b"<html>\n<title> - CYBERCRIME</title>\n<body><pre>[Senate Hearing 106-600]\n[From the U.S. Government Printing Office]\n\n\n\n                                                        S. Hrg. 106-600\n \n                               CYBERCRIME\n\n=======================================================================\n\n                                HEARING\n\n                                before a\n\n                          SUBCOMMITTEE OF THE\n\n                      COMMITTEE ON APPROPRIATIONS\n                          UNITED STATES SENATE\n\n                       ONE HUNDRED SIXTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                            SPECIAL HEARING\n\n                               __________\n\n         Printed for the use of the Committee on Appropriations\n\n\n\n\n Available via the World Wide Web: http://www.access.gpo.gov/congress/\n                                 senate\n\n                                 ______\n\n\n                     U.S. GOVERNMENT PRINTING OFFICE\n63-940 CC                    WASHINGTON : 2000\n_______________________________________________________________________\n            For sale by the U.S. Government Printing Office\nSuperintendent of Documents, Congressional Sales Office, Washington, DC \n                                 20402\n\n\n\n                     COMMITTEE ON APPROPRIATIONS\n\n                     TED STEVENS, Alaska, Chairman\nTHAD COCHRAN, Mississippi            ROBERT C. BYRD, West Virginia\nARLEN SPECTER, Pennsylvania          DANIEL K. INOUYE, Hawaii\nPETE V. DOMENICI, New Mexico         ERNEST F. HOLLINGS, South Carolina\nCHRISTOPHER S. BOND, Missouri        PATRICK J. LEAHY, Vermont\nSLADE GORTON, Washington             FRANK R. LAUTENBERG, New Jersey\nMITCH McCONNELL, Kentucky            TOM HARKIN, Iowa\nCONRAD BURNS, Montana                BARBARA A. MIKULSKI, Maryland\nRICHARD C. 
SHELBY, Alabama           HARRY REID, Nevada\nJUDD GREGG, New Hampshire            HERB KOHL, Wisconsin\nROBERT F. BENNETT, Utah              PATTY MURRAY, Washington\nBEN NIGHTHORSE CAMPBELL, Colorado    BYRON L. DORGAN, North Dakota\nLARRY CRAIG, Idaho                   DIANNE FEINSTEIN, California\nKAY BAILEY HUTCHISON, Texas          RICHARD J. DURBIN, Illinois\nJON KYL, Arizona\n                   Steven J. Cortese, Staff Director\n                 Lisa Sutherland, Deputy Staff Director\n               James H. English, Minority Staff Director\n                                 ------                                \n\n   Subcommittee on Commerce, Justice, and State, the Judiciary, and \n                            Related Agencies\n\n                  JUDD GREGG, New Hampshire, Chairman\nTED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina\nPETE V. DOMENICI, New Mexico         DANIEL K. INOUYE, Hawaii\nMITCH McCONNELL, Kentucky            FRANK R. LAUTENBERG, New Jersey\nKAY BAILEY HUTCHISON, Texas          BARBARA A. MIKULSKI, Maryland\nBEN NIGHTHORSE CAMPBELL, Colorado    PATRICK J. LEAHY, Vermont\n                                     ROBERT C. BYRD, West Virginia\n                                       (ex officio)\n                           Professional Staff\n                              Jim Morhard\n                             Kevin Linskey\n                               Paddy Link\n                               Dana Quam\n                              Clayton Heil\n                         Lila Helms (Minority)\n                     Sonia King (Minority)\n\n\n                           C O N T E N T S\n\n                              ----------                              \n\n                            GOVERNMENT PANEL\n\nOpening remarks of Senator Gregg\nPrepared statement of Senator Patrick J. 
Leahy\nStatement of Hon. Janet Reno, Attorney General, Department of \n  Justice\nFederal law enforcement response to computer crime\nBuilding a strong partnership\nAppropriations needs\nPrepared statement of Janet Reno\nStatement of Hon. Louis J. Freeh, Director, Federal Bureau of \n  Investigation, Department of Justice\nNeed for cooperation\nChanging technology challenges\nDenial of service cases\nCybercrime and computer intrusion threats\nInnocent Images\nTerrorist and foreign threats strategy\nCybercrime fighting strategies\nNational Infrastructure Protection Center\nInternational cooperation\nBuilding prosecutorial experts\nPartnership with industry and academia\nBuilding forensic and technical capabilities\nCounterencryption\nDeveloping computer ethics\nPrepared statement of Louis J. Freeh\nCybercrime threats faced by law enforcement\nChallenges to law enforcement in investigating cybercrime\nFBI cybercrime investigation capabilities\nImproving FBI cybercrime capabilities
\nStatement of Hon. William A. Reinsch, Under Secretary of \n  Commerce, Export Administration, Department of Commerce\n    Prepared statement\nAdditional statutory authority requirements\nPrivate sector versus Federal Government role\nCoordination among Federal agencies\nFBI lead agency roles\nCoordination of law enforcement\nNational Information Protection Center [NIPC]\nRole of the National Security Council\nCritical Infrastructure Assurance Office\nInstitute for Information Infrastructure Protection\nLaw enforcement outreach to e-commerce industry\nFBI relationships with private sector\nNeed for uniform standards\n\n                             INDUSTRY PANEL\n\nStatement of Robert Chesnut, Associate General Counsel, eBay\n    Prepared statement\nStatement of Jeff B. Richards, Executive Director, Internet \n  Alliance\n    Prepared statement\nStatement of Mark Rasch, Vice President, Cyberlaw, Global \n  Integrity Corp.\n    Prepared statement\n\n\n                               CYBERCRIME\n\n                              ----------                              \n\n\n                      WEDNESDAY, FEBRUARY 16, 2000\n\n                           U.S. 
Senate,    \n    Subcommittee on Commerce, Justice, and \n                                     State,\n               the Judiciary, and Related Agencies,\n                               Committee on Appropriations,\n                                                    Washington, DC.\n    The subcommittee met at 10 a.m., in room SD-192, Dirksen \nSenate Office Building, Hon. Judd Gregg (chairman) presiding.\n    Present: Senators Gregg and Leahy.\n\n                            GOVERNMENT PANEL\n\n\n                    opening remarks of senator gregg\n\n\n    Senator Gregg. Ladies and gentlemen, I will call the \nhearing to order. Let me thank the Attorney General for her \ncourtesy in coming today and the Director of the FBI for his \ncourtesy on short notice in coming. We also have the Under \nSecretary of Commerce Bill Reinsch, who depending on the way \nthe hearing goes, we may like to hear from him, also. In fact, \nI think we probably will. He is a participant.\n    This hearing is really a continuum of a number of hearings \nwhich this committee has had in the area of cybercrime and \ncyberterrorism. In fact, it was as a result of this committee's \nefforts that we initiated a fairly significant effort at the \nsuggestion of the FBI and the Justice Department in the area of \nillegal activity on the Internet involving child pornography \nand traveler cases. That has also been followed by a very \nsignificant effort in this committee, which again was initiated \nby myself and Senator Hollings and members of the committee, in \nthe area of cyberterrorism, where we have attempted to fund \naggressively initiatives within the Justice Department, and the \nFBI specifically, to try to fight cyberterrorism.\n    As a result of last week's hacker attacks on major \ncommercial sites, it seemed appropriate to hold a hearing to \ndiscuss further what the role of government should be in the \narea of security on the Internet and protecting the commerce of \nthe country. 
As a preliminary thought on this matter, it seems \nto me that we as a government must divide the issue. There are \ncertain functions of activity within the society which are \ncritical to our Nation, certain structures which are essential \nto our ability to function as a cohesive society, such as our \nelectric grid, our waterworks in our communities, obviously our \nbanking system, and obviously our national defense.\n    In those areas, the Government has a priority role in \nmaking sure that these infrastructure and national defense \ncapabilities are protected and maintained and that the security \nof those infrastructures are aggressively defended. However, \nwhen we get into the area of commercial activity, whether it is \nselling books or auctioning items, the role of the government, \nI think, is probably significantly different. That is an area \nwhere clearly the commercial community has the first obligation \nof protecting and securing their sites and making sure that \nthey give their customers the access that they need. And the \ngovernment's role here must be limited because there is the \npotential, obviously, for abuse.\n    But as a corollary to that, the government does have a \nrole, and when a crime occurs, the private sector cannot \nprosecute a crime. It is a crime to interfere with commerce at \na number of different levels and, therefore, the government's \nparticipation in protecting the Internet is significant, but as \nI said, it depends on the area of the Internet, the area of the \nactivity as to the level of government involvement.\n    So this hearing today is to discuss that second issue \nprimarily of what happens when commercial sites are put at risk \nbecause of hacker attacks on those sites. There are a number of \nareas that I want to go into. 
First, I hope and suspect we will \nbe getting a report from the FBI and the Attorney General on \nthe status of the present investigation.\n    Second, we need to know whether or not the Justice \nDepartment and the FBI feel there are adequate laws on the \nbooks to address the issues which are raised by these \nquestions.\n    Third, we need to address the question of coordination. By \nmy count, we have at least five or six different major agencies \nand a number of lesser agencies involved in the issue of \ncyberactivity and security. We have the Commerce Department and \nthe National Security Council which have been given recently \nthe portfolio by the President to begin a process and in this \nbudget made a budget request for that purpose.\n    We have the FBI, of course, which has a number of different \nfunctions in this area including Computer Analysis Resource \nResponse Teams, the CART teams, which we funded, and the \nNational Infrastructure Protection Center, which again we \nfunded and which there is an additional request for. We have \nthe NIST [National Institute of Standards and Technology] \nactivities, which is an agency of the Commerce Department, \nwhich has its own Institute for Information Infrastructure \nProtection. We have the Defense Department functioning through \nDARPA [Defense Advanced Research Projects Agency], which has \nfarmed out its activities in this area to the Carnegie Mellon \nInstitute which has up and running a very strong program called \nCERT, which is a Computer Emergency Response Team.\n    I learned today in reading the newspaper that the CIA has \nan initiative. That is the best way to learn what the CIA has \nas initiatives is to read the newspaper. It being a secret \nagency, it does not inform us, but we do get to read about it.\n    So there are obviously a lot of different initiatives in \nthis area. What I am interested in is, where is the \ncoordination? Is there adequate coordination? Is there overlap? 
\nIf there is overlap, how do we make sure everybody is working \noff the same page rather than singing different songs and \npossibly being off tune?\n    Fourth, after the coordination issue, we need to address \nthe resource issue. This is a critical issue. It is an issue \nwhich this committee has a special attention to. We have tried \nto address it in the past. This really goes to personnel \nbecause we understand that keeping the type of people you need \nto keep in order to fight the hacker means you are going to \nhave to be hiring people who are extraordinarily highly \nqualified and who have a tremendous market value.\n    Now, 2 years ago, this committee recognized that problem \nand bifurcated the wage and salary system within the FBI so \nthat the FBI had the capacity and has the capacity to go out \nand hire people who have technology capability at a much higher \nlevel of pay than what would have been the traditional \nreimbursement process. I hope we will find out today whether \nthat is working; whether we can get those folks; whether we do \nhave the resources necessary; and whether we can keep those \npeople in light of the tremendous demand for this type of \ntalent in the private sector. So that is another topic.\n    That is an outline of what I hope this hearing will go \ninto. Obviously, we would be interested in the initiatives \ncoming from the administration, and we would want to get your \nthoughts on that also. So having made that statement, I will \nturn to Senator Leahy. I understand Senator Hollings is not \ngoing to be able to make the hearing. Senator Leahy has a great \namount of interest in this area and also serves on the \nJudiciary Committee which has primary authorizing jurisdiction.\n    Senator Leahy. Thank you, Mr. Chairman, and I want to \ncommend you for holding this hearing. You and I come from \nStates where we guard our privacy. 
Well, you ease up on it a \nlittle bit every 4 years but the rest of the time, we----\n    Senator Gregg. But we make mistakes.\n    Senator Leahy. And I chuckled when I heard your comment \nabout reading in the paper on the CIA. I give high marks to the \ncurrent Director for keeping us informed, but I recall a former \nDirector once when in the fourth time in about 2 weeks he came \nup here to tell us about a matter that he was supposed to \nnotify the Congress about and each time had not and then each \ntime we read about it on the front page of one of the \nnewspapers, and he then showed up to tell us about something \nthat we had first learned about in the papers, and I said to \nhim, Director, I said you really--there is a better way of \ndoing this. Instead of sending somebody up here with all these \nbriefings, just take the New York Times or the Washington Post \neach day, mark it ``Top Secret,'' and deliver it to us.\n    I said we get three advantages. One, we will get the \ninformation a lot quicker; second, we will get it in far, far \ngreater detail than you have ever given it to us, and three, we \nget this wonderful New York Times crossword puzzle.\n    He did not find it as funny as some in the audience today, \nbut, you know, to be serious about this, whether you work in \nthe private sector or in government, you tend to go through all \nthese mazes of security checkpoints. Here in the Senate, for \nexample, you have the barriers and photo ID cards and metal \ndetectors and X-ray scanners. It is all done to protect us from \nterrorists or from those who might victimize us by crime. And \nyou find these things now ubiquitous in the private sector, \ntoo.\n    But the irony is every single one of these barriers, these \nphysical barriers, can be circumvented because we have wires \ncoming into this building or any other building. They support \nthe computers and the computer networks that are absolutely \nnecessary. We could not communicate. 
We could not do our work \nwithout them. And to know how easy it is to go past the normal \nphysical barriers--look what happened with the hacker attacks \nlast week on e*trade, ZDnet, Daytime, Yahoo!, eBay, Amazon.com, \nand a number of sites we saw during the Christmas time with all \nthe sales and the huge spike in e-commerce, but we also know \nwhat the Achilles heel would be if this commerce turned out to \nbe vulnerable to outside attack.\n    In our daily lives, we rely on computers. Director Freeh, \nyou have been to my home in Vermont. You know we are out in the \ncountry, and yet here is a place where I do not worry about \nsomebody coming in and stealing things, but I am connected to \nall my files in my office in Washington. I like being able to \nwork there, but I also like to know there is a certain degree \nof security. The chairman mentioned CERT, the coordination \ncenter. Well, they have provided some very chilling statistics \non the vulnerabilities of the Internet and the scope of the \nproblem. Over the last decade the number of reported computer \nsecurity incidents grew from 6 in 1988 to more than 8,000 in \n1999, but that does not reveal the scope of the problem.\n    According to CERT's most recent annual report, more than 4 \nmillion computer hosts were affected by computer security \nincidents in 1999 alone by damaging computer viruses, names \nlike Melissa or Chernobyl, ExploreZip, by other ways that \nremote intruders have found to exploit system vulnerabilities. \nEven before the denial of service attacks last week, CERT \ndocumented such incidents grew at a rate of around 50 percent \nper year which was greater than the growth of the Internet \nhosts. The Attorney General has visited in Vermont a couple of \nour law enforcement centers that we use to supply the rest of \nthe Nation, the alien tracking system, and we were so proud \nwhen the AG came to visit that. But that has to have security. 
\nAll of these things--we know that life is changing.\n    Now I am going after the recess to introduce legislation to \nbroaden the scope of the prohibitions relating to computer \nhacking, including a refinement of the definition of what \nconstitutes laws and damage caused by an intruder on a computer \nsystem. My proposal will contain measures to allow our law \nenforcement officers to investigate and assist in international \nhacker cases.\n    The President has proposed $37 million in additional \nfunding to combat cybercrime in the Department of Justice, $6 \nmillion to develop regional computer forensic labs, $11 million \nto hire 100 more FBI experts, $8 million for U.S. attorneys, \nand we should look very seriously at that. And last, I will put \nmy whole statement in the record, Mr. Chairman, but I think we \nought to listen to one of the best known hackers, now \nlegitimate hacker, in the country, what he said yesterday at \nthe meeting with the President at the White House. He stated \nthat these massive attacks were something that could have been \ndone several years ago. So we have to assume that there is a \nwhole new generation of ability to attack and get into our \ncomputer systems, and I think it is a chilling thing, and so, \nMr. Chairman, I am delighted you are having this, and I will \nstay until I have to get to my other hearing. But I am \ndelighted you are doing it.\n    [The statement follows:]\n             Prepared Statement of Senator Patrick J. Leahy\n    Mr. Chairman, I commend you for your leadership in convening this \nhearing.\n    Whether we work in the private sector or in government, we \nnegotiate daily through a variety of security checkpoints designed to \nprotect ourselves from being victimized by crime or targeted by \nterrorists. 
For instance, Senate buildings like this one use cement \npillars placed at entrances, photo identification cards, metal \ndetectors, x-ray scanners and security guards to protect this physical \nspace.\n    These security steps and others have become ubiquitous in the \nprivate sector as well.\n    Yet all these physical barriers can be circumvented using the wires \nthat run into every building to support the computers and computer \nnetworks that are the mainstay of how we communicate and do business. \nThis plain fact was amply demonstrated by the hacker attacks last week \non E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet \nsites. These attacks raise serious questions about Internet security--\nquestions that we need to answer to ensure the long-term stability of \nelectronic commerce. More importantly, a well-focused and more malign \ncyber-attack on the computer networks that support telecommunications, \ntransportation, water supply, banking, electrical power and other \ncritical infrastructure systems could wreak havoc on our national \neconomy or even jeopardize our national defense.\n    The reports of the CERT Coordination Center (formerly called the \n``Computer Emergency Response Team''), which was established in 1988 to \nhelp the Internet community detect and resolve computer security \nincidents, provide chilling statistics on the vulnerabilities of the \nInternet and the scope of the problem. Over the last decade, the number \nof reported computer security incidents grew from 6 in 1988 to more \nthan 8,000 in 1999. But that alone does not reveal the scope of the \nproblem. 
According to CERT's most recent annual report, more than four \nmillion computer hosts were affected by computer security incidents in \n1999 alone by damaging computer viruses, with names like ``Melissa,'' \n``Chernobyl,'' ``ExploreZip,'' and by other ways that remote intruders \nhave found to exploit system vulnerabilities. 
Even before the ``denial-\nof-service'' attacks last week, CERT documented that such incidents \n``grew at a rate around 50 percent per year'' which was ``greater than \nthe rate of growth of Internet hosts.''\n    CERT has tracked recent trends in severe hacking incidents on the \nInternet--both are serious cause for concern. First, hacking techniques \nare getting more sophisticated. That means law enforcement is going to \nhave to get smarter too, and we need to give them the resources to do \nthis. Second, hackers have ``become increasingly difficult to locate \nand identify.'' These criminals are operating in many different \nlocations and are using techniques that allow them to operate in \n``nearly total obscurity.''\n    We have been aware of the vulnerabilities to terrorist attacks of \nour computer networks for more than a decade. It became clear to me, \nwhen I chaired a series of hearings in 1988 and 1989 by the \nSubcommittee on Technology and the Law in the Judiciary Committee on \nthe subject of high-tech terrorism and the threat of computer viruses, \nthat merely ``hardening'' our physical space from potential attack \nwould only prompt committed criminals and terrorists to switch tactics \nand use new technologies to reach vulnerable softer targets, such as \nour computer systems and other critical infrastructures. The government \nhad a responsibility to work with those in the private sector to assess \nthose vulnerabilities and defend them. That means making sure our law \nenforcement agencies have the tools they need, but also that the \ngovernment does not stand in the way of smart technical solutions to \ndefend our computer systems.\n    Targeting cybercrime with up-to-date criminal laws and tougher law \nenforcement is only part of the solution. While criminal penalties may \ndeter some computer criminals, these laws usually come into play too \nlate, after the crime has been committed and the injury inflicted. 
We \nshould keep in mind the adage that the best defense is a good offense. \nAmericans and American firms must be encouraged to take preventive \nmeasures to protect their computer information and systems.\n    That is why, for years, I have advocated and sponsored legislation \nto encourage the widespread use of strong encryption. Encryption is an \nimportant tool in our arsenal to protect the security of our computer \ninformation and networks. The Administration made enormous progress \nlast month when it issued new regulations relaxing export controls on \nstrong encryption. Of course, encryption technology cannot be the sole \nsource of protection for our critical computer networks and computer-\nbased infrastructure, but we need to make sure the government is \nencouraging--and not restraining--the use of strong encryption and \nother technical solutions to protecting our computer systems.\n    Congress has responded again and again to help our law enforcement \nagencies keep up with the challenges of new crimes being executed over \ncomputer networks. In 1984, we passed the Computer Fraud and Abuse Act, \nand its amendments, to criminalize conduct when carried out by means of \nunauthorized access to a computer. In 1986, we passed the Electronic \nCommunications Privacy Act (ECPA), which I was proud to sponsor, to \ncriminalize tampering with electronic mail systems and remote data \nprocessing systems and to protect the privacy of computer users. In the \n104th Congress, Senators Kyl, Grassley and I worked together to enact \nthe National Information Infrastructure Protection Act to increase \nprotection under federal criminal law for both government and private \ncomputers, and to address an emerging problem of computer-age blackmail \nin which a criminal threatens to harm or shut down a computer system \nunless their extortion demands are met.\n    In this Congress, I have introduced a bill with Senator DeWine, the \nComputer Crime Enforcement Act, S. 
1314, to set up a $25 million grant \nprogram within the U.S. Department of Justice for states to tap for \nimproved education, training, enforcement and prosecution of computer \ncrimes. All 50 states have now enacted tough computer crime control \nlaws. These state laws establish a firm groundwork for electronic \ncommerce and Internet security. Unfortunately, too many state and local \nlaw enforcement agencies are struggling to afford the high cost of \ntraining and equipment necessary for effective enforcement of their \nstate computer crime statutes. Our legislation, the Computer Crime \nEnforcement Act, would help state and local law enforcement join the \nfight to combat the worsening threats we face from computer crime.\n    I am convinced that we should be doing more to combat the current \nwave of computer crime. Those who are engaged in computer hacking, \ncomputer fraud and counterfeiting computer programs should be \nprosecuted and punished appropriately. As we have seen recently, these \nkinds of criminals wreak havoc on consumers, our interstate businesses \nand computer systems. To strengthen our laws in these areas, after the \nrecess I plan to introduce legislation to broaden the scope of the \nprohibitions relating to computer hacking, including a refinement of \nthe definition of what constitutes loss and damage caused by an \nintruder on a computer system. My proposal also will contain measures \nto allow our law enforcement officers to investigate and assist in \ninternational hacker cases.\n    President Clinton has proposed $37 million in additional funding in \nhis fiscal year 2001 Department of Justice budget to combat cybercrime. \nThe President's request includes $6 million to develop regional \ncomputer forensic labs, $11 million to hire 100 more FBI experts on \ncomputer-related crimes and $8 million for U.S. 
Attorneys to prosecute \ncybercrime.\n    I look forward to working with the Chairman and other concerned \nSenators to consider this budget request and other steps like our \npending legislation to give state and local law enforcement agencies \nthe tools they need to combat computer crime and maintain consumer \nconfidence in electronic commerce.\n    I am a strong proponent of the Internet and a defender of our \nconstitutional rights to speak freely and to keep private our \nconfidential affairs from either private sector snoops or unreasonable \ngovernment searches. These principles can be respected at the same time \nwe hold accountable those malicious mischief makers and digital \ngraffiti sprayers, who use computers to damage or destroy the property \nof others. I have seen Congress react reflexively in the past to \naddress concerns over anti-social behavior on the Internet with \nlegislative proposals that would do more harm than good. A good example \nof this is the Communications Decency Act, which the Supreme Court \ndeclared unconstitutional. We must make sure that our legislative \nefforts are precisely targeted on stopping destructive acts and that we \navoid scattershot proposals that would threaten, rather than foster, \nelectronic commerce and sacrifice, rather than promote, our \nconstitutional rights.\n    Technology has ushered in a new age filled with unlimited potential \nfor commerce and communications. But the Internet age has also ushered \nin new challenges for federal, state and local law enforcement \nofficials. Congress and the Administration need to work together to \nmeet these new challenges while preserving the benefits of our new era. \nI look forward to hearing from Attorney General Reno and FBI Director \nFreeh, and the other distinguished witnesses, on this important \nchallenge.\n\n    Senator Gregg. Thank you. I appreciate your time, Senator \nLeahy. 
Secretary Reinsch, would you like to sit at the table \nhere because I suspect at some point we are going to want to \nask you some questions, if you do not mind? I recognize we did \nnot ask you to prepare a statement so I will not ask you to \nparticipate.\n    Mr. Reinsch. I have one.\n    Senator Gregg. But we would be happy to have your comments \nat some point. We will start with the Attorney General, \nhowever. Appreciate your taking the time to come, Attorney \nGeneral. Please give us your thoughts, and what we should know, \nand then we can turn to Director Freeh, and then to Mr. \nReinsch, and then we will take questions.\nSTATEMENT OF HON. JANET RENO, ATTORNEY GENERAL, \n            DEPARTMENT OF JUSTICE\n    Ms. Reno. Mr. Chairman, Senator Leahy, Mr. Chairman, I have \nappreciated your thoughtful, constructive support of law \nenforcement and your leadership in the area of cybertechnology \nas it is applied to law enforcement. You have a yankee \nfrugality, though, and you have been totally consistent in \nmaking sure we spend our monies wisely and according to proper \nplans, and I personally want to thank you for the contribution \nyou have made to a very effective law enforcement.\n    Senator Leahy, you are one of the first people that I met \nas I came to Washington. Your guidance, your wisdom and your \nthoughts on so many issues relating to matters in the Judiciary \nCommittee have been vital to me, and I thank you so very much.\n\n           federal law enforcement response to computer crime\n\n    As Director Freeh will discuss, computer crime \ninvestigators in a number of FBI field offices are \ninvestigating the recent computer attacks. They are \ncoordinating the information with the National Infrastructure \nProtection Center. The agents are working closely with our \nnetwork of specially trained computer crime prosecutors, who \nare available around the clock to provide legal advice and \nobtain whatever court orders are necessary. 
Attorneys from the \nCCIPS, which is the Computer Crime and Intellectual Property \nSection of the Criminal Division, are coordinating with the \nAssistant United States Attorneys in the field.\n    Other Federal agencies and the private sector are working \nwith us in a cooperative effort that I think is an example for \nall of us on how we must work together to address the issue of \ncybercrime. I am proud of that effort and I am proud of the \nefforts that have been made to date to ensure investigative and \nprosecutorial expertise and capacity to address the issue of \ncybercrime.\n    There is more to do if we are to be prepared to deal with \nthe challenges in this arena for the future. This is one of my \nlast appearances before this committee. Most of what we say \nhere will not affect me as Attorney General, but it will affect \neach one of us as citizens of this country. How we deal with \ncybercrime is one of the most critical issues that law \nenforcement has ever faced. If we are successful in our \nefforts, we will not only protect our citizens from harm, but \nwe will give people confidence in the Internet and in \ncybertechnology as magnificent tools of commerce, learning and \ncommunication.\n    Mr. 
Chairman, in the time I have remaining as Attorney \nGeneral, I would like to work with you and do everything I \npossibly can to leave for my successors the capacity to ensure \nthe equipment and the expertise necessary to ensure the prompt \nand professional investigation and prosecution of cybercrime; \nto make sure that we have the equipment that is sufficiently up \nto date to deal with the most sophisticated criminals; to \nimmediately and continually eliminate the backlog of computers \nto be searched, both in the investigation of cybercrime as well \nas other crimes such as drug crimes.\n    Also needed are the prevention and deterrence of intrusions \nor attacks on the Nation's critical infrastructure or other \nacts of cyberterrorism; and the capacity to detect and trace \ncybercriminals around the world and bring them to justice. The \ndamage that can be done by somebody sitting halfway around the \nworld is immense. We have got to be able to trace them, and we \nhave made real progress with our discussions with our \ncolleagues in the G-8 and in the Council of Europe.\n\n                     building a strong partnership\n\n    We need to continue to build a strong partnership with \nState and local law enforcement by which we share expertise, \nequipment, and avoid costly duplication and fragmentation. We \nneed to work in partnership with industry to address cybercrime \nand security. This should not be a top down approach through \nexcessive government regulation or mandates. Rather, we need a \ntrue partnership where we can discuss challenges and develop \neffective solutions that do not pose a threat to individual \nprivacy. We need to develop the means of educating our young \npeople concerning the responsible use of the Internet.\n    The Department must also address the vulnerability of its \nown systems. 
Based on internal reviews, we need enhanced \ncomputer security across the Department and we are redirecting \nour resources and efforts to focus on correcting computer \nsecurity vulnerabilities. But when threats like the denial of \nservice attacks of last week emerge, we have taken steps and we \nmust continue to do so to protect the Department's computer \nsystems. We must do all we can to reach out to academia and to \nindustry to learn the most up-to-date means of addressing \ncomplex technical issues as they emerge in this new exciting \nand developing world. We must achieve all these goals in a \nmanner that respects and upholds our cherished privacy and our \nfreedoms.\n    We would like to work with you, Mr. Chairman, and with \nmembers of the subcommittee to develop a comprehensive 5-year \nplan with fiscal year 2001 as our baseline to achieve these \nresults. Recent attacks demonstrate the importance of \ndeveloping such a long-term coordinated strategy. Mr. Chairman, \nit was under your leadership that we developed the 5-year plan \nwith respect to counterterrorism. If we focus on cybercrime, \nand make sure we have the equipment, and the expertise, I think \nwe can do so much and I would like to work with you in that \neffort.\n\n                          appropriations needs\n\n    In that undertaking, we need your help to refocus resources \nprovided for fiscal year 2000. The level of funding provided in \nthe fiscal year 2000 enacted appropriation for the General \nLegal Activities (GLA) appropriation is insufficient to cover \nthe base program needs of all the litigating components funded \nfrom GLA with the exception of the Civil Rights Division.\n    For the first time, the Congress allocated specific amounts \nto each individual GLA component in the report language that \naccompanies the Appropriations Act. This action made it \nimpossible for me to distribute the appropriated resources as \nneeded. 
The Criminal Division's allocation was hardest hit of \nall and this has had serious implications for the Division's \nability to support its computer crime efforts. Yesterday, we \ndelivered a reprogramming of resources appropriated to GLA \nwhich would make base resource funding available to all the GLA \naccounts by internally redistributing Congress' allocation of \nGLA resources and supplementing the total resources available \nto GLA with funding presently available from the Working \nCapital Fund unobligated balances.\n    We need Congress' approval of this reprogramming to ensure \nthe appropriate distribution of the resources among the \ncomponents and we especially need full base funding restored to \nthe Criminal Division in order to avoid having to reduce \nCriminal Division staffing by 83 positions including critical \npositions in the Computer Crime and Intellectual Property \nSection.\n    For fiscal year 2001, I am asking for $37 million in \nfunding enhancements to expand the Department's staffing, \ntraining and technological capabilities. These enhancements \ninclude $4.1 million for 59 new Assistant United States \nAttorneys and nine additional attorneys in the Criminal \nDivision to prosecute computer and child pornography crimes and \nto provide guidance to Federal, State and local agencies on \neffective response to the threat of computer crime; $8.75 \nmillion to provide critically needed computer crime \ninvestigation and prosecution training to State and local law \nenforcement agencies; $11.4 million for 100 new FBI computer \nanalysis and response team members. Finally, we intend to \nenhance law enforcement's ability to deal with evidence \navailable on computers by developing up to 10 new regional \ncomputer forensic labs.\n    Together these enhancements will increase the Department's \n2001 funding base for computer crime of $177.6 million by more \nthan 31 percent. 
If we can work together in these next weeks to \ndevelop a plan that addresses these goals, I think it will be \nextremely important for our future ability to address these \nconcerns. Director Freeh through his strategic plan has begun \nto address these efforts and we commit to do everything we can \nto work with you in coming up with something that satisfies \nyour very appropriate concerns and addresses our capacity to \nleave for my successors an effective effort at the Justice \nDepartment.\n    Senator Gregg. Thank you, Madam Attorney General.\n    [The statement follows:]\n                    Prepared Statement of Janet Reno\n    Chairman Gregg and other Members of the Subcommittee, I want to \nthank you for this opportunity to testify on our efforts to combat the \ngrowing problem of cybercrime, particularly in light of the recent \ndenial-of-service attacks on several major Internet sites.\nNeed for Five-Year Strategy\n    The recent attacks demonstrate the importance of developing a long-\nterm, coordinated strategy for dealing with cybercrime. The strategy \nmust address the challenges we face, both domestically and abroad, the \nneed for personnel with expertise and the latest cybercrime-fighting \nequipment, the importance of cooperation and sharing with state and \nlocal law enforcement and our international counterparts, the need for \neducating our young people and others about the responsible use of the \nInternet, and all of this must be done in a manner that respects and \nupholds our cherished privacy and freedoms.\n    Recently, I outlined a 10-point plan that identifies the key areas \nwhere we need to develop our cybercrime capability. 
The key points of \nthis plan include:\n  --Developing a round-the-clock network of federal, state and local \n        law enforcement officials with expertise in, and responsibility \n        for, investigating and prosecuting cybercrime.\n  --Developing and sharing expertise--personnel and equipment--among \n        federal, state and local law enforcement agencies.\n  --Dramatically increasing our computer forensic capabilities, which \n        are so essential in computer crime investigations--both hacking \n        cases and cases where computers are used to facilitate other \n        crimes, including drug trafficking, terrorism, and child \n        pornography.\n  --Reviewing whether we have adequate legal tools to locate, identify, \n        and prosecute cybercriminals. In particular, we need to explore \n        new and more robust procedural tools to allow state authorities \n        to more easily gather evidence located outside their \n        jurisdictions. We also need to explore whether we have adequate \n        tools at the federal level to effectively investigate \n        cybercrime.\n  --Because of the borderless nature of the Internet, we need to \n        develop effective partnerships with other nations to encourage \n        them to enact laws that adequately address cybercrime and to \n        provide assistance in cybercrime investigations. A balanced \n        international strategy for combating cybercrime should be at \n        the top of our national security agenda.\n  --We need to work in partnership with industry to address cybercrime \n        and security. This should not be a top-down approach through \n        excessive government regulation or mandates. 
