Thank
you. I want to spend a few moments thanking Paul [McNulty, U.S.
Attorney for the Eastern District of Virginia] for putting this
together. I think it is important that we have meetings such as
this. I see a number of people who have done other things in their
lives and now come to talk about cyber-crime, which is an important
development in law enforcement. You understand that this is the
wave of the future and understand that in the future, to address
crime, we will have to look at it from the perspective of the
cyber-world.
I want
to say that -- it's in my written remarks, so I have to say
it: "It is also a pleasure to follow an old friend, Paul
McNulty, to this podium." That's true.
"The
U.S. Attorney's Office that Paul runs in the Eastern District
of Virginia is one of the finest in the country." That
is also true.
But what
is most striking about my written notes is that it says: "It's
almost as good as the United States Attorney's Office that we
had in the Northern District of California" -- which is
where I was for a number of years.
I will
tell you that when I served as U.S. Attorney in San Francisco,
I worked with many of your companies. And many of those companies
were a part of ITAA. And I want to say that this association
represents many of the most important and I would say most vibrant
companies in the United States today. That's actually underscored
by the fact that there is something like $800 billion in revenue
in the year 2001 attributable to ITAA member companies. That
is truly remarkable, and it says something not only about our
economy today, but about our economy in the future.
I want
to talk a little bit about San Francisco and what we did in
San Francisco, because I think it has become, with Marty [Stansell-Gamm,
Chief, Department of Justice Computer Crime and Intellectual
Property Section] -- who is up here -- and with Paul and with
other U.S. Attorneys around the country, a way of doing things.
We started a unit in San Francisco that was set up exclusively
to prosecute computer crimes and intellectual property crimes.
While I was out there, I saw a necessity to staff that unit
with individuals who were both talented prosecutors and who
understood and could work with the technology. And whether it
is computer crimes cases, or hacking and denial of service cases,
or the intellectual property cases, you need that combination.
We were very lucky, particularly in the San Jose area, to have
had a strike force that addressed computer crimes, established
by the police chief and the district attorney there. What I
wanted to do in San Francisco was to complement that state and
local law enforcement network with FBI agents and with the prosecutors
that would have the expertise in that area. Since that time,
across the country, there have been a number of similar units
set up, which I believe is the way to go.
I particularly
want to talk today about how we relate -- how you in private
industry relate to those units -- and how we can work together
to maximize our cooperation in the future.
Let me
talk at the outset about what I see as the two great threats
to cyber-security and some related problems. First, from our
perspective, there are a number of traditional crimes that have
migrated online: the garden variety frauds, identity theft,
copyright infringement, child pornography and child exploitation.
What has happened, as you all know, is that the powerful technologies
that have done so much to improve the quality of our lives are
also being used by some of the worst elements of our society:
small-time criminals who can take on a whole new persona on
the Internet; malcontents who can find like-minded hate groups;
and scam artists who think they can escape detection in the
anonymity of the Web.
Our projections
indicate that the number of Internet-enabled crimes will increase
radically over the next few years, with the potential for driving
down consumer confidence in Internet security and stunting the
growth of e-commerce, neither of which we can afford.
The second
problem is the evolution of a new category of crime that includes
computer intrusions, the denial-of-service attacks, the worms,
the viruses and the like. We saw an example of that just last
week with the attacks against the root servers on the Internet.
These types of attacks, quite obviously, did not exist in the
days before computers, but they are something that we must address.
In response
to these problems, we are reshaping the FBI -- and reshaping
it in a number of ways. We're reshaping the bureau to focus
hard on terrorism, which is our number-one priority, and to
focus on counter-intelligence, our second priority, because
there is no other agency with the skills and network to do it.
Our third
priority is cyber crime, and there are a number of reasons why.
It is our responsibility ultimately, we believe, to protect
the technological infrastructure of the United States. If we
do not do it, who else will?
We are working closely and cooperatively with the Secret Service,
but it is important for the FBI as an institution to recognize
that five, ten years down the road, we must have the expertise
to address cyber-attacks on our infrastructure and to address
cyber-crime in all of its iterations. We must prepare and get
that expertise now. That is why, when we sent out our list of
priorities in the wake of September 11, cyber crime was one
of our top three priorities.
For us
that means doing a number of things.
In the
past, we had organizationally fragmented our responsibilities
in a number of different divisions at headquarters and in a
number of different units in the field. Since September 11,
we have consolidated those strands within our organization in
a new cyber division, and we are in the process of similarly
consolidating these responsibilities in each of our field offices.
We hope by doing so to accumulate the expertise -- the investigative
expertise, along with the expertise of prosecutors -- to work
with our state and locals in discrete units, so that all players
will know where to go, whether at headquarters or in the field.
The second
thing we have done is to change our hiring philosophy. The minimum
age at which we will hire is 23: we are looking for people who
have had other careers and who have the judgment and maturity
to hold a badge and carry a gun. Now, in the past we have looked
at hiring in basically four categories--lawyers, accountants,
former law enforcement, and former military. But what we are
looking for now are individuals with specific and different
skills.
In the
wake of September 11, for instance, we are looking for computer
programmers. We are looking for IT specialists who have had
some other career and who want to be FBI agents. We are also
looking for language specialists, engineers, and scientists
who can assist with things like the anthrax investigation. Bottom
line: we want to bring in new types of agents, with expanded
brands of experience.
It is
important for us, in developing these IT capabilities, to ensure
that we get quality people who have that bedrock experience
so that they start with a profound understanding of the computer
world. Then we can teach them the techniques that are so necessary
to becoming a good investigator.
The third
area in which we are doing a better job is in working cooperatively
with others at the federal level as well as the state and local
level. That takes many forms. For example, we have formed joint
teams to address cyber-crime with the Secret Service in three
cities around the country. By combining our capabilities with
Secret Service capabilities, we can work cooperatively on the
federal level to maximize our effect.
As another example, we have established regional computer forensics
laboratories in several cities, starting in San Diego. Many
of you know about this. The individuals who put that concept
together had, I think, a remarkable idea. They understood that
when you take a hard drive out of a doper's computer or from
some person who has committed some sort of Ponzi scheme, you
have to analyze it. You have to download the information. And
then you have to be prepared to go to court and testify as to
what you have found. So by combining, in these forensics laboratories,
state and local and federal experts, an interchange of ideas
occurs and requirements and standards begin to be commonly developed
that enable us to go into a court room and testify with expertise
and credibility.
We are
establishing these laboratories around the country--and not
just at the FBI, but also at Secret Service, Customs, INS, and
with state and local authorities. These are the wave of the
future and enable us to work together with state and local law
enforcement in ways that we have not done in the past.
One last
example on how we are working cooperatively.
It is
important for us as an agency, as an organization, to understand
that while we bring substantial investigative and organizational
talents to the table, there are other agencies, whether at the
federal, state or local level, who bring to the table equal
talents and capabilities. The challenge for us in the future
is to fully understand the strengths we bring to the table,
but not to overwhelm others who bring equally important skills
there.
Take the
cooperative effort involved in the recent sniper investigation
with [Assistant Director in Charge of the FBI Washington Field
Office] Van Harp and [Special Assistant in Charge of the Baltimore
Field Office] Gary Bald, with state and local officers, with
Chief Moose, and with all other involved parties. While there
was some low level grousing, the fact of the matter is that
it worked -- that cooperative effort maximized the talents of
many agencies and resulted in a successful conclusion.
And that
is the way we, as an agency, have to work in the future, whether
it be sniper attacks, whether it be in addressing counter- terrorism
threats or in the cyber-arena. And to the extent that we expand
as an agency, we should expand understanding that we want to
complement others in the law enforcement community.
The last
point I would like to discuss this morning, as I said, is how
we -- the private sector and law enforcement -- can work together
better. And by that I mean it is critically important for us
to work with private industry in ways that we do not work with
other, quote, "victims."
There
are number of reasons for this. We lack the expertise in particular
areas, for instance, and we need your help in that.
