Testimony of Leslie G. Wiser, Jr., Chief, Training, Outreach,
and Strategy Section, National Infrastructure Protection
Center, FBI
Before
the House Committee on Government Affairs
Subcommittee on Government Efficiency, Financial Management,
and Intergovernmental Relations
San Jose, California, Field Hearing
August 29, 2001
"Cyber Security"
Good morning Chairman Horn, thank you for inviting me here today
to discuss cyber security issues. While I am going to discuss
broad aspects of cyber security and the role of the NIPC in
helping to secure the nation's critical infrastructures, I
am going to focus on some recent incidents that demonstrate
the success we can have when government partners with other
nations and with the private sector. I will then discuss the
NIPC's role in cyber security with respect to predicting,
preventing, detecting, and responding to incidents with an
emphasis on computer viruses and worms. The final part of
my statement will focus on some of the recent virus and worm
cases we have faced.
A virus is malicious computer code embedded within an executable program
that victims activate on their machines, usually by opening
an e-mail attachment. Often viruses are sent with notes instructing
recipients to open the attachment, such as the note with the
Melissa Macro Virus which stated "here is the document
you requested," or with a tantalizing title such as "sexxxy.jpg,"
or "naked wife." Worms, on the other hand, require
no action by the victims to activate. They spread on their
own from system to system without need for the victim to do
anything. The Code Red Worm, for example, automatically sends
itself to 99 IP addresses it generates. Once activated, viruses
and worms can do anything from deleting files to sending themselves,
together with documents on your hard drive, to some or all
of the names in your address book or to any internet protocol
address.
Arrest in Leave Worm case
On June 23, 2001, the NIPC issued Advisory 01-014, "New
Scanning Activity (with W32-Leave.worm) Exploiting SubSeven
Victims," regarding the Leave Worm activity. This particular
worm allowed the intruder access to an infected system while
the victim machine was connected to the Internet. It is believed
that home users' computers, without updated anti-virus
software, were the systems primarily infected by this worm.
Current anti-virus software will detect the presence of the
W32-Leave.worm. Full descriptions and removal instructions
can be found at various anti-virus web sites.
A 24-year-old male was arrested on July 23, 2001, in the United Kingdom
for violation of its Computer Misuse Act 1990.
The announcement of his arrest was delayed to avoid potentially
compromising the ongoing investigation. This individual who,
under British Law, cannot be identified at this time, was
arrested in connection with designing and propagating malicious
code, known as the W32-Leave.worm, or Leaves worm, into Windows-based
computer systems. This individual has been released from custody
and ordered to return to New Scotland Yard on September 24,
2001.
This malicious code was discovered by the analytical efforts of
the employees of the Systems Administration and Network Security
(SANS) Institute and reported by SANS to the NIPC. This arrest
came as a result of a joint FBI/New Scotland Yard, UK, investigation,
and illustrates the benefits of law enforcement and private
industry working together.
Ongoing Efforts on Code Red
The Code Red Worm was discovered in the wild on July 13, 2001, by network
administrators who were experiencing a large number of attacks
targeting the buffer overflow vulnerability first reported
in June, 2001. On June 19, 2001, the NIPC and FedCIRC issued
a joint advisory about the buffer overflow vulnerability that
targeted Microsoft Windows NT and Microsoft Windows 2000 operating
systems running IIS 4.0 and 5.0. On July 19, 2001, the NIPC
issued an advisory on the Code Red Worm. The advisory stated
that, "the activity of the Ida Code Red Worm has the
potential to degrade services running on the Internet."
In a single day, the Code Red Worm infected more than 250,000
systems in just nine hours. The Code Red Worm, which was first
reported by eEye Digital Security, takes advantage of known
vulnerabilities in the Microsoft IIS Internet Server Application
Program Interface (ISAPI) service. Un-patched systems are
susceptible to a "buffer overflow" in the Idq.dll,
which permits the attacker to run embedded code on the affected
system. This memory resident worm, once active on a system,
first attempts to spread itself by creating a sequence of
random IP addresses to infect unprotected web servers. Each
worm thread will then inspect the infected computer's
time clock. The trigger time for the DoS (denial-of-service) execution of the
Code Red Worm was at midnight on July 20, 2001. Upon successful
infection, the worm proceeded to use the time thread in an
effort to bring down the www.whitehouse.gov domain by having
the infected systems simultaneously send 100 connections to
port 80 of the White House's Internet Protocol address.
The original variant of the worm also placed the words "Welcome to
worm.com! Hacked by Chinese!" on the victim sites. Two
other variants of the original worm do not deface victim web
sites. The NIPC, along with its government and private sector
partners, realized that persons using Microsoft Windows NT
and Microsoft Windows 2000 operating systems running IIS 4.0
and 5.0 needed to be warned to patch their systems for the
safety of the entire Internet. Officials from the following
organizations were all involved in the response effort working
through the weekend of July 28-29: National Infrastructure
Protection Center (NIPC) of the FBI, Critical Infrastructure
Assurance Office (CIAO) of the Department of Commerce, Federal
Computer Incident Response Center (FedCIRC) of the General
Services Administration, Computer Emergency Response Team
Coordination Center (CERT/CC) of Carnegie Mellon University,
Systems Administration and Network Security (SANS) Institute,
Microsoft, Internet Security Systems, Inc. (ISS), Cisco Systems,
Inc., Partnership for Critical Infrastructure Security (PCIS),
Information Technology Association of America (ITAA), Digital
Island, Inc., Information Technology Information Sharing and
Analysis Center (IT-ISAC), Internet Security Alliance (ISA),
UUNet, and America Online.
On Sunday July 29, the NIPC, Microsoft Corporation, Federal
Computer Incident Response Center (FedCIRC), the Information
Technology Association of America (ITAA), CERT Coordination
Center (CERT/CC), SANS Institute, Internet Security Systems
(ISS), and the Internet Security Alliance (ISA) issued a joint
warning message about Code Red.
The NIPC posted the warning and numerous updates on its public website
(www.nipc.gov) and pushed the warning to InfraGard members
through the InfraGard communications network, to state and
local police through the National Threat Warning System, and
to tens of thousands of private sector companies via the FBI's
Awareness National Security Issues and Response (ANSIR) network.
By forwarding the warning message to those who may need it,
the NIPC strives to ensure that those who are part of its
information sharing networks receive the information as quickly
as possible with minimal effort on their part. In other cases
InfraGard has already prevented cyber attacks by discreetly
alerting InfraGard members to compromises on their systems.
For efforts such as the one made on Code Red, the InfraGard
initiative recently received the 2001 WorldSafe Internet Safety
Award from the Safe America Foundation.
On July 30 a joint news conference was held at the Ronald Reagan Building
in Washington, D.C. The presence of representatives of agencies,
companies, and organizations which produced the Code Red warning
demonstrated the seriousness of the threat and the public-private
partnership that has developed with regard to protecting our
information systems from attack. The urgency of the news conference
lay in the fear that the spread of the worm could absorb so
much bandwidth as to degrade the overall functioning of the
Internet. Since business, medical, and government professionals
increasingly depend on the Internet's functioning to conduct
normal operations, service degradation poses an emerging threat
to America's economy and security.
Microsoft has developed a patch for the identified vulnerability. According
to Microsoft, over 2 million copies of the IIS patch have
been downloaded. The July 30 news conference no doubt accelerated
this process. Since the patches can be downloaded and installed
on a number of machines, the actual number of systems patched
may be higher than 2 million. The NIPC and its partners have
received much positive feedback from the user community regarding
these efforts on Code Red.
We are hopeful that the worst of the damage feared was averted based
on this awareness campaign. Nevertheless Computer Economics,
a California-based Internet research organization, estimates
that the worm has already cost $2.4 billion in economic impact,
including $1 billion to cleanse, inspect, patch, and return
systems to normal service, and $1.4 billion for other support
functions related to lost productivity due to the worm. As
of August 8, the SANS Internet Storm Center noted that 661,044
unique IP addresses have been infected, with 150-175,000 machines
infected (machines can have more than one associated IP address).
While all of these figures are subject to revision, two trends
seem clear. First, the rate of infections from the original
worm has been substantial, although not at the same rate
as in July. Second, the aggressive efforts on the part of
the government and private sector urging computer users to
patch their systems seem to have paid off.
Self-propagating worms that exploit vulnerabilities in commonly
used software platforms will continue to pose a security challenge.
These worms require no social engineering (i.e. no one needs
to be tricked into revealing any information) and require
no action on the part of users (i.e. the opening of attachments).
As we saw with Code Red, they can hurt us in two ways: they
can consume Internet bandwidth during their propagation phase
if enough machines are infected, and they can carry harmful
payloads, such as instructions to launch an attack against a chosen
target. Anyone can be the next target as future worms may
result in much more destructive activity.
There is another worm we have been tracking since early August dubbed
Code Red II. This worm exploits the same vulnerability
as the original Code Red Worm and its variants, but instead
of compromising a system to launch Denial of Service attacks,
it installs a backdoor into infected systems that can be accessed
by anyone knowing that the victim system has been compromised.
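As an added, defender-side illustration of the detection role this statement discusses (example code written for this page, not part of the testimony or any NIPC tool), the Python below scans constructed IIS-style web server log lines for the request pattern the original Code Red and Code Red II worms are known to leave: a GET to /default.ida whose query begins with a long run of "N" (Code Red) or "X" (Code Red II), plus requests for the root.exe backdoor copy of the command shell that Code Red II is known to drop. The log field order, the run-length threshold, and every sample line are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from the testimony). Assumed IIS W3C-style field
# order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 13:02:11 192.0.2.10 GET /default.ida "
    + "N" * 40 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-07-19 13:02:15 192.0.2.11 GET /index.html - 200",
    "2001-08-05 02:14:09 198.51.100.7 GET /default.ida "
    + "X" * 40 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-08-05 02:14:10 198.51.100.7 GET /scripts/root.exe /c+dir 404",
])

# Code Red v1/v2 pad the overflowing .ida query with 'N'; Code Red II pads with 'X'.
# A run of 32 is a threshold chosen for this sample; real probes use far longer runs.
PAD_RUN = re.compile(r"^(N{32,}|X{32,})")
# Paths where Code Red II is known to leave its copy of cmd.exe as a backdoor.
BACKDOOR_PATHS = {"/scripts/root.exe", "/msadc/root.exe"}


def classify_request(uri_stem, uri_query):
    """Label one request: which worm family it matches, or None if nothing matched."""
    stem = uri_stem.lower()
    if stem == "/default.ida":
        m = PAD_RUN.match(uri_query)
        if m:
            return "code-red" if m.group(1)[0] == "N" else "code-red-ii"
        # Any hit on the vulnerable ISAPI extension is still worth a look.
        return "default.ida-probe"
    if stem in BACKDOOR_PATHS:
        return "code-red-ii-backdoor"
    return None


def parse_line(line):
    """Split one W3C-style line into a dict; None for headers, comments or short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time_, c_ip, method, stem, query, status = parts[:7]
    return {
        "when": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "src": c_ip, "method": method, "stem": stem,
        "query": query, "status": int(status),
    }


def scan_log(text):
    """Return one finding per matching request, in log order."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        kind = classify_request(rec["stem"], rec["query"])
        if kind:
            findings.append({"when": rec["when"], "src": rec["src"],
                             "kind": kind, "status": rec["status"]})
    return findings


def summarize(findings):
    """Counts by kind, distinct probing hosts, and the number of overflow attempts.

    The HTTP status alone does not prove the server was compromised; the count of
    attempts is a triage signal to be confirmed on the host (patch level, root.exe).
    """
    by_kind = Counter(f["kind"] for f in findings)
    attempts = sum(1 for f in findings if f["kind"] in ("code-red", "code-red-ii"))
    return {"by_kind": dict(by_kind),
            "unique_sources": len({f["src"] for f in findings}),
            "exploit_attempts": attempts}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["when"].isoformat(), f["src"], f["kind"], f["status"])
    print(summarize(results))
```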
On August 16 the NIPC released an assessment entitled "Code Red
Reminder and Clarification, Assessment 01-018." That
assessment clarifies issues related to which operating systems
and software are vulnerable to Code Red and also makes clear
that, contrary to some reports, we have not yet identified
a Code Red III.
The NIPC Approach to the Problem
Because the NIPC is an interagency Center, it could quickly react
to the recent infections of the Leave and Code Red Worms.
Senior leadership positions in the NIPC are held by personnel
from several agencies. The NIPC Director is a senior FBI executive.
The Deputy Director of the NIPC is a two-star Navy Rear Admiral
and the Executive Director is detailed from the Air Force
Office of Special Investigations. The Section and Unit Chiefs
in the Computer Investigation and Operations Section and the
Training, Outreach, and Strategy Section are from the FBI.
The Assistant Section Chief for Training, Outreach and Strategy
is detailed from the Defense Criminal Investigative Service.
The Section Chief of the Analysis and Warning Section is from
the CIA and his deputy is a senior FBI agent. The head of
the NIPC Watch and Warning Unit is reserved for a uniformed
service officer, and the head of the Analysis and Information
Sharing Unit is reserved for a National Security Agency manager.
This breadth of leadership has meant that when worms such
as Code Red appear, coordination across the civilian and military
agencies of the government is rapid and efficient.
But it is not just in the leadership ranks that the NIPC has broad
representation. Currently the Center has representatives from
the following agencies: FBI, Office of the Secretary of Defense,
Army, Air Force Office of Special Investigations, Defense
Criminal Investigative Service, National Security Agency,
United States Postal Service, Department of Transportation/Federal
Aviation Administration, Central Intelligence Agency, Department
of Commerce/Critical Infrastructure Assurance Office, and
the Department of Energy. This representation has given us
the unprecedented ability to reach back to the parent organizations
of our interagency detailees on intrusions and infrastructure
protection matters in order to provide and receive information.
In addition, we have formed an interagency coordination cell
at the Center which holds monthly meetings with U.S. Secret
Service, U.S. Customs Service, representatives from DoD investigative
agencies, the Offices of Inspector General of NASA, Social
Security Administration, Departments of Energy, State, and
Education, and the U.S. Postal Service, to discuss topics
of mutual concern.
This representation is not enough, however. The NIPC would like
to see all lead agencies represented in the Center. The more
broadly representative the NIPC is, the better job it can
do in responding to viruses, worms, and other intrusions into
critical U.S. systems.
We have established four strategic directions for our capability growth:
prediction, prevention, detection, and mitigation/response.
None of these are new concepts but the NIPC will renew its
focus on each of them in order to strengthen our strategic
analysis capabilities. The NIPC will work to further strengthen
its longstanding efforts on the early detection and mitigation
of cyber attacks. These strategic directions will be significantly
advanced by our intensified cooperation with federal agencies
and the private sector.
Prediction:
Our most ambitious strategic directions, prediction and prevention,
are intended to forestall attacks before they occur. We are
seeking ways to forecast or predict hostile capabilities in
much the same way that the military forecasts weapons threats.
The goal here is to forecast these threats with sufficient
warning to prevent them. A key to success in these areas will
be strengthened cooperation with intelligence collectors and
the application of sophisticated new analytic tools to better
learn from day-to-day trends. The strategy of prevention is
reminiscent of traditional community policing programs but
with our infrastructure partners and key systems vendors.
As the recent Leave and Code Red Worm incidents demonstrate,
our working relations have never been closer with key federal
agencies, like FedCIRC, NSA, CIA, and the Joint Task Force
- Computer Network Operations (JTF-CNO), and private sector
groups such as SANS, the anti-virus community, major Internet
Service Providers, and the backbone companies. These close
relationships aid in predicting events before they happen.
Prevention:
Our role in preventing the spread of computer viruses and worms as
well as other cyber intrusions into critical U.S. systems
is not to provide advice on what hardware or software to use
or to act as a federal systems administrator. Rather, our
role is to provide information about threats, ongoing incidents,
and exploited vulnerabilities so that government and private
sector system administrators can take the appropriate protective
measures. The NIPC has a variety of products to inform the
private sector and other domestic and foreign government agencies
of the threat, including: alerts, advisories, and assessments;
biweekly CyberNotes; monthly Highlights; and topical electronic
reports. These products are designed for tiered distribution
to both government and private sector entities consistent
with applicable law and the need to protect intelligence sources
and methods, and law enforcement investigations. For example,
Highlights is a publication for sharing analysis and information
on critical infrastructure issues. It provides analytical
insights into major trends and events affecting the nation's
critical infrastructures. It is usually published in an unclassified
format and reaches national security and civilian government
agency officials as well as infrastructure owners and operators.
CyberNotes is another NIPC publication designed to provide
security and information system professionals with timely
information on cyber vulnerabilities, hacker exploit scripts,
hacker trends, virus information, and other critical infrastructure-related
best practices. It is published on our website and disseminated
in hardcopy to government and private sector audiences.
The NIPC has elements responsible for both analysis and warning. What
makes the NIPC unique is that it has access to law enforcement,
intelligence, private sector, foreign liaison, and open source
information. No other entity has this range of information.
Complete and timely reporting of incidents from private industry
and government agencies allows NIPC analysts to make the linkages
between government and private sector intrusions. We are currently
working on integrating our databases consistent with the law
to allow us to more quickly make the linkages among seemingly
disparate intrusions. This database will leverage both the
unique information available to the NIPC through FBI investigations
and information available from the intelligence community
and open sources. Having these analytic functions at the NIPC
is a central element of its ability to carry out its preventive
mission.
The NIPC also shares information via its InfraGard Initiative. All
56 FBI field offices now have InfraGard chapters. Just in
the last six months the InfraGard Initiative has added over
1000 new members to increase the overall membership to over
1800. It is the most extensive government-private sector partnership
for infrastructure protection in the world, and is a service
we provide to InfraGard members free of charge. InfraGard
expands direct contacts with the private sector infrastructure
owners and operators and shares information about cyber intrusions
and vulnerabilities through the formation of local InfraGard
chapters within the jurisdiction of each of the 56 FBI Field
Offices and several of its Resident Agencies (subdivisions
of the larger field offices).
A key element of the InfraGard initiative is the confidentiality
of reporting by members. The reporting members edit out the
identifying information about themselves on the notices that
are sent to other members of the InfraGard network. This process
is called sanitization and it protects the information provided
by the victim of a cyber attack. Much of the information provided
by the private sector is proprietary and is treated as such.
InfraGard provides its membership with the capability to write
an encrypted sanitized report for dissemination to other members.
This measure helps to build a trusted relationship with the
private sector and at the same time encourages other private
sector companies to report cyber attacks to law enforcement.
InfraGard held its first national congress from June 12-14, 2001. This
conclave provided an excellent forum for NIPC senior managers
and InfraGard members to exchange ideas. InfraGard's success
is directly related to private industry's involvement in protecting
its critical systems, since private industry owns most of
the infrastructures. The dedicated work of the NIPC and the
InfraGard members is paying off. InfraGard has already prevented
cyber attacks by discreetly alerting InfraGard members to
compromises on their systems.
The NIPC is also working with the Information Sharing and Analysis
Centers (ISACs) established under the auspices of PDD-63.
The North American Electric Reliability Council (NERC) serves
as the electric power ISAC. The NIPC has developed a program
with the NERC for an Indications and Warning System for physical
and cyber attacks. Under the program, electric utility companies
and other power entities transmit incident reports to the
NIPC. These reports are analyzed and assessed to determine
whether an NIPC alert, advisory, or assessment is warranted
to the electric utility community. Electric power participants
in the program have stated that the information and analysis
provided by the NIPC makes this program especially worthwhile.
NERC has recently decided to expand this initiative nationwide.
This initiative will serve as a good example of government
and industry working together to share information, and the
Electric Power Indications and Warning System will provide
a model for the other critical infrastructures.
With the assistance of NERC, the NIPC conducted a six-month pilot
program and a series of workshops to familiarize participants
with the program's operating procedures. The workshops included
hands-on table-top exercises that required program participants
to work through simulated scenarios dealing with credible
cyber and physical attacks directed against the power industry.
In the summer of 2000, a half-day table-top exercise was held
for companies in NERC's Mid-Atlantic region allowing them
to role-play in responding to simulated incidents pre-scripted
by NIPC and company representatives. Since October 2000, the
NIPC supported by NERC conducted three workshops around the
country in order to provide program participants with hands-on
experience in responding to attacks against the electric power
grid. Eventually, the NIPC will strive to have similar models
and exercises for all the infrastructures.
The NIPC serves as sector liaison for the Emergency Law Enforcement
Services (ELES) Sector at the request of the FBI. The NIPC
completed the ELES Sector Plan in February, 2001. The ELES
Sector Plan was the first completed sector report under PDD-63
and was delivered to the White House on March 2, 2001. At
the Partnership for Critical Infrastructure Security in Washington,
D.C., in March, 2001, the ELES Plan was held up as a model
for the other sectors. The NIPC also sponsored the formation
of the Emergency Law Enforcement Services Sector Forum, which
meets quarterly to discuss issues relevant to sector security
planning. The Forum contains federal, state, and local representatives.
The next meeting of the Forum is scheduled for September,
2001.
The Plan was the result of two years' work in which the NIPC surveyed
law enforcement agencies concerning the vulnerabilities of
their infrastructure, in particular their data and communications
systems. Following the receipt of the survey results, the
NIPC and the ELES Forum produced the ELES Sector Plan. The
NIPC also produced a companion "Guide for State and Local
Law Enforcement Agencies" that provides guidance and
a "toolkit" that law enforcement agencies can use
when implementing the activities suggested in the Plan.
The importance of the ELES Sector Plan and the Guide cannot be overstated.
These documents will aid some 18,000 police and sheriffs'
departments located in towns and neighborhoods to better protect
themselves from attack by providing them with useful checklists
and examples of procedures they can use to improve their security.
Since the local police are usually among the first responders
to any incident threatening public safety, their protection
is vital.
Also, the NIPC has prepared model agreements to promote information
sharing and has presented them for negotiation to the following
existing or potential ISACs: Association of Metropolitan Water
Agencies (AMWA), Financial Services, Information Technology,
National Association of State Chief Information Officers (NASCIO),
National Coordinating Center (NCC) for Telecommunications,
National Emergency Management Association (NEMA), National
Petroleum Council (NPC), and US Fire Administration (USFA).
Offers for information sharing arrangements will be made to
the emerging Rail and Aviation ISACs. We are promoting the
establishment of an ISAC for the Public Health Services Sector.
With respect to the federal agencies, NIPC has developed a
model agreement for use in promoting information sharing with
the other 70 plus executive branch agencies, and will soon
launch a campaign to formalize these arrangements.
Detection:
Given the ubiquitous vulnerabilities in existing Commercial Off-the-Shelf
(COTS) software, intrusions into critical systems are inevitable
for the foreseeable future. Thus detection of these viruses,
worms, and other intrusions is crucial if the U.S. Government
and critical infrastructure owners and operators are going
to be able to respond effectively. To improve our detection
capabilities, we first need to ensure that we are fully collecting,
sharing, and analyzing all extant information. It is often
the case that intrusions can be discerned simply by collecting
bits of information from various sources; conversely, if we
do not collate these pieces of information for analysis, we
might not detect the intrusions at all. Thus the NIPC's role
in collecting information from all sources and performing
analysis in itself serves the role of detection.
Federal Agency system administrators need to work with NIPC. PDD-63
makes clear the importance of such reporting. It states, "All
executive departments and agencies shall cooperate with the
NIPC and provide such assistance, information and advice that
the NIPC may request, to the extent permitted by law. All
executive departments shall also share with the NIPC information
about threats and warning of attacks and about actual attacks
on critical government and private sector infrastructures,
to the extent permitted by law."
In order to carry out this mandate, the NIPC is working closely with
FedCIRC and the anti-virus community. The NIPC and the Computer
Emergency Response Team (CERT) at Carnegie Mellon University
have formed a mutually beneficial contractual relationship.
The NIPC receives information from the CERT that it incorporates
into strategic and tactical analyses and utilizes as part
of its warning function. The NIPC is routinely in telephonic
contact with CERT/CC and the anti-virus community for purposes
of sharing vulnerability and threat information on a real-time
basis. CERT/CC input is often sought when an NIPC warning
is in production. The NIPC also provides information to the
CERT that it obtains through investigations and other sources,
using CERT as one method for distributing information (normally
with investigative sources sanitized) to security professionals
in industry and to the public. The Watch also provides the
NIPC Daily Report to the CERT/CC via Internet e-mail. On more
than one occasion, the NIPC provided CERT with the first information
regarding a new threat, and the two organizations have often
collaborated in putting information out about incidents and
threats.
The NIPC has an excellent relationship with the General Services Administration's
Federal Computer Incident Response Center (FedCIRC). NIPC
and FedCIRC are both crucial to effective cyber defense but
serve different roles. When an agency reports an incident,
FedCIRC works with the agency to identify the type of incident,
mitigate any damage to the agency's system, and provide guidance
to the agency on recovering from the incident. FedCIRC has
detailed a person to the NIPC Watch Center. In addition, the
NIPC sends draft alerts, advisories, and assessments on a
regular basis to FedCIRC for input and commentary prior to
their release. NIPC and FedCIRC information exchange assists
both centers with their analytic products. The NIPC and FedCIRC
are currently discussing ways to improve the flow of information
between the two organizations and encourage federal agency
reporting of incident information to the NIPC.
In response to victim reports, the NIPC sponsored the development of tools
to detect malicious software code. For example, in December
1999, in anticipation of possible Y2K related malicious conduct,
the NIPC posted a detection tool on its web site that allowed
systems administrators to detect the presence of certain Distributed
Denial of Service (DDoS) tools on their networks. In those
cases, hackers planted tools named Trinoo, Tribal Flood Net
(TFN), TFN2K, and Stacheldraht (German for barbed wire) on
a large number of unwitting victim systems. Then when the
hacker sent a particular command, the victim systems in turn
began sending messages against target systems. The target
systems became overwhelmed with the traffic and were unable
to function. Users trying to access the victim system were
denied its services. The NIPC's detection tools were
downloaded thousands of times and have no doubt prevented
many DDoS attacks. In fact, in this cutting edge area of network
security, the NIPC's Special Technologies and Applications
Unit (STAU) received the 2000 SANS Award.
If we determine that an intrusion is imminent or underway, the NIPC
Watch is responsible for formulating assessments, advisories,
and alerts, and quickly disseminating them. The substance
of those products will come from work performed by NIPC analysts.
We can notify both private sector and government entities
using an array of mechanisms so they can take protective steps.
In some cases these warning products can prevent a wider attack;
in other cases warnings can mitigate an attack already underway.
This was the case both with our warnings regarding e-commerce
vulnerabilities and the more recent warnings posted about
Code Red. Finally, these notices can prevent attacks from
ever happening in the first place. For example, the NIPC released
an advisory on March 30, 2001, regarding the Lion Internet
Worm, which is a DDoS tool targeting Unix-based systems.
Based on all-source information and analysis, the NIPC alerted
systems administrators how to look for this compromise of
their system and what specific steps to take to remove the
tools if they are found. This alert was issued after consultation
with FedCIRC, JTF-CNO, a private sector ISAC, and other infrastructure
partners.
Mitigation/Response:
Despite our efforts, we know that critical U.S. systems will continue
to be attacked. The perpetrators could be criminal hackers,
teenagers, cyber protestors, terrorists, or foreign intelligence
services. In order to identify an intruder, the NIPC coordinates
an investigation that gathers information using either criminal
investigative or foreign counter-intelligence authorities,
depending on the circumstances. We also rely on the assistance
of other nations when appropriate.
In the cyber world, determining the "who, what, where, when,
and how" is difficult. An event could be a system probe
to find vulnerabilities or entry points, an intrusion to steal
data or plant sniffers or malicious code, the spreading of
a virus or worm, an act of teenage vandalism, an attack to
disrupt or deny service, or even an act of war. The crime
scene itself is totally different from the physical world
in that it is dynamic--it grows, contracts, and can change
shape. Further, the tools used to perpetrate a major infrastructure
attack can be the same ones that are freely available on the
Internet and used for other cyber intrusions (such as simple
hacking, foreign intelligence gathering, or organized crime
activity to steal property), making identification more difficult.
Obtaining reliable information is necessary not only to identify
the perpetrator but also to determine the size and nature
of the intrusion and what information security response may
prevent further attack: how many systems are affected, what
techniques are being used, and what is the purpose of the
intrusions--disruption, economic espionage, theft of money,
etc..
Relevant information could come from existing criminal investigations or other contacts at the FBI Field Office level. It could come from the U.S. Intelligence Community, other U.S. Government agency information, private sector contacts, the media, other open sources, or foreign law enforcement contacts. The NIPC's role is to coordinate, collect, analyze, and disseminate this information. Indeed this is one of the principal reasons the NIPC was created.
Because the Internet by its nature embodies a degree of anonymity, our government's proper response to an attack first requires significant investigative steps. Investigators typically need a full range of criminal and/or national security authorities to determine who launched the attack or authored the malicious code. There are many federal statutes that criminalize unauthorized conduct over the Internet. The law prohibits a wide variety of acts conducted with computers, some of which are traditional crimes (such as wire fraud and pornography) and others of which are more technology-specific crimes, such as hacking.
The primary Federal statute that criminalizes breaking into computers and spreading malicious viruses and worms is the Computer Fraud and Abuse Act, codified at Title 18 of the United States Code, Section 1030. Other statutes that are typically implicated in a hacking case include Section 1029 of Title 18, which criminalizes the misuse of computer passwords, and Section 2511 of Title 18, which criminalizes those hackers that break into systems and install "sniffers" to illegally intercept electronic communications. In order to investigate these violations, law enforcement relies on traditional sources and techniques to gather evidence, ranging from the public's voluntary assistance to court authorized searches and court authorized surveillance. We have similar investigative capabilities when pursuing cases in which foreign powers or terrorist organizations are impairing the confidentiality, integrity, or availability of our networks, although in these cases our legal authority typically is derived from the National Security Act of 1947 and the Foreign Intelligence Surveillance Act (FISA), both codified in Title 50 of the United States Code, rather than pursuant to the Federal Criminal Code.
The FBI has designated the NIPC to act as the program manager for all of its computer intrusion investigations, and the NIPC has made enormous strides in developing this critical nationwide program. In that connection, the NIPC works closely with the Department of Justice Criminal Division's Computer Crime and Intellectual Property Section, Office of Intelligence Policy and Review, and the U.S. Attorneys' Offices in coordinating legal responses.
In the event of a national-level set of intrusions into significant systems or a major virus outbreak, the NIPC will form a Cyber Crisis Action Team (C-CAT) to coordinate response activities and use the facilities of the FBI's Strategic Information and Operations Center (SIOC). The team will have expert investigators, computer scientists, analysts, watch standers, and other U.S. government agency representatives. Part of the U.S. government team might be physically located at FBI Headquarters and part of the team may be just electronically connected. The C-CAT will immediately contact field offices responsible for the jurisdictions where the attacks are occurring and where the attacks may be originating. The C-CAT will continually assess the situation, support and coordinate investigative activities, and issue updated warnings, as necessary, to all those affected by or responding to the crisis. The C-CAT will then coordinate the investigative effort to discern the scope of the attack, the technology being used, and the possible source and purpose of the attack.
The NIPC's placement in the FBI's Counterterrorism Division will allow for a seamless FBI response in the event of a terrorist action that encompasses both cyber and physical attacks. The NIPC and the other elements of the FBI's Counterterrorism Division have conducted joint operations and readiness exercises in the FBI's SIOC. We are prepared to respond when called upon.
As the Worm Turns
Over the past several years we have seen a wide range of cyber threats ranging from defacement of websites by juveniles to devastating worms and viruses released on the Internet. Some of these are obviously more significant than others. The theft of national security information from a government agency, or the interruption of electrical power to a major metropolitan area would have greater consequences for national security, public safety, and the economy than the defacement of a website. But even the less serious categories have real consequences and, ultimately, can undermine confidence in e-commerce and violate privacy or property rights. A web site hack that shuts down an e-commerce site can have disastrous consequences for a business. An intrusion that results in the theft of credit card numbers from an online vendor can result in significant financial loss and, more broadly, reduce consumers' willingness to engage in e-commerce. Because of these implications, it is critical that we have in place the programs and resources to investigate and, ultimately, to deter these sorts of crimes.
Virus attacks have become more prevalent in recent years. While tens of thousands of viruses and worms exist in the wild, the vast majority of them are not serious threats. But just a few of them have unleashed havoc on the networks. A survey by InformationWeek and PricewaterhouseCoopers conducted in the summer of 2000 estimated viruses would cause $1.6 trillion worth of damage in the year 2000 worldwide. That figure is larger than the gross domestic product of all but a handful of nations and demonstrates the huge economic costs that viruses and worms can have on the global economy.
In addition, because it is often difficult to determine whether a virus outbreak or worm propagation is the work of an individual with criminal motives or a foreign power, we must treat certain cases for their potential as a national security matter until we gather sufficient information to determine the nature, purpose, scope, and perpetrator of the attack. While we cannot discuss ongoing investigations, we can discuss closed cases that involve FBI and other agency investigations in which the intruders' methods and motivation were similar to what we are currently seeing. A few illustrative cases are described below:
As discussed above, Code Red infected over 150,000 systems and has yet to be stopped. But this is only the most recent in a growing list of computer worms. The first worm to get the attention of the computer user community was the Morris worm, released on November 2, 1988, by Robert Tappan Morris, a 23-year-old graduate student at Cornell University. The infant Internet community had never seen anything like this worm. In a matter of hours it had infected 6,000 machines and, while it did not damage files, it clogged the machines and made them unusable. The machines had to be disconnected from the Internet and repaired. Morris was convicted of violating the Computer Fraud and Abuse Act and sentenced to three years' probation, 400 hours of community service, and fined $10,500.
In May 2000 companies and individuals around the world were stricken by the Love Bug, a virus (or, technically, a worm) that traveled as an attachment to an e-mail message and propagated itself extremely rapidly through the victims' address books. The virus/worm also reportedly penetrated at least 14 federal agencies including the Department of Defense (DOD), the Social Security Administration, the Central Intelligence Agency, the Immigration and Naturalization Service, the Department of Energy, the Department of Agriculture, the Department of Education, the National Aeronautics and Space Administration (NASA), along with the House and Senate.
Investigative work by the FBI's New York Field Office, with assistance from the NIPC, traced the source of the virus to the Philippines within 24 hours. The FBI then worked, through the FBI Legal Attaché in Manila, with the Philippines National Bureau of Investigation, to identify the perpetrator. The speed with which the virus was traced back to its source is unprecedented. The prosecution in the Philippines was hampered by the lack of a specific computer crime statute. Nevertheless, Onel de Guzman was charged on June 29, 2000, with fraud, theft, malicious mischief, and violation of the Devices Regulation Act. However, those charges were dropped in August by Philippine judicial authorities. As a postscript, it is important to note that the Philippine government on June 14, 2000, reacted quickly and approved the E-Commerce Act, which now specifically criminalizes computer hacking and virus propagation. Also, the NIPC continues to work with other nations to provide guidance on the need to update criminal law statutes.
In some cases, we have been able to prevent the release of malicious code against public systems. On March 29, 2000, FBI Houston initiated an investigation when it was discovered that certain small businesses in the Houston area had been targeted by someone who was using their Internet accounts in an unauthorized manner and causing their hard drives to be erased. The next day, FBI Houston executed a search warrant on the residence of an individual who allegedly created a computer "worm" that seeks out computers on the Internet. This "worm" looked for computer networks that had certain sharing capabilities enabled, and used them for the mass replication of the worm. The worm caused the hard drives of randomly selected computers to be erased. The computers whose hard drives were not erased actively scanned the Internet for other computers to infect and forced the infected computers to use their modems to dial 911. Because each infected computer can scan approximately 2,550 computers at a time, this worm had the potential to create a denial of service attack against the 911 system. The NIPC issued a warning to the public through the NIPC webpage, SANS, InfraGard, and teletypes to government agencies. On May 15, 2000, Franklin Wayne Adams of Houston was charged by a federal grand jury with knowingly causing the transmission of a program onto the Internet that caused damage to a protected computer system by threatening public health and safety and by causing loss aggregated to at least $5000. Adams was also charged with unauthorized access to electronic or wire communications while those communications were in electronic storage. On April 5, 2001, Adams was sentenced to 5 years' probation and ordered to pay $12,353 in restitution. Under the terms of his sentencing, Adams is restricted to using a computer only for work and educational purposes.
National security threats remain our top concern. As Dr. Lawrence Gershwin, National Intelligence Officer for Science and Technology, told the Joint Economic Committee in June 2001, "For attackers, viruses and worms are likely to become more controllable, precise, and predictable--making them more suitable for weaponization. Advanced modeling and simulation technologies are likely to assist in identifying critical nodes for an attack and conducting battle damage assessments." The NIPC is concerned about three specific categories of national security intruders: terrorists, foreign intelligence services, and information warriors. As Gershwin noted in June, "Most U.S. adversaries have access to the technology needed to pursue computer network operations."
Terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and to communicate securely. In his statement on the worldwide threat in 2000, Director of Central Intelligence George Tenet testified that terrorist groups, including Hizbollah, HAMAS, the Abu Nidal organization, and Bin Laden's al Qaida organization are using computerized files, e-mail, and encryption to support their operations. In one example, convicted terrorist Ramzi Yousef, the mastermind of the World Trade Center bombing, stored detailed plans to destroy United States airliners on encrypted files on his laptop computer. While we have not yet seen these groups employ cyber tools as a weapon to use against critical infrastructures, their reliance on information technology and acquisition of computer expertise are clear warning signs. During the riots on the West Bank in the fall of 2000, Israeli government sites were subjected to e-mail flooding and "ping" attacks. The attacks originated with sympathetic Islamic elements trying to inundate the systems with email messages. As one can see from these examples overseas, cyber terrorism--which refers to malicious conduct in cyberspace to commit or threaten to commit acts dangerous to human life, or against a nation's critical infrastructures, such as energy, transportation, or government operations, in order to intimidate or coerce a government or civilian population, or any segment thereof, in furtherance of political or social objectives--is a very real threat.
Foreign intelligence services have adapted to using cyber tools as part of their information gathering tradecraft. While I cannot go into specific cases, there are overseas probes against U.S. government systems every day. It would be naive to ignore the possibility or even probability that foreign powers were behind some or all of these probes. The motivation of such intelligence gathering is obvious. By coordinating law enforcement and intelligence community assets and authorities in one Center, the NIPC can work with other agencies of the U.S. government to detect these foreign intrusion attempts.
The prospect of "information warfare" by foreign militaries against our critical infrastructures is perhaps the greatest potential cyber threat to our national security. We know that many foreign nations are developing information warfare doctrine, programs, and capabilities for use against the United States or other nations. In testimony in June 2001, National Intelligence Officer Gershwin stated that "for the next 5 to 10 years or so, only nation states appear to have the discipline, commitment, and resources to fully develop the capabilities to attack critical infrastructures."
Conclusion
While the NIPC has accomplished much over the last three years in building the first national-level operational capability to respond to cyber intrusions, much work remains. We have learned from cases that successful network investigation is highly dependent on expert investigators and analysts, with state-of-the-art equipment and training. We have had the resources to build some of that capability both in the FBI Field Offices and at the NIPC, but we have much work ahead if we are to build our resources and capability to keep pace with the changing technology and growing threat environment, while at the same time being able to respond to several major incidents at once.
We are building the agency to agency, government to private sector, foreign liaison, and law enforcement partnerships that are vital to this effort. The NIPC is well suited to foster these partnerships since it has analysis, information sharing, outreach, and investigative missions. We are working with the executives in the infrastructure protection community to foster the development of safe and secure networks for our critical infrastructures. While this is a daunting task, we are making progress.
Within the federal sector, we have seen how much can be accomplished when agencies work together, share information, and coordinate their activities as much as legally permissible. But on this score, too, more can be done to achieve the interagency and public-private partnerships called for by PDD-63. We need to ensure that all relevant agencies are sharing information about threats and incidents with the NIPC and devoting personnel and other resources to the Center so that we can continue to build a truly interagency, "national" center. Finally, we must work with Congress to make sure that policy makers understand the threats we face in the Information Age and what measures are necessary to secure our Nation against them. I look forward to working with the Members and Staff of this Subcommittee to address these vitally important issues.
Thank you.