Rather, we need a \n        true partnership, where we can discuss challenges and develop \n        effective solutions that do not pose a threat to individual \n        privacy.\n  --And we need to teach our young people about the responsible use of \n        the Internet.\n    I would like to work with you, Chairman Gregg, and the Members of \nthe Subcommittee to develop a comprehensive, five-year plan--with \nfiscal year 2001 as our baseline--to prevent cybercrime and, when it \ndoes occur, to locate, identify, apprehend and bring to justice those \nresponsible for these types of crimes.\nComments on the Recent Attacks\n    I would be happy to address your questions on the recent attacks, \nto the extent I can do so without compromising our investigation. At \nthis point, I would simply say that we are taking the attacks very \nseriously and that we will do everything in our power to identify those \nresponsible and bring them to justice. In addition to the malicious \ndisruption of legitimate commerce, so-called ``denial of service'' \nattacks involve the unlawful intrusion into an unknown number of \ncomputers, which are in turn used to launch attacks on the eventual \ntarget computer, in this case the computers of Yahoo, eBay, and others. \nThus, the number of victims in these types of cases can be substantial, \nand the collective loss and cost to respond to these attacks can run \ninto the tens of millions of dollars--or more.\nOverview of Investigative Efforts and Coordination\n    As Director Freeh will discuss, computer crime investigators in a \nnumber of FBI field offices are investigating these attacks. They are \ncoordinating information with the National Infrastructure Protection \nCenter (NIPC). The agents are also working closely with our network of \nspecially trained computer crime prosecutors who are available 24 hours \na day/7 days a week to provide legal advice and obtain whatever court \norders are necessary. 
Attorneys from the Criminal Division's Computer \nCrime and Intellectual Property Section (CCIPS) are coordinating with \nthe Assistant United States Attorneys in the field. We are also \nobtaining information from victim companies and security experts, who, \nlike many in the Internet community, condemn these recent attacks. I am \nproud of the efforts being made in this case, including the assistance \nwe are receiving from a number of federal agencies.\nThe Challenge of Fighting Cybercrime\n    The recent attacks highlight some of the challenges we face in \ncombating cybercrime. The challenges come in many forms: technical \nproblems in tracing criminals operating online; resource issues facing \nfederal, state, and local law enforcement in being able to undertake \nonline criminal investigations and obtain evidence stored in computers; \nand legal deficiencies caused by changes in technology. I will discuss \neach of these briefly.\n    As a technical matter, the attacks like the ones we saw last week \nare easy to carry out and hard to solve. The tools available to launch \nsuch attacks are widely available. In addition, too many companies pay \ninadequate attention to security issues, and are therefore vulnerable \nto be infiltrated and used as launching pads for this kind of \ndestructive programs. Once the attacks are carried out, it is hard to \ntrace the criminal activity to its source. Criminals can use a variety \nof methods to hide their tracks, allowing them to operate anonymously \nor through masked identities. This makes it difficult--and sometimes \nimpossible--to hold the perpetrator criminally accountable.\n    Even if criminals do not hide identities online, we still might be \nunable to find them. The design of the Internet and practices relating \nto retention of information means that it is often difficult to obtain \ntraffic data critical to an investigation. 
Without information showing \nwhich computer was logged onto a network at a particular point in time, \nthe opportunity to determine who was responsible may be lost.\n    There are other technical challenges, as well, that we must \nconsider. The Internet is a global medium that does not recognize \nphysical and jurisdictional boundaries. A hacker--armed with no more \nthan a computer and modem--can access computers anywhere around the \nglobe. They need no passports and pass no checkpoints as they commit \ntheir crimes. While we are working with our counterparts in other \ncountries to develop an international response, we must recognize that \nnot all countries are as concerned about computer threats as we are. \nIndeed, some countries have weak laws, or no laws, against computer \ncrimes, creating a major obstacle to solving and to prosecuting \ncomputer crimes. I am quite concerned that one or more nations will \nbecome ``safe havens'' for cybercriminals.\n    Resource issues are also critical. We must ensure that law \nenforcement has an adequate number of prosecutors and agents--assigned \nto the FBI, to the Department of Justice, to other federal agencies, \nand to state and local law enforcement--trained in the necessary skills \nand properly equipped to effectively fight cybercrime, whether it is \nhacking, fraud, child porn, or other forms.\n    Finally, legal issues are critical. We are finding that both our \nsubstantive laws and procedural tools are not always adequate to keep \npace with the rapid changes in technology.\nCurrent Efforts Against Cybercrime\n    While these challenges are daunting, the Department has \naccomplished much in building the infrastructure to combat cybercrime. \nDirector Freeh will discuss the work of the NIPC and the Computer Crime \nSquads established around the country. 
Similarly, in the Department, we \nhave a cadre of trained prosecutors, both in headquarters and in the \nfield, who are experts in the legal, technological, and practical \nchallenges involved in investigating and prosecuting cybercrime.\n    The cornerstone of our prosecutor cybercrime program is the \nCriminal Division's Computer Crime and Intellectual Property Section, \nknown as CCIPS. CCIPS was founded in 1991 as the Computer Crime Unit, \nand was elevated into a Section in 1996. With the help of this \nSubcommittee, CCIPS has grown from five attorneys in January of 1996, \nto eighteen attorneys today. CCIPS works closely on computer crime \ncases with Assistant United States Attorneys known as ``Computer and \nTelecommunications Coordinators'' (CTCs) in U.S. Attorney's Offices \naround the country. Each CTC is given special training and equipment, \nand serves as the district's expert in computer crime cases.\n    The responsibility and accomplishments of CCIPS and the CTC program \ninclude:\n            Litigating Cases:\n    CCIPS attorneys have litigating responsibilities, taking a lead \nrole in some computer crime and intellectual property investigations, \nand a coordinating role in many national investigations, such as the \ndenial of service investigation that is ongoing currently. As law \nenforcement matures into the Information Age, CCIPS is a central point \nof contact for investigators and prosecutors who confront investigative \nproblems with emerging technologies. This year, CCIPS assisted with \nwiretaps over computer networks, as well as traps and traces that \nrequire agents to segregate Internet headers from the content of the \npacket. CCIPS has also coordinated an interagency working group \nconsisting of all the federal law enforcement agencies, which developed \nguidance for law enforcement agents and prosecutors on the many \nproblems of law, jurisdiction, and policy that arise in the online \nenvironment.\n    Working with the U.S. 
Attorney's Office in the District of New \nJersey and the FBI, as well as with state prosecutors and \ninvestigators, CCIPS attorneys helped ensure that David Smith, the \ncreator of the Melissa virus, pled guilty to a violation of the \ncomputer fraud statute and admitted to causing damages in excess of $80 \nmillion.\n    CCIPS is also a key component in enforcing the ``Economic Espionage \nAct,'' enacted in 1996 to deter and punish the theft of valuable trade \nsecrets. CCIPS coordinates approval for all the charges under the theft \nof trade secret provision of this Act, and CCIPS attorneys successfully \ntried the first jury case ever under the Act, culminating in guilty \nverdicts against a company, its Chief Executive Officer, and another \nemployee.\n    The CTCs have been responsible for the prosecution of computer \ncrimes across the country, including the prosecution of the notorious \nhacker, Kevin Mitnick, in Los Angeles, the prosecution of the hacker \ngroup ``Global Hell'' in Dallas, and the prosecution of White House web \npage hacker, Eric Burns, in Alexandria, Virginia.\n            Training\n    CCIPS has spearheaded efforts to train local, state, and federal \nagents and prosecutors on the laws governing cybercrime, and last year \nalone gave over 200 presentations to a wide variety of audiences. In \naddition, CTCs across the country are training prosecutors and agents \nin their districts in a variety of fora.\n    CCIPS also chairs the National Cybercrime Training Partnership \n(NCTP), a ground-breaking consortium of federal, state, and local \nentities dedicated to improving the technical competence of law \nenforcement in the information age. The NCTP has made great strides in \ncreating a comprehensive prototype training curriculum for agents and \nprosecutors in a full range of infotech topics.\n            International\n    The borderless nature of computer crime requires a large role for \nCCIPS in international negotiations. 
CCIPS chairs the G-8 Subgroup on \nHigh-tech Crime, which has established a 24 hours a day/7 days a week \npoint of contact with 15 countries for mutual assistance in computer \ncrime. CCIPS also plays a leadership role in the Council of Europe \nExperts' Committee on Cybercrime, and in a new cybercrime project at \nthe Organization of American States.\n            Infrastructure Protection, Policy and Legislation\n    CCIPS provided expert legal and technical instruction and advice \nfor exercises and seminars to senior personnel on information warfare, \ninfrastructure protection, and other topics for the Department of \nDefense, the National Security Agency, the Central Intelligence Agency, \nand others. Further, the Naval War College invited CCIPS to give a \nfeatured presentation at a high-level, invitation-only conference on \ncyberwarfare and international law. CCIPS also led the Department's \nefforts to counter cyberterrorism through its work on PDD-63, the Five-\nYear Counterterrorism Strategy, and its support to the National \nInfrastructure Protection Center.\n    CCIPS works on a number of policy issues raised at the intersection \nof law and technology. CCIPS attorneys meet regularly with a number of \nindustry groups to discuss issues of common concerns, and helped \nestablish the Cybercitizen Partnership in cooperation with high-tech \nindustries to help identify industry expertise which may be needed in a \ncomplex investigation, to initiate personnel exchanges and to help \nsafeguard our children.\n    CCIPS attorneys propose and comment on legislation that affects \ntheir high-tech mission.\n    Other Sections of the Criminal Division--including the Fraud \nSection, the Child Exploitation and Obscenity Section, and the \nTerrorism and Violent Crime Section--are responding as crimes within \ntheir areas of expertise move online.\n    Overall, the Department has the prosecutorial infrastructure in \nplace to combat cybercrime. 
We need the resources to keep the program \ngrowing to keep pace with the growing problem.\nAdditional Resources and Tools Are Needed\n    We appreciate the Subcommittee's support for many of the efforts \ndescribed above, but I also need your help to refocus resources \nprovided for fiscal year 2000. The level of funding provided in the \nfiscal year 2000 enacted appropriation for the General Legal Activities \n(GLA) appropriation is insufficient to cover the base program needs of \nall the litigating components funded from GLA, with the exception of \nthe Civil Rights Division. In particular, the specific amounts provided \nto the Criminal Division have serious implications for the Division's \nability to support its computer crime efforts.\n    Yesterday, we submitted a request to reprogram resources \nappropriated to GLA which would make base resource funding available to \nall the GLA accounts.\n    We especially need full base funding restored to the Criminal \nDivision in order to avoid a reduction in Criminal Division staffing by \n83 positions, including critical positions in the Computer Crime and \nIntellectual Property Section.\n    We must have prosecutors, both in the field and here, in \nWashington, to deal with cybercrime investigations.\n    The Division has shifted more of its resources than ever to combat \ncybercrime. Attorneys in the Fraud Section are now focusing on internet \nfraud cases, attorneys in the Child Exploitation and Obscenity Section \nare doing more to combat on-line child pornography. We simply cannot \nsupport the demand for more anti-cybercrime positions at our current \nfunding level.\n    For fiscal year 2001, I am asking for $37 million in funding \nenhancements to expand the Department's staffing, training and \ntechnological capabilities to continue the fight against computer \ncrime. These enhancements include:\n  --$4.1 million for 59 new Assistant U.S. 
Attorneys and 9 additional \n        attorneys in the Criminal Division to prosecute computer and \n        child pornography crimes, and to provide guidance to federal, \n        state and local agencies on effective responses to the threat \n        of computer crime.\n  --$8.75 million to provide critically needed computer crime \n        investigation and prosecution training to state and local law \n        enforcement agencies.\n  --$11.4 million for 100 new FBI Computer Analysis and Response Team \n        (CART) members who will be dispatched to support investigations \n        into computer related crimes, as well as expanding the use of \n        the Automated Computer Examination System, which aids in \n        computer forensics examinations.\n  --Finally, we intend to enhance law enforcement's ability to deal \n        with evidence available on computers by developing up to 10 new \n        Regional Computer Forensic Labs.\n    Together, these enhancements will increase the Department's 2001 \nfunding base for computer crime of $177.6 million, 31 percent more than \nin 2000.\n    We also need to consider additional tools to locate and identify \ncybercriminals. For example, we may need to strengthen the Computer \nFraud and Abuse Act by closing a loophole that allows computer hackers \nwho have caused a large amount of damage to a network of computers to \nescape punishment if no individual computer sustained over $5,000 worth \nof damage. We may also need to update our trap and trace laws, under \nwhich we are able to identify the origin and destination of telephone \ncalls and computer messages. Under current law, in some instances we \nmust obtain court orders in multiple jurisdictions to trace a single \ncommunication. 
It might be extremely helpful, for instance, to provide \nnationwide effect for trap and trace orders.\n    We must also ensure that in upgrading our computer-crime fighting \nlaws, we ensure that appropriate privacy safeguards are maintained and, \nwhere possible, strengthened. For example, recent investigations have \nrevealed serious violations of privacy by hackers, who have obtained \nindividuals' personal data, such as credit cards and passwords. An \nincrease in the penalty for violations of invasions into private stored \ncommunications may be appropriate. We would like to work with Congress \nto develop a thoughtful and effective package of tools that allow us to \nkeep pace with cybercriminals, update the laws that allow us to locate \nand identify cybercriminals, and ensure that privacy safeguards are \nrespected and, where possible, strengthened.\n    Finally, I believe one important answer lies in educating our youth \nand others in society, that computer hacking is not only illegal, but \nethically wrong. Most of us know that we should not break into a \nneighbor's house or read his mail, but many have not applied these same \nvalues to their online activities. Last April, I announced that the \nDepartment, along with the Information Technology Association of \nAmerica had formed the Cybercitizen Partnership, a national campaign to \neducate and raise awareness of computer responsibility. We hope the \nPartnership will announce a nationwide public awareness and education \ncampaign in the near future.\n    I look forward to working with the Subcommittee to ensure we have a \nrobust and effective long-term strategy for combating cybercrime, \nprotecting our nation's infrastructure, and ensuring that the Internet \nreaches its full potential for expanding communications, facilitating \ncommerce, and bringing countless other benefits to our society.\nSTATEMENT OF HON. LOUIS J. 
FREEH, DIRECTOR, FEDERAL \n            BUREAU OF INVESTIGATION, DEPARTMENT OF \n            JUSTICE\n    Senator Gregg. Director Freeh.\n    Mr. Freeh. Thank you, Mr. Chairman, Senator Leahy, Attorney \nGeneral Reno. Let me just echo the Attorney General's \nappreciation on behalf of the FBI and I think the entire \nnational law enforcement community to you, Chairman Gregg, \nSenator Hollings, and particularly to this committee, for what \nhas really been a consistent and now long-standing support in \nthe area of technology crimes and the ability for law \nenforcement agencies--State, local and Federal--to deal with \nthese issues.\n    I recall in 1997, you chaired a hearing together with \nChairman Stevens, and for the first time, at least in our \nmemory, a committee here addressed not just the immediate \nissues with respect to counterterrorism threats and the \ncyberterrorism implications of those threats, but looked for \nthe first time to developing a long-term planning and asset \nevaluation and resource allocation plan. That plan has \ndeveloped and prospered.\n    Senator Leahy, let me take the opportunity to thank you \nalso for the support that you have shown in this area, back in \n1994, leading the efforts in the Senate on the Communications \nto Law Enforcement Assistance Act. An act which you recall some \npeople in town said could never be passed, was passed and gave \nnot just the Federal Government but the State and local police \nforces around the country the continued ability, not any new \npowers, but the continued ability to exercise court-ordered \nelectronic surveillance without changing the balance of the \nFourth Amendment, and really getting into the information age \nwith respect to our technical ability. 
So let me just begin by \nthanking you and thanking the Attorney General for her valued \nsupport and continuous support in the area of technical \nassistance to law enforcement.\n\n                          need for cooperation\n\n    Going beyond 1997 when you inaugurated these hearings, \nChairman Gregg, there is no doubt anymore that these are issues \nwhich are critically important to the success of law \nenforcement. Looking at Judge Webster's report just a few weeks \nago, the Commission on the Advancement of Law Enforcement, \nwhich is a congressionally required commission, he says, among \nother things, global crime, cybercrime and terrorism pose the \nnew emerging security threats to the Nation and challenge the \nFederal law enforcement community.\n    The report talks about not only the importance of resource \nallocation but also coordination, which is the issue that you \nhighlighted, and perhaps just as importantly the cooperation \nand input from the private sector. Like any other area of the \ngovernment, the FBI, State and local police departments, and \nprosecuting authorities cannot deal with this issue without the \ncooperation and assistance of the private sector, particularly \nin the type of cases that I will talk about in a moment. These \ncompanies are not only victims of some of these crimes, but \nhave uniquely the resident expertise to furnish not only the \ninvestigative support and tools that are necessary, but also, \nindeed in many cases, the insight into their own systems.\n    I am very pleased to say that not just as a result of the \nNational Infrastructure Protection Center, which this committee \nauthorized and set up, and the use of our investigators \nthroughout the course of the last couple of weeks, the \nassistance from the private sector has been extraordinary. 
Not \njust the victim companies but dozens of other companies, \nscientific experts, academic scholars, think tanks, \nassociations have called the FBI and gave in many cases not \njust valuable leads but support, ideas, and in some cases \ntechnology assistance to pursue what has been a very complex \nand fast-moving investigation. This one would never get out of \nthe starting gate without the current structures as you have \nauthorized them and more importantly the interoperability of \nthat structure with not only other Federal, State, and local \nenforcement agencies and the private sector itself.\n\n                     changing technology challenges\n\n    You know if I came in one morning and said we were faced \nwith the invention of the automobile, the telephone, and the \nradio, and that law enforcement needed your assistance to deal \nwith this new technology, we would sit down and look at a vast \narray of resources that would be necessary to deal with this \ntechnology being used in part by people who would commit \ncrimes. In many ways, the situation beginning several years ago \nis a comparable situation, although because the technology is \nnow not only more complex but in some cases changes on an 18 \nmonth cycle, perhaps even a greater challenge.\n    And as we would, we would have to respond to that threat, \ndevise resources, plans and infrastructure to make sure that \nlaw enforcement had the continued capacity to do its \ntraditional role of protecting the people we serve, but doing \nit not only in the face of the challenge of these technologies, \nbut also using those technologies. In fact, that is what the \nCongress has done over the last couple of years. 
The structures \nthat I will speak about briefly in a moment are really the \ndirect result and the absolute minimum ingredient required to \ndeal with these issues.\n\n                        denial of service cases\n\n    With respect to the current investigation, I will give you \na quick synopsis of it. Obviously, there are aspects of it that \nI cannot go into because of the nature of the case and the fact \nthat criminal prosecutions may very well result. Going back \nseveral months to the fall of last year, we at the FBI began to \nreceive reports about a threat to the Internet from the \ndistributed denial of service attacks, which is what was \nevidenced over the last couple of weeks. In these types of \nattacks, hackers first break into the computer system of an \nunwitting victim and then plant what they call malicious \nprograms. They go by names such as Trinoo, Tribal Flood Net, \nStacheldraht. Planting the malicious systems on unsuspecting or \nunwitting computer hosts is the first step in the line of that \nattack. This can be done hours, days, weeks, or even months \nbefore the actual attack occurs.\n    The hacker then sends a command that would activate the \nprogram which results in the victim computer systems themselves \nsending repeated messages against a target system which is what \nhappened in these cases. In some instances, the malicious \nprogram includes an embedded start date and time in its code \nprecluding even the need for a separate activation command.\n    Because the hacker uses a ``spoofed'' or non-valid Internet \naddress, the target system overloads because the target system \nis unable to confirm the receipt of the messages from the \ncomputer sending that message. 
As a result, the build up of \nunconfirmed messages overwhelms these target systems which in \nturn denies legitimate access by the regular users.\n    In December 1999, again with notice of some of these \nthreats, the National Infrastructure Protection Center, which \nas I noted has only been in existence since December 9, 1998, \nissued an alert to the community regarding these threats. In \nfact, for the first time, NIPC made available to the industry a \nsoftware tool that can be used to detect the presence of \nservice coding. This is the first time that this was done. This \ntool was downloaded, we know, by hundreds and hundreds of users \nand, hopefully, put to some good use with respect to both \ndetection and the furnishing of subsequent leads.\n    On February 8, we received reports that the Yahoo! site had \nexperienced the first coordinated denial of service attack. The \ndays that followed, as reflected in your display here in the \nhearing room, Amazon.com, eBay, e*Trade, and CNN.com also \nreported similar denial of service outages. The victim \ncompanies of these attacks, as I mentioned, are cooperating \nfully with the FBI and, as I mentioned, in many cases \nfurnishing, in addition to leads, very important technical \nsupport. Additionally, members of the community at large, in \nfact, some hackers, many of whom condemned the present attacks \npublicly, have come forward and supplied extremely valuable \ninformation to the FBI for which we are very grateful.\n    Five of our major offices where the target companies are \nlocated, Los Angeles, San Francisco, Atlanta, Boston, and \nSeattle, have initiated full investigations. Seven secondary \noffices are working in primary support of those offices. 
In \naddition, all of our divisions and many of our overseas \noffices, as I will note in a moment, are furnishing active \nsupport in this very fast-moving investigation.\n    Analysts and computer scientists, both within the NIPC as \nwell as outside, are reviewing and analyzing voluminous \nmaterial from the target companies logs which have been \nfurnished. This is a very time consuming procedure. The \ninvestigation is continuing and even public reports this \nmorning, accurately reflect an investigation which is now \nstretching literally around the world, working with our \noverseas FBI offices in places like Canada, Germany, and \nseveral other countries, and working with our liaison police \npartner services in many of these countries running down leads, \ninterviewing people, asking for technical records as well as \nassistance. This is the nature of these investigations.\n    As we saw over the millennial period, the ability to \nconduct investigations in this particular subject matter \nrequires absolutely the instantaneous ability to contact and \nwork with our overseas partners, which is why, thanks to the \nsupport of this committee and other committees, the FBI now has \n35 foreign Legal attache offices. We had 21 in 1993. These \noffices give us the ability to literally pick up the phone and \nhave an FBI agent familiar with the case walk into the host law \nenforcement agency and receive law enforcement assistance that \ncould never otherwise have been received in that kind of a time \nframe. We are very, very thankful for that assistance.\n    We have been very, very pleased with the progress of the \ninvestigation. There are fast developing leads as we speak and, \nhopefully, we will be able to report with more details in the \ncoming days and weeks.\n\n               cybercrime and computer intrusion threats\n\n    I would like to just talk a little bit about the emerging \ncybercrime and computer intrusion threats. 
We know that the \ngrowth of the Internet has certainly been the single reason why \nthese threats have been not only elevated but why the \ncompromising of the systems that we have seen in the past few \nweeks has such broad implications.\n    Last year, 1999, there were over 100 million Internet users \nin the United States. By 2003, experts project the number of \nusers to reach 177 million in the United States and over 500 \nmillion worldwide. Economic commerce, a significant new sector \nof our economy, accounted in 1999 for about $100 billion in \nsales over the Internet. By 2003, electronic commerce is \nprojected to account for sales in excess of $1 trillion. And \nthe rate of growth after that will clearly be exponential.\n    Over the past several years, we have seen and investigated \na range of computer crimes and threats really across the \nspectrum. And I want to just briefly refer to some of those. \nThere are the insider threats that computer systems within \nuniversities, within corporations, and even within government \nentities have experienced. A 1999 Computer Security Institute \nreport indicated that 55 percent of the respondents had \nreported malicious activity from insiders with respect to their \nindividual entities or corporations.\n    Another brand of these attacks and threats are in the area \nof hackers about which we have seen much activity. There is a \nsubcategory which we referred to as ``hacktivism,'' which are \npolitically motivated attacks. We saw that during the recent \nhostilities in the former Yugoslavia with hundreds and hundreds \nof threats and computer attacks being launched against NATO web \nservers as well as institutions in many of the NATO countries. \nThere are the virus writers, which is a particularly dangerous \ntype of threat. Back in 1999, the FBI in conjunction with some \nState and local partners, particularly the New Jersey State \nPolice, solved the Melissa Macro Virus case. 
If you recall, and \nagain, very importantly for purposes of liaison with the \nprivate sector, the New Jersey State Police received some \ninformation from America Online that came to the FBI in our \nNewark office where we have one of our computer squads. A \nseries of investigations were conducted jointly which resulted \nin several searches and arrests. The individual who pled guilty \nadmitted to activities which affected over one million computer \nsystems and caused over $80 million worth of damage.\n    Another brand of these threats represent activities by \norganized criminal groups. In another case last year, two \nmembers of a group who called themselves the ``Phonemasters'' \nwere convicted of the theft and possession of unauthorized \naccess devices. This was a case where the subjects penetrated \nMCI, Sprint, AT&T, and Equifax. We needed and obtained \njudicially approved surveillance orders to conduct the \ninvestigation using intercept technologies which were very, \nvery complex and had to be tailor made to use in those \nparticular cases. To give you some idea of the scope of the \nplan, the individuals downloaded thousands of Sprint calling \ncards. Some of these were sold to a Canadian citizen. He in \nturn passed them to a citizen back in Ohio. This was all done \nby computer. They were then sent to an individual in \nSwitzerland and they ended up in part in the hands of some \norganized crime groups down in Italy. This is typical in many \nrespects with regard to this type of criminal activity.\n    We have another category called the distributed denial of \nservice attacks which we have talked about this morning. We \nalso see threats and attacks involving economic espionage. 
The \neconomic espionage statute, which the Congress passed in 1996, \nwas particularly designed to deal with the theft by computer of \nvaluable trade secrets, where losses of billions and billions \nof dollars can occur according to the American Society of \nIndustrial Security.\n\n                            innocent images\n\n    We have another broad set of criminal activity being \nconducted by individuals, and perhaps the one most notoriously \nknown, and certainly you have been the principal source of the \nenforcement resources that have been used in this area, named \nInnocent Images cases. These are cases where pedophiles use the \ntechnology of the Internet to go into people's homes to contact \nminors, to make arrangements to see them, which often requires \ntraveling interstate. We opened 1,497 of these new cases last \nyear, fiscal year 1999. We have made 193 arrests, and obtained \nover 108 convictions. This is an activity which is now being \nworked not only by the FBI, but again because of your support \nand the committee's support, it is being worked in a \ncoordinated fashion by many State and local agencies in \ncooperation with the FBI.\n\n                 terrorist and foreign threats strategy\n\n    We also have other threats that come not from individuals \nand not even from within the United States but from terrorists, \nfrom foreign intelligence services. The whole subject matter of \ninformation warfare, of course, gets into national security \nissues well beyond the purview of the FBI. But the scope of \nthreats on the front of cyberspace and cybercrime, as shown \njust by this very brief summary, is obviously an immense one.\n\n                     cybercrime fighting strategies\n\n    I think there are probably some keys and some experience \nthat we have shown relevant directly to our success in any \ncrime fighting strategy involving cybercrime and cyberspace. I \nwould like to highlight just a few of these. 
The first one is \nlaw enforcement investigative capacities. The second one is \nbuilding prosecutorial expertise--the Attorney General referred \nto that in part. Third, developing partnerships with industry \nand academia--these are absolutely vital if we are to be \nsuccessful. Fourth, building law enforcement data forensic and \ntechnology capabilities. Again, these can be built without \ndisturbing the balance of the Fourth Amendment, without people \nworrying about the government operating national computer \nsystems. These can be done under our existing Constitution and \nenabling statutes. And finally, the issue of encouraging not \nonly computer ethics but the lawfulness of computer use and \ncomputer law, particularly in the area of law enforcement.\n\n               national infrastructure protection center\n\n    With respect to building law enforcement investigative \ncapabilities, this obviously is the vital and first building \nblock. We are, as I said, grateful for your support and your \nleadership in the establishment of the National Infrastructure \nProtection Center. This center, as you know, is unique. It is \nthe only national organization devoted to investigation, \nanalysis, warning and response to attacks against our \ninfrastructure. It was established in December 1998. There are \n193 FBI special agents around the field who are particularly \nqualified and who reside in the investigative part of this \nprogram. There are over 100 personnel back here at headquarters \nin NIPC. Many other government agencies have representatives \nthere.\n    The private sector has representation there. We have State \nand local participation. We even have participation from some \nof the national security agencies. In all we have 16 NIPC \nsquads around the United States. Again, these are recently \nestablished and five of them are working on the main cases that \nI have mentioned before. 
They share much of their information \nwith State and local partners. We use a series of Federal \nchannels for sharing information including Law Enforcement On-\nLine and the national law enforcement telecommunications \nsystem. We have a key asset program managed by this activity \nwhich identifies those key assets in infrastructure which could \nbe compromised.\n    We have an InfraGard program, which is a program that \ndirectly involves the private sector in the planning as well as \nthe reaction to some of these attacks. We have a 24 hour watch \nsystem at our FBI Headquarters which monitors not just threats \nbut in some cases, as I mentioned, becomes the originating \npoint for intelligence as it is collected and enables us to \ntake preventive action as we tried to do earlier last year.\n    One of the issues that you mentioned that I would just like \nto respond to is the hiring, training, and retention of the \npeople who are necessary to perform this work. And that has \nbeen a continuing challenge and will probably be our foremost \npersonnel challenge in the years to come. We were very pleased \nseveral years ago when the Congress provided the FBI with a \npilot program to use our Title 5 exemption authority to hire \npeople who could not otherwise be hired because their talent \nand the competition for their work is such that the usual GS \npay scale would be insufficient to attract and retain them.\n    We have been able to staff over 54 experts, particularly in \nscientific and computer positions, under this program. We would \nvery, very much like to extend the authority for that program \nwhich is due to expire in September of this year. 
My prediction \nis that if that program is extended and we continue to use it \nand expand it, we will have the ability to do exactly what you \nwould like us to do and what the American people would like us \nto do: get the men and women into the FBI, not just the agents, \nbut the analysts, the computer scientists, the people who \nunderstand these codes, and make sure that we are able to keep \nthem. The training and expertise that they bring is also made \navailable to our State and local partners.\n    One of the other major functions of the NIPC is training \nand liaison. We have trained hundreds of State and local \nofficers, other Federal officers, in the area of computer \ncrimes. We have even given them, in many cases, some of the \ntools and techniques necessary to perform this job. But the \npersonnel and the authority to hire over and above the current \nGS scale is absolutely vital for us.\n\n                       international cooperation\n\n    I also want to mention again how critical it is that we \nhave not only the domestic law enforcement network and liaison \nbut the international one. There is no computer hacking case of \nany large dimension that I can imagine where it is not likely \nto have leads, evidence, witnesses, and needs that go well \nbeyond the United States to literally places around the world. \nOver the millennium weekend, we did exactly that. It was \nprimarily in the counterterrorism area, but we had agents and \ncomputer forensic experts literally around the world working \nwith our liaison partners because that is the nature of this \nvenue and that is where these cases very, very quickly take us.\n    We have the need obviously, as the Attorney General \nmentioned, to continue to obtain necessary equipment, including \nbasic hardware to do our job. The 2001 request asks for an \nadditional $40 million for the Information Sharing Initiative. 
\nThat is the initiative that buys basic hardware and computers \nto be used by our agents and other personnel to conduct these \ninvestigations. We are hoping to receive the final approvals to \nspend the $80 million which the Congress has authorized and \nappropriated in the fiscal year 1999 and 2000 budgets and we \nare hoping to get the final paperwork up to the committees \nwithin the next couple of weeks.\n\n                     building prosecutorial experts\n\n    The second broader area that I mentioned is building \nprosecutorial expertise. The best computer analysts and the \nbest technical agents in the world will not succeed at the end \nof the day unless there are trained prosecutors with the \nability, the know-how, and the experience to assist in the \ncomplex investigation of these cases where many legal issues, \nincluding privacy issues and Fourth Amendment issues, take \ndifferent permutations, arise and have to be addressed very \nspeedily and decisively. We are very thankful to the Attorney \nGeneral for her strong support and leadership in the Department \nfor the development of a strong cadre of Assistant U.S. \nAttorneys who are able to do these cases and respond to them as \nthe needs arise.\n\n                 partnership with industry and academia\n\n    The other area I have alluded to several times, the \npartnerships with industry as well as academia. Yesterday, the \nhead of my laboratory, Dr. Kerr, met with the head of the \nThayer School of Engineering to discuss direct FBI \nparticipation in the Thayer School Institute for Security \nTechnology Studies, which addresses among other things the \nprimary area of cybersecurity. 
This is the type of support that \nwe desperately need not only to pursue investigations but also \nto develop tools and techniques that can be used in these cases \nto do research and development--which our investigators who are \nvery busy do not always have the time and luxury to do, and \nwhich is particularly suited for academia as well as the \nprivate sector.\n\n              building forensic and technical capabilities\n\n    The other area--building forensic and technical \ncapabilities is something where I think we have made a very \ngood start. We have 142 full- or part-time CART examiners. \nThese are the individuals who do the forensic examinations, who \ncan take evidence off a hard drive that even the people who are \nfairly sophisticated think has been erased and deleted from the \nsystem. This is a demand which is growing exponentially. We had \nabout 1,800 examinations in the last year. We predict by the \nend of next year, there will be 6,000 of these examinations \nrequired on a yearly basis. Some of the cases, because of their \ncomplexity and because of the growth of the capacity of hard \ndrives, require more and more time, more and more complex \nanalysis and techniques.\n    In 1998, most of the computers that were sold had hard \ndrives with a six to eight gigabyte capacity. By the end of \nthis year, we are going to see 60 to 80 gigabyte capacities. \nWhat this means is that you double, double, and double again \nthe magnetic area that needs to be searched to obtain evidence \nas well as for other preemptory examinations. What this means \nis that the capacity to do more electronic type of examinations \nwill be required. We have a system that the CART examiners use \nand which this committee has funded called the ACES system, \nwhich is the Automated Computer Examination System. We have \nasked in the current budget proposal for a continuation of that \nfunding. 
ACES allows the examiners to expeditiously look at \nhuge areas of media which otherwise even under technical means \nwould take an enormous amount of time. In some cases, not these \ncases, but others where lives may literally be at risk, this \ntime consumption is very, very critical.\n    We need to propagate and decentralize the computer \nexamining abilities that we have in the FBI. This goes along \nthe lines you alluded to before about encouraging and \nsupporting State and local expertise. One very successful \neffort in this area was the recent establishment by the FBI and \nState and local authorities in San Diego, California, of a \nregional computer forensic lab, the first time that we have \nundertaken this type of a joint venture. What this does is \nestablish a regional laboratory for computer examinations so \nthe investigators, particularly State and local investigators \nin that area, do not have to rely on our headquarters \nfacilities or even FBI stand alone capacity to conduct these \nexaminations.\n    This creates a center of excellence. It is a method to \nenhance training as well as other expertise. We are looking at \ndoing the same type of establishments in the New England area, \nand in the Dallas area. The cost of these start-ups is very \nminimal and the return and the benefit--not just to the State \nand local authorities but the ability to cut some of the \nbacklogs coming back to Washington and the attendant delays--we \nthink is a very, very good formula for success.\n    So we want to look at this very carefully. We want to make \nsure the results are as impressive as they have been so far. \nThis is an area where I think very critically we need to get \nthis technology and law enforcement ability out to our State \nand local partners.\n\n                           counterencryption\n\n    I wanted to mention a little bit about some of the other \nengineering issues. I mentioned the ACES system. 
I referred \nearlier to the Communications Assistance for Law Enforcement \nAct, the CART examinations. We also need again the ability to \nwork these cases not only in a digital environment as we find \nourselves but an encrypted environment. We are finding more and \nmore, 53 new cases last year, computer media as well as stored \ndata, where encryption has made the information and the \npotential evidence all but worthless or unavailable to us \nbecause we do not have the plain text and there is no ability \nto understand, either on a real time basis or historical basis, \nwhat it is that is being discussed by the hackers, what plans \nreside in their encrypted files, and all the other impediments \nthat this poses.\n    This is a huge issue not just for law enforcement in \ngeneral but particularly in the area of computer crime and \ncybersecurity. Without the ability for law enforcement officers \nto get court-ordered access to plain text, we are going to be \nout of business in a large number of these cases. We will never \nknow in some cases who the subjects are, what the conspiracy \nconsisted of, what the objectives were. We will be operating \nwith basically primitive tools in a very high tech environment.\n    This committee has held hearings on this before. You have \ncertainly supported our budget requests in trying to address \nthis area. As I have testified to numerous times over the last \n7 years, if this area remains unaddressed, not just for the FBI \nbut for our State and local partners, we will be very, very \nmuch unable and incapable of investigating some of these major \ncases. As we have testified before, we do not need a change in \nthe Constitution or our statutory authority to do this. We can \nobtain plain text access which comes only with a court order \nwithout changing any of the parameters and without changing the \nstatutes that legitimately protect not just privacy but the \nexpectation of privacy. 
But if it is unaddressed, we are not \ngoing to be able to work in many of these cases.\n\n                       developing computer ethics\n\n    The last area that I just wanted to mention briefly is \nencouraging the development of computer law in the law \nenforcement area, as well as computer ethics. I think that is a \ntheme that has to become much more conversant in our \nuniversities, our schools, our workplaces, our Government \nplaces. We have to respond to some of these incidents, even the \nones that are non-criminal, with a framework of law as well as \nan ethical framework that seeks to deter and discourage \nactivities that affect these systems and promote the positive \nside of it.\n    Again, I am very, very pleased to be here and on behalf of \nthe law enforcement community--and I emphasize the State and \nlocal community. I want to thank this committee, Mr. Chairman, \nfor your leadership in this area. We have made a good start. We \nhave found in the last couple of weeks that although we were \nbusy, we were not overwhelmed. We have been able to follow \nleads. The response and support from the other government \nagencies and the private sector has been enormous. So we are in \nthe ballgame right now thanks to your support, and the \nresources we have received. We want to make sure that balance \ndoes not change in the next couple of years. Thank you.\n    [The statement follows:]\n                  Prepared Statement of Louis J. Freeh\n    Good morning, Mr. Chairman and members of the Subcommittee. I am \nprivileged to join Attorney General Reno in this opportunity to discuss \ncybercrime--one of the fastest evolving areas of criminal behavior and \na significant threat to our national and economic security.\n    Twelve years ago the ``Morris Worm'' paralyzed half of the \nInternet, yet so few of us were connected at that time that the impact \non our society was minimal. 
Since then, the Internet has grown from a \ntool primarily in the realm of academia and the defense/intelligence \ncommunities, to a global electronic network that touches nearly every \naspect of everyday life at the workplace and in our homes. There were \nover 100 million Internet users in the United States in 1999. That \nnumber is projected to reach 177 million in the United States and 502 \nmillion worldwide by the end of 2003. Electronic commerce has emerged \nas a new sector of the American economy, accounting for over $100 \nbillion in sales during 1999, more than double the amount in 1998. By \n2003, electronic commerce is projected to exceed $1 trillion. The \nrecent denial of service attacks on leading elements of the electronic \neconomic sector, including Yahoo!, Amazon.com, Ebay, E*Trade, and \nothers, had dramatic and immediate impact on many Americans.\n    I would like to acknowledge the strong support this Subcommittee \nhas provided to the FBI over the past several years for fighting \ncybercrime. This Subcommittee was the first to support resources--back \nin fiscal year 1997--for establishing a computer intrusion \ninvestigative capability within the FBI. You have generously provided \nsupport for our efforts against on-line sexual exploitation of children \nand child pornography--the Innocent Images initiative, as well as to \ndevelop our Computer Analysis Response Team (CART) program, and the \ncreation of computer crime squads in our field offices. For that \nsupport, I would like to say thank you.\n    In my testimony today, I would like to first discuss the nature of \nthe threat that is posed from cybercrime and then describe the FBI's \ncurrent capabilities for fighting cybercrime. 
Finally, I would like to \nclose by discussing several of the challenges that cybercrime and \ntechnology present for law enforcement.\n              cybercrime threats faced by law enforcement\n    Before discussing the FBI's programs and requirements with respect \nto cybercrime, let me take a few minutes to discuss the dimensions of \nthe problem. Our case load is increasing dramatically. In fiscal year \n1998, we opened 547 computer intrusion cases; in fiscal year 1999, that \nhad jumped to 1,154. At the same time, because of the opening of the \nNational Infrastructure Protection Center (NIPC) in February 1998, and \nour improving ability to fight cyber crime, we closed more cases. In \nfiscal year 1998, we closed 399 intrusion cases, and in fiscal year \n1999, we closed 912 such cases. However, given the exponential increase \nin the number of cases opened, cited above, our actual number of \npending cases has increased by 39 percent, from 601 at the end of \nfiscal year 1998, to 834 at the end of fiscal year 1999. In short, even \nthough we have markedly improved our capabilities to fight cyber \nintrusions, the problem is growing even faster and thus we are falling \nfurther behind. These figures do not even include other types of crimes \ncommitted by a computer such as Internet fraud or child pornography on-\nline.\n    As part of our efforts to counter the mounting cyber threat, the \nFBI uses both full National Infrastructure Protection and Computer \nIntrusion squads located in 16 field offices and is developing baseline \ncomputer intrusion team capabilities in non-squad field offices. \nFurther, we are establishing partnerships with state and local law \nenforcement through cybercrime task forces.\nCyber Threats Facing the United States\n    The numbers above do not provide a sense of the wide range in the \ntypes of cases we see. 
Over the past several years we have seen a range \nof computer crimes ranging from simple hacking by juveniles to \nsophisticated intrusions that we suspect may be sponsored by foreign \npowers, and everything in between. A website hack that takes an e-\ncommerce site off-line or deprives a citizen of information about the \nworkings of her government or important government services she needs, \nthese are serious matters. An intrusion that results in the theft of \ncredit card numbers or proprietary information or the loss of sensitive \ngovernment information can threaten our national security and undermine \nconfidence in e-commerce. A denial-of-service attack that can knock e-\ncommerce sites off-line, as we've seen over the last week, can have \nsignificant consequences, not only for victim companies, but also for \nconsumers and the economy as a whole. Because of these implications, it \nis critical that we have in place the programs and resources to \nconfront this threat. The following is a breakdown of types of \nmalicious actors and the seriousness of the threat they pose.\n    Insider Threat.--The disgruntled insider is a principal source of \ncomputer crimes. Insiders do not need a great deal of knowledge about \ncomputer intrusions, because their knowledge of victim systems often \nallows them to gain unrestricted access to cause damage to the system \nor to steal system data. The 1999 Computer Security Institute/FBI \nreport notes that 55 percent of respondents reported malicious activity \nby insiders.\n    There are many cases in the public domain involving disgruntled \ninsiders. For example, Shakuntla Devi Singla used her insider knowledge \nand another employee's password and logon identification to delete data \nfrom a U.S. Coast Guard personnel database system. It took 115 agency \nemployees over 1,800 hours to recover and reenter the lost data. Ms. 
\nSingla was convicted and sentenced to five months in prison, five \nmonths home detention, and ordered to pay $35,000 in restitution.\n    In January and February 1999 the National Library of Medicine (NLM) \ncomputer system, relied on by hundreds of thousands of doctors and \nmedical professionals from around the world for the latest information \non diseases, treatments, drugs, and dosage units, suffered a series of \nintrusions where system administrator passwords were obtained, hundreds \nof files were downloaded which included sensitive medical ``alert'' \nfiles and programming files that kept the system running properly. The \nintrusions were a significant threat to public safety and resulted in a \nmonetary loss in excess of $25,000. FBI investigation identified the \nintruder as Montgomery Johns Gray, III, a former computer programmer \nfor NLM, whose access to the computer system had been revoked. Gray was \nable to access the system through a ``backdoor'' he had created in the \nprogramming code. Due to the threat to public safety, a search warrant \nwas executed for Gray's computers and Gray was arrested by the FBI \nwithin a few days of the intrusions. Subsequent examination of the \nseized computers disclosed evidence of the intrusion as well as images \nof child pornography. Gray was convicted by a jury in December 1999 on \nthree counts for violation of 18 U.S.C. 1030. Subsequently, Gray \npleaded guilty to receiving obscene images through the Internet, in \nviolation of 47 U.S.C. 223.\n    Hackers.--Hackers are also a common threat. They sometimes crack \ninto networks simply for the thrill of the challenge or for bragging \nrights in the hacker community. More recently, however, we have seen \nmore cases of hacking for illicit financial gain or other malicious \npurposes. 
While remote cracking once required a fair amount of skill or \ncomputer knowledge, hackers can now download attack scripts and \nprotocols from the World Wide Web and launch them against victim sites. \nThus while attack tools have become more sophisticated, they have also \nbecome easier to use. The recent denial-of-service attacks are merely \nillustrations of the disruption that can be caused by tools now readily \navailable on the Internet. Hacks can also be mistaken for something \nmore serious. This happened initially in the Solar Sunrise case, \ndiscussed below.\n    Hacktivism.--Recently we have seen a rise in what has been dubbed \n``hacktivism''--politically motivated attacks on publicly accessible \nweb pages or e-mail servers. These groups and individuals overload e-\nmail servers and hack into web sites to send a political message. While \nthese attacks generally have not altered operating systems or networks, \nthey still damage services and deny the public access to websites \ncontaining valuable information and infringe on others' rights to \ncommunicate. One such group is called the ``Electronic Disturbance \nTheater,'' which promotes civil disobedience on-line in support of its \npolitical agenda regarding the Zapatista movement in Mexico and other \nissues. This past spring they called for worldwide electronic civil \ndisobedience and have taken what they term ``protest actions'' against \nWhite House and Department of Defense servers. In addition, during the \nrecent conflict in Yugoslavia, hackers sympathetic to Serbia \nelectronically ``ping'' attacked NATO web servers. Russians, as well as \nother individuals supporting the Serbs, attacked websites in NATO \ncountries, including the United States, using virus-infected e-mail and \nhacking attempts.\n    Supporters of Kevin Mitnick hacked into the Senate webpage and \ndefaced it in May and June of last year. 
Mitnick had pled guilty to \nfive felony counts and was sentenced in August 1999 to 46 months in \nfederal prison and ordered to pay restitution. Mitnick was released \nfrom custody in January 2000 after receiving credit for time served on \nprior convictions.\n    The Internet has enabled new forms of political gathering and \ninformation sharing for those who want to advance social causes; that \nis good for our democracy. But illegal activities that disrupt e-mail \nservers, deface web-sites, and prevent the public from accessing \ninformation on U.S. Government and private sector web sites should be \nregarded as criminal acts that deny others their First Amendment rights \nto communicate rather than as an acceptable form of protest.\n    Virus Writers.--Virus writers are posing an increasingly serious \nthreat to networks and systems worldwide. As noted above, we have had \nseveral damaging computer viruses this year, including the Melissa \nMacro Virus, the Explore.Zip worm, and the CIH (Chernobyl) Virus. The \nNIPC frequently sends out warnings or advisories regarding particularly \ndangerous viruses.\n    The Melissa Macro Virus was a good example of our response to a \nvirus spreading in the networks. The NIPC sent out warnings as soon as \nit had solid information on the virus and its effects. On the \ninvestigative side, the NIPC acted as a central point of contact for \nthe field offices who worked leads on the case. A tip received by the \nNew Jersey State Police from America Online, and their follow-up \ninvestigation with the FBI's Newark Field Office, led to the April 1, \n1999 arrest of David L. Smith. Search warrants were executed in New \nJersey by the New Jersey State Police and FBI Special Agents from the \nNewark Field Office. Mr. Smith pleaded guilty to one count of violating \nTitle 18, U.S.C. 1030 in Federal Court. 
Smith stipulated to affecting \none million computer systems and causing $80 million in damage.\n    Criminal Groups.--We are also seeing the increased use of cyber \nintrusions by criminal groups who attack systems for purposes of \nmonetary gain. In September, 1999, two members of a group dubbed the \n``Phonemasters'' were sentenced after their conviction for theft and \npossession of unauthorized access devices (18 U.S.C. Sec. 1029) and \nunauthorized access to a federal interest computer (18 U.S.C. \nSec. 1030). The ``Phonemasters'' were an international group of \ncriminals who penetrated the computer systems of MCI, Sprint, AT&T, \nEquifax, and even the FBI's National Crime Information Center. Under \njudicially approved electronic surveillance orders, the FBI's Dallas \nField Office made use of new data intercept technology to monitor the \ncalling activity and modem pulses of one of the suspects, Calvin \nCantrell. Mr. Cantrell downloaded thousands of Sprint calling card \nnumbers, which he sold to a Canadian individual, who passed them on to \nsomeone in Ohio. These numbers made their way to an individual in \nSwitzerland and eventually ended up in the hands of organized crime \ngroups in Italy. Mr. Cantrell was sentenced to two years as a result of \nhis guilty plea, while one of his associates, Cory Lindsay, was \nsentenced to 41 months.\n    The ``Phonemasters''' methods included ``dumpster diving'' to \ngather old phone books and technical manuals for systems. They then \nused this information to trick employees into giving up their logon and \npassword information. The group then used this information to break \ninto victim systems. It is important to remember that often ``cyber \ncrimes'' are facilitated by old fashioned guile, such as calling \nemployees and tricking them into giving up passwords. 
Good ``cyber \nsecurity'' practices must therefore address personnel security and \n``social engineering'' in addition to instituting electronic security \nmeasures.\n    Distributed Denial of Service Attacks.--In the fall of 1999, the \nNIPC began receiving reports about a new threat on the Internet--\nDistributed Denial of Service Attacks. In these cases, hackers plant \ntools such as Trinoo, Tribal Flood Net (TFN), TFN2K, or Stacheldraht \n(German for barbed wire) on a number of unwitting victim systems. Then \nwhen the hacker sends the command, the victim systems in turn begin \nsending messages against a target system. The target system is \noverwhelmed with the traffic and is unable to function. Users trying to \naccess that system are denied its services. The NIPC issued an alert \nregarding these tools in December 1999 in order to notify the private \nsector and government agencies about this threat. Moreover, the NIPC's \nSpecial Technologies and Applications Unit (STAU) created and released \nto the public a software tool that enables system administrators to \nidentify DDOS software installed on victimized machines. The public has \ndownloaded these tools tens of thousands of times from the web site, \nand has responded to the FBI by reporting many intrusions and \ninstallations of the DDOS software. The public received the NIPC tool \nso well that the computer security trade group SANS awarded their \nyearly Security Technology Leadership Award to members of the STAU. The \navailability of this tool has helped facilitate our investigations of \nongoing criminal activity by uncovering evidence on victim computer \nsystems.\n    On February 8, 2000, the FBI received reports that Yahoo had \nexperienced a denial of service attack. In a display of the close \ncooperative relationship the NIPC has developed with the private \nsector, in the days that followed, several other companies also \nreported denial of service outages. 
These companies cooperated with our \nNational Infrastructure Protection and Computer Intrusion squads in the \nFBI field offices and provided critical logs and other information. \nStill, the challenges to apprehending the suspects are substantial. In \nmany cases, the attackers used ``spoofed'' IP addresses, meaning that \nthe address that appeared on the target's log was not the true address \nof the system that sent the messages.\n    The resources required in these investigations can be substantial. \nAlready we have five FBI field offices with cases opened: Los Angeles, \nSan Francisco, Atlanta, Boston, and Seattle. Each of these offices has \nvictim companies in its jurisdiction. In addition, so far seven field \noffices are supporting the five offices that have opened \ninvestigations. The NIPC is coordinating the nationwide investigative \neffort, performing technical analysis of logs from victims sites and \nInternet Service Providers, and providing all-source analytical \nassistance to field offices. Agents from these offices are following up \nliterally hundreds of leads. While the crime may be high tech, \ninvestigating it involves a substantial amount of traditional police \nwork as well as technical work. For example, in addition to following \nup leads, NIPC personnel need to review an overwhelming amount of log \ninformation received from the victims. Much of this analysis needs to \nbe done manually. Analysts and agents conducting this analysis have \nbeen drawn off other case work. In the coming years we expect our case \nload to substantially increase.\n    Terrorists.--Terrorists are known to use information technology and \nthe Internet to formulate plans, raise funds, spread propaganda, and to \ncommunicate securely. For example, convicted terrorist Ramzi Yousef, \nthe mastermind of the World Trade Center bombing, stored detailed plans \nto destroy United States airliners on encrypted files on his laptop \ncomputer. 
Moreover, some groups have already used cyber attacks to \ninflict damage on their enemies' information systems. For example, a \ngroup calling itself the Internet Black Tigers conducted a successful \n``denial of service'' attack on servers of Sri Lankan government \nembassies. Italian sympathizers of the Mexican Zapatista rebels \nattacked web pages of Mexican financial institutions. Thus, while we \nhave yet to see a significant instance of ``cyber terrorism'' with \nwidespread disruption of critical infrastructures, all of these facts \nportend the use of cyber attacks by terrorists to cause pain to \ntargeted governments or civilian populations by disrupting critical \nsystems.\n    Foreign intelligence services.--Foreign intelligence services have \nadapted to using cyber tools as part of their information gathering and \nespionage tradecraft. In a case dubbed ``the Cuckoo's Egg,'' between \n1986 and 1989 a ring of West German hackers penetrated numerous \nmilitary, scientific, and industry computers in the United States, \nWestern Europe, and Japan, stealing passwords, programs, and other \ninformation which they sold to the Soviet KGB. Significantly, this was \nover a decade ago--ancient history in Internet years. While I cannot go \ninto specifics about the situation today in an open hearing, it is \nclear that foreign intelligence services increasingly view computer \nintrusions as a useful tool for acquiring sensitive U.S. Government and \nprivate sector information.\n    Sensitive Intrusions.--In the last two years we have seen a series \nof intrusions into numerous Department of Defense computer networks as \nwell as networks of other federal agencies, universities, and private \nsector entities. Intruders have successfully accessed U.S. Government \nnetworks and taken enormous amounts of unclassified but sensitive \ninformation. 
In investigating these cases, the NIPC has been \ncoordinating with FBI Field Offices, Legats, the Department of Defense \n(DOD), and other government agencies, as circumstances require. The \ninvestigation has determined that these intrusions appear to originate \nin Russia. The NIPC has also supported other very sensitive \ninvestigations, including the possible theft of nuclear secrets from \nLos Alamos National Laboratory in New Mexico. It is important that the \nCongress and the American public understand the very real threat that \nwe are facing in the cyber realm, not just in the future, but now.\n    Information Warfare.--One of the greatest potential threats to our \nnational security is the prospect of ``information warfare'' by foreign \nmilitaries against our critical infrastructures. We know that several \nforeign nations are already developing information warfare doctrine, \nprograms, and capabilities for use against each other and the United \nStates or other nations. Foreign nations are developing information \nwarfare programs because they see that they cannot defeat the United \nStates in a head-to-head military encounter and they believe that \ninformation operations are a way to strike at what they perceive as \nAmerica's Achilles Heel--our reliance on information technology to \ncontrol critical government and private sector systems. For example, \ntwo Chinese military officers recently published a book that called for \nthe use of unconventional measures, including the propagation of \ncomputer viruses, to counterbalance the military power of the United \nStates. A serious challenge we face is even recognizing when a nation \nmay be undertaking some form of information warfare. 
If another nation \nlaunched an information warfare attack against the United States, the \nNIPC would be responsible to gather information on the attack and work \nwith the appropriate defense, intelligence, and national command \nauthorities.\nTraditional Threats to Society Moved to the Cyber Realm\n    Computers and networks are not just being used to commit new crimes \nsuch as computer intrusions, denial of service attacks, and virus \npropagation, but they are also facilitating some traditional criminal \nbehavior such as extortion threats, fraud and the transmission of child \npornography. For example, the NIPC recently supported an investigation \ninvolving e-mail threats sent to a Columbine High School student \nthreatening violence.\n    Child Pornography and Exploitation.--While the Internet has been a \ntremendous boon for information sharing and for our economy, it \nunfortunately has also become a zone where predators prey on the \nweakest and most vulnerable members of our society, our children. The \nsex offender using a computer is not a new type of criminal. Rather it \nis simply a case of modern technology being combined with an age old \nproblem. The use of computers has made child pornography more available \nnow than at any time since the 1970s. An offender can use a computer to \ntransfer, manipulate, or even create child pornography. Images can be \nstored, transferred from video tape or print media, and transmitted via \nthe Internet. With newer technology, faster processors and modems, \nmoving images can now also be transmitted. In addition, the information \nand images stored and transmitted can be encrypted to deter or avoid \ndetection. 
As computers and technological enhancements, such as faster \nmodems and processors, become less expensive and more sophisticated, \nthe potential for abuse will grow.\n       challenges to law enforcement in investigating cybercrime\n    The burgeoning problem of cybercrime poses unique challenges to law \nenforcement. These challenges require novel solutions, close teamwork \namong agencies and with the private sector, and adequate numbers of \ntrained and experienced agents and analysts with sophisticated \nequipment.\nIdentification and Jurisdictional Challenges\n    Identifying the Intruder.--One major difficulty that distinguishes \ncyber threats from physical threats is determining who is attacking \nyour system, why, how, and from where. This difficulty stems from the \nease with which individuals can hide or disguise their tracks by \nmanipulating logs and directing their attacks through networks in many \ncountries before hitting their ultimate target. The now well known \n``Solar Sunrise'' case illustrates this point. Solar Sunrise was a \nmulti-agency investigation (which occurred while the NIPC was being \nestablished) of intrusions into more than 500 military, civilian \ngovernment, and private sector computer systems in the United States, \nduring February and March 1998. The intrusions occurred during the \nbuild-up of United States military personnel in the Persian Gulf in \nresponse to tension with Iraq over United Nations weapons inspections. \nThe intruders penetrated at least 200 unclassified U.S. military \ncomputer systems, including seven Air Force bases and four Navy \ninstallations, Department of Energy National Laboratories, NASA sites, \nand university sites. 
Agencies involved in the investigation included \nthe FBI, DOD, NASA, Defense Information Systems Agency, AFOSI, and the \nDepartment of Justice (DOJ).\n    The timing of the intrusions and links to some Internet Service \nProviders in the Gulf region caused many to believe that Iraq was \nbehind the intrusions. The investigation, however, revealed that two \njuveniles in Cloverdale, California, and several individuals in Israel \nwere the culprits. Solar Sunrise thus demonstrated to the interagency \ncommunity how difficult it is to identify an intruder until facts are \ngathered in an investigation, and why assumptions cannot be made until \nsufficient facts are available. It also vividly demonstrated the \nvulnerabilities that exist in our networks; if these individuals were \nable to assume ``root access'' to DOD systems, it is not difficult to \nimagine what hostile adversaries with greater skills and resources \nwould be able to do. Finally, Solar Sunrise demonstrated the need for \ninteragency coordination by the NIPC.\n    Jurisdictional Issues.--Another significant challenge we face is \nhacking in multiple jurisdictions. A typical hacking investigation \ninvolves victim sites in multiple states and often many countries. This \nis the case even when the hacker and victim are both located in the \nUnited States. In the United States, we can subpoena records and \nexecute search warrants on suspects' homes, seize evidence, and examine \nit. We can do none of those things ourselves overseas, rather, we \ndepend on the local authorities. In some cases the local police forces \nsimply do not understand or cannot cope with the technology. In other \ncases, these nations simply do not have laws against computer \nintrusions. Our Legats are working very hard to build bridges with \nlocal law enforcement to enhance cooperation on cyber crime. 
The NIPC \nhas held international computer crime conferences with foreign law \nenforcement officials to develop liaison contacts and bring these \nofficials up to speed on cybercrime issues. We have also held \ncybercrime training classes for officers from partner nations.\n    Despite the difficulties, we have had some success in investigating \nand prosecuting these crimes. In 1996 and 1997, the National Oceanic \nand Atmospheric Administration (NOAA) suffered a series of computer \nintrusions that were linked to a set of intrusions occurring at the \nNational Aeronautics and Space Administration (NASA). Working with the \nCanadian authorities, it was determined that the subject resided in \nCanada. In April 1999, Jason G. Mewhiney was indicted by Canadian \nauthorities. In January 2000, he pled guilty to 12 counts of computer \nintrusions and the Canadian Superior Court of Justice sentenced him to \n6 months in jail for each of the counts, with the sentences running \nconcurrently. In another case, Peter Iliev Pentchev, a Princeton \nUniversity student, was identified as an intruder on an e-commerce \nsystem. An estimated 1,800 credit card numbers, customer names, and \nuser passwords were stolen. The company had to shut down its web \nservers for five days to repair the damages estimated at $100,000. \nPentchev has fled to his native Bulgaria and the process is being \ndetermined to return Pentchev to the United States to face charges.\n    In 1994-95, an organized crime group headquartered in St. \nPetersburg, Russia, transferred $10.4 million from Citibank into \naccounts all over the world. After investigation by the FBI's New York \nfield office, all but $400,000 of the funds were recovered. Cooperation \nwith Russian authorities helped bring Vladimir Levin, the perpetrator, \nto justice. In another case, the FBI investigated Julio Cesar Ardita, \nan Argentine computer science student who gained unauthorized access to \nNavy and NASA computer systems. 
He committed these intrusions from \nArgentina, and Argentine authorities cooperated with the FBI on the \ninvestigation. While he could not be extradited for the offenses, he \nreturned voluntarily to the United States and was sentenced to three \nyears probation. In all of these cases, Legats have been essential to \nthe investigation. As the Internet spreads to even more countries, we \nwill see greater demand placed on the Legats to support computer \nintrusion investigations.\nHuman and Technical Challenges\n    The threats we face are compounded by human and technical \nchallenges posed by these types of investigations. The first problem \nis, of course, having enough positions for agents, computer scientists, \nand analysts to work computer intrusions. Once we have the authorized \npositions, we face the issue of recruiting people to fill these \npositions, training them in the rapidly changing technology, and \nretaining them. There is a very tight market out there for information \ntechnology professionals. The Federal Government needs to be able to \nrecruit the very best people into its programs. Fortunately, we can \noffer exciting, cutting-edge work in this area and can offer agents, \nanalysts, and computer scientists the opportunities to work on issues \nthat no one else addresses, and to make a difference to our national \nsecurity and public safety.\n    Our current resources are stretched paper thin. We only have 193 \nagents assigned to NIPC squads and teams nationwide. Major cases, such \nas the recent DDOS attacks on Yahoo, draw a tremendous amount of \npersonnel resources. Most of our technical analysts will have to be \npulled from other work to examine the log files received from the \nvictim companies. Tracking down hundreds of leads will absorb the \nenergy of a dozen field offices. And this is all reactive. My goal is \nfor the FBI to become proactive in this area just as we have in other \nareas such as drugs and violent crime. 
In a few minutes I'll discuss \nwhat we need to do to improve our cybercrime fighting capabilities to \nbecome proactive in fighting cybercrime.\n    The technical challenges of fighting crime in this arena are \nequally vast. We can start just by looking at the size of the Internet \nand its exponential growth. Today it is estimated that more than 60,000 \nindividual networks with 40 million users are connected to the \nInternet. Thousands of more sites and people are coming on line every \nmonth. In addition, the power of personal computers is vastly \nincreasing. The FBI's Computer Analysis Response Team (CART) examiners \nconducted 1,260 forensic examinations in 1998 and 1,900 in 1999. With \nthe anticipated increase in high technology crime and the growth of \nprivate sector technologies, the FBI expects 50 percent of its caseload \nto require at least one computer forensic examination. By 2001, the FBI \nanticipates the number of required CART examinations to rise to 6,000.\n    It is important to note that personnel resources with very specific \ntechnical skills are required not only for computer and Internet based \ncrimes such as the DDOS incidents, but are increasingly necessary for \nmore traditional matters as well. Examples of this type of problem \ninclude the approximately 6,000 man hours that the NIPC was required to \nexpend investigating a recent computer-based espionage case. The NIPC's \nSpecial Technologies and Applications Unit (STAU) received \napproximately one million raw files from CART, and was required by the \ninvestigators to reproduce the activities of individuals over a period \nof years from that raw data. The amount of information which was \nrequired to be processed by STAU, and is still necessary to process, \nwould fill the Library of Congress nearly twice. This type of case \nillustrates where technical analysis of the highest order has become \nnecessary in sophisticated espionage matters. 
A recent extortion and \nbombing illustrate how traditional violent criminals are also turning \nto high technology. In this extortion case, the bomber's demands \nincluded that the victim post their responses to his requirements on \ntheir web site. The STAU was required to sort through millions of web \nsite ``hits'' to discern which entries may have come from the bomber. \nBased on information generated by the STAU's efforts, agents were able \nto trace the bomber to a specific telephone line to his home address.\n    Clearly, the FBI needs engineering personnel to develop and deploy \nsophisticated electronic surveillance capabilities in an increasingly \ncomplex and technical investigative environment, skilled CART personnel \nto conduct the computer forensics examinations to support an \nincreasingly diverse set of cases involving computers, as well as \nexpert NIPCI personnel to examine network log files to track the path \nan intruder took to his victim. In cases such as Los Alamos or \nColumbine, both NIPCI and CART personnel were called in to bring their \nunique areas of expertise to bear on the case.\n    During the last part of 1998, most computers on the market had hard \ndrives of 6-8 gigabytes (GB). Very soon 13-27 GB hard drives will \nbecome the norm. By the end of 2000, we will be seeing 60-80 GB hard \ndrives. All this increase in storage capacity means more data that must \nbe searched by our forensics examiners, since even if these hard drives \nare not full, the CART examiner must review every bit of data and every \narea of the media to search for evidence.\n    The FBI has an urgent requirement for improved tools, techniques \nand services for gathering, processing, and analyzing data from \ncomputers and computer networks to acquire critical intelligence and \nevidence of criminal activity. 
Over the past three years, the FBI's \nLaboratory Division (LD) has been increasingly requested to provide \ndata interception support for such investigative programs as: \nInfrastructure Protection, Violent Crimes (Exploitation of Children, \nExtortion), Counterterrorism, and Espionage. In fact, since 1997, the \nLD has seen a dramatic increase in field requests for assistance with \ninterception of data communications. Unless the FBI increases its \ncapability and capacity for gathering and processing computer data, \ninvestigators and prosecutors will be denied timely access to valuable \nevidence that will solve crimes and support the successful prosecutions \nof child pornographers, drug traffickers, corrupt officials, persons \ncommitting fraud, terrorists, and other criminals.\n    One of the largest challenges to FBI computer investigative \ncapabilities lies in the increasingly widespread use of strong \nencryption. The widespread use of digitally-based telecommunications \ntechnologies, and the unprecedented expansion of computer networks \nincorporating privacy features/capabilities through the use of \ncryptography (i.e. encryption), has placed a tremendous burden on the \nFBI's electronic surveillance technologies. Today the most basic \ncommunications employ layers of protocols, formatting, compression and \nproprietary coding that were non-existent only a few years ago. New \ncryptographic systems provide robust security to conventional and \ncellular telephone conversations, facsimile transmissions, local and \nwide area networks, Internet communications, personal computers, \nwireless transmissions, electronically stored information, remote \nkeyless entry systems, advanced messaging systems, and radio frequency \ncommunications systems. The FBI is already encountering the use of \nstrong encryption. 
