Testimony of Michael A. Vatis, Director, National Infrastructure
Protection Center, FBI
Before the Senate
Judiciary Committee, Subcommittee on Technology and Terrorism
October 6, 1999
"NIPC Cyber Threat Assessment,
October 1999"
Introduction
Mr. Chairman, Senator Feinstein, and Members of the Committee:
Thank you for inviting me here today to discuss critical infrastructure
protection issues. Mr. Chairman, you and this committee have
been leaders in recognizing the importance of these issues
and the urgency of addressing the new threats to our national
security in the Information Age, and I welcome this opportunity
to share our perspectives with you today. As you know, the
Federal Government is developing its capabilities for dealing
with threats to our nation's infrastructures. Presidential
Decision Directive-63 set in motion an unprecedented effort
to protect our nation's critical infrastructures, which the
PDD defined as "those physical and cyber-based systems
essential to the minimum operations of the economy and government."
Critical infrastructures include telecommunications, energy,
banking and finance, transportation, water systems, and emergency
services, both public and private. The PDD formally designated
the National Infrastructure Protection Center (NIPC) to have
a central operational role in the government's effort. The
Center works closely with the National Coordinator for Security,
Infrastructure Protection, and Counter-terrorism; the Department
of Defense (DoD); the U.S. Intelligence Community (USIC);
other federal agencies; and the private sector to protect
our critical infrastructures. My statement will cover the
spectrum of threats we are facing and the status of the NIPC
and its activities.
Spectrum of Threats
The news media is filled with examples of intrusions into
government and private sector computer networks. Politically
motivated hackers have been attacking numerous U.S. Government
websites, including the Senate's. Deputy Secretary of Defense
John Hamre reported in February that DoD is "detecting
80 to 100 [potential hacking] events daily." We have
had several damaging computer viruses this year, including
the Melissa Macro Virus, the Explore.Zip Worm, and the CIH
(Chernobyl) Virus. Computer Economics, Inc., a California
firm, estimates that damage in the first two quarters of 1999
from viruses has topped $7 billion. The FBI's case load for
computer hacking and network intrusion cases has doubled each
of the last two years. Currently we have over 800 pending
investigations. In its 1999 survey, the Computer Security
Institute estimated the total financial losses by the 163
businesses it surveyed from computer security breaches at
$123.7 million. This includes everything from theft of proprietary
data to denial of service on networks. E-commerce has become
so important that firms, including Sedgwick Group PLC (in
cooperation with IBM), Lloyds of London, and Network Risk
Management Services, are now offering "hacker insurance."
Sensitive Intrusions
In the past few years we have seen a series of intrusions
into numerous Department of Defense computer networks as well
as networks of other federal agencies, universities, and private
sector entities. Intruders have successfully accessed U.S.
Government networks and taken large amounts of unclassified
but sensitive information. In investigating these cases, the
NIPC has been coordinating with FBI Field Offices, the Department
of Defense, and other government agencies, as circumstances
require. But it is important that the Congress and the American
public understand the very real threat that we are facing
in the cyber realm, not just in the future, but now.
Information Warfare
Perhaps the greatest potential threat to our national security
is the prospect of "information warfare" by foreign
militaries against our critical infrastructures. We know that
several foreign nations are already developing information
warfare doctrine, programs, and capabilities for use against
each other and the United States or other nations. Foreign
nations are developing information warfare programs because
they see that they cannot defeat the United States in a head-to-head
military encounter and they believe that information operations
are a way to strike at what they perceive as America's Achilles
Heel -- our reliance on information technology to control
critical government and private sector systems. For example,
two Chinese military officers recently published a book that
called for the use of unconventional measures, including the
propagation of computer viruses, to counterbalance the military
power of the United States. In addition, during the recent
conflict in Yugoslavia, hackers sympathetic to Serbia electronically
"ping" attacked NATO web servers. And Russian as
well as other individuals supporting the Serbs attacked websites
in NATO countries, including the United States, using virus-infected
e-mail and hacking attempts. Over 100 entities in the United
States received these e-mails. Several British organizations
lost files and databases. These attacks did not cause any
disruption of the military effort, and the attacked entities
quickly recovered. But such attacks are portents of much more
serious attacks that we can expect foreign adversaries to
attempt in future conflicts.
Foreign intelligence services
Foreign intelligence services have adapted to using cyber
tools as part of their information gathering and espionage
tradecraft. In a case dubbed "the Cuckoo's Egg,"
between 1986 and 1989 a ring of West German hackers penetrated
numerous military, scientific, and industry computers in the
United States, Western Europe, and Japan, stealing passwords,
programs, and other information which they sold to the Soviet
KGB. Significantly, this was over a decade ago -- ancient
history in Internet years. While I cannot go into specifics
about the situation today in an open hearing, it is clear
that foreign intelligence services increasingly view computer
intrusions as a useful tool for acquiring sensitive U.S. government
and private sector information.
Terrorists
Terrorists are
known to use information technology and the Internet to formulate
plans, raise funds, spread propaganda, and to communicate
securely. For example, convicted terrorist Ramzi Yousef, the
mastermind of the World Trade Center bombing, stored detailed
plans to destroy United States airliners on encrypted files
on his laptop computer. Moreover, some groups have already
used cyber attacks to inflict damage on their enemies' information
systems. For example, a group calling itself the Internet
Black Tigers conducted a successful "denial of service"
attack on servers of Sri Lankan government embassies. Italian
sympathizers of the Mexican Zapatista rebels attacked web
pages of Mexican financial institutions. And a Canadian government
report indicates that the Irish Republican Army has considered
the use of information operations against British interests.
We are also concerned that Aum Shinrikyo, which launched the
deadly Sarin gas attack in the Tokyo subway system, could
use its growing expertise in computer manufacturing and Internet
technology to develop "cyber terrorism" weapons
for use against Japanese and U.S. interests. Thus while we
have yet to see a significant instance of "cyber terrorism"
with widespread disruption of critical infrastructures, all
of these facts portend the use of
cyber attacks by terrorists to cause pain to targeted governments
or civilian populations by disrupting critical systems.
Criminal Groups
We are also beginning to see the increased use of cyber intrusions
by criminal groups who attack systems for purposes of monetary
gain. For example, in 1994 the U.S. Secret Service uncovered
a $50 million phone card scam that abused the accounts of
AT&T, MCI, and Sprint customers. In addition, in 1994-95
an organized crime group headquartered in St. Petersburg,
Russia, transferred $10.4 million from Citibank into accounts
all over the world. After surveillance and investigation by
the FBI's New York field office, all but $400,000 of the funds
were recovered. In another case, Carlos Felipe Salgado, Jr.
gained unauthorized access to several Internet Service Providers
in California and stole 100,000 credit card numbers with a
combined limit of over $1 billion. The FBI arrested him in
the San Francisco International Airport when he tried to sell
the credit card numbers to a cooperating witness for $260,000.
With the expansion of electronic commerce, we expect to see
an increase in hacking by organized crime as the new frontier
for large-scale theft.
Just two weeks ago, two members of a group dubbed the "Phonemasters"
were sentenced after their conviction for theft and possession
of unauthorized access devices (18 USC §1029) and unauthorized
access to a federal interest computer (18 USC §1030).
The "Phonemasters" are an international group of
criminals who penetrated the computer systems of MCI, Sprint,
AT&T, Equifax, and even the FBI's National Crime Information
Center (NCIC). Under judicially approved electronic surveillance
orders, the FBI's Dallas Field Office made use of new data
intercept technology to monitor the calling activity and modem
pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell
downloaded thousands of Sprint calling card numbers, which
he sold to a Canadian individual, who passed them on to someone
in Ohio. These numbers made their way to an individual in
Switzerland and eventually ended up in the hands of organized
crime groups in Italy. Mr. Cantrell was sentenced to two years
as a result of his guilty plea, while one of his associates,
Cory Lindsay, was sentenced to 41 months.
The "Phonemasters" activities should serve as a
wake up call for corporate security. Their methods included
"dumpster diving" to gather old phone books and
technical manuals for systems. They then used this information
to trick employees into giving up their logon and password
information. The group then used this information to break
into victim systems. It is important to remember that often
"cyber crimes" are facilitated by old fashioned
guile, such as calling employees and tricking them into giving
up passwords. Good "cyber security" practices must
therefore address personnel security and "social engineering"
in addition to instituting electronic security measures.
Virus Writers
Virus writers are posing an increasingly serious threat to
networks and systems worldwide. As noted above, we have had
several damaging computer viruses this year, including the
Melissa Macro Virus, the Explore.Zip worm, and the CIH (Chernobyl)
Virus. The NIPC frequently sends out warnings regarding particularly
dangerous viruses.
Earlier this year, we reacted quickly to the spread of the
Melissa Macro Virus. While there are dozens of viruses released
every day, the speedy propagation of Melissa and its effects
on networks caused us great concern. Within hours of learning
about the virus on Friday, March 26, 1999, we had coordinated
with key cyber response components of DoD and the Computer
Emergency Response Team (CERT) at Carnegie-Mellon University.
Our Watch operation went into a 24-hour posture and sent out
warning messages to federal agencies, state and local law
enforcement, FBI Field Offices, and the private sector. Because
the virus affected systems throughout the public, we also
took the unusual step of issuing a public warning through
the FBI's Public Affairs Office and on our website. These
steps helped mitigate the damage by alerting computer users
of the virus and of protective steps they could take.
On the investigative side, the NIPC acted as a central point
of contact for the Field Offices who worked leads on the case.
A tip received by the New Jersey State Police from America
Online, and their follow-up investigation with the FBI's Newark
Field Office, led to the April 1, 1999 arrest of David L.
Smith. Search warrants were executed in New Jersey by the
New Jersey State Police and FBI Special Agents from the Newark
Field Office.
Just in the last few weeks we have seen reports on the Suppl
Word Macro virus, the toadie.exe virus, and the W97M/Thurs.A
(or Thursday) virus. This last virus has already infected
over 5,000 machines, according to news reports, and deletes
files on victims' hard drives. The payload of the virus is
triggered on 12-13 and disables the macro virus protection
in Word 97. We are also concerned with the propagation of
a Trojan Horse called Back Orifice 2000, which allows malicious
actors to monitor or tamper with computers undetected by the
users.
Virus writers are not often broken out as a threat category,
and yet they often do more damage to networks than hackers
do. The prevalence of computer viruses reminds us that we
all have to be very careful about the attachments we open
and we all must be sure to keep our anti-virus software up-to-date.
Hacktivism
Recently we have seen a rise in what has been dubbed "hacktivism"--
politically motivated attacks on publicly accessible web pages
or e-mail servers. These groups and individuals overload e-mail
servers and hack into web sites to send a political message.
While these attacks generally have not altered operating systems
or networks, they still damage services and deny the public
access to websites containing valuable information and infringe
on others' right to communicate. One such group is called
the "Electronic Disturbance Theater," which promotes
civil disobedience on-line in support of its political agenda
regarding the Zapatista movement in Mexico and other issues.
This past spring they called for worldwide electronic civil
disobedience and have taken what they term "protest actions"
against White House and Department of Defense servers. Supporters
of Kevin Mitnick, recently convicted of numerous computer
security offenses, hacked into the Senate webpage and defaced
it in May and June of this past year. The Internet has enabled
new forms of political gathering and information sharing for
those who want to advance social causes; that is good for
our democracy. But illegal activities that disrupt e-mail
servers, deface web-sites, and prevent the public from accessing
information on U.S. government and private sector web sites
should be regarded as criminal acts that deny others their
First Amendment rights to communicate rather than as an acceptable
form of protest.
"Recreational" Hackers
Virtually every day we see a report about "recreational
hackers," or "crackers," who crack into networks
for the thrill of the challenge or for bragging rights in
the hacker community. While remote cracking once required
a fair amount of skill or computer knowledge, the recreational
hacker can now download attack scripts and protocols from
the World Wide Web and launch them against victim sites. Thus
while attack tools have become more sophisticated, they have
also become easier to use.
These types of hacks are very numerous and may appear on their
face to be benign. But they can have serious consequences.
A well-known example of this involved a juvenile who hacked
into the NYNEX (now Bell Atlantic) telephone system that serviced
the Worcester, Massachusetts area using his personal computer
and modem. The hacker shut down telephone service to 600 customers
in the local community. The resulting disruption affected
all local police and fire 911 services as well as the ability
of incoming aircraft to activate the runway lights at the
Worcester airport. Telephone service was out at the airport
tower for six hours. The U.S. Secret Service investigation
of this case also brought to light a vulnerability in 22,000
telephone switches nationwide that could be taken down with
four keystrokes. Because he was a juvenile, however, the hacker
was sentenced to only two years probation and 250 hours of
community service, and was forced to forfeit the computer
equipment used to hack into the phone system and reimburse
the phone company for $5,000. This case demonstrated that
an attack against our critical communications hubs can have
cascading effects on several infrastructures. In this case,
transportation, emergency services, and telecommunications
were disrupted. It also showed that widespread disruption
could be caused by a single person from his or her home computer.
Insider Threat
The disgruntled insider is a principal source of computer
crimes. Insiders do not need a great deal of knowledge about
computer intrusions, because their knowledge of victim systems
often allows them to gain unrestricted access to cause damage
to the system or to steal system data. The 1999 Computer Security
Institute/FBI report notes that 55% of respondents reported
malicious activity by insiders.
There are many cases in the public domain involving disgruntled
insiders. For example, Shakuntla Devi Singla used her insider
knowledge and another employee's password and logon identification
to delete data from a U.S. Coast Guard personnel database
system. It took 115 agency employees over 1800 hours to recover
and reenter the lost data. Ms. Singla was convicted and sentenced
to five months in prison, five months home detention, and
ordered to pay $35,000 in restitution.
In another case, a former Forbes employee named George Parente
got into Forbes systems using another employee's password
and login identification and crashed over half of Forbes'
computer network servers and erased all of the data on each
of the crashed services. The data could not be restored. The
losses to Forbes were reportedly over $100,000.
Identifying the Intruder
One major difficulty that distinguishes cyber threats from
physical threats is determining who is attacking your system,
why, how, and from where. This difficulty stems from the ease
with which individuals can hide or disguise their tracks by
manipulating logs and directing their attacks through networks
in many countries before hitting their ultimate target. The
now well-known "Solar Sunrise" case illustrates this
point. Solar Sunrise was a multi-agency investigation (which
occurred while the NIPC was being established) of intrusions
into more than 500 military, civilian government, and private
sector computer systems in the United States, during February
and March 1998. The intrusions occurred during the build-up
of United States military personnel in the Persian Gulf in
response to tension with Iraq over United Nations weapons
inspections. The intruders penetrated at least 200 unclassified
U.S. military computer systems, including seven Air Force
bases and four Navy installations, Department of Energy National
Laboratories, NASA sites, and university sites. Agencies involved
in the investigation included the FBI, DoD, NASA, Defense
Information Systems Agency, AFOSI, and the Department of Justice.
The timing of the intrusions and links to some Internet Service
Providers in the Gulf region caused many to believe that Iraq
was behind the intrusions. The investigation, however, revealed
that two juveniles in Cloverdale, California and several individuals
in Israel were the culprits. Solar Sunrise thus demonstrated
to the interagency community how difficult it is to identify
an intruder until facts are gathered in an investigation,
and why assumptions cannot be made until sufficient facts
are available. It also vividly demonstrated the vulnerabilities
that exist in our networks; if these individuals were able
to assume "root access" to DoD systems, it is not
difficult to imagine what hostile adversaries with greater
skills and resources would be able to do. Finally, Solar Sunrise
demonstrated the need for interagency coordination by the
NIPC.
Special Threat: Y2K Malicious Activity
The main concern with the Y2K rollover is, of course, the
possibility of widespread service outages caused by the millennium
date problem in older computer systems. The President's Y2K
Council has done an excellent job in helping the nation prepare
for the rollover event. Given our overall mission under PDD
63, the NIPC's role with regard to Y2K will be to maintain
real-time awareness of intentional cyber threats or
incidents that might take place around the transition to 2000,
disseminate warnings to the appropriate government and private
sector parties, and coordinate the government's response to
such incidents. We are not responsible for dealing
with system outages caused by the millennium bug. Because
of the possibility that there might be an increase in malicious
activity around January 1, 2000, we have formulated contingency
plans both for NIPC Headquarters and the FBI Field Offices.
We are presently augmenting our existing relationships and
information-sharing mechanisms with relevant entities in the
federal government, such as the Information Coordination Center
(ICC), state and local governments, private industry, and
the CERT/FIRST community. Information will come to us from
a variety of places, including FBI field offices and Legal
Attaches overseas, as well as the ICC. FBI field offices are
also tasked to establish Y2K plans for their regions of responsibility.
In essence, all of the activities that we will undertake during
the rollover period are ones we perform every day. The difference
is that we will be prepared to conduct them at an increased
tempo to deal with any incidents occurring during the Y2K
rollover.
There is one potential problem associated with Y2K that causes
us special concern -- the possibility that malicious actors,
foreign or domestic, could use the Y2K remediation process
to install malicious code in the "remediated" software.
Thousands of companies across the United States and around
the world are busy having their source code reviewed to ensure
that they are "Y2K compliant." Those who are doing
the Y2K remediation are almost always contractors who are
given the status of a trusted insider with broad authority
to review and make changes to the source code that runs information
systems. These contractors could, undetected, do any of the
following to compromise systems:
- Install Trap Doors: By installing trap doors, intruders can later gain
access to a system through an opening that they have created
and then exploit or attack the system.
- Obtain "Root Access": Given their level of access, remediation
companies can gain the same extensive privileges as the
system administrator, allowing them to steal or alter
information or engage in a "denial of service"
attack on the system.
- Implant Malicious Code: By implanting malicious code, someone could place
a logic bomb or a time-delayed virus in a system that
will later disrupt it. A malicious actor could also implant
a program to compromise passwords or other aspects of
system security.
- Map Systems: By mapping systems as a trusted insider, a contractor
can gain valuable information to sell to economic competitors
or even foreign intelligence agencies.
Systems can be compromised for any number of purposes, including
foreign intelligence activities, information warfare, industrial
espionage, terrorism, or organized crime. And since any vulnerabilities
that are implanted will persist as long as the software is
in place, this is a problem that will last well beyond January
1, 2000. Companies and government agencies therefore need
to determine how they will deal with this potential "Post-Y2K
problem" on their critical systems.
We have little concrete evidence so far of vendors' planting
malicious code during remediation. But the threat is such
that companies should take every precaution possible. Of course,
checking the remediation work to make sure that no malicious
code was implanted in a system is no easy matter. If reviewing
the millions of lines of code at issue were simple, there
would be little need for Y2K contractors in the first place.
Nevertheless, given the vulnerabilities that could be implanted
in critical systems, it is imperative that the client companies
do as much as possible to check the background of the companies
doing their remediation work, oversee the remediation process
closely, and review new code as closely as possible and remove
any extraneous code. Further, companies should test for trap
doors and other known vulnerabilities to cracking. Companies
can also use "red teams" to try to crack the software
and further determine if trap doors exist.
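One concrete way a client can "oversee the remediation process closely" and spot "extraneous code" is to hash the source tree before the contractor starts and again when the work is handed back, then compare the two snapshots against the scope the contractor was authorised to touch. The script below is an added illustration of that check; it is not NIPC code and not part of the testimony. The file names, contents and the scope prefix are constructed for the example, and the in-memory dictionaries stand in for the two checkouts (snapshot_tree does the same job against a real directory).

```python
import hashlib
import os

# Constructed sample: a tiny source tree as checked out before a Y2K
# remediation contractor started, and the same tree as handed back.
# Every path and file body here is invented for this illustration.
BEFORE_FILES = {
    "src/payroll/dates.c":  b"int year2(int y) { return y % 100; }\n",
    "src/payroll/report.c": b"void report(void) { /* prints payroll */ }\n",
    "src/auth/login.c":     b"int check(const char *u, const char *p) { return verify(u, p); }\n",
}
AFTER_FILES = {
    # the date-handling fix the contractor was hired to make (in scope)
    "src/payroll/dates.c":  b"int year4(int y) { return y < 100 ? y + 1900 : y; }\n",
    # untouched
    "src/payroll/report.c": b"void report(void) { /* prints payroll */ }\n",
    # an authentication file was changed although the work order never covered it
    "src/auth/login.c":     b"int check(const char *u, const char *p) { return verify(u, p); }\n"
                            b"int maint(void) { return 1; }\n",
    # a brand-new hidden file appeared outside the work order
    "src/auth/.maint.c":    b"int maint(void) { return 1; }\n",
}
# Hypothetical statement of work: only files under these prefixes may change.
REMEDIATION_SCOPE = ("src/payroll/",)


def snapshot_from_contents(files):
    """Hash an in-memory {path: bytes} tree; same shape as snapshot_tree()."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_tree(root):
    """Hash every regular file under a real directory -> {relative_path: sha256}."""
    snap = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def compare_snapshots(before, after, scope_prefixes):
    """Classify every difference between two snapshots and flag changes
    that fall outside the authorised remediation scope."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    touched = added + removed + modified
    out_of_scope = sorted(p for p in touched if not p.startswith(tuple(scope_prefixes)))
    return {"added": added, "removed": removed,
            "modified": modified, "out_of_scope": out_of_scope}


def review_remediation(before_files=BEFORE_FILES, after_files=AFTER_FILES,
                       scope=REMEDIATION_SCOPE):
    """Run the comparison over the constructed sample (or any two trees)."""
    return compare_snapshots(snapshot_from_contents(before_files),
                             snapshot_from_contents(after_files), scope)


if __name__ == "__main__":
    report = review_remediation()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            flag = "  <-- OUTSIDE WORK ORDER" if path in report["out_of_scope"] else ""
            print(f"{kind:9s} {path}{flag}")
```

The hash comparison tells the reviewer where to look, not whether the change is benign: every entry in out_of_scope needs an explanation from the contractor, and every in-scope modification still needs a line-by-line diff review, since a whole-file hash cannot distinguish the intended date fix from extra code slipped into the same file.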
Status of the NIPC
The NIPC is an interagency Center located at the FBI. Created
in 1998, the NIPC serves as the focal point for the government's
efforts to warn of and respond to cyber intrusions. In PDD-63,
the President directed that the NIPC "serve as a national
critical infrastructure threat assessment, warning, vulnerability,
and law enforcement investigation and response entity."
The PDD further states that the mission of the NIPC "will
include providing timely warnings of intentional threats,
comprehensive analyses and law enforcement investigation and
response."
Thus, the PDD places the NIPC at the core of the government's
warning, investigation, and response system for threats to,
or attacks on, the nation's critical infrastructures. The
NIPC is the focal point for gathering information on threats
to the infrastructures as well as "facilitating and coordinating
the Federal Government's response to an incident." The
PDD further specifies that the NIPC should include "elements
responsible for warning, analysis, computer investigation,
coordinating emergency response, training, outreach, and development
and application of technical tools."
The NIPC has a vital role in collecting and disseminating
information from all relevant sources. The PDD directs the
NIPC to "sanitize law enforcement and intelligence information
for inclusion into analyses and reports that it will provide,
in appropriate form, to relevant federal, state, and local
agencies; the relevant owners and operators of critical infrastructures;
and to any private sector information sharing and analysis
entity." The NIPC is also charged with issuing "attack
warnings or alerts to increases in threat condition to any
private sector information sharing and analysis entity and
to the owners and operators."
In order to perform its role, the NIPC is continuing to establish
a network of relationships with a wide range of entities in
both the government and the private sector. The PDD provides
for this in several ways. First, it states that the Center
will "include representatives from the FBI, U.S. Secret
Service, and other investigators experienced in computer crimes
and infrastructure protection, as well as representatives
detailed from the Department of Defense, Intelligence Community
and Lead Agencies."1
Second, pursuant to the PDD, the NIPC has electronic links
to the rest of the government in order to facilitate the sharing
of information and the timely issuance of warnings. Third,
the PDD directs all executive departments and agencies to
"share with the NIPC information about threats and warning
of attacks and actual attacks on critical government and private
sector infrastructures, to the extent permitted by law."
By bringing other agencies directly into the Center and building
direct communication linkages, the Center provides a means
of coordinating the government's cyber expertise and ensuring
full sharing of information, consistent with applicable laws
and regulations.
To accomplish its goals under the PDD, the NIPC is organized
into three sections:
1) The Computer Investigations and Operations Section (CIOS)
is the operational and response arm of the Center. It program
manages computer intrusion investigations conducted by FBI
Field Offices throughout the country; provides subject matter
experts, equipment, and technical support to cyber investigators
in federal, state, and local government agencies involved
in critical infrastructure protection; and provides a cyber
emergency response capability to help resolve a cyber incident.
2) The Analysis and Warning Section (AWS) serves as the "indications
and warning" arm of the NIPC. The AWS reviews numerous
government and private sector databases, media, and other
sources daily to disseminate information that is relevant
to any aspect of NIPC's mission, including the gathering of
indications of a possible attack. It provides analytical support
during computer intrusion investigations, performs analyses
of infrastructure risks and threat trends, and produces current
analytic products for the national security and law enforcement
communities, the owners-operators of the critical infrastructures,
and the computer network managers who protect their systems.
It also distributes tactical warnings, alerts, and advisories
to all the relevant partners, informing them of exploited
vulnerabilities and threats.
3) The Training, Outreach and Strategy Section (TOSS) coordinates
the training and continuing education of cyber investigators
within the FBI Field Offices and other federal, state and
local law enforcement agencies. It also coordinates our liaison
with private sector companies, state and local governments,
other government agencies, and the FBI's Field Offices. In
addition, this section manages our collection and cataloguing
of information concerning "key assets" -- i.e.,
critical individual components within each infrastructure
sector, such as specific power grids, telecommunications switch
nodes, or financial systems -- across the country.
To facilitate our ability to investigate and respond to attacks,
the FBI has created the National Infrastructure Protection
and Computer Intrusion (NIPCI) Program in the 56 FBI Field
Offices across the country. Under this program, managed by
the NIPC at FBIHQ, "NIPCI" squads consisting of
at least seven agents have been created in 10 Field Offices:
Washington D.C., New York, San Francisco, Chicago, Dallas,
Los Angeles, Atlanta, Charlotte, Boston, and Seattle. For
FY 2000, we intend to reallocate our existing field agent
complement to create six additional squads in Baltimore, Houston,
Miami, Newark, New Orleans, and San Diego. Because of resource
constraints, the other field offices have only 1 - 5 agents
dedicated to working NIPCIP matters.
The NIPC's mission clearly requires the involvement and expertise
of many agencies other than the FBI. This is why the NIPC,
though housed at the FBI, is an interagency center that brings
together personnel from all the relevant agencies. In addition
to our 79 FBI employees, the NIPC currently has 28 representatives
from: DoD (including the military services and component agencies),
the CIA, DOE, NASA, the State Department as well as federal
law enforcement, including the U.S. Secret Service, the U.S.
Postal Service and, until recently, the Oregon State Police.
The NIPC is in the process of seeking additional representatives
from State and local law enforcement.
But clearly we cannot rely on government personnel alone.
Much of the technical expertise needed for our mission resides
in the private sector. Accordingly, we rely on contractors
to provide technical and other assistance. We are also in
the process of arranging for private sector representatives
to serve in the Center full time. In particular, the Attorney
General and the Information Technology Association of America
(ITAA) announced in April that the ITAA would detail personnel
to the NIPC as part of a "Cybercitizens Partnership"
between the government and the information technology (IT)
industry. Information technology industry representatives
serving in the NIPC would enhance our technical expertise
and our understanding of the information and communications
infrastructure.
NIPC Activities
The NIPC's operations can be divided into three categories:
protection, detection, and response.
Protection
Our role in protecting infrastructures against cyber intrusions
is not to advise the private sector on what hardware or software
to use or to act as their systems administrator. Rather, our
role is to provide information about threats, ongoing incidents,
and exploited vulnerabilities so that government and private
sector system administrators can take the appropriate protective
measures. The NIPC is developing a variety of products to
inform the private sector and other government agencies of
threats, including: warnings, alerts, and advisories; the
Infrastructure Protection Digest; Critical Infrastructure
Developments; CyberNotes; and topical electronic
reports. These products are designed for tiered distribution
to both government and private sector entities consistent
with applicable law and the need to protect intelligence sources
and methods, and law enforcement investigations. For example,
the Infrastructure Protection Digest is a quarterly
publication providing analyses and information on critical
infrastructure issues. The Digest provides analytical
insights into major trends and events affecting the nation's
critical infrastructures. It is usually published in both
classified and unclassified formats and reaches national security
and civilian government agency officials as well as infrastructure
owners. Critical Infrastructure Developments is distributed
bi-weekly to private sector entities. It contains analyses
of recent trends, incidents, or events concerning critical
infrastructure protection. CyberNotes is another NIPC
publication designed to provide security and information system
professionals with timely information on cyber vulnerabilities,
hacker exploit scripts, hacker trends, virus information,
and critical infrastructure-related best practices. It is
published twice a month on our website and disseminated in
hard copy to government and private sector audiences.
The NIPC, in conjunction with the private sector, has also
developed an initiative called "InfraGard" to expand
direct contacts with the private sector infrastructure owners
and operators and to share information about cyber intrusions
and exploited vulnerabilities, with the goal of increasing
protection of critical infrastructures. The initiative encourages
the exchange of information by government and private sector
members through the formation of local InfraGard chapters
within the jurisdiction of each of the 56 FBI Field Offices.
The initiative includes an intrusion alert network using encrypted
e-mail, a secure website and local chapter activities. A critical
component of InfraGard is the ability of industry to provide
information on intrusions to the NIPC and the local FBI Field
Office using secure communications in both a detailed and
a "sanitized" format. The local FBI Field Offices
can, if appropriate, use the detailed version to initiate
an investigation, while the NIPC can analyze that information
in conjunction with law enforcement, intelligence, open source,
or other industry information to determine if the intrusion
is part of a broader attack on numerous sites. The NIPC can
simultaneously use the sanitized version to inform
other members of the intrusion without compromising the confidentiality
of the reporting company. InfraGard also provides us with
a regular, secure method of providing additional security-related
information to the private sector, based on information
we obtained from law enforcement investigations and other
sources. InfraGard has recently been expanded to a total of
21 FBI Field Offices. The program will be expanded to the
rest of the country later this year.
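The two-format reporting described above (a detailed version for the local Field Office, a sanitized version for other InfraGard members) is illustrated here with an added Python example. This is not NIPC or InfraGard code and the report fields, organisation names and addresses are constructed assumptions; the point it shows is that the sanitized form keeps the indicators other members need (attacker addresses, technique, sector) while the reporting company's identity and internal hosts are removed, and that the removal is checked rather than assumed.

```python
import json
from dataclasses import dataclass


@dataclass
class IntrusionReport:
    """Detailed report as a member would send it to the local Field Office.
    Field names are assumptions for this example."""
    reporting_org: str
    contact: str
    sector: str
    affected_hosts: list   # victim-side hosts, must not leave the detailed version
    source_ips: list       # attacker-side indicators, safe to share
    technique: str
    observed: str          # date of observation


def sanitize(report: IntrusionReport) -> dict:
    """Build the sanitized version for wider distribution.
    Only attacker-side indicators and aggregate facts survive."""
    return {
        "sector": report.sector,
        "affected_host_count": len(report.affected_hosts),
        "source_ips": sorted(set(report.source_ips)),
        "technique": report.technique,
        "observed": report.observed,
    }


def leaks_identity(sanitized: dict, report: IntrusionReport) -> list:
    """Verify the sanitized version: return any reporter identifier or
    internal host that still appears anywhere in the sharable text."""
    blob = json.dumps(sanitized)
    protected = [report.reporting_org, report.contact] + list(report.affected_hosts)
    return [value for value in protected if value in blob]


# Constructed sample report (names and addresses are invented placeholders).
REPORT = IntrusionReport(
    reporting_org="Example Power Co.",
    contact="noc@example-power.invalid",
    sector="electric power",
    affected_hosts=["10.20.5.14", "10.20.5.27"],
    source_ips=["203.0.113.7", "203.0.113.7", "198.51.100.9"],
    technique="scan followed by login attempts on a management interface",
    observed="1999-09-20",
)

if __name__ == "__main__":
    shared = sanitize(REPORT)
    print(json.dumps(shared, indent=2))
    print("leaks:", leaks_identity(shared, REPORT))
```

The detailed object itself is what the Field Office would receive; the sanitized dictionary is what goes to other members. Running leaks_identity on every sanitized product before release is the cheap check that keeps the confidentiality promise the program rests on.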
Under PDD-63, the NIPC also serves as the U.S. government's
"Lead Agency" for the Emergency Law Enforcement
Services Sector. As Sector Liaison for law enforcement, the
NIPC and a "Sector Coordinator" committee representing
state and local law enforcement are formulating a plan to
reduce the vulnerabilities of state and local law enforcement
to cyber attack and are developing methods and procedures
to share information within the sector. The NIPC and the FBI
Field Offices are also working with the State and local law
enforcement agencies to raise awareness with regard to vulnerabilities
in this sector.
Detection
Given the ubiquitous vulnerabilities in existing Commercial
Off-the-Shelf (COTS) software, intrusions into critical systems
are inevitable for the foreseeable future. Thus, detection
of these intrusions is critical if the U.S. Government and
critical infrastructure owners and operators are going to
be able to respond. To improve our detection capabilities,
we first need to ensure that we are fully collecting, sharing,
and analyzing all extant information from all relevant sources.
It is often the case that intrusions can be discerned simply
by collecting bits of information from various sources; conversely,
if we don't collate these pieces of information for analysis,
we might not detect the intrusions at all. Thus the NIPC's
role in collecting information from all sources and performing
analysis in itself aids the role of detection.
The NIPC is currently concentrating on developing and implementing
reliable mechanisms for receiving, processing, analyzing and
storing information provided by government and private sector
entities. This information is being used by NIPC analysts
to develop tactical and strategic warning indicators of cyber
threats and attacks. The NIPC and North American Energy Reliability
Council (NERC) have established an industry-based Electric
Power Working Group to develop tactical warning indicators
and information sharing procedures for the electric power
sector. The NIPC also has developed mechanisms to share cyber
incident information with both government agencies and private
companies in the telecommunications sector. In the long-term,
our indications and warning efforts will require participation
by the Intelligence Community, DoD, the sector lead agencies,
other government agencies, federal, State and local law enforcement,
and the private sector owners and operators of the infrastructures.
Another initiative that will aid in the detection of network
intrusions is the "Federal Intrusion Detection Network"
("FIDNet"), a National Security Council initiative
that would be managed by the General Services Administration.
Many agencies already have their own intrusion detection systems.
FIDNet will enhance agencies' cyber security by linking their
intrusion detection systems together so that suspicious patterns
of activity can be detected and alerts issued across agencies.
The goal of FIDNet is to detect intrusions in the federal
civilian agencies' critical computer systems. (Contrary to
recent press reports, FIDNet will not extend to private sector
systems.) To do this, critical network event data will be
captured and analyzed so that patterns can be established
and, in the event of an attack, warnings issued. FIDNet will
be the civilian agency counterpart for the automated detection
system currently deployed across Department of Defense systems.
FIDNet, under current plans, will consist of the following:
sensors at key network nodes; a centrally managed GSA facility,
the Federal Intrusion Detection Analysis Center (FIDAC), to
analyze the technical data from the nodes; and secure storage
and dissemination of collected information. The NIPC will
receive reports from the FIDAC when there is evidence of a
possible federal crime (such as a violation of 18 U.S.C. §1030).
Using all-source information, the Center would then analyze
intrusions and other significant incidents to implement response
efforts and support and inform national security decision-makers.
FIDNet-derived information would also be combined with all-source
reporting available to the NIPC to produce analysis and warning
products which will be distributed to government, private
sector companies, and the public, as appropriate.
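The detection principle stated above, that an intrusion can be discerned by collating pieces of information that no single source would flag, and the FIDNet design of linking agencies' sensors so that patterns can be detected across them, are illustrated with an added Python example. It is not FIDNet or NIPC code; the agency names, alert records and thresholds are constructed assumptions. It contrasts what one agency sees in its own alerts with what a cross-agency correlation over the same records reveals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert records standing in for sensor output from several
# agencies' intrusion detection systems (values are invented placeholders).
EVENTS = [
    {"agency": "Agency-A", "ts": "1999-09-20T02:10:00", "src": "203.0.113.7", "sig": "portscan"},
    {"agency": "Agency-B", "ts": "1999-09-20T02:25:00", "src": "203.0.113.7", "sig": "portscan"},
    {"agency": "Agency-C", "ts": "1999-09-20T03:05:00", "src": "203.0.113.7", "sig": "portscan"},
    {"agency": "Agency-A", "ts": "1999-09-20T04:00:00", "src": "198.51.100.9", "sig": "portscan"},
    {"agency": "Agency-A", "ts": "1999-09-20T04:30:00", "src": "198.51.100.9", "sig": "portscan"},
    {"agency": "Agency-B", "ts": "1999-09-22T09:00:00", "src": "192.0.2.44", "sig": "portscan"},
    {"agency": "Agency-C", "ts": "1999-09-25T09:00:00", "src": "192.0.2.44", "sig": "portscan"},
]


def local_view(events, agency, min_events=2):
    """What a single agency can conclude from its own alerts alone:
    sources that tripped at least min_events of that agency's sensors."""
    counts = defaultdict(int)
    for e in events:
        if e["agency"] == agency:
            counts[e["src"]] += 1
    return {src for src, n in counts.items() if n >= min_events}


def cross_agency_correlation(events, min_agencies=3, window=timedelta(hours=24)):
    """Pool alerts from all agencies and flag a source seen by at least
    min_agencies distinct agencies inside a sliding time window.
    Returns {source: sorted list of agencies that observed it}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["agency"]))
    flagged = {}
    for src, observations in by_src.items():
        observations.sort()
        for start, _ in observations:
            agencies = {a for t, a in observations if start <= t <= start + window}
            if len(agencies) >= min_agencies:
                flagged[src] = sorted(agencies)
                break
    return flagged


if __name__ == "__main__":
    for agency in ("Agency-A", "Agency-B", "Agency-C"):
        print(agency, "sees:", local_view(EVENTS, agency) or "nothing notable")
    print("pooled view flags:", cross_agency_correlation(EVENTS))
```

In the sample data, 203.0.113.7 touches each agency only once, so every local view is silent about it, while the pooled view flags it as one activity spanning three agencies within an hour. The window matters: the same source seen at three agencies days apart is a weaker signal, which is why the correlation takes a window parameter rather than counting agencies over all time.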
Response
The NIPC's and the FBI's role in response principally consists
of investigating intrusions to identify the responsible party
and issuing warnings to affected entities so that they can
take appropriate protective steps. As discussed earlier, in
the cyber world, determining what is happening during a suspected
intrusion is difficult, particularly in the early stages.
An incident could be a system probe to find vulnerabilities
or entry points, an intrusion to steal or alter data or plant
sniffers or malicious code, or an attack to disrupt or deny
service. The cyber crime scene is totally different from a
crime scene in the physical world in that it is dynamic --
it grows, contracts, and can change shape. Determining whether
an intrusion is even occurring can often be difficult in the
cyber world, and usually a determination cannot be made until
after an investigation is initiated. In the physical world,
by contrast, one can see instantly if a building has been
bombed or an airliner brought down.
Further, the tools used to perpetrate a cyber terrorist attack
can be the same ones used for other cyber intrusions (simple
hacking, foreign intelligence gathering, organized crime activity
to steal data, etc.), making identification and attribution
more difficult. The perpetrators could be teenagers, criminal
hackers, electronic protestors, terrorists, foreign intelligence
services, or foreign military. In order to attribute an attack,
FBI Field Offices can gather information from within the United
States using either criminal investigative or foreign counter-intelligence
authorities, depending on the circumstances. This information
is necessary not only to identify the perpetrator but also
to determine the size and nature of the intrusion: how many
systems are affected, what techniques are being used, and
what the purpose of the intrusions is--disruption, espionage,
theft of money, etc.
Relevant information also could come from the U.S. Intelligence
Community (if the attack is from a foreign source), other
U.S. government agency information, state and local law enforcement,
private sector contacts, the media, other open sources, or
foreign law enforcement contacts. The NIPC's role is to coordinate
and collect this information.
On the warning side, if we determine an intrusion is imminent
or underway, the Watch and Warning Unit is responsible for
formulating warnings, alerts, or advisories and quickly disseminating
them to all appropriate parties. If we determine an attack
is underway, we can issue warnings using an array of mechanisms,
and send out sanitized and unsanitized warnings to the appropriate
parties in the government and the private sector so they can
take immediate protective steps. The Center has issued 22
warnings, alerts, or advisories between January 4 and September
22, 1999.
Two other NIPC initiatives are directed to improving our response
capabilities. First, to respond appropriately, our field investigators
need the proper training. Training FBI and other agencies'
investigators is critical if we hope to keep pace with the
rapidly changing technology and be able to respond quickly
and effectively to computer intrusions. The NIPC has been
very active in training. These training efforts will help
keep us at the cutting edge of law enforcement and national
security in the 21st Century. The Center provided training
to 314 attendees in FY 1998. In FY 99, over 383 FBI Agents,
state and local law enforcement representatives, and representatives
from other government agencies have taken FBI-sponsored courses
on computer intrusions and network analysis, the workings
of the energy and telecommunications key assets, and other
relevant topics.
Second, our Key Asset Initiative (KAI) facilitates response
to threats and intrusion incidents by building liaison and
communication links with the owners and operators of individual
companies in the critical infrastructure sectors and enabling
contingency planning. The KAI began in the 1980s and focused
on physical vulnerabilities to terrorism. Under the NIPC,
the KAI has been reinvigorated and expanded to focus on cyber
vulnerabilities as well. The KAI initially will involve determining
which assets are key within the jurisdiction of each FBI Field
Office and obtaining 24-hour points of contact at each asset
in cases of emergency. Eventually, if future resources permit,
the initiative will include the development of contingency
plans to respond to attacks on each asset, exercises to test
response plans, and modeling to determine the effects of an
attack on particular assets. FBI Field Offices will be responsible
for developing a list of the assets within their respective
jurisdictions, while the NIPC will maintain the national database.
The KAI is being developed in coordination with DOD and other
agencies.
Conclusion
While the NIPC has accomplished much over the last year in
building the first national-level operational capability to
respond to cyber intrusions, much work remains. We have learned
from cases that successful network investigation is highly
dependent on expert investigators and analysts, with state
of the art equipment and training. We have begun to build
that capability both in the FBI Field Offices and at NIPC
Headquarters, but we have much work ahead if we are to build
our resources and capability to keep pace with the changing
technology and growing threat environment and be capable of
responding to several major incidents at once.
We have also demonstrated how much can be accomplished when
agencies work together, share information, and coordinate
their activities as much as legally permissible. But on this
score, too, more can be done to achieve the interagency and
public-private partnerships called for by PDD-63. We need
to ensure that all relevant agencies are sharing information
about threats and incidents with the NIPC and devoting personnel
and other resources to the Center so that we can continue
to build a truly interagency, "national" center.
Finally, we must work with Congress to make sure that policy
makers understand the threats we face in the Information Age
and what measures are necessary to secure our Nation against
them. I look forward to working with the Members and Staff
of this Committee to address these vitally important issues.
Thank you.
1 The Lead Agencies are: Commerce
for information and communications; Treasury for banking and
finance; EPA for water supply; Transportation for aviation,
highways, mass transit, pipelines, rail, and waterborne commerce;
Justice/FBI for emergency law enforcement services; Federal
Emergency Management Agency for emergency fire service and
continuity of government; Health and Human Services for public
health services. The Lead Agencies for special functions are:
State for foreign affairs, CIA for intelligence, Defense for
national defense, and Justice/FBI for law enforcement and
internal security. The NIPC is performing the lead agency
and special functions roles specified for "Justice/FBI"
in the PDD.