[Senate Hearing 106-600]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 106-600
 
                               CYBERCRIME

=======================================================================

                                HEARING

                                before a

                          SUBCOMMITTEE OF THE

                      COMMITTEE ON APPROPRIATIONS
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                            SPECIAL HEARING

                               __________

         Printed for the use of the Committee on Appropriations




 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 senate

                                 ______


                     U.S. GOVERNMENT PRINTING OFFICE
63-940 CC                    WASHINGTON : 2000
_______________________________________________________________________
            For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 
                                 20402



                     COMMITTEE ON APPROPRIATIONS

                     TED STEVENS, Alaska, Chairman
THAD COCHRAN, Mississippi            ROBERT C. BYRD, West Virginia
ARLEN SPECTER, Pennsylvania          DANIEL K. INOUYE, Hawaii
PETE V. DOMENICI, New Mexico         ERNEST F. HOLLINGS, South Carolina
CHRISTOPHER S. BOND, Missouri        PATRICK J. LEAHY, Vermont
SLADE GORTON, Washington             FRANK R. LAUTENBERG, New Jersey
MITCH McCONNELL, Kentucky            TOM HARKIN, Iowa
CONRAD BURNS, Montana                BARBARA A. MIKULSKI, Maryland
RICHARD C. SHELBY, Alabama           HARRY REID, Nevada
JUDD GREGG, New Hampshire            HERB KOHL, Wisconsin
ROBERT F. BENNETT, Utah              PATTY MURRAY, Washington
BEN NIGHTHORSE CAMPBELL, Colorado    BYRON L. DORGAN, North Dakota
LARRY CRAIG, Idaho                   DIANNE FEINSTEIN, California
KAY BAILEY HUTCHISON, Texas          RICHARD J. DURBIN, Illinois
JON KYL, Arizona
                   Steven J. Cortese, Staff Director
                 Lisa Sutherland, Deputy Staff Director
               James H. English, Minority Staff Director
                                 ------                                

   Subcommittee on Commerce, Justice, and State, the Judiciary, and 
                            Related Agencies

                  JUDD GREGG, New Hampshire, Chairman
TED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina
PETE V. DOMENICI, New Mexico         DANIEL K. INOUYE, Hawaii
MITCH McCONNELL, Kentucky            FRANK R. LAUTENBERG, New Jersey
KAY BAILEY HUTCHISON, Texas          BARBARA A. MIKULSKI, Maryland
BEN NIGHTHORSE CAMPBELL, Colorado    PATRICK J. LEAHY, Vermont
                                     ROBERT C. BYRD, West Virginia
                                       (ex officio)
                           Professional Staff
                              Jim Morhard
                             Kevin Linskey
                               Paddy Link
                               Dana Quam
                              Clayton Heil
                         Lila Helms (Minority)
                     Sonia King (Minority)


                           C O N T E N T S

                              ----------                              

                            GOVERNMENT PANEL

                                                                   Page

Opening remarks of Senator Gregg.................................     1
Prepared statement of Senator Patrick J. Leahy...................     5
Statement of Hon. Janet Reno, Attorney General, Department of 
  Justice........................................................     7
Federal law enforcement response to computer crime...............     7
Building a strong partnership....................................     8
Appropriations needs.............................................     9
Prepared statement of Janet Reno.................................     9
Statement of Hon. Louis J. Freeh, Director, Federal Bureau of 
  Investigation, Department of Justice...........................    14
Need for cooperation.............................................    14
Changing technology challenges...................................    15
Denial of service cases..........................................    15
Cybercrime and computer intrusion threats........................    17
Innocent Images..................................................    18
Terrorist and foreign threats strategy...........................    18
Cybercrime fighting strategies...................................    18
National Infrastructure Protection Center........................    19
International cooperation........................................    20
Building prosecutorial experts...................................    20
Partnership with industry and academia...........................    21
Building forensic and technical capabilities.....................    21
Counterencryption................................................    22
Developing computer ethics.......................................    22
Prepared statement of Louis J. Freeh.............................    23
Cybercrime threats faced by law enforcement......................    23
Challenges to law enforcement in investigating cybercrime........    27
FBI cybercrime investigation capabilities........................    31
Improving FBI cybercrime capabilities............................    34
Statement of Hon. William A. Reinsch, Under Secretary of 
  Commerce, Export Administration, Department of Commerce........    37
    Prepared statement...........................................    39
Additional statutory authority requirements......................    40
Private sector versus Federal Government role....................    41
Coordination among Federal agencies..............................    42
FBI lead agency roles............................................    43
Coordination of law enforcement..................................    43
National Information Protection Center [NIPC]....................    44
Role of the National Security Council............................    44
Critical Infrastructure Assurance Office.........................    46
Institute for Information Infrastructure Protection..............    46
Law enforcement outreach to e-commerce industry..................    48
FBI relationships with private sector............................    49
Need for uniform standards.......................................    50

                             INDUSTRY PANEL

Statement of Robert Chesnut, Associate General Counsel, eBay.....    53
    Prepared statement...........................................    57
Statement of Jeff B. Richards, Executive Director, Internet 
  Alliance.......................................................    58
    Prepared statement...........................................    61
Statement of Mark Rasch, Vice President, Cyberlaw, Global 
  Integrity Corp.................................................    66
    Prepared statement......................................72

                               (iii) deg.


                               CYBERCRIME

                              ----------                              


                      WEDNESDAY, FEBRUARY 16, 2000

                           U.S. Senate,    
    Subcommittee on Commerce, Justice, and 
                                     State,
               the Judiciary, and Related Agencies,
                               Committee on Appropriations,
                                                    Washington, DC.
    The subcommittee met at 10 a.m., in room SD-192, Dirksen 
Senate Office Building, Hon. Judd Gregg (chairman) presiding.
    Present: Senators Gregg and Leahy.

                            GOVERNMENT PANEL


                    opening remarks of senator gregg


    Senator Gregg. Ladies and gentlemen, I will call the 
hearing to order. Let me thank the Attorney General for her 
courtesy in coming today and the Director of the FBI for his 
courtesy on short notice in coming. We also have the Under 
Secretary of Commerce Bill Reinsch, who depending on the way 
the hearing goes, we may like to hear from him, also. In fact, 
I think we probably will. He is a participant.
    This hearing is really a continuum of a number of hearings 
which this committee has had in the area of cybercrime and 
cyberterrorism. In fact, it was as a result of this committee's 
efforts that we initiated a fairly significant effort at the 
suggestion of the FBI and the Justice Department in the area of 
illegal activity on the Internet involving child pornography 
and traveler cases. That has also been followed by a very 
significant effort in this committee, which again was initiated 
by myself and Senator Hollings and members of the committee, in 
the area of cyberterrorism, where we have attempted to fund 
aggressively initiatives within the Justice Department, and the 
FBI specifically, to try to fight cyberterrorism.
    As a result of last week's hacker attacks on major 
commercial sites, it seemed appropriate to hold a hearing to 
discuss further what the role of government should be in the 
area of security on the Internet and protecting the commerce of 
the country. As a preliminary thought on this matter, it seems 
to me that we as a government must divide the issue. There are 
certain functions of activity within the society which are 
critical to our Nation, certain structures which are essential 
to our ability to function as a cohesive society, such as our 
electric grid, our waterworks in our communities, obviously our 
banking system, and obviously our national defense.
    In those areas, the Government has a priority role in 
making sure that these infrastructure and national defense 
capabilities are protected and maintained and that the security 
of those infrastructures are aggressively defended. However, 
when we get into the area of commercial activity, whether it is 
selling books or auctioning items, the role of the government, 
I think, is probably significantly different. That is an area 
where clearly the commercial community has the first obligation 
of protecting and securing their sites and making sure that 
they give their customers the access that they need. And the 
government's role here must be limited because there is the 
potential, obviously, for abuse.
    But as a corollary to that, the government does have a 
role, and when a crime occurs, the private sector cannot 
prosecute a crime. It is a crime to interfere with commerce at 
a number of different levels and, therefore, the government's 
participation in protecting the Internet is significant, but as 
I said, it depends on the area of the Internet, the area of the 
activity as to the level of government involvement.
    So this hearing today is to discuss that second issue 
primarily of what happens when commercial sites are put at risk 
because of hacker attacks on those sites. There are a number of 
areas that I want to go into. First, I hope and suspect we will 
be getting a report from the FBI and the Attorney General on 
the status of the present investigation.
    Second, we need to know whether or not the Justice 
Department and the FBI feel there are adequate laws on the 
books to address the issues which are raised by these 
questions.
    Third, we need to address the question of coordination. By 
my count, we have at least five or six different major agencies 
and a number of lesser agencies involved in the issue of 
cyberactivity and security. We have the Commerce Department and 
the National Security Council which have been given recently 
the portfolio by the President to begin a process and in this 
budget made a budget request for that purpose.
    We have the FBI, of course, which has a number of different 
functions in this area including Computer Analysis Resource 
Response Teams, the CART teams, which we funded, and the 
National Infrastructure Protection Center, which again we 
funded and which there is an additional request for. We have 
the NIST [National Institute of Standards and Technology] 
activities, which is an agency of the Commerce Department, 
which has its own Institute for Information Infrastructure 
Protection. We have the Defense Department functioning through 
DARPA [Defense Advanced Research Projects Agency], which has 
farmed out its activities in this area to the Carnegie Mellon 
Institute which has up and running a very strong program called 
CERT, which is a Computer Emergency Response Team.
    I learned today in reading the newspaper that the CIA has 
an initiative. That is the best way to learn what the CIA has 
as initiatives is to read the newspaper. It being a secret 
agency, it does not inform us, but we do get to read about it.
    So there are obviously a lot of different initiatives in 
this area. What I am interested in is, where is the 
coordination? Is there adequate coordination? Is there overlap? 
If there is overlap, how do we make sure everybody is working 
off the same page rather than singing different songs and 
possibly being off tune?
    Fourth, after the coordination issue, we need to address 
the resource issue. This is a critical issue. It is an issue 
which this committee has a special attention to. We have tried 
to address it in the past. This really goes to personnel 
because we understand that keeping the type of people you need 
to keep in order to fight the hacker means you are going to 
have to be hiring people who are extraordinarily highly 
qualified and who have a tremendous market value.
    Now, 2 years ago, this committee recognized that problem 
and bifurcated the wage and salary system within the FBI so 
that the FBI had the capacity and has the capacity to go out 
and hire people who have technology capability at a much higher 
level of pay than what would have been the traditional 
reimbursement process. I hope we will find out today whether 
that is working; whether we can get those folks; whether we do 
have the resources necessary; and whether we can keep those 
people in light of the tremendous demand for this type of 
talent in the private sector. So that is another topic.
    That is an outline of what I hope this hearing will go 
into. Obviously, we would be interested in the initiatives 
coming from the administration, and we would want to get your 
thoughts on that also. So having made that statement, I will 
turn to Senator Leahy. I understand Senator Hollings is not 
going to be able to make the hearing. Senator Leahy has a great 
amount of interest in this area and also serves on the 
Judiciary Committee which has primary authorizing jurisdiction.
    Senator Leahy. Thank you, Mr. Chairman, and I want to 
commend you for holding this hearing. You and I come from 
States where we guard our privacy. Well, you ease up on it a 
little bit every 4 years but the rest of the time, we----
    Senator Gregg. But we make mistakes.
    Senator Leahy. And I chuckled when I heard your comment 
about reading in the paper on the CIA. I give high marks to the 
current Director for keeping us informed, but I recall a former 
Director once when in the fourth time in about 2 weeks he came 
up here to tell us about a matter that he was supposed to 
notify the Congress about and each time had not and then each 
time we read about it on the front page of one of the 
newspapers, and he then showed up to tell us about something 
that we had first learned about in the papers, and I said to 
him, Director, I said you really--there is a better way of 
doing this. Instead of sending somebody up here with all these 
briefings, just take the New York Times or the Washington Post 
each day, mark it ``Top Secret,'' and deliver it to us.
    I said we get three advantages. One, we will get the 
information a lot quicker; second, we will get it in far, far 
greater detail than you have ever given it to us, and three, we 
get this wonderful New York Times crossword puzzle.
    He did not find it as funny as some in the audience today, 
but, you know, to be serious about this, whether you work in 
the private sector or in government, you tend to go through all 
these mazes of security checkpoints. Here in the Senate, for 
example, you have the barriers and photo ID cards and metal 
detectors and X-ray scanners. It is all done to protect us from 
terrorists or from those who might victimize us by crime. And 
you find these things now ubiquitous in the private sector, 
too.
    But the irony is every single one of these barriers, these 
physical barriers, can be circumvented because we have wires 
coming into this building or any other building. They support 
the computers and the computer networks that are absolutely 
necessary. We could not communicate. We could not do our work 
without them. And to know how easy it is to go past the normal 
physical barriers--look what happened with the hacker attacks 
last week on e*trade, ZDnet, Daytime, Yahoo!, eBay, Amazon.com, 
and a number of sites we saw during the Christmas time with all 
the sales and the huge spike in e-commerce, but we also know 
what the Achilles heel would be if this commerce turned out to 
be vulnerable to outside attack.
    In our daily lives, we rely on computers. Director Freeh, 
you have been to my home in Vermont. You know we are out in the 
country, and yet here is a place where I do not worry about 
somebody coming in and stealing things, but I am connected to 
all my files in my office in Washington. I like being able to 
work there, but I also like to know there is a certain degree 
of security. The chairman mentioned CERT, the coordination 
center. Well, they have provided some very chilling statistics 
on the vulnerabilities of the Internet and the scope of the 
problem. Over the last decade the number of reported computer 
security incidents grew from 6 in 1988 to more than 8,000 in 
1999, but that does not reveal the scope of the problem.
    According to CERT's most recent annual report, more than 4 
million computer hosts were affected by computer security 
incidents in 1999 alone by damaging computer viruses, names 
like Melissa or Chernobyl, ExploreZip, by other ways that 
remote intruders have found to exploit system vulnerabilities. 
Even before the denial of service attacks last week, CERT 
documented such incidents grew at a rate of around 50 percent 
per year which was greater than the growth of the Internet 
hosts. The Attorney General has visited in Vermont a couple of 
our law enforcement centers that we use to supply the rest of 
the Nation, the alien tracking system, and we were so proud 
when the AG came to visit that. But that has to have security. 
All of these things--we know that life is changing.
    Now I am going after the recess to introduce legislation to 
broaden the scope of the prohibitions relating to computer 
hacking, including a refinement of the definition of what 
constitutes laws and damage caused by an intruder on a computer 
system. My proposal will contain measures to allow our law 
enforcement officers to investigate and assist in international 
hacker cases.
    The President has proposed $37 million in additional 
funding to combat cybercrime in the Department of Justice, $6 
million to develop regional computer forensic labs, $11 million 
to hire 100 more FBI experts, $8 million for U.S. attorneys, 
and we should look very seriously at that. And last, I will put 
my whole statement in the record, Mr. Chairman, but I think we 
ought to listen to one of the best known hackers, now 
legitimate hacker, in the country, what he said yesterday at 
the meeting with the President at the White House. He stated 
that these massive attacks were something that could have been 
done several years ago. So we have to assume that there is a 
whole new generation of ability to attack and get into our 
computer systems, and I think it is a chilling thing, and so, 
Mr. Chairman, I am delighted you are having this, and I will 
stay until I have to get to my other hearing. But I am 
delighted you are doing it.
    [The statement follows:]
             Prepared Statement of Senator Patrick J. Leahy
    Mr. Chairman, I commend you for your leadership in convening this 
hearing.
    Whether we work in the private sector or in government, we 
negotiate daily through a variety of security checkpoints designed to 
protect ourselves from being victimized by crime or targeted by 
terrorists. For instance, Senate buildings like this one use cement 
pillars placed at entrances, photo identification cards, metal 
detectors, x-ray scanners and security guards to protect this physical 
space.
    These security steps and others have become ubiquitous in the 
private sector as well.
    Yet all these physical barriers can be circumvented using the wires 
that run into every building to support the computers and computer 
networks that are the mainstay of how we communicate and do business. 
This plain fact was amply demonstrated by the hacker attacks last week 
on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet 
sites. These attacks raise serious questions about Internet security--
questions that we need to answer to ensure the long-term stability of 
electronic commerce. More importantly, a well-focused and more malign 
cyber-attack on the computer networks that support telecommunications, 
transportation, water supply, banking, electrical power and other 
critical infrastructure systems could wreak havoc on our national 
economy or even jeopardize our national defense.
    The reports of the CERT Coordination Center (formerly called the 
``Computer Emergency Response Team''), which was established in 1988 to 
help the Internet community detect and resolve computer security 
incidents, provide chilling statistics on the vulnerabilities of the 
Internet and the scope of the problem. Over the last decade, the number 
of reported computer security incidents grew from 6 in 1988 to more 
than 8,000 in 1999. But that alone does not reveal the scope of the 
problem. According to CERT's most recent annual report, more than four 
million computer hosts were affected by computer security incidents in 
1999 alone by damaging computer viruses, with names like ``Melissa,'' 
``Chernobyl,'' ``ExploreZip,''and by other ways that remote intruders 
have found to exploit system vulnerabilities. Even before the ``denial-
of-service'' attacks last week, CERT documented that such incidents 
``grew at a rate around 50 percent per year'' which was ``greater than 
the rate of growth of Internet hosts.''
    CERT has tracked recent trends in severe hacking incidents on the 
Internet--both are serious cause for concern. First, hacking techniques 
are getting more sophisticated. That means law enforcement is going to 
have to get smarter too, and we need to give them the resources to do 
this. Second, hackers have ``become increasingly difficult to locate 
and identify.'' These criminals are operating in many different 
locations and are using techniques that allow them to operate in 
``nearly total obscurity.''
    We have been aware of the vulnerabilities to terrorist attacks of 
our computer networks for more than a decade. It became clear to me, 
when I chaired a series of hearings in 1988 and 1989 by the 
Subcommittee on Technology and the Law in the Judiciary Committee on 
the subject of high-tech terrorism and the threat of computer viruses, 
that merely ``hardening'' our physical space from potential attack 
would only prompt committed criminals and terrorists to switch tactics 
and use new technologies to reach vulnerable softer targets, such as 
our computer systems and other critical infrastructures. The government 
had a responsibility to work with those in the private sector to assess 
those vulnerabilities and defend them. That means making sure our law 
enforcement agencies have the tools they need, but also that the 
government does not stand in the way of smart technical solutions to 
defend our computer systems.
    Targeting cybercrime with up-to-date criminal laws and tougher law 
enforcement is only part of the solution. While criminal penalties may 
deter some computer criminals, these laws usually come into play too 
late, after the crime has been committed and the injury inflicted. We 
should keep in mind the adage that the best defense is a good offense. 
Americans and American firms must be encouraged to take preventive 
measures to protect their computer information and systems.
    That is why, for years, I have advocated and sponsored legislation 
to encourage the widespread use of strong encryption. Encryption is an 
important tool in our arsenal to protect the security of our computer 
information and networks. The Administration made enormous progress 
last month when it issued new regulations relaxing export controls on 
strong encryption. Of course, encryption technology cannot be the sole 
source of protection for our critical computer networks and computer-
based infrastructure, but we need to make sure the government is 
encouraging--and not restraining--the use of strong encryption and 
other technical solutions to protecting our computer systems.
    Congress has responded again and again to help our law enforcement 
agencies keep up with the challenges of new crimes being executed over 
computer networks. In 1984, we passed the Computer Fraud and Abuse Act, 
and its amendments, to criminalize conduct when carried out by means of 
unauthorized access to a computer. In 1986, we passed the Electronic 
Communications Privacy Act (ECPA), which I was proud to sponsor, to 
criminalize tampering with electronic mail systems and remote data 
processing systems and to protect the privacy of computer users. In the 
104th Congress, Senators Kyl, Grassley and I worked together to enact 
the National Information Infrastructure Protection Act to increase 
protection under federal criminal law for both government and private 
computers, and to address an emerging problem of computer-age blackmail 
in which a criminal threatens to harm or shut down a computer system 
unless their extortion demands are met.
    In this Congress, I have introduced a bill with Senator DeWine, the 
Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant 
program within the U.S. Department of Justice for states to tap for 
improved education, training, enforcement and prosecution of computer 
crimes. All 50 states have now enacted tough computer crime control 
laws. These state laws establish a firm groundwork for electronic 
commerce and Internet security. Unfortunately, too many state and local 
law enforcement agencies are struggling to afford the high cost of 
training and equipment necessary for effective enforcement of their 
state computer crime statutes. Our legislation, the Computer Crime 
Enforcement Act, would help state and local law enforcement join the 
fight to combat the worsening threats we face from computer crime.
    I am convinced that we should be doing more to combat the current 
wave of computer crime. Those who are engaged in computer hacking, 
computer fraud and counterfeiting computer programs should be 
prosecuted and punished appropriately. As we have seen recently, these 
kinds of criminals wreak havoc on consumers, our interstate businesses 
and computer systems. To strengthen our laws in these areas, after the 
recess I plan to introduce legislation to broaden the scope of the 
prohibitions relating to computer hacking, including a refinement of 
the definition of what constitutes loss and damage caused by an 
intruder on a computer system. My proposal also will contain measures 
to allow our law enforcement officers to investigate and assist in 
international hacker cases.
    President Clinton has proposed $37 million in additional funding in 
his fiscal year 2001 Department of Justice budget to combat cybercrime. 
The President's request includes $6 million to develop regional 
computer forensic labs, $11 million to hire 100 more FBI experts on 
computer-related crimes and $8 million for U.S. Attorneys to prosecute 
cybercrime.
    I look forward to working with the Chairman and other concerned 
Senators to consider this budget request and other steps like our 
pending legislation to give state and local law enforcement agencies 
the tools they need to combat computer crime and maintain consumer 
confidence in electronic commerce.
    I am a strong proponent of the Internet and a defender of our 
constitutional rights to speak freely and to keep private our 
confidential affairs from either private sector snoops or unreasonable 
government searches. These principles can be respected at the same time 
we hold accountable those malicious mischief makers and digital 
graffiti sprayers, who use computers to damage or destroy the property 
of others. I have seen Congress react reflexively in the past to 
address concerns over anti-social behavior on the Internet with 
legislative proposals that would do more harm than good. A good example 
of this is the Communications Decency Act, which the Supreme Court 
declared unconstitutional. We must make sure that our legislative 
efforts are precisely targeted on stopping destructive acts and that we 
avoid scattershot proposals that would threaten, rather than foster, 
electronic commerce and sacrifice, rather than promote, our 
constitutional rights.
    Technology has ushered in a new age filled with unlimited potential 
for commerce and communications. But the Internet age has also ushered 
in new challenges for federal, state and local law enforcement 
officials. Congress and the Administration need to work together to 
meet these new challenges while preserving the benefits of our new era. 
I look forward to hearing from Attorney General Reno and FBI Director 
Freeh, and the other distinguished witnesses, on this important 
challenge.

    Senator Gregg. Thank you. I appreciate your time, Senator 
Leahy. Secretary Reinsch, would you like to sit at the table 
here because I suspect at some point we are going to want to 
ask you some questions, if you do not mind? I recognize we did 
not ask you to prepare a statement so I will not ask you to 
participate.
    Mr. Reinsch. I have one.
    Senator Gregg. But we would be happy to have your comments 
at some point. We will start with the Attorney General, 
however. Appreciate your taking the time to come, Attorney 
General. Please give us your thoughts, and what we should know, 
and then we can turn to Director Freeh, and then to Mr. 
Reinsch, and then we will take questions.
STATEMENT OF HON. JANET RENO, ATTORNEY GENERAL, 
            DEPARTMENT OF JUSTICE
    Ms. Reno. Mr. Chairman, Senator Leahy, Mr. Chairman, I have 
appreciated your thoughtful, constructive support of law 
enforcement and your leadership in the area of cybertechnology 
as it is applied to law enforcement. You have a yankee 
frugality, though, and you have been totally consistent in 
making sure we spend our monies wisely and according to proper 
plans, and I personally want to thank you for the contribution 
you have made to a very effective law enforcement.
    Senator Leahy, you are one of the first people that I met 
as I came to Washington. Your guidance, your wisdom and your 
thoughts on so many issues relating to matters in the Judiciary 
Committee have been vital to me, and I thank you so very much.

           federal law enforcement response to computer crime

    As Director Freeh will discuss, computer crime 
investigators in a number of FBI field offices are 
investigating the recent computer attacks. They are 
coordinating the information with the National Infrastructure 
Protection Center. The agents are working closely with our 
network of specially trained computer crime prosecutors, who 
are available around the clock to provide legal advice and 
obtain whatever court orders are necessary. Attorneys from the 
CCIPS, which is the Computer Crime and Intellectual Property 
Section of the Criminal Division, are coordinating with the 
Assistant United States Attorneys in the field.
    Other Federal agencies and the private sector are working 
with us in a cooperative effort that I think is an example for 
all of us on how we must work together to address the issue of 
cybercrime. I am proud of that effort and I am proud of the 
efforts that have been made to date to ensure investigative and 
prosecutorial expertise and capacity to address the issue of 
cybercrime.
    There is more to do if we are to be prepared to deal with 
the challenges in this arena for the future. This is one of my 
last appearances before this committee. Most of what we say 
here will not affect me as Attorney General, but it will affect 
each one of us as citizens of this country. How we deal with 
cybercrime is one of the most critical issues that law 
enforcement has ever faced. If we are successful in our 
efforts, we will not only protect our citizens from harm, but 
we will give people confidence in the Internet and in 
cybertechnology as magnificent tools of commerce, learning and 
communication.
    Mr. Chairman, in the time I have remaining as Attorney 
General, I would like to work with you and do everything I 
possibly can to leave for my successors the capacity to ensure 
the equipment and the expertise necessary to ensure the prompt 
and professional investigation and prosecution of cybercrime; 
to make sure that we have the equipment that is sufficiently up 
to date to deal with the most sophisticated criminals; to 
immediately and continually eliminate the backlog of computers 
to be searched, both in the investigation of cybercrime as well 
as other crimes such as drug crimes.
    Also needed are the prevention and deterrence of intrusions 
or attacks on the Nation's critical infrastructure or other 
acts of cyberterrorism; and the capacity to detect and trace 
cybercriminals around the world and bring them to justice. The 
damage that can be done by somebody sitting halfway around the 
world is immense. We have got to be able to trace them, and we 
have made real progress with our discussions with our 
colleagues in the G-8 and in the Council of Europe.

                     building a strong partnership

    We need to continue to build a strong partnership with 
State and local law enforcement by which we share expertise, 
equipment, and avoid costly duplication and fragmentation. We 
need to work in partnership with industry to address cybercrime 
and security. This should not be a top down approach through 
excessive government regulation or mandates. Rather, we need a 
true partnership where we can discuss challenges and develop 
effective solutions that do not pose a threat to individual 
privacy. We need to develop the means of educating our young 
people concerning the responsible use of the Internet.
    The Department must also address the vulnerability of its 
own systems. Based on internal reviews, we need enhanced 
computer security across the Department and we are redirecting 
our resources and efforts to focus on correcting computer 
security vulnerabilities. But when threats like the denial of 
service attacks of last week emerge, we have taken steps and we 
must continue to do so to protect the Department's computer 
systems. We must do all we can to reach out to academia and to 
industry to learn the most up-to-date means of addressing 
complex technical issues as they emerge in this new exciting 
and developing world. We must achieve all these goals in a 
manner that respects and upholds our cherished privacy and our 
freedoms.
    We would like to work with you, Mr. Chairman, and with 
members of the subcommittee to develop a comprehensive 5-year 
plan with fiscal year 2001 as our baseline to achieve these 
results. Recent attacks demonstrate the importance of 
developing such a long-term coordinated strategy. Mr. Chairman, 
it was under your leadership that we developed the 5-year plan 
with respect to counterterrorism. If we focus on cybercrime, 
and make sure we have the equipment, and the expertise, I think 
we can do so much and I would like to work with you in that 
effort.