In 1999, 53 new cases involved the use of \nencryption.\n    The FBI is establishing a centralized capability for development of \ninvestigative tools which support the law enforcement community's \ntechnical needs for cybercrime investigations, including processing and \ndecrypting lawfully intercepted digital communications and \nelectronically stored information. A centralized approach is \nappropriate since state and local law enforcement have neither the \nprocessing power nor trained individuals to assume highly complex \nanalysis or reverse engineering tasks. The fiscal year 2001 budget \nincludes $7,000,000 for this effort.\n    The need for a law enforcement centralized civilian resource for \nprocessing and decrypting lawfully intercepted digital communications \nand electronically stored information is well documented in several \nstudies, including:\n  --The National Research Council's Committee Report entitled \n        ``Cryptography's Role in Securing the Information Society.'' \n        Specifically, the Committee recommended that high priority be \n        given to the development of technical capabilities, such as \n        signal analysis and decryption, to assist law enforcement in \n        coping with technological challenges.\n  --In 1996, Public Law 104-132 Section 811, the 104th Congress \n        acknowledged the critical need and authorized the Attorney \n        General to ``* * * support and enhance the technical support \n        [capabilities] * * *'' of the FBI.\n  --The Administration policy position as set forth in the September \n        16, 1998, press release acknowledges that ``The Administration \n        intends to support FBI's establishment of a technical support \n        [capability] to help build the technical capacity of law \n        enforcement--Federal, State, and local--to stay abreast of \n        advancing communications technology.''\n    It has been the position of the FBI that law enforcement should \nseek the 
voluntary cooperation of the computer hardware and software \nindustry as a means of attempting to address the public safety issues \nassociated with use of encryption in furtherance of serious criminal \nactivity. Over the past year and a half, the FBI has initiated an \naggressive industry outreach strategy to inform industry of law \nenforcement's needs in the area of encryption, to continue to encourage \nthe development of recoverable encryption products that meet law \nenforcement's needs, and to seek industry's assistance regarding the \ndevelopment of law enforcement plaintext access ``tools'' and \ncapabilities when non-recoverable encryption products are encountered \nduring the course of lawful investigations.\n    The FBI will be meeting this year with industry in an environment \nwherein various computer and software industry representatives can \nexchange technical and business information regarding encryption and \nencryption products with law enforcement. This information will assist \nlaw enforcement agencies with establishing development and operational \nstrategies to make the most effective use of limited resources.\nState and Local Assistance\n    Just as with other crimes, often the state and local authorities \nare going to be the first ones on the scene. The challenge for these \nlaw enforcement officers is even greater than the one the Federal \nGovernment faces in that state and local law enforcement is less likely \nto have the expertise to investigate computer intrusions, gather and \nexamine cyber media and evidence. The challenge for the federal \ngovernment is to provide the training and backup resources to the state \nand local levels so that they can successfully conduct investigations \nand prosecutions in their jurisdictions. This sort of cooperation is \nalready showing results. For example, the FBI worked with the New \nJersey State Police on the Melissa Macro Virus case that resulted in \nthe arrest of David L. 
Smith by the New Jersey authorities. In \naddition, the NIPC and our Training Division are working together to \nprovide training to state and local law enforcement officers on \ncybercrime. In fiscal year 1999 over 383 FBI Agents, state and local \nlaw enforcement and other government representatives have taken NIPC \nsponsored or outside training on computer intrusion and network \nanalysis, energy and telecommunications key assets. We have made great \nstrides in developing our training program for state and local law \nenforcement officials. More NIPC training than ever before is being \nconducted outside of Washington, DC, meaning that more state and local \nofficers should have the opportunity to attend these classes with less \ndisruption to their schedules and less travel. One of the main \nresponsibilities of the NIPC Training and Continuing Education Unit is \nto develop and manage the state and local Law Enforcement Training \nProgram. This program trains state and local law enforcement officials \nin a myriad of state-of-the-art cyber courses.\n    Building on the success of the San Diego Regional Computer Forensic \nLaboratory, the Attorney General asked the FBI and the Office of \nJustice Programs, to work in partnership to develop a series of \nregional laboratories. These facilities will provide computer forensic \nservices as joint ventures among federal, state and local law \nenforcement. Six million dollars is requested in the Office of Justice \nPrograms to establish several regional computer forensic laboratories. \nWorking together, we are identifying geographical areas where the \nestablishment of such partnerships could make significant impact.\n    The NIPC is supporting the Attorney General's proposal to create a \nnetwork of federal, state, and local law enforcement personnel for \ncombating cybercrimes. 
We are instructing each field office to have a \npoint of contact at the appropriate investigative agencies regarding \ntheir area of jurisdiction and to provide this information to NIPC at \nFBIHQ.\n    Presidential Decision Directive (PDD) 63 identified the Emergency \nLaw Enforcement Services Sector (ELES) as one of the eight critical \ninfrastructures. PDD 63 further designated the Federal Bureau of \nInvestigation as the lead agency with protecting the ELES. The NIPC is \ncurrently working on a strategic plan for this sector and holding \nmeetings with sector representatives. This involves developing and \nimplementing a plan to help law enforcement protect its own systems \nfrom attack so it will be able to deliver vitally needed services to \nthe public.\n    Success of the NIPC requires building on proven mechanisms to \ndevelop and maintain long-term relationships with state and local law \nenforcement agencies. NIPC oversees outreach programs, coordinates \ntraining, shares information and coordinates interagency efforts to \nplan for, deter, and respond to cyber attacks.\n    Currently, the NIPC is sharing information with state and local \ngovernments via Law Enforcement On-line (LEO) and the National Law \nEnforcement Telecommunications System. Timely coordination and sharing \nof information with other law enforcement agencies is essential in \ncombating the cyber threat in the Information Age. Local law \nenforcement is also encouraged to join the InfraGard chapters in their \narea.\n    State and local agencies investigate and prosecute cyber crimes \nbased on violations of local laws. By sharing investigative data with \nthe NIPC, emerging trends can be identified, analyzed and further \nshared with other agencies to share investigative responsibilities with \ntheir local FBI field office and the NIPC. 
The cross-jurisdictional \nnature of cyber crimes, in which attacks occur outside the state or \neven national borders, means that investigative efforts must be \ncoordinated among local, state and federal agencies to ensure effective \nprosecution.\n               fbi cybercrime investigation capabilities\nNational Infrastructure Protection Center\n    Under PDD-63, the NIPC's mission is to detect, warn of, respond to, \nand investigate computer intrusions and unlawful acts that threaten or \ntarget our critical infrastructures. The Center not only provides a \nreactive response to an attack that has already occurred, but \nproactively seeks to discover planned attacks and issues warnings \nbefore they occur. This large and difficult task requires the \ncollection and analysis of information gathered from all available \nsources (including law enforcement investigations, intelligence \nsources, data voluntarily provided by industry and open sources) and \ndissemination of analyses and warnings of possible attacks to potential \nvictims, whether in the government or the private sector. To accomplish \nthis mission, the NIPC relies on the assistance of, and information \ngathered by the FBI's 56 field offices, other federal agencies, state \nand local law enforcement, and perhaps most importantly, the private \nsector.\n    The NIPC, while located at the FBI, is an interagency center, with \nrepresentatives from many other agencies, including DOD, the U.S. \nIntelligence Community, and other federal agencies. The NIPC at FBI \nHeadquarters currently has 79 FBI personnel, with an authorized ceiling \nof 94. There are 22 representatives from Other Government Agencies \n(OGAs), the private sector, state and local law enforcement, and our \ninternational partners at the Center. 
Our target for OGA and private \nsector participation is 40.\n    To accomplish its goals, the NIPC is organized into three sections:\n    The Computer Investigations and Operations Section (CIOS) is the \noperational response arm of the Center. It program manages computer \nintrusion investigations conducted by FBI field offices throughout the \ncountry; provides subject matter experts, equipment, and technical \nsupport to cyber investigators in federal, state and local government \nagencies involved in critical infrastructure protection; and provides a \ncyber emergency response capability to help resolve a cyber incident.\n    The Analysis and Warning Section (AWS) serves as the indications \nand warning arm of the NIPC. It provides analytical support during \ncomputer intrusion investigations and long-term analyses of \nvulnerability and threat trends. Through its 24/7 watch and warning \ncapability, it distributes tactical warnings and analyses to all the \nrelevant partners, informing them of potential vulnerabilities and \nthreats and long-term trends. It also reviews numerous government and \nprivate sector databases, media, and other sources daily to gather \ninformation that may be relevant to any aspect of our mission, \nincluding the gathering of indications of a possible attack.\n    The Training, Outreach and Strategy Section (TOSS) coordinates the \ntraining and education of cyber investigators within the FBI field \noffices, state and local law enforcement agencies, and private sector \norganizations. It also coordinates outreach to private sector \ncompanies, state and local governments, other government agencies, and \nthe FBI's field offices. In addition, this section manages collection \nand cataloguing of information concerning ``key assets'' across the \ncountry. 
Finally, it handles our strategic planning and administrative \nfunctions with FBI and DOJ, the National Security Council, other \nagencies and Congress.\n    Through these, the Center brings its unique perspective as the only \nnational organization devoted to investigation, analysis, warning, and \nresponse to attacks on the infrastructures. Further, as an interagency \nentity, the NIPC takes a broad view of infrastructure protection, \nlooking not just at reactive investigations but also at proactive \nwarnings and prevention. Finally, through the FBI, the Center has a \nnational reach to implement policy. The Center is working closely on \npolicy initiatives with its Federal partners and meets regularly with \nthe other Federal lead agencies on policy issues.\nNational Infrastructure Protection and Computer Intrusion Squads/Teams\n    In October 1998, the National Infrastructure Protection and \nComputer Intrusion Program (NIPCIP) was approved as an investigative \nprogram and resources were created and placed in each FBI field office \nwith the NIPC at FBI Headquarters acting as program manager.\n    By the end of this fiscal year, there will be 16 FBI Field Offices \nwith regional NIPC squads. Each of these squads will be staffed with 7 \nto 8 agents. Nationwide, there are 193 agents dedicated to \ninvestigating NIPC matters. In order to maximize investigative \nresources the FBI has taken the approach of creating regional squads \nthat have sufficient size to work difficult major cases and to assist \nthose field offices without an NIPC squad. In those field offices \nwithout squads, the FBI is building a baseline capability by having one \nor two agents to work NIPC matters, i.e. computer intrusions (criminal \nand national security), viruses, InfraGard, state and local liaison \netc.\nComputer Analysis and Response Teams (CART)\n    An essential element in the investigation of computer crime is the \nrecovery of evidence from electronic media. 
In a murder investigation, \nthe detectives investigate the case but the coroner examines the body \nfor evidence of how the crime was committed. The CART personnel serve \nthis function in cyber investigations. CART examiners perform three \nessential functions. First, they extract data from computer and network \nsystems, and conduct forensic examinations and on-site field support to \nall FBI investigations and programs where computers and storage media \nare required as evidence. Second, they provide technical support and \nadvice to field agents conducting such investigations. Finally, they \nassist in the development of technical capabilities needed to produce \ntimely and accurate forensic information.\n    Currently the FBI has 26 full time CART personnel at FBI \nHeadquarters and 62 full-time and 54 part-time CART personnel in the \nfield, for a total of 142 trained CART personnel. CART resources are \nused in a variety of investigations ranging from sensitive espionage \ncases to health care fraud. For example, on September 12, 1998, the FBI \nexecuted the arrest of individuals who were involved in an espionage \nring trying to penetrate U.S. military bases on behalf of the Cuban \ngovernment. During the arrest of these individuals CART conducted the \nseizure of 35 Gb of digital evidence to include personal computers \ncontaining twelve (12) hard drives, 2,500 floppy diskettes, and \nassorted CD-ROMs. The FBI deployed more than 30 CART field examiners \nduring the search and examination which consumed thousands of hours of \ntheir time.\n    In order to process the vast quantities of information required, \nthe CART program needs to purchase or develop new ways of handling \ndigital evidence. One program used by the FBI is the Automated Computer \nExamination System (ACES), a data exploration tool developed by the FBI \nLaboratory, to scan thousands of files for identification of known \nformat and executable program files. 
ACES verifies that certain \nprogram, batch or executable files are for computer operation and do \nnot represent a file in which potential evidentiary material is stored. \nResults from an ACES examination can be passed to other analytical \nutilities used in examining a computer.\n    The FBI is also working with other federal agencies as well as \nstate and local law enforcement to share data and forensic expertise. \nIn San Diego, a regional computer forensic capability has been \nestablished that is staffed by the FBI, the Navy, and the San Diego \npolice department, among others. This lab serves as a resource for the \nentire region. The vast majority of all computer related seizures in \nSan Diego County are currently being made through the RCFL. During the \nstart-up period (Summer 1999 to December 1999), although all \nparticipating agencies had been co-located, each examiner had been \nworking on his own agency's cases. As of January 3, 2000, the San \nDiego lab started receiving submissions as a joint facility and jointly \ntracking those submissions. As of February 3, the lab had received 26 \ncases, including three federal cases consisting of large scale \nnetworks, and local cases including a death threat to a Judge, a \npoisoning case, and a child molestation case. We recognize that state \nand local law enforcement often will not have the resources for complex \ncomputer forensics, and we hope that the San Diego model can be \nexpanded.\nTechnical Investigative Support\n    The FBI has long had capabilities regarding the interception of \nconventional phone lines and modems. The rapid advance of data \ntechnologies and the unregulated nature of the Internet has resulted in \na myriad of technologies and protocols which make the interception of \ndata communications extremely difficult. 
It is critical that the FBI \nproperly equip investigators with technical capabilities for utilizing \nthe critical investigative tools on lawfully authorized Title III and \nTitle 50 interception.\nInnocent Images Initiative/Child Pornography\n    The FBI has moved aggressively against child pornographers. In 1995 \nthe FBI's first undercover operation, code name Innocent Images, was \ninitiated. Almost five years later, Innocent Images is an FBI National \nInitiative, supported by annual funding of $10 million, with undercover \noperations in eleven FBI field offices--Baltimore, Birmingham, \nCleveland, Dallas, Houston, Las Vegas, Los Angeles, Newark, Phoenix, \nSan Francisco, and Tampa--being worked by task forces that combine the \nresources of the FBI with other federal, state and local law \nenforcement officers from Maryland, Virginia, the District of Columbia, \nAlabama, Ohio, Texas, Nevada, California, New Jersey, Arizona, and \nFlorida. Investigations developed by the National Initiative's \nundercover operations are being conducted by every field office and \ninformation has been referred to foreign law enforcement agencies \nthrough the FBI's Legal Attache Offices.\n    During fiscal year 1999 a total of 1,497 new cases were opened. \nEvery one of these investigations has digital evidence and requires the \nassistance of a CART examiner. Additionally, 188 search warrants and 57 \nconsent searches were executed, and 193 arrests, 125 indictments, 29 \ninformation and 108 convictions were obtained as a result of the \nInnocent Images National Initiative. 
Also in fiscal year 1999, the IINI \nprovided 227 presentations to 17,522 individuals from foreign and \ndomestic law enforcement and government officials, civilian groups, and \nprivate citizens in an effort to raise awareness about child \npornography/child sexual exploitation issues and increase coordination \nbetween federal, state and local law enforcement.\nIntellectual Property Rights/Internet Fraud\n    Intellectual property is the driver of the 21st century American \neconomy. In many ways it has become what America does best. The United \nStates is the leader in the development of creative, technical \nintellectual property. Violations of Intellectual Property Rights, \ntherefore, threaten the very basis of our economy. Of primary concern \nis the development and production of trade secret information. The \nAmerican Society of Industrial Security estimated the potential losses \nat $2 billion per month in 1997. Pirated products threaten public \nsafety in that many are manufactured to inferior or non-existent \nquality standards. A growing percentage of IPR violations now involve \nthe Internet. There are thousands of web sites solely devoted to the \ndistribution of pirated materials. The FBI has recognized, along with \nother federal agencies, that a coordinated effort must be made to \nattack this problem. The FBI, along with the Department of Justice, \nU.S. Customs Service, and other agencies with IPR responsibilities, \nwill be opening an IPR Center this year to enhance our national ability \nto investigate and prosecute IPR crimes through the sharing of \ninformation among agencies.\n    One of the most critical challenges facing the FBI and law \nenforcement in general, is the use of the Internet for criminal \npurposes. Understanding and using the Internet to combat Internet fraud \nis essential for law enforcement. 
The fraud being committed over the \nInternet is the same type of white collar fraud the FBI has \ntraditionally investigated but poses additional concerns and challenges \nbecause of the new environment in which it is located. Internet fraud \nis defined as any fraudulent scheme in which one or more components of \nthe Internet, such as Web sites, chat rooms, and E-mail, play a \nsignificant role in offering nonexistent goods or services to \nconsumers, communicating false or fraudulent representations about the \nschemes to consumers, or transmitting victims' funds, access devices, \nor other items of value to the control of the scheme's perpetrators. \nThe accessibility of such an immense audience, coupled with the \nanonymity of the subject, requires a different approach. The frauds \nrange from simple geometric progression schemes to complex frauds. The \nInternet appears to be a perfect manner to locate victims and provides \nan environment where the victims don't see or speak to the fraud \nperpetrators. Anyone in the privacy of their own home can create a very \npersuasive vehicle for fraud over the Internet. In addition, the \nexpenses associated with the operation of a ``home page'' and the use \nof electronic mail (E-mail) are minimal. Fraud perpetrators do not \nrequire the capital to send out mailers, hire people to respond to the \nmailers, finance and operate toll free numbers, etc. This technology \nhas evolved exponentially over the past few years and will continue to \nevolve at a tremendous rate. By now it is common knowledge that the \nInternet is being used to host criminal behavior. 
The top ten most \nfrequently reported frauds committed on the Internet include Web \nauctions, Internet services, general merchandise, computer equipment/\nsoftware, pyramid schemes, business opportunities/franchises, work at \nhome plans, credit card issuing, prizes/sweepstakes and book sales.\n                 improving fbi cybercrime capabilities\n    The last two years have seen tremendous strides in the development \nof the National Infrastructure Protection Center in both the \nHeadquarters and field program. We have directed our resources into \ndeveloping our prevention, detection, and response capabilities. This \nhas meant recruiting talented personnel from both inside and outside \nthe FBI, training those personnel, and developing investigative, \nanalytic, and outreach programs. Most of these programs had to be \ndeveloped from scratch, either because no program previously existed or \nbecause the program had to be reinvigorated from an earlier FBI \nincarnation.\n    The cyber crime scene is dynamic--it grows, contracts, and can \nchange shape. Determining whether an intrusion is even occurring can \noften be difficult in the cyber world, and usually a determination \ncannot be made until after an investigation is initiated. The \nestablishment of the NIPC has greatly enhanced the FBI's investigative, \nanalytic, and case support capabilities. A few years ago, the NIPC \nwould have been limited in its ability to undertake some of the \nsensitive investigations of computer intrusions that the FBI has \nsupported. While the FBI has been able to develop and maintain its \npresent response capability, the explosive nature of the crime problem \ncontinues to challenge our capacities. While much has been \naccomplished, much remains to be done.\nBuilding Investigative Capacity\n    Trained personnel and resources present the greatest challenges to \nthe FBI critical infrastructure protection mission. 
The FBI must make \nsure that the NIPC and Field Office squads are fully staffed with \ntechnologically competent investigators and analysts. It is also \nessential that these professionals have the state of the art equipment and \nconnectivity they need to conduct their training.\n    To accomplish this, the FBI must identify, recruit, and train \npersonnel who have the technical, analytical, investigative, and \nintelligence skills for engaging in cyber investigations. This includes \npersonnel to provide early warnings of attacks, to read and analyze log \nfiles, write analytic reports and products for the field and the \nprivate sector, and to support other investigations with cyber \ncomponents. With such a configuration of selected personnel skills, the \nFBI will be able to effectively and efficiently investigate cyber \nthreats, allegations, incidents, and violations of the law that target \nand/or impact critical infrastructure facilities, components, and key \nassets. Aggressive recruitment of qualified specialists is critical. \nTargeting the right people and providing hiring and educational \nincentives are good steps in building this professional cadre.\n    Developing and deploying the best equipment in support of the \nmission is very important. Not only do investigators and analysts need \nthe best equipment to conduct investigations in the rapidly evolving \ncyber system but the NIPC must be on the cutting edge of cyber research \nand development. NIPC must not only keep abreast of the criminal \nelement but they must also accurately predict the next generation of \ncriminal activity.\n    In order to support state and local law enforcement efforts, field \noffices will seek to form cybercrime task forces. This should include \nassigning a prosecutor to handle task force cases.\nBuilding Partnerships with Industry and Academia\n    NIPC is founded on the notion of partnership. 
This partnership is \ncritical to ensuring timely information sharing about threats and \nincidents, new technologies, and keeping our capabilities at the \ncutting edge. The FBI, in conjunction with the private sector, has also \ndeveloped an initiative called ``InfraGard'' to expand direct contacts \nwith the private sector infrastructure owners and operators and to \nshare information about cyber intrusions, exploited vulnerabilities, \nand physical infrastructure threats. The initiative encourages the \nexchange of information by government and private sector members \nthrough the formation of local InfraGard chapters within the \njurisdiction of each Field Office. Chapter membership includes \nrepresentatives from the FBI, private industry, other government \nagencies, State and local law enforcement, and the academic community. \nThe initiative provides four basic services to its members: an \nintrusion alert network using encrypted e-mail; a secure website for \ncommunication about suspicious activity or intrusions; local chapter \nactivities; and a help desk for questions. The critical component of \nInfraGard is the ability of industry to provide information on \nintrusions to the local FBI Field Office using secure communications in \nboth a ``sanitized'' and detailed format. The local FBI Field Offices \ncan, if appropriate, use the detailed version to initiate an \ninvestigation; while NIPC Headquarters can analyze that information in \nconjunction with other law enforcement, intelligence, or industry \ninformation to determine if the intrusion is part of a broader attack \non numerous sites. The Center can simultaneously use the sanitized \nversion to inform other members of the intrusion without compromising \nthe confidentiality of the reporting company. 
The secure website will \nalso contain a variety of analytic and warning products that we can \nmake available to the InfraGard community.\n    The NIPC has also developed and is implementing an aggressive \noutreach program. We have briefed a number of key critical \ninfrastructure sector groups including the North American Electric \nReliability Council and business groups such as the U.S. Chamber of \nCommerce. We are also working closely with our international partners.\n    Much attention has been given to the need to create mechanisms for \nsharing information with the private sector. The NIPC has built up a \ntrack record for doing this over the past 2 years with concrete \nresults. Not only has it provided early warnings and vulnerability \nthreat assessments but it has also developed unique detection tools to \nhelp potential victims of DDOS attacks. And contrary to press \nstatements by companies offering security services that private \ncompanies won't share information with law enforcement, private \ncompanies have reported incidents and threats to the NIPC or FBI. The \ncooperation we have received from victims in the recent DDOS attacks is \nonly the most recent example of this. InfraGard will increase this \ncapacity by providing a secure two way mechanism for sharing \ninformation between the government and the private sector.\nDeveloping Forensic and Technical Capabilities\n    As noted above, CART has developed substantial capability to \nexamine computer and network media and storage devices. But the rapid \nchange in technology and the increasing use of computers in criminal \nactivity necessitate the on-going development of better investigative \nand forensic tools and techniques for examiners. We fully expect that \nthe number of cases requiring CART examinations will increase by over \n50 percent in the next few years. In addition, as storage media hold \nmore information, each individual examination will require more effort. 
\nTo even attempt to keep pace with these developments, we will need to \nincrease our personnel base in CART. For fiscal year 2001, funding is \nproposed to add 100 new CART examiners.\n    In addition, in order for our ACES program to remain able to \nprovide comprehensive analysis of computer files, it needs to be \ncontinuously updated. After all, how many iterations of \nWindows(R), Microsoft Office(R), and other software and \noperating systems have we seen just in the last two years? We need to \nensure that ACES can perform its function. The fiscal year 2001 budget \nincludes $2,800,000 for the ACES program.\n    Improving our technical capabilities to access plaintext \ncommunications is a critical challenge to the FBI. The ultimate \nobjective is to provide field investigators with an integrated suite of \nautomated data collection systems, operating in a low-cost and readily \navailable personal computer environment, which will be capable of \nidentifying, intercepting and collecting targeted data of interest from \na broad spectrum of data telecommunications transmissions mediums and \nnetworks. Substantial resource enhancements are required to progress \ndevelopment from current ad hoc, tactical data intercept systems to \nintegrated modular systems, providing the field investigators with \nincreased flexibility, simplicity and reliability and to enhance \ntraining programs to enable field Technically Trained Agents and \nInvestigators to install and operate this complex equipment. The most \ntechnically complex component of electronic surveillance has been and \nalways will be the deciphering of encrypted signals and data. In the \npast few years, growth in electronic communications and the public \ndemand for security have increased the number of investigations which \nencounter encrypted signals and data. 
With the convergence of digital \ntechnologies in the very near future, all electronic communications \nconducted using computers, the Internet, wireless and other forms of \ncommunications, will inherently incorporate and apply data security \n(i.e. encryption). The ability to gather evidence from FBI electronic \nsurveillance and seized electronic data will significantly depend upon \nthe development of and deployment of signal analysis and decryption \ncapabilities. Funding enhancements are requested to step toward the \nfulfillment of a strategic plan to ensure that collected signals, data \nand evidence can be intercepted, interpreted and made usable in the \nprosecution of crimes and the detection of national security offenses. \nFailure to strategically prepare for the impending global changes in data \nand voice telecommunications, information security, and the volumes of \nencrypted information collected by law enforcement pursuant to lawful \ncourt orders, will ensure that critical information and evidence will \nbe unintelligible and unusable in future investigations.\n    We are urgently trying to develop our capabilities in this area \nthrough the acquisition of hardware and software tools, technologies \nand systems, and support services to work on a variety of research \nprojects to meet this problem. 
Last September, the Administration \nannounced a ``New Approach to Encryption'' which included significant \nchanges to the nation's encryption export policies and recommended \npublic safety enhancement to ensure ``that law enforcement has the \nlegal tools, personnel, and equipment necessary to investigate crime in \nan encrypted world.''\n    Specifically, on September 16, 1999, the President, on behalf of \nlaw enforcement, transmitted to Congress the ``Cyberspace Electronic \nSecurity Act of 1999'' which would: ensure that law enforcement \nmaintains its ability to access decryption information stored with \nthird parties, while protecting such information from inappropriate \nrelease; protect sensitive investigative techniques and industry trade \nsecrets from unnecessary disclosure in litigation or criminal trials \ninvolving encryption, consistent with fully protecting defendants' \nrights to a fair trial; and authorize $80 million over four years for \nthe FBI's Technical Support Center (TSC), which serves as a centralized \ntechnical resource for federal, state and local law enforcement in \nresponding to the increased use of encryption in criminal cases. The \nTSC is an expansion of the FBI's Engineering Research capabilities that \nwill take advantage of existing institutional and technical expertise \nin this area. As indicated earlier, the fiscal year 2001 budget \nproposes an increase of $7,000,000 for the FBI's counterencryption \nprogram. We urge Congress to support us in these endeavors.\n    The law enforcement community relies on lawfully-authorized \nelectronic surveillance as an essential tool for the investigation, \ndisruption, and prevention of serious and violent offenses. \nTechnological advances have taken a serious toll on law enforcement's \nability to protect the public through the use of lawfully-authorized \nelectronic surveillance. 
The Communications Assistance for Law \nEnforcement Act (CALEA) was passed so that the telecommunications \nindustry would pro-actively address law enforcement's need and \nauthority to conduct lawfully-authorized electronic surveillance as a \nbasic element in providing service. CALEA clarifies and further defines \nexisting statutory obligations of the telecommunications industry to \nassist law enforcement in executing lawfully-authorized electronic \nsurveillance.\n    The FBI developed a flexible deployment strategy to minimize the \ncosts and the operational impact of installation of CALEA-compliant \nsoftware on telecommunications carriers. This strategy supports the \ncarriers' deployment of CALEA-compliant solutions in accordance with \ntheir normal business cycles when this deployment will not delay \nimplementation of CALEA solutions in high-priority areas. The carriers \nwill provide projected CALEA-deployment schedules for all switches in \ntheir network and information pertaining to recent lawfully authorized \nelectronic surveillance activity. Using this information, the FBI and \nthe carrier will develop a mutually agreeable deployment schedule. The \nFBI provided the carriers with the Flexible Deployment Assistance Guide \nto facilitate the carrier's submission of information.\n    The FBI is negotiating with telecommunications carriers and \nmanufacturers of telecommunications equipment for nationwide Right-to-\nUse (RTU) licenses to facilitate the availability of CALEA-compliant \nsoftware to carriers. Also, the FBI is establishing a regional, \nnationwide law enforcement liaison program. 
This team will facilitate \ndeveloping consensus law enforcement electronic surveillance \nrequirements for all telecommunications technologies and services \nrequired to comply with CALEA; educate and inform Congress and the \nFederal Communications Commission (FCC) to ensure law enforcement's \nability to conduct court-authorized electronic surveillance is not \ncompromised on any telecommunications technology or service required to \ncomply with CALEA; identify, publish, and ensure deployment of capacity \nrequirements in accordance with Section 104 of CALEA; and develop a \nprioritized plan for the effective deployment and tracking of CALEA \nsolutions.\n    The FBI needs to conduct testing and verification of manufacturer-\nproposed CALEA technical solutions and to have the subject matter \nexpertise necessary to address new technologies that must comply with \nCALEA. Without these capabilities, the FBI will be unable to conduct \ntesting and verification of manufacturer-proposed CALEA technical \nsolutions and complete the nationwide RTU license agreements. The \nfiscal year 2001 budget proposes a total of $240,000,000 for CALEA RTU \nlicense agreements, including $120,000,000 under the Telecommunications \nCarrier Compliance Fund and $120,000,000 under the Department of \nDefense. Additionally, $2,100,000 is requested to support the FBI's \nCALEA program management office.\n                               conclusion\n    Computer crime is one of the most dynamic problems the FBI faces \ntoday. Just think about how many computers you have owned and how many \ndifferent software packages you have learned over the past several \nyears and you can only begin to appreciate the scope of the problem we \nare dealing with in the fast changing area. We need to budget for and \ntrain on technology that often has not even been invented when we begin \nthe budget cycle some 18 months prior to the beginning of the fiscal \nyear. 
I am proud of the progress that we have made in dealing with this \nproblem. What I have tried to do here today is give you a flavor of \nwhat we are facing. I am confident that once the scope of the problem \nis clear, we can work together to develop the capabilities to meet the \ncomputer crime problem, in all its facets, head on. Our economy and \npublic safety depend on it.\n\n    Senator Gregg. Thank you, Director. That was a very \ncomprehensive summary of what you are doing and actually it \nsounded to me like a pretty good outline of a 5-year plan, \nwhich the Attorney General had mentioned earlier, or at least a \nbase off of which to begin a 5-year plan.\nSTATEMENT OF HON. WILLIAM A. REINSCH, UNDER SECRETARY \n            OF COMMERCE, EXPORT ADMINISTRATION, \n            DEPARTMENT OF COMMERCE\n    Senator Gregg. Secretary Reinsch, I did not know if you \nwanted to throw in some comments here. We have a bit of a time \nissue, but please.\n    Mr. Reinsch. I have only three, Mr. Chairman, and I \nappreciate the courtesy. Let me say first that Secretary Daley \nvery much appreciated your invitation to appear. He regrets he \ncannot be here. He is leading a business delegation to Latin \nAmerica. He flew back from Brazil Monday night for the White \nHouse meeting on this subject yesterday morning and then he \nflew back to Argentina last night to rejoin the delegation. If \nnothing else, he is racking up frequent flier miles, and he \napologizes for not being able to be with you. I think his \npresence yesterday indicates how important he felt this issue \nis.\n    Second, I did submit a statement for the record. I will not \nattempt to deliver it. I would like to excerpt from one \nparagraph of it, if I may, Mr. Chairman.\n    Senator Gregg. Please.\n    Mr. Reinsch. And that is the following, and it responds to, \nalludes to a point that you made. 
I want to make clear that \nwhile the Federal Government's responsibility in the critical \ninfrastructure area is clear with respect to the commission of \ncrimes, that is only part of the equation. With respect to \nprevention and the development of more comprehensive security \nmeasures, the government can best play a supporting role. The \ninfrastructure at risk is owned and operated by the private \nsector. Inevitably, it will be they who must work together to \ntake the steps necessary to protect themselves.\n    The government can help. We can identify problems and \npublicize them. We can encourage planning, promote research and \ndevelopment, convene meetings. In short, we can act as a \ncatalyst, and that is precisely the role that the Commerce \nDepartment is playing in several ways. One, through the \nCritical Infrastructure Assurance Office's coordination of the \ndevelopment of a national plan, which the President released \nthe first version of last month. Most recently through the \nconvening of the Partnership for Critical Infrastructure \nSecurity, which I can comment on later if you are interested, \nwhich kicked off in New York in December, the next meeting of \nwhich will be next week. We already have some 180 people signed \nup to attend, so we are optimistic it is going to be a \nsignificant event in terms of developing a better means for \ncompanies to talk with each other about these problems.\n    Third, and finally, Mr. Chairman, I would be derelict in my \nduty and would be chastised by my superiors if I did not make a \npitch for the money since I am in the appropriate forum to do \nthat. I am sure it will be no surprise to you that we believe \nthat we need and deserve every penny we have asked for, and we \nwill be happy to provide support for that at the appropriate \ntime. 
I am sure the Secretary will want to say something about \nthat when he appears before you I believe either later this \nmonth or early next month.\n    I would just note in passing that the President's total \nbudget in the critical infrastructure area projects a 15 \npercent increase across all the different functions including \nthose that the Attorney General and the Director talked about. \nThis is, in our judgment, an area where there is no one-size-\nfits-all solution. And that is reflected in the plan. It is \nreflected in the different activities by different agencies. It \nis also reflected in the budget request. Most of the money goes \nto the national security and law enforcement agencies, as it \nshould.\n    A number of the other activities respond to some of the \npoints you made, Mr. Chairman, and some of the things that you \nwill be reading about in the papers in the future are handled \nelsewhere. For example, the Federal Cyber Services Training and \nEducation Initiative which deals with precisely the problem you \nraised of the Federal Government's difficulty in obtaining and \nretaining skilled people is a program that is going to be \nhandled through OPM and the National Science Foundation.\n    Other things like FIDNET, the Expert Review Teams, Public \nKey Infrastructure pilot programs; and R&D are handled partly \nthrough a variety of civilian entities or agencies, the most \nnotable of which in terms of new requests is the request for \nNIST's Institute for Information Infrastructure Protection, or \nI\\3\\P, which will finance longer-term research on the part of \nprivate sector universities and private sector actors for \nsolutions to these problems. The President's budget includes \nnot only 2001 request but a $9 million supplemental request for \nfiscal year 2000 to try to jumpstart some of the programs I \njust alluded to. And with that, Mr. 
Chairman, I appreciate your \ntime, and I would be happy to join in the questioning if you \nwish.\n    [The statement follows:]\n                Prepared Statement of William A. Reinsch\n    Mr. Chairman, I welcome this opportunity to appear before you to \ndiscuss the Federal government's efforts to protect the nation's \ncritical infrastructures.\n    Inter-dependent computer networks are an integral part of doing \nbusiness in the Information Age. America is increasingly dependent upon \ncomputer networks for essential services, such as banking and finance, \nemergency services, delivery of water, electricity and gas, \ntransportation, and voice and data communications. New ways of doing \nbusiness in the 21st century are rapidly evolving. Business is \nincreasingly relying on E-commerce for its commercial transactions. At \nthe same time, recent hacking attempts at some of the most popular \ncommercial Web sites underscore that America's information \ninfrastructure is an attractive target for deliberate attack or \nsabotage. These attacks can originate from a host of sources, such as \nterrorists, criminals, hostile nations, or the equivalent of car thief \n``joyriders.'' Regardless of the source, however, the potential for \ncyber damage to our national security and economy is evident.\n    Protecting our critical infrastructures requires that we draw on \nvarious assets of the government. When specific incidents or cyber \nevents occur, the government needs a capacity to issue warnings, \ninvestigate the incident, and develop a case to punish the offenders. \nThe National Information Protection Center at the FBI is organized to \ndeal with such events as they occur.\n    Over the long term, the government also has a duty to be proactive \nto ensure that our computer systems are protected from attack. Critical \ninfrastructure protection involves assets of both the government and \nthe private sector. 
A number of agencies have responsibilities with \nrespect to government computer systems. The Department of Defense is \nwell on its way to securing its critical systems, and the Office of \nManagement and Budget (OMB) and the National Institute of Standards and \nTechnology at the Department of Commerce (NIST) have responsibility for \ninformation resources management of computer systems in Federal \nagencies.\n    I want to make clear that while the Federal government's \nresponsibility in this area is clear with respect to the commission of \ncrimes, that is only part of the equation. With respect to prevention \nand the development of more comprehensive security measures, the \ngovernment can best play a supporting role. The infrastructure at risk \nis owned and operated by the private sector. Inevitably, it will be \nthey who must work together to take the steps necessary to protect \nthemselves. We can help. We can identify problems and publicize them, \nencourage planning, promote research and development, convene meetings. \nIn short, we can act as a catalyst. That is precisely the role the \nCommerce Department is playing in several ways.\n    The Commerce Department, through its Critical Infrastructure \nAssurance Office (CIAO), coordinated the development of the National \nPlan for Information Systems Protection. President Clinton announced \nthe release of Version 1.0 of the Plan on January 7.\n    Another active area is the creation of the Partnership for Critical \nInfrastructure Security. The Partnership is a collaborative effort \nbetween industry and government. This undertaking brings \nrepresentatives of the infrastructure sectors together in a dialogue \nwith other stakeholders, including the risk management and investment \ncommunities, mainstream businesses, and state and local governments. It \ncomplements the NIPC's focus on cyber-terrorism by encouraging industry \nto collaborate on information security issues. 
Secretary Daley and I \nmet with senior members of Partnership companies in December in New \nYork. We will meet again next week in Washington, D.C., with senior \nmembers of the Partnership companies in order to encourage business \nleaders to adopt information security as an important business \npractice.\n    CIAO also is assisting Federal agencies in conducting analyses of \ntheir own dependencies on critical infrastructures. CIAO has just \nfinished an ambitious pilot program that identifies the critical assets \nof the Commerce Department and maps out dependencies on governmental \nand private sector infrastructures. This program will provide important \ninput to managers and security officials as they seek to assure their \ncritical assets against cyber attacks.\n    President Clinton has increased funding for critical infrastructure \nsubstantially over the past three years, including a 15 percent \nincrease in his fiscal year 2001 budget to $2.01 billion. He has also \ndeveloped and funded new initiatives to defend the nation's systems \nfrom cyber attack.\n    The Clinton Administration has developed and provided full or pilot \nfunding for the following key initiatives designed to protect our \ncomputer systems:\n  --Establishing a permanent Expert Review Team (ERT) at NIST that will \n        help agencies conduct vulnerability analyses and develop \n        critical infrastructure protection plans. ($5 million).\n  --Funding seven Public Key Infrastructure model pilot programs in \n        fiscal year 2001 at different Federal agencies. ($7 million).\n  --Designing a Federal Intrusion Detection Network (FIDNET) to protect \n        vital systems in Federal civilian agencies, and in ensuring the \n        rapid implementation of system ``patches'' for known software \n        defects. ($10 million).\n  --Developing Federal R&D Efforts. R&D investments in computer \n        security will grow by 31 percent in the fiscal year 2001 \n        budget. 
($606 million).\n  --Establishing an Institute for Information Infrastructure \n        Protection. Building on a Science Advisory Panel \n        recommendation, the Institute is designed to fill gaps in both \n        government and private sector cyber-security R&D. ($50 \n        million).\n  --National Infrastructure Assurance Council (NIAC). The President \n        signed an Executive order creating this Advisory Council last \n        year. Its members are now being recruited from senior ranks of \n        the information technology industry, key sectors of the \n        corporate economy, and academia.\n    In addition, the President announced a number of new initiatives \ndesigned to support efforts for enhancing computer security, including \na $9 million fiscal year 2000 budget supplemental to jump-start key \nelements of next year's budget. Among these was funding for NIST to \ncreate the Institute for Information Infrastructure Protection (I\\3\\P).\n    Yesterday Secretary Daley met with the President and 25 senior \nexecutives concerned about the recent disruptions to the Internet. This \nmeeting reinforced the need for further cooperation between government \nand industry to help the private sector develop its action agenda for \ncyber security. The incidents of the past week are not cause for \npushing the panic button, but they are a wake up call for action. As \nthe President said, ``I think there is a way that we can clearly \npromote security.'' The President has submitted a budget proposal that \nfunds a number of initiatives that address critical information systems \nprotection. If we are to reap the benefits of the Information Age, we \nneed to take action to maintain a secure business environment in order \nto ensure both our national security and the growth of our economy.\n\n              additional statutory authority requirements\n\n    Senator Gregg. Thank you. Yes, absolutely. 
Let us begin \nwith some simple issues so we can sort of lay the groundwork \nhere. Madam Attorney General or Director Freeh, do you believe \nthere is any additional statutory authority in order to pursue \nthe crimes that we are seeing?\n    Ms. Reno. We are going to consider additional tools to \nlocate and identify the criminals. For example, we may need to \nstrengthen the Computer Fraud and Abuse Act by closing the \nloophole that allows computer hackers who have caused a large \namount of damage to a network of computers to escape punishment \nif no individual computer sustained over $5,000 worth of \ndamage. I think that is important.\n    We may also need to update our trap and trace laws under \nwhich we are able to identify the origin and destination of \ntelephone calls and computer messages. Under current law, in \nsome instances, we must obtain court orders in multiple \njurisdictions to trace a single communication. It might be \nextremely helpful, for instance, to provide a nationwide effect \nfor trap and trace orders. We must also ensure that, in \nupgrading our computer crime fighting laws, appropriate privacy \nsafeguards are maintained and wherever possible strengthened. \nFor example, recent investigations have revealed serious \nviolations of privacy by hackers who have obtained individuals' \npersonal data such as credit cards and passwords. An increase \nin the penalty for violations of invasions into private stored \ncommunications may be appropriate. We would like to develop a \nthoughtful and effective package in working with your staff.\n    Senator Gregg. Director Freeh, do you have any further \nthoughts on that?\n    Mr. Freeh. The only thing I would add to that, and I think \nit is an issue that we are exploring, is whether some of this \nactivity which is beyond a single episode of fraud or hacking, \nyou know, gets into the realm of enterprise criminal activity. 
\nIn other words, whether somebody or a group of people doing \nthis is engaging in a criminal enterprise which, of course, \nwould bring it under the racketeering statutes with much more \nsubstantial penalties than all these current predicate \nstatutes. I do not think most of the statutes that are \nordinarily employed are actually RICO predicates. I think it is \nan area that needs a lot of research and thought, but if you \nare talking about an international group of people that is \nengaging in activity with billions of dollars of potential loss \nand affecting millions of people, I am not so sure that should \nnot be in the realm of much more serious coverage.\n    Senator Gregg. So you are saying we should apply RICO, \npotentially apply the RICO portion of the mechanism to these \ntypes of events?\n    Mr. Freeh. I think we should consider that and look at all \nthe other forfeiture provisions that would obtain under that \nstatute both criminally and civilly for people who are found to \nbe doing this.\n    Senator Gregg. Can we expect to get a package then of \nsuggestions in this area?\n    Ms. Reno. We are working to put together a package and I \nthink you can anticipate that.\n\n             private sector versus federal government role\n\n    Senator Gregg. That would be very helpful. The second \nthreshold issue is this question of balancing the privacy \nversus the role of the government in the commercial activity. I \nknow you have both alluded to this, and Secretary Reinsch made \na very specific statement on this. Where do we cross the line? \nHow far should the Government go, and what are the risks of \ninterfering with the energy and the freedom of the Internet by \nhaving Government involvement in trying to discipline--\ndiscipline is the wrong term--in trying to pursue criminals who \nhack these sites?\n    Ms. Reno. 
I think that with respect to prevention, much can \nbe done by the private sector with, as I suggested, the law \nenforcement agencies providing suggestions, thoughts and \ndiscussion as to what our experience in terms of the \ninvestigation of actual crime in this area has produced. That \nwould indicate what steps could have been taken to have \nprevented it. But I do not think we should interrupt the energy \nof the Internet by doing it top down and suggesting that \nmandates and directives be imposed on the private sector. I \nthink we can do so much if we build a partnership that is based \non mutual respect and on our experience.\n    With respect to law enforcement investigations, I think we \nhave got to be as measured with law enforcement investigations \nin the area of cybercrime as we are with respect to any other \ncrime. We must use the Attorney General's guidelines in a \nthoughtful, effective manner to ensure wherever we can \nappropriate privacy and that steps be taken to ensure \nenforcement of all Department procedures directed at ensuring \nprivacy.\n    Senator Gregg. Anybody else want to comment on that general \nphilosophical issue?\n    Mr. Reinsch. If I may, Mr. Chairman, I think the clearest \npoint, of course, is when there is an attack or an imminent \ncredible threat of an attack, when something is a crime or is \nabout to be a crime. I think what you find is it certainly is \nappropriate for law enforcement to be directly and intimately \ninvolved at that point, and I think you find most private \nparties being very interested in their involvement at that \npoint because of the clarity of the situation. Your question \nbecomes more difficult when you are talking about days, weeks, \nmonths in advance of that situation.\n    And that creates a much more complicated situation. 
I think \nthe Attorney General's comment is right on target and in \nparticular the phrase she used, ``building partnerships'', is \nprobably the best way to do this. That is mutual confidence. \nThere is, in fact, a spectrum of opinion in the private sector \non this as you would expect on everything. Some people, \nsometimes people who have an economic stake in these situations \nare a little less interested in privacy because they are \ninterested in the economics. There are other people at the \nother end of the spectrum who will not cooperate with anybody \nin the Federal Government under any circumstances even if a \ncrime were being committed because that is their philosophy and \nthat is a problem that, you know, we have to deal with.\n    I think trying to narrow the extremes of that spectrum and \nbuild a critical mass of cooperation in the middle, which is \nwhat we ought to be striving for, really depends on exactly \nwhat the Attorney General said: creating structures that build \nmutual confidence, creating structures in which we--I think the \ncivilian side of the government, if you will, law enforcement \nif you will--and the private sector all participate and can \nshare information in an atmosphere of mutual confidence. We \nhave to do that in a variety of different ways. I do not think \nthere is one institution or one mechanism that is going to meet \nthe needs of everybody in that situation, but I think that she \nis exactly right. That is the way to go about it.\n\n                  coordination among federal agencies\n\n    Senator Gregg. On the issue of coordination, it seems to me \nthat we are dealing with a couple, a variety of different \nlevels here, and let me see if I am adequately summarizing it, \nand please tell me if I am not. I want to get your comments on \nit. We have the terrorist event, and we have a variety of \ndifferent agencies that are addressing the terrorist event. 
We \nhave the commercial event and then we have the issue of putting \nforward a cooperative effort with the private sector in order \nto give the private sector tools that we may have developed \nwithin the government or which our expertise within the \ngovernment is able to develop or which we are paying for to be \ndeveloped and making those generally available to the public.\n    These different levels of activity seem to be functioning \nin various agencies without necessarily the coordination that \nwe might want to see so that there is an overlap. My question \nis, is that a correct summary of what the different efforts \nare; and is there, in your sense, adequate coordination between \nCommerce, Justice, within Justice, between FBI and Justice, \nCIA, DARPA, NIST within Commerce, and the National Security \nCouncil which has decided to put its rather large foot into \nthis issue?\n    First, are we working together on the terrorism issue? \nSecond, are we working together on the commercial side? And \nthird, are we working together on the issue of getting out \ninformation capacity to the private sector in a partnership \nway?\n    Mr. Freeh. Starting with the terrorism issue, I think the \nresults are very, very good. Again, these coordinating efforts \nare probably only about 5 years old, which in the life of \nGovernment agencies is not a great deal of time. But over the \nlast 5 years, the ability to coordinate investigations of \nactive terrorism as well as responding to them I think has been \nsteadily improving to the point where I believe it is very \nsufficient. Again, our getting back----\n    Senator Gregg. And is the FBI the lead agency on that \nwithin the Government?\n    Mr. Freeh. 
Yes, the FBI is the lead agency with respect to \ncounterterrorism, law enforcement, prevention, protection both \nwithin the United States or overseas on behalf of the Federal \nGovernment.\n    [The information follows:]\n\n                         FBI Lead Agency Roles\n\n    Under Presidential Decision Directive (PDD) 39, the \nDepartment of Justice, through the FBI, is designated lead \nresponsibility for the operational response to terrorist \nincidents that take place within U.S. territory. PDD-39 also \nconfers upon the Department of State, through U.S. Ambassadors, \nlead responsibility for serving as the on-scene coordinator for \nthe response of the U.S. Government to international terrorist \nincidents that take place outside of U.S. territory, except \nwhen the exercise of military force is directed. In those \ninstances, the Department of Defense is the lead agency until \nsuch time as the use of military force is terminated. The \nFederal Aviation Administration has lead responsibility for \ncoordinating any law enforcement activity affecting the safety \nof persons aboard an aircraft during acts of air piracy. The \norder also reaffirms the FBI lead responsibility for \ninvestigating terrorist acts that are planned or carried out by \neither foreign or domestic terrorists in the United States or \nwhich are carried out by terrorists against United States \ncitizens or institutions outside the territorial United States.\n\n                    Coordination of Law Enforcement\n\n    Mr. Freeh. The events over the millennium period I think \nwere the template of how that is supposed to work. The FBI \noperations center, which you supported, was up and running 24 \nhours a day for several weeks. We had representatives of every \nsingle Federal agency there, including all the security \nagencies. We were on-line in real-time with our foreign and \nState and local partners. Leads were covered. 
An investigation \nwas conducted in extremely fast-moving circumstances 24 hours a \nday and it worked. It worked to the sense that there were no \nmajor breakdowns. There were some things we learned that we \ncould improve and will improve upon. But the coordination, the \nadvice and updates to both the NSC and the congressional \ncommittees was ongoing and effective.\n    We do not think we lost anything between the cracks during \nthat very critical period with a case of momentous \nsignificance. We are not doing as well in the cybercrime and \ncyber-terror area only because this is a new challenge and the \nstructures that are responsible for that coordination are new. \nThe NIPC, which we mentioned, has multi-agency representation, \nprivate sector representation, but we are really just beginning \nthis process. There are a lot of things, both on the NSC level \nas well as the interagency level, that need to be improved \nupon--new coordinating groups, structures, resources. But the \ngood news is we are well on our way to doing that, and if we \nuse the counterterrorism case as a model, we have been \nextremely successful in that area.\n    Senator Gregg. What are we doing? I mean is there a task \nforce, an interagency task force that is presently functioning \nthat is trying to work up the turf issues on this?\n\n             national information protection center [nipc]\n\n    Mr. Freeh. On the operational level, yes. There is the \nNIPC. Those are the people who are coordinating and doing the \ninvestigations, representing all the various agencies. On the \npolicy level, as you said, you have new initiatives and new \nplayers and that is an area that needs to be improved.\n\n                 role of the national security council\n\n    Senator Gregg. What is the NSC's role as far as you are \nconcerned relative to this exercise, and how constructive is \nit?\n    Ms. Reno. I would describe it this way. 
Law enforcement is \npursuing its law enforcement coordination responsibilities \nthrough the NIPC. I think Secretary Reinsch would point out \nthat there are separate issues that go to coordination with \nrespect to industry in terms of what can be done to prevent the \nproblem in the first place. As bankers groups have banking \nassociations that address bank security issues, so that is \nbeing done and the Commerce Department, I think, is involved in \nthat effort. The NSC is looking at it through its coordinating \nfunction and the President announced the first version of the \nNational Plan for Information Systems Protection last month. It \nis an invitation to dialogue with industry, with Congress and \nothers. It was drafted by an interagency group and attorneys \nfrom the Justice Department and the FBI participated. It \ncontains a number of proposals for protecting critical \ninfrastructures that are contained in the 2001 budget request, \nfor instance, a cyberservices training and education \ninitiative.\n    Secretary Reinsch can talk a little bit more about the non-\nlaw enforcement side, but for something that is so new, \nsomething that is developing, I think the coordination is good. \nIt can always improve.\n    Mr. Reinsch. If I may, Mr. Chairman, I think the Attorney \nGeneral's comments were exactly on target, particularly the \nlast one, which is the same one that Director Freeh made, which \nI would also echo. This is essentially a start-up, and start-\nups are always a little rough around the edges, and you should \nexpect this one to be a little rough around the edges. It is no \ndifferent from any other start-up.\n    These things are gradually being sorted out. It takes time. \nSometimes it takes episodes like this to get the line straight. \nWhere the lines are straightest is probably in the event \ncategory of the three categories you described: the terrorist \nevent or the cyber hacker event. 
Those are areas where law \nenforcement really has the lead, and I do not have anything to \nsay about how that operates.\n    The area that is more complicated is what you might \ncategorize as the pre-event situation, which was your third \nscenario. What are we doing to build confidence? What are we \ndoing to create structures that will operate and exist outside \nof specific attacks and try to create tools or best practices, \nif you will, that will make it harder for those attacks to \noccur in the first place? There you have the best example of \nwhat I said earlier about no one-size-fits-all solution.\n    There are a number of different parties who participate in \nthat exercise and certainly law enforcement does participate \nand should participate and we encourage--we, the Commerce \nDepartment, encourage private parties to deal with law \nenforcement in exactly the way that Director Freeh has \ndescribed. Our experience suggests, however, that not all of \nthem are prepared to do that in exactly the way that he would \nlike. And that is why we have focused on the development of \nsome other devices or some other means of sharing information \nbut focusing more on sharing information amongst the private \nparties themselves, trying to get people in the private sector \nto take leadership and take ownership of these issues, to speak \nfor their sector.\n    I think the banking and financial sector probably for \nobvious reasons has been the lead in doing this and has set up \na very effective ISAC, Information Sharing and Analysis Center. \nThe different departments, Energy, Transportation, Commerce, et \ncetera, have plans in various stages of development to \nencourage the same thing for their sectors. What this does is \nput the people inside the U.S. 
Government that have functional \nexpertise, if you will, in touch with the people that they \nalready know anyway because they regulate them in other fora, \nor they work with them on a regular basis with respect to other \nprogrammatic activities.\n    In the case of the Commerce Department, we are doing this \nfor information and telecommunications, and NTIA is doing that. \nWe think this is a process that is going to take off. We see \nsigns that the private sector, again, to a different extent in \ndifferent sectors, is understanding the need for joint \nactivities and cooperation amongst themselves, not necessarily \ninvolving us.\n    Events like that of 2 weeks ago frankly are wake-up calls \nto these companies to get busy, and that is happening, and I \nthink what you will see over time is the development of private \nstructures that will end up doing several things: promoting \nbest practices, tools and information amongst themselves, and \ndisseminating those things amongst themselves, and in the \nprocess building confidence in their relationship with the \ngovernment so that people that are now nervous about interfacing \ndirectly with law enforcement will not be nervous in the \nfuture. That is the point that we are trying to get to, but I \nwould not say that we are entirely there yet and I think, you \nknow, the getting there is going to be a little bit two steps \nforward, one step backward from time to time.\n\n                critical infrastructure assurance office\n\n    Senator Gregg. That is a good explanation by all of you on \nthis point, but let me follow up with some specifics. The \nCommerce Department, as I understand it, has got a Critical \nInfrastructure Assurance Office; it has this Institute for \nInformation Infrastructure Protection, which is the NIST \noffice, the I\\3\\P you are calling it.\n    Mr. Reinsch. That is proposed.\n    Senator Gregg. And the new proposal from the President \nwhich is COMNIC. What was that?\n    Mr. 
Reinsch. That has not been proposed. And I believe that \nit will not be proposed. You have been reading the Wall Street \nJournal, and they were wrong, Mr. Chairman.\n    Senator Gregg. That will come as a shock to them, but OK.\n    Mr. Reinsch. It came as a shock to me because I talked to \nthat reporter and did not talk about that, but that is not a \nproposal.\n    Senator Gregg. Well, I guess my question is, what do you \nhave up and running at the Commerce Department right now which \ndeals with this issue and what is their portfolio?\n    Mr. Reinsch. Several things. First of all, as you noted, \nthe Critical Infrastructure Assurance Office, the CIAO, if you \nwill, is the staff coordinating agency for many of these \nactivities. It is administratively in the Commerce Department. \nIt staffs us. It does a lot of the work with us. One of its \npeople is sitting right behind me ready to catch me when I \nfall. It also supports the National Security Council's work in \nthis area as well. And I did not--if I can digress just a \nsecond--I did not respond and should have to your previous \nquestion about the role of the NSC, which I know is something \nthat has concerned you. On that I would just say that the NSC \nwith the CIAO's help has really played the role of, first of \nall, of staffing the President on the issue, which is not an \ninsignificant issue because the President is very interested in \nthis. Second, an idea generator. Not all of them have flown, \nbut some of them have. The Cyber Services idea came from the \nNSC.\n    These things do not just happen because somebody in the NSC \nthinks they are a good idea. They get circulated out to \nagencies. People comment. They get massaged, but the NSC has \nbeen a good idea generator and has been a good coordinator of a \nlot of the activity in the pre-event phase that I described. So \nthat is the NSC.\n    To go back to Commerce, there is the CIAO. 
NIST has a long-\nstanding relationship with NSA that goes back a number of years \nin the cybersecurity area in terms of developing standards \nwhich is what NIST's primary activity is in this area, \nalgorithms, encryption standards, for example. That is a long-\nstanding exercise of theirs.\n\n          institute for information infrastructure protection\n\n    They have had a modest increment of R&D funding this year \nfor these related functions, and I have to defer to Ray Kammer \nto tell you exactly what is going on there. The significant \nresearch increment is, as you mentioned, or would be if you \napproved it, the I\\3\\P, the Institute for Information \nInfrastructure Protection, which although located at NIST is \nessentially going to be a virtual institution in the sense that \nNIST is not going to do the research. NIST is going to use the \nmoney, in this case the request is $50 million, for grants to \nprivate parties including universities for research into \nlonger-term solutions of this problem.\n    Senator Gregg. If we can stop there, how do you expect that \nto interface with already existing research projects such as \nthe Carnegie Mellon CERT team; the Thayer School which was \nreferred to; and the Oklahoma school which is specifically \ndoing research right now on technologies and ways to respond to \ncounterterrorism?\n    Mr. Reinsch. Well, I think the answer is different \ndepending on the institution. With respect to CERT and \norganizations like CERT, I do not see an overlap because CERT \nis really focusing more on short-term, you know, intervention \nand response, developing tools to deal with situations as they \ncome up. CERT has an active, ongoing relationship with a lot of \npeople in the private sector to do that, and it has been very \neffective. CERT is not the only CERT. There are other ones as \nwell.\n    What we are talking about here is sort of looking at this \nissue, developing longer-term tools. 
Now, in that case, I think \ncertainly there are other activities going on already including \nat some of the institutions you alluded to. In this case, this \nwould be a supplement. I think there is room for more activity.\n    Senator Gregg. Is it going to be coordinated though?\n    Mr. Reinsch. To the extent that there is Federal \ninvolvement, yes. Under PDD-63, the President's Science \nAdviser, the head of the Office of Science Technology Policy, \nis charged with coordinating Federal R&D, and he would be in \ncharge of coordinating this piece of that as well. Now if a \nuniversity is not interested in Federal funding and wants to do \nsomething on its own, that would be a different matter.\n    Senator Gregg. My concern is that this new institute, \nI\\3\\P, appears to be coming forward with a portfolio that is \nalready being served in part by institutes that were created by \nother functions of government, such as the Attorney General's \noffice, the FBI or in some instances, State and CIA. We will \njust have to wait and see how it is drafted, but we will want \nto get into that in more depth. I recognize it is a new \ninitiative.\n    Mr. Reinsch. If I may, one more thing, Mr. Chairman. This \ngrew directly out of a recommendation from PCAST, the \nPresident's Committee of Advisors on Science and Technology. It \nwas a private sector group of scientists that recommended to \nthe President that he do this. Their actual recommendation \nproposed something larger than what we have proposed. Their \nbelief was that while there is private activity in this area \nright now, there are gaps in it, and it is appropriate for the \nFederal Government to try to, first of all, inventory what is \ngoing on and then to try to come up with a modest amount of \nmoney to fill the gaps.\n    Senator Gregg. I do not doubt that that is absolutely true. 
\nI think my concern is, if we already have law enforcement \naggressively financing some of this, we ought to make sure that \nthere is coordination between research which is already being \ndone and paid for by the Federal Government for law enforcement \npurposes that overlaps distinctly research which would come out \nof this NIST initiative. I am sure it will be a good initiative \nbecause NIST is a superb organization, in my opinion.\n\n            law enforcement outreach to e-commerce industry\n\n    Madam Attorney General, where do we stand in your opinion \nin the effort to do outreach to the e-commerce industry? Do you \nfeel comfortable that they are comfortable with you and with \nthe FBI or do we need more work? We have another panel after \nyou to second-guess you on this one.\n    Ms. Reno. I think they are getting comfortable and I think \nthat many of them are. It is exciting to hear representatives \nof industry, of banks and others talk about how they have had \nan opportunity to work with the FBI at the local level, how \nimpressed they are with the knowledge a particular agent may \nhave, how impressed they are with the professionalism with \nwhich they pursue the investigation. And it is that type of \nrelationship that does so much to build an understanding \nthroughout the agency. So in some measures it will take time, \nbut at the meeting yesterday I was gratified by comments made \nto me on the part of industry about what we were doing and the \nsuccess we were having in building a partnership.\n    Our Computer Crime Section, for example, has established \nthe Industry Information Group, which includes representatives \nfrom the major ISPs, telecommunications companies and other \nindustry groups. The IIG meets regularly to discuss cybercrime \nand security issues. We have also forged a cooperative \nrelationship with the Internet Alliance, a group that \nrepresents the largest ISPs. 
Last week, DOJ officials met with \nInternet Alliance to discuss cooperative efforts.\n    With respect to privacy, I continually try to emphasize \nthat we do not want a surveillance society or a top down \napproach to cybersecurity. We want to build a partnership that \npermits an appropriate exchange of information based on our \nexperience.\n    We have really, I think, done something else, too, that is \nexciting in terms of forming a partnership, the beginnings of \npartnership that I think is where we are going in the future. \nThis idea came about once when I was speaking to an industry \ngroup. One of the representatives said my 13-year-old daughter \nknows that she should not open other people's mail, that she \nshould not go in and rummage around in her sister's bedroom, \nand that she should respect the privacy of others, but she has \nnot been taught about what she should and should not do on the \nInternet. Last April, I announced that the Department along \nwith Harris Miller and Information Technology Association of \nAmerica had formed the Cybercitizen Partnership, a national \ncampaign to educate and raise awareness of computer \nresponsibility. I expect that that campaign will be in full \nforce in the near future.\n    These are some of the things that we are doing, Mr. \nChairman. Yesterday I asked the industry representatives there \nif they would meet with me just on the law enforcement issue of \nwhat law enforcement can do to improve the partnership and to \nbuild the working relationship that is so vital. Nobody likes \nto get into a situation where they have to deal with law \nenforcement because that means that they have been a victim of \na crime. That is not a pleasant experience in any circumstance, \nbut the FBI is doing so much in terms of outreach, in terms of \nworking with others, to build that trust and that confidence. 
I \nthink we have come a long way.\n\n                 fbi relationships with private sector\n\n    Senator Gregg. Director Freeh, did you have any comment on \nthat?\n    Mr. Freeh. Just to supplement it a little bit, I agree with \nthe Attorney General 100 percent. This relationship is going to \ntake some time. I think if you look back at the early \nrelationship between the FBI, for instance, and the banking \nindustry, 40, 50 years ago, you see where that relationship has \ngrown in terms of trust, reliability, support. We are building \nthat with not just the new high tech industry but many of these \nother interrelated companies. We mentioned before the InfraGard \nprogram which the NIPC administers and that is resident in many \nof our divisions, will hopefully be resident in all 56 \ndivisions. Those agents go out to the private sector in that \nparticular division--banks, transportation, and energy--and say \nwe need to sit down with you, you need to tell us about the \nthings that have to be protected and how your systems and \nnetworks can be compromised. That requires somewhat of an act \nof faith by some of the companies to give that information and \nassistance, and then when an attack occurs have the confidence \nto report that.\n    It is much akin to working the economic espionage cases. \nSomebody has tried to steal a valuable trade secret of a \ncompany. The FBI comes in to do the investigation and asks \nbasically to get all the information about that trade secret. \nThat information goes into our reports, which may go into \ndiscovery in a criminal trial. The company has to stop and \nthink and maybe ask its board and shareholders if this is \nsomething that it wants to pursue, if the objective there is \nreally to protect the trade secret.\n    We met a couple of months ago with representatives of 16 \nmajor companies, the chief information officers, and we talked \nabout these issues. We have got to do things to further that \nrelationship. 
One example just very, very quickly is the \nproposal that the Attorney General and the FBI have made for the \ntechnical support center. This was the result of a discussion, \nin fact, the discussion the Attorney General and I had with six \nof the major CEOs of the software industry about ways we can \nwork on these encryption issues without passing legislation \nwhich, of course, the industry is very concerned about.\n    And the CEOs--and we were delighted at this response--\noffered to not only give services but even lend us some of \ntheir scientists to work in a center where we could solve some \nof these problems on a case-by-case basis.\n    Senator Gregg. Do you need a counter-encryption center?\n    Mr. Freeh. Yes, we do, absolutely. This was an example of \nwhere the industry and the Government in an area of great \nsensitivity could work together. The Congress, in fact, passed \na statute in 1998, part of the Intelligence Authorization Act, \nwhich would allow those companies to give the Attorney General \nthose services. It would not be prohibited as a gift. So these \nare the kinds of initiatives that have to be pursued.\n\n                               conclusion\n\n    Senator Gregg. Thank you. Rather than take any more of your \ntime because you have been extraordinarily generous with it \nthis morning, I do intend to send some specific questions for \nthe record to you. Especially how have the CERT teams evolved? \nAlso, how is the evolution of the National Infrastructure \nProtection Center and the money that we have put into that? I \nwould also like to get an outline of how we would approach \ndeveloping a 5-year plan in this area for law enforcement. But \nif the Commerce Department is so inclined, I would be \ninterested in getting a 5-year plan for how we address a \ncoordinated effort in the areas that are not law enforcement \ndominated so we can have some coherence in this. 
You are going \nto get us language on the law changes you think you need?\n    Ms. Reno. Yes.\n    Senator Gregg. Statutory changes. And we are going to try \nto put in the Title 5 extension. Obviously, that will be a \npriority for this Committee. It was a priority getting it. We \ncertainly do not want to see it lapse. I did not realize it \nlapsed in September. I sure hope we can get this bill signed by \nSeptember. That would be a first, and it would be nice.\n    I appreciate all your time. This is the beginning of a road \nthat is going to have a very long, and I suspect, many turns \nand forks in it. But it is a process which requires a lot of \npublic vetting, and I appreciate your taking the time to \nparticipate in that process today. Thank you very much.\n\n                       need for uniform standards\n\n    Ms. Reno. Mr. Chairman, I would just like to put one other \npoint at issue because I think it is going to be vital as to \nhow law enforcement responds. We are going to have to develop, \nand I would like to work with you on it, a means of ensuring \nuniform standards with respect to equipment and technology. It \nis becoming obsolete practically before we get it installed and \nthe cost can be astronomical or we can work with industry to \ndevelop common standards that people can understand. That will \nnot address the issue where a vital new piece of equipment has \ncome into play, but the costs are going to be something that \nneeds your yankee frugality to address.\n    Senator Gregg. Well, I think that is a critical issue, and \nthere are a lot of issues where we have not really gone in \ndepth. Encryption is just a huge issue. The Director alluded to \nthat, and it has to be resolved, as the Director said. \nObviously, the purchasing of technology and keeping the \nGovernment up to speed while making sure that it is consistent \nis important, as you have outlined. That item and the personnel \nitem are going to take money. 
I will tell you that from my \nstandpoint, this committee has always put an extraordinarily high \npriority on the issue of terrorism, cyberterrorism. And we are \ngoing to put the same type of priority on the issue of funding \ninitiatives in the Internet areas that are not necessarily \nterrorism related but are commercially related. So I think we \nwill be able to find the dollars, but I want to make sure they \nare spent effectively and in a coordinated manner. Thank you \nvery much. I appreciate your time.\n    Ms. Reno. Thank you for your leadership, Mr. Chairman.\n    Mr. Reinsch. Thank you.\n                             INDUSTRY PANEL\n\nSTATEMENT OF ROBERT CHESNUT, ASSOCIATE GENERAL COUNSEL, \n            EBAY\n    Senator Gregg. We begin the second panel here, and I \nappreciate the tolerance of the second panel in waiting to \ntestify. If the members of the second panel could come forward \nand take a seat, that would be very helpful. Please take a \nseat, gentlemen.\n    The second panel are members of industry. They are not \nrepresentative of all the industry, obviously, but a portion of \nit. You will hear from Robert Chesnut, associate general \ncounsel of eBay, which was one of the companies that was \nsubjected to an attack last week. He will address Internet \nsecurity issues, as will Mark Rasch, the senior vice president \nof Global Integrity Corporation. He will testify also relative \nto his previous experience in prosecutions of major Internet \ncases, specifically the Morris worm case. And finally we will \nhear from Jeff Richards, executive director of the Internet \nAlliance, which represents major Internet providers like AOL. \nMr. Richards will discuss the industry's concerns about \nInternet security efforts, and specifically, the coordination \nof law enforcement agencies. 
Again, I thank you for your \nwillingness to be here today and participate in this hearing.\n    As I think was made clear not only in my opening statement \nbut in the comments by the members of the government, we \nconsider the private sector's views on this to be the dominant \nviews. This is an area where the law enforcement agencies come \nin, but they come in in a secondary capacity in many instances \nand, therefore, your ideas and opinions are important to us.\n    Mr. Chesnut, I appreciate your coming. I am a user of your \nsite on a regular basis. I have a lot of New Hampshire \nmemorabilia from eBay. In fact, if you come to my office and go \nto what we call the ``moose room,'' you will see a number of \nthings that were eBay purchased. So I am a big fan of your \norganization, and I appreciate your taking the time to come by. \nWe will start with you and then go right down the line.\n    Mr. Chesnut. Thank you, Mr. Chairman. eBay greatly \nappreciates the opportunity to come here today and to \nparticipate in this hearing. My name is Robert Chesnut, and I \nam the associate general counsel of eBay and prior to joining \neBay last year, I was an Assistant United States Attorney here \nin the Eastern District of Virginia and handled a variety of \ncases involving computer crimes and violent crime and \nespionage. Since I have been at eBay, I have been able to work \non some of these areas involving a partnership between law \nenforcement and the private industry that have already been \ndiscussed earlier in this hearing.\n    In 1995, as the Chairman knows, eBay created the first on-\nline trading community on the Internet, and today we are the \nworld's largest e-commerce site with nearly four million items \nfor sale at any given time in about 4,000 different categories. 
\nEvery day we have approximately 500,000 items that are placed on \nour site from our over 10 million users including, I think, \nabout 50,000 from your State.\n    Being the world's largest e-commerce site poses a number of \nchallenges for us and not the least among these challenges is \nreally a daily challenge of dealing with the protection of our \nweb site from abuse, from hackers, database pirates, and \nvarious pranksters. As, Mr. Chairman, you know, last week we \nwere one of the victims in the attack along with Yahoo!, \ne*Trade, CNN and other well known e-commerce sites. And at \neBay, as the chart there shows, we were attacked at about 3 \no'clock in the afternoon on February 8. The attack blocked \nlegitimate access to eBay's site for approximately 90 minutes \nbefore we were able to turn it back. The attack continued on \nfor another 90 minutes after we had successfully dealt with it.\n    That attack was followed by a second attack the following \nday at about 5 o'clock in the afternoon, and we were able to \ndeal with that attack within just a few minutes without any \nsignificant disruption to our service. Mr. Chairman, the \nattacks are obviously extraordinarily serious. They \nfundamentally disrupted business on our Nation's key e-commerce \nsites for several days. They affected not only eBay's business \nbut a number of--literally hundreds of thousands of individuals \ndepend on eBay as their livelihood and so when eBay is down or \nblocked, they cannot do business. And so it fundamentally \ndisrupts business all across the country when a site like ours \nis blocked.\n    Although we do not know yet who was behind the attack, it \nwas obviously well planned and aimed directly at leading \ncommercial web sites, such as ours. 
As we understand the facts, \nnefarious computer code was placed into computers of \nunsuspecting individuals and institutions, such as the \nUniversity of California at Santa Barbara, and these computers \nwere then used to launch a sustained attack on the leading web \nsites. The purpose of the attacks in this case was to block \naccess to at least a portion of the web sites by bombarding \nthem with a huge volume of traffic--what is known as ICMP \ntraffic, Internet Control Message Protocol traffic.\n    In this case, Mr. Chairman, they bombarded eBay with \napproximately one billion bits per second of traffic, nearly \ndouble our normal incoming traffic, and this flood of what we \ncall bad traffic effectively blocked any legitimate traffic \nfrom reaching our home page for about 90 minutes. Now since \nYahoo! had been attacked the day before on February 8, we had \nalready begun to prepare several countermeasures in case an \nattack like this occurred at eBay, and when the attack \noccurred, we took several steps to try to fight back \nimmediately. We put some of our own firewalls into place to try \nto repel the attack, but the volume of the traffic was simply \nso heavy that the firewalls were not effective.\n    We quickly got in touch with our Internet service \nproviders, and it was their lines that were actually providing \nthe bad traffic to us, and we worked with these Internet \nservice providers to put some filtering mechanisms in place, to \ntry to filter out the traffic before it even got to our site. \nWithin 90 minutes, these filters were effective in blocking the \ntraffic and allowed our site to return to normal usage even \nthough the attack continued for another 90 minutes after the \nfilters had taken effect.\n    It was because of those filters and because of the measures \nthat we had taken on the eighth that when the next attack \noccurred at about 5 p.m. 
on the ninth, we had already worked \nwith the Internet service providers; we had put some permanent \nfixes in place, and therefore the attack the next day was much, \nmuch easier to deal with. We were able to deal with it within \njust a few minutes.\n    The attack in this case was not distinguished by its \nsophistication. I think, as was mentioned earlier, this was an \nattack that could have occurred several years ago in terms of \nsophistication but what marked it was its sheer volume which \nwas unlike any other attack that eBay had previously been a \nvictim of. On an ordinary day, our outbound traffic exceeds \ninbound traffic by about a ten to one margin. That is because \nusers are coming in asking for data from our site and we are \nsending a lot more out than we usually get in. Because of the \nhuge volume of traffic, the bad traffic in this case, the \nincoming traffic actually equaled our outbound traffic which \nwas an extraordinary event for us.\n    In our view, these sort of computer intrusions and attacks \non commercial web sites are serious crimes that merit a \nforceful response and many of these crimes are widely viewed \nwithin the hacking community as little more than pranks. They \nare much more serious in our view, and they demonstrate the \nneed for some forceful action.\n    Now prior to last week's attacks, eBay had already \nestablished a relationship with the computer intrusion squad at \nthe Federal Bureau of Investigation in northern California near \nwhere our offices are located. We had already been speaking \nwith the United States Attorney's Office in that district to \nwork with them in the event of problems like this. 
eBay has \nrecognized that the most effective way to combat cybercrime, \nwhether it is by fraud or by hacking, is to work cooperatively \nwith law enforcement, and we are, as a company, very \ncomfortable in working with law enforcement in this area.\n    Therefore, last year, we had already set up procedures, put \nthem in effect, so that we would be able to quickly notify the \nFBI in case an attack like this occurred, and as a result of \nthat preparation, we were able to contact the FBI pretty \nquickly once the attack occurred to notify them of the attack \nand to provide them with some information that we hope will \nassist them in their investigation. And in the aftermath of the \nattack, we have also come across other leads that we have been \nable to quickly reach the FBI and provide them with the \ninformation.\n    We do believe that this attack illustrates the challenge \nfaced by law enforcement in the investigation and prosecution \nof cybercrime and the importance of ensuring that the Justice \nDepartment is adequately funded to meet this challenge. The \nInternet has become the backbone and life blood of our new \nworld economy, and it is imperative that consumers retain the \nhighest degree of confidence in its reliability and security.\n    High tech has to take the lead. You know leading high tech \ncompanies can work cooperatively together and meet many of the \nchallenges that are posed by cybercriminals. But industry alone \ncannot solve the problem. We cannot go out and do the criminal \ninvestigations and the prosecutions of these cases. We need a \npartnership with law enforcement. 
And an important element in \nfighting this sort of cybercrime is ensuring that law \nenforcement both understands the technology and has the tools \nto work with private industry in investigating these crimes.\n    The need for an effective Internet law enforcement presence \nis particularly important in areas of the country that have the \nhigh concentration of high tech companies. Some examples are \nthe Eastern District of Virginia, just right outside of the \nDistrict here, northern California where eBay is located, and \nsome other areas such as the Boston-New Hampshire corridor \nwhere high tech is concentrated. Northern California, for \nexample, where eBay is located, has undergone a radical \nmetamorphosis in the last 20 years. It is home now to over \n6,000 high tech companies and that includes many of the leading \nhigh tech companies in the world.\n    This growth in the high tech industry has been accompanied \nby a corresponding growth in high tech crimes and these crimes \nare no less a threat to our economic viability than \nconventional crimes, but they are much more difficult to \ninvestigate and prosecute.\n    The areas of the country that have this high concentration \nof high tech companies need resources dedicated to this growing \nproblem. In northern California, for example, the FBI's \ncomputer intrusion squad and the United States Attorney's \nOffice must be adequately staffed to investigate and prosecute \nhigh tech related crime. Such crime is a serious issue. \nComputer intrusions and attacks have become increasingly \nfrequent. They cost companies billions and billions of dollars \nevery year to deal with, and other high tech related crimes \nsuch as theft of trade secrets, counterfeit good sales over the \nInternet, and simply the theft of computer equipment itself has \nbecome a major problem. 
According to a 1999 Rand Corporation \nsurvey, theft of high technology components such as computers \ncosts the industry over $5 billion annually. The Justice \nDepartment cannot hope really to keep up with this high volume \nof work unless there are some specific resources targeted to \nthe areas that need them with badly needed agents and \nprosecutors.\n    Likewise, it is impossible to effectively combat cybercrime \nunless law enforcement understands this new medium as well, at \nleast as well as the cybercriminals do. This requires a \nsophisticated level of training and up-to-date computer \nequipment. Private industry can play an important role in this \ntraining process with law enforcement. For example, FBI has \nalready been working with law enforcement and is providing \ntraining for law enforcement agents, for criminal agents in \nseveral places across the country, so that law enforcement \nunderstands exactly how the medium works and how the industries \ncan actually help law enforcement and work with them quickly \nwhen crimes occur.\n    While this partnership can play a very important role in \nfighting cybercrime, it cannot be a substitute for the basic \ntools that law enforcement needs: agents, prosecutors, and \ncomputer equipment. eBay believes that it is important for this \nsubcommittee to send a message to cybercriminals throughout the \nworld that the United States Government can and will protect e-\ncommerce from criminal activity, but if Congress is going to \nsend a credible message that cybercrimes will be investigated \nand prosecuted vigorously, law enforcement must have the \nresources to back up that message. We urge you to take this \ninto consideration as you determine the appropriate funding \nlevel for these important law enforcement agencies. Thank you.\n    Senator Gregg. Thank you, Mr. 
Chesnut.\n    [The statement follows:]\n                  Prepared Statement of Robert Chesnut\n    My name is Robert Chesnut, and I am the Associate General Counsel \nfor eBay. Before joining eBay last year, I served for 11 years in the \nUnited States Justice Department as an Assistant United States Attorney \nfor the Eastern District of Virginia, where I prosecuted a variety of \ncriminal cases, including violent crimes, computer crimes and espionage \nmatters, such as the Aldrich Ames spy case.\n    In 1995, eBay created the first online person-to-person trading \ncommunity on the Internet. Today, eBay is the world's leading e-\ncommerce web site with nearly 4 million items for sale in over 4,000 \ncategories ranging from coins and stamps to toys and antiques. Every \nday, users around the country and the world list approximately 500,000 \nitems on our site to sell.\n    Being the world's leading e-commerce web site poses a great many \nchallenges for eBay. Not the least among them is the daily challenge of \nprotecting our web site from attack, abuse and misuse by hackers, \ndatabase pirates and pranksters.\n    As you undoubtedly have heard, last week eBay, Yahoo, e*Trade, CNN \nand other well known e-commerce sites were victims of an insidious \norganized attack that shut down portions of their web sites. At eBay, \nthe principal attack occurred at approximately 3 o'clock on February \n8th and blocked legitimate access to eBay's site for nearly 90 minutes. \nThat attack was followed by a second attack on our site the next day, \nwhich we were effectively able to fend off within a few minutes.\n    Let me explain why these attacks are so serious. This attack \nfundamentally disrupted business on our nation's key e-commerce sites \nfor several days. Although we don't yet know who was behind this \nattack, it was obviously well planned and aimed directly at leading \ncommercial web sites, such as ours. 
As we understand the facts, \nnefarious computer code was surreptitiously planted in the computers of \nunsuspecting individuals and institutions, such as the University of \nCalifornia at Santa Barbara. These computers were then used to launch a \nsustained attack on leading web sites. The purpose of the attack was to \nblock access to portions of these web sites by bombarding them with a \nhuge volume of what is known as ICMP (Internet Control Message \nProtocol) traffic. This attack bombarded eBay with over 1 billion bits \nper second of bad traffic, nearly double eBay's normal incoming \ntraffic. This flood of bad traffic effectively blocked legitimate \ntraffic from reaching our home page.\n    Since Yahoo had been attacked the day before, eBay had already \nstarted to prepare several countermeasures. When the attack began, we \nquickly took a number of steps to fight back. Initially, we put in a \nnumber of our own fire walls to repel the bad traffic, but the volume \nof that traffic was so heavy that the fire walls were ineffective. \nQuickly, we turned to our Internet Service Providers (``ISPs''), whose \nlines were bringing this bad traffic to our site. We worked with these \nproviders to develop filtering mechanisms to prevent bad traffic from \neven reaching our site. Within 90 minutes, the filter effectively \nstopped the bad traffic and allowed our site to return to normal \nservice, even though the attack itself continued for an additional 90 \nminutes.\n    The next day, a similar attack was launched against eBay at about \n5:30 p.m. With our experience from the previous day and with a number \nof countermeasures already in place, eBay and its ISPs were able to \nquickly repel this attack without any disruption of eBay's services.\n    Let me be clear, this attack on our site was distinguished not by \nits sophistication, but by its sheer scale. On an ordinary day on our \nweb site outbound traffic exceeds inbound traffic by a 10-to-1 margin. 
\nDuring this attack we noted that inbound traffic was so heavy that it \nactually equaled outbound traffic.\n    It's our view that computer intrusions and attacks on commercial \nweb sites are serious crimes that require a forceful response. Although \nthese crimes are widely viewed within the hacking community as little \nmore than pranks, they are much more serious, as last week's attacks \ndemonstrate.\n    Prior to last week's attacks, eBay had established a close working \nrelationship with the computer crimes squad within the Northern \nCalifornia office of the Federal Bureau of Investigation (``FBI''). \neBay has long recognized that the best way to combat cyber crime, \nwhether it's fraud or hacking, is by working cooperatively with law \nenforcement. Therefore, last year we established procedures for \nnotifying the FBI in the event of such an attack on our web site. As a \nresult of this preparation, we were able to contact the FBI computer \nintrusion squad during the attack and provide them with information \nthat we expect will assist in their investigation. In the aftermath of \nthe attack, eBay has also been able to provide the FBI with additional \nleads that have come to our attention.\n    We believe that this latest attack illustrates the challenge faced \nby law enforcement in the investigation and prosecution of cyber crime, \nand the importance of assuring that the Justice Department is \nadequately funded to meet this challenge. The Internet has become the \nbackbone and lifeblood of the new world economy. And it is imperative \nthat consumers retain the highest degree of confidence in its \nreliability and security.\n    Leading high tech companies can work cooperatively together and \nmeet many of the challenges posed by cyber-criminals. But industry \nalone can't solve the problem without establishing a partnership with \nlaw enforcement. 
An important element in fighting this kind of cyber \ncrime is ensuring that law enforcement both understands the technology, \nand has the tools it needs to work with private industry in \ninvestigating these crimes.\n    The need for an effective Internet law enforcement presence is \nparticularly important in areas of the country that have a high \nconcentration of high tech companies, such as the Eastern District of \nVirginia and the Northern District of California. Northern California, \nfor example, has undergone a radical metamorphosis in the last 20 \nyears, and is now home to more than 6,000 high tech companies, many of \nwhich are the leading high tech companies in the world. This growth in \nthe high tech industry has been accompanied by a corresponding growth \nin high tech crimes. These crimes are no less a threat to our economic \nviability than conventional crimes, and can be much more difficult to \ninvestigate and prosecute.\n    The areas of the country that have a high concentration of high \ntech companies need resources dedicated to this growing problem. In \nNorthern California, for example, the FBI's computer intrusion squad \nand the United States Attorney's Office must be adequately staffed to \ninvestigate and prosecute high tech-related crime. Such crime is a \nserious issue. Computer intrusions and attacks have become increasingly \nfrequent, costing companies billions of dollars each year. Other high \ntech-related crimes, such as theft of trade secrets, sale of \ncounterfeit goods on the Internet and theft of computer and high tech \ncomponents, also require intervention by law enforcement. According to \na 1999 Rand Corporation study, theft of high technology components \nalone costs the industry $5 billion annually. 
The Justice Department \ncannot hope to keep up with this volume of work unless specific \nresources are targeted to provide them with badly needed agents and \nprosecutors in key high tech regions of the country.\n    Likewise, it is impossible to effectively combat cyber crime unless \nlaw enforcement understands this new medium at least as well as the \ncyber-criminals do. This requires both a sophisticated level of \ntraining, and up-to-date computer equipment. Private industry can play \nan important role in the training process. For example, eBay already \nprovides regular training to law enforcement agencies to help them \nunderstand Internet commerce and the kinds of information available to \nassist them in finding and gathering evidence of cyber crimes.\n    While this partnership between industry and law enforcement can \nplay an important role in fighting cyber crime, it cannot substitute \nfor the basic tools that law enforcement must have to be effective--\nagents, prosecutors, and computer equipment.\n    It is important for this Subcommittee to send a message to cyber \ncriminals throughout the world that the U.S. Government can and will \nprotect e-commerce from criminal activity. But if Congress is to send a \ncredible message that cyber crimes will be investigated and prosecuted \nvigorously, law enforcement must have the resources to back up that \nmessage. We urge you to take this into consideration as you determine \nthe appropriate funding level for these important law enforcement \nagencies.\n    Thank you for giving us the opportunity to testify today and I \nwould be glad to answer questions you may have.\nSTATEMENT OF JEFF B. RICHARDS, EXECUTIVE DIRECTOR, \n            INTERNET ALLIANCE\n    Senator Gregg. Mr. Richards.\n    Mr. Richards. Mr. Chairman, I am Jeff Richards, executive \ndirector of the Internet Alliance, and on behalf of the \nAlliance I want to thank you for this opportunity. 
We would \nlike to give our views on criminal activity on the Internet, on \nthe necessity of enforcing laws applicable to that activity, \nand on the need for Federal law enforcement authorities to have \nresources that enable them to better carry out their mandate.\n    Since our founding in 1982 as the Videotex Industry \nAssociation, the Internet Alliance has been the only trade \nassociation to address online and Internet issues from a \nconsumer perspective, consumer confidence and trust. The \nInternet Alliance's 70 plus members today represent more than \n90 percent of consumer access to the Internet in the United \nStates and our Law Enforcement and Security Council gathers \nsenior security officials--in fact, this organization is co-\nchaired by AOL and MCI-Worldcom-UUNET--to bridge the gaps \nbetween industry and law enforcement agencies.\n    We are actively then building confidence and trust and it \nis necessary to do that so that this becomes the global mass \nmarket medium of this century, the Internet century. So the \nInternet Alliance has recognized that the Internet can mature \nreally as a revolutionary mass medium and one that is about new \nknowledge relationships and choices but only if we all promote \nthe public's trust and confidence. It is in the context of that \ntrust and confidence that we assess the recent denial of \nservice attacks.\n    Vandals flooded important web portals and sites with \nspurious requests, rendering them temporarily unavailable, as \nwe have heard, to would-be users. For many Americans, last \nweek's event marked their first exposure to one of the \ndownsides of the Internet's main strengths: its relatively open \narchitecture. Consumers could wrongly conclude that the \nInternet is essentially an open sieve for malcontents or \ncriminals.\n    Internet vandalism has occurred before and it will occur \nagain. 
Destructive, freely distributed software tools are \ncreated by those with malicious or misguided motives, and more \nwill be created in the future. But at the same time, I think \nsome perspective is in order. First, the duration of the \ninterrupted service was measured in hours, not days. In an \nindustry less than a decade old, that record compares favorably \nwith electrical power outages during storms or telephone \nservice interruptions. When the assault was detected, teams of \nexperts employed additional capacity and screening tools--we \nhave heard some of those talked about this morning--bringing \nthe situation under control.\n    I just want to point out this in itself is an impressive \ndemonstration of the sophistication and responsiveness of \nservice and infrastructure providers. And very importantly, at \nthe same time, industry and law enforcement agencies began \ncooperating on these investigations starting that very day. So \nmy point is we must not overreact to these events. Whether in \npersonal relationships, in the process of democratic \ngovernment, or in the operation of the Internet, openness, Mr. \nChairman, is always accompanied by a degree of risk. In \nInternet terms, though, then we say openness needs to be \npreserved so that small as well as large enterprises can be \npart of this new economy, so citizens can speak freely, and so \nthat the web is truly a global medium.\n    So the effectiveness of web attacks can and will be \nreduced. I am confident we are going to steer the right course \nbetween security on one side and openness and freedom on the \nother, and this hearing is an important one to advance both of \nthose goals.\n    So at the Internet Alliance, we believe in a simple \napproach: first things first. With respect to crime on the \nInternet, that means focusing on security and on the effective \nenforcement of existing criminal laws. 
Prosecutions under such \nlaws serve two goals equally well, deterrence on the one hand \nand promotion of the public's confidence in the Internet \nmedium. Investigation and prosecution of criminal acts in the \nnew on-line world pose new challenges for agencies that we have \nheard about today. And as a result, law enforcement ranges from \nsome centers of excellence to some haphazardness to some \nserious lacks. I am not just referring to denial of service \nattacks. The situation can extend across several categories of \ncrime.\n    So now I will speak more broadly and speak specifically of \nthe Internet Alliance's support of additional appropriations \nfor Federal law enforcement agencies, assuming that those \nresources will be spread among different categories. What are \nsome of the keys to improved enforcement of existing laws in \nthe Internet space? A short list would include training of \nexisting officers in computer and Internet skills and \napplication of constitutional and statutory liberties in the \nInternet context. It would include hiring additional experts, \nadditional computer and other investigative equipment, and very \ndefinitely improve coordination and cooperation among law \nenforcement agencies themselves and with the industry. I think \nthere has been great progress there and continuing work on \njurisdictional matters. It would include public education \nefforts to urge consumers to act wisely and cautiously to \nprotect themselves online as they do off-line.\n    Today, law enforcement is inadequately trained to \ninvestigate crimes and support effective prosecution of current \nlaws in the Internet space. This is no indictment of law \nenforcement agencies. 
There are centers of excellence within \nDOJ, FBI, some State attorneys general, some State and \nmetropolitan police forces, but only a small percentage of law \nenforcement agencies, perhaps 5 percent or less, in the United \nStates have the knowledge and skills to prosecute properly \nreceived Internet related complaints, to adequately investigate \nthose crimes and otherwise assist in the successful prosecution \nof Internet criminals.\n    We have no reason to believe this situation is better in \nany other nation. To help address these challenges, the IA has \nmoved beyond rhetoric in the areas in a number of constructive \nlaw enforcement related activities and for the Internet \nAlliance these include training, and we heard reference earlier \nthis morning, to work with several agencies including \nDepartment of Justice, FBI, and our Law Enforcement and \nSecurity Council where we are preparing updated law enforcement \ntraining and resource materials and a much needed secure \nworldwide directory of key industry and law enforcement \ncontacts.\n    We must resist, frankly, overreaching, even in the name of \nsecurity, and make certain the constitutional and other \nstatutory protections in investigations and prosecutions are \nobserved and we think that training is a critical part of \nachieving that.\n    And finally, we must also keep clear the distinction of \nroles between industry and law enforcement. We as companies can \nand will do more to help law enforcement succeed in all its \nduties, but industry cannot be made an agent of law enforcement \nas some have proposed abroad.\n    Let us return quickly to last week's distributed denial of \nservice attacks. Broadly speaking, what can we learn for the \nfuture? First, we see that widespread prevention at the user \nend; the university that was cited, for example, the local \nsystem administrator end could have made a difference. This is \na broad issue that we need to continue to address. 
It appears \nthat many of the computer resources used to launch these \nattacks were not those of ISPs, for example, or networks or \nother Internet companies, but some of those end-user customers \nthemselves. That means that all of us must be vigilant and take \nsteps to close the backdoors, apply software patches, update \nfirewalls, and use proper Internet hygiene.\n    Second, we see that the apparent advanced planning, \ncoordination, and delayed execution of this launch-on-command \nattack would have evaded real time monitoring and intercepts of \nthe Internet by law enforcement, and we do not support at this \ntime such steps to a solution.\n    Third, the process of identifying and prosecuting those \nresponsible, which will increase public confidence and deter \nfuture vandalism, would be significantly more efficient if law \nenforcement agencies get the financial resources that they \nneed.\n    In conclusion, each of us can make valuable contributions \nagainst Internet crime. For our part, the Internet Alliance \nwill pursue law enforcement training efforts. We are going to \nprototype the secure directory of industry and law enforcement \ncontacts. We will bring forward a carefully crafted proposal \nregarding forgery of header and routing data and we will \nstrongly pursue industry best practices in the areas of law \nenforcement and security addressing data retention domestically \nand internationally as an example. Industry itself will \ncontinue to develop and deploy more and more secure and stable \nhardware and software to improve the consumer Internet \nexperience.\n    Turning to the government's contribution, we ask Congress \nto support the effective enforcement of current laws through \nincreased appropriations and through ongoing oversight and \nencouragement. Thank you. I would be glad to answer any \nquestions as best as I can.\n    Senator Gregg. Thank you, Mr. 
Richards.\n    [The statement follows:]\n                 Prepared Statement of Jeff B. Richards\n    Mr. Chairman, Mr. Ranking Member and Members of the Committee, I am \nJeff B. Richards, Executive Director of the Internet Alliance \n(www.internetalliance.org). On behalf of the Alliance, I thank you for \nthe opportunity to give you our views on criminal activity on the \nInternet, on the necessity of enforcement of the laws applicable to \nthat activity, and on the need of federal law enforcement authorities \nfor resources that would enable them to better carry out their mandate \nto protect law abiding citizens and businesses from criminals.\n    Since its founding in 1982 as the Videotex Industry Association, \nthe Internet Alliance (IA) has been the only trade association to \naddress online Internet issues from a consumer Internet online company \nperspective. Through public policy, advocacy, consumer outreach and \nstrategic alliances, the IA is building the trust and confidence \nnecessary for the Internet to become the global mass-market medium of \nthis century, the Internet Century. The Internet Alliance's 70-plus \nmembers represent more than ninety percent of consumer access to the \nInternet in the United States. IA's Law Enforcement and Security \nCouncil brings together senior security officials of key IA members to \nbridge the gaps between industry and federal, state, and international \nlaw enforcement agencies. It benefits from IA's unique presence--in the \nfifty states, Washington and abroad--to increase its knowledge and \nleverage. 
Since May of 1999, the Internet Alliance has been a separate \nsubsidiary of the Direct Marketing Association, bringing the resources \nof a 4,500-member organization to bear on Internet issues and their \nresolution.\nThe Internet Century\n    Coming as it did at the end of the last millennium, the sudden and \nexponential growth of the consumer Internet over the past ten years \nwill undoubtedly be seen as a portent of things to come in the new \n``Internet Age.'' Less than a decade after the development of the first \nWeb browser, billions of dollars were spent online in 1999. The range \nof transactions was broad indeed--from books and records to food and \nwine, from computers and exercise equipment to automobiles and houses, \nfrom pay-to-view webcasts and news alert subscriptions to online \nbanking and computer training. In short, the Internet is transforming \nthe American economy and consumerism itself.\n    Growing public acceptance of the Internet has important \nimplications. For consumers, the new medium has brought a range of new \noptions, accompanied by some new and different worries. For business, \nthe Internet has brought new methods of reaching customers, as well as \nnew competition from unfamiliar places. For the U.S. government, online \ncommercial activity has created a vast new economic sector, an engine \nof productivity that renews many familiar challenges and generates a \nfew new ones.\n    By any reasonable measure, however, the Internet has been a \npositive development for consumers, business and government. 
By most \naccounts, the rise of the Internet has been a key factor in the \nsustained economic growth of 1990s America, helping to put record \nnumbers of Americans to work and generating productivity increases that \nhave in turn helped buy down federal and state budget deficits, tame \ninflation, and create the circumstances for a record period of economic \ngrowth.\nConsumer Confidence and Trust\n    The Internet Alliance has always recognized that the Internet can \nmature as a revolutionary mass medium, successfully empowering \nconsumers through new knowledge, relationships and choices, only if it \npromotes the public's confidence and trust. The process of increasing \nconsumer confidence and trust has led the Internet industry to \nvigorously address a range of policy issues, including privacy, \nunwanted commercial e-mail, information security, enforcement of the \nlaws on the Internet, marketing to children, taxation, and \ninternational jurisdiction and consistency. Of particular relevance to \nthe topic of this hearing, in 1999, the Internet Alliance inaugurated \nits Law Enforcement and Security Council, bringing together experts \nfrom leading companies to undertake concrete law-enforcement-focused \nprojects, to regularize contacts between law enforcement and industry, \nto find points of agreement and join efforts with non-U.S. Internet \norganizations, and to work on ``best business practices.''\nDenial of Service Attacks\n    Let me first add some perspective about the recent denial of \nservice attacks reported prominently in the media beginning February 7. \nVandals flooded important Web portals and sites with spurious requests, \nrendering them temporarily unavailable to would-be users. While I \ncannot comment on ongoing investigations, we take denial of service \nattacks seriously, both for the damage they do and for the perceptions \nthey create. 
For many Americans, last week's events marked their first \nexposure to a downside of one of the Internet's main strengths--its \nrelatively open architecture. Consumers could erroneously conclude that \nthe Internet is essentially an open sieve for malcontents or criminals.\n    Granted, Internet vandalism has occurred before, and doubtless will \noccur again. Destructive, freely distributed software tools are \navailable to those with malicious or misguided motives, and more will \nbe created in the future.\nMaintaining Our Perspective\n    At the same time, I think some perspective is in order. First, the \nduration of interrupted service was measured in hours, not days. In an \nindustry less than a decade old, that record compares favorably with \nelectrical power outages during storms or periods of heavy usage, and \nwith phone service interruptions. When the assault was detected, teams \nof experts deployed additional user capacity and screening tools, \nquickly bringing the situation under control. This is an impressive \ndemonstration of the sophistication and responsiveness of service and \ninfrastructure providers. At the same time, industry and law \nenforcement agencies began cooperating on investigations seeking to \nidentify and prosecute those responsible.\n    What is new about the events of the last ten days is the level of \npublic awareness and scrutiny. In turn, this offers us a renewed \nopportunity to further improve our performance. Industry must continue \nto develop and deploy effective technologies and countermeasures, with \nthe Internet itself increasingly serving as a platform for solutions \nproviders.\n    At the same time, we must not overreact. Whether in personal \nrelationships, in the processes of democratic government, or in the \noperation of the Internet, openness always is accompanied by a degree \nof risk. 
We would not think of abandoning these benefits because of \ntheir risks--we accept risks even while trying to reduce them. Thus the \ngoal is not to achieve perfect security at any cost; it is to find an \nacceptable balance, and thereafter to work on improving the terms of \nthat balance. In Internet terms, openness needs to be preserved so that \nsmall as well as large enterprises can be a part of the New Economy, so \nthat citizens may continue to speak freely, and so that the Web is \ntruly a global medium.\n    The effectiveness of Web attacks can and will be reduced. And I am \nconfident that we will steer a wise course between security on the one \nside, and openness and freedom on the other. This hearing is one \nimportant opportunity to advance both goals.\nFirst Things First\n    At the Internet Alliance, we believe in a simple approach--``first \nthings first.'' With respect to crime on the Internet, that has meant \nfocusing on security and on the effective enforcement of existing \ncriminal laws. Prosecutions under such laws serve two goals equally \nwell: deterrence, and promotion of the public's confidence in the \nInternet medium. However, investigation and prosecution of criminal \nacts in the new online world pose new challenges for law enforcement \nagencies. As a result, law enforcement online ranges from haphazard to \nnearly nonexistent. Our Federal agencies have led the field, developing \nthe most skilled corps of professionals and the greatest depth of \nexperience in the world. But unless they get additional resources, they \nwill be unable to enforce federal laws properly and will have little \ncapability to help upgrade state and local agencies.\n    I am not referring just to denial of service attacks. The situation \nextends more or less across all categories of crimes. 
Thus, the \nremainder of my comments will speak more broadly, and the IA's support \nof additional appropriations for Federal law enforcement agencies \nassumes those resources will be spread among different categories \naccording to need, urgency and the degree of improvement expected in \neach.\n    What are some of the keys to improved enforcement of existing laws \nin the Internet space?\n    A short list would include training for existing officers in \ncomputer and Internet skills, and in the application of constitutional \nand statutory civil liberties in the Internet context. It would include \nadditional computer and other investigative equipment, and the hiring \nof additional personnel to investigate and prosecute Internet crimes, \nas well as to improve coordination and cooperation among law \nenforcement agencies themselves and with the Internet industry, \ncontinuing work on jurisdictional matters. And it would include public \neducation efforts to urge consumers to act as wisely and cautiously to \nprotect themselves online as they do offline.\n    Today, law enforcement is inadequately trained to investigate \ncrimes and support effective prosecution of current laws in the \nInternet space. This is no indictment of law enforcement agencies. \nThere are some centers of excellence within the Department of Justice \nand the Federal Bureau of Investigation, some state Attorneys General \noffices, and a few metropolitan police forces. However, only a small \npercentage, probably well under five, of law enforcement agencies in \nthe United States have the knowledge and skills to properly receive \nInternet related complaints, adequately investigate those crimes \nthrough online and offline resources, develop and maintain admissible \nevidence, refer complaints through the system, network with experts, \nand otherwise assist in the successful prosecution of Internet \ncriminals. 
We have no reason to believe the situation is any better in \nother nations.\n    And superimposed on the challenge of adding personnel and upgrading \nskills and equipment is the evolving nature of the Internet and the \nspeed of action the new medium makes possible. Today, law enforcement \ntoo must move on ``Internet time,'' and that takes prioritization, \ncontinual training and management focus.\n    Finally, the nature of the Internet requires us to seek a wise \nbalance among local, national, and international law enforcement, \nespecially as we negotiate the ground rules of this first global \nmedium. We know that today citizen complaints may enter the system at \nany level of jurisdiction. The Internet is simultaneously intensely \nlocal and intensely global. The Internet will be a vehicle--one among \nmany--for the commission of criminal acts within communities. The IA \ntracks state laws, and we know that in this state legislative cycle, we \nmay see more than 2,200 Internet-related bills. So at least in the \nforeseeable future, the Internet and law enforcement will be \nintertwined at far more than the federal level.\nConcrete Steps Going Forward\n    IA has moved beyond rhetoric in a number of constructive law-\nenforcement related activities. These include:\n            Training\n    In coordination with several agencies, including the Department of \nJustice and the FBI, the Internet Alliance's Law Enforcement and \nSecurity Council is preparing updated Internet law enforcement training \nand resource materials. While many of our members already provide \nbriefings, materials and consultations for the law enforcement \ncommunity as requested, needs may soon outstrip individual companies' \ncapabilities. By combining our experience, the IA can provide both \nbasic introductory and updated, advanced materials to increase law \nenforcement's expertise and success. 
This is a commitment we undertake \nknowing that industry's roles are distinct from those of law \nenforcement, but that we can help each other where they converge.\n            Coordination\n    Cooperation among law enforcement agencies is another basic aspect \nof a ``first things first'' philosophy. Again, we applaud the \nleadership of those who have built expertise and a track record of \nsuccessful enforcement and prosecution. We also believe that since the \nInternet has grown so quickly, it has now outstripped the often ``ad \nhoc'' communications among agencies. We encourage law enforcement at \nall levels to share techniques and their own ``best practices'' rapidly \nand thoroughly.\n    IA recognizes that coordination among international enforcement \nagencies is necessary to adequately fight crime on the borderless \nInternet. In September of last year, IA assumed a leadership role at an \ninternational conference of enforcement agencies in Vienna, Austria, \nfor the first time catalyzing a constructive business/government \ndialogue on tackling specific Internet crimes.\n    Domestically, we are giving input to the FBI, at its request, in \nthe development of reporting mechanisms for the new Internet Fraud \nReporting Center. In another initiative we respond to the fact that the \nInternet industry itself has not always been easily accessible to law \nenforcement. Accordingly, in conjunction with DOJ's recently announced \n``24/7'' computer crime personnel network, the Internet Alliance's Law \nEnforcement and Security Council is prototyping a secure online \ndirectory of law enforcement and industry contacts. By consulting this \nlist, law enforcement officers will quickly identify and be able to \ncontact designated individuals within Internet companies who are \nresponsible for responding to their requests.\n    We firmly support the appropriation of new federal dollars to bring \nenforcement of current laws into the Internet Century. 
As new resources \nare made available, the continuing challenge will be to apply them \noptimally, and to make certain that this financial commitment is not \nmerely a short-term focus for policymakers, nor on the other hand, a \nplatform for front-line monitoring of Internet activities generally. \nPriorities should be clear and rational. We need to include local and \ninternational law enforcement, industry and problem-solving \norganizations such as ours. Our consumers, and your constituents, \nshould expect nothing less.\nForging Header and Other Routing Information\n    Based on our industry experience, the Internet Alliance believes \nthat one tightly tailored legislative approach would be useful in \ndiminishing distributed denial of service attacks, as well as a \nfundamental problem affecting consumers and ISPs--unwanted commercial \ne-mail sent through forged header and other routing information. We \nvalue the Internet's open architecture and we value commercial and \nother speech. We also see that both are undermined by the deliberate \nforgery of key message header and routing information. We will soon \noffer to Congress a tightly focused legislative proposal aimed at these \nforgeries. We believe that it will preserve the benefits of the \nInternet to millions of consumers and to our economy while making \ncriminal the act of forging these important technical data upon which \nthe Internet infrastructure relies.\nResisting A Crisis Mentality\n    The recent denial of service attacks may lead to calls for new laws \nand new police powers. We respect the motives for these calls, but we \nhave serious misgivings about responding quickly, and we urge this \nSubcommittee and the Congress to exercise caution and scrutiny. When \ncurrent law is not sufficiently enforced, there are numerous risks in \npursuing new ones. 
We must build the solid track record of enforcement \nin the current environment before we can accurately determine what \nfurther steps are needed. We must not pass laws of dubious \nenforceability, risking erosion of the public's confidence in law \nenforcement and in the Internet. We must resist overreaching, even in \nthe name of security, and make certain that constitutional and \nstatutory protections in the investigation and prosecution of Internet \ncrimes are observed.\n    The world is watching the United States carefully. There are \nnations who would like to exercise control over Internet traffic and \ncontent, curtail U.S. innovation and global opportunities, and bend \ntechnical advances to their own purposes. Our national policy has been \nto resist these developments through negotiation, persuasion and \nexample. Action by Congress to grant new powers to law enforcement to \nmonitor or control Internet activities will be cited by these nations \nto undermine U.S. moral authority and to justify their own activities.\n    We are wise instead to ensure that our traditional criminal law \nrestraints and balances are carried over into the Internet context. We \nare wise to invest and prioritize wisely, and to build international \ncooperation based on well understood legal and law enforcement \nprinciples. And we will all build consumer confidence and trust through \nmaking clear our governments' enforcement and prosecution prowess, \nrather than communicating encouragement of additional government \nsurveillance of citizens. At a time when concern about privacy is \nintense both in the U.S. and Europe, we risk too much by appearing \nwilling to skip over the fundamentals. Basics should indeed come first.\n    We are also on solid ground when we keep clear the distinction in \nroles played by industry and law enforcement. For industry, the \ninfluence of the marketplace is overwhelming. 
Increasingly, companies \nwill be scrutinized and judged by consumers on their security practices \nand their investments in technology advances. Companies and \nassociations of companies have done and will do more to give consumers \na reliable, satisfying and productive Internet experience than any \nother sector of society. They can and will do more to help law \nenforcement succeed in its duties. But industry cannot and must not be \nmade an agent of law enforcement, as some have proposed abroad.\nLessons Learned\n    Let's return to last week's distributed denial of service attacks. \nBroadly speaking, what can we learn for the future? First, we see that \nwidespread prevention at the user end--the local system administrator \nend--could have made a difference. Generally, we promote the idea that \nsecurity must be a high priority for all entities connected to the \nInternet. This means not only commercial backbone and access providers \nand web site hosts and merchants, but also not for profit and other \nproviders and users. It appears that many of the computer resources \nused to launch the attacks were not those of ISPs, networks or other \nInternet companies, but in fact ``end users'' themselves. This means \nthat all of us must be vigilant, and must take steps to close ``back \ndoors'', apply software patches as they become available, update \nfirewalls and use proper Internet hygiene. In the coming days and \nweeks, you can expect that many of us in the Internet community will be \nproposing specific recommendations about system administration, \nespecially as details surrounding the attacks are made clear. Second, \nwe see that the apparent advanced planning, coordination, and delayed \nexecution of the ``launch on command'' attacks would have evaded real \ntime monitoring and intercepts of the Internet by law enforcement, and \ndo not support such steps as a solution. 
Third, the process of \nidentifying and prosecuting those responsible for the attacks, a \nprocess which will increase public confidence in the Internet and \nhopefully deter future Internet vandalism, would be significantly more \nefficient if the federal law enforcement agencies had the financial \nresources they need.\nConclusion\n    Each of us can make valuable contributions in the fight against \nInternet crime.\n    For its part, the Internet Alliance will pursue its law enforcement \ntraining efforts. We will prototype the secure directory of industry \nand law enforcement contacts. We will bring forward a carefully crafted \nproposal regarding forgery of header and routing data. And we will \nstrongly pursue industry ``best practices'' in the areas of law \nenforcement and security addressing matters such as data retention \ndomestically and internationally. Industry itself will continue to \ndevelop and deploy ever more secure and stable hardware and software to \ncontinually improve the consumer Internet experience.\n    Turning to the government contribution, we ask the Congress to \nsupport the effective enforcement of current laws through increased \nappropriations and through ongoing oversight and encouragement.\n    Thank you. I will be glad to answer any questions to the best of my \nability.\n\nSTATEMENT OF MARK RASCH, VICE PRESIDENT, CYBERLAW, \n            GLOBAL INTEGRITY CORP.\n    Senator Gregg. Mr. Rasch, I understand you are with Global \nIntegrity, and we would appreciate any comments you might have.\n    Mr. Rasch. Yes. Good morning, Chairman Gregg. Thank you for \ninviting me to testify today on the important issue of Internet \nsecurity. I am Mark Rasch, and I am vice president of Global \nIntegrity. We are a subsidiary of Science Applications \nInternational Corporation, and we are located in Reston, \nVirginia. 
What we do is we work with banks and Fortune 100 \ncompanies along with Internet companies, dot-com companies and \nthe like, and help them develop secure architectures. We help \nthem respond to computer security incidents, and we help them \nmonitor their firewalls and things like that dedicated to \ninformation protection.\n    Before I joined Global Integrity, I was a trial attorney \nwith the Fraud Section of the Criminal Division of the Justice \nDepartment responsible for investigating and prosecuting \ncomputer and high technology crimes. Among the cases I worked \non were the investigation and prosecution of Robert Morris, the \nCornell University graduate student who created a computer worm \nback in 1988 that shut down 10 percent of the computers on the \nInternet. At that time, that was about 6,000 computers. There \nare probably more than that right now in a three square block \nradius in Concord, New Hampshire.\n    I also worked on the investigation and prosecutions of the \nCuckoo's Egg cases. That was a case involving foreign espionage \nagainst the United States by computer and the investigations of \nKevin Mitnick, a hacker who was recently released from jail in \nCalifornia.\n    At the time I left the Justice Department in 1991, the \nComputer Crime Unit consisted of me on a part-time basis. Right \nnow, the Computer Crime Unit has a Computer Crime and \nIntellectual Property Section of the Justice Department which \nhas more than 18 attorneys and that number continues to grow.\n    As you requested, I would like to address three principal \ntopics today. First is the nature of the threats against the \ninfrastructure, particularly the commercial infrastructure, the \nvulnerabilities and trends that we have seen in cyberspace. \nSecond, I would like to address what the private sector is \ndoing and can do in the future on its own to help protect the \ncritical infrastructure. 
And the third thing is the proper role \nof law enforcement and the role of the government in general in \nhelping to protect and defend cyberspace.\n    The distributed denial of service attacks last week against \nthese companies here have made painfully clear that there are \nvery few rules in cyberspace. Information security has to a \ngreat extent been the stepchild of electronic commerce. For \nAmerica to remain competitive and foster the growth of \nelectronic commerce with its increases in productivity and \nconvenience, it is essential that we protect the critical \ninfrastructure. The gravamen of the situation is essentially \nthis. There are genuine threats to electronic commerce and \nprivacy and security of digital information, but none is so \nsignificant that they should long deter us from continuing on \nthe path towards the growth of electronic commerce.\n    The same Internet that empowers a single individual to \nobtain a lower interest rate on a home mortgage or buy \nsomething from eBay at a lower price also would empower someone \nfrom a basement or garage in Concord, New Hampshire to get \ninformation about a transaction in say Charleston, South \nCarolina, or break into a dot-com business in Palo Alto, \nCalifornia. The Internet is no respecter of borders or \nsovereignty. Government, in general, and the U.S. Government in \nparticular, does have a legitimate role in helping make the \nInternet more robust, more secure, and more dependable by \nhelping design more dependable computer systems.\n    But the government should not use the general insecurity \nabout online commerce as an opportunity to take upon itself new \npowers of investigation, new powers to compel cooperation or \nreporting or new opportunities to increase the regulatory \nburden on those doing e-business. 
The government can, though, \ndo more to be a partner with e-business with the commercial \nsector and to promote trust and confidence in its abilities and \nits dedication to security.\n    First question is, of course, is the sky falling? And the \nanswer to that is maybe. What we see from last week's attacks \nagainst these various electronic companies is essentially a \nwake-up call, but it is not the first wake-up call. We have had \na series of wake-up calls that have shaken the industry and \nsaid we need to do something about security. I want to \nemphasize the fact that none of the sites mentioned here were \nactually hacked themselves. What actually happened was these \nautomatic programs monitored the networks and then broke into \nother people's sites using known vulnerabilities, widely known, \nwidely publicized vulnerabilities.\n    Had those vulnerabilities been effectively fixed by the \nsites that were broken into, this attack could not have taken \nplace. So if we can fix the problems we know about, we will be \n90 percent of the way there. Cybercrime represents a real and \ngrowing threat although it is difficult to measure its scope. \nReporting of cybercrime is limited by virtue of the difficulty \nin detecting it, and, in fact, a study that was done by the Air \nForce indicated that fewer than 9 percent of cybercrimes are \never even detected, much less reported, much less investigated, \nmuch less prosecuted.\n    So there is another problem as well and that is the \nunderstandable reticence, especially in the commercial sector, \nto report cybercrime because of the nature of electronic \ncommerce being dependent upon not only security but also on \nconfidence.\n    We did detect the following trends over the last year, \nhowever. First of all, distributed attacks, the type that we \nhave seen here last week, specifically indicated by the \nactivities of late 1999 and last week, are increasing. 
\nCompromising the same vulnerabilities in systems is the \npredominant method of attack. Hackers use the same old tricks \nthat they have been using for years to break in. Most incidents \nand penetrations seem to be crimes of opportunity. Although \nthere may be significant planning involved in them, they break \nin where they feel they can break in.\n    The release of point and click tools--these are complete \nprograms that are available on the Internet that you can \ndownload--have made it easier for teenage hackers and others to \nsimply download programs and break into people's computers. \nThese can be perpetrated by what we call ``script kiddies'' who \ndownload the tools and more sophisticated hackers can take \nthese same tools and alter them. I would guess that the types \nof attacks we saw last week could be perpetrated again next \nweek if somebody simply altered the programming and made them \nappear somewhat different.\n    Generally speaking, attack coding has become more \nsophisticated, and it has been very creative. Media exposure \nseems to be at least one of the catalysts for many of the \nattacks and appears to correlate to web attacks and hacks. \nThese are attacks on people's web sites. Organizations \nappearing prominently in the news or those launching new \nadvertising campaigns or IPOs tend to be the ones that seem to \nbe the targets of many of these hackers.\n    Also, the electronic workplace has bred a certain degree of \ndisloyalty among employees. Because they work and take a more \nindependent and individual view of their job and their work and \nbecause of the emergence of these dot-com millionaires and the \nIPO frenzies and the ease in starting one's own business, there \nis a tremendous amount of competition to obtain intellectual \nproperty. 
As a result, we see sophisticated attacks against \ncomputer systems in order to steal intellectual property which \nthen can be utilized in competition with other companies.\n    We live in a world where more information that is more \nconnected and is more sensitive is contained on more computers. \nThose computers are more connected to each other, more \nvulnerable to attack, and, therefore, we need to take \nelectronic commerce security extremely seriously.\n    Now, the next question is what is the private sector doing, \nand how can they do more? It is difficult to generalize about \nan entire industry, particularly an industry that is moving as \nquickly as the e-commerce industry is moving. Some commercial \nenterprises, particularly in the banking and financial services \nindustry, which have a tradition of security, have taken the \nproblem very seriously. Newer e-commerce companies like eBay, \nwhere security is perceived to be important, have taken \ntremendous steps as well.\n    On the other hand, there are companies out there, and \nthousands of them, where there is a competition for resources \nand where they have a choice of promoting more functionality or \nmore security, they may choose the easy route and take more \nfunctionality. And, therefore, the institutions like banks, \nbrokerage houses, and insurance companies are generally well \nsecured. They have done a number of things in the past several \nyears to help promote even increasing security. I would like to \nspeak about two of them right now.\n    As a result of Presidential Decision Directive 63, PDD-63, \nthe Commerce Department, the Securities and Exchange \nCommission, and other areas of the government have promoted a \nprivate enterprise of cooperation among the financial services \nindustries called the ISAC. 
This is the Information Sharing and \nAnalysis Center, and the FS, or Financial Services ISAC acts as \na clearinghouse of information about information security \nthreats, vulnerabilities, and incidents, and so what the FS \nISAC does is it acts as a mechanism for these disparate \ncompanies to share information on a real-time basis about \nattacks that are going on.\n    One of the problems is that companies do not like to report \nthese types of incidents for a variety of different reasons. \nWhat the FS ISAC allows them to do is to share the information \nin an anonymous and confidential and secure manner. That is \njust one of the things that the financial services industry is \ndoing to help make themselves more secure.\n    Another thing is the Banking Industry Technology \nSecretariat, or BITS, which is a group of various banks and \nother financial institutions, has formed something called the \nBITS Laboratory. What the BITS Laboratory does is it will test \nany products, whether it is hardware or software, biometric \ndevices, bill payment systems, operating systems, e-mail \nsystems and the like, against a set of common criteria. They \nestablish a set of criteria, and this is run by Global \nIntegrity, and then the products get to be tested against that \ncriteria and get essentially what amounts to the Good \nHousekeeping Seal of Approval.\n    Once the product is then tested and cleared for the \nsecurity criteria, then other banks and financial institutions \ncan buy these products with a reasonable degree of confidence \nand belief that the product is reasonably safe. What this \neliminates is the possibility that products get shipped to \nbanks or financial institutions with default settings that are \ninsecure. 
Essentially we would run the same types of hacker \ntools against these products that the hackers would to test \nthem before they get into the banks or financial institutions.\n    Now no method of security is going to be 100 percent \neffective. But these are some of the mechanisms that at least \nthe financial services industry, which represents about 70 \npercent of the work that we do, are doing to protect \nthemselves. This model of information sharing within the FS \nISAC is going to be perpetrated against other of the critical \ninfrastructures. Another model is the National Secure \nTelecommunications Advisory Commission or NSTAC that acts in a \nsimilar capacity for sharing information about vulnerabilities \nin the telecommunications industry. So we will see similar \ntypes of ISACs that are going to be developed in the energy \nsector, in the telecommunication sector, the power sector, and \nother sectors as to that.\n    Now, the next question is what is the role of law \nenforcement and the appropriate role of law enforcement? There \nhas been a lot of debate about that. Just as protecting the \nhighway system is not the exclusive role of the police \ndepartment, protecting the information superhighway is not \nexclusively or even primarily the role of law enforcement. Law \nenforcement's role is, in fact, that. It is to enforce the law, \nto arrest offenders, to investigate criminal activity, but it \nneed not be only reactive. 
It has a proactive role as well.\n    Just as in the Nation's highway system, the Department of \nTransportation, for example, does highway planning to make sure \nthat the roads are safe, to set standards for trucks and cars \nand vehicles on the highway, I think that the government has a \nlegitimate role in setting standards and helping to set \nstandards for security and for interoperability on the \ninformation superhighway.\n    However, one of the problems we have is a fundamental \ndistrust between the commercial sector and law enforcement. \nThis is not to say that eBay is not going to be calling the \npolice or the FBI when they get hit by an attack or things like \nthat because by and large I found that the commercial sector \nwants to do the right thing. They want to report criminal \nactivity. They want to know who to call, and they want to work \ncooperatively.\n    I have also found that law enforcement, by and large, wants \nto work cooperatively with the commercial sector. However, what \nwe find is, for example, if you are buying a commercial \nencryption product that has been ``approved,'' and I use that \nterm in quotes, by the National Security Agency, there will be \na perception in the commercial sector that that product has \nbeen in some way deliberately weakened and, therefore, there \nwill be a fundamental mistrust of it.\n    That problem is also emphasized in the area of incident \nresponse. By and large, as I said, the commercial enterprises \nwant to do the right thing and call the FBI or call the Secret \nService when there has been an incident. However, one of the \nthings that you find is that when there has been an incident, \nthere is a reluctance in the commercial sector to call law \nenforcement because they are afraid of losing control over the \ninvestigation, losing control over their resources. 
There is a \nconcern that the FBI might come in there and say, ``tell me \nwhat was the computer that was hit?'' You would point to a \nparticular computer and say, ``that is our main server that is \nserving all of our Internet traffic, that was what was hit.'' \nAnd the FBI will say, ``well, we need that for evidentiary \npurposes,'' and walk away with a handcart and your main server.\n    So we need to have better coordination and education \nbetween the commercial sector and between the FBI and other law \nenforcement agencies so that they each understand each other's \npositions, and so they are each more sensitive to each other's \npositions as well.\n    So we see one of the problems is a problem of simple \ncooperation, coordination, and communication. We need to do \nmore of both in the commercial sector and in the law \nenforcement sector to promote that. One of the problems is that \nto the FBI and law enforcement, a successful case is when there \nis a public attack on a site and they are able to arrest a non-\njuvenile defendant, have a swift and public prosecution, \nresulting in a conviction and a sentence which will act as a \ndeterrent both to that individual and to others as well.\n    However, in many cases to the private sector such a result \nwould be disastrous. The public nature of the trial would \nreveal the very vulnerabilities that were used and exploited to \nattack the system in the first place. It would result in a \ndecrease in confidence by the public in electronic commerce in \ngeneral and in security. So, generally, we have found that \ncompanies that have reported computer security incidents lose \nanywhere from 10 to 100 times as much money as a result of the \nreporting, and the public nature of that reporting, than they \nlost in the actual attack itself.\n    Additional problems plague law enforcement agencies as \nwell. 
It is difficult, if not impossible, for them to train and \nretain staff skilled in the subtleties and nuances of new high \ntechnology crime scenes. The pace of technological change \ncoupled with the lure of the private sector may discourage all \nbut the most dedicated staff from remaining within law \nenforcement. Law enforcement is also used to dealing with other \nlaw enforcement agencies in coordinating criminal responses.\n    In the new Internet era, however, the primary investigators \nare no longer those with badges and guns. Computer crimes are \ninitially investigated by the 23-year-old system administrator \nwho happens to be on duty at 4 o'clock in the morning. That is \nthe person who is investigating the computer crime. Then they \ncall the IT professionals who call the legal staff within the \ncompany who then call the security staff within the company, \nand, eventually, law enforcement may be called.\n    So when law enforcement, the Federal law enforcement \nagencies, are training and helping train the State law \nenforcement agencies as being the quote ``first responders'' to \nthe crime scene, by the time the law enforcement gets called in \nany capacity, they are already down to the 20th or 30th \nrespondent. So we need to do more to train commercial \nenterprises about how to collect and manage evidence for the \npurposes of later prosecution.\n    Add to this the problem of the fast pace of change of both \nlaw and technology, differences in rights to privacy in various \ncountries, the inability of any individual law enforcement \nagency to act beyond its borders, and the transnational nature \nof computer crime, and we are left with serious impediments to \nrelying upon law enforcement as a means of prevention of \ncomputer crime.\n    There are a few things that I mentioned in my prepared \ntestimony that law enforcement does need to do and that the \ngovernment needs to do. 
Among these are helping to set \nstandards working with NIST, working with the commercial \nsectors, working with companies like Cisco and IBM, to help set \nstandards for the Internet and for Internet security; to help \nfund additional research and development into security \nprotocols; letting the commercial sector be part of the \ndevelopment of the laboratory facilities; letting the \ncommercial sector both get training and give training to law \nenforcement agencies; additional funding for education and \ntraining, not just at colleges and universities but also \nspecialized training for law enforcement and for the commercial \nsector.\n    Providing additional technical support to companies both \nwithin law enforcement and within the Department of Commerce; \npromoting new security technologies both as a consumer and as a \ndeveloper of security technologies; and most important, the \ngovernment needs to lead by example. The government needs \nitself to protect its own critical infrastructure, develop new \ntechnologies and new methodologies to protect itself, and then \nshare these technologies with the commercial sector.\n    Finally, there are some things that the government should \nnot do. The government should not seize the publicity \nsurrounding these recent attacks to take upon itself new powers \nor new regulations or impose new burdens on those operating in \nthe web. Any such regulations are likely to be ineffective, \ncounterproductive, and impose a disproportionate compliance \nburden on U.S. companies.\n    The government must respect the fundamental rights to \nprivacy, including a respect for anonymity where appropriate. \nFor political and social discourse to flourish on the web in \nAmerica and abroad, governments must agree not to unduly burden \nthe privacy rights of the electronic community. 
The government \nshould not use the legitimate threats to computer systems as a \njustification for increased monitoring or surveillance of its \ncitizens or of others. While much of the traffic on the \nInternet is public in the sense that the IP traffic is \ntransmitted over public networks, the government should not \ncreate a database of normal traffic patterns or surveil \notherwise innocent Internet traffic.\n    Most importantly, the government should not rush to pass \nnew laws or new regulations unless and until it has \ndemonstrated that current legal regimes are both inadequate to \nsolve the problems and are not preserving other fundamental \nrights or liberties. We should not sacrifice liberty at the \naltar of security.\n    The final question is whether or not we need new laws?\n    Senator Gregg. Unfortunately we are running out of time \nhere. Can we take that in your submission, Mr. Rasch?\n    Mr. Rasch. Yes. Thank you, Mr. Chairman, and I will be glad \nto answer any questions you might have.\n    [The statement follows:]\n                  Prepared Statement of Mark D. Rasch\n    Good morning Chairman Gregg, Senator Hollings, and members of the \nSubcommittee. Thank you for inviting me to testify today on the \nimportant issue of Internet Security. My name is Mark Rasch, and I am a \nSenior Vice President of Global Integrity Corporation, a wholly owned \nsubsidiary of Science Applications International Corporation (SAIC) \nlocated in Reston, Virginia. Global Integrity works as an information \nsecurity consulting company and resource for Fortune 100 companies, \nincluding online businesses, banks, brokerage houses, insurance \ncompanies, telecommunications and entertainment companies and other \n``dot com'' industries. In this capacity, we test the overall computer \nsecurity of our clients' sites, help them develop secure information \narchitectures, and help them respond to attacks and incidents. 
We \nmonitor and report to our clients about the most recent threats and \nvulnerabilities in cyberspace, and help them cooperate with regulators \nand law enforcement agencies where required or where appropriate.\n    Before joining Global Integrity, I was a trial attorney with the \nFraud Section of the Criminal Division of the United States Department \nof Justice, principally responsible for investigating and prosecuting \nall computer and high technology crimes, including the prosecution of \nthe Robert Morris Cornell Computer ``Worm,'' and investigations of the \nHannover Hackers of Clifford Stoll's ``Cuckoo's Egg'' fame, and \ninvestigations of Kevin Mitnick, the recently released computer hacker \nfrom California. When I left the Department of Justice in 1991, I was \nthe sole attorney in the computer crime unit--and that was on a part-\ntime basis. The Computer Crime and Intellectual Property Section of the \nDepartment of Justice today consists of more than a dozen attorneys and \ncontinues to grow.\n    As you requested, Chairman Gregg, I would like to address three \nprincipal topics today: the nature of the threats, vulnerabilities and \ntrends in cyberspace and what the private sector is already doing about \nthem; what, in my opinion, the government should and should not do to \nhelp protect the nation's critical infrastructure; and the adequacy of \ncurrent law to combat cyber attacks on commercial systems.\n    As the Distributed Denial of Service attacks against Yahoo!, \nAmazon.com, e-Bay and e-Trade last week have made painfully clear, \nthere are few rules in the electronic frontier, and information \nsecurity has, for many, been the step-child of electronic commerce. For \nAmerica to remain competitive--and to foster the growth of electronic \ncommerce with its concomitant increases in productivity and \nconvenience--protecting the critical electronic infrastructure is \nimperative.\n    The gravamen of the situation is essentially this. 
There are \ngenuine threats to electronic commerce and to privacy and security of \ndigital information, but none so significant that they should long \ndeter or delay the growth of this wonderful technology. The same \nInternet that empowers a single individual to obtain a lower interest \nrate on a home mortgage by negotiating online empowers an individual \nhacker in a basement garage in Concord, New Hampshire to get \ninformation about a transaction in Charleston, South Carolina, or to \nshut down a dot com business in Palo Alto, California. The Internet is \nno respecter of borders or of sovereignty. Government in general, and \nthe U.S. government in particular, has a legitimate interest, and \ntherefore a legitimate role, in encouraging the development of more \nsecure, more robust, and more dependable computers and computer \nsystems. However, government should not use the general insecurity \nabout online commerce as an opportunity to take upon itself new powers \nof investigation, new powers to compel cooperation or reporting, or new \nopportunities to increase the regulatory burden on those doing e-\nbusiness. The government can, though, do more to be a partner with the \ncommercial sector and to promote trust and confidence in its abilities \nand its dedication to security.\n    No remarks of a lawyer would be complete without a disclaimer. \nTherefore, the Subcommittee should understand that while my remarks \nthis morning represent the general views of Global Integrity and its \nparent, SAIC, as with any company of almost 40,000 employees, no single \nindividual can truly represent all of the views of any collective \nentity. Moreover, while my views are colored by the work we have done \nwith commercial enterprises--particularly in the financial services \nindustry--I cannot and do not purport to speak for these entities. 
I \ndon't think that they would be reticent about expressing their own \nviews on this matter if asked.\nThe Sky is Falling?\n    The first question raised by the recent Distributed Denial of \nService (dDOS) is whether this means that Chicken Little was right. Is \nthe sky actually falling? The answer is, of course, maybe. The recent \nattacks have emphasized the inherent fragility of the public Internet \nthat we have come to rely upon. The attacks themselves are not new, nor \nare the methods for perpetuating them. It is important to emphasize the \nfact that none of the ``affected'' websites--Yahoo!, e*Trade, e-Bay or \nCNN--were themselves ``hacked.'' Nobody broke into these sites, nobody \nstole sensitive information from these sites, and nobody altered or \ndamaged information resident on these sites. While there is some \ncomfort to be found in these observations, the fact that a hacker or a \nfew hackers, using a well known and fairly well publicized methodology, \ncould nonetheless cripple these sites (albeit for a short period of \ntime) demonstrates the interdependence of those on the web, and the \nvulnerability of all netizens to such attacks.\nThe Rise In CyberAttacks\n    According to Department of Justice statistics, cybercrime cases \nhave increased 43 percent from 1977 to 1999. Reports and analyses \nconducted by the Computer Security Institute, the FBI, the Computer \nEmergency Response Team, SANS, as well as Global Integrity \nCorporation's data confirm the increase of computer related incidents \nand cyber attacks. 
By incorporating and synthesizing all available data \nfrom government studies, private industry surveys, research/academic \nresearch, information security reports, law enforcement statistics, \npublic data and media reports and, most importantly, the live data, \nintelligence, and incidents worked by GLOBAL INTEGRITY, we have \nidentified the following trends in cyber attacks:\n  --Distributed attacks are increasing, specifically indicated by the \n        activity in late 1999 through the events of last week.\n  --Compromising the same vulnerabilities in systems is the predominant \n        method of attack. Attackers are using the known and publicized \n        security holes to compromise systems.\n  --Most incidents and penetrations seem to be attacks of opportunity.\n  --The release of point and click tools (complete programs, scripts \n        and virus recipes) has made the ability to hack very easy and \n        accessible to everyone. The numbers of attacks and door \n        knocking have reflected this increase in accessibility and \n        ability. The attacks can be perpetuated by so called ``script \n        kiddies'' who can download these tools, or by more \n        sophisticated hackers who can create or modify these tools to \n        be more malicious or more difficult to detect.\n  --Generally speaking, attack coding is more sophisticated and some of \n        it has been very creative.\n  --There has been an increasing number and sophistication of attacks \n        against Microsoft systems; UNIX based attacks are remaining the \n        same.\n  --Media exposure appears to be the catalyst for many attacks and \n        appears to correlate to web attacks and hacks. 