As we
address cyber crimes -- whether it be denial-of-service attacks,
hacking attacks or worms or the like -- we need to work with
you, share with you, get your expertise, and be attentive to
your practical concerns. You who are here from the corporate
world are the real victims in these cases. And it is important
for us, as we found out in San Francisco, to understand your
very real concerns about being identified as victim companies.
We have to understand that when we are called into an investigation,
the mere fact of you calling on us can adversely impact the
image of your company.
We have
to understand in law enforcement that there may be privacy concerns
that you need to protect in order to protect the image of your
company.
We have
to understand that if we put on raid jackets and come in with
a lot of publicity, that will not help us do the job. I think
the FBI has learned that you do not want us there in raid jackets;
you want us there quietly. You want to have discussions about
the problem. You want to discuss how we can initiate the logs
that may be needed to identify the perpetrator. And you want
us to understand, and we need to understand, your concerns regarding
your intellectual property -- that if a particular case ever
goes to court and there is a problem about publicizing what
happened in it, that might open to the public those items that
are important to your profit margins.
We have
to understand all that.
And we
are beginning to understand, but we still need to work through
the incidents and issues with you. I am confident that when
we have those issues, there are mechanisms, for instance protective
orders, to protect the things you think need to be protected.
I am confident that we can do this in a low-key fashion, and
that we can work with you -- the victims -- to reach some resolution.
Let me
specifically address the subject of you reporting to us cyber
attacks on your computer systems. We probably get one-third
of the reports that we would like to get, probably for all the
reasons I have just discussed. But for us, you are not enabling
us to do the job we need to do.
If we
as an agency are to become more predictive in the future and
prevent attacks from happening, we need a comprehensive database
that pulls in -- and I understand part of the dialogue this
afternoon is to see how we can better communicate -- that pulls
in all those instances where your infrastructure has been attacked.
So our bedrock need at the outset is to be notified of all attacks.
I encourage you to discuss this afternoon, and to discuss with
the special agent in charge in your area, how these attacks
can be reported in such a way that the reporting does not adversely
affect your industry.
The other
side of this coin, of course, is that there has to be a sanction
on the attackers. You want attacks stopped; you want hackers
stopped; you don't want to face this down the road; so you put
up the best possible protection. But then the attacker will
just wander down the street and hit the next company, and that's
not good for the industry, and it is not good for your friends
and peers in the industry. There has to be a sanction. And the
sanction is locking up these people -- putting the cuffs on
them.
So the future of cyber cases is not just protecting your systems.
If there are people out there who are going to be hitting company
after company after company, it is important that we go after
them. The sanction has to be arresting them. And in the future
we need you as the victim companies to help provide us with
the information that will enable us to do that.
One of
the things that the FBI must do better than we have in the past
is to address the international dimensions of these attacks.
We are now beefing up our international capabilities, because
denial-of-service attacks or hacking attacks can start in Bulgaria
and hit us in the United States.
Any one
individual company cannot address this problem. But we can.
We can do that with our contacts, with our 45 legal attache
offices overseas, where we have established the contacts that
will enable us to address that kind of conduct. But we need
your reporting at the outset to be able to trace the attacker.
About
a month and a half ago, when I was in Germany, my legal attache
there told me of an instance where an attack began in the German
telephone system and maybe from one of the German ISPs. Because
we were there and had developed relationships with a German
telephone company and the spinoff ISPs, we were invited to go
over with our experts to help them understand what had happened
in this series of attacks.
That is
the kind of relationship that is very important for us to develop.
In the future, these will serve as a foundation for other cases
down the road. It is that kind of international cooperation
that will stand us all in good stead.
The core
law enforcement value in all of this is the cooperative effort
among law enforcement entities at every one of the levels, the
cooperative efforts between law enforcement entities within
the United States and with our counterparts overseas, and, critically,
the cooperative efforts between private industry and law enforcement
-- us and you.
Symposia
like this today enable us to discuss issues, to come up with
solutions, and to establish the relationships that will help
us address these problems in the future. I thank you for your
attention this morning, and I look forward to our continuing
dialogue.