                          appropriations needs

    In that undertaking, we need your help to refocus resources 
provided for fiscal year 2000. The level of funding provided in 
the fiscal year 2000 enacted appropriation for the General 
Legal Activities (GLA) appropriation is insufficient to cover 
the base program needs of all the litigating components funded 
from GLA with the exception of the Civil Rights Division.
    For the first time, the Congress allocated specific amounts 
to each individual GLA component in the report language that 
accompanies the Appropriations Act. This action made it 
impossible for me to distribute the appropriated resources as 
needed. The Criminal Division's allocation was hardest hit of 
all and this has had serious implications for the Division's 
ability to support its computer crime efforts. Yesterday, we 
delivered a reprogramming of resources appropriated to GLA 
which would make base resource funding available to all the GLA 
accounts by internally redistributing Congress' allocation of 
GLA resources and supplementing the total resources available 
to GLA with funding presently available from the Working 
Capital Fund unobligated balances.
    We need Congress' approval of this reprogramming to ensure 
the appropriate distribution of the resources among the 
components and we especially need full base funding restored to 
the Criminal Division in order to avoid having to reduce 
Criminal Division staffing by 83 positions including critical 
positions in the Computer Crime and Intellectual Property 
Section.
    For fiscal year 2001, I am asking for $37 million in 
funding enhancements to expand the Department's staffing, 
training and technological capabilities. These enhancements 
include $4.1 million for 59 new Assistant United States 
Attorneys and nine additional attorneys in the Criminal 
Division to prosecute computer and child pornography crimes and 
to provide guidance to Federal, State and local agencies on 
effective response to the threat of computer crime; $8.75 
million to provide critically needed computer crime 
investigation and prosecution training to State and local law 
enforcement agencies; $11.4 million for 100 new FBI computer 
analysis and response team members. Finally, we intend to 
enhance law enforcement's ability to deal with evidence 
available on computers by developing up to 10 new regional 
computer forensic labs.
    Together these enhancements will increase the Department's 
2001 funding base for computer crime of $177.6 million by more 
than 31 percent. If we can work together in these next weeks to 
develop a plan that addresses these goals, I think it will be 
extremely important for our future ability to address these 
concerns. Director Freeh through his strategic plan has begun 
to address these efforts and we commit to do everything we can 
to work with you in coming up with something that satisfies 
your very appropriate concerns and addresses our capacity to 
leave for my successors an effective effort at the Justice 
Department.
    Senator Gregg. Thank you, Madam Attorney General.
    [The statement follows:]
                    Prepared Statement of Janet Reno
    Chairman Gregg and other Members of the Subcommittee, I want to 
thank you for this opportunity to testify on our efforts to combat the 
growing problem of cybercrime, particularly in light of the recent 
denial-of-service attacks on several major Internet sites.
Need for Five-Year Strategy
    The recent attacks demonstrate the importance of developing a long-
term, coordinated strategy for dealing with cybercrime. The strategy 
must address the challenges we face, both domestically and abroad, the 
need for personnel with expertise and the latest cybercrime-fighting 
equipment, the importance of cooperation and sharing with state and 
local law enforcement and our international counterparts, the need for 
educating our young people and others about the responsible use of the 
Internet, and all of this must be done in a manner that respects and 
upholds our cherished privacy and freedoms.
    Recently, I outlined a 10-point plan that identifies the key areas 
where we need to develop our cybercrime capability. The key points of 
this plan include:
  --Developing a round-the-clock network of federal, state and local 
        law enforcement officials with expertise in, and responsibility 
        for, investigating and prosecuting cybercrime.
  --Developing and sharing expertise--personnel and equipment--among 
        federal, state and local law enforcement agencies.
  --Dramatically increasing our computer forensic capabilities, which 
        are so essential in computer crime investigations--both hacking 
        cases and cases where computers are used to facilitate other 
        crimes, including drug trafficking, terrorism, and child 
        pornography.
  --Reviewing whether we have adequate legal tools to locate, identify, 
        and prosecute cybercriminals. In particular, we need to explore 
        new and more robust procedural tools to allow state authorities 
        to more easily gather evidence located outside their 
        jurisdictions. We also need to explore whether we have adequate 
        tools at the federal level to effectively investigate 
        cybercrime.
  --Because of the borderless nature of the Internet, we need to 
        develop effective partnerships with other nations to encourage 
        them to enact laws that adequately address cybercrime and to 
        provide assistance in cybercrime investigations. A balanced 
        international strategy for combating cybercrime should be at 
        the top of our national security agenda.
  --We need to work in partnership with industry to address cybercrime 
        and security. This should not be a top-down approach through 
        excessive government regulation or mandates. Rather, we need a 
        true partnership, where we can discuss challenges and develop 
        effective solutions that do not pose a threat to individual 
        privacy.
  --And we need to teach our young people about the responsible use of 
        the Internet.
    I would like to work with you, Chairman Gregg, and the Members of 
the Subcommittee to develop a comprehensive, five-year plan--with 
fiscal year 2001 as our baseline--to prevent cybercrime and, when it 
does occur, to locate, identify, apprehend and bring to justice those 
responsible for these types of crimes.
Comments on the Recent Attacks
    I would be happy to address your questions on the recent attacks, 
to the extent I can do so without compromising our investigation. At 
this point, I would simply say that we are taking the attacks very 
seriously and that we will do everything in our power to identify those 
responsible and bring them to justice. In addition to the malicious 
disruption of legitimate commerce, so-called ``denial of service'' 
attacks involve the unlawful intrusion into an unknown number of 
computers, which are in turn used to launch attacks on the eventual 
target computer, in this case the computers of Yahoo, eBay, and others. 
Thus, the number of victims in these types of cases can be substantial, 
and the collective loss and cost to respond to these attacks can run 
into the tens of millions of dollars--or more.
Overview of Investigative Efforts and Coordination
    As Director Freeh will discuss, computer crime investigators in a 
number of FBI field offices are investigating these attacks. They are 
coordinating information with the National Infrastructure Protection 
Center (NIPC). The agents are also working closely with our network of 
specially trained computer crime prosecutors who are available 24 hours 
a day/7 days a week to provide legal advice and obtain whatever court 
orders are necessary. Attorneys from the Criminal Division's Computer 
Crime and Intellectual Property Section (CCIPS) are coordinating with 
the Assistant United States Attorneys in the field. We are also 
obtaining information from victim companies and security experts, who, 
like many in the Internet community, condemn these recent attacks. I am 
proud of the efforts being made in this case, including the assistance 
we are receiving from a number of federal agencies.
The Challenge of Fighting Cybercrime
    The recent attacks highlight some of the challenges we face in 
combating cybercrime. The challenges come in many forms: technical 
problems in tracing criminals operating online; resource issues facing 
federal, state, and local law enforcement in being able to undertake 
online criminal investigations and obtain evidence stored in computers; 
and legal deficiencies caused by changes in technology. I will discuss 
each of these briefly.
    As a technical matter, the attacks like the ones we saw last week 
are easy to carry out and hard to solve. The tools available to launch 
such attacks are widely available. In addition, too many companies pay 
inadequate attention to security issues, and are therefore vulnerable 
to be infiltrated and used as launching pads for this kind of 
destructive programs. Once the attacks are carried out, it is hard to 
trace the criminal activity to its source. Criminals can use a variety 
of methods to hide their tracks, allowing them to operate anonymously 
or through masked identities. This makes it difficult--and sometimes 
impossible--to hold the perpetrator criminally accountable.
    Even if criminals do not hide identities online, we still might be 
unable to find them. The design of the Internet and practices relating 
to retention of information means that it is often difficult to obtain 
traffic data critical to an investigation. Without information showing 
which computer was logged onto a network at a particular point in time, 
the opportunity to determine who was responsible may be lost.
    There are other technical challenges, as well, that we must 
consider. The Internet is a global medium that does not recognize 
physical and jurisdictional boundaries. A hacker--armed with no more 
than a computer and modem--can access computers anywhere around the 
globe. They need no passports and pass no checkpoints as they commit 
their crimes. While we are working with our counterparts in other 
countries to develop an international response, we must recognize that 
not all countries are as concerned about computer threats as we are. 
Indeed, some countries have weak laws, or no laws, against computer 
crimes, creating a major obstacle to solving and to prosecuting 
computer crimes. I am quite concerned that one or more nations will 
become ``safe havens'' for cybercriminals.
    Resource issues are also critical. We must ensure that law 
enforcement has an adequate number of prosecutors and agents--assigned 
to the FBI, to the Department of Justice, to other federal agencies, 
and to state and local law enforcement--trained in the necessary skills 
and properly equipped to effectively fight cybercrime, whether it is 
hacking, fraud, child porn, or other forms.
    Finally, legal issues are critical. We are finding that both our 
substantive laws and procedural tools are not always adequate to keep 
pace with the rapid changes in technology.
Current Efforts Against Cybercrime
    While these challenges are daunting, the Department has 
accomplished much in building the infrastructure to combat cybercrime. 
Director Freeh will discuss the work of the NIPC and the Computer Crime 
Squads established around the country. Similarly, in the Department, we 
have a cadre of trained prosecutors, both in headquarters and in the 
field, who are experts in the legal, technological, and practical 
challenges involved in investigating and prosecuting cybercrime.
    The cornerstone of our prosecutor cybercrime program is the 
Criminal Division's Computer Crime and Intellectual Property Section, 
known as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, 
and was elevated into a Section in 1996. With the help of this 
Subcommittee, CCIPS has grown from five attorneys in January of 1996, 
to eighteen attorneys today. CCIPS works closely on computer crime 
cases with Assistant United States Attorneys known as ``Computer and 
Telecommunications Coordinators'' (CTCs) in U.S. Attorney's Offices 
around the country. Each CTC is given special training and equipment, 
and serves as the district's expert in computer crime cases.
    The responsibility and accomplishments of CCIPS and the CTC program 
include:
            Litigating Cases:
    CCIPS attorneys have litigating responsibilities, taking a lead 
role in some computer crime and intellectual property investigations, 
and a coordinating role in many national investigations, such as the 
denial of service investigation that is ongoing currently. As law 
enforcement matures into the Information Age, CCIPS is a central point 
of contact for investigators and prosecutors who confront investigative 
problems with emerging technologies. This year, CCIPS assisted with 
wiretaps over computer networks, as well as traps and traces that 
require agents to segregate Internet headers from the content of the 
packet. CCIPS has also coordinated an interagency working group 
consisting of all the federal law enforcement agencies, which developed 
guidance for law enforcement agents and prosecutors on the many 
problems of law, jurisdiction, and policy that arise in the online 
environment.
    Working with the U.S. Attorney's Office in the District of New 
Jersey and the FBI, as well as with state prosecutors and 
investigators, CCIPS attorneys helped ensure that David Smith, the 
creator of the Melissa virus, pled guilty to a violation of the 
computer fraud statute and admitted to causing damages in excess of $80 
million.
    CCIPS is also a key component in enforcing the ``Economic Espionage 
Act,'' enacted in 1996 to deter and punish the theft of valuable trade 
secrets. CCIPS coordinates approval for all the charges under the theft 
of trade secret provision of this Act, and CCIPS attorneys successfully 
tried the first jury case ever under the Act, culminating in guilty 
verdicts against a company, its Chief Executive Officer, and another 
employee.
    The CTCs have been responsible for the prosecution of computer 
crimes across the country, including the prosecution of the notorious 
hacker, Kevin Mitnick, in Los Angeles, the prosecution of the hacker 
group ``Global Hell'' in Dallas, and the prosecution of White House web 
page hacker, Eric Burns, in Alexandria, Virginia.
            Training
    CCIPS has spearheaded efforts to train local, state, and federal 
agents and prosecutors on the laws governing cybercrime, and last year 
alone gave over 200 presentations to a wide variety of audiences. In 
addition, CTCs across the country are training prosecutors and agents 
in their districts in a variety of fora.
    CCIPS also chairs the National Cybercrime Training Partnership 
(NCTP), a ground-breaking consortium of federal, state, and local 
entities dedicated to improving the technical competence of law 
enforcement in the information age. The NCTP has made great strides in 
creating a comprehensive prototype training curriculum for agents and 
prosecutors in a full range of infotech topics.
            International
    The borderless nature of computer crime requires a large role for 
CCIPS in international negotiations. CCIPS chairs the G-8 Subgroup on 
High-tech Crime, which has established a 24 hours a day/7 days a week 
point of contact with 15 countries for mutual assistance in computer 
crime. CCIPS also plays a leadership role in the Council of Europe 
Experts' Committee on Cybercrime, and in a new cybercrime project at 
the Organization of American States.
            Infrastructure Protection, Policy and Legislation
    CCIPS provided expert legal and technical instruction and advice 
for exercises and seminars to senior personnel on information warfare, 
infrastructure protection, and other topics for the Department of 
Defense, the National Security Agency, the Central Intelligence Agency, 
and others. Further, the Naval War College invited CCIPS to give a 
featured presentation at a high-level, invitation-only conference on 
cyberwarfare and international law. CCIPS also led the Department's 
efforts to counter cyberterrorism through its work on PDD-63, the Five-
Year Counterterrorism Strategy, its support to the National 
Infrastructure Protection Center.
    CCIPS works on a number of policy issues raised at the intersection 
of law and technology. CCIPS attorneys meet regularly with a number of 
industry groups to discuss issues of common concerns, and helped 
establish the Cybercitizen Partnership in cooperation with high-tech 
industries to help identify industry expertise which may be needed in a 
complex investigation, to initiate personnel exchanges and to help 
safeguard our children.
    CCIPS attorneys propose and comment on legislation that affects 
their high-tech mission.
    Other Sections of the Criminal Division--including the Fraud 
Section, the Child Exploitation and Obscenity Section, and the 
Terrorism and Violent Crime Section--are responding as crimes within 
their areas of expertise move online.
    Overall, the Department has the prosecutorial infrastructure in 
place to combat cybercrime. We need the resources to keep the program 
growing to keep pace with the growing problem.
Additional Resources and Tools Are Needed
    We appreciate the Subcommittee's support for many of the efforts 
described above, but I also need your help to refocus resources 
provided for fiscal year 2000. The level of funding provided in the 
fiscal year 2000 enacted appropriation for the General Legal Activities 
(GLA) appropriation is insufficient to cover the base program needs of 
all the litigating components funded from GLA, with the exception of 
the Civil Rights Division. In particular, the specific amounts provided 
to the Criminal Division's has serious implications for the Division's 
ability to support its computer crime efforts.
    Yesterday, we submitted a request to reprogram resources 
appropriated to GLA which would make base resource funding available to 
all the GLA accounts.
    We especially need full base funding restored to the Criminal 
Division in order to avoid a reduction in Criminal Division staffing by 
83 positions, including critical positions in the Computer Crime and 
Intellectual Property Section.
    We must have prosecutors, both in the field and here, in 
Washington, to deal with cybercrime investigations.
    The Division has shifted more of its resources than ever to combat 
cybercrime. Attorneys in the Fraud Section are now focusing on internet 
fraud cases, attorneys in the Child Exploitation and Obscenity Section 
are doing more to combat on-line child pornography. We simply cannot 
support the demand for more anti-cybercrime positions at our current 
funding level.
    For fiscal year 2001, I am asking for $37 million in funding 
enhancements to expand he Department's staffing, training and 
technological capabilities to continue the fight against computer 
crime. These enhancements include:
  --$4.1 million for 59 new Assistant U.S. Attorneys and 9 additional 
        attorneys in the Criminal Division to prosecute computer and 
        child pornography crimes, and to provide guidance to federal, 
        state and local agencies on effective responses to the threat 
        of computer crime.
  --$8.75 million to provide critically needed computer crime 
        investigation and prosecution training to state and local law 
        enforcement agencies.
  --$11.4 million for 100 new FBI Computer Analysis and Response Team 
        (CART) members who will be dispatched to support investigations 
        into computer related crimes, as well as expanding the use of 
        the Automated Computer Examination System, which aids in 
        computer forensics examinations.
  --Finally, we intend to enhance law enforcement's ability to deal 
        with evidence available on computers by developing up to 10 new 
        Regional Computer Forensic Labs.
    Together, these enhancements will increase the Department's 2001 
funding base for computer crime of $177.6 million, 31 percent more than 
in 2000.
    We also need to consider additional tools to locate and identify 
cybercriminals. For example, we may need to strengthen the Computer 
Fraud and Abuse Act by closing a loophole that allows computer hackers 
who have caused a large amount of damage to a network of computers to 
escape punishment if no individual computer sustained over $5,000 worth 
of damage. We may also need to update our trap and trace laws, under 
which we are able to identify the origin and destination of telephone 
calls and computer messages. Under current law, in some instances we 
must obtain court orders in multiple jurisdictions to trace a single 
communication. It might be extremely helpful, for instance, to provide 
nationwide effect for trap and trace orders.
    We must also ensure that in upgrading our computer-crime fighting 
laws, we ensure that appropriate privacy safeguards are maintained and, 
where possible, strengthened. For example, recent investigations have 
revealed serious violations of privacy by hackers, who have obtained 
individual's personal data, such as credit cards and passwords. An 
increase in the penalty for violations of invasions into private stored 
communications may be appropriate. We would like to work with Congress 
to develop a thoughtful and effective package of tools that allow us to 
keep pace with cybercriminals, update the laws that allow us to locate 
and identify cybercriminals, and ensure that privacy safeguards are 
respected and, where possible, strengthened.
    Finally, I believe one important answer lies in educating our youth 
and others in society, that computer hacking is not only illegal, but 
ethically wrong. Most of us know that we should not break into a 
neighbor's house or read his mail, but many have not applied these same 
values to their online activities. Last April, I announced that the 
Department, along with the Information Technology Association of 
America had formed the Cybercitizen Partnership, a national campaign to 
educate and raise awareness of computer responsibility. We hope the 
Partnership will announce a nationwide public awareness and education 
campaign in the near future.
    I look forward to working with the Subcommittee to ensure we have a 
robust and effective long-term strategy for combating cybercrime, 
protecting our nation's infrastructure, and ensuring that the Internet 
reaches its full potential for expanding communications, facilitating 
commerce, and bringing countless other benefits to our society.
STATEMENT OF HON. LOUIS J. FREEH, DIRECTOR, FEDERAL 
            BUREAU OF INVESTIGATION, DEPARTMENT OF 
            JUSTICE
    Senator Gregg. Director Freeh.
    Mr. Freeh. Thank you, Mr. Chairman, Senator Leahy, Attorney 
General Reno. Let me just echo the Attorney General's 
appreciation on behalf of the FBI and I think the entire 
national law enforcement community to you, Chairman Gregg, 
Senator Hollings, and particularly to this committee, for what 
has really been a consistent and now long-standing support in 
the area of technology crimes and the ability for law 
enforcement agencies--State, local and Federal--to deal with 
these issues.
    I recall in 1997, you chaired a hearing together with 
Chairman Stevens, and for the first time, at least in our 
memory, a committee here addressed not just the immediate 
issues with respect to counterterrorism threats and the 
cyberterrorism implications of those threats, but looked for 
the first time to developing a long-term planning and asset 
evaluation and resource allocation plan. That plan has 
developed and prospered.
    Senator Leahy, let me take the opportunity to thank you 
also for the support that you have shown in this area, back in 
1994, leading the efforts in the Senate on the Communications 
to Law Enforcement Assistance Act. An act which you recall some 
people in town said could never be passed, was passed and gave 
not just the Federal Government but the State and local police 
forces around the country the continued ability, not any new 
powers, but the continued ability to exercise court-ordered 
electronic surveillance without changing the balance of the 
Fourth Amendment, and really getting into the information age 
with respect to our technical ability. So let me just begin by 
thanking you and thanking the Attorney General for her valued 
support and continuous support in the area of technical 
assistance to law enforcement.

                          need for cooperation

    Going beyond 1997 when you inaugurated these hearings, 
Chairman Gregg, there is no doubt anymore that these are issues 
which are critically important to the success of law 
enforcement. Looking at Judge Webster's report just a few weeks 
ago, the Commission on the Advancement of Law Enforcement, 
which is a congressionally required commission, he says, among 
other things, global crime, cybercrime and terrorism pose the 
new emerging security threats to the Nation and challenge the 
Federal law enforcement community.
    The report talks about not only the importance of resource 
allocation but also coordination, which is the issue that you 
highlighted, and perhaps just as importantly the cooperation 
and input from the private sector. Like any other area of the 
government, the FBI, State and local police departments, and 
prosecuting authorities cannot deal with this issue without the 
cooperation and assistance of the private sector, particularly 
in the type of cases that I will talk about in a moment. These 
companies are not only victims of some of these crimes, but 
have uniquely the resident expertise to furnish not only the 
investigative support and tools that are necessary, but also, 
indeed in many cases, the insight into their own systems.
    I am very pleased to say that not just as a result of the 
National Infrastructure Protection Center, which this committee 
authorized and set up, and the use of our investigators 
throughout the course of the last couple of weeks, the 
assistance from the private sector has been extraordinary. Not 
just the victim companies but dozens of other companies, 
scientific experts, academic scholars, think tanks, 
associations have called the FBI and gave in many cases not 
just valuable leads but support, ideas, and in some cases 
technology assistance to pursue what has been a very complex 
and fast-moving investigation. This one would never get out of 
the starting gate without the current structures as you have 
authorized them and more importantly the interoperability of 
that structure with not only other Federal, State, and local 
enforcement agencies and the private sector itself.

                     changing technology challenges

    You know if I came in one morning and said we were faced 
with the invention of the automobile, the telephone, and the 
radio, and that law enforcement needed your assistance to deal 
with this new technology, we would sit down and look at vast 
array of resources that would be necessary to deal with this 
technology being used in part by people who would commit 
crimes. In many ways, the situation beginning several years ago 
is a comparable situation, although because the technology is 
now not only more complex but in some cases changes on an 18 
month cycle, perhaps even a greater challenge.
    And as we would, we would have to respond to that threat, 
devise resources, plans and infrastructure to make sure that 
law enforcement had the continued capacity to do its 
traditional role of protecting the people we serve, but doing 
it not only in the face of the challenge of these technologies, 
but also using those technologies. In fact, that is what the 
Congress has done over the last couple of years. The structures 
that I will speak about briefly in a moment are really the 
direct result and the absolute minimum ingredient required to 
deal with these issues.

                        denial of service cases

    With respect to the current investigation, I will give you 
a quick synopsis of it. Obviously, there are aspects of it that 
I cannot go into because of the nature of the case and the fact 
that criminal prosecutions may very well result. Going back 
several months to the fall of last year, we at the FBI began to 
receive reports about a threat to the Internet from the 
distributed denial of service attacks, which is what was 
evidenced over the last couple of weeks. In these types of 
attacks, hackers first break into the computer system of an 
unwitting victim and then plant what they call malicious 
programs. They go by names such as Trinoo, Tribal Flood Net, 
Stacheldraht. Planting the malicious systems on unsuspecting or 
unwitting computer hosts is the first step in the line of that 
attack. This can be done hours, days, weeks, or even months 
before the actual attack occurs.
    The hacker then sends a command that would activate the 
program which results in the victim computer systems themselves 
sending repeated messages against a target system which is what 
happened in these cases. In some instances, the malicious 
program includes an embedded start date and time in its code 
precluding even the need for a separate activation command.
    Because the hacker uses a ``spoofed'' or non-valid Internet 
address, the target system overloads because the target system 
is unable to confirm the receipt of the messages from the 
computer sending that message. As a result, the build up of 
unconfirmed messages overwhelms these target systems which in 
turn denies legitimate access by the regular users.
    In December 1999, again with notice of some of these 
threats, the National Infrastructure Protection Center, which 
as I noted has only been in existence since December 9, 1998, 
issued an alert to the community regarding these threats. In 
fact, for the first time, NIPC made available to the industry a 
software tool that can be used to detect the presence of 
service coding. This is the first time that this was done. This 
tool was downloaded, we know, by hundreds and hundreds of users 
and, hopefully, put to some good use with respect to both 
detection and the furnishing of subsequent leads.
    On February 8, we received reports that the Yahoo! site had 
experienced the first coordinated denial of service attack. The 
days that followed, as reflected in your display here in the 
hearing room, Amazon.com, eBay, e*Trade, and CNN.com also 
reported similar denial of service outages. The victim 
companies of these attacks, as I mentioned, are cooperating 
fully with the FBI and, as I mentioned, in many cases 
furnishing, in addition to leads, very important technical 
support. Additionally, members of the community at large, in 
fact, some hackers, many of whom condemned the present attacks 
publicly, have come forward and supplied extremely valuable 
information to the FBI for which we are very grateful.
    Five of our major offices where the target companies are 
located, Los Angeles, San Francisco, Atlanta, Boston, and 
Seattle, have initiated full investigations. Seven secondary 
offices are working in primary support of those offices. In 
addition, all of our divisions and many of our overseas 
offices, as I will note in a moment, are furnishing active 
support in this very fast-moving investigation.
    Analysts and computer scientists, both within the NIPC as 
well as outside, are reviewing and analyzing voluminous 
material from the target companies logs which have been 
furnished. This is a very time consuming procedure. The 
investigation is continuing and even public reports this 
morning, accurately reflect an investigation which is now 
stretching literally around the world, working with our 
overseas FBI offices in places like Canada, Germany, and 
several other countries, and working with our liaison police 
partner services in many of these countries running down leads, 
interviewing people, asking for technical records as well as 
assistance. This is the nature of these investigations.
    As we saw over the millennial period, the ability to 
conduct investigations in this particular subject matter 
requires absolutely the instantaneous ability to contact and 
work with our overseas partners, which is why, thanks to the 
support of this committee and other committees, the FBI now has 
35 foreign Legal attache offices. We had 21 in 1993. These 
offices give us the ability to literally pick up the phone and 
have an FBI agent familiar with the case walk into the host law 
enforcement agency and receive law enforcement assistance that 
could never otherwise have been received in that kind of a time 
frame. We are very, very thankful for that assistance.
    We have been very, very pleased with the progress of the 
investigation. There are fast developing leads as we speak and, 
hopefully, we will be able to report with more details in the 
coming days and weeks.

               cybercrime and computer intrusion threats

    I would like to just talk a little bit about the emerging 
cybercrime and computer intrusion threats. We know that the 
growth of the Internet has certainly been the single reason why 
these threats have been not only elevated but why the 
compromising of the systems that we have seen in the past few 
weeks has such broad implications.
    Last year, 1999, there were over 100 million Internet users 
in the United States. By 2003, experts project the number of 
users to reach 177 million in the United States and over 500 
million worldwide. Economic commerce, a significant new sector 
of our economy, accounted in 1999 for about $100 billion in 
sales over the Internet. By 2003, electronic commerce is 
projected to account for sales in excess of $1 trillion. And 
the rate of growth after that will clearly be exponential.
    Over the past several years, we have seen and investigated 
a range of computer crimes and threats really across the 
spectrum. And I want to just briefly refer to some of those. 
There are the insider threats that computer systems within 
universities, within corporations, and even within government 
entities have experienced. A 1999 Computer Security Institute 
report indicated that 55 percent of the respondents had 
reported malicious activity from insiders with respect to their 
individual entities or corporations.
    Another brand of these attacks and threats are in the area 
of hackers about which we have seen much activity. There is a 
subcategory which we referred to as ``hacktivism,'' which are 
politically motivated attacks. We saw that during the recent 
hostilities in the former Yugoslavia with hundreds and hundreds 
of threats and computer attacks being launched against NATO web 
servers as well as institutions in many of the NATO countries. 
There are the virus writers, which is a particularly dangerous 
type of threat. Back in 1999, the FBI in conjunction with some 
State and local partners, particularly the New Jersey State 
Police, solved the Melissa Macro Virus case. If you recall, and 
again, very importantly for purposes of liaison with the 
private sector, the New Jersey State Police received some 
information from America Online that came to the FBI in our 
Newark office where we have one of our computer squads. A 
series of investigations were conducted jointly which resulted 
in several searches and arrests. The individual who pled guilty 
admitted to activities which affected over one million computer 
systems and caused over $80 million worth of damage.
    Another brand of these threats represent activities by 
organized criminal groups. In another case last year, two 
members of a group who called themselves the ``Phonemasters'' 
were convicted of the theft and possession of unauthorized 
access devices. This was a case where the subjects penetrated 
MCI, Sprint, AT&T, and Equifax. We needed and obtained 
judicially approved surveillance orders to conduct the 
investigation using intercept technologies which were very, 
very complex and had to be tailor made to use in those 
particular cases. To give you some idea of the scope of the 
plan, the individuals downloaded thousands of Sprint calling 
cards. Some of these were sold to a Canadian citizen. He in 
turn passed them to a citizen back in Ohio. This was all done 
by computer. They were then sent to an individual in 
Switzerland and they ended up in part in the hands of some 
organized crime groups down in Italy. This is typical in many 
respects with regard to this type of criminal activity.
    We have another category called the distributed denial of 
service attacks which we have talked about this morning. We 
also see threats and attacks involving economic espionage. The 
economic espionage statute, which the Congress passed in 1996, 
was particularly designed to deal with the theft by computer of 
valuable trade secrets, where losses of billions and billions 
of dollars can occur according to the American Society of 
Industrial Security.

                            innocent images

    We have another broad set of criminal activity being 
conducted by individuals, and perhaps the one most notoriously 
known, and certainly you have been the principal source of the 
enforcement resources that have been used in this area, named 
Innocent Images cases. These are cases where pedophiles use the 
technology of the Internet to go into people's homes to contact 
minors, to make arrangements to see them, which often requires 
traveling interstate. We opened 1,497 of these new cases last 
year, fiscal year 1999. We have made 193 arrests, and obtained 
over 108 convictions. This is an activity which is now being 
worked not only by the FBI, but again because of your support 
and the committee's support, it is being worked in a 
coordinated fashion by many State and local agencies in 
cooperation with the FBI.

                 terrorist and foreign threats strategy

    We also have other threats that come not from individuals 
and not even from within the United States but from terrorists, 
from foreign intelligence services. The whole subject matter of 
information warfare, of course, gets into national security 
issues well beyond the purview of the FBI. But the scope of 
threats on the front of cyberspace and cybercrime; as shown 
just by this very brief summary, is obviously an immense one.

                     cybercrime fighting strategies

    I think there are probably some keys and some experience 
that we have shown relevant directly to our success in any 
crime fighting strategy involving cybercrime and cyberspace. I 
would like to highlight just a few of these. The first one is 
law enforcement investigative capacities. The second one is 
building prosecutorial expertise--the Attorney General referred 
to that in part. Third, developing partnerships with industry 
and academia--these are absolutely vital if we are to be 
successful. Fourth, building law enforcement data forensic and 
technology capabilities. Again, these can be built without 
disturbing the balance of the Fourth Amendment, without people 
worrying about the government operating national computer 
systems. These can be done under our existing Constitution and 
enabling statutes. And finally, the issue of encouraging not 
only computer ethics but the lawfulness of computer use and 
computer law, particularly in the area of law enforcement.

               national infrastructure protection center

    With respect to building law enforcement investigative 
capabilities, this obviously is the vital and first building 
block. We are, as I said, grateful for your support and your 
leadership in the establishment of the National Infrastructure 
Protection Center. This center, as you know, is unique. It is 
the only national organization devoted to investigation, 
analysis, warning and response to attacks against our 
infrastructure. It was established in December 1998. There are 
193 FBI special agents around the field who are particularly 
qualified and who reside in the investigative part of this 
program. There are over 100 personnel back here at headquarters 
in NIPC. Many other government agencies have representatives 
there.
    The private sector has representation there. We have State 
and local participation. We even have participation from some 
of the national security agencies. In all we have 16 NIPC 
squads around the United States. Again, these are recently 
established and five of them are working on the main cases that 
I have mentioned before. They share much of their information 
with State and local partners. We use a series of Federal 
channels for sharing information including Law Enforcement On-
Line and the national law enforcement telecommunications 
system. We have a key asset program managed by this activity 
which identifies those key assets in infrastructure which could 
be compromised.
    We have an InfraGard program, which is a program that 
directly involves the private sector in the planning as well as 
the reaction to some of these attacks. We have a 24 hour watch 
system at our FBI Headquarters which monitors not just threats 
but in some cases, as I mentioned, becomes the originating 
point for intelligence as it is collected and enables us to 
take preventive action as we tried to do earlier last year.
    One of the issues that you mentioned that I would just like 
to respond to is the hiring, training, and retention of the 
people who are necessary to perform this work. And that has 
been a continuing challenge and will probably be our foremost 
personnel challenge in the years to come. We were very pleased 
several years ago when the Congress provided the FBI with a 
pilot program to use our Title 5 exemption authority to hire 
people who could not otherwise be hired because their talent 
and the competition for their work is such that the usual GS 
pay scale would be insufficient to attract and retain them.
    We have been able to staff over 54 experts, particularly in 
scientific and computer positions, under this program. We would 
very, very much like to extend the authority for that program 
which is due to expire in September of this year. My prediction 
is that if that program is extended and we continue to use it 
and expand it, we will have the ability to do exactly what you 
would like us to do and what the American people would like us 
to do: get the men and women into the FBI, not just the agents, 
but the analysts, the computer scientists, the people who 
understand these codes, and make sure that we are able to keep 
them. The training and expertise that they bring is also made 
available to our State and local partners.
    One of the other major functions of the NIPC is training 
and liaison. We have trained hundreds of State and local 
officers, other Federal officers, in the area of computer 
crimes. We have even given them, in many cases, some of the 
tools and techniques necessary to perform this job. But the 
personnel and the authority to hire over and above the current 
GS scale is absolutely vital for us.

                       international cooperation

    I also want to mention again how critical it is that we 
have not only the domestic law enforcement network and liaison 
but the international one. There is no computer hacking case of 
any large dimension that I can imagine where it is not likely 
to have leads, evidence, witnesses, and needs that go well 
beyond the United States to literally places around the world. 
Over the millennium weekend, we did exactly that. It was 
primarily in the counterterrorism area, but we had agents and 
computer forensic experts literally around the world working 
with our liaison partners because that is the nature of this 
venue and that is where these cases very, very quickly take us.
    We have the need obviously, as the Attorney General 
mentioned, to continue to obtain necessary equipment, including 
basic hardware to do our job. The 2001 request asks for an 
additional $40 million for the Information Sharing Initiative. 
That is the initiative that buys basic hardware and computers 
to be used by our agents and other personnel to conduct these 
investigations. We are hoping to receive the final approvals to 
spend the $80 million which the Congress has authorized and 
appropriated in the fiscal year 1999 and 2000 budgets and we 
are hoping to get the final paperwork up to the committees 
within the next couple of weeks.

                     building prosecutorial experts

    The second broader area that I mentioned is building 
prosecutorial expertise. The best computer analysts and the 
best technical agents in the world will not succeed at the end 
of the day unless there are trained prosecutors with the 
ability, the know-how, and the experience to assist in the 
complex investigation of these cases where many legal issues, 
including privacy issues and Fourth Amendment issues, take 
different permutations, arise and have to be addressed very 
speedily and decisively. We are very thankful to the Attorney 
General for her strong support and leadership in the Department 
for the development of a strong cadre of Assistant U.S. 
Attorneys who are able to do these cases and respond to them as 
the needs arise.

                 partnership with industry and academia

    The other area I have alluded to several times, the 
partnerships with industry as well as academia. Yesterday, the 
head of my laboratory, Dr. Kerr, met with the head of the 
Thayer School of Engineering to discuss direct FBI 
participation in the Thayer School Institute for Security 
Technology Studies, which addresses among other things the 
primary area of cybersecurity. This is the type of support that 
we desperately need not only to pursue investigations but also 
to develop tools and techniques that can be used in these cases 
to do research and development--which our investigators who are 
very busy do not always have the time and luxury to do, and 
which is particularly suited for academia as well as the 
private sector.

              building forensic and technical capabilities

    The other area--building forensic and technical 
capabilities is something where I think we have made a very 
good start. We have 142 full- or part-time CART examiners. 
These are the individuals who do the forensic examinations, who 
can take evidence off a hard drive that even the people who are 
fairly sophisticated think has been erased and deleted from the 
system. This is a demand which is growing exponentially. We had 
about 1,800 examinations in the last year. We predict by the 
end of next year, there will be 6,000 of these examinations 
required on a yearly basis. Some of the cases, because of their 
complexity and because of the growth of the capacity of hard 
drives, require more and more time, more and more complex 
analysis and techniques.
    In 1998, most of the computers that were sold had hard 
drives with a six to eight gigabyte capacity. By the end of 
this year, we are going to see 60 to 80 gigabyte capacities. 
What this means is that you double, double, and double again 
the magnetic area that needs to be searched to obtain evidence 
as well as for other preemptory examinations. What this means 
is that the capacity to do more electronic type of examinations 
will be required. We have a system that the CART examiners use 
and which this committee has funded called the ACES system, 
which is the Automated Computer Examination System. We have 
asked in the current budget proposal for a continuation of that 
funding. ACES allows the examiners to expeditiously look at 
huge areas of media which otherwise even under technical means 
would take an enormous amount of time. In some cases, not these 
cases, but others where lives may literally be at risk, this 
time consumption is very, very critical.
    We need to propagate and decentralize the computer 
examining abilities that we have in the FBI. This goes along 
the lines you alluded to before about encouraging and 
supporting State and local expertise. One very successful 
effort in this area was the recent establishment by the FBI and 
State and local authorities in San Diego, California, of a 
regional computer forensic lab, the first time that we have 
undertaken this type of a joint venture. What this does is 
establish a regional laboratory for computer examinations so 
the investigators, particularly State and local investigators 
in that area, do not have to rely on our headquarters 
facilities or even FBI stand alone capacity to conduct these 
examinations.
    This creates a center of excellence. It is a method to 
enhance training as well as other expertise. We are looking at 
doing the same type of establishments in the New England area, 
and in the Dallas area. The cost of these start-ups is very 
minimal and the return and the benefit--not just to the State 
and local authorities but the ability to cut some of the 
backlogs coming back to Washington and the attendant delays--we 
think is a very, very good formula for success.
    So we want to look at this very carefully. We want to make 
sure the results are as impressive as they have been so far. 
This is an area where I think very critically we need to get 
this technology and law enforcement ability out to our State 
and local partners.

                           counterencryption

    I wanted to mention a little bit about some of the other 
engineering issues. I mentioned the ACES system. I referred 
earlier to the Communications Assistance for Law Enforcement 
Act, the CART examinations. We also need again the ability to 
work these cases not only in a digital environment as we find 
ourselves but an encrypted environment. We are finding more and 
more, 53 new cases last year, computer media as well as stored 
data, where encryption has made the information and the 
potential evidence all but worthless or unavailable to us 
because we do not have the plain text and there is no ability 
to understand, either on a real time basis or historical basis, 
what it is that is being discussed by the hackers, what plans 
reside in their encrypted files, and all the other impediments 
that this poses.
    This is a huge issue not just for law enforcement in 
general but particularly in the area of computer crime and 
cybersecurity. Without the ability for law enforcement officers 
to get court-ordered access to plain text, we are going to be 
out of business in a large number of these cases. We will never 
know in some cases who the subjects are, what the conspiracy 
consisted of, what the objectives were. We will be operating 
with basically primitive tools in a very high tech environment.
    This committee has held hearings on this before. You have 
certainly supported our budget requests in trying to address 
this area. As I have testified to numerous times over the last 
7 years, if this area remains unaddressed, not just for the FBI 
but for our State and local partners, we will be very, very 
much unable and incapable of investigating some of these major 
cases. As we have testified before, we do not need a change in 
the Constitution or our statutory authority to do this. We can 
obtain plain text access which comes only with a court order 
without changing any of the parameters and without changing the 
statutes that legitimately protect not just privacy but the 
expectation of privacy. But if it is unaddressed, we are not 
going to be able to work in many of these cases.

                       developing computer ethics

    The last area that I just wanted to mention briefly is 
encouraging the development of computer law in the law 
enforcement area, as well as computer ethics. I think that is a 
theme that has to become much more conversant in our 
universities, our schools, our workplaces, our Government 
places. We have to respond to some of these incidents, even the 
ones that are non-criminal, with a framework of law as well as 
an ethical framework that seeks to deter and discourage 
activities that affect these systems and promote the positive 
side of it.
    Again, I am very, very pleased to be here and on behalf of 
the law enforcement community--and I emphasize the State and 
local community. I want to thank this committee, Mr. Chairman, 
for your leadership in this area. We have made a good start. We 
have found in the last couple of weeks that although we were 
busy, we were not overwhelmed. We have been able to follow 
leads. The response and support from the other government 
agencies and the private sector has been enormous. So we are in 
the ballgame right now thanks to your support, and the 
resources we have received. We want to make sure that balance 
does not change in the next couple of years. Thank you.
    [The statement follows:]
                  Prepared Statement of Louis J. Freeh
    Good morning, Mr. Chairman and members of the Subcommittee. I am 
privileged to join Attorney General Reno in this opportunity to discuss 
cybercrime--one of the fastest evolving areas of criminal behavior and 
a significant threat to our national and economic security.
    Twelve years ago the ``Morris Worm'' paralyzed half of the 
Internet, yet so few of us were connected at that time that the impact 
on our society was minimal. Since then, the Internet has grown from a 
tool primarily in the realm of academia and the defense/intelligence 
communities, to a global electronic network that touches nearly every 
aspect of everyday life at the workplace and in our homes. There were 
over 100 million Internet users in the United States in 1999. That 
number is projected to reach 177 million in the United States and 502 
million worldwide by the end of 2003. Electronic commerce has emerged 
as a new sector of the American economy, accounting for over $100 
billion in sales during 1999, more than double the amount in 1998. By 
2003, electronic commerce is projected to exceed $1 trillion. The 
recent denial of service attacks on leading elements of the electronic 
economic sector, including Yahoo!, Amazon.com, Ebay, E*Trade, and 
others, had dramatic and immediate impact on many Americans.
    I would like to acknowledge the strong support this Subcommittee 
has provided to the FBI over the past several years for fighting 
cybercrime. This Subcommittee was the first to support resources--back 
in fiscal year 1997--for establishing a computer intrusion 
investigative capability within the FBI. You have generously provided 
support for our efforts against on-line sexual exploitation of children 
and child pornography--the Innocent Images initiative, as well as to 
develop our Computer Analysis Response Team (CART) program, and the 
creation of computer crime squads in our field offices. For that 
support, I would like to say thank you.
    In my testimony today, I would like to first discuss the nature of 
the threat that is posed from cybercrime and then describe the FBI's 
current capabilities for fighting cybercrime. Finally, I would like to 
close by discussing several of the challenges that cybercrime and 
technology present for law enforcement.
              cybercrime threats faced by law enforcement
    Before discussing the FBI's programs and requirements with respect 
to cybercrime, let me take a few minutes to discuss the dimensions of 
the problem. Our case load is increasing dramatically. In fiscal year 
1998, we opened 547 computer intrusion cases; in fiscal year 1999, that 
had jumped to 1,154. At the same time, because of the opening the 
National Infrastructure Protection Center (NIPC) in February 1998, and 
our improving ability to fight cyber crime, we closed more cases. In 
fiscal year 1998, we closed 399 intrusion cases, and in fiscal year 
1999, we closed 912 such cases. However, given the exponential increase 
in the number of cases opened, cited above, our actual number of 
pending cases has increased by 39 percent, from 601 at the end of 
fiscal year 1998, to 834 at the end of fiscal year 1999. In short, even 
though we have markedly improved our capabilities to fight cyber 
intrusions, the problem is growing even faster and thus we are falling 
further behind. These figures do not even include other types of crimes 
committed by a computer such as Internet fraud or child pornography on-
line.
    As part of our efforts to counter the mounting cyber threat, the 
FBI uses both full National Infrastructure Protection and Computer 
Intrusion squads located in 16 field offices and is developing baseline 
computer intrusion team capabilities in non-squad field offices. 
Further, we are establishing partnerships with state and local law 
enforcement through cybercrime task forces.
Cyber Threats Facing the United States
    The numbers above do not provide a sense of the wide range in the 
types of cases we see. Over the past several years we have seen a range 
of computer crimes ranging from simple hacking by juveniles to 
sophisticated intrusions that we suspect may be sponsored by foreign 
powers, and everything in between. A website hack that takes an e-
commerce site off-line or deprives a citizen of information about the 
workings of her government or important government services she needs, 
these are serious matters. An intrusion that results in the theft of 
credit card numbers or proprietary information or the loss of sensitive 
government information can threaten our national security and undermine 
confidence in e-commerce. A denial-of-service attack that can knock e-
commerce sites off-line, as we've seen over the last week, can have 
significant consequences, not only for victim companies, but also for 
consumers and the economy as a whole. Because of these implications, it 
is critical that we have in place the programs and resources to 
confront this threat. The following is a breakdown of types of 
malicious actors and the seriousness of the threat they pose.
    Insider Threat.--The disgruntled insider is a principal source of 
computer crimes. Insiders do not need a great deal of knowledge about 
computer intrusions, because their knowledge of victim systems often 
allows them to gain unrestricted access to cause damage to the system 
or to steal system data. The 1999 Computer Security Institute/FBI 
report notes that 55 percent of respondents reported malicious activity 
by insiders.
    There are many cases in the public domain involving disgruntled 
insiders. For example, Shakuntla Devi Singla used her insider knowledge 
and another employee's password and logon identification to delete data 
from a U.S. Coast Guard personnel database system. It took 115 agency 
employees over 1,800 hours to recover and reenter the lost data. Ms. 
Singla was convicted and sentenced to five months in prison, five 
months home detention, and ordered to pay $35,000 in restitution.
    In January and February 1999 the National Library of Medicine (NLM) 
computer system, relied on by hundreds of thousands of doctors and 
medical professionals from around the world for the latest information 
on diseases, treatments, drugs, and dosage units, suffered a series of 
intrusions where system administrator passwords were obtained, hundreds 
of files were downloaded which included sensitive medical ``alert'' 
files and programming files that kept the system running properly. The 
intrusions were a significant threat to public safety and resulted in a 
monetary loss in excess of $25,000. FBI investigation identified the 
intruder as Montgomery Johns Gray, III, a former computer programmer 
for NLM, whose access to the computer system had been revoked. Gray was 
able to access the system through a ``backdoor'' he had created in the 
programming code. Due to the threat to public safety, a search warrant 
was executed for Gray's computers and Gray was arrested by the FBI 
within a few days of the intrusions. Subsequent examination of the 
seized computers disclosed evidence of the intrusion as well as images 
of child pornography. Gray was convicted by a jury in December 1999 on 
three counts for violation of 18 U.S.C. 1030. Subsequently, Gray 
pleaded guilty to receiving obscene images through the Internet, in 
violation of 47 U.S.C. 223.
    Hackers.--Hackers are also a common threat. They sometimes crack 
into networks simply for the thrill of the challenge or for bragging 
rights in the hacker community. More recently, however, we have seen 
more cases of hacking for illicit financial gain or other malicious 
purposes. While remote cracking once required a fair amount of skill or 
computer knowledge, hackers can now download attack scripts and 
protocols from the World Wide Web and launch them against victim sites. 
Thus while attack tools have become more sophisticated, they have also 
become easier to use. The recent denial-of-service attacks are merely 
illustrations of the disruption that can be caused by tools now readily 
available on the Internet. Hacks can also be mistaken for something 
more serious. This happened initially in the Solar Sunrise case, 
discussed below.
    Hactivism.--Recently we have seen a rise in what has been dubbed 
``hacktivism''--politically motivated attacks on publicly accessible 
web pages or e-mail servers. These groups and individuals overload e-
mail servers and hack into web sites to send a political message. While 
these attacks generally have not altered operating systems or networks, 
they still damage services and deny the public access to websites 
containing valuable information and infringe on others' rights to 
communicate. One such group is called the ``Electronic Disturbance 
Theater,'' which promotes civil disobedience on-line in support of its 
political agenda regarding the Zapatista movement in Mexico and other 
issues. This past spring they called for worldwide electronic civil 
disobedience and have taken what they term ``protest actions'' against 
White House and Department of Defense servers. In addition, during the 
recent conflict in Yugoslavia, hackers sympathetic to Serbia 
electronically ``ping'' attacked NATO web servers. Russians, as well as 
other individuals supporting the Serbs, attacked websites in NATO 
countries, including the United States, using virus-infected e-mail and 
hacking attempts.
    Supporters of Kevin Mitnick hacked into the Senate webpage and 
defaced it in May and June of last year. Mitnick had pled guilty to 
five felony counts and was sentenced in August 1999 to 46 months in 
federal prison and ordered to pay restitution. Mitnick was released 
from custody in January 2000 after receiving credit for time served on 
prior convictions.
    The Internet has enabled new forms of political gathering and 
information sharing for those who want to advance social causes; that 
is good for our democracy. But illegal activities that disrupt e-mail 
servers, deface web-sites, and prevent the public from accessing 
information on U.S. Government and private sector web sites should be 
regarded as criminal acts that deny others their First Amendment rights 
to communicate rather than as an acceptable form of protest.
    Virus Writers.--Virus writers are posing an increasingly serious 
threat to networks and systems worldwide. As noted above, we have had 
several damaging computer viruses this year, including the Melissa 
Macro Virus, the Explore.Zip worm, and the CIH (Chernobyl) Virus. The 
NIPC frequently sends out warnings or advisories regarding particularly 
dangerous viruses.
    The Melissa Macro Virus was a good example of our response to a 
virus spreading in the networks. The NIPC sent out warnings as soon as 
it had solid information on the virus and its effects. On the 
investigative side, the NIPC acted as a central point of contact for 
the field offices who worked leads on the case. A tip received by the 
New Jersey State Police from America Online, and their follow-up 
investigation with the FBI's Newark Field Office, led to the April 1, 
1999 arrest of David L. Smith. Search warrants were executed in New 
Jersey by the New Jersey State Police and FBI Special Agents from the 
Newark Field Office. Mr. Smith pleaded guilty to one count of violating 
Title 18, U.S.C. 1030 in Federal Court. Smith stipulated to affecting 
one million computer systems and causing $80 million in damage.
    Criminal Groups.--We are also seeing the increased use of cyber 
intrusions by criminal groups who attack systems for purposes of 
monetary gain. In September, 1999, two members of a group dubbed the 
``Phonemasters'' were sentenced after their conviction for theft and 
possession of unauthorized access devices (18 U.S.C. Sec. 1029) and 
unauthorized access to a federal interest computer (18 U.S.C. 
Sec. 1030). The ``Phonemasters'' were an international group of 
criminals who penetrated the computer systems of MCI, Sprint, AT&T, 
Equifax, and even the FBI's National Crime Information Center. Under 
judicially approved electronic surveillance orders, the FBI's Dallas 
Field Office made use of new data intercept technology to monitor the 
calling activity and modem pulses of one of the suspects, Calvin 
Cantrell. Mr. Cantrell downloaded thousands of Sprint calling card 
numbers, which he sold to a Canadian individual, who passed them on to 
someone in Ohio. These numbers made their way to an individual in 
Switzerland and eventually ended up in the hands of organized crime 
groups in Italy. Mr. Cantrell was sentenced to two years as a result of 
his guilty plea, while one of his associates, Cory Lindsay, was 
sentenced to 41 months.
    The ``Phonemaster's'' methods included ``dumpster diving'' to 
gather old phone books and technical manuals for systems. They then 
used this information to trick employees into giving up their logon and 
password information. The group then used this information to break 
into victim systems. It is important to remember that often ``cyber 
crimes'' are facilitated by old fashioned guile, such as calling 
employees and tricking them into giving up passwords. Good ``cyber 
security'' practices must therefore address personnel security and 
``social engineering'' in addition to instituting electronic security 
measures.
    Distributed Denial of Service Attacks.--In the fall of 1999, the 
NIPC began receiving reports about a new threat on the Internet--
Distributed Denial of Service Attacks. In these cases, hackers plant 
tools such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht 
(German for barbed wire) on a number of unwitting victim systems. Then 
when the hacker sends the command, the victim systems in turn begin 
sending messages against a target system. The target system is 
overwhelmed with the traffic and is unable to function. Users trying to 
access that system are denied its services. The NIPC issued an alert 
regarding these tools in December 1999 in order to notify the private 
sector and government agencies about this threat. Moreover, the NIPC's 
Special Technologies and Applications Unit (STAU) created and released 
to the public a software tool that enables system administrators to 
identify DDOS software installed on victimized machines. The public has 
downloaded these tools tens of thousands of times from the web site, 
and has responded to the FBI by reporting many intrusions and 
installations of the DDOS software. The public received the NIPC tool 
so well that the computer security trade group SANS awarded their 
yearly Security Technology Leadership Award to members of the STAU. The 
availability of this tool has helped facilitate our investigations of 
ongoing criminal activity by uncovering evidence on victim computer 
systems.
    On February 8, 2000, the FBI received reports that Yahoo had 
experienced a denial of service attack. In a display of the close 
cooperative relationship the NIPC has developed with the private 
sector, in the days that followed, several other companies also 
reported denial of service outages. These companies cooperated with our 
National Infrastructure Protection and Computer Intrusion squads in the 
FBI field offices and provided critical logs and other information. 
Still, the challenges to apprehending the suspects are substantial. In 
many cases, the attackers used ``spoofed'' IP addresses, meaning that 
the address that appeared on the target's log was not the true address 
of the system that sent the messages.
    The resources required in these investigations can be substantial. 
Already we have five FBI field offices with cases opened: Los Angeles, 
San Francisco, Atlanta, Boston, and Seattle. Each of these offices has 
victim companies in its jurisdiction. In addition, so far seven field 
offices are supporting the five offices that have opened 
investigations. The NIPC is coordinating the nationwide investigative 
effort, performing technical analysis of logs from victims sites and 
Internet Service Providers, and providing all-source analytical 
assistance to field offices. Agents from these offices are following up 
literally hundreds of leads. While the crime may be high tech, 
investigating it involves a substantial amount of traditional police 
work as well as technical work. For example, in addition to following 
up leads, NIPC personnel need to review an overwhelming amount of log 
information received from the victims. Much of this analysis needs to 
be done manually. Analysts and agents conducting this analysis have 
been drawn off other case work. In the coming years we expect our case 
load to substantially increase.
    Terrorists.--Terrorists are known to use information technology and 
the Internet to formulate plans, raise funds, spread propaganda, and to 
communicate securely. For example, convicted terrorist Ramzi Yousef, 
the mastermind of the World Trade Center bombing, stored detailed plans 
to destroy United States airliners on encrypted files on his laptop 
computer. Moreover, some groups have already used cyber attacks to 
inflict damage on their enemies' information systems. For example, a 
group calling itself the Internet Black Tigers conducted a successful 
``denial of service'' attack on servers of Sri Lankan government 
embassies. Italian sympathizers of the Mexican Zapatista rebels 
attacked web pages of Mexican financial institutions. Thus, while we 
have yet to see a significant instance of ``cyber terrorism'' with 
widespread disruption of critical infrastructures, all of these facts 
portend the use of cyber attacks by terrorists to cause pain to 
targeted governments or civilian populations by disrupting critical 
systems.
    Foreign intelligence services.--Foreign intelligence services have 
adapted to using cyber tools as part of their information gathering and 
espionage tradecraft. In a case dubbed ``the Cuckoo's Egg,'' between 
1986 and 1989 a ring of West German hackers penetrated numerous 
military, scientific, and industry computers in the United States, 
Western Europe, and Japan, stealing passwords, programs, and other 
information which they sold to the Soviet KGB. Significantly, this was 
over a decade ago--ancient history in Internet years. While I cannot go 
into specifics about the situation today in an open hearing, it is 
clear that foreign intelligence services increasingly view computer 
intrusions as a useful tool for acquiring sensitive U.S. Government and 
private sector information.
    Sensitive Intrusions.--In the last two years we have seen a series 
of intrusions into numerous Department of Defense computer networks as 
well as networks of other federal agencies, universities, and private 
sector entities. Intruders have successfully accessed U.S. Government 
networks and taken enormous amounts of unclassified but sensitive 
information. In investigating these cases, the NIPC has been 
coordinating with FBI Field Offices, Legats, the Department of Defense 
(DOD), and other government agencies, as circumstances require. The 
investigation has determined that these intrusions appear to originate 
in Russia. The NIPC has also supported other very sensitive 
investigations, including the possible theft of nuclear secrets from 
Los Alamos National Laboratory in New Mexico. It is important that the 
Congress and the American public understand the very real threat that 
we are facing in the cyber realm, not just in the future, but now.
    Information Warfare.--One of the greatest potential threats to our 
national security is the prospect of ``information warfare'' by foreign 
militaries against our critical infrastructures. We know that several 
foreign nations are already developing information warfare doctrine, 
programs, and capabilities for use against each other and the United 
States or other nations. Foreign nations are developing information 
warfare programs because they see that they cannot defeat the United 
States in a head-to-head military encounter and they believe that 
information operations are a way to strike at what they perceive as 
America's Achilles Heel--our reliance on information technology to 
control critical government and private sector systems. For example, 
two Chinese military officers recently published a book that called for 
the use of unconventional measures, including the propagation of 
computer viruses, to counterbalance the military power of the United 
States. A serious challenge we face is even recognizing when a nation 
may be undertaking some form of information warfare. If another nation 
launched an information warfare attack against the United States, the 
NIPC would be responsible to gather information on the attack and work 
with the appropriate defense, intelligence, and national command 
authorities.
Traditional Threats to Society Moved to the Cyber Realm
    Computers and networks are not just being used to commit new crimes 
such as computer intrusions, denial of service attacks, and virus 
propagation, but they are also facilitating some traditional criminal 
behavior such as extortion threats, fraud and the transmission of child 
pornography. For example, the NIPC recently supported an investigation 
involving e-mail threats sent to a Columbine High School student 
threatening violence.
    Child Pornography and Exploitation.--While the Internet has been a 
tremendous boon for information sharing and for our economy, it 
unfortunately has also become a zone where predators prey on the 
weakest and most vulnerable members of our society, our children. The 
sex offender using a computer is not a new type of criminal. Rather it 
is simply a case of modern technology being combined with an age old 
problem. The use of computers has made child pornography more available 
now than at any time since the 1970s. An offender can use a computer to 
transfer, manipulate, or even create child pornography. Images can be 
stored, transferred from video tape or print media, and transmitted via 
the Internet. With newer technology, faster processors and modems, 
moving images can now also be transmitted. In addition, the information 
and images stored and transmitted can be encrypted to deter or avoid 
detection. As computers and technological enhancements, such as faster 
modems and processors, become less expensive and more sophisticated, 
the potential for abuse will grow.
       challenges to law enforcement in investigating cybercrime
    The burgeoning problem of cybercrime poses unique challenges to law 
enforcement. These challenges require novel solutions, close teamwork 
among agencies and with the private sector, and adequate numbers of 
trained and experienced agents and analysts with sophisticated 
equipment.
Identification and Jurisdictional Challenges
    Identifying the Intruder.--One major difficulty that distinguishes 
cyber threats from physical threats is determining who is attacking 
your system, why, how, and from where. This difficulty stems from the 
ease with which individuals can hide or disguise their tracks by 
manipulating logs and directing their attacks through networks in many 
countries before hitting their ultimate target. The now well know 
``Solar Sunrise'' case illustrates this point. Solar Sunrise was a 
multi-agency investigation (which occurred while the NIPC was being 
established) of intrusions into more than 500 military, civilian 
government, and private sector computer systems in the United States, 
during February and March 1998. The intrusions occurred during the 
build-up of United States military personnel in the Persian Gulf in 
response to tension with Iraq over United Nations weapons inspections. 
The intruders penetrated at least 200 unclassified U.S. military 
computer systems, including seven Air Force bases and four Navy 
installations, Department of Energy National Laboratories, NASA sites, 
and university sites. Agencies involved in the investigation included 
the FBI, DOD, NASA, Defense Information Systems Agency, AFOSI, and the 
Department of Justice (DOJ).
    The timing of the intrusions and links to some Internet Service 
Providers in the Gulf region caused many to believe that Iraq was 
behind the intrusions. The investigation, however, revealed that two 
juveniles in Cloverdale, California, and several individuals in Israel 
were the culprits. Solar Sunrise thus demonstrated to the interagency 
community how difficult it is to identify an intruder until facts are 
gathered in an investigation, and why assumptions cannot be made until 
sufficient facts are available. It also vividly demonstrated the 
vulnerabilities that exist in our networks; if these individuals were 
able to assume ``root access'' to DOD systems, it is not difficult to 
imagine what hostile adversaries with greater skills and resources 
would be able to do. Finally, Solar Sunrise demonstrated the need for 
interagency coordination by the NIPC.
    Jurisdictional Issues.--Another significant challenge we face is 
hacking in multiple jurisdictions. A typical hacking investigation 
involves victim sites in multiple states and often many countries. This 
is the case even when the hacker and victim are both located in the 
United States. In the United States, we can subpoena records and 
execute search warrants on suspects' homes, seize evidence, and examine 
it. We can do none of those things ourselves overseas, rather, we 
depend on the local authorities. In some cases the local police forces 
simply do not understand or cannot cope with the technology. In other 
cases, these nations simply do not have laws against computer 
intrusions. Our Legats are working very hard to build bridges with 
local law enforcement to enhance cooperation on cyber crime. The NIPC 
has held international computer crime conferences with foreign law 
enforcement officials to develop liaison contacts and bring these 
officials up to speed on cybercrime issues. We have also held 
cybercrime training classes for officers from partner nations.
    Despite the difficulties, we have had some success in investigating 
and prosecuting these crimes. In 1996 and 1997, the National Oceanic 
and Atmospheric Administration (NOAA) suffered a series of computer 
intrusions that were linked to a set of intrusions occurring at the 
National Aeronautics and Space Administration (NASA). Working with the 
Canadian authorities, it was determined that the subject resided in 
Canada. In April 1999, Jason G. Mewhiney was indicted by Canadian 
authorities. In January 2000, he pled guilty to 12 counts of computer 
intrusions and the Canadian Superior Court of Justice sentenced him to 
6 months in jail for each of the counts, with the sentences running 
concurrently. In another case, Peter Iliev Pentchev, a Princeton 
University student, was identified as an intruder on an e-commerce 
system. An estimated 1,800 credit card numbers, customer names, and 
user passwords were stolen. The company had to shut down its web 
servers for five days to repair the damages estimated at $100,000. 
Pentchev has fled to his native Bulgaria and the process is being 
determined to return Pentchev to the United States to face charges.
    In 1994-95, an organized crime group headquartered in St. 
Petersburg, Russia, transferred $10.4 million from Citibank into 
accounts all over the world. After investigation by the FBI's New York 
field office, all but $400,000 of the funds were recovered. Cooperation 
with Russian authorities helped bring Vladimir Levin, the perpetrator, 
to justice. In another case, the FBI investigated Julio Cesar Ardita, 
an Argentine computer science student who gained unauthorized access to 
Navy and NASA computer systems. He committed these intrusions from 
Argentina, and Argentine authorities cooperated with the FBI on the 
investigation. While he could not be extradited for the offenses, he 
returned voluntarily to the United States and was sentenced to three 
years probation. In all of these cases, Legats have been essential to 
the investigation. As the Internet spreads to even more countries, we 
will see greater demand placed on the Legats to support computer 
intrusion investigations.
Human and Technical Challenges
    The threats we face are compounded by human and technical 
challenges posed by these types of investigations. The first problem 
is, of course, having enough positions for agents, computer scientists, 
and analysts to work computer intrusions. Once we have the authorized 
positions, we face the issue of recruiting people to fill these 
positions, training them in the rapidly changing technology, and 
retaining them. There is a very tight market out there for information 
technology professionals. The Federal Government needs to be able to 
recruit the very best people into its programs. Fortunately, we can 
offer exciting, cutting-edge work in this area and can offer agents, 
analysts, and computer scientists the opportunities to work on issues 
that no one else addresses, and to make a difference to our national 
security and public safety.
    Our current resources are stretched paper thin. We only have 193 
agents assigned to NIPC squads and teams nationwide. Major cases, such 
as the recent DDOS attacks on Yahoo, draw a tremendous amount of 
personnel resources. Most of our technical analysts will have to be 
pulled from other work to examine the log files received from the 
victim companies. Tracking down hundreds of leads will absorb the 
energy of a dozen field offices. And this is all reactive. My goal is 
for the FBI to become proactive in this area just as we have in other 
areas such as drugs and violent crime. In a few minutes I'll discuss 
what we need to do to improve our cybercrime fighting capabilities to 
become proactive in fighting cybercrime.
    The technical challenges of fighting crime in this arena are 
equally vast. We can start just by looking at the size of the Internet 
and its exponential growth. Today it is estimated that more than 60,000 
individual networks with 40 million users are connected to the 
Internet. Thousands of more sites and people are coming on line every 
month. In addition, the power of personal computers is vastly 
increasing. The FBI's Computer Analysis Response Team (CART) examiners 
conducted 1,260 forensic examinations in 1998 and 1,900 in 1999. With 
the anticipated increase in high technology crime and the growth of 
private sector technologies, the FBI expects 50 percent of its caseload 
to require at least one computer forensic examination. By 2001, the FBI 
anticipates the number of required CART examinations to rise to 6,000.
    It is important to note that personnel resources with very specific 
technical skills are required not only for computer and Internet based 
crimes such as the DDOS incidents, but are increasingly necessary for 
more traditional matters as well. Examples of this type of problem 
include the approximately 6,000 man hours that the NIPC was required to 
expend investigating a recent computer-based espionage case. The NIPC's 
Special Technologies and Applications Unit (STAU) received 
approximately one million raw files from CART, and was required by the 
investigators to reproduce the activities of individuals over a period 
of years from that raw data. The amount of information which was 
required to be processed by STAU, and is still necessary to process, 
would fill the Library of Congress nearly twice. This type of case 
illustrates where technical analysis of the highest order has become 
necessary in sophisticated espionage matters. A recent extortion and 
bombing illustrate how traditional violent criminals are also turning 
to high technology. In this extortion case, the bomber's demands 
included that the victim post their responses to his requirements on 
their web site. The STAU was required to sort through millions of web 
site ``hits'' to discern which entries may have come from the bomber. 
Based on information generated by the STAU's efforts, agents were able 
to trace the bomber to a specific telephone line to his home address.
    Clearly, the FBI needs engineering personnel to develop and deploy 
sophisticated electronic surveillance capabilities in an increasingly 
complex and technical investigative environment, skilled CART personnel 
to conduct the computer forensics examinations to support an 
increasingly diverse set of cases involving computers, as well as 
expert NIPCI personnel to examine network log files to track the path 
an intruder took to his victim. In cases such as Los Alamos or 
Columbine, both NIPCI and CART personnel were called in to bring their 
unique areas of expertise to bear on the case.
    During the last part of 1998, most computers on the market had hard 
drives of 6-8 gigabytes (GB). Very soon 13-27 GB hard drives will 
become the norm. By the end of 2000, we will be seeing 60-80 GB hard 
drives. All this increase in storage capacity means more data that must 
be searched by our forensics examiners, since even if these hard drives 
are not full, the CART examiner must review every bit of data and every 
area of the media to search for evidence.
    The FBI has an urgent requirement for improved tools, techniques 
and services for gathering, processing, and analyzing data from 
computers and computer networks to acquire critical intelligence and 
evidence of criminal activity. Over the past three years, the FBI's 
Laboratory Division (LD) has been increasingly requested to provide 
data interception support for such investigative programs as: 
Infrastructure Protection, Violent Crimes (Exploitation of Children, 
Extortion), Counterterrorism, and Espionage. In fact, since 1997, the 
LD has seen a dramatic increase in field requests for assistance with 
interception of data communications. Unless the FBI increases its 
capability and capacity for gathering and processing computer data, 
investigators and prosecutors will be denied timely access to valuable 
evidence that will solve crimes and support the successful prosecutions 
of child pornographers, drug traffickers, corrupt officials, persons 
committing fraud, terrorists, and other criminals.
    One of the largest challenges to FBI computer investigative 
capabilities lies in the increasingly widespread use of strong 
encryption. The widespread use of digitally-based telecommunications 
technologies, and the unprecedented expansion of computer networks 
incorporating privacy features/capabilities through the use of 
cryptography (i.e. encryption), has placed a tremendous burden on the 
FBI's electronic surveillance technologies. Today the most basic 
communications employ layers of protocols, formatting, compression and 
proprietary coding that were non-existent only a few years ago. New 
cryptographic systems provide robust security to conventional and 
cellular telephone conversations, facsimile transmissions, local and 
wide area networks, Internet communications, personal computers, 
wireless transmissions, electronically stored information, remote 
keyless entry systems, advanced messaging systems, and radio frequency 
communications systems. The FBI is already encountering the use of 
strong encryption. In 1999, 53 new cases involved the use of 
encryption.
    The FBI is establishing a centralized capability for development of 
investigative tools which support the law enforcement community's 
technical needs for cybercrime investigations, including processing and 
decrypting lawfully intercepted digital communications and 
electronically stored information. A centralized approach is 
appropriate since state and local law enforcement have neither the 
processing power nor trained individuals to assume highly complex 
analysis or reverse engineering tasks. The fiscal year 2001 budget 
includes $7,000,000 for this effort.
    The need for a law enforcement centralized civilian resource for 
processing and decrypting lawfully intercepted digital communications 
and electronically stored information is well documented in several 
studies, including:
  --The National Research Council's Committee Report entitled 
        ``Cryptography's Role in Securing the Information Society.'' 
        Specifically, the Committee recommended that high priority be 
        given to the development of technical capabilities, such as 
        signal analysis and decryption, to assist law enforcement in 
        coping with technological challenges.
  --In 1996, Public Law 104-132 Section 811, the 104th Congress 
        acknowledged the critical need and authorized the Attorney 
        General to ``* * * support and enhance the technical support 
        [capabilities] * * *'' of the FBI.
  --The Administration policy position as set forth in the September 
        16, 1998, press release acknowledges that ``The Administration 
        intends to support FBI's establishment of a technical support 
        [capability] to help build the technical capacity of law 
        enforcement--Federal, State, and local--to stay abreast of 
        advancing communications technology.''
    It has been the position of the FBI that law enforcement should 
seek the voluntary cooperation of the computer hardware and software 
industry as a means of attempting to address the public safety issues 
associated with use of encryption in furtherance of serious criminal 
activity. Over the past year and a half, the FBI has initiated an 
aggressive industry outreach strategy to inform industry of law 
enforcement's needs in the area of encryption, to continue to encourage 
the development of recoverable encryption products that meet law 
enforcement's needs, and to seek industry's assistance regarding the 
development of law enforcement plaintext access ``tools'' and 
capabilities when non-recoverable encryption products are encountered 
during the course of lawful investigations.
    The FBI will be meeting this year with industry in an environment 
wherein various computer and software industry representatives can 
exchange technical and business information regarding encryption and 
encryption products with law enforcement. This information will assist 
law enforcement agencies with establishing development and operational 
strategies to make the most effective use of limited resources.
State and Local Assistance
    Just as with other crimes, often the state and local authorities 
are going to be the first ones on the scene. The challenge for these 
law enforcement officers is even greater than the one the Federal 
Government faces in that state and local law enforcement is less likely 
to have the expertise to investigate computer intrusions, gather and 
examine cyber media and evidence. The challenge for the federal 
government is to provide the training and backup resources to the state 
and local levels so that they can successfully conduct investigations 
and prosecutions in their jurisdictions. This sort of cooperation is 
already showing results. For example, the FBI worked with the New 
Jersey State Police on the Melissa Macro Virus case that resulted in 
the arrest of David L. Smith by the New Jersey authorities. In 
addition, the NIPC and our Training Division are working together to 
provide training to state and local law enforcement officers on 
cybercrime. In fiscal year 1999 over 383 FBI Agents, state and local 
law enforcement and other government representatives have taken NIPC 
sponsored or outside training on computer intrusion and network 
analysis, energy and telecommunications key assets. We have made great 
strides in developing our training program for state and local law 
enforcement officials. More NIPC training than ever before is being 
conducted outside of Washington, DC, meaning that more state and local 
officers should have the opportunity to attend these classes with less 
disruption to their schedules and less travel. One of the main 
responsibilities of the NIPC Training and Continuing Education Unit is 
to develop and manage the state and local Law Enforcement Training 
Program. This program trains state and local law enforcement officials 
in a myriad of state-of-the-art cyber courses.
    Building on the success of the San Diego Regional Computer Forensic 
Laboratory, the Attorney General asked the FBI and the Office of 
Justice Programs, to work in partnership to develop a series of 
regional laboratories. These facilities will provide computer forensic 
services as joint ventures among federal, state and local law 
enforcement. Six million dollars is requested in the Office of Justice 
Programs to establish several regional computer forensic laboratories. 
Working together, we are identifying geographical areas where the 
establishment of such partnerships could make significant impact.
    The NIPC is supporting the Attorney General's proposal to create a 
network of federal, state, and local law enforcement personnel for 
combating cybercrimes. We are instructing each field office to have a 
point of contact at the appropriate investigative agencies regarding 
their area of jurisdiction and to provide this information to NIPC at 
FBIHQ.
    Presidential Decision Directive (PDD) 63 identified the Emergency 
Law Enforcement Services Sector (ELES) as one of the eight critical 
infrastructures. PDD 63 further designated the Federal Bureau of 
Investigation as the lead agency with protecting the ELES. The NIPC is 
currently working on a strategic plan for this sector and holding 
meetings with sector representatives. This involves developing and 
implementing a plan to help law enforcement protect its own systems 
from attack so it will be able to deliver vitally needed services to 
the public.
    Success of the NIPC requires building on proven mechanisms to 
develop and maintain long-term relationships with state and local law 
enforcement agencies. NIPC oversees outreach programs, coordinates 
training, shares information and coordinates interagency efforts to 
plan for, deter, and respond to cyber attacks.
    Currently, the NIPC is sharing information with state and local 
governments via Law Enforcement On-line (LEO) and the National Law 
Enforcement Telecommunications System. Timely coordination and sharing 
of information with other law enforcement agencies is essential in 
combating the cyber threat in the Information Age. Local law 
enforcement is also encouraged to join the InfraGard chapters in their 
area.
    State and local agencies investigate and prosecute cyber crimes 
based on violations of local laws. By sharing investigative data with 
the NIPC, emerging trends can be identified, analyzed and further 
shared with other agencies to share investigative responsibilities with 
their local FBI field office and the NIPC. The cross-jurisdictional 
nature of cyber crimes, in which attacks occur outside the state or 
even national borders, means that investigative efforts must be 
coordinated among local, state and federal agencies to ensure effective 
prosecution.
               fbi cybercrime investigation capabilities
National Infrastructure Protection Center
    Under PDD-63, the NIPC's mission is to detect, warn of, respond to, 
and investigate computer intrusions and unlawful acts that threaten or 
target our critical infrastructures. The Center not only provides a 
reactive response to an attack that has already occurred, but 
proactively seeks to discover planned attacks and issues warnings 
before they occur. This large and difficult task requires the 
collection and analysis of information gathered from all available 
sources (including law enforcement investigations, intelligence 
sources, data voluntarily provided by industry and open sources) and 
dissemination of analyses and warnings of possible attacks to potential 
victims, whether in the government or the private sector. To accomplish 
this mission, the NIPC relies on the assistance of, and information 
gathered by the FBI's 56 field offices, other federal agencies, state 
and local law enforcement, and perhaps most importantly, the private 
sector.
    The NIPC, while located at the FBI, is an interagency center, with 
representatives from many other agencies, including DOD, the U.S. 
Intelligence Community, and other federal agencies. The NIPC at FBI 
Headquarters currently has 79 FBI personnel, with an authorized ceiling 
of 94. There are 22 representatives from Other Government Agencies 
(OGAs), the private sector, state and local law enforcement, and our 
international partners at the Center. Our target for OGA and private 
sector participation is 40.
    To accomplish its goals, the NIPC is organized into three sections:
    The Computer Investigations and Operations Section (CIOS) is the 
operational response arm of the Center. It program manages computer 
intrusion investigations conducted by FBI field offices throughout the 
country: provides subject matter experts, equipment, and technical 
support to cyber investigators in federal, state and local government 
agencies involved in critical infrastructure protection; and provides a 
cyber emergency response capability to help resolve a cyber incident.
    The Analysis and Warning Section (AWS) serves as the indications 
and warning arm of the NIPC. It provides analytical support during 
computer intrusion investigations and long-term analyses of 
vulnerability and threat trends. Through its 24/7 watch and warning 
capability, it distributes tactical warnings and analyses to all the 
relevant partners, informing them of potential vulnerabilities and 
threats and long-term trends. It also reviews numerous government and 
private sector databases, media, and other sources daily to gather 
information that may be relevant to any aspect of our mission, 
including the gathering of indications of a possible attack.
    The Training, Outreach and Strategy Section (TOSS) coordinates the 
training and education of cyber investigators within the FBI field 
offices, state and local law enforcement agencies, and private sector 
organizations. It also coordinates outreach to private sector 
companies, state and local governments, other government agencies, and 
the FBI's field offices. In addition, this section manages collection 
and cataloguing of information concerning ``key assets'' across the 
country. Finally, it handles our strategic planning and administrative 
functions with FBI and DOJ, the National Security Counsel, other 
agencies and Congress.
    Through these, the Center brings its unique perspective as the only 
national organization devoted to investigation, analysis, warning, and 
response to attacks on the infrastructures. Further, as an interagency 
entity, the NIPC takes a broad view of infrastructure protection, 
looking not just at reactive investigations but also at proactive 
warnings and prevention. Finally, through the FBI, the Center has a 
national reach to implement policy. The Center is working closely on 
policy initiatives with its Federal partners and meets regularly with 
the other Federal lead agencies on policy issues.
National Infrastructure Protection and Computer Intrusion Squads/Teams
    In October 1998, the National Infrastructure Protection and 
Computer Intrusion Program (NIPCIP) was approved as an investigative 
program and resources were created and placed in each FBI field office 
with the NIPC at FBI Headquarters acting as program manager.
    By the end of this fiscal year, there will be 16 FBI Field Offices 
with regional NIPC squads. Each of these squads will be staffed with 7 
to 8 agents. Nationwide, there are 193 agents dedicated to 
investigating NIPC matters. In order to maximize investigative 
resources the FBI has taken the approach of creating regional squads 
that have sufficient size to work difficult major cases and to assist 
those field offices without an NIPC squad. In those field offices 
without squads, the FBI is building a baseline capability by having one 
or two agents to work NIPC matters, i.e. computer intrusions (criminal 
and national security), viruses, InfraGard, state and local liaison 
etc.
Computer Analysis and Response Teams (CART)
    An essential element in the investigation of computer crime is the 
recovery of evidence from electronic media. In a murder investigation, 
the detectives investigate the case but the coroner examines the body 
for evidence of how the crime was committed. The CART personnel serve 
this function in cyber investigations. CART examiners perform three 
essential functions. First, they extract data from computer and network 
systems, and conduct forensic examinations and on-site field support to 
all FBI investigations and programs where computers and storage media 
are required as evidence. Second, they provide technical support and 
advice to field agents conducting such investigations. Finally, they 
assist in the development of technical capabilities needed to produce 
timely and accurate forensic information.
    Currently the FBI has 26 full time CART personnel at FBI 
Headquarters and 62 full-time and 54 part-time CART personnel in the 
field, for a total of 142 trained CART personnel. CART resources are 
used in a variety of investigations ranging from sensitive espionage 
cases to health care fraud. For example, on September 12, 1998, the FBI 
executed the arrest of individuals who were involved in an espionage 
ring trying to penetrate U.S. military bases on behalf of the Cuban 
government. During the arrest of these individuals CART conducted the 
seizure of 35 Gb of digital evidence to include personal computers 
containing twelve (12) hard drives, 2,500 floppy diskettes, and 
assorted CD-ROMs. The FBI deployed more than 30 CART field examiners 
during the search and examination which consumed thousands of hours of 
their time.
    In order to process the vast quantities of information required, 
the CART program needs to purchase or develop new ways of handling 
digital evidence. One program used by the FBI is the Automated Computer 
Examination System (ACES), a data exploration tool developed by the FBI 
Laboratory, to scan thousands of files for identification of known 
format and executable program files. ACES verifies that certain 
program, batch or executable files are for computer operation and do 
not represent a file in which potential evidentiary material is stored. 
Results from an ACES examination can be passed to other analytical 
utilities used in examining a computer.
    The FBI is also working with other federal agencies as well as 
state and local law enforcement to share data and forensic expertise. 
In San Diego, a regional computer forensic capability has been 
established that is staffed by the FBI, the Navy, and the San Diego 
police department, among others. This lab serves as a resource for the 
entire region. The vast majority of all computer related seizures in 
San Diego County are currently being made through the RCFL. During the 
start-up period (Summer 1999 to December 1999), although all 
participating agencies had been co-located, each examiner had been 
working on his own agencies's cases. As of January 3, 2000, the San 
Diego lab started receiving submissions as a joint facility and jointly 
tracking those submissions. As of February 3, the lab had received 26 
cases, including three federal cases consisting of large scale 
networks, and local cases including a death threat to a Judge, a 
poisoning case, and a child molestation case. We recognize that state 
and local law enforcement often will not have the resources for complex 
computer forensics, and we hope that the San Diego model can be 
expanded.
Technical Investigative Support
    The FBI has long had capabilities regarding the interception of 
conventional phone lines and modems. The rapid advance of data 
technologies and the unregulated nature of the Internet has resulted in 
a myriad of technologies and protocols which make the interception of 
data communications extremely difficult. It is critical that the FBI 
properly equip investigators with technical capabilities for utilizing 
the critical investigative tools on lawfully authorized Title III and 
Title 50 interception.
Innocent Images Initiative/Child Pornography
    The FBI has moved aggressively against child pornographers. In 1995 
the FBI's first undercover operation, code name Innocent Images, was 
initiated. Almost five years later, Innocent Images is an FBI National 
Initiative, supported by annual funding of $10 million, with undercover 
operations in eleven FBI field offices--Baltimore, Birmingham, 
Cleveland, Dallas, Houston, Las Vegas, Los Angeles, Newark, Phoenix, 
San Francisco, and Tampa--being worked by task forces that combine the 
resources of the FBI with other federal, state and local law 
enforcement officers from Maryland, Virginia, the District of Columbia, 
Alabama, Ohio, Texas, Nevada, California, New Jersey, Arizona, and 
Florida. Investigations developed by the National Initiative's 
undercover operations are being conducted by every field office and 
information has been referred to foreign law enforcement agencies 
through the FBI's Legal Attache Offices.
    During fiscal year 1999 a total of 1,497 new cases were opened. 
Every one of these investigations has digital evidence and requires the 
assistance of a CART examiner. Additionally, 188 search warrants and 57 
consent searches were executed, and 193 arrests, 125 indictments, 29 
information and 108 convictions were obtained as a result of the 
Innocent Images National Initiative. Also in fiscal year 1999, the IINI 
provided 227 presentations to 17,522 individuals from foreign and 
domestic law enforcement and government officials, civilian groups, and 
private citizens in an effort to raise awareness about child 
pornography/child sexual exploitation issues and increase coordination 
between federal, state and local law enforcement.
Intellectual Property Rights/Internet Fraud
    Intellectual property is the driver of the 21st century American 
economy. In many ways it has become what America does best. The United 
States is the leader in the development of creative, technical 
intellectual property. Violations of Intellectual Property Rights, 
therefore, threaten the very basis of our economy. Of primary concern 
is the development and production of trade secret information. The 
American Society of Industrial Security estimated the potential losses 
at $2 billion per month in 1997. Pirated products threaten public 
safety in that many are manufactured to inferior or non-existent 
quality standards. A growing percentage of IPR violations now involve 
the Internet. There are thousands of web sites solely devoted to the 
distribution of pirated materials. The FBI has recognized, along with 
other federal agencies, that a coordinated effort must be made to 
attack this problem. The FBI, along with the Department of Justice, 
U.S. Customs Service, and other agencies with IPR responsibilities, 
will be opening an IPR Center this year to enhance our national ability 
to investigate and prosecute IPR crimes through the sharing of 
information among agencies.
    One of the most critical challenges facing the FBI and law 
enforcement in general, is the use of the Internet for criminal 
purposes. Understanding and using the Internet to combat Internet fraud 
is essential for law enforcement. The fraud being committed over the 
Internet is the same type of white collar fraud the FBI has 
traditionally investigated but poses additional concerns and challenges 
because of the new environment in which it is located. Internet fraud 
is defined as any fraudulent scheme in which one or more components of 
the Internet, such as Web sites, chat rooms, and E-mail, play a 
significant role in offering nonexistent goods or services to 
consumers, communicating false or fraudulent representations about the 
schemes to consumers, or transmitting victims' funds, access devices, 
or other items of value to the control of the scheme's perpetrators. 
The accessability of such an immense audience coupled with the 
anonymity of the subject, require a different approach. The frauds 
range from simple geometric progression schemes to complex frauds. The 
Internet appears to be a perfect manner to locate victims and provides 
an environment where the victims don't see or speak to the fraud 
perpetrators. Anyone in the privacy of their own home can create a very 
persuasive vehicle for fraud over the Internet. In addition, the 
expenses associated with the operation of a ``home page'' and the use 
of electronic mail (E-mail) are minimal. Fraud perpetrators do not 
require the capital to send out mailers, hire people to respond to the 
mailers, finance and operate toll free numbers, etc. This technology 
has evolved exponentially over the past few years and will continue to 
evolve at a tremendous rate. By now it is common knowledge that the 
Internet is being used to host criminal behavior. The top ten most 
frequently reported frauds committed on the Internet include Web 
auctions, Internet services, general merchandise, computer equipment/
software, pyramid schemes, business opportunities/franchises, work at 
home plans, credit card issuing, prizes/sweepstakes and book sales.
                 improving fbi cybercrime capabilities
    The last two years have seen tremendous strides in the development 
of the National Infrastructure Protection Center in both the 
Headquarters and field program. We have directed our resources into 
developing our prevention, detection, and response capabilities. This 
has meant recruiting talented personnel from both inside and outside 
the FBI, training those personnel, and developing investigative, 
analytic, and outreach programs. Most of these programs had to be 
developed from scratch, either because no program previously existed or 
because the program had to be reinvigorated from an earlier FBI 
incarnation.
    The cyber crime scene is dynamic--it grows, contracts, and can 
change shape. Determining whether an intrusion is even occurring can 
often be difficult in the cyber world, and usually a determination 
cannot be made until after an investigation is initiated. The 
establishment of the NIPC has greatly enhanced the FBI's investigative, 
analytic, and case support capabilities. A few years ago, the NIPC 
would have been limited in its ability to undertake some of the 
sensitive investigations of computer intrusions that the FBI has 
supported. While the FBI has been able to develop and maintain its 
present response capability, the explosive nature of the crime problem 
continues to challenge our capacities. While much has been 
accomplished, much remains to be done.
Building Investigative Capacity
    Trained personnel and resources present the greatest challenges to 
the FBI critical infrastructure protection mission. The FBI must make 
sure that the NIPC and Field Office squads are fully staffed with 
technologically competent investigators and analysts. It is also 
essential that these professional have state of the art equipment and 
connectivity they need to conduct their training.
    To accomplish this, the FBI must identify, recruit, and train 
personnel who have the technical, analytical, investigative, and 
intelligence skills for engaging in cyber investigations. This includes 
personnel to provide early warnings of attacks, to read and analyze log 
files, write analytic reports and products for the field and the 
private sector, and to support other investigations with cyber 
components. With such a configuration of selected personnel skills, the 
FBI will be able to effectively and efficiently investigate cyber 
threats, allegations, incidents, and violations of the law that target 
and/or impact critical infrastructure facilities, components, and key 
assets. Aggressive recruitment of qualified specialists is critical. 
Targeting the right people and providing hiring and educational 
incentives are good steps in building this professional cadre.
    Developing and deploying the best equipment in support of the 
mission is very important. Not only do investigators and analysts need 
the best equipment to conduct investigations in the rapidly evolving 
cyber system but the NIPC must be on the cutting edge of cyber research 
and development. NIPC must not only keep abreast of the criminal 
element but they must also accurately predict the next generation of 
criminal activity.
    In order to support state and local law enforcement efforts, field 
offices will seek to form cybercrime task forces. This should include 
assigning a prosecutor to handle task force cases.
Building Partnerships with Industry and Academia
    NIPC is founded on the notion of partnership. This partnership is 
critical to ensuring timely information sharing about threats and 
incidents, new technologies, and keeping our capabilities at the 
cutting edge. The FBI, in conjunction with the private sector, has also 
developed an initiative call ``InfraGard'' to expand direct contacts 
with the private sector infrastructure owners and operators and to 
share information about cyber intrusions, exploited vulnerabilities, 
and physical infrastructure threats. The initiative encourages the 
exchange of information by government and private sector members 
through the formation of local InfraGard chapters within the 
jurisdiction of each Field Office. Chapter membership includes 
representatives from the FBI, private industry, other government 
agencies, State and local law enforcement, and the academic community. 
The initiative provides four basic services to its members: an 
intrusion alert network using encrypted e-mail; a secure website for 
communication about suspicious activity or intrusions; local chapter 
activities; and a help desk for questions. The critical component of 
InfraGard is the ability of industry to provide information on 
intrusions to the local FBI Field Office using secure communications in 
both a ``sanitized'' and detailed format. The local FBI Field Offices 
can, if appropriate, use the detailed version to initiate an 
investigation; while NIPC Headquarters can analyze that information in 
conjunction with other law enforcement, intelligence, or industry 
information to determine if the intrusion is part of a broader attack 
on numerous sites. The Center can simultaneously use the sanitized 
version to inform other members of the intrusion without compromising 
the confidentiality of the reporting company. The secure website will 
also contain a variety of analytic and warning products that we can 
make available to the InfraGard community.
    The NIPC has also developed and is implementing an aggressive 
outreach program. We have briefed a number of key critical 
infrastructure sector groups including the North American Electric 
Reliability Council and business groups such as the U.S. Chamber of 
Commerce. We are also working closely with our international partners.
    Much attention has been given to the need to create mechanisms for 
sharing information with the private sector. The NIPC has built up a 
track record for doing this over the past 2 tears with concrete 
results. Not only has it provided early warnings and vulnerability 
threat assessments but it has also developed unique detection tools to 
help potential victims of DDOS attacks. And contrary to press 
statements by companies offering security services that private 
companies won't share information with law enforcement, private 
companies have reported incidents and threats to the NIPC or FBI. The 
cooperation we have received from victims in the recent DDOS attacks is 
only the most recent example of this. InfraGard will increase this 
capacity by providing a secure two way mechanism for sharing 
information between the government and the private sector.
Developing Forensic and Technical Capabilities
    As noted above, CART has developed substantial capability to 
examine computer and network media and storage devices. But the rapid 
change in technology and the increasing use of computers in criminal 
activity necessitate the on-going development of better investigative 
and forensic tools and techniques for examiners. We fully expect that 
the number of cases requiring CART examinations will increase by over 
50 percent in the next few years. In addition, as storage media hold 
more information, each individual examination will require more effort. 
To even attempt to keep pace with these developments, we will need to 
increase our personnel base in CART. For fiscal year 2001, funding is 
proposed to add 100 new CART examiners.
    In addition, in order for our ACES program to remain able to 
provide comprehensive analysis of computer files, it needs to be 
continuously updated. After all, how many iterations of 
Windows, Microsoft Office, and other software and 
operating systems have we seen just in the last two years? We need to 
ensure that ACES can perform its function. The fiscal year 2001 budget 
includes $2,800,000 for the ACES program.
    Improving our technical capabilities to access plaintext 
communications is a critical challenge to the FBI. The ultimate 
objective is to provide field investigators with an integrated suite of 
automated data collection systems, operating in a low-cost and readily 
available personal computer environment, which will be capable of 
identifying, intercepting and collecting targeted data of interest from 
a broad spectrum of data telecommunications transmissions mediums and 
networks. Substantial resource enhancements are required to progress 
development from current ad hoc, tactical data intercept systems to 
integrated modular systems, providing the field investigators with 
increased flexibility, simplicity and reliability and to enhance 
training programs to enable field Technically Trained Agents and 
Investigators to install and operate this complex equipment. The most 
technically complex component of electronic surveillance, has been and 
always will be the deciphering of encrypted signals and data. In the 
past few years, growth in electronic communications and the public 
demand for security have increased the number of investigations which 
encounter encrypted signals and data. With the convergence of digital 
technologies in the very near future, all electronic communications 
conducted using computers, the Internet, wireless and other forms of 
communications, will inherently incorporate and apply data security 
(i.e. encryption). The ability to gather evidence from FBI electronic 
surveillance and seized electronic data will significantly depend upon 
the development of and deployment of signal analysis and decryption 
capabilities. Funding enhancements are requested to step toward the 
fulfillment of a strategic plan to ensure that collected signals, data 
and evidence can be intercepted, interpreted and made usable in the 
prosecution of crimes and the detection of national security offenses. 
Failure to strategically prepare for the impending global changes data 
and voice telecommunications, information security, and the volumes of 
encrypted information collected by law enforcement pursuant to lawful 
court orders, will ensure that critical information and evidence will 
be unintelligible and unusable in future investigations.
    We are urgently trying to develop our capabilities in this area 
through the acquisition of hardware and software tools, technologies 
and systems, and support services to work on a variety of research 
projects to meet this problem. Last September, the Administration 
announced a ``New Approach to Encryption'' which included significant 
changes to the nation's encryption export policies and recommended 
public safety enhancement to ensure ``that law enforcement has the 
legal tools, personnel, and equipment necessary to investigate crime in 
an encrypted world.''
    Specifically, on September 16, 1999, the President, on behalf of 
law enforcement, transmitted to Congress the ``Cyberspace Electronic 
Security Act of 1999'' which would: ensure that law enforcement 
maintains its ability to access decryption information stored with 
third parties, while protecting such information from inappropriate 
release; protect sensitive investigative techniques and industry trade 
secrets from unnecessary disclosure in litigation or criminal trials 
involving encryption, consistent with fully protecting defendants' 
rights to a fair trial; and authorize $80 million over four years for 
the FBI's Technical Support Center (TSC), which serves as a centralized 
technical resource for federal, state and local law enforcement in 
responding to the increased use of encryption in criminal cases. The 
TSC is an expansion of the FBI's Engineering Research capabilities that 
will take advantage of existing institutional and technical expertise 
in this area. As indicated earlier, the fiscal year 2001 budget 
proposes an increase of $7,000,000 for the FBI's counterencryption 
program. We urge Congress to support us in these endeavors.
    The law enforcement community relies on lawfully-authorized 
electronic surveillance as an essential tool for the investigation, 
disruption, and prevention of serious and violent offenses. 
Technological advances have taken a serious toll on law enforcement's 
ability to protect the public through the use of lawfully-authorized 
electronic surveillance. The Communications Assistance for Law 
Enforcement Act (CALEA) was passed so that the telecommunications 
industry would pro-actively address law enforcement's need and 
authority to conduct lawfully-authorized electronic surveillance as a 
basic element in providing service. CALEA clarifies and further defines 
existing statutory obligations of the telecommunications industry to 
assist law enforcement in executing lawfully-authorized electronic 
surveillance.
    The FBI developed a flexible deployment strategy to minimize the 
costs and the operational impact of installation of CALEA-compliant 
software on telecommunications carriers. This strategy supports the 
carriers' deployment of CALEA-compliant solutions in accordance with 
their normal business cycles when this deployment will not delay 
implementation of CALEA solutions in high-priority areas. The carriers 
will provide projected CALEA-deployment schedules for all switches in 
their network and information pertaining to recent lawfully authorized 
electronic surveillance activity. Using this information, the FBI and 
the carrier will develop a mutually agreeable deployment schedule. The 
FBI provided the carriers with the Flexible Deployment Assistance Guide 
to facilitate the carrier's submission of information.
    The FBI is negotiating with telecommunications carriers and 
manufacturers of telecommunications equipment for nationwide Right-to-
Use (RTU) licenses to facilitate the availability of CALEA-compliant 
software to carriers. Also, the FBI is establishing a regional, 
nationwide law enforcement liaison program. This team will facilitate 
developing consensus law enforcement electronic surveillance 
requirements for all telecommunications technologies and services 
required to comply with CALEA; educate and inform Congress and the 
Federal Communications Commission (FCC) to ensure law enforcement's 
ability to conduct court-authorized electronic surveillance is not 
compromised on any telecommunications technology or service required to 
comply with CALEA; identify, publish, and ensure deployment of capacity 
requirements in accordance with Section 104 of CALEA; and develop a 
prioritized plan for the effective deployment and tracking of CALEA 
solutions.
    The FBI needs to conduct testing and verification of manufacturer-
proposed CALEA technical solutions and to have the subject matter 
expertise necessary to address new technologies that must comply with 
CALEA. Without these capabilities, the FBI will be unable to conduct 
testing and verification of manufacturer-proposed CALEA technical 
solutions and complete the nationwide RTU license agreements. The 
fiscal year 2001 budget proposes a total of $240,000,000 for CALEA RTU 
license agreements, including $120,000,000 under the Telecommunications 
Carrier Compliance Fund and $120,000,000 under the Department of 
Defense. Additionally, $2,100,000 is requested to support the FBI's 
CALEA program management office.
                               conclusion
    Computer crime is one of the most dynamic problems the FBI faces 
today. Just think about how many computers you have owned and how many 
different software packages you have learned over the past several 
years and you can only begin to appreciate the scope of the problem we 
are dealing with in the fast changing area. We need to budget for and 
train on technology that often has not even been invented when we begin 
the budget cycle some 18 months prior to the beginning of the fiscal 
year. I am proud of the progress that we have made in dealing with this 
problem. What I have tried to do here today is give you a flavor of 
what we are facing. I am confident that once the scope of the problem 
is clear, we can work together to develop the capabilities to meet the 
computer crime problem, in all its facets, head on. Our economy and 
public safety depend on it.

    Senator Gregg. Thank you, Director. That was a very 
comprehensive summary of what you are doing and actually it 
sounded to me like a pretty good outline of a 5-year plan, 
which the Attorney General had mentioned earlier, or at least a 
base off of which to begin a 5-year plan.
STATEMENT OF HON. WILLIAM A. REINSCH, UNDER SECRETARY 
            OF COMMERCE, EXPORT ADMINISTRATION, 
            DEPARTMENT OF COMMERCE
    Senator Gregg. Secretary Reinsch, I did not know if you 
wanted to throw in some comments here. We have a bit of a time 
issue, but please.
    Mr. Reinsch. I have only three, Mr. Chairman, and I 
appreciate the courtesy. Let me say first that Secretary Daley 
very much appreciated your invitation to appear. He regrets he 
cannot be here. He is leading a business delegation to Latin 
America. He flew back from Brazil Monday night for the White 
House meeting on this subject yesterday morning and then he 
flew back to Argentina last night to rejoin the delegation. If 
nothing else, he is racking up frequent flier miles, and he 
apologizes for not being able to be with you. I think his 
presence yesterday indicates how important he felt this issue 
is.
    Second, I did submit a statement for the record. I will not 
attempt to deliver it. I would like to excerpt from one 
paragraph of it, if I may, Mr. Chairman.
    Senator Gregg. Please.
    Mr. Reinsch. And that is the following, and it responds to, 
alludes to a point that you made. I want to make clear that 
while the Federal Government's responsibility in the critical 
infrastructure area is clear with respect to the commission of 
crimes, that is only part of the equation. With respect to 
prevention and the development of more comprehensive security 
measures, the government can best play a supporting role. The 
infrastructure at risk is owned and operated by the private 
sector. Inevitably, it will be they who must work together to 
take the steps necessary to protect themselves.
    The government can help. We can identify problems and 
publicize them. We can encourage planning, promote research and 
development, convene meetings. In short, we can act as a 
catalyst, and that is precisely the role that the Commerce 
Department is playing in several ways. One, through the 
Critical Infrastructure Assurance Office's coordination of the 
development of a national plan, which the President released 
the first version of last month. Most recently through the 
convening of the Partnership for Critical Infrastructure 
Security, which I can comment on later if you are interested, 
which kicked off in New York in December, the next meeting of 
which will be next week. We already have some 180 people signed 
up to attend, so we are optimistic it is going to be a 
significant event in terms of developing a better means for 
companies to talk with each other about these problems.
    Third, and finally, Mr. Chairman, I would be derelict in my 
duty and would be chastised by my superiors if I did not make a 
pitch for the money since I am in the appropriate forum to do 
that. I am sure it will be no surprise to you that we believe 
that we need and deserve every penny we have asked for, and we 
will be happy to provide support for that at the appropriate 
time. I am sure the Secretary will want to say something about 
that when he appears before you I believe either later this 
month or early next month.
    I would just note in passing that the President's total 
budget in the critical infrastructure area projects a 15 
percent increase across all the different functions including 
those that the Attorney General and the Director talked about. 
This is, in our judgment, an area where there is no one-size-
fits-all solution. And that is reflected in the plan. It is 
reflected in the different activities by different agencies. It 
is also reflected in the budget request. Most of the money goes 
to the national security and law enforcement agencies, as it 
should.
    A number of the other activities respond to some of the 
points you made, Mr. Chairman, and some of the things that you 
will be reading about in the papers in the future are handled 
elsewhere. For example, the Federal Cyber Services Training and 
Education Initiative which deals with precisely the problem you 
raised of the Federal Government's difficulty in obtaining and 
retaining skilled people is a program that is going to be 
handled through OPM and the National Science Foundation.
    Other things like FIDNET, the Expert Review Teams, Public 
Key Infrastructure pilot programs; and R&D are handled partly 
through a variety of civilian entities or agencies, the most 
notable of which in terms of new requests is the request for 
NIST's Institute for Information Infrastructure Protection, or 
I\3\P, which will finance longer-term research on the part of 
private sector universities and private sector actors for 
solutions to these problems. The President's budget includes 
not only 2001 request but a $9 million supplemental request for 
fiscal year 2000 to try to jumpstart some of the programs I 
just alluded to. And with that, Mr. Chairman, I appreciate your 
time, and I would be happy to join in the questioning if you 
wish.
    [The statement follows:]
                Prepared Statement of William A. Reinsch
    Mr. Chairman, I welcome this opportunity to appear before you to 
discuss the Federal government's efforts to protect the nation's 
critical infrastructures.
    Inter-dependent computer networks are an integral part of doing 
business in the Information Age. America is increasingly dependent upon 
computer networks for essential services, such as banking and finance, 
emergency services, delivery of water, electricity and gas, 
transportation, and voice and data communications. New ways of doing 
business in the 21st century are rapidly evolving. Business is 
increasingly relying on E-commerce for its commercial transactions. At 
the same time, recent hacking attempts at some of the most popular 
commercial Web sites underscore that America's information 
infrastructure is an attractive target for deliberate attack or 
sabotage. These attacks can originate from a host of sources, such as 
terrorists, criminals, hostile nations, or the equivalent of car thief 
``joyriders.'' Regardless of the source, however, the potential for 
cyber damage to our national security and economy is evident.
    Protecting our critical infrastructures requires that we draw on 
various assets of the government. When specific incidents or cyber 
events occur, the government needs a capacity to issue warnings, 
investigate the incident, and develop a case to punish the offenders. 
The National Information Protection Center at the FBI is organized to 
deal with such events as they occur.
    Over the long term, the government also has a duty to be proactive 
to ensure that our computer systems are protected from attack. Critical 
infrastructure protection involves assets of both the government and 
the private sector. A number of agencies have responsibilities with 
respect to government computer systems. The Department of Defense is 
well on its way to securing its critical systems, and the Office of 
Management and Budget (OMB) and the National Institute of Standards and 
Technology at the Department of Commerce (NIST) have responsibility for 
information resources management of computer systems in Federal 
agencies.
    I want to make clear that while the Federal government's 
responsibility in this area is clear with respect to the commission of 
crimes, that is only part of the equation. With respect to prevention 
and the development of more comprehensive security measures, the 
government can best play a supporting role. The infrastructure at risk 
is owned and operated by the private sector. Inevitably, it will be 
they who must work together to take the steps necessary to protect 
themselves. We can help. We can identify problems and publicize them, 
encourage planning, promote research and development, convene meetings. 
In short, we can act as a catalyst. That is precisely the role the 
Commerce Department is playing in several ways.
    The Commerce Department, through its Critical Infrastructure 
Assurance Office (CIAO), coordinated the development of the National 
Plan for Information Systems Protection. President Clinton announced 
the release of Version 1.0 of the Plan on January 7.
    Another active area is the creation of the Partnership for Critical 
Infrastructure Security. The Partnership is a collaborative effort 
between industry and government. This undertaking brings 
representatives of the infrastructure sectors together in a dialogue 
with other stakeholders, including the risk management and investment 
communities, mainstream businesses, and state and local governments. It 
complements the NIPC's focus on cyber-terrorism by encouraging industry 
to collaborate on information security issues. Secretary Daley and I 
met with senior members of Partnership companies in December in New 
York. We will meet again next week in Washington, D.C., with senior 
members of the Partnership companies in order to encourage business 
leaders to adopt information security as an important business 
practice.
    CIAO also is assisting Federal agencies in conducting analyses of 
their own dependencies on critical infrastructures. CIAO has just 
finished an ambitious pilot program that identifies the critical assets 
of the Commerce Department and maps out dependencies on governmental 
and private sector infrastructures. This program will provide important 
input to managers and security officials as they seek to assure their 
critical assets against cyber attacks.
    President Clinton has increased funding for critical infrastructure 
substantially over the past three years, including a 15 percent 
increase in his fiscal year 2001 budget to $2.01 billion. He has also 
developed and funded new initiatives to defend the nation's systems 
from cyber attack.
    The Clinton Administration has developed and provided full or pilot 
funding for the following key initiatives designed to protect our 
computer systems:
  --Establishing a permanent Expert Review Team (ERT) at NIST that will 
        help agencies conduct vulnerability analyses and develop 
        critical infrastructure protection plans. ($5 million).
  --Funding seven Public Key Infrastructure model pilot programs in 
        fiscal year 2001 at different Federal agencies. ($7 million).
  --Designing a Federal Intrusion Detection Network (FIDNET) to protect 
        vital systems in Federal civilian agencies, and in ensuring the 
        rapid implementation of system ``patches'' for known software 
        defects. ($10 million).
  --Developing Federal R&D Efforts. R&D investments in computer 
        security will grow by 31 percent in the fiscal year 2001 
        budget. ($606 million).
  --Establishing an Institute for Information Infrastructure 
        Protection. Building on a Science Advisory Panel 
        recommendation, the Institute is designed to fill gaps in both 
        government and private sector cyber-security R&D. ($50 
        million).
  --National Infrastructure Assurance Council (NIAC). The President 
        signed an Executive order creating this Advisory Council last 
        year. Its members are now being recruited from senior ranks of 
        the information technology industry, key sectors of the 
        corporate economy, and academia.
    In addition, the President announced a number of new initiatives 
designed to support efforts for enhancing computer security, including 
a $9 million fiscal year 2000 budget supplemental to jump-start key 
elements of next year's budget. Among these was funding for NIST to 
create the Institute for Information Infrastructure Protection (I\3\P).
    Yesterday Secretary Daley met with the President and 25 senior 
executives concerned about the recent disruptions to the Internet. This 
meeting reinforced the need for further cooperation between government 
and industry to help the private sector develop its action agenda for 
cyber security. The incidents of the past week are not cause for 
pushing the panic button, but they are a wake up call for action. As 
the President said, ``I think there is a way that we can clearly 
promote security.'' The President has submitted a budget proposal that 
funds a number of initiatives that address critical information systems 
protection. If we are to reap the benefits of the Information Age, we 
need to take action to maintain a secure business environment in order 
to ensure both our national security and the growth of our economy.

              additional statutory authority requirements

    Senator Gregg. Thank you. Yes, absolutely. Let us begin 
with some simple issues so we can sort of lay the groundwork 
here. Madam Attorney General or Director Freeh, do you believe 
there is any additional statutory authority in order to pursue 
the crimes that we are seeing?
    Ms. Reno. We are going to consider additional tools to 
locate and identify the criminals. For example, we may need to 
strengthen the Computer Fraud and Abuse Act by closing the 
loophole that allows computer hackers who have caused a large 
amount of damage to a network of computers to escape punishment 
if no individual computer sustained over $5,000 worth of 
damage. I think that is important.
    We may also need to update our trap and trace laws under 
which we are able to identify the origin and destination of 
telephone calls and computer messages. Under current law, in 
some instances, we must obtain court orders in multiple 
jurisdictions to trace a single communication. It might be 
extremely helpful, for instance, to provide a nationwide effect 
for trap and trace orders. We must also ensure that, in 
upgrading our computer crime fighting laws, appropriate privacy 
safeguards are maintained and wherever possible strengthened. 
For example, recent investigations have revealed serious 
violations of privacy by hackers who have obtained individuals' 
personnel data such as credit cards and passwords. An increase 
in the penalty for violations of invasions into private stored 
communications may be appropriate. We would like to develop a 
thoughtful and effective package in working with your staff.
    Senator Gregg. Director Freeh, do you have any further 
thoughts on that?
    Mr. Freeh. The only thing I would add to that, and I think 
it is an issue that we are exploring, is whether some of this 
activity which is beyond a single episode of fraud or hacking, 
you know, gets into the realm of enterprise criminal activity. 
In other words, whether somebody or a group of people doing 
this is engaging in a criminal enterprise which, of course, 
would bring it under the racketeering statutes with much more 
substantial penalties than all these current predicate 
statutes. I do not think most of the statutes that are 
ordinarily employed are actually RICO predicates. I think it is 
an area that needs a lot of research and thought, but if you 
are talking about an international group of people that is 
engaging in activity with billions of dollars of potential loss 
and affecting millions of people, I am not so sure that should 
not be in the realm of much more serious coverage.
    Senator Gregg. So you are saying we should apply RICO, 
potentially apply the RICO portion of the mechanism to these 
types of events?
    Mr. Freeh. I think we should consider that and look at all 
the other forfeiture provisions that would obtain under that 
statute both criminally and civilly for people who are found to 
be doing this.
    Senator Gregg. Can we expect to get a package then of 
suggestions in this area?
    Ms. Reno. We are working to put together a package and I 
think you can anticipate that.

             private sector versus federal government role

    Senator Gregg. That would be very helpful. The second 
threshold issue is this question of balancing the privacy 
versus the role of the government in the commercial activity. I 
know you have both alluded to this, and Secretary Reinsch made 
a very specific statement on this. Where do we cross the line? 
How far should the Government go, and what are the risks of 
interfering with the energy and the freedom of the Internet by 
having Government involvement in trying to discipline--
discipline is the wrong term--in trying to pursue criminals who 
hack these sites?
    Ms. Reno. I think that with respect to prevention, much can 
be done by the private sector with, as I suggested, the law 
enforcement agencies providing suggestions, thoughts and 
discussion as to what our experience in terms of the 
investigation of actual crime in this area has produced. That 
would indicate what steps could have been taken to have 
prevented it. But I do not think we should interrupt the energy 
of the Internet by doing it top down and suggesting that 
mandates and directives be imposed on the private sector. I 
think we can do so much if we build a partnership that is based 
on mutual respect and on our experience.
    With respect to law enforcement investigations, I think we 
have got to be as measured with law enforcement investigations 
in the area of cybercrime as we are with respect to any other 
crime. We must use the Attorney General's guidelines in a 
thoughtful, effective manner to ensure wherever we can 
appropriate privacy and that steps be taken to ensure 
enforcement of all Department procedures directed at ensuring 
privacy.
    Senator Gregg. Anybody else want to comment on that general 
philosophical issue?
    Mr. Reinsch. If I may, Mr. Chairman, I think the clearest 
point, of course, is when there is an attack or an imminent 
credible threat of an attack, when something is a crime or is 
about to be a crime. I think what you find is it certainly is 
appropriate for law enforcement to be directly and intimately 
involved at that point, and I think you find most private 
parties being very interested in their involvement at that 
point because of the clarity of the situation. Your question 
becomes more difficult when you are talking about days, weeks, 
months in advance of that situation.
    And that creates a much more complicated situation. I think 
the Attorney General's comment is right on target and in 
particular the phrase she used, ``building partnerships'', is 
probably the best way to do this. That is mutual confidence. 
There is, in fact, a spectrum of opinion in the private sector 
on this as you would expect on everything. Some people, 
sometimes people who have an economic stake in these situations 
are a little less interested in privacy because they are 
interested in the economics. There are other people at the 
other end of the spectrum who will not cooperate with anybody 
in the Federal Government under any circumstances even if a 
crime were being committed because that is their philosophy and 
that is a problem that, you know, we have to deal with.
    I think trying to narrow the extremes of that spectrum and 
build a critical mass of cooperation in the middle, which is 
what we ought to be striving for, really depends on exactly 
what the Attorney General said: creating structures that build 
mutual confidence, creating structures in which we--I think the 
civilian side of the government, if you will, law enforcement 
if you will--and the private sector all participate and can 
share information in an atmosphere of mutual confidence. We 
have to do that in a variety of different ways. I do not think 
there is one institution or one mechanism that is going to meet 
the needs of everybody in that situation, but I think that she 
is exactly right. That is the way to go about it.

                  coordination among federal agencies

    Senator Gregg. On the issue of coordination, it seems to me 
that we are dealing with a couple, a variety of different 
levels here, and let me see if I am adequately summarizing it, 
and please tell me if I am not. I want to get your comments on 
it. We have the terrorist event, and we have a variety of 
different agencies that are addressing the terrorist event. We 
have the commercial event and then we have the issue of putting 
forward a cooperative effort with the private sector in order 
to give the private sector tools that we may have developed 
within the government or which our expertise within the 
government is able to develop or which we are paying for to be 
developed and making those generally available to the public.
    These different levels of activity seem to be functioning 
in various agencies without necessarily the coordination that 
we might want to see so that there is an overlap. My question 
is, is that a correct summary of what the different efforts 
are; and is there, in your sense, adequate coordination between 
Commerce, Justice, within Justice, between FBI and Justice, 
CIA, DARPA, NIST within Commerce, and the National Security 
Council which has decided to put its rather large foot into 
this issue?
    First, are we working together on the terrorism issue? 
Second, are we working together on the commercial side? And 
third, are we working together on the issue of getting out 
information capacity to the private sector in a partnership 
way?
    Mr. Freeh. Starting with the terrorism issue, I think the 
results are very, very good. Again, these coordinating efforts 
are probably only about 5 years old, which in the life of 
Government agencies is not a great deal of time. But over the 
last 5 years, the ability to coordinate investigations of 
active terrorism as well as responding to them I think has been 
steadily improving to the point where I believe it is very 
sufficient. Again, our getting back----
    Senator Gregg. And is the FBI the lead agency on that 
within the Government?
    Mr. Freeh. Yes, the FBI is the lead agency with respect to 
counterterrorism, law enforcement, prevention, protection both 
within the United States or overseas on behalf of the Federal 
Government.
    [The information follows:]

                         FBI Lead Agency Roles

    Under Presidential Decision Directive (PDD) 39, the 
Department of Justice, through the FBI, is designated lead 
responsibility for the operational response to terrorist 
incidents that take place within U.S. territory. PDD-39 also 
confers upon the Department of State, through U.S. Ambassadors, 
lead responsibility for serving as the on-scene coordinator for 
the response of the U.S. Government to international terrorist 
incidents that take place outside of U.S. territory, except 
when the exercise of military force is directed. In those 
instances, the Department of Defense is the lead agency until 
such time as the use of military force is terminated. The 
Federal Aviation Administration has lead responsibility for 
coordinating any law enforcement activity affecting the safety 
of persons aboard an aircraft during acts of air piracy. The 
order also reaffirms the FBI lead responsibility for 
investigating terrorist acts that are planned or carried out by 
either foreign or domestic terrorists in the United States or 
which are carried out by terrorists against United States 
citizens or institutions outside the territorial United States.

                    Coordination of Law Enforcement

    Mr. Freeh. The events over the millennium period I think 
were the template of how that is supposed to work. The FBI 
operations center, which you supported, was up and running 24 
hours a day for several weeks. We had representatives of every 
single Federal agency there, including all the security 
agencies. We were on-line in real-time with our foreign and 
State and local partners. Leads were covered. An investigation 
was conducted in extremely fast-moving circumstances 24 hours a 
day and it worked. It worked to the sense that there were no 
major breakdowns. There were some things we learned that we 
could improve and will improve upon. But the coordination, the 
advice and updates to both the NSC and the congressional 
committees was ongoing and effective.
    We do not think we lost anything between the cracks during 
that very critical period with a case of momentous 
significance. We are not doing as well in the cybercrime and 
cyber-terror area only because this is a new challenge and the 
structures that are responsible for that coordination are new. 
The NIPC, which we mentioned, has multi-agency representation, 
private sector representation, but we are really just beginning 
this process. There are a lot of things, both on the NSC level 
as well as the interagency level, that need to be improved 
upon--new coordinating groups, structures, resources. But the 
good news is we are well on our way to doing that, and if we 
use the counterterrorism case as a model, we have been 
extremely successful in that area.
    Senator Gregg. What are we doing? I mean is there a task 
force, an interagency task force that is presently functioning 
that is trying to work up the turf issues on this?

             national information protection center [nipc]

    Mr. Freeh. On the operational level, yes. There is the 
NIPC. Those are the people who are coordinating and doing the 
investigations, representing all the various agencies. On the 
policy level, as you said, you have new initiatives and new 
players and that is an area that needs to be improved.

                 role of the national security council

    Senator Gregg. What is the NSC's role as far as you are 
concerned relative to this exercise, and how constructive is 
it?
    Ms. Reno. I would describe it this way. Law enforcement is 
pursuing its law enforcement coordination responsibilities 
through the NIPC. I think Secretary Reinsch would point out 
that there are separate issues that go to coordination with 
respect to industry in terms of what can be done to prevent the 
problem in the first place. As bankers groups have banking 
associations that address bank security issues, so that is 
being done and the Commerce Department, I think, is involved in 
that effort. The NSC is looking at it through its coordinating 
function and the President announced the first version of the 
National Plan for Information Systems Protection last month. It 
is an invitation to dialogue with industry, with Congress and 
others. It was drafted by an interagency group and attorneys 
from the Justice Department and the FBI participated. It 
contains a number of proposals for protecting critical 
infrastructures that are contained in the 2001 budget request, 
for instance, a cyberservices training and education 
initiative.
    Secretary Reinsch can talk a little bit more about the non-
law enforcement side, but for something that is so new, 
something that is developing, I think the coordination is good. 
It can always improve.
    Mr. Reinsch. If I may, Mr. Chairman, I think the Attorney 
General's comments were exactly on target, particularly the 
last one, which is the same one that Director Freeh made, which 
I would also echo. This is essentially a start-up, and start-
ups are always a little rough around the edges, and you should 
expect this one to be a little rough around the edges. It is no 
different from any other start-up.
    These things are gradually being sorted out. It takes time. 
Sometimes it takes episodes like this to get the line straight. 
Where the lines are straightest is probably in the event 
category of the three categories you described: the terrorist 
event or the cyber hacker event. Those are areas where law 
enforcement really has the lead, and I do not have anything to 
say about how that operates.
    The area that is more complicated is what you might 
categorize as the pre-event situation, which was your third 
scenario. What are we doing to build confidence? What are we 
doing to create structures that will operate and exist outside 
of specific attacks and try to create tools or best practices, 
if you will, that will make it harder for those attacks to 
occur in the first place? There you have the best example of 
what I said earlier about no one-size-fits-all solution.
    There are a number of different parties who participate in 
that exercise and certainly law enforcement does participate 
and should participate and we encourage--we, the Commerce 
Department, encourage private parties to deal with law 
enforcement in exactly the way that Director Freeh has 
described. Our experience suggests, however, that not all of 
them are prepared to do that in exactly the way that he would 
like. And that is why we have focused on the development of 
some other devices or some other means of sharing information 
but focusing more on sharing information amongst the private 
parties themselves, trying to get people in the private sector 
to take leadership and take ownership of these issues, to speak 
for their sector.
    I think the banking and financial sector probably for 
obvious reasons has been the lead in doing this and has set up 
a very effective ISAC, Information Sharing and Analysis Center. 
The different departments, Energy, Transportation, Commerce, et 
cetera, have plans in various stages of development to 
encourage the same thing for their sectors. What this does is 
put the people inside the U.S. Government that have functional 
expertise, if you will, in touch with the people that they 
already know anyway because they regulate them in other fora, 
or they work with them on a regular basis with respect to other 
programmatic activities.
    In the case of the Commerce Department, we are doing this 
for information and telecommunications, and NTIA is doing that. 
We think this is a process that is going to take off. We see 
signs that the private sector, again, to a different extent in 
different sectors, is understanding the need for joint 
activities and cooperation amongst themselves, not necessarily 
involving us.
    Events like that of 2 weeks ago frankly are wake-up calls 
to these companies to get busy, and that is happening, and I 
think what you will see over time is the development of private 
structures that will end up doing several things: promoting 
best practices, tools and information amongst themselves, and 
disseminating those things amongst themselves, and in the 
process building confidence in their relationship with the 
government so that people that are now nervous about interface 
directly with law enforcement will not be nervous in the 
future. That is the point that we are trying to get to, but I 
would not say that we are entirely there yet and I think, you 
know, the getting there is going to be a little bit two steps 
forward, one step backward from time to time.

                critical infrastructure assurance office

    Senator Gregg. That is good explanation by all of you on 
this point, but let me follow up with some specifics. The 
Commerce Department, as I understand it, has got a Critical 
Infrastructure Assurance Office; it has this Institute for 
Information Infrastructure Protection, which is the NIST 
office, the I\3\P you are calling it.
    Mr. Reinsch. That is proposed.
    Senator Gregg. And the new proposal from the President 
which is COMNIC. What was that?
    Mr. Reinsch. That has not been proposed. And I believe that 
it will not be proposed. You have been reading the Wall Street 
Journal, and they were wrong, Mr. Chairman.
    Senator Gregg. That will come as a shock to them, but OK.
    Mr. Reinsch. It came as a shock to me because I talked to 
that reporter and did not talk about that, but that is not a 
proposal.
    Senator Gregg. Well, I guess my question is, what do you 
have up and running at the Commerce Department right now which 
deals with this issue and what is their portfolio?
    Mr. Reinsch. Several things. First of all, as you noted, 
the Critical Infrastructure Assurance Office, the CIAO, if you 
will, is the staff coordinating agency for many of these 
activities. It is administratively in the Commerce Department. 
It staffs us. It does a lot of the work with us. One of its 
people is sitting right behind me ready to catch me when I 
fall. It also supports the National Security Council's work in 
this area as well. And I did not--if I can digress just a 
second--I did not respond and should have to your previous 
question about the role of the NSC, which I know is something 
that has concerned you. On that I would just say that the NSC 
with the CIAO's help has really played the role of, first of 
all, of staffing the President on the issue, which is not an 
insignificant issue because the President is very interested in 
this. Second, an idea generator. Not all of them have flown, 
but some of them have. The Cyber Services idea came from the 
NSC.
    These things do not just happen because somebody in the NSC 
thinks they are a good idea. They get circulated out to 
agencies. People comment. They get massaged, but the NSC has 
been a good idea generator and has been a good coordinator of a 
lot of the activity in the pre-event phase that I described. So 
that is the NSC.
    To go back to Commerce, there is the CIAO. NIST has a long-
standing relationship with NSA that goes back a number of years 
in the cybersecurity area in terms of developing standards 
which is what NIST's primary activity is in this area, 
algorithms, encryption standards, for example. That is a long-
standing exercise of theirs.

          institute for information infrastructure protection

    They have had a modest increment of R&D funding this year 
for these related functions, and I have to defer to Ray Kammer 
to tell you exactly what is going on there. The significant 
research increment is, as you mentioned, or would be if you 
approved it, the I\3\P, the Institute for Information 
Infrastructure Protection, which although located at NIST is 
essentially going to be a virtual institution in the sense that 
NIST is not going to do the research. NIST is going to use the 
money, in this case the request is $50 million, for grants to 
private parties including universities for research into 
longer-term solutions of this problem.
    Senator Gregg. If we can stop there, how do you expect that 
to interface with already existing research projects such as 
the Carnegie Mellon CERT team; the Thayer School which was 
referred to; and the Oklahoma school which is specifically 
doing research right now on technologies and ways to respond to 
counterterrorism?
    Mr. Reinsch. Well, I think the answer is different 
depending on the institution. With respect to CERT and 
organizations like CERT, I do not see an overlap because CERT 
is really focusing more on short-term, you know, intervention 
and response, developing tools to deal with situations as they 
come up. CERT has an active, ongoing relationship with a lot of 
people in the private sector to do that, and it has been very 
effective. CERT is not the only CERT. There are other ones as 
well.
    What we are talking about here is sort of looking at this 
issue, developing longer-term tools. Now, in that case, I think 
certainly there are other activities going on already including 
at some of the institutions you alluded to. In this case, this 
would be a supplement. I think there is room for more activity.
    Senator Gregg. Is it going to be coordinated though?
    Mr. Reinsch. To the extent that there is Federal 
involvement, yes. Under PDD-63, the President's Science 
Adviser, the head of the Office of Science Technology Policy, 
is charged with coordinating Federal R&D, and he would be in 
charge of coordinating this piece of that as well. Now if a 
university is not interested in Federal funding and wants to do 
something on its own, that would be a different matter.
    Senator Gregg. My concern is that this new institute, 
I\3\P, appears to be coming forward with a portfolio that is 
already being served in part by institutes that were created by 
other functions of government, such as the Attorney General's 
office, the FBI or in some instances, State and CIA. We will 
just have to wait and see how it is drafted, but we will want 
to get into that in more depth. I recognize it is a new 
initiative.
    Mr. Reinsch. If I may, one more thing, Mr. Chairman. This 
grew directly out of a recommendation from PCAST, the 
President's Committee of Advisors on Science and Technology. It 
was a private sector group of scientists that recommended to 
the President that he do this. Their actual recommendation 
proposed something larger than what we have proposed. Their 
belief was that while there is private activity in this area 
right now, there are gaps in it, and it is appropriate for the 
Federal Government to try to, first of all, inventory what is 
going on and then to try to come up with a modest amount of 
money to fill the gaps.
    Senator Gregg. I do not doubt that that is absolutely true. 
I think my concern is, if we already have law enforcement 
aggressively financing some of this, we ought to make sure that 
there is coordination between research which is already being 
done and paid for by the Federal Government for law enforcement 
purposes that overlaps distinctly research which would come out 
of this NIST initiative. I am sure it will be a good initiative 
because NIST is a superb organization, in my opinion.

            law enforcement outreach to e-commerce industry

    Madam Attorney General, where do we stand in your opinion 
in the effort to do outreach to the e-commerce industry? Do you 
feel comfortable that they are comfortable with you and with 
the FBI or do we need more work? We have another panel after 
you to second-guess you on this one.
    Ms. Reno. I think they are getting comfortable and I think 
that many of them are. It is exciting to hear representatives 
of industry, of banks and others talk about how they have had 
an opportunity to work with the FBI at the local level, how 
impressed they are with the knowledge a particular agent may 
have, how impressed they are with the professionalism with 
which they pursue the investigation. And it is that type of 
relationship that does so much to build an understanding 
throughout the agency. So in some measures it will take time, 
but at the meeting yesterday I was gratified by comments made 
to me on the part of industry about what we were doing and the 
success we were having in building a partnership.
    Our Computer Crime Section, for example, has established 
the Industry Information Group, which includes representatives 
from the major ISPs, telecommunications companies and other 
industry groups. The IIG meets regularly to discuss cybercrime 
and security issues. We have also forged a cooperative 
relationship with the Internet Alliance, a group that 
represents the largest ISPs. Last week, DOJ officials met with 
Internet Alliance to discuss cooperative efforts.
    With respect to privacy, I continually try to emphasize 
that we do not want a surveillance society or a top down 
approach to cybersecurity. We want to build a partnership that 
permits an appropriate exchange of information based on our 
experience.
    We have really, I think, done something else, too, that is 
exciting in terms of forming a partnership, the beginnings of 
partnership that I think is where we are going in the future. 
This idea came about once when I was speaking to an industry 
group. One of the representatives said my 13-year-old daughter 
knows that she should not open other people's mail, that she 
should not go in and rummage around in her sister's bedroom, 
and that she should respect the privacy of others, but she has 
not been taught about what she should and should not do on the 
Internet. Last April, I announced that the Department along 
with Harris Miller and Information Technology Association of 
America had formed the Cybercitizen Partnership, a national 
campaign to educate and raise awareness of computer 
responsibility. I expect that that campaign will be in full 
force in the near future.
    These are some of the things that we are doing, Mr. 
Chairman. Yesterday I asked the industry representatives there 
if they would meet with me just on the law enforcement issue of 
what law enforcement can do to improve the partnership and to 
build the working relationship that is so vital. Nobody likes 
to get into a situation where they have to deal with law 
enforcement because that means that they have been a victim of 
a crime. That is not a pleasant experience in any circumstance, 
but the FBI is doing so much in terms of outreach, in terms of 
working with others, to build that trust and that confidence. I 
think we have come a long way.

                 fbi relationships with private sector

    Senator Gregg. Director Freeh, did you have any comment on 
that?
    Mr. Freeh. Just to supplement it a little bit, I agree with 
the Attorney General 100 percent. This relationship is going to 
take some time. I think if you look back at the early 
relationship between the FBI, for instance, and the banking 
industry, 40, 50 years ago, you see where that relationship has 
grown in terms of trust, reliability, support. We are building 
that with not just the new high tech industry but many of these 
other interrelated companies. We mentioned before the InfraGard 
program which the NIPC administers and that is resident in many 
of our divisions, will hopefully be resident in all 56 
divisions. Those agents go out to the private sector in that 
particular division--banks, transportation, and energy--and say 
we need to sit down with you, you need to tell us about the 
things that have to be protected and how your systems and 
networks can be compromised. That requires somewhat of an act 
of faith by some of the companies to give that information and 
assistance, and then when an attack occurs have the confidence 
to report that.
    It is much akin to working the economic espionage cases. 
Somebody has tried to steal a valuable trade secret of a 
company. The FBI comes in to do the investigation and asks 
basically to get all the information about that trade secret. 
That information goes into our reports, which may go into 
discovery in a criminal trial. The company has to stop and 
think and maybe ask its board and shareholders if this is 
something that it wants to pursue, if the objective there is 
really to protect the trade secret.
    We met a couple of months ago with representatives of 16 
major companies, the chief information officers, and we talked 
about these issues. We have got to do things to further that 
relationship. One example just very, very quickly is the 
proposal that the Attorney General and the FBI has made for the 
technical support center. This was the result of a discussion, 
in fact, the discussion the Attorney General and I had with six 
of the major CEOs of the software industry about ways we can 
work on these encryption issues without passing legislation 
which, of course, the industry is very concerned about.
    And the CEOs--and we were delighted at this response--
offered to not only give services but even lend us some of 
their scientists to work in a center where we could solve some 
of these problems on a case-by-case basis.
    Senator Gregg. Do you need a counter-encryption center?
    Mr. Freeh. Yes, we do, absolutely. This was an example of 
where the industry and the Government in an area of great 
sensitivity could work together. The Congress, in fact, passed 
a statute in 1998, part of the Intelligence Authorization Act, 
which would allow those companies to give the Attorney General 
those services. It would not be prohibited as a gift. So these 
are the kinds of initiatives that have to be pursued.

                               conclusion

    Senator Gregg. Thank you. Rather than take any more of your 
time because you have been extraordinarily generous with it 
this morning, I do intend to send some specific questions for 
the record to you. Especially how have the CERT teams evolved? 
Also, how is the evolution of the National Infrastructure 
Protection Center and the money that we have put into that? I 
would also like to get an outline of how we would approach 
developing a 5 year plan in this area for law enforcement. But 
if the Commerce Department is so inclined, I would be 
interested in getting a 5-year plan for how we address a 
coordinated effort in the areas that are not law enforcement 
dominated so we can have some coherence in this. You are going 
to get us language on the law changes you think you need?
    Ms. Reno. Yes.
    Senator Gregg. Statutory changes. And we are going to try 
to put in the Title 5 extension. Obviously, that will be a 
priority for this Committee. It was a priority getting it. We 
certainly do not want to see it lapse. I did not realize it 
lapsed in September. I sure hope we can get this bill signed by 
September. That would be a first, and it would be nice.
    I appreciate all your time. This is the beginning of a road 
that is going to have a very long, and I suspect, many turns 
and forks in it. But it is a process which requires a lot of 
public vetting, and I appreciate your taking the time to 
participate in that process today. Thank you very much.

                       need for uniform standards

    Ms. Reno. Mr. Chairman, I would just like to put one other 
point at issue because I think it is going to be vital as to 
how law enforcement responds. We are going to have to develop, 
and I would like to work with you on it, a means of ensuring 
uniform standards with respect to equipment and technology. It 
is becoming obsolete practically before we get it installed and 
the cost can be astronomical or we can work with industry to 
develop common standards that people can understand. That will 
not address the issue where a vital new piece of equipment has 
come into play, but the costs are going to be something that 
needs your yankee frugality to address.
    Senator Gregg. Well, I think that is a critical issue, and 
there are a lot of issues where we have not really gone in 
depth. Encryption is just a huge issue. The Director alluded to 
that, and it has to be resolved, as the Director said. 
Obviously, the purchasing of technology and keeping the 
Government up to speed while making sure that it is consistent 
is important, as you have outlined. That item and the personnel 
item are going to take money. I will tell you that from my 
standpoint, this committee has always put an extraordinary high 
priority on the issue of terrorism, cyberterrorism. And we are 
going to put the same type of priority on the issue of funding 
initiatives in the Internet areas that are not necessarily 
terrorism related but are commercially related. So I think we 
will be able to find the dollars, but I want to make sure they 
are spent effectively and in a coordinated manner. Thank you 
very much. I appreciate your time.
    Ms. Reno. Thank you for your leadership, Mr. Chairman.
    Mr. Reinsch. Thank you.
                             INDUSTRY PANEL

STATEMENT OF ROBERT CHESNUT, ASSOCIATE GENERAL COUNSEL, 
            EBAY
    Senator Gregg. We begin the second panel here, and I 
appreciate the tolerance of the second panel in waiting to 
testify. If the members of the second panel could come forward 
and take a seat, that would be very helpful. Please take a 
seat, gentlemen.
    The second panel are members of industry. They are not 
representative of all the industry, obviously, but a portion of 
it. You will hear from Robert Chesnut, associate general 
counsel of eBay, which was one of the companies that was 
subjected to an attack last week. He will address Internet 
security issues, as will Mark Rasch, the senior vice president 
of Global Integrity Corporation. He will testify also relative 
to his previous experience in prosecutions of major Internet 
cases, specifically the Morris worm case. And finally we will 
hear from Jeff Richards, executive director of the Internet 
Alliance, which represents major Internet providers like AOL. 
Mr. Richards will discuss the industry's concerns about 
Internet security efforts, and specifically, the coordination 
of law enforcement agencies. Again, I thank you for your 
willingness to be here today and participate in this hearing.
    As I think was made clear not only in my opening statement 
but in the comments by the members of the government, we 
consider the private sector's views on this to be the dominant 
views. This is an area where the law enforcement agencies come 
in, but they come in in a secondary capacity in many instances 
and, therefore, your ideas and opinions are important to us.
    Mr. Chesnut, I appreciate your coming. I am a user of your 
site on a regular basis. I have a lot of New Hampshire 
memorabilia from eBay. In fact, if you come to my office and go 
to what we call the ``moose room,'' you will see a number of 
things that were eBay purchased. So I am a big fan of your 
organization, and I appreciate your taking the time to come by. 
We will start with you and then go right down the line.
    Mr. Chesnut. Thank you, Mr. Chairman. eBay greatly 
appreciates the opportunity to come here today and to 
participate in this hearing. My name is Robert Chesnut, and I 
am the associate general counsel of eBay and prior to joining 
eBay last year, I was an Assistant United States Attorney here 
in the Eastern District of Virginia and handled a variety of 
cases involving computer crimes and violent crime and 
espionage. Since I have been at eBay, I have been able to work 
on some of these areas involving a partnership between law 
enforcement and the private industry that have already been 
discussed earlier in this hearing.
    In 1995, as the Chairman knows, eBay created the first on-
line trading community on the Internet, and today we are the 
world's largest e-commerce site with nearly four million items 
for sale at any given time in about 4,000 different categories. 
Everyday we have approximately 500,000 items that are placed on 
our site from our over 10 million users including, I think, 
about 50,000 from your State.
    Being the world's largest e-commerce site poses a number of 
challenges for us and not the least among these challenges is 
really a daily challenge of dealing with the protection of our 
web site from abuse, from hackers, database pirates, and 
various pranksters. As, Mr. Chairman, you know, last week we 
were one of the victims in the attack along with Yahoo!, 
e*Trade, CNN and other well known e-commerce sites. And at 
eBay, as the chart there shows, we were attacked at about 3 
o'clock in the afternoon on February 8. The attack blocked 
legitimate access to eBay's site for approximately 90 minutes 
before we were able to turn it back. The attack continued on 
for another 90 minutes after we had successfully dealt with it.
    That attack was followed by a second attack the following 
day at about 5 o'clock in the afternoon, and we were able to 
deal with that attack within just a few minutes without any 
significant disruption to our service. Mr. Chairman, the 
attacks are obviously extraordinarily serious. They 
fundamentally disrupted business on our Nation's key e-commerce 
sites for several days. They affected not only eBay's business 
but a number of--literally hundreds of thousands of individuals 
depend on eBay as their livelihood and so when eBay is down or 
blocked, they cannot do business. And so it fundamentally 
disrupts business all across the country when a site like ours 
is blocked.
    Although we do not know yet who was behind the attack, it 
was obviously well planned and aimed directly at leading 
commercial web sites, such as ours. As we understand the facts, 
nefarious computer code was placed into computers of 
unsuspecting individuals and institutions, such as the 
University of California at Santa Barbara, and these computers 
were then used to launch a sustained attack on the leading web 
sites. The purpose of the attacks in this case was to block 
access to at least a portion of the web sites by bombarding 
them with a huge volume of traffic--what is known as ICMP 
traffic, Internet Control Message Protocol traffic.
    In this case, Mr. Chairman, they bombarded eBay with 
approximately one billion bits per second of traffic, nearly 
double our normal incoming traffic, and this flood of what we 
call bad traffic effectively blocked any legitimate traffic 
from reaching our home page for about 90 minutes. Now since 
Yahoo! had been attacked the day before on February 8, we had 
already begun to prepare several countermeasures in case an 
attack like this occurred at eBay, and when the attack 
occurred, we took several steps to try to fight back 
immediately. We put some of our own firewalls into place to try 
to repel the attack, but the volume of the traffic was simply 
so heavy that the firewalls were not effective.
    We quickly got in touch with our Internet service 
providers, and it was their lines that were actually providing 
the bad traffic to us, and we worked with these Internet 
service providers to put some filtering mechanisms in place, to 
try to filter out the traffic before it even got to our site. 
Within 90 minutes, these filters were effective in blocking the 
traffic and allowed our site to return to normal usage even 
though the attack continued for another 90 minutes after the 
filters had taken effect.
    It was because of those filters and because of the measures 
that we had taken on the eighth that when the next attack 
occurred at about 5 p.m. on the ninth, we had already worked 
with the Internet service providers; we had put some permanent 
fixes in place, and therefore the attack the next day was much, 
much easier to deal with. We were able to deal with it within 
just a few minutes.
    The attack in this case was not distinguished by its 
sophistication. I think, as was mentioned earlier, this was an 
attack that could have occurred several years ago in terms of 
sophistication but what marked it was its sheer volume which 
was unlike any other attack that eBay had previously been a 
victim of. On an ordinary day, our outbound traffic exceeds 
inbound traffic by about a ten to one margin. That is because 
users are coming in asking for data from our site and we are 
sending a lot more out than we usually get in. Because of the 
huge volume of traffic, the bad traffic in this case, the 
incoming traffic actually equaled our outbound traffic which 
was an extraordinary event for us.
    In our view, these sort of computer intrusions and attacks 
on commercial web sites are serious crimes that merit a 
forceful response and many of these crimes are widely viewed 
within the hacking community as little more than pranks. They 
are much more serious in our view, and they demonstrate the 
need for some forceful action.
    Now prior to last week's attacks, eBay had already 
established a relationship with the computer intrusion squad at 
the Federal Bureau of Investigation in northern California near 
where our offices are located. We had already been speaking 
with the United States Attorney's Office in that district to 
work with them in the event of problems like this. eBay has 
recognized that the most effective way to combat cybercrime, 
whether it is by fraud or by hacking, is to work cooperatively 
with law enforcement, and we are, as a company, very 
comfortable in working with law enforcement in this area.
    Therefore, last year, we had already set up procedures, put 
them in effect, so that we would be able to quickly notify the 
FBI in case an attack like this occurred, and as a result of 
that preparation, we were able to contact the FBI pretty 
quickly once the attack occurred to notify them of the attack 
and to provide them with some information that we hope will 
assist them in their investigation. And in the aftermath of the 
attack, we have also come across other leads that we have been 
able to quickly reach the FBI and provide them with the 
information.
    We do believe that this attack illustrates the challenge 
faced by law enforcement in the investigation and prosecution 
of cybercrime and the importance of ensuring that the Justice 
Department is adequately funded to meet this challenge. The 
Internet has become the backbone and life blood of our new 
world economy, and it is imperative that consumers retain the 
highest degree of confidence in its reliability and security.
    High tech has to take the lead. You know leading high tech 
companies can work cooperatively together and meet many of the 
challenges that are posed by cybercriminals. But industry alone 
cannot solve the problem. We cannot go out and do the criminal 
investigations and the prosecutions of these cases. We need a 
partnership with law enforcement. And an important element in 
fighting this sort of cybercrime is ensuring that law 
enforcement both understands the technology and has the tools 
to work with private industry in investigating these crimes.
    The need for an effective Internet law enforcement presence 
is particularly important in areas of the country that have the 
high concentration of high tech companies. Some examples are 
the Eastern District of Virginia, just right outside of the 
District here, northern California where eBay is located, and 
some other areas such as the Boston-New Hampshire corridor 
where high tech is concentrated. Northern California, for 
example, where eBay is located, has undergone a radical 
metamorphosis in the last 20 years. It is home now to over 
6,000 high tech companies and that includes many of the leading 
high tech companies in the world.
    This growth in the high tech industry has been accompanied 
by a corresponding growth in high tech crimes and these crimes 
are no less a threat to our economic viability than 
conventional crimes, but they are much more difficult to 
investigate and prosecute.
    The areas of the country that have this high concentration 
of high tech companies need resources dedicated to this growing 
problem. In northern California, for example, the FBI's 
computer intrusion squad and the United States Attorney's 
Office must be adequately staffed to investigate and prosecute 
high tech related crime. Such crime is a serious issue. 
Computer intrusions and attacks have become increasingly 
frequent. They cost companies billions and billions of dollars 
every year to deal with, and other high tech related crimes 
such as theft of trade secrets, counterfeit good sales over the 
Internet, and simply the theft of computer equipment itself has 
become a major problem. According to a 1999 Rand Corporation 
survey, theft of high technology components such as computers 
costs the industry over $5 billion annually. The Justice 
Department cannot hope really to keep up with this high volume 
of work unless there are some specific resources targeted to 
the areas that need them with badly needed agents and 
prosecutors.
    Likewise, it is impossible to effectively combat cybercrime 
unless law enforcement understands this new medium as well, at 
least as well as the cybercriminals do. This requires a 
sophisticated level of training and up-to-date computer 
equipment. Private industry can play an important role in this 
training process with law enforcement. For example, FBI has 
already been working with law enforcement and is providing 
training for law enforcement agents, for criminal agents in 
several places across the country, so that law enforcement 
understands exactly how the medium works and how the industries 
can actually help law enforcement and work with them quickly 
when crimes occur.
    While this partnership can play a very important role in 
fighting cybercrime, it cannot be a substitute for the basic 
tools that law enforcement needs: agents, prosecutors, and 
computer equipment. eBay believes that it is important for this 
subcommittee to send a message to cybercriminals throughout the 
world that the United States Government can and will protect e-
commerce from criminal activity, but if Congress is going to 
send a credible message that cybercrimes will be investigated 
and prosecuted vigorously, law enforcement must have the 
resources to back up that message. We urge you to take this 
into consideration as you determine the appropriate funding 
level for these important law enforcement agencies. Thank you.
    Senator Gregg. Thank you, Mr. Chesnut.
    [The statement follows:]
                  Prepared Statement of Robert Chesnut
    My name is Robert Chesnut, and I am the Associate General Counsel 
for eBay. Before joining eBay last year, I served for 11 years in the 
United States Justice Department as an Assistant United States Attorney 
for the Eastern District of Virginia, where I prosecuted a variety of 
criminal cases, including violent crimes, computer crimes and espionage 
matters, such as the Aldrich Ames spy case.
    In 1995, eBay created the first online person-to-person trading 
community on the Internet. Today, eBay is the world's leading e-
commerce web site with nearly 4 million items for sale in over 4,000 
categories ranging from coins and stamps to toys and antiques. Every 
day, users around the country and the world list approximately 500,000 
items on our site to sell.
    Being the world's leading e-commerce web site poses a great many 
challenges for eBay. Not the least among them is the daily challenge of 
protecting our web site from attack, abuse and misuse by hackers, 
database pirates and pranksters.
    As you undoubtedly have heard, last week eBay, Yahoo, e*Trade, CNN 
and other well known e-commerce sites were victims of an insidious 
organized attack that shut down portions of their web sites. At eBay, 
the principal attack occurred at approximately 3 o'clock on February 
8th and blocked legitimate access to eBay's site for nearly 90 minutes. 
That attack was followed by a second attack on our site the next day, 
which we were effectively able to fend off within a few minutes.
    Let me explain why these attacks are so serious. This attack 
fundamentally disrupted business on our nation's key e-commerce sites 
for several days. Although we don't yet know who was behind this 
attack, it was obviously well planned and aimed directly at leading 
commercial web sites, such as ours. As we understand the facts, 
nefarious computer code was serpitiously planted in the computers of 
unsuspecting individuals and institutions, such as the University of 
California at Santa Barbara. These computers were then used to launch a 
sustained attack on leading web sites. The purpose of the attack was to 
block access to portions of these web sites by bombarding them with a 
huge volume of what is known as ICMP (Internet Control Message 
Protocol) traffic. This attack bombarded eBay with over 1 billion bits 
per second of bad traffic, nearly double eBay's normal incoming 
traffic. This flood of bad traffic effectively blocked legitimate 
traffic from reaching our home page.
    Since Yahoo had been attacked the day before, eBay had already 
started to prepare several countermeasures. When the attack began, we 
quickly took a number of steps to fight back. Initially, we put in a 
number of our own fire walls to repel the bad traffic, but the volume 
of that traffic was so heavy that the fire walls were ineffective. 
Quickly, we turned to our Internet Service Providers (``ISPs''), whose 
lines were bringing this bad traffic to our site. We worked with these 
providers to develop filtering mechanisms to prevent bad traffic from 
even reaching our site. Within 90 minutes, the filter effectively 
stopped the bad traffic and allowed our site to return to normal 
service, even though the attack itself continued for an additional 90 
minutes.
    The next day, a similar attack was launched against eBay at about 
5:30 p.m. With our experience from the previous day and with a number 
of countermeasures already in place, eBay and its ISPs were able to 
quickly repel this attack without any disruption of eBay's services.
    Let me be clear, this attack on our site was distinguished not by 
its sophistication, but by it sheer scale. On an ordinary day on our 
web site outbound traffic exceeds inbound traffic by a 10-to-1 margin. 
During this attack we noted that inbound traffic was so heavy that it 
actually equaled outbound traffic.
    It's our view that computer intrusions and attacks on commercial 
web sites are serious crimes that require a forceful response. Although 
these crimes are widely viewed within the hacking community as little 
more than pranks, they are much more serious, as last week's attacks 
demonstrate.
    Prior to last week's attacks, eBay had established a close working 
relationship with the computer crimes squad within the Northern 
California office of the Federal Bureau of Investigation (``FBI''). 
eBay has long recognized that the best way to combat cyber crime, 
whether it's fraud or hacking, is by working cooperatively with law 
enforcement. Therefore, last year we established procedures for 
notifying the FBI in the event of such an attack on our web site. As 
result of this preparation, we were able to contact the FBI computer 
intrusion squad during the attack and provide them with information 
that we expect will assist in their investigation. In the aftermath of 
the attack, eBay has also been able to provide the FBI with additional 
leads that have come to our attention.
    We believe that this latest attack illustrates the challenge faced 
by law enforcement in the investigation and prosecution of cyber crime, 
and the importance of assuring that the Justice Department is 
adequately funded to meet this challenge. The Internet has become the 
backbone and lifeblood of the new world economy. And it is imperative 
that consumers retain the highest degree of confidence in its 
reliability and security.
    Leading high tech companies can work cooperatively together and 
meet many of the challenges posed by cyber-criminals. But industry 
alone can't solve the problem without establishing a partnership with 
law enforcement. An important element in fighting this kind of cyber 
crime is ensuring that law enforcement both understands the technology, 
and has the tools it needs to work with private industry in 
investigating these crimes.
    The need for an effective Internet law enforcement presence is 
particularly important in areas of the country that have a high 
concentration of high tech companies, such as the Eastern District of 
Virginia and the Northern District of California. Northern California, 
for example, has undergone a radical metamorphosis in the last 20 
years, and is now home to more than 6,000 high tech companies, many of 
which are the leading high tech companies in the world. This growth in 
the high tech industry has been accompanied by a corresponding growth 
in high tech crimes. These crimes are no less a threat to our economic 
viability than conventional crimes, and can be much more difficult to 
investigate and prosecute.
    The areas of the country that have a high concentration of high 
tech companies need resources dedicated to this growing problem. In 
Northern California, for example, the FBI's computer intrusion squad 
and the United States Attorney's Office must be adequately staffed to 
investigate and prosecute high tech-related crime. Such crime is a 
serious issue. Computer intrusions and attacks have become increasingly 
frequent, costing companies billions of dollars each year. Other high 
tech-related crimes, such as theft of trade secrets, sale of 
counterfeit goods on the Internet and theft of computer and high tech 
components, also require intervention by law enforcement. According to 
a 1999 Rand Corporation study, theft of high technology components 
alone costs the industry $5 billion annually. The Justice Department 
cannot hope to keep up with this volume of work unless specific 
resources are targeted to provide them with badly needed agents and 
prosecutors in key high tech regions of the country.
    Likewise, it is impossible to effectively combat cyber crime unless 
law enforcement understands this new medium at least as well as the 
cyber-criminals do. This requires both a sophisticated level of 
training, and up-to-date computer equipment. Private industry can play 
an important role in the training process. For example, eBay already 
provides regular training to law enforcement agencies to help them 
understand Internet commerce and the kinds of information available to 
assist them in finding and gathering evidence of cyber crimes.
    While this partnership between industry and law enforcement can 
play an important role in fighting cyber crime, it cannot substitute 
for the basic tools that law enforcement must have to be effective--
agents, prosecutors, and computer equipment.
    It is important for this Subcommittee to send a message to cyber 
criminals throughout the world that the U.S. Government can and will 
protect e-commerce from criminal activity. But if Congress is to send a 
credible message that cyber crimes will be investigated and prosecuted 
vigorously, law enforcement must have the resources to back up that 
message. We urge you to take this into consideration as you determine 
the appropriate funding level for these important law enforcement 
agencies.
    Thank you for giving us the opportunity to testify today and I 
would be glad to answer questions you may have.
STATEMENT OF JEFF B. RICHARDS, EXECUTIVE DIRECTOR, 
            INTERNET ALLIANCE
    Senator Gregg. Mr. Richards.
    Mr. Richards. Mr. Chairman, I am Jeff Richards, executive 
director of the Internet Alliance, and on behalf of the 
Alliance I want to thank you for this opportunity. We would 
like to give our views on criminal activity on the Internet, on 
the necessity of enforcing laws applicable to that activity, 
and on the need for Federal law enforcement authorities to have 
resources that enable them to better carry out their mandate.
    Since our founding in 1982 as the Videotex Industry 
Association, the Internet Alliance has been the only trade 
association to address online and Internet issues from a 
consumer perspective, consumer confidence and trust. The 
Internet Alliance's 70 plus members today represent more than 
90 percent of consumer access to the Internet in the United 
States and our Law Enforcement and Security Council gather 
senior security officials--in fact, this organization is co-
chaired by AOL and MCI-Worldcom-UUNET--to bridge the gaps 
between industry and law enforcement agencies.
    We are actively then building confidence and trust and it 
is necessary to do that so that this becomes the global mass 
market medium of this century, the Internet century. So the 
Internet Alliance has recognized that the Internet can mature 
really as a revolutionary mass medium and one that is about new 
knowledge relationships and choices but only if we all promote 
the public's trust and confidence. It in the context of that 
trust and confidence that we assess the recent denial of 
service attacks.
    Vandals flooded important web portals and sites with 
spurious requests, rendering them temporarily unavailable, as 
we have heard, to would-be users. For many Americans, last 
week's event marked their first exposure to one of the 
downsides of the Internet's main strengths: its relatively open 
architecture. Consumers could wrongly conclude that the 
Internet is essentially an open sieve for malcontents or 
criminals.
    Internet vandalism has occurred before and it will occur 
again. Destructive, freely distributed software tools are 
created by those with malicious or misguided motives, and more 
will be created in the future. But at the same time, I think 
some perspective is in order. First, the duration of the 
interrupted service was measured in hours, not days. In an 
industry less than a decade old, that record compares favorably 
with electrical power outages during storms or telephone 
service interruptions. When the assault was detected, teams of 
experts employed additional capacity and screening tools--we 
have heard some of those talked about this morning--bringing 
the situation under control.
    I just want to point out this in itself is an impressive 
demonstration of the sophistication and responsiveness of 
service and infrastructure providers. And very importantly, at 
the same time, industry and law enforcement agencies began 
cooperating on these investigations starting that very day. So 
my point is we must not overreact to these events. Whether in 
personal relationships, in the process of democratic 
government, or in the operation of the Internet, openness, Mr. 
Chairman, is always accompanied by a degree of risk. In 
Internet terms, though, then we say openness needs to be 
preserved so that small as well as large enterprises can be 
part of this new economy, so citizens can speak freely, and so 
that the web is truly a global medium.
    So the effectiveness of web attacks can and will be 
reduced. I am confident we are going to steer the right course 
between security on one side and openness and freedom on the 
other, and this hearing is an important one to advance both of 
those goals.
    So at the Internet Alliance, we believe in a simple 
approach: first things first. With respect to crime on the 
Internet, that means focusing on security and on the effective 
enforcement of existing criminal laws. Prosecutions under such 
laws serve two goals equally well, deterrence on the one hand 
and promotion of the public's confidence in the Internet 
medium. Investigation and prosecution of criminal acts in the 
new on-line world pose new challenges for agencies that we have 
heard about today. And as a result, law enforcement ranges from 
some centers of excellence to some haphazardness to some 
serious lacks. I am not just referring to denial of service 
attacks. The situation can extend across several categories of 
crime.
    So now I will speak more broadly and speak specifically of 
the Internet Alliance's support of additional appropriations 
for Federal law enforcement agencies, assuming that those 
resources will be spread among different categories. What are 
some of the keys to improved enforcement of existing laws in 
the Internet space? A short list would include training of 
existing officers in computer and Internet skills and 
application of constitutional and statutory liberties in the 
Internet context. It would include hiring additional experts, 
additional computer and other investigative equipment, and very 
definitely improve coordination and cooperation among law 
enforcement agencies themselves and with the industry. I think 
there has been great progress there and continuing work on 
jurisdictional matters. It would include public education 
efforts to urge consumers to act wisely and cautiously to 
protect themselves online as they do off-line.
    Today, law enforcement is inadequately trained to 
investigate crimes and support effective prosecution of current 
laws in the Internet space. This is no indictment of law 
enforcement agencies. There are centers of excellence within 
DOJ, FBI, some State attorneys general, some State and 
metropolitan police forces, but only a small percentage of law 
enforcement agencies, perhaps 5 percent or less, in the United 
States have the knowledge and skills to prosecute properly 
received Internet related complaints, to adequately investigate 
those crimes and otherwise assist in the successful prosecution 
of Internet criminals.
    We have no reason to believe this situation is better in 
any other nation. To help address these challenges, the IA has 
moved beyond rhetoric in the areas in a number of constructive 
law enforcement related activities and for the Internet 
Alliance these include training, and we heard reference earlier 
this morning, to work with several agencies including 
Department of Justice, FBI, and our Law Enforcement and 
Security Council where we are preparing updated law enforcement 
training and resource materials and a much needed secure 
worldwide directory of key industry and law enforcement 
contacts.
    We must resist, frankly, overreaching, even in the name of 
security, and make certain the constitutional and other 
statutory protections in investigations and prosecutions are 
observed and we think that training is a critical part of 
achieving that.
    And finally, we must also keep clear the distinction of 
roles between industry and law enforcement. We as companies can 
and will do more to help law enforcement succeed in all its 
duties, but industry cannot be made an agent of law enforcement 
as some have proposed abroad.
    Let us return quickly to last week's distributed denial of 
service attacks. Broadly speaking, what can we learn for the 
future? First, we see that widespread prevention at the user 
end; the university that was cited, for example, the local 
system administrator end could have made a difference. This is 
a broad issue that we need to continue to address. It appears 
that many of the computer resources used to launch these 
attacks were not those of ISPs, for example, or networks or 
other Internet companies, but some of those end-user customers 
themselves. That means that all of us must be vigilant and take 
steps to close the backdoors, apply software patches, update 
firewalls, and use proper Internet hygiene.
    Second, we see that the apparent advanced planning, 
coordination, and delayed execution of this launch-on-command 
attack would have evaded real time monitoring and intercepts of 
the Internet by law enforcement, and we do not support at this 
time such steps to a solution.
    Third, the process of identifying and prosecuting those 
responsible, which will increase public confidence and deter 
future vandalism, would be significantly more efficient if law 
enforcement agencies get the financial resources that they 
need.
    In conclusion, each of us can make valuable contributions 
against Internet crime. For our part, the Internet Alliance 
will pursue law enforcement training efforts. We are going to 
prototype the secure directory of industry and law enforcement 
contacts. We will bring forward a carefully crafted proposal 
regarding forgery of header and routing data and we will 
strongly pursue industry best practices in the areas of law 
enforcement and security addressing data retention domestically 
and internationally as an example. Industry itself will 
continue to develop and deploy more and more secure and stable 
hardware and software to improve the consumer Internet 
experience.
    Turning to the government's contribution, we ask Congress 
to support the effective enforcement of current laws through 
increased appropriations and through ongoing oversight and 
encouragement. Thank you. I would be glad to answer any 
questions as best as I can.
    Senator Gregg. Thank you, Mr. Richards.
    [The statement follows:]
                 Prepared Statement of Jeff B. Richards
    Mr. Chairman, Mr. Ranking Member and Members of the Committee, I am 
Jeff B. Richards, Executive Director of the Internet Alliance 
(www.internetalliance.org). On behalf of the Alliance, I thank you for 
the opportunity to give you our views on criminal activity on the 
Internet, on the necessity of enforcement of the laws applicable to 
that activity, and on the need of federal law enforcement authorities 
for resources that would enable them to better carry out their mandate 
to protect law abiding citizens and businesses from criminals.
    Since its founding in 1982 as the Videotex Industry Association, 
the Internet Alliance (IA) has been the only trade association to 
address online Internet issues from a consumer Internet online company 
perspective. Through public policy, advocacy, consumer outreach and 
strategic alliances, the IA is building the trust and confidence 
necessary for the Internet to become the global mass-market medium of 
this century, the Internet Century. The Internet Alliance's 70-plus 
members represent more than ninety percent of consumer access to the 
Internet in the United States. IA's Law Enforcement and Security 
Council brings together senior security officials of key IA members to 
bridge the gaps between industry and federal, state, and international 
law enforcement agencies. It benefits from IA's unique presence--in the 
fifty states, Washington and abroad--to increase its knowledge and 
leverage. Since May of 1999, the Internet Alliance has been a separate 
subsidiary of the Direct Marketing Association, bringing the resources 
of a 4,500-member organization to bear on Internet issues and their 
resolution.
The Internet Century
    Coming as it did at the end of the last millennium, the sudden and 
exponential growth of the consumer Internet over the past ten years 
will undoubtedly be seen as a portent of things to come in the new 
``Internet Age.'' Less than a decade after the development of the first 
Web browser, billions of dollars were spent online in 1999. The range 
of transactions was broad indeed--from books and records to food and 
wine, from computers and exercise equipment to automobiles and houses, 
from pay-to-view webcasts and news alert subscriptions to online 
banking and computer training. In short, The Internet is transforming 
the American economy and consumerism itself.
    Growing public acceptance of the Internet has important 
implications. For consumers, the new medium has brought a range of new 
options, accompanied by some new and different worries. For business, 
the Internet has brought new methods of reaching customers, as well as 
new competition from unfamiliar places. For the U.S. government, online 
commercial activity has created a vast new economic sector, an engine 
of productivity that renews many familiar challenges and generates a 
few new ones.
    By any reasonable measure, however, the Internet has been a 
positive development for consumers, business and government. By most 
accounts, the rise of the Internet has been a key factor in the 
sustained economic growth of 1990s America, helping to put record 
numbers of Americans to work and generating productivity increases that 
have in turn helped buy down federal and state budget deficits, tame 
inflation, and create the circumstances for a record period of economic 
growth.
Consumer Confidence and Trust
    The Internet Alliance has always recognized that the Internet can 
mature as a revolutionary mass medium, successfully empowering 
consumers through new knowledge, relationships and choices, only if it 
promotes the public's confidence and trust. The process of increasing 
consumer confidence and trust has led the Internet industry to 
vigorously address a range of policy issues, including privacy, 
unwanted commercial e-mail, information security, enforcement of the 
laws on the Internet, marketing to children, taxation, and 
international jurisdiction and consistency. Of particular relevance to 
the topic of this hearing, in 1999, the Internet Alliance inaugurated 
its Law Enforcement and Security Council, bringing together experts 
from leading companies to undertake concrete law-enforcement-focused 
projects, to regularize contacts between law enforcement and industry, 
to find points of agreement and join efforts with non-U.S. Internet 
organizations, and to work on ``best business practices.''
Denial of Service Attacks
    Let me first add some perspective about the recent denial of 
service attacks reported prominently in the media beginning February 7. 
Vandals flooded important Web portals and sites with spurious requests, 
rendering them temporarily unavailable to would-be users. While I 
cannot comment on ongoing investigations, we take denial of service 
attacks seriously, both for the damage they do and for the perceptions 
they create. For many Americans, last week's events marked their first 
exposure to a downside of one of the Internet's main strengths--its 
relatively open architecture. Consumers could erroneously conclude that 
the Internet is essentially an open sieve for malcontents or criminals.
    Granted, Internet vandalism has occurred before, and doubtless will 
occur again. Destructive, freely distributed software tools are 
available to those with malicious or misguided motives, and more will 
be created in the future.
Maintaining Our Perspective
    At the same time, I think some perspective is in order. First, the 
duration of interrupted service was measured in hours, not days. In an 
industry less than a decade old, that record compares favorably with 
electrical power outages during storms or periods of heavy usage, and 
with phone service interruptions. When the assault was detected, teams 
of experts deployed additional user capacity and screening tools, 
quickly bringing the situation under control. This is an impressive 
demonstration of the sophistication and responsiveness of service and 
infrastructure providers. At the same time, industry and law 
enforcement agencies began cooperating on investigations seeking to 
identify and prosecute those responsible.
    What is new about the events of the last ten days is the level of 
public awareness and scrutiny. In turn, this offers us a renewed 
opportunity to further improve our performance. Industry must continue 
to develop and deploy effective technologies and countermeasures, with 
the Internet itself increasingly serving as a platform for solutions 
providers.
    At the same time, we must not overreact. Whether in personal 
relationships, in the processes of democratic government, or in the 
operation of the Internet, openness always is accompanied by a degree 
of risk. We would not think of abandoning these benefits because of 
their risks--we accept risks even while trying to reduce them. Thus the 
goal is not to achieve perfect security at any cost; it is to find an 
acceptable balance, and thereafter to work on improving the terms of 
that balance. In Internet terms, openness needs to be preserved so that 
small as well as large enterprises can be a part of the New Economy, so 
that citizens may continue to speak freely, and so that the Web is 
truly a global medium.
    The effectiveness of Web attacks can and will be reduced. And I am 
confident that we will steer a wise course between security on the one 
side, and openness and freedom on the other. This hearing is one 
important opportunity to advance both goals.
First Things First
    At the Internet Alliance, we believe in a simple approach--``first 
things first.'' With respect to crime on the Internet, that has meant 
focusing on security and on the effective enforcement of existing 
criminal laws. Prosecutions under such laws serve two goals equally 
well: deterrence, and promotion of the public's confidence in the 
Internet medium. However, investigation and prosecution of criminal 
acts in the new online world pose new challenges for law enforcement 
agencies. As a result, law enforcement online ranges from haphazard to 
nearly nonexistent. Our Federal agencies have led the field, developing 
the most skilled corps of professionals and the greatest depth of 
experience in the world. But unless they get additional resources, they 
will be unable to enforce federal laws properly and will have little 
capability to help upgrade state and local agencies.
    I am not referring just to denial of service attacks. The situation 
extends more or less across all categories of crimes. Thus, the 
remainder of my comments will speak more broadly, and the IA's support 
of additional appropriations for Federal law enforcement agencies 
assumes those resources will be spread among different categories 
according to need, urgency and the degree of improvement expected in 
each.
    What are some of the keys to improved enforcement of existing laws 
in the Internet space?
    A short list would include training for existing officers in 
computer and Internet skills, and in the application of constitutional 
and statutory civil liberties in the Internet context. It would include 
additional computer and other investigative equipment, and the hiring 
of additional personnel to investigate and prosecute Internet crimes, 
as well as to improve coordination and cooperation among law 
enforcement agencies themselves and with the Internet industry, 
continuing work on jurisdictional matters. And it would include public 
education efforts to urge consumers to act as wisely and cautiously to 
protect themselves online as they do offline.
    Today, law enforcement is inadequately trained to investigate 
crimes and support effective prosecution of current laws in the 
Internet space. This is no indictment of law enforcement agencies. 
There are some centers of excellence within the Department of Justice 
and the Federal Bureau of Investigation, some state Attorneys General 
offices, and a few metropolitan police forces. However, only a small 
percentage, probably well under five, of law enforcement agencies in 
the United States have the knowledge and skills to properly receive 
Internet related complaints, adequately investigate those crimes 
through online and offline resources, develop and maintain admissible 
evidence, refer complaints through the system, network with experts, 
and otherwise assist in the successful prosecution of Internet 
criminals. We have no reason to believe the situation is any better in 
other nations.
    And superimposed on the challenge of adding personnel and upgrading 
skills and equipment is the evolving nature of the Internet and the 
speed of action the new medium makes possible. Today, law enforcement 
too must move on ``Internet time,'' and that takes prioritization, 
continual training and management focus.
    Finally, the nature of the Internet requires us to seek a wise 
balance among local, national, and international law enforcement, 
especially as we negotiate the ground rules of this first global 
medium. We know that today citizen complaints may enter the system at 
any level of jurisdiction. The Internet is simultaneously intensely 
local and intensely global. The Internet will be a vehicle--one among 
many--for the commission of criminal acts within communities. The IA 
tracks state laws, and we know that in this state legislative cycle, we 
may see more than 2,200 Internet-related bills. So at least in the 
foreseeable future, the Internet and law enforcement will be 
intertwined at far more than the federal level.
Concrete Steps Going Forward
    IA has moved beyond rhetoric in a number of constructive law-
enforcement related activities. These include:
            Training
    In coordination with several agencies, including the Department of 
Justice and the FBI, the Internet Alliance's Law Enforcement and 
Security Council is preparing updated Internet law enforcement training 
and resource materials. While many of our members already provide 
briefings, materials and consultations for the law enforcement 
community as requested, needs may soon outstrip individual companies' 
capabilities. By combining our experience, the IA can provide both 
basic introductory and updated, advanced materials to increase law 
enforcement's expertise and success. This is a commitment we undertake 
knowing that industry's roles are distinct from those of law 
enforcement, but that we can help each other where they converge.
            Coordination
    Cooperation among law enforcement agencies is another basic aspect 
of a ``first things first'' philosophy. Again, we applaud the 
leadership of those who have built expertise and a track record of 
successful enforcement and prosecution. We also believe that since the 
Internet has grown so quickly, it has now outstripped the often ``ad 
hoc'' communications among agencies. We encourage law enforcement at 
all levels to share techniques and their own ``best practices'' rapidly 
and thoroughly.
    IA recognizes that coordination among international enforcement 
agencies is necessary to adequately fight crime on the borderless 
Internet. In September of last year, IA assumed a leadership role at an 
international conference of enforcement agencies in Vienna, Austria, 
for the first time catalyzing a constructive business/government 
dialogue on tackling specific Internet crimes.
    Domestically, we are giving input to the FBI, at its request, in 
the development of reporting mechanisms for the new Internet Fraud 
Reporting Center. In another initiative we respond to the fact that the 
Internet industry itself has not always been easily accessible to law 
enforcement. Accordingly, in conjunction with DOJ's recently announced 
``24/7'' computer crime personnel network, the Internet Alliance's Law 
Enforcement and Security Council is prototyping a secure online 
directory of law enforcement and industry contacts. By consulting this 
list, law enforcement officers will quickly identify and be able to 
contact designated individuals within Internet companies who are 
responsible for responding to their requests.
    We firmly support the appropriation of new federal dollars to bring 
enforcement of current laws into the Internet Century. As new resources 
are made available, the continuing challenge will be to apply them 
optimally, and to make certain that this financial commitment is not 
merely a short-term focus for policymakers, nor on the other hand, a 
platform for front-line monitoring of Internet activities generally. 
Priorities should be clear and rational. We need to include local and 
international law enforcement, industry and problem-solving 
organizations such as ours. Our consumers, and your constituents, 
should expect nothing less.
Forging Header and Other Routing Information
    Based on our industry experience, the Internet Alliance believes 
that one tightly tailored legislative approach would be useful in 
diminishing distributed denial of service attacks, as well as a 
fundamental problem affecting consumers and ISPs--unwanted commercial 
e-mail sent through forged header and other routing information. We 
value the Internet's open architecture and we value commercial and 
other speech. We also see that both are undermined by the deliberate 
forgery of key message header and routing information. We will soon 
offer to Congress a tightly focused legislative proposal aimed at these 
forgeries. We believe that it will preserve the benefits of the 
Internet to millions of consumers and to our economy while making 
criminal the act of forging these important technical data upon which 
the Internet infrastructure relies.
Resisting A Crisis Mentality
    The recent denial of service attacks may lead to calls for new laws 
and new police powers. We respect the motives for these calls, but we 
have serious misgivings about responding quickly, and we urge this 
Subcommittee and the Congress to exercise caution and scrutiny. When 
current law is not sufficiently enforced, there are numerous risks in 
pursuing new ones. We must build the solid track record of enforcement 
in the current environment before we can accurately determine what 
further steps are needed. We must not pass laws of dubious 
enforceability, risking erosion of the public's confidence in law 
enforcement and in the Internet. We must resist overreaching, even in 
the name of security, and make certain that constitutional and 
statutory protections in the investigation and prosecution of Internet 
crimes are observed.
    The world is watching the United States carefully. There are 
nations who would like to exercise control over Internet traffic and 
content, curtail U.S. innovation and global opportunities, and bend 
technical advances to their own purposes. Our national policy has been 
to resist these developments through negotiation, persuasion and 
example. Action by Congress to grant new powers to law enforcement to 
monitor or control Internet activities will be cited by these nations 
to undermine U.S. moral authority and to justify their own activities.
    We are wise instead to ensure that our traditional criminal law 
restraints and balances are carried over into the Internet context. We 
are wise to invest and prioritize wisely, and to build international 
cooperation based on well understood legal and law enforcement 
principles. And we will all build consumer confidence and trust through 
making clear our governments' enforcement and prosecution prowess, 
rather than communicating encouragement of additional government 
surveillance of citizens. At a time when concern about privacy is 
intense both in the U.S. and Europe, we risk too much by appearing 
willing to skip over the fundamentals. Basics should indeed come first.
    We are also on solid ground when we keep clear the distinction in 
roles played by industry and law enforcement. For industry, the 
influence of the marketplace is overwhelming. Increasingly, companies 
will be scrutinized and judged by consumers on their security practices 
and their investments in technology advances. Companies and 
associations of companies have done and will do more to give consumers 
a reliable, satisfying and productive Internet experience than any 
other sector of society. They can and will do more to help law 
enforcement succeed in its duties. But industry cannot and must not be 
made an agent of law enforcement, as some have proposed abroad.
Lessons Learned
    Let's return to last week's distributed denial of service attacks. 
Broadly speaking, what can we learn for the future? First, we see that 
widespread prevention at the user end--the local system administrator 
end--could have made a difference. Generally, we promote the idea that 
security must be a high priority for all entities connected to the 
Internet. This means not only commercial backbone and access providers 
and web site hosts and merchants, but also not for profit and other 
providers and users. It appears that many of the computer resources 
used to launch the attacks were not those of ISPs, networks or other 
Internet companies, but in fact ``end users'' themselves. This means 
that all of us must be vigilant, and must take steps to close ``back 
doors'', apply software patches as they become available, update 
firewalls and use proper Internet hygiene. In the coming days and 
weeks, you can expect that many of us in the Internet community will be 
proposing specific recommendations about system administration, 
especially as details surrounding the attacks are made clear. Second, 
we see that the apparent advanced planning, coordination, and delayed 
execution of the ``launch on command'' attacks would have evaded real 
time monitoring and intercepts of the Internet by law enforcement, and 
do not support such steps as a solution. Third, the process of 
identifying and prosecuting those responsible for the attacks, a 
process which will increase public confidence in the Internet and 
hopefully deter future Internet vandalism, would be significantly more 
efficient if the federal law enforcement agencies had the financial 
resources they need.
Conclusion
    Each of us can make valuable contributions in the fight against 
Internet crime.
    For its part, the Internet Alliance will pursue its law enforcement 
training efforts. We will prototype the secure directory of industry 
and law enforcement contacts. We will bring forward a carefully crafted 
proposal regarding forgery of header and routing data. And we will 
strongly pursue industry ``best practices'' in the areas of law 
enforcement and security addressing matters such as data retention 
domestically and internationally. Industry itself will continue to 
develop and deploy ever more secure and stable hardware and software to 
continually improve the consumer Internet experience.
    Turning to the government contribution, we ask the Congress to 
support the effective enforcement of current laws through increased 
appropriations and through ongoing oversight and encouragement.
    Thank you. I will be glad to answer any questions to the best of my 
ability.

STATEMENT OF MARK RASCH, VICE PRESIDENT, CYBERLAW, 
            GLOBAL INTEGRITY CORP.
    Senator Gregg. Mr. Rasch, I understand you are with Global 
Integrity, and we would appreciate any comments you might have.
    Mr. Rasch. Yes. Good morning, Chairman Gregg. Thank you for 
inviting me to testify today on the important issue of Internet 
security. I am Mark Rasch, and I am vice president of Global 
Integrity. We are a subsidiary of Science Applications 
International Corporation, and we are located in Reston, 
Virginia. What we do is we work with banks and Fortune 100 
companies along with Internet companies, dot-com companies and 
the like, and help them develop secure architectures. We help 
them respond to computer security incidents, and we help them 
monitor their firewalls and things like that dedicated to 
information protection.
    Before I joined Global Integrity, I was a trial attorney 
with the Fraud Section of the Criminal Division of the Justice 
Department responsible for investigating and prosecuting 
computer and high technology crimes. Among the cases I worked 
on were the investigation and prosecution of Robert Morris, the 
Cornell University graduate student who created a computer worm 
back in 1988 that shut down 10 percent of the computers on the 
Internet. At that time, that was about 6,000 computers. There 
are probably more than that right now in a three square block 
radius in Concord, New Hampshire.
    I also worked on the investigation and prosecutions of the 
Cuckoo's Egg cases. That was a case involving foreign espionage 
against the United States by computer and the investigations of 
Kevin Mitnick, a hacker who was recently released from jail in 
California.
    At the time I left the Justice Department in 1991, the 
Computer Crime Unit consisted of me on a part-time basis. Right 
now, the Computer Crime Unit has a Computer Crime and 
Intellectual Property Section of the Justice Department which 
has more than 18 attorneys and that number continues to grow.
    As you requested, I would like to address three principal 
topics today. First is the nature of the threats against the 
infrastructure, particularly the commercial infrastructure, the 
vulnerabilities and trends that we have seen in cyberspace. 
Second, I would like to address what the private sector is 
doing and can do in the future on its own to help protect the 
critical infrastructure. And the third thing is the proper role 
of law enforcement and the role of the government in general in 
helping to protect and defend cyberspace.
    The distributed denial of service attacks last week against 
these companies here have made painfully clear that there are 
very few rules in cyberspace. Information security has to a 
great extent been the stepchild of electronic commerce. For 
America to remain competitive and foster the growth of 
electronic commerce with its increases in productivity and 
convenience, it is essential that we protect the critical 
infrastructure. The gravamen of the situation is essentially 
this. There are genuine threats to electronic commerce and 
privacy and security of digital information, but none is so 
significant that they should long deter us from continuing on 
the path towards the growth of electronic commerce.
    The same Internet that empowers a single individual to 
obtain a lower interest rate on a home mortgage or buy 
something from eBay at a lower price also would empower someone 
from a basement or garage in Concord, New Hampshire to get 
information about a transaction in say Charleston, South 
Carolina, or break into a dot-com business in Palo Alto, 
California. The Internet is no respecter of borders or 
sovereignty. Government, in general, and the U.S. Government in 
particular, does have a legitimate role in helping make the 
Internet more robust, more secure, and more dependable by 
helping design more dependable computer systems.
    But the government should not use the general insecurity 
about online commerce as an opportunity to take upon itself new 
powers of investigation, new powers to compel cooperation or 
reporting or new opportunities to increase the regulatory 
burden on those doing e-business. The government can, though, 
do more to be a partner with e-business with the commercial 
sector and to promote trust and confidence in its abilities and 
its dedication to security.
    First question is, of course, is the sky falling? And the 
answer to that is maybe. What we see from last week's attacks 
against these various electronic companies is essentially a 
wake-up call, but it is not the first wake-up call. We have had 
a series of wake-up calls that have shaken the industry and 
said we need to do something about security. I want to 
emphasize the fact that none of the sites mentioned here were 
actually hacked themselves. What actually happened was these 
automatic programs monitored the networks and then broke into 
other people's sites using known vulnerabilities, widely known, 
widely publicized vulnerabilities.
    Had those vulnerabilities been effectively fixed by the 
sites that were broken into, this attack could not have taken 
place. So if we can fix the problems we know about, we will be 
90 percent of the way there. Cybercrime represents a real and 
growing threat although it is difficult to measure its scope. 
Reporting of cybercrime is limited by virtue of the difficulty 
in detecting it, and, in fact, a study that was done by the Air 
Force indicated that fewer than 9 percent of cybercrimes are 
ever even detected, much less reported, much less investigated, 
much less prosecuted.
    So there is another problem as well and that is the 
understandable reticence, especially in the commercial sector, 
to report cybercrime because of the nature of electronic 
commerce being dependent upon not only security but also on 
confidence.
    We did detect the following trends over the last year, 
however. First of all, distributed attacks, the type that we 
have seen here last week, specifically indicated by the 
activities of late 1999 and last week, are increasing. 
Compromising the same vulnerabilities in systems is the 
predominant method of attack. Hackers use the same old tricks 
that they have been using for years to break in. Most incidents 
and penetrations seem to be crimes of opportunity. Although 
there may be significant planning involved in them, they break 
in where they feel they can break in.
    The release of point and click tools--these are complete 
programs that are available on the Internet that you can 
download--have made it easier for teenage hackers and others to 
simply download programs and break into people's computers. 
These can be perpetrated by what we call ``script kiddies'' who 
download the tools and more sophisticated hackers can take 
these same tools and alter them. I would guess that the types 
of attacks we saw last week could be perpetrated again next 
week if somebody simply altered the programming and made them 
appear somewhat different.
    Generally speaking, attack coding has become more 
sophisticated, and it has been very creative. Media exposure 
seems to be at least one of the catalysts for many of the 
attacks and appears to correlate to web attacks and hacks. 
These are attacks on people's web sites. Organizations 
appearing prominently in the news or those launching new 
advertising campaigns or IPOs tend to be the ones that seem to 
be the targets of many of these hackers.
    Also, the electronic workplace has bred a certain degree of 
disloyalty among employees. Because they work and take a more 
independent and individual view of their job and their work and 
because of the emergence of these dot-com millionaires and the 
IPO frenzies and the ease in starting one's own business, there 
is a tremendous amount of competition to obtain intellectual 
property. As a result, we see sophisticated attacks against 
computer systems in order to steal intellectual property which 
then can be utilized in competition with other companies.
    We live in a world where more information that is more 
connected and is more sensitive is contained on more computers. 
Those computers are more connected to each other, more 
vulnerable to attack, and, therefore, we need to take 
electronic commerce security extremely seriously.
    Now, the next question is what is the private sector doing, 
and how can they do more? It is difficult to generalize about 
an entire industry, particularly an industry that is moving as 
quickly as the e-commerce industry is moving. Some commercial 
enterprises, particularly in the banking and financial services 
industry, which have a tradition of security, have taken the 
problem very seriously. Newer e-commerce companies like eBay, 
where security is perceived to be important, have taken 
tremendous steps as well.
    On the other hand, there are companies out there, and 
thousands of them, where there is a competition for resources 
and where they have a choice of promoting more functionality or 
more security, they may choose the easy route and take more 
functionality. And, therefore, the institutions like banks, 
brokerage houses, and insurance companies are generally well 
secured. They have done a number of things in the past several 
years to help promote even increasing security. I would like to 
speak about two of them right now.
    As a result of Presidential Decision Directive 63, PDD-63, 
the Commerce Department, the Securities and Exchange 
Commission, and other areas of the government have promoted a 
private enterprise of cooperation among the financial services 
industries called the ISAC. This is the Information Sharing and 
Analysis Center, and the FS, or Financial Services ISAC acts as 
a clearinghouse of information about information security 
threats, vulnerabilities, and incidents, and so what the FS 
ISAC does is it acts as a mechanism for these disparate 
companies to share information on a real-time basis about 
attacks that are going on.
    One of the problems is that companies do not like to report 
these types of incidents for a variety of different reasons. 
What the FS ISAC allows them to do is to share the information 
in an anonymous and confidential and secure manner. That is 
just one of the things that the financial services industry is 
doing to help make themselves more secure.
    Another thing is the Banking Industry Technology 
Secretariat, or BITS, which is a group of various banks and 
other financial institutions, has formed something called the 
BITS Laboratory. What the BITS Laboratory does is it will test 
any products, whether it is hardware or software, biometric 
devices, bill payment systems, operating systems, e-mail 
systems and the like, against a set of common criteria. They 
establish a set of criteria, and this is run by Global 
Integrity, and then the products get to be tested against that 
criteria and get essentially what amounts to the Good 
Housekeeping Seal of Approval.
    Once the product is then tested and cleared for the 
security criteria, then other banks and financial institutions 
can buy these products with a reasonable degree of confidence 
and belief that the product is reasonably safe. What this 
eliminates is the possibility that products get shipped to 
banks or financial institutions with default settings that are 
insecure. Essentially we would run the same types of hacker 
tools against these products that the hackers would to test 
them before they get into the banks or financial institutions.
    Now no method of security is going to be 100 percent 
effective. But these are some of the mechanisms that at least 
the financial services industry, which represents about 70 
percent of the work that we do, are doing to protect 
themselves. This model of information sharing within the FS 
ISAC is going to be perpetrated against other of the critical 
infrastructures. Another model is the National Secure 
Telecommunications Advisory Commission or NSTAC that acts in a 
similar capacity for sharing information about vulnerabilities 
in the telecommunications industry. So we will see similar 
types of ISACs that are going to be developed in the energy 
sector, in the telecommunication sector, the power sector, and 
other sectors as to that.
    Now, the next question is what is the role of law 
enforcement and the appropriate role of law enforcement? There 
has been a lot of debate about that. Just as protecting the 
highway system is not the exclusive role of the police 
department, protecting the information superhighway is not 
exclusively or even primarily the role of law enforcement. Law 
enforcement's role is, in fact, that. It is to enforce the law, 
to arrest offenders, to investigate criminal activity, but it 
need not be only reactive. It has a proactive role as well.
    Just as in the Nation's highway system, the Department of 
Transportation, for example, does highway planning to make sure 
that the roads are safe, to set standards for trucks and cars 
and vehicles on the highway, I think that the government has a 
legitimate role in setting standards and helping to set 
standards for security and for interoperability on the 
information superhighway.
    However, one of the problems we have is a fundamental 
distrust between the commercial sector and law enforcement. 
This is not to say that eBay is not going to be calling the 
police or the FBI when they get hit by an attack or things like 
that because by and large I found that the commercial sector 
wants to do the right thing. They want to report criminal 
activity. They want to know who to call, and they want to work 
cooperatively.
    I have also found that law enforcement, by and large, wants 
to work cooperatively with the commercial sector. However, what 
we find is, for example, if you are buying a commercial 
encryption product that has been ``approved,'' and I use that 
term in quotes, by the National Security Agency, there will be 
a perception in the commercial sector that that product has 
been in some way deliberately weakened and, therefore, there 
will be a fundamental mistrust of it.
    That problem is also emphasized in the area of incident 
response. By and large, as I said, the commercial enterprises 
want to do the right thing and call the FBI or call the Secret 
Service when there has been an incident. However, one of the 
things that you find is that when there has been an incident, 
there is a reluctance in the commercial sector to call law 
enforcement because they are afraid of losing control over the 
investigation, losing control over their resources. There is a 
concern that the FBI might come in there and say, ``tell me 
what was the computer that was hit?'' You would point to a 
particular computer and say, ``that is our main server that is 
serving all of our Internet traffic, that was what was hit.'' 
And the FBI will say, ``well, we need that for evidentiary 
purposes,'' and walk away with a handcart and your main server.
    So we need to have better coordination and education 
between the commercial sector and between the FBI and other law 
enforcement agencies so that they each understand each other's 
positions, and so they are each more sensitive to each other's 
positions as well.
    So we see one of the problems is a problem of simple 
cooperation, coordination, and communication. We need to do 
more of both in the commercial sector and in the law 
enforcement sector to promote that. One of the problems is that 
to the FBI and law enforcement, a successful case is when there 
is a public attack on a site and they are able to arrest a non-
juvenile defendant, have a swift and public prosecution, 
resulting in a conviction and a sentence which will act as a 
deterrent both to that individual and to others as well.
    However, in many cases to the private sector such a result 
would be disastrous. The public nature of the trial would 
reveal the very vulnerabilities that were used and exploited to 
attack the system in the first place. It would result in a 
decrease in confidence by the public in electronic commerce in 
general and in security. So, generally, we have found that 
companies that have reported computer security incidents lose 
anywhere from 10 to 100 times as much money as a result of the 
reporting, and the public nature of that reporting, than they 
lost in the actual attack itself.
    Additional problems plague law enforcement agencies as 
well. It is difficult, if not impossible, for them to train and 
retain staff skilled in the subtleties and nuances of new high 
technology crime scenes. The pace of technological change 
coupled with the lure of the private sector may discourage all 
but the most dedicated staff from remaining within law 
enforcement. Law enforcement is also used to dealing with other 
law enforcement agencies in coordinating criminal responses.
    In the new Internet era, however, the primary investigators 
are no longer those with badges and guns. Computer crimes are 
initially investigated by the 23-year-old system administrator 
who happens to be on duty at 4 o'clock in the morning. That is 
the person who is investigating the computer crime. Then they 
call the IT professionals who call the legal staff within the 
company who then call the security staff within the company, 
and, eventually, law enforcement may be called.
    So when law enforcement, the Federal law enforcement 
agencies, are training and helping train the State law 
enforcement agencies as being the quote ``first responders'' to 
the crime scene, by the time the law enforcement gets called in 
any capacity, they are already down to the 20th or 30th 
respondent. So we need to do more to train commercial 
enterprises about how to collect and manage evidence for the 
purposes of later prosecution.
    Add to this the problem of the fast pace of change of both 
law and technology, differences in rights to privacy in various 
countries, the inability of any individual law enforcement 
agency to act beyond its borders, and the transnational nature 
of computer crime, and we are left with serious impediments to 
relying upon law enforcement as a means of prevention of 
computer crime.
    There are a few things that I mentioned in my prepared 
testimony that law enforcement does need to do and that the 
government needs to do. Among these are helping to set 
standards working with NIST, working with the commercial 
sectors, working with companies like Cisco and IBM, to help set 
standards for the Internet and for Internet security; to help 
fund additional research and development into security 
protocols; letting the commercial sector be part of the 
development of the laboratory facilities; letting the 
commercial sector both get training and give training to law 
enforcement agencies; additional funding for education and 
training, not just at colleges and universities but also 
specialized training for law enforcement and for the commercial 
sector.
    Providing additional technical support to companies both 
within law enforcement and within the Department of Commerce; 
promoting new security technologies both as a consumer and as a 
developer of security technologies; and most important, the 
government needs to lead by example. The government needs 
itself to protect its own critical infrastructure, develop new 
technologies and new methodologies to protect itself, and then 
share these technologies with the commercial sector.
    Finally, there are some things that the government should 
not do. The government should not seize the publicity 
surrounding these recent attacks to take upon itself new powers 
or new regulations or impose new burdens on those operating in 
the web. Any such regulations are likely to be ineffective, 
counterproductive, and impose a disproportionate compliance 
burden on U.S. companies.
    The government must respect the fundamental rights to 
privacy, including a respect for anonymity where appropriate. 
For political and social discourse to flourish on the web in 
America and abroad, governments must agree not to unduly burden 
the privacy rights of the electronic community. The government 
should not use the legitimate threats to computer systems as a 
justification for increased monitoring or surveillance of its 
citizens or of others. While much of the traffic on the 
Internet is public in the sense that the IP traffic is 
transmitted over public networks, the government should not 
create a database of normal traffic patterns or surveil 
otherwise innocent Internet traffic.
    Most importantly, the government should not rush to pass 
new laws or new regulations unless and until it has 
demonstrated that current legal regimes are both inadequate to 
solve the problems and are not preserving other fundamental 
rights or liberties. We should not sacrifice liberty at the 
alter of security.
    The final question is whether or not we need new laws?
    Senator Gregg. Unfortunately we are running out of time 
here. Can we take that in your submission, Mr. Rasch?
    Mr. Rasch. Yes. Thank you, Mr. Chairman, and I will be glad 
to answer any questions you might have.
    [The statement follows:]
                  Prepared Statement of Mark D. Rasch
    Good morning Chairman Gregg, Senator Hollings, and members of the 
Subcommittee. Thank you for inviting me to testify today on the 
important issue of Internet Security. My name is Mark Rasch, and I am a 
Senior Vice President of Global Integrity Corporation, a wholly owned 
subsidiary of Science Applications International Corporation (SAIC) 
located in Reston, Virginia. Global Integrity works as an information 
security consulting company and resource for Fortune 100 companies, 
including online businesses, banks, brokerage houses, insurance 
companies, telecommunications and entertainment companies and other 
``dot com'' industries. In this capacity, we test the overall computer 
security of our clients' sites, help them develop secure information 
architectures, and help them respond to attacks and incidents. We 
monitor and report to our clients about the most recent threats and 
vulnerabilities in cyberspace, and help them cooperate with regulators 
and law enforcement agencies where required or where appropriate.
    Before joining Global Integrity, I was a trial attorney with the 
Fraud Section of the Criminal Division of the United States Department 
of Justice, principally responsible for investigating and prosecuting 
all computer and high technology crimes, including the prosecution of 
the Robert Morris Cornell Computer ``Worm,'' and investigations of the 
Hannover Hackers of Clifford Stoll's ``Cuckoo's Egg'' fame, and 
investigations of Kevin Mitnick, the recently released computer hacker 
from California. When I left the Department of Justice in 1991, I was 
the sole attorney in the computer crime unit--and that was on a part-
time basis. The Computer Crime and Intellectual Property Section of the 
Department of Justice today consists of more than a dozen attorneys and 
continues to grow.
    As you requested, Chairman Gregg, I would like to address three 
principal topics today: the nature of the threats, vulnerabilities and 
trends in cyberspace and what the private sector is already doing about 
them; what, in my opinion, the government should and should not do to 
help protect the nation's critical infrastructure; and the adequacy of 
current law to combat cyber attacks on commercial systems.
    As the Distributed Denial of Service attacks against Yahoo!, 
Amazon.com, e-Bay and e-Trade last week have made painfully clear, 
there are few rules in the electronic frontier, and information 
security has, for many, been the step-child of electronic commerce. For 
America to remain competitive--and to foster the growth of electronic 
commerce with its concomitant increases in productivity and 
convenience--protecting the critical electronic infrastructure is 
imperative.
    The gravamen of the situation is essentially this. There are 
genuine threats to electronic commerce and to privacy and security of 
digital information, but none so significant that they should long 
deter or delay the growth of this wonderful technology. The same 
Internet that empowers a single individual to obtain a lower interest 
rate on a home mortgage by negotiating online empowers an individual 
hacker in a basement garage in Concord, New Hampshire to get 
information about a transaction in Charleston, South Carolina, or to 
shut down a dot com business in Palo Alto, California. The Internet is 
no respecter of borders or of sovereignty. Government in general, and 
the U.S. government in particular, has a legitimate interest, and 
therefore a legitimate role, in encouraging the development of more 
secure, more robust, and more dependable computers and computer 
systems. However, government should not use the general insecurity 
about online commerce as an opportunity to take upon itself new powers 
of investigation, new powers to compel cooperation or reporting, or new 
opportunities to increase the regulatory burden on those doing e-
business. The government can, though, do more to be a partner with the 
commercial sector and to promote trust and confidence in its abilities 
and its dedication to security.
    No remarks of a lawyer would be complete without a disclaimer. 
Therefore, the Subcommittee should understand that while my remarks 
this morning represent the general views of Global Integrity and its 
parent, SAIC, as with any company of almost 40,000 employees, no single 
individual can truly represent all of the views of any collective 
entity. Moreover, while my views are colored by the work we have done 
with commercial enterprises--particularly in the financial services 
industry--I cannot and do not purport to speak for these entities. I 
don't think that they would be reticent about expressing their own 
views on this matter if asked.
The Sky is Falling?
    The first question raised by the recent Distributed Denial of 
Service (dDOS) is whether this means that Chicken Little was right. Is 
the sky actually falling? The answer is, of course, maybe. The recent 
attacks have emphasized the inherent fragility of the public Internet 
that we have come to rely upon. The attacks themselves are not new, nor 
are the methods for perpetuating them. It is important to emphasize the 
fact that none of the ``affected'' websites--Yahoo!, e*Trade, e-Bay or 
CNN--were themselves ``hacked.'' Nobody broke into these sites, nobody 
stole sensitive information from these sites, and nobody altered or 
damaged information resident on these sites. While there is some 
comfort to be found in these observations, the fact that a hacker or a 
few hackers, using a well known and fairly well publicized methodology, 
could nonetheless cripple these sites (albeit for a short period of 
time) demonstrates the interdependence of those on the web, and the 
vulnerability of all netizens to such attacks.
The Rise In CyberAttacks
    According to Department of Justice statistics, cybercrime cases 
have increased 43 percent from 1977 to 1999. Reports and analyses 
conducted by the Computer Security Institute, the FBI, the Computer 
Emergency Response Team, SANS, as well as Global Integrity 
Corporation's data confirm the increase of computer related incidents 
and cyber attacks. By incorporating and synthesizing all available data 
from government studies, private industry surveys, research/academic 
research, information security reports, law enforcement statistics, 
public data and media reports and, most importantly, the live data, 
intelligence, and incidents worked by GLOBAL INTEGRITY, we have 
identified the following trends in cyber attacks:
  --Distributed attacks are increasing, specifically indicated by the 
        activity in late 1999 through the events of last week.
  --Compromising the same vulnerabilities in systems is the predominant 
        method of attack. Attackers are using the known and publicized 
        security holes to compromise systems.
  --Most incidents and penetrations seem to be attacks of opportunity.
  --The release of point and click tools (complete programs, scripts 
        and virus recipes) has made the ability to hack very easy and 
        accessible to everyone. The numbers of attacks and door 
        knocking have reflected this increase in accessibility and 
        ability. The attacks can be perpetuated by so called ``script 
        kiddies'' who can download these tools, or by more 
        sophisticated hackers who can create or modify these tools to 
        be more malicious or more difficult to detect.
  --Generally speaking, attack coding is more sophisticated and some of 
        it has been very creative.
  --There has been an increasing number and sophistication of attacks 
        against Microsoft systems; UNIX based attacks are remaining the 
        same.
  --Media exposure appears to be the catalyst for many attacks and 
        appears to correlate to web attacks and hacks. Organizations 
        appearing prominently in the news, launching new advertising 
        campaigns, announcing IPO status, or holding press conferences 
        seem to attract penetration attempts, hacks, and web 
        defacement.
  --Those attacks perpetrated by an insider seem to be driven by an 
        internal change within the organization. Management changes, an 
        acquisition or merger, or a changed employment policy (i.e., 
        benefits, retirement, stock options) seemed to be the catalyst 
        (or at least one of the major precursors) to an attack.
    Employees have also tended to take a more independent and 
individual view of their job and their work. Due to the emergence of 
the ``dot.com'' millionaires, the IPO frenzy, and the ease with which 
starting your own business was publicized in 1999, many employees are 
losing company loyalty. An upsurge in capitalism combined with the 
``American Dream,'' the ability to launch a new .com product quickly, 
obtain venture capital, the health of the stock market, and the ease 
and success of e-trading contribute to a foundational change in the 
American employee. The year 2000 will most likely bring even more 
changes in the workplace. Corporations should be particularly 
protective of their intellectual property.
Types of Attacks
    In general, all types of attacks have increased to some degree 
during 1999. However, the greatest increases have been noted in theft 
of intellectual property, unauthorized insider access, insider abuse, 
and system penetration by an external party.
  --Theft of Proprietary Information and Intellectual Property has 
        increased 15 percent from 1998.
  --Unauthorized Access by an Insider has increased 28 percent from 
        1998.
  --Insider Abuse of Internet (i.e., e-trading, pornography, e-mail 
        abuse) has increased 17 percent since 1998.
  --System Penetration by External Parties has increased 32 percent 
        from 1998.
    Other types of attacks such as viruses and denial of service have 
been reported less in public and government surveys; however, these 
statistics may not reflect the true state of affairs. Global Integrity 
has observed both increases in virus-related attacks as well as denial 
of service attacks. Even though raw numbers may reflect a drop in 
actual reported incidents, the interpretation of these decreases are 
meaningful. Those corporations who have experienced a decrease in 
overall quantity of virus attacks may have also experienced an increase 
in the ``quality'' or system devastation of the fewer attacks. The 
viruses that have recently been observed are more sophisticated and 
complicated than viruses seen in the last two years.
    In addition to the above mentioned attack types, we have seen as 
many as ten different attack types: Theft of intellectual property; 
sabotage to systems and networks; system penetration by an external 
party; insider abuse; financial fraud; denial of service; virus; 
unauthorized insider use of systems; web attacks and defacement; and 
other.
    In addition to the attack types directly on corporate systems and 
networks described above, a secondary type of attack has been 
occurring. Employees and external personnel have caused damage to 
companies by their postings and communication on the Internet and World 
Wide Web. Either originating from inside their workplace or from home, 
human communication on-line has increased the vulnerability of 
corporate information assets. Global Integrity has assessed the on-line 
threat to include seven major categories:
  --The disclosure of client related information;
  --Overt threats to personnel or facilities;
  --Disclosure of stock pricing and stock manipulation;
  --The disclosure of technical information about corporate system and 
        network architecture;
  --Disclosure of intellectual property information and/or research and 
        developments secrets;
  --Trademark violations; and
  --Other.
    Global Integrity has also noted a trend in ``jurisdictional 
jumping'' where an attacker jumps or passes through several borders in 
order to appear to be originating the attack from a foreign country. 
Many of the 1999 overseas activities have also originated in countries 
and third world nations where on-line laws and guidelines are non-
existent. Attacks originating from various foreign points appeared to 
increase. Another trend appears to include the behavior of a foreign 
national in U.S. based companies. Global Integrity has likewise 
detected a trend in foreign nationals, who are internal employees (or 
contractors) who have attacked the company from both a systems-network 
perspective, but also from inappropriate on-line communications.
Trends in Computer Attacks
    The major new trends are perceived to include:
  --More sophisticated attacks using both available and created tools, 
        such as the ``stacheldraht'' distributed denial of service 
        attack tool
  --A greater prevalence of coordinated attacks from multiple sources
  --Cross-cultural and cross-national origin of attacks
  --Increased ``disappearance'' of intellectual property for personal 
        benefit to spin off a new company or business as well as to 
        sell to a competitor or other interested buyer
  --An increase in attacks from out of the U.S., particularly from 
        Eastern Europe
  --An increase in the use of social engineering to acquire 
        intellectual property, proprietary information, and sensitive 
        information from commercial industries
  --More encryption techniques will be used to hide files, network 
        traffic, and other information
  --An increase in attacks, due to the proliferation of on-line 
        banking, which will lead to the compromise of personal and home 
        systems. As the value of data on the home systems increase, so 
        will the probability of attack. Those employees who work out of 
        their homes on a personal or corporate system will become more 
        vulnerable.
  --An increase in coordinated and distributed DOS attacks
  --A lowering of security standards and hiring standards, due to a 
        shortage of IT professionals. Other security and HR standards 
        such as criminal checks and background checks may be overlooked 
        in order to hire quickly with the needed skill sets. If these 
        vetting and screening procedures are not maintained, an 
        increase in insider attacks will most likely occur.
  --An increase in number and sophistication of self-mailing viruses as 
        well as copycat or mutated viruses.
What the Private Sector Is Doing
    It is difficult to generalize about the activities of a 
constituency as diverse as that of the Internet. Some institutions have 
taken information protection and security extremely seriously, and have 
dedicated significant energies and resources to protecting the 
information on the web. Other web-based enterprises deliberately act as 
a conduit for hackers or others to share information about propagating 
attacks. By necessity, the individuals and organizations Global 
Integrity deals with, for the most part, have at least taken the first 
steps. They have identified the need to prevent unauthorized and 
abusive uses of their computers and computer systems. Thus, our 
experiences are likely not representative of the Internet as a whole. 
Moreover, the bulk of our confidential client base--more than 70 
percent--are in the financial services industry. These institutions, 
banks, brokerage houses, and insurance companies have long had a 
tradition and commitment to protecting confidentiality of information.
Information Sharing in the Private Sector
    One of the concerns addressed in Presidential Decision Directive 
(PDD) 63 about the state of the critical infrastructure is the problem 
of information sharing in the private sector. This is of particular 
concern since the bulk of the nation's critical infrastructure--the 
computers and computer networks which make the nation run--are in the 
hands of the regulated private sector. The financial services, energy, 
transportation, and telecommunications industries are not owned by the 
government, but rather by the private sector. With deregulation and 
competition, information protection could be used as a competitive 
tool, allowing one company to keep secret tools for protecting itself, 
at the expense of the industry as a whole.
The FS/ISAC Model
    In order to combat this problem, and to help promote an overall 
secure infrastructure, the financial services industry has been the 
first to create a formalized mechanism to share information about 
computer security threats, vulnerabilities and incidents between and 
among its members. The Financial Services Information Sharing and 
Analysis Center--FS/ISAC--formally launched on October 1, 1999, and 
hosted by Global Integrity, is a tool which permits its members to 
anonymously share information which could help protect the industry as 
a whole. Fears of publicity, fears of inviting additional attacks, 
fears of confidentiality, and fears of anti-trust liabilities have, in 
the past, limited the willingness of industry members to share 
information. Nobody wants it to be reported in the front page of ``The 
Washington Post'' that a bank or financial institution has been the 
victim of an attack or an attempted attack. The FS/ISAC provides a 
means for sharing information--and for distributing threat information 
obtained from government sources--without fear of attribution or 
publicity. Nothing contained in the FS/ISAC rules or regulations alters 
the obligations of banks or other financial institutions to report 
criminal activities to regulators or law enforcement agencies. Nothing 
contained in the ISAC regulations precludes or discourages reporting of 
incidents, except that information learned exclusively from the 
information provided in the ISAC database remains confidential unless 
disclosed by the source of that information.
    The FS/ISAC represents a form of public-private cooperation that 
can be a model for the future. The Treasury Department and the SEC 
support but do not run the FS/ISAC. It is a separate entity with its 
own governing board made up of representatives of various financial 
institutions. The government may use the FS/ISAC as a means for 
disseminating information TO members of the financial services 
industry, but relies on traditional reporting requirements for 
obtaining information from the industry. It works to facilitate inter-
corporate information sharing to help protect one of the critical 
infrastructures.
Information Sharing and Public Dissemination
    It was reported yesterday by Ted Bridis of the Associated Press 
that ``computer experts at some of the nation's largest financial 
institutions received detailed warnings of impending threats and that 
banking officials never passed their detailed warnings to the FBI or 
other law enforcement agencies, even as alerts escalated last week from 
the first assault against the Yahoo! Web site on to eBay, Amazon, 
Buy.Com, CNN and others.'' The report continued by observing that 
``Participating banks weren't allowed to share the warnings with 
government investigators under rules of an unusual $1.5 million private 
security network created in recent months for the financial industry.'' 
This report is based upon a series of unrelated events and is not 
entirely correct.
    In mid August 1999, a distributed denial of service attack was 
launched against a Midwestern university. This attack was discussed in 
a mailing list discussion on the Forum of Incident Response Teams 
(FIRST) and was available to information security professionals who 
were members of FIRST and who had subscribed to the list. Utilizing 
this and other information gathered by Global Integrity, on September 
9, 1999 Global Integrity sent an advisory to subscribers to its Rapid 
Emergency Action Crisis Team (REACT) Advisory Service. This service is 
a fee-based subscription service that distributes advisories about a 
myriad of computer security incidents, vulnerabilities and threats. The 
issuance of this advisory by Global Integrity predated by almost a 
month the formal initiation of the FS/ISAC.
    On October 21, 1999, a similar analysis was publicly issued by Dave 
Dittrich, who wrote an analysis of the Trinoo attack tool. A copy of 
this posting can be found on the web at http://staff.washington.edu/
dittrich/misc/trinoo.analysis.
    On November 2, 1999 the Computer Emergency Response Team at 
Carnegie Mellon University held a conference, open to the public, in 
which the dDOS attack scenarios were discussed, and a paper describing 
how companies should respond to such dDOS attacks was published on the 
CERT website at www.cert.org. A more detailed advisory was issued by 
CERT on November 18, 1999, and Global Integrity issued a more detailed 
advisory to the REACT subscribers the following day. A similar advisory 
was posted for members of the newly formed FS/ISAC.
    On December 6, 1999, the National Infrastructure Protection 
Commission (NIPC) issued advisory 99-029 describing the denial of 
service attacks and the manner in which they could be used to attack 
computer systems. The NIPC advisory specifically described the TRINOO, 
and Tribe Flood Network (or TFN & tfn2k) attacks on January 19, 2000, 
and advised that:

