Introductory Statement:
Good
morning Chairman McCain, and other members of the Committee.
On behalf of the FBI, I would like to thank you for this
opportunity to address the FBI's role in anti-spam initiatives.
Cyber
crime, in its many forms, continues to receive priority
attention from the FBI. A paramount objective of the Cyber
Division has been to arm field investigators with the necessary
resources to identify and combat evolving cyber crime matters.
Over the past 18 months, the FBI has supported the establishment
of more than 50 multi-jurisdictional task forces nationwide.
Partnerships with federal, state, and local law enforcement
are vital to the success of these teams, because cyber crime,
by its nature, does not respect jurisdictional boundaries
and we need to leverage existing resources to effectively
and efficiently fight cybercrime.
In
addition to law enforcement partnerships, another prime
objective of the FBI's Cyber Division is to establish active
partnerships with subject matter experts from the private
sector. Such experts are often better equipped to identify
cyber crimes at their earliest stages. Early identification
of cyber crimes is an absolute must, and directly correlates
to ultimate successes in investigating and prosecuting cyber
criminals.
In
keeping with this approach, and even before passage of the
CAN-SPAM Act by Congress, the FBI had begun work in a Public/Private
Alliance to specifically target the growing spam problem.
The Internet Crime Complaint Center (IC3), working in coordination
with industry, developed "SLAM-Spam," an initiative
that began operation last fall. This initiative targets
significant criminal spammers, as well as companies and
individuals that use spammers and their techniques to market
their products. It also investigates the techniques and
tools used by spammers to expand their targeted audience,
to circumvent filters and other countermeasures implemented
by consumers and industry, and to defraud customers with
misrepresented or non-existent products.
Enforcement
Before and After the CAN-SPAM Act:
Before
Congress passed the CAN-SPAM Act of 2003, some schemes perpetrated
by spam could have been pursued as violations of statutes
such as Title 18, United States Code, Section 1030 (fraud
and related activity in connection with computers) Title
18, United States Code, Section 2319 (criminal Infringement
of a copyright) or Title 18, United States Code, Section
1343 (wire fraud), as well as through several other existing
criminal or civil statutes. No existing statute, however,
directly addressed some typical behaviors of spammers, including:
using widely-available "open proxies" to bounce
e-mail traffic through intermediary computers with the intent
to hide the true location of the sender, the abuse of free
e-mail services to send out spam from accounts with false
registration information, and the use of tools to forge
the return address and other headers associated with the
e-mail. Prior to the CAN-SPAM Act, law enforcement lacked
the legal tools to address the spam problem directly. Because
of this, many investigators and prosecutors viewed cases
based primarily on the sending of spam as unlikely to result
in successful investigations and prosecutions. As the economic
impact attributable to spam, and the use of spam to send
unwanted pornographic images have become known, however,
law enforcement interest increased. Similarly, investigations
of computer intrusions and viruses have uncovered that infecting
computers with viruses is now often being done to facilitate
spam. In the SoBig.F computer intrusion investigation, we
learned that millions of computers were infected globally,
primarily to convert those computers into spam relays.
The
CAN SPAM Act now allows law enforcement to apply criminal
leverage to spammers, who previously were viewed as "facilitators"
of fraudulent schemes, but who would disclaim any knowledge
of the fraudulent or pornographic nature of the products
they were advertising. CAN-SPAM's provisions address the
most significant fraudulent and sexually explicit spam,
and provide both civil and criminal tools to combat them.
Project
SLAM-Spam:
In
response to the growing number of complaints it was receiving
about fraudulent and pornographic spam, the Internet Crime
Complaint Center began development of a project to address
the spam problem. The Center has developed extensive experience
in taking complaints relating to all types of crime occurring
over the Internet, analyzing them for significant patterns,
and then referring appropriate case leads out to the field
for further investigation. The IC3 receives more than 17,000
complaints every month from consumers alone, and additionally
receives a growing volume of referrals from key e-commerce
stakeholders. The use of spam is a substantial component
of these schemes, which includes reports of identity theft
schemes, fraudulent pitches and "get rich quick"
schemes, and unwanted pornography. Currently, over 25 percent
of all complaints to the IC3 involve some use of spam electronic
mail.
To
develop the project, the IC3 coordinated with industry Subject
Matter Experts and representatives of the Direct Marketing
Association (DMA), which have provided essential expertise
and resources to the project. The IC3 has also consulted
with the Federal Trade Commission, which has several years
of working with consumers on the spam problem. This project
has also identified a significant list of the methods used
by subjects to advance their individual schemes. I will
describe some of the efforts and summarize the primary accomplishments
of this project over the past six months, and project future
accomplishments, consistent with the overall project plan.
This include a national initiative in which suitable cases
developed or advanced through this project, will be highlighted
as part of our overall effort against those who have committed
criminal and civil violations of the CAN-SPAM Act.
The
first several months of the project focused on building
support structures to support the initiative. The IC3 identified
and consulted with Subject Matter Experts from Internet
Service Providers, anti-spam organizations, and other groups.
They defined responsibilities of participants, and began
weekly strategy meetings to ensure that progress and priorities
were consistent and clear. Experts developed communications
channels and databases to exchange information quickly and
robustly among the experts in the alliance. Finally, a list
of potential subjects was developed by analysts from the
Internet Crime Complaint Center (IC3), and compared against
existing IC3 referrals to determine if law enforcement had
already initiated investigations of subjects, and if those
investigations were making progress.
After
the effective date of the CAN-SPAM Act, the IC3 helped organize
and participated in three regional training conferences
on a number of subjects relating to cybercrime. At these
conferences, representatives of the FBI and Department of
Justice gave presentations designed to familiarize agents
specializing in cyber crime with the SLAM-Spam initiative,
the techniques used by spammers to falsify their identity,
and the additional criminal prohibitions in the CAN-SPAM
Act.
Identifying
the most significant subjects involved in criminal spam
scenarios is a prime objective of the SLAM-Spam initiative.
Equally significant has been developing those cases so that
they can be further investigated and prosecuted by field
offices, cyber task forces, and United States Attorneys'
Offices around the United States. Accordingly, while a growing
number of Internet crime schemes use spam to target larger
pools of victims, the Cyber Division's task force capabilities
have increased as well. Cyber Crime squads in our field
divisions are trained in quickly investigating computer
intrusions and virus attacks. When they are available, these
resources can also be used to investigate the source of
unwanted fraudulent and pornographic spam.
Project SLAM-Spam is on course and on schedule to achieve
substantial results against individuals and organizations
that are complicit in criminal (and potentially civil) schemes
where spam is used. As a result of these activities, more
than 20 Cyber Task Forces are actively pursuing criminal
and in some cases joint civil proceedings against subjects
identified to date. We expect that this number will continue
to rise, as successful actions are brought under this act.
We
are also improving our cooperation with the FTC, State Attorneys
General, and industry partners, because we understand that
criminal enforcement is only one aspect of the fight against
spam. While we cannot share every detail of ongoing criminal
investigations, we can and will share our knowledge about
tools and techniques used by spammers, their current primary
targets of opportunity, and the types of schemes they are
favoring.
Notable
Early Accomplishments of SLAM-Spam:
The
SLAM-Spam initiative has now moved beyond the planning stages,
and has begun identifying and packaging investigations from
the field. Within the last few months, the Initiative has: