperated with New Scotland Yard in the United Kingdom on a case in which a UK citizen confessed to breaking into U.S. Navy systems. He was further suspected of intruding into other systems, including that of the U.S. Senate. He was sentenced to a term of 3 years on a probation-like status.
We believe that foreign intelligence services have adapted to using cyber tools as part of their information gathering tradecraft. While I cannot go into specific cases, there are overseas probes against U.S. government systems every day. It would be naive to ignore the possibility or even probability that foreign powers were behind some or all of these probes. The motivation of such intelligence gathering is obvious. By combining law enforcement and intelligence community assets and authorities under one Center, the NIPC can work with other agencies of the U.S. government to detect these foreign intrusion attempts.
The prospect of "information warfare" by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that many foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. Knowing that they cannot match our military might with conventional or "kinetic" weapons, nations see cyber attacks on our critical infrastructures or military operations as a way to hit what they perceive as America's Achilles' heel -- our growing dependence on information technology in government and commercial operations. For example, two Chinese military officers recently published a book that called for the use of unconventional measures, including the propagation of computer viruses, to counterbalance the military power of the United States.
Conclusion
While the NIPC has accomplished much over the last three years in building the first national-level operational capability to respond to cyber intrusions, much work remains. We have learned from cases that successful network investigation is highly dependent on expert investigators and analysts, with state-of-the-art equipment and training. We have built that capability both in the FBI Field Offices and at NIPC Headquarters, but we have much work ahead if we are to build our resources and capability to keep pace with the changing technology and growing threat environment, while at the same time being able to respond to several major incidents at once.
We are building the international, agency-to-agency, government-to-private-sector, and law enforcement partnerships that are vital to this effort. The NIPC is well suited to foster these partnerships since it has analysis, information sharing, outreach, and investigative missions. We are working with the executives in the infrastructure protection community with the goal of fostering the development of safe and secure networks for our critical infrastructures. While this is a daunting task, we are making progress.
Within the federal sector, we have seen how much can be accomplished when agencies work together, share information, and coordinate their activities as much as legally permissible. But on this score, too, more can be done to achieve the interagency and public-private partnerships called for by PDD-63. We need to ensure that all relevant agencies are sharing information about threats and incidents with the NIPC and devoting personnel and other resources to the Center so that we can continue to build a truly interagency, "national" center. Finally, we must work with Congress to make sure that policy makers understand the threats we face in the Information Age and what measures are necessary to secure our Nation against them. I look forward to working with the Members and Staff of this Committee to address these vitally important issues.
Thank you.