          * * * the NIPC has seen multiple reports of intruders 
        installing distributed denial of service tools on various 
        computer systems, to create large networks of hosts capable of 
        launching significant coordinated packet flooding denial of 
        service attacks. Installation has been accomplished primarily 
        through compromises exploiting known sun rpc vulnerabilities. 
        These multiple denial of service tools include TRINOO, and 
        Tribe Flood Network (or TFN & tfn2k), and have been reported on 
        many systems. The NIPC is highly concerned about the scale and 
        significance of these reports, for the following reasons:
          --LMany of the victims have high bandwidth Internet 
        connections, representing a possibly significant threat to 
        Internet traffic.
          --The technical vulnerabilities used to install these denial 
        of service tools are widespread, well known and readily 
        accessible on most networked systems throughout the Internet.
          --The tools appear to be undergoing active development, 
        testing and deployment on the Internet.
          --The activity often stops once system owners start filtering 
        for TRINOO/TFN and related activity.

    On December 28, 1999 the Computer Emergency Response Team at 
Carnegie Mellon issued another advisory further describing the dDOS 
tools and their effects. At about this time, Global Integrity began to 
receive reports from clients that versions of these attacks were 
actually being launched--albeit on a limited scale. These consisted of 
reports of coordinated scans of systems and Trojan horse attacks on 
systems--indicia of automated efforts that might have been attempts to 
insert software ``agents'' on computers on the net. Such attacks are 
not uncommon, and represented yet another attempt to exploit widely 
know vulnerabilities in computer systems. On December 28, 1999, Global 
Integrity issued advisories to its customers about both the methodology 
of the dDOS attacks and the fact that such scans were ongoing.
    On December 30, 1999, the NIPC again issued an advisory to the 
public warning about the Trinoo/TFN/TFN2k toolkits, and the way they 
could be used to perpetuate a denial of service attack. This was 
followed on January 3, 2000 by an advisory issued by CERT detailing new 
developments in the denial of service software. On January 6, 2000 
Global Integrity advised its clients, including subscribers to the FS/
ISAC, that it had seen increased dDOS attack activity, including 
continued efforts to probe insecure systems on the Internet.
    On February 8, 2000, Global Integrity issued a press release, which 
had been prepared earlier, again describing the nature of these 
vulnerabilities, and advising potential victims of such attacks of 
Global Integrity's ability to assist in responding or tracing such 
attacks. This release was, like the earlier NIPC, CERT and other 
advisories, widely disseminated. The news release was not prompted by 
any specific threat or incident, and indeed, was scheduled to be 
released some weeks earlier. Never underestimating the power of 
coincidence, within 12 hours of the issuance of the press release, the 
attacks against Yahoo! began. However, the FBI and the NIPC had long 
been aware of, and had long reported publicly about, the nature of 
these kinds of dDOS attacks.
    When the dDOS attacks began, members of the FS/ISAC used the 
facilities and protocols previously established to share information 
about the attacks on an ongoing basis, and to coordinate an industry 
wide response. The nature of this particular attack required a detailed 
sharing of log and system information to effectively coordinate a 
response. Thus, rather than ``hiding the ball'' from both law 
enforcement and the public, the FS/ISAC and Global Integrity, like the 
NIPC, and CERT, attempted to widely disseminate information about the 
vulnerability before it was widely exploited. There were, to the best 
of my knowledge, no urgent e-mails or pages to FS/ISAC members prior to 
the attack--and during the attack, none were necessary. By then, the 
entire world knew of the attacks. However, when there are actual 
information security emergencies, the FS/ISAC will page its members and 
alert them to log on to the service to see the latest releases. In this 
way, FS/ISAC acts as a clearing house and early warning system, but it 
is only as good as the information it receives, and depends upon the 
continued vigilance and cooperation of its members.
Expansion of the FS/ISAC Information Sharing Model
    It is contemplated that the FS/ISAC model can be and will be 
utilized as a template for voluntary industry cooperation and 
information sharing in other industries. Only through voluntary 
cooperation can this model work. A similar vehicle for voluntary 
cooperation has existed in the telecommunications industry for many 
years. This entity, known as NSTAC--the National Secure 
Telecommunications Advisory Commission--which includes in its members, 
Science Applications International Corporation, Global Integrity's 
parent company, facilitates voluntary information sharing in the 
telecommunications industry. Mandatory reporting to government agencies 
of security incidents or vulnerabilities will prove counter productive, 
as some will choose to report every ``ping'' or bad password use, and 
some will report only the most serious attacks or vulnerabilities.
What Role for Law Enforcement?
    Protecting the information superhighway is not exclusively a law 
enforcement function any more than protecting the nation's highway 
system is the sole province of law enforcement. Ensuring that the 
highway is designed and implemented properly, that roadblocks and 
potholes are appropriately marked and repaired, that vehicles traveling 
are tested and safe is the province of standard setters, industry 
groups, and regulators. In many ways, the information superhighway is 
the same. The government can and should help set standards for secure 
infrastructures. The government can and should encourage the use of 
security technologies--including encryption technologies. The 
government can and should work with the private sector to ensure 
interoperability and emergency response capabilities. However, if these 
standards are perceived to come from the nation's law enforcement or 
intelligence communities, they will be met with distrust by both civil 
liberties groups and the commercial sector. The commercial sector--
rightly or wrongly--perceives any encryption standards ``approved'' by 
the NSA as being inherently weakened.
    This problem is emphasized in the area of incident response. By and 
large, commercial enterprises want to do the right thing, and want to 
work with law enforcement agencies to timely report and coordinate 
responses to information security incidents. Where incidents represent 
an immediate threat to public health or safety, there should be no 
question about reporting of such incidents, and generally there is 
none. The FBI, Secret Service, Department of Justice and other agencies 
have made great strides toward promoting public-private cooperation, 
addressing private sector security groups, conferences and public 
events, as well as working behind the scenes to foster greater 
confidence in law enforcement. In many cases individuals within 
corporate America responsible for security are themselves former law-
enforcement officials, and the cooperation proceeds on an informal 
basis.
    Despite these efforts, however, there is a problem of communication 
between the private sector and law enforcement. While both groups are 
committed to securing the web in general, they use different means and 
techniques. A successful case to law enforcement is when a public 
attack on a site results in the swift apprehension of a non-juvenile 
defendant, the speedy and public prosecution of the subject, 
culminating in a conviction and a sentence sufficient to act as both a 
specific and general deterrent.
    To the private sector, such a result may be disastrous. The public 
nature of the trial would reveal the vulnerabilities in information 
security that were exploited. Public confidence in the security of the 
e-commerce site would be eroded, even if the site had done all that was 
feasible to prevent or deter the attack, and even if the company 
responded quickly and appropriately. Moreover, by calling in law 
enforcement, the company quickly loses control over the scope and pace 
of the investigation, its direction and whether or not it will become 
public. Law enforcement agencies are today much more sensitive to the 
concerns of the ``victims'' of these attacks. They are directed to 
conduct investigations in the manner that will be the least intrusive 
on the business operations of the company. Nevertheless, some 
disruption is inevitable. The ``evidence'' of the crime may be the web 
server that is essential to the ongoing business operation. Law 
enforcement may wish the attack to continue so that the suspect can be 
traced and apprehended, but the ``victim'' may simply want the attack 
to stop. It may turn out that the offender lies within the company that 
reported the offense, and that the company itself now faces the 
prospect of civil or criminal liability. All of these factors point to 
an inherent mistrust--for reasons real and imagined--of vesting in a 
law enforcement agency the sole or exclusive responsibility for 
critical infrastructure protection.
    Nevertheless, as with highway traffic safety, law enforcement has 
and will continue to have a significant role in doing what it is 
trained to do: enforce the law. This response need not be solely 
reactive. Gathering and disseminating threat data may be an appropriate 
role of law enforcement. Whatever agency or department--or agencies or 
departments--that ultimately have the responsibility for infrastructure 
protection must have the confidence and participation of the commercial 
sector, and of the community at large to be effective.
    Additional problems plague law enforcement agencies. It is 
difficult if not impossible for them to train and retain staff skilled 
in the subtleties and nuances of the new high technology crime scene. 
The pace of technological change coupled with the lure of the private 
sector may discourage all but the most dedicated staff from staying 
with law enforcement.
    Law enforcement also is used to dealing with other law enforcement 
agencies in coordinating criminal responses. In the new Internet era, 
however, the primary investigators are no longer those with badges and 
guns. Computer crimes are detected and investigated initially by 23 
year old overworked system administrators under the rubrick of ``other 
duties as assigned.'' For those companies that have a computer incident 
response plan--fewer that 2 percent of the companies we surveyed--the 
next to be notified are the information security officers, legal staff, 
human resource and other security staffs. Only after this chain has 
been called into place are law enforcement likely to be notified. By 
then, the hacker may be long gone or the trail cold. The private sector 
lacks the authority to compel the cooperation of distant ISPs, and law 
enforcement lacks the information and training to protect a corporate 
infrastructure.
    Add to these problems the fast pace of change of both the law and 
technology, the differences in rights to privacy in various countries, 
the inability of any individual law enforcement agency to act beyond 
its borders and the trans-national nature of computer crime, and we are 
left with serious impediments to relying upon law enforcement as a 
means of prevention of computer crime. We need better locks on 
computers, not better locks on jails to prevent this conduct.
Role of the Government
    There are certain roles and functions that are and can be the 
province of the government. These include setting minimum standards for 
security and interoperability, conducting and supporting fundamental 
research on new security technologies--particularly in the area of 
biometrics and smart card technologies--promoting awareness of issues 
relating to information protection, ensuring greater international 
cooperation between law enforcement and other agencies, and bringing 
down barriers that inhibit such cooperation.
Setting of Standards
    The government can and should set standards in cooperation with 
both Internet companies like Cisco, IBM and others, and 
telecommunications and software companies for security. These standards 
should both afford a reasonable degree of security and be attainable in 
a cost effective manner. Such standards should empower users to secure 
themselves, but should not be used as a ``command and control'' 
mechanism to force new regulatory burdens on users. In essence, the 
goal should be to standardize for interoperability and security, and 
not to mandate a particular technology.
Research and Development
    Computers and computer networks are inherently complicated. 
Moreover, it is always easier to tear down a building than it is to 
design and build it. The government has a legitimate role in funding 
and supporting basic and applied research in the area of information 
security. Let us not forget that the Internet itself was the outgrowth 
of basic research initiatives by the Department of Defense Advance 
Research Projects Agency. Such research funding should be across 
disciplines--not limited to computer sciences. Security depends not 
only on hardware and software, but also on policies, practices, and 
personnel. We need not only to understand the vulnerabilities of the 
infrastructure, but to understand who exploits them and why.
Education and Training
    Education and training is an essential component of information 
protection. No passwords, or poor passwords, are the most common and 
cost efficient way to obtain unauthorized access to a computer or 
computer system. Users, administrators and others must be educated 
about the appropriate use and threats to computer systems. The bulk of 
this training should be done by companies educating their employees 
about the need to be vigilant, and the government educating its 
employees and contractors about the need for security precautions.
    In addition to user education, the government has a role in 
promoting the development of undergraduate and graduate level programs 
in information security. Global Integrity has established a mentoring 
program in this area with several universities, including Purdue 
University, and I have taught classes in information security at the 
George Washington University and a distance learning program at James 
Madison University. The dearth of trained professionals, inside and 
outside of government, may cause the private sector to unfortunately 
reach out--from sheer desperation or a misguided trust--to untrained 
individuals at best, or computer hackers themselves. Basic levels of 
competence, possibly including independent non governmental 
certification programs, will assist in ensuring that there is a cadre 
of trained information security professionals.
Technical Support
    Many information security attacks are beyond the technical 
capabilities of any individual company, and no individual company 
should be required to bear the burden of fixing what are essentially 
societal problems. The government, in cooperation with private 
industry, can provide meaningful databases and technical support to 
assist.
Promoting New Security Technologies
    A lesson should be learned from the recent debates over encryption. 
After almost ten years of debate, the government has finally 
liberalized the regulations concerning the use and export of commercial 
encryption software to the point where most companies now feel free to 
create and use such software to protect confidentiality, integrity and 
availability of information. However, the efforts to restrict the 
export of such software--while motivated by a legitimate desire to 
protect national security and promote the ability of law enforcement 
and intelligence agencies to lawfully intercept communications--proved 
to be counterproductive, and had the unfortunate effect of making 
individual communications less secure. At present, the default for most 
companies and government agencies is to send electronic communications 
in an unencrypted and therefore insecure manner. For true information 
protection, the default should be seamless effective encryption.
Protecting the Government's Own Infrastructure
    The government should also spend the resources necessary to protect 
and defend its own infrastructure--civilian and military. Most of the 
current Administration's efforts reflected in its budget requests are 
geared toward this goal. For example, on February 15, 2000 the White 
House issued a press release indicating a proposal, reflected in the 
budget previously submitted for a 15 percent increase in the fiscal 
year 2000 request for spending on critical infrastructure to reflect a 
total budge for such operations of $2 billion. The Administration 
proposes spending $606 million for research and development. These 
expenditures are geared principally toward protecting the government's 
infrastructure, training those charged with protecting government 
systems, and establishing an early warning system to detect attempted 
penetration into the government's own computers.
What the Government should not do
    The government should not seize the publicity surrounding these 
incidents to take upon itself new powers of regulation or impose new 
burdens upon those operating on the web. Any such regulations would 
likely be ineffective, counter productive, and would impose a 
disproportionate compliance burden on U.S. companies.
    The government must respect the fundamental rights of privacy--
including a respect for the right of anonymity where appropriate. For 
political and social discourse to flourish on the web--in America and 
abroad--governments must agree not to unduly burden the privacy rights 
of the electronic community.
    The government should not use the legitimate threats to computer 
systems as a justification for increased monitoring or surveillance of 
its citizens or others. While much of the traffic on the Internet is 
``public'' in the sense that the IP traffic is transmitted over 
insecure routers and servers, the government should not create a 
database of ``normal'' traffic patterns or surveil otherwise innocent 
Internet traffic.
    Most importantly, the government should not rush to pass new laws 
or new regulations unless and until it is demonstrated that current 
legal regimes are both inadequate to solve the problems, and are not 
preserving other fundamental rights or liberties. We should not 
sacrifice liberty at the altar of security.
Legal Issues
    One question raised by the recent attacks is whether the current 
legal regime is sufficient to respond. Let me begin by observing that 
the intentional transmission of a computer program with the intent to 
disrupt or deny the lawful use of a computer system is already an 
offense under 18 U.S.C. 1030, as well as a host of state criminal 
statutes. Many in the media have speculated whether the current 
penalties--up to five years incarceration (per incident) and a fine of 
either $250,000 or the amount of loss or gain resulting from the 
offense (together with possible forfeiture of proceeds or 
instrumentalities of the offense)--is sufficient to deter such conduct. 
This is especially a concern where the offenders may be--and I stress 
may be--juveniles for whom such punishments may not even be available.
    At the outset, I observe that the chances of detection and 
prosecution of computer hackers is very small. A handful of high 
profile cases have been reported. These include:
  --Prosecution of Andrew Miffleton a/k/a Daphtpunk in December of 1999 
        in Dallas, Texas for trafficking in root access codes which 
        would permit a user to break into and take over a computer 
        system.
  --The December 1999 prosecution of David Smith in the District of New 
        Jersey for creating and releasing the so-called Melissa virus 
        which reportedly caused more than $80 million in damage.
  --The November 1999 prosecution of Jeffrey Gerard Levy in Eugene, 
        Oregon for the criminal posting to the Internet of pirated 
        software valued at at least $70,000. Levy was sentenced to 
        probation.
  --The November 1999 prosecution in the Eastern District of Virginia 
        of 19 year old Eric Burns, a/k/a ZYKLON, for hacking into and 
        altering the web pages of the USIA, NATO, and the Vice-
        President, as well as commercial sites in the Northern Virginia 
        area.
  --The multiple prosecutions of Kevin Mitnick, released earlier this 
        year for a series of computer attacks and cell phone clones.
  --The prosecution, in Brooklyn, New York in March 1998, of Eugene 
        Kashpureff for invading the Internet Domain Name System (DNS) 
        and rerouting internet traffic intended to go to Global 
        Integrity sister company Network Solutions to his own website.
  --The international cooperation which resulted in the Israeli arrest 
        of Ehud Tenebaum, a hacker who broke into hundreds of insecure 
        U.S. government sites. Tenebaum is now reportedly working as a 
        computer security consultant.
    In none of these cases would additional punishments necessarily 
have served to prevent or deter the criminal activity. Because hacking 
offenses generally can result in multiple counts of conviction, the 
five year statutory cap on punishment is somewhat illusory. The true 
punishment for computer hackers is dictated not by the provisions of 
the United States Code, but rather by the provisions of the United 
States Sentencing Guidelines, which treat computer hacking in a manner 
identical to the outright ``theft'' of money.
    A convicted hacker is sentenced under U.S.S.G. 2F1.1, which 
attempts to measure either the ``gain'' or ``loss'' resulting from the 
criminal activity. The loss may include things like lost business 
opportunities resulting from downtime, or the cost of repair or 
replacement, but is ill defined. Moreover, such an analysis may 
overstate the seriousness of an offense like that of the Melissa virus. 
While the virus itself caused massive disruption and inconvenience, and 
is deserving of stringent punishment for deterrence, one can reasonably 
question whether the defendant should be sentenced on the same par as 
someone who literally ``stole'' $80 million. The guidelines likewise 
serve to understate the seriousness of hacker offenses. Invasions of 
privacy, the inconvenience associated with having to obtain new credit 
card numbers or a new identity, the loss of confidence or business 
opportunities and other collateral losses are not adequately captured 
in the manner in which we punish or attempt to punish hackers.
Conclusion
    Undoubtedly, there will be call for new laws regarding search and 
seizure powers, calling for the streamlining of procedures to permit 
multi districts investigations and international investigations, and 
possibly calling for additional powers of investigation. I urge the 
Subcommittee to tread lightly. Some of these may be warranted and some 
may not. The application of old rules to new technologies results in 
many absurdities. The government should encourage the use of new 
technologies by recognizing the binding nature of digital or electronic 
signatures, and promote the use of the Internet. The government should 
not use the new medium of cyberspace to inflict draconian regulations, 
assume new authority, or take upon itself the mantle of the protector 
or defender of cyberspace. The obligation and responsibility for 
protection of private data lies in a cooperative public-private 
partnership.
    I thank the Subcommittee for the opportunity to present my views 
and welcome any questions members might have.

    Senator Gregg. I think most of you answered most of my 
questions because you pretty well summarized your view as to 
the role of the government relative to e-commerce. You heard 
the Attorney General say that she felt that there was a comfort 
level being developed, and you heard the Director of FBI say 
the same thing. I would be interested in whether you folks feel 
there is a comfort level that is being developed?
    Mr. Richards. Senator, if I can, the Internet Alliance's 
Law Enforcement Security Council was formed last fall for just 
this reason, partly because we need the daily dialogue, and we 
need to do it in a group sense as well as an individual company 
sense for many of the reasons that were talked about here. I 
think the curve is exactly in the right direction, lots of 
talk, lots of specifics. What this has to get down to is a 
level of trust but also concrete accomplishments. Training is a 
critical area. We could talk about training all day. It is the 
steps we will take together that ought to be a bellwether for 
you.
    Senator Gregg. Anybody else have thoughts on this?
    Mr. Chesnut. With eBay we agree. We believe that the level 
of cooperation has been growing, certainly over the last year, 
and there has been a good fundamental level of trust that has 
been established I know at eBay between eBay and law 
enforcement. So we are very happy in that area.
    Mr. Rasch. I find that trust is based on personal 
relationships. Rather than having an agency or a company call 
the FBI, it is much easier if someone in the company is calling 
a friend of theirs at the FBI. We have started to do that and 
establish personal relationships between these electronic 
companies and law enforcement agencies. I think we can do a lot 
more.
    Senator Gregg. How do you handle the fact that a lot of 
this happens from out of the country? I mean as the FBI 
Director said, their investigation is leading them to Germany, 
it appears, and we have other reports in the press that there 
may be other countries where these originated from.
    Mr. Richards. Senator, the Internet Alliance and others 
here work with, and our own DOJ and FBI work with, Interpol and 
others. First I just have to tell you from my own direct 
experience, you know, our best folks at FBI and DOJ are 
extremely well thought of by their peers around the world. I 
just want to make clear that there is a high level of regard 
for our technical and strategic expertise. That is why we need 
to add some more resources to that. But the issues are real, 
and frankly, international law enforcement is not moving at 
Internet time. I think we are working hard here to get our 
relationships moving on Internet time, you know, very, very 
quickly, but we see lots of bureaucracy when we leave North 
America. So we are really concerned about that.
    The fundamentals may not end up being elaborate treaties or 
protocols. They may end up being in 90 percent of the cases 
really good cooperation using standard techniques but applied 
to the Internet through the rule of law. And that is what we 
need to focus on next.
    Mr. Chesnut. The international aspects certainly present 
some different challenges. For a company like eBay, we actually 
have sites with employees in different countries, such as 
Germany and Australia and the United Kingdom, but when I spoke 
earlier about establishing a partnership with law enforcement, 
we view that partnership to be with law enforcement in 
different countries and to reach out and to make contact and 
explain what we are about and at least establish a protocol so 
that if something happens we can find each other and provide 
information under appropriate circumstances. eBay has been 
doing that as well. We also work through the FBI because, 
again, they have a presence in many countries overseas, and 
while it poses challenges, it is not anything that is 
insurmountable.
    Senator Gregg. Mr. Rasch, you said or were quoted as saying 
that the absolute worst people to coordinate law enforcement 
would be the FBI. Maybe give me--if that is an accurate quote, 
give me your reasons.
    Mr. Rasch. The absolutely worst people to coordinate 
security is law enforcement, and not the FBI in particular, but 
the worst people to coordinate security is law enforcement. Law 
enforcements were always to enforce the law and to investigate 
and prosecute criminal activity. Just as I would not feel 
comfortable necessarily in having law enforcement come in and 
install my security system. There is a fundamental mistrust 
here. And there is a difference between protecting cyberspace 
and developing secure architectures, which is a role for 
agencies like the Commerce Department, like NIST, and the 
fundamental research and enforcing and investigating criminal 
activities which is the role of the FBI, the Secret Service, 
and the other law enforcement agencies. We should not allow the 
law enforcement agencies to take upon themselves the 
responsibility for protecting critical infrastructure or 
designing architectures because they will not have necessarily 
the confidence of the private sector.
    If I am buying a product, a security product, with an FBI 
seal of approval, I am going to have a fundamental mistrust of 
that or more importantly the NSA [National Security Agency]. 
There is a fundamental mistrust there because there is a 
belief, whether it is rational or not, that that product has 
been maximized to allow FBI or NSA to engage in its other 
functions. For example, surveillance.
    Senator Gregg. That was an excellent point. You all talked, 
certainly Mr. Richards and Mr. Chesnut talked, at length about 
the need for more resources in this area. I will simply tell 
you that as far as this committee is concerned--and we are in 
charge of resources, by the way--we will be putting more 
resources in this area. Our concern is that it be coordinated, 
that it be used effectively, and we do not end up going down 
the wrong path--that we do not end up creating a three-headed 
horse in response to the issue.
    So industry's role here is critical, and I appreciate your 
taking the time to come today. I appreciate your input, and I 
hope that you will, and I know you will, continue to 
aggressively pursue the interaction between the functions of 
law enforcement and the functions of research within the 
government and private sector. Do you folks have anything else 
you wish to add? Well, thank you very much. I appreciate your 
time.

                         conclusion of hearing

    I would note that the subcommittee will be holding a 
hearing on February 24 with Commerce Secretary Daley. We are 
also going to continue the issue of the Internet, specifically 
at the request of Senator Hollings. I strongly support his 
interest in this area, dealing with the SEC and the FTC and the 
issue of fraud on the Internet, which also happens to come 
under the jurisdiction of this committee. So we may change our 
title to the ``Internet Appropriations Committee.'' But in any 
event we are going to be pursuing this issue in other forums, 
in other areas. Thank you very much.
    [Whereupon, at 12:25 p.m., Wednesday, February 16, the 
hearing was concluded, and the subcommittee was recessed, to 
reconvene subject to the call of the Chair.]

                                   - 