Organizations \n        appearing prominently in the news, launching new advertising \n        campaigns, announcing IPO status, or holding press conferences \n        seem to attract penetration attempts, hacks, and web \n        defacement.\n  --Those attacks perpetrated by an insider seem to be driven by an \n        internal change within the organization. Management changes, an \n        acquisition or merger, or a changed employment policy (i.e., \n        benefits, retirement, stock options) seemed to be the catalyst \n        (or at least one of the major precursors) to an attack.\n    Employees have also tended to take a more independent and \nindividual view of their job and their work. Due to the emergence of \nthe ``dot.com'' millionaires, the IPO frenzy, and the ease with which \nstarting your own business was publicized in 1999, many employees are \nlosing company loyalty. An upsurge in capitalism combined with the \n``American Dream,'' the ability to launch a new .com product quickly, \nobtain venture capital, the health of the stock market, and the ease \nand success of e-trading contribute to a foundational change in the \nAmerican employee. The year 2000 will most likely bring even more \nchanges in the workplace. Corporations should be particularly \nprotective of their intellectual property.\nTypes of Attacks\n    In general, all types of attacks have increased to some degree \nduring 1999. 
However, the greatest increases have been noted in theft \nof intellectual property, unauthorized insider access, insider abuse, \nand system penetration by an external party.\n  --Theft of Proprietary Information and Intellectual Property has \n        increased 15 percent from 1998.\n  --Unauthorized Access by an Insider has increased 28 percent from \n        1998.\n  --Insider Abuse of Internet (i.e., e-trading, pornography, e-mail \n        abuse) has increased 17 percent since 1998.\n  --System Penetration by External Parties has increased 32 percent \n        from 1998.\n    Other types of attacks such as viruses and denial of service have \nbeen reported less in public and government surveys; however, these \nstatistics may not reflect the true state of affairs. Global Integrity \nhas observed both increases in virus-related attacks as well as denial \nof service attacks. Even though raw numbers may reflect a drop in \nactual reported incidents, the interpretation of these decreases is \nmeaningful. Those corporations who have experienced a decrease in \noverall quantity of virus attacks may have also experienced an increase \nin the ``quality'' or system devastation of the fewer attacks. The \nviruses that have recently been observed are more sophisticated and \ncomplicated than viruses seen in the last two years.\n    In addition to the above mentioned attack types, we have seen as \nmany as ten different attack types: Theft of intellectual property; \nsabotage to systems and networks; system penetration by an external \nparty; insider abuse; financial fraud; denial of service; virus; \nunauthorized insider use of systems; web attacks and defacement; and \nother.\n    In addition to the attack types directly on corporate systems and \nnetworks described above, a secondary type of attack has been \noccurring. Employees and external personnel have caused damage to \ncompanies by their postings and communication on the Internet and World \nWide Web. 
Either originating from inside their workplace or from home, \nhuman communication on-line has increased the vulnerability of \ncorporate information assets. Global Integrity has assessed the on-line \nthreat to include seven major categories:\n  --The disclosure of client related information;\n  --Overt threats to personnel or facilities;\n  --Disclosure of stock pricing and stock manipulation;\n  --The disclosure of technical information about corporate system and \n        network architecture;\n  --Disclosure of intellectual property information and/or research and \n        developments secrets;\n  --Trademark violations; and\n  --Other.\n    Global Integrity has also noted a trend in ``jurisdictional \njumping'' where an attacker jumps or passes through several borders in \norder to appear to be originating the attack from a foreign country. \nMany of the 1999 overseas activities have also originated in countries \nand third world nations where on-line laws and guidelines are non-\nexistent. Attacks originating from various foreign points appeared to \nincrease. Another trend appears to include the behavior of a foreign \nnational in U.S. based companies. 
Global Integrity has likewise \ndetected a trend in foreign nationals, who are internal employees (or \ncontractors) who have attacked the company from both a systems-network \nperspective, but also from inappropriate on-line communications.\nTrends in Computer Attacks\n    The major new trends are perceived to include:\n  --More sophisticated attacks using both available and created tools, \n        such as the ``stacheldraht'' distributed denial of service \n        attack tool\n  --A greater prevalence of coordinated attacks from multiple sources\n  --Cross-cultural and cross-national origin of attacks\n  --Increased ``disappearance'' of intellectual property for personal \n        benefit to spin off a new company or business as well as to \n        sell to a competitor or other interested buyer\n  --An increase in attacks from out of the U.S., particularly from \n        Eastern Europe\n  --An increase in the use of social engineering to acquire \n        intellectual property, proprietary information, and sensitive \n        information from commercial industries\n  --More encryption techniques will be used to hide files, network \n        traffic, and other information\n  --An increase in attacks, due to the proliferation of on-line \n        banking, which will lead to the compromise of personal and home \n        systems. As the value of data on the home systems increase, so \n        will the probability of attack. Those employees who work out of \n        their homes on a personal or corporate system will become more \n        vulnerable.\n  --An increase in coordinated and distributed DOS attacks\n  --A lowering of security standards and hiring standards, due to a \n        shortage of IT professionals. Other security and HR standards \n        such as criminal checks and background checks may be overlooked \n        in order to hire quickly with the needed skill sets. 
If these \n        vetting and screening procedures are not maintained, an \n        increase in insider attacks will most likely occur.\n  --An increase in number and sophistication of self-mailing viruses as \n        well as copycat or mutated viruses.\nWhat the Private Sector Is Doing\n    It is difficult to generalize about the activities of a \nconstituency as diverse as that of the Internet. Some institutions have \ntaken information protection and security extremely seriously, and have \ndedicated significant energies and resources to protecting the \ninformation on the web. Other web-based enterprises deliberately act as \na conduit for hackers or others to share information about propagating \nattacks. By necessity, the individuals and organizations Global \nIntegrity deals with, for the most part, have at least taken the first \nsteps. They have identified the need to prevent unauthorized and \nabusive uses of their computers and computer systems. Thus, our \nexperiences are likely not representative of the Internet as a whole. \nMoreover, the bulk of our confidential client base--more than 70 \npercent--are in the financial services industry. These institutions, \nbanks, brokerage houses, and insurance companies have long had a \ntradition and commitment to protecting confidentiality of information.\nInformation Sharing in the Private Sector\n    One of the concerns addressed in Presidential Decision Directive \n(PDD) 63 about the state of the critical infrastructure is the problem \nof information sharing in the private sector. This is of particular \nconcern since the bulk of the nation's critical infrastructure--the \ncomputers and computer networks which make the nation run--are in the \nhands of the regulated private sector. The financial services, energy, \ntransportation, and telecommunications industries are not owned by the \ngovernment, but rather by the private sector. 
With deregulation and \ncompetition, information protection could be used as a competitive \ntool, allowing one company to keep secret tools for protecting itself, \nat the expense of the industry as a whole.\nThe FS/ISAC Model\n    In order to combat this problem, and to help promote an overall \nsecure infrastructure, the financial services industry has been the \nfirst to create a formalized mechanism to share information about \ncomputer security threats, vulnerabilities and incidents between and \namong its members. The Financial Services Information Sharing and \nAnalysis Center--FS/ISAC--formally launched on October 1, 1999, and \nhosted by Global Integrity, is a tool which permits its members to \nanonymously share information which could help protect the industry as \na whole. Fears of publicity, fears of inviting additional attacks, \nfears of confidentiality, and fears of anti-trust liabilities have, in \nthe past, limited the willingness of industry members to share \ninformation. Nobody wants it to be reported in the front page of ``The \nWashington Post'' that a bank or financial institution has been the \nvictim of an attack or an attempted attack. The FS/ISAC provides a \nmeans for sharing information--and for distributing threat information \nobtained from government sources--without fear of attribution or \npublicity. Nothing contained in the FS/ISAC rules or regulations alters \nthe obligations of banks or other financial institutions to report \ncriminal activities to regulators or law enforcement agencies. Nothing \ncontained in the ISAC regulations precludes or discourages reporting of \nincidents, except that information learned exclusively from the \ninformation provided in the ISAC database remains confidential unless \ndisclosed by the source of that information.\n    The FS/ISAC represents a form of public-private cooperation that \ncan be a model for the future. The Treasury Department and the SEC \nsupport but do not run the FS/ISAC. 
It is a separate entity with its \nown governing board made up of representatives of various financial \ninstitutions. The government may use the FS/ISAC as a means for \ndisseminating information TO members of the financial services \nindustry, but relies on traditional reporting requirements for \nobtaining information from the industry. It works to facilitate inter-\ncorporate information sharing to help protect one of the critical \ninfrastructures.\nInformation Sharing and Public Dissemination\n    It was reported yesterday by Ted Bridis of the Associated Press \nthat ``computer experts at some of the nation's largest financial \ninstitutions received detailed warnings of impending threats and that \nbanking officials never passed their detailed warnings to the FBI or \nother law enforcement agencies, even as alerts escalated last week from \nthe first assault against the Yahoo! Web site on to eBay, Amazon, \nBuy.Com, CNN and others.'' The report continued by observing that \n``Participating banks weren't allowed to share the warnings with \ngovernment investigators under rules of an unusual $1.5 million private \nsecurity network created in recent months for the financial industry.'' \nThis report is based upon a series of unrelated events and is not \nentirely correct.\n    In mid August 1999, a distributed denial of service attack was \nlaunched against a Midwestern university. This attack was discussed in \na mailing list discussion on the Forum of Incident Response Teams \n(FIRST) and was available to information security professionals who \nwere members of FIRST and who had subscribed to the list. Utilizing \nthis and other information gathered by Global Integrity, on September \n9, 1999 Global Integrity sent an advisory to subscribers to its Rapid \nEmergency Action Crisis Team (REACT) Advisory Service. 
This service is \na fee-based subscription service that distributes advisories about a \nmyriad of computer security incidents, vulnerabilities and threats. The \nissuance of this advisory by Global Integrity predated by almost a \nmonth the formal initiation of the FS/ISAC.\n    On October 21, 1999, a similar analysis was publicly issued by Dave \nDittrich, who wrote an analysis of the Trinoo attack tool. A copy of \nthis posting can be found on the web at http://staff.washington.edu/\ndittrich/misc/trinoo.analysis.\n    On November 2, 1999 the Computer Emergency Response Team at \nCarnegie Mellon University held a conference, open to the public, in \nwhich the dDOS attack scenarios were discussed, and a paper describing \nhow companies should respond to such dDOS attacks was published on the \nCERT website at www.cert.org. A more detailed advisory was issued by \nCERT on November 18, 1999, and Global Integrity issued a more detailed \nadvisory to the REACT subscribers the following day. A similar advisory \nwas posted for members of the newly formed FS/ISAC.\n    On December 6, 1999, the National Infrastructure Protection \nCommission (NIPC) issued advisory 99-029 describing the denial of \nservice attacks and the manner in which they could be used to attack \ncomputer systems. The NIPC advisory specifically described the TRINOO, \nand Tribe Flood Network (or TFN & tfn2k) attacks on January 19, 2000, \nand advised that:\n\n          * * * the NIPC has seen multiple reports of intruders \n        installing distributed denial of service tools on various \n        computer systems, to create large networks of hosts capable of \n        launching significant coordinated packet flooding denial of \n        service attacks. Installation has been accomplished primarily \n        through compromises exploiting known sun rpc vulnerabilities. 
\n        These multiple denial of service tools include TRINOO, and \n        Tribe Flood Network (or TFN & tfn2k), and have been reported on \n        many systems. The NIPC is highly concerned about the scale and \n        significance of these reports, for the following reasons:\n          --Many of the victims have high bandwidth Internet \n        connections, representing a possibly significant threat to \n        Internet traffic.\n          --The technical vulnerabilities used to install these denial \n        of service tools are widespread, well known and readily \n        accessible on most networked systems throughout the Internet.\n          --The tools appear to be undergoing active development, \n        testing and deployment on the Internet.\n          --The activity often stops once system owners start filtering \n        for TRINOO/TFN and related activity.\n\n    On December 28, 1999 the Computer Emergency Response Team at \nCarnegie Mellon issued another advisory further describing the dDOS \ntools and their effects. At about this time, Global Integrity began to \nreceive reports from clients that versions of these attacks were \nactually being launched--albeit on a limited scale. These consisted of \nreports of coordinated scans of systems and Trojan horse attacks on \nsystems--indicia of automated efforts that might have been attempts to \ninsert software ``agents'' on computers on the net. Such attacks are \nnot uncommon, and represented yet another attempt to exploit widely \nknown vulnerabilities in computer systems. On December 28, 1999, Global \nIntegrity issued advisories to its customers about both the methodology \nof the dDOS attacks and the fact that such scans were ongoing.\n    On December 30, 1999, the NIPC again issued an advisory to the \npublic warning about the Trinoo/TFN/TFN2k toolkits, and the way they \ncould be used to perpetuate a denial of service attack. 
This was \nfollowed on January 3, 2000 by an advisory issued by CERT detailing new \ndevelopments in the denial of service software. On January 6, 2000 \nGlobal Integrity advised its clients, including subscribers to the FS/\nISAC, that it had seen increased dDOS attack activity, including \ncontinued efforts to probe insecure systems on the Internet.\n    On February 8, 2000, Global Integrity issued a press release, which \nhad been prepared earlier, again describing the nature of these \nvulnerabilities, and advising potential victims of such attacks of \nGlobal Integrity's ability to assist in responding or tracing such \nattacks. This release was, like the earlier NIPC, CERT and other \nadvisories, widely disseminated. The news release was not prompted by \nany specific threat or incident, and indeed, was scheduled to be \nreleased some weeks earlier. Never underestimating the power of \ncoincidence, within 12 hours of the issuance of the press release, the \nattacks against Yahoo! began. However, the FBI and the NIPC had long \nbeen aware of, and had long reported publicly about, the nature of \nthese kinds of dDOS attacks.\n    When the dDOS attacks began, members of the FS/ISAC used the \nfacilities and protocols previously established to share information \nabout the attacks on an ongoing basis, and to coordinate an industry \nwide response. The nature of this particular attack required a detailed \nsharing of log and system information to effectively coordinate a \nresponse. Thus, rather than ``hiding the ball'' from both law \nenforcement and the public, the FS/ISAC and Global Integrity, like the \nNIPC, and CERT, attempted to widely disseminate information about the \nvulnerability before it was widely exploited. There were, to the best \nof my knowledge, no urgent e-mails or pages to FS/ISAC members prior to \nthe attack--and during the attack, none were necessary. By then, the \nentire world knew of the attacks. 
However, when there are actual \ninformation security emergencies, the FS/ISAC will page its members and \nalert them to log on to the service to see the latest releases. In this \nway, FS/ISAC acts as a clearing house and early warning system, but it \nis only as good as the information it receives, and depends upon the \ncontinued vigilance and cooperation of its members.\nExpansion of the FS/ISAC Information Sharing Model\n    It is contemplated that the FS/ISAC model can be and will be \nutilized as a template for voluntary industry cooperation and \ninformation sharing in other industries. Only through voluntary \ncooperation can this model work. A similar vehicle for voluntary \ncooperation has existed in the telecommunications industry for many \nyears. This entity, known as NSTAC--the National Secure \nTelecommunications Advisory Commission--which includes in its members, \nScience Applications International Corporation, Global Integrity's \nparent company, facilitates voluntary information sharing in the \ntelecommunications industry. Mandatory reporting to government agencies \nof security incidents or vulnerabilities will prove counter productive, \nas some will choose to report every ``ping'' or bad password use, and \nsome will report only the most serious attacks or vulnerabilities.\nWhat Role for Law Enforcement?\n    Protecting the information superhighway is not exclusively a law \nenforcement function any more than protecting the nation's highway \nsystem is the sole province of law enforcement. Ensuring that the \nhighway is designed and implemented properly, that roadblocks and \npotholes are appropriately marked and repaired, that vehicles traveling \nare tested and safe is the province of standard setters, industry \ngroups, and regulators. In many ways, the information superhighway is \nthe same. The government can and should help set standards for secure \ninfrastructures. 
The government can and should encourage the use of \nsecurity technologies--including encryption technologies. The \ngovernment can and should work with the private sector to ensure \ninteroperability and emergency response capabilities. However, if these \nstandards are perceived to come from the nation's law enforcement or \nintelligence communities, they will be met with distrust by both civil \nliberties groups and the commercial sector. The commercial sector--\nrightly or wrongly--perceives any encryption standards ``approved'' by \nthe NSA as being inherently weakened.\n    This problem is emphasized in the area of incident response. By and \nlarge, commercial enterprises want to do the right thing, and want to \nwork with law enforcement agencies to timely report and coordinate \nresponses to information security incidents. Where incidents represent \nan immediate threat to public health or safety, there should be no \nquestion about reporting of such incidents, and generally there is \nnone. The FBI, Secret Service, Department of Justice and other agencies \nhave made great strides toward promoting public-private cooperation, \naddressing private sector security groups, conferences and public \nevents, as well as working behind the scenes to foster greater \nconfidence in law enforcement. In many cases individuals within \ncorporate America responsible for security are themselves former law-\nenforcement officials, and the cooperation proceeds on an informal \nbasis.\n    Despite these efforts, however, there is a problem of communication \nbetween the private sector and law enforcement. While both groups are \ncommitted to securing the web in general, they use different means and \ntechniques. 
A successful case to law enforcement is when a public \nattack on a site results in the swift apprehension of a non-juvenile \ndefendant, the speedy and public prosecution of the subject, \nculminating in a conviction and a sentence sufficient to act as both a \nspecific and general deterrent.\n    To the private sector, such a result may be disastrous. The public \nnature of the trial would reveal the vulnerabilities in information \nsecurity that were exploited. Public confidence in the security of the \ne-commerce site would be eroded, even if the site had done all that was \nfeasible to prevent or deter the attack, and even if the company \nresponded quickly and appropriately. Moreover, by calling in law \nenforcement, the company quickly loses control over the scope and pace \nof the investigation, its direction and whether or not it will become \npublic. Law enforcement agencies are today much more sensitive to the \nconcerns of the ``victims'' of these attacks. They are directed to \nconduct investigations in the manner that will be the least intrusive \non the business operations of the company. Nevertheless, some \ndisruption is inevitable. The ``evidence'' of the crime may be the web \nserver that is essential to the ongoing business operation. Law \nenforcement may wish the attack to continue so that the suspect can be \ntraced and apprehended, but the ``victim'' may simply want the attack \nto stop. It may turn out that the offender lies within the company that \nreported the offense, and that the company itself now faces the \nprospect of civil or criminal liability. All of these factors point to \nan inherent mistrust--for reasons real and imagined--of vesting in a \nlaw enforcement agency the sole or exclusive responsibility for \ncritical infrastructure protection.\n    Nevertheless, as with highway traffic safety, law enforcement has \nand will continue to have a significant role in doing what it is \ntrained to do: enforce the law. 
This response need not be solely \nreactive. Gathering and disseminating threat data may be an appropriate \nrole of law enforcement. Whatever agency or department--or agencies or \ndepartments--that ultimately have the responsibility for infrastructure \nprotection must have the confidence and participation of the commercial \nsector, and of the community at large to be effective.\n    Additional problems plague law enforcement agencies. It is \ndifficult if not impossible for them to train and retain staff skilled \nin the subtleties and nuances of the new high technology crime scene. \nThe pace of technological change coupled with the lure of the private \nsector may discourage all but the most dedicated staff from staying \nwith law enforcement.\n    Law enforcement also is used to dealing with other law enforcement \nagencies in coordinating criminal responses. In the new Internet era, \nhowever, the primary investigators are no longer those with badges and \nguns. Computer crimes are detected and investigated initially by 23 \nyear old overworked system administrators under the rubric of ``other \nduties as assigned.'' For those companies that have a computer incident \nresponse plan--fewer than 2 percent of the companies we surveyed--the \nnext to be notified are the information security officers, legal staff, \nhuman resource and other security staffs. Only after this chain has \nbeen called into place are law enforcement likely to be notified. By \nthen, the hacker may be long gone or the trail cold. 
The private sector \nlacks the authority to compel the cooperation of distant ISPs, and law \nenforcement lacks the information and training to protect a corporate \ninfrastructure.\n    Add to these problems the fast pace of change of both the law and \ntechnology, the differences in rights to privacy in various countries, \nthe inability of any individual law enforcement agency to act beyond \nits borders and the trans-national nature of computer crime, and we are \nleft with serious impediments to relying upon law enforcement as a \nmeans of prevention of computer crime. We need better locks on \ncomputers, not better locks on jails to prevent this conduct.\nRole of the Government\n    There are certain roles and functions that are and can be the \nprovince of the government. These include setting minimum standards for \nsecurity and interoperability, conducting and supporting fundamental \nresearch on new security technologies--particularly in the area of \nbiometrics and smart card technologies--promoting awareness of issues \nrelating to information protection, ensuring greater international \ncooperation between law enforcement and other agencies, and bringing \ndown barriers that inhibit such cooperation.\nSetting of Standards\n    The government can and should set standards in cooperation with \nboth Internet companies like Cisco, IBM and others, and \ntelecommunications and software companies for security. These standards \nshould both afford a reasonable degree of security and be attainable in \na cost effective manner. Such standards should empower users to secure \nthemselves, but should not be used as a ``command and control'' \nmechanism to force new regulatory burdens on users. In essence, the \ngoal should be to standardize for interoperability and security, and \nnot to mandate a particular technology.\nResearch and Development\n    Computers and computer networks are inherently complicated. 
\nMoreover, it is always easier to tear down a building than it is to \ndesign and build it. The government has a legitimate role in funding \nand supporting basic and applied research in the area of information \nsecurity. Let us not forget that the Internet itself was the outgrowth \nof basic research initiatives by the Department of Defense Advance \nResearch Projects Agency. Such research funding should be across \ndisciplines--not limited to computer sciences. Security depends not \nonly on hardware and software, but also on policies, practices, and \npersonnel. We need not only to understand the vulnerabilities of the \ninfrastructure, but to understand who exploits them and why.\nEducation and Training\n    Education and training is an essential component of information \nprotection. No passwords, or poor passwords, are the most common and \ncost efficient way to obtain unauthorized access to a computer or \ncomputer system. Users, administrators and others must be educated \nabout the appropriate use and threats to computer systems. The bulk of \nthis training should be done by companies educating their employees \nabout the need to be vigilant, and the government educating its \nemployees and contractors about the need for security precautions.\n    In addition to user education, the government has a role in \npromoting the development of undergraduate and graduate level programs \nin information security. Global Integrity has established a mentoring \nprogram in this area with several universities, including Purdue \nUniversity, and I have taught classes in information security at the \nGeorge Washington University and a distance learning program at James \nMadison University. The dearth of trained professionals, inside and \noutside of government, may cause the private sector to unfortunately \nreach out--from sheer desperation or a misguided trust--to untrained \nindividuals at best, or computer hackers themselves. 
Basic levels of \ncompetence, possibly including independent non governmental \ncertification programs, will assist in ensuring that there is a cadre \nof trained information security professionals.\nTechnical Support\n    Many information security attacks are beyond the technical \ncapabilities of any individual company, and no individual company \nshould be required to bear the burden of fixing what are essentially \nsocietal problems. The government, in cooperation with private \nindustry, can provide meaningful databases and technical support to \nassist.\nPromoting New Security Technologies\n    A lesson should be learned from the recent debates over encryption. \nAfter almost ten years of debate, the government has finally \nliberalized the regulations concerning the use and export of commercial \nencryption software to the point where most companies now feel free to \ncreate and use such software to protect confidentiality, integrity and \navailability of information. However, the efforts to restrict the \nexport of such software--while motivated by a legitimate desire to \nprotect national security and promote the ability of law enforcement \nand intelligence agencies to lawfully intercept communications--proved \nto be counterproductive, and had the unfortunate effect of making \nindividual communications less secure. At present, the default for most \ncompanies and government agencies is to send electronic communications \nin an unencrypted and therefore insecure manner. For true information \nprotection, the default should be seamless effective encryption.\nProtecting the Government's Own Infrastructure\n    The government should also spend the resources necessary to protect \nand defend its own infrastructure--civilian and military. Most of the \ncurrent Administration's efforts reflected in its budget requests are \ngeared toward this goal. 
For example, on February 15, 2000 the White \nHouse issued a press release indicating a proposal, reflected in the \nbudget previously submitted for a 15 percent increase in the fiscal \nyear 2000 request for spending on critical infrastructure to reflect a \ntotal budget for such operations of $2 billion. The Administration \nproposes spending $606 million for research and development. These \nexpenditures are geared principally toward protecting the government's \ninfrastructure, training those charged with protecting government \nsystems, and establishing an early warning system to detect attempted \npenetration into the government's own computers.\nWhat the Government should not do\n    The government should not seize the publicity surrounding these \nincidents to take upon itself new powers of regulation or impose new \nburdens upon those operating on the web. Any such regulations would \nlikely be ineffective, counterproductive, and would impose a \ndisproportionate compliance burden on U.S. companies.\n    The government must respect the fundamental rights of privacy--\nincluding a respect for the right of anonymity where appropriate. For \npolitical and social discourse to flourish on the web--in America and \nabroad--governments must agree not to unduly burden the privacy rights \nof the electronic community.\n    The government should not use the legitimate threats to computer \nsystems as a justification for increased monitoring or surveillance of \nits citizens or others. 
While much of the traffic on the Internet is \n``public'' in the sense that the IP traffic is transmitted over \ninsecure routers and servers, the government should not create a \ndatabase of ``normal'' traffic patterns or surveil otherwise innocent \nInternet traffic.\n    Most importantly, the government should not rush to pass new laws \nor new regulations unless and until it is demonstrated that current \nlegal regimes are both inadequate to solve the problems, and are not \npreserving other fundamental rights or liberties. We should not \nsacrifice liberty at the altar of security.\nLegal Issues\n    One question raised by the recent attacks is whether the current \nlegal regime is sufficient to respond. Let me begin by observing that \nthe intentional transmission of a computer program with the intent to \ndisrupt or deny the lawful use of a computer system is already an \noffense under 18 U.S.C. 1030, as well as a host of state criminal \nstatutes. Many in the media have speculated whether the current \npenalties--up to five years incarceration (per incident) and a fine of \neither $250,000 or the amount of loss or gain resulting from the \noffense (together with possible forfeiture of proceeds or \ninstrumentalities of the offense)--are sufficient to deter such conduct. \nThis is especially a concern where the offenders may be--and I stress \nmay be--juveniles for whom such punishments may not even be available.\n    At the outset, I observe that the chances of detection and \nprosecution of computer hackers are very small. A handful of high \nprofile cases have been reported. 
These include:\n  --Prosecution of Andrew Miffleton a/k/a Daphtpunk in December of 1999 \n        in Dallas, Texas for trafficking in root access codes which \n        would permit a user to break into and take over a computer \n        system.\n  --The December 1999 prosecution of David Smith in the District of New \n        Jersey for creating and releasing the so-called Melissa virus \n        which reportedly caused more than $80 million in damage.\n  --The November 1999 prosecution of Jeffrey Gerard Levy in Eugene, \n        Oregon for the criminal posting to the Internet of pirated \n        software valued at at least $70,000. Levy was sentenced to \n        probation.\n  --The November 1999 prosecution in the Eastern District of Virginia \n        of 19 year old Eric Burns, a/k/a ZYKLON, for hacking into and \n        altering the web pages of the USIA, NATO, and the Vice-\n        President, as well as commercial sites in the Northern Virginia \n        area.\n  --The multiple prosecutions of Kevin Mitnick, released earlier this \n        year for a series of computer attacks and cell phone clones.\n  --The prosecution, in Brooklyn, New York in March 1998, of Eugene \n        Kashpureff for invading the Internet Domain Name System (DNS) \n        and rerouting internet traffic intended to go to Global \n        Integrity sister company Network Solutions to his own website.\n  --The international cooperation which resulted in the Israeli arrest \n        of Ehud Tenebaum, a hacker who broke into hundreds of insecure \n        U.S. government sites. Tenebaum is now reportedly working as a \n        computer security consultant.\n    In none of these cases would additional punishments necessarily \nhave served to prevent or deter the criminal activity. Because hacking \noffenses generally can result in multiple counts of conviction, the \nfive year statutory cap on punishment is somewhat illusory. 
The true \npunishment for computer hackers is dictated not by the provisions of \nthe United States Code, but rather by the provisions of the United \nStates Sentencing Guidelines, which treat computer hacking in a manner \nidentical to the outright ``theft'' of money.\n    A convicted hacker is sentenced under U.S.S.G. 2F1.1, which \nattempts to measure either the ``gain'' or ``loss'' resulting from the \ncriminal activity. The loss may include things like lost business \nopportunities resulting from downtime, or the cost of repair or \nreplacement, but is ill defined. Moreover, such an analysis may \noverstate the seriousness of an offense like that of the Melissa virus. \nWhile the virus itself caused massive disruption and inconvenience, and \nis deserving of stringent punishment for deterrence, one can reasonably \nquestion whether the defendant should be sentenced on the same par as \nsomeone who literally ``stole'' $80 million. The guidelines likewise \nserve to understate the seriousness of hacker offenses. Invasions of \nprivacy, the inconvenience associated with having to obtain new credit \ncard numbers or a new identity, the loss of confidence or business \nopportunities and other collateral losses are not adequately captured \nin the manner in which we punish or attempt to punish hackers.\nConclusion\n    Undoubtedly, there will be call for new laws regarding search and \nseizure powers, calling for the streamlining of procedures to permit \nmultidistrict investigations and international investigations, and \npossibly calling for additional powers of investigation. I urge the \nSubcommittee to tread lightly. Some of these may be warranted and some \nmay not. The application of old rules to new technologies results in \nmany absurdities. The government should encourage the use of new \ntechnologies by recognizing the binding nature of digital or electronic \nsignatures, and promote the use of the Internet. 
The government should \nnot use the new medium of cyberspace to inflict draconian regulations, \nassume new authority, or take upon itself the mantle of the protector \nor defender of cyberspace. The obligation and responsibility for \nprotection of private data lies in a cooperative public-private \npartnership.\n    I thank the Subcommittee for the opportunity to present my views \nand welcome any questions members might have.\n\n    Senator Gregg. I think most of you answered most of my \nquestions because you pretty well summarized your view as to \nthe role of the government relative to e-commerce. You heard \nthe Attorney General say that she felt that there was a comfort \nlevel being developed, and you heard the Director of FBI say \nthe same thing. I would be interested in whether you folks feel \nthere is a comfort level that is being developed?\n    Mr. Richards. Senator, if I can, the Internet Alliance's \nLaw Enforcement Security Council was formed last fall for just \nthis reason, partly because we need the daily dialogue, and we \nneed to do it in a group sense as well as an individual company \nsense for many of the reasons that were talked about here. I \nthink the curve is exactly in the right direction, lots of \ntalk, lots of specifics. What this has to get down to is a \nlevel of trust but also concrete accomplishments. Training is a \ncritical area. We could talk about training all day. It is the \nsteps we will take together that ought to be a bellwether for \nyou.\n    Senator Gregg. Anybody else have thoughts on this?\n    Mr. Chesnut. With eBay we agree. We believe that the level \nof cooperation has been growing, certainly over the last year, \nand there has been a good fundamental level of trust that has \nbeen established I know at eBay between eBay and law \nenforcement. So we are very happy in that area.\n    Mr. Rasch. I find that trust is based on personal \nrelationships. 
Rather than having an agency or a company call \nthe FBI, it is much easier if someone in the company is calling \na friend of theirs at the FBI. We have started to do that and \nestablish personal relationships between these electronic \ncompanies and law enforcement agencies. I think we can do a lot \nmore.\n    Senator Gregg. How do you handle the fact that a lot of \nthis happens from out of the country? I mean as the FBI \nDirector said, their investigation is leading them to Germany, \nit appears, and we have other reports in the press that there \nmay be other countries where these originated from.\n    Mr. Richards. Senator, the Internet Alliance and others \nhere work with, and our own DOJ and FBI work with, Interpol and \nothers. First I just have to tell you from my own direct \nexperience, you know, our best folks at FBI and DOJ are \nextremely well thought of by their peers around the world. I \njust want to make clear that there is a high level of regard \nfor our technical and strategic expertise. That is why we need \nto add some more resources to that. But the issues are real, \nand frankly, international law enforcement is not moving at \nInternet time. I think we are working hard here to get our \nrelationships moving on Internet time, you know, very, very \nquickly, but we see lots of bureaucracy when we leave North \nAmerica. So we are really concerned about that.\n    The fundamentals may not end up being elaborate treaties or \nprotocols. They may end up being in 90 percent of the cases \nreally good cooperation using standard techniques but applied \nto the Internet through the rule of law. And that is what we \nneed to focus on next.\n    Mr. Chesnut. The international aspects certainly present \nsome different challenges. 
For a company like eBay, we actually \nhave sites with employees in different countries, such as \nGermany and Australia and the United Kingdom, but when I spoke \nearlier about establishing a partnership with law enforcement, \nwe view that partnership to be with law enforcement in \ndifferent countries and to reach out and to make contact and \nexplain what we are about and at least establish a protocol so \nthat if something happens we can find each other and provide \ninformation under appropriate circumstances. eBay has been \ndoing that as well. We also work through the FBI because, \nagain, they have a presence in many countries overseas, and \nwhile it poses challenges, it is not anything that is \ninsurmountable.\n    Senator Gregg. Mr. Rasch, you said or were quoted as saying \nthat the absolute worst people to coordinate law enforcement \nwould be the FBI. Maybe give me--if that is an accurate quote, \ngive me your reasons.\n    Mr. Rasch. The absolutely worst people to coordinate \nsecurity is law enforcement, and not the FBI in particular, but \nthe worst people to coordinate security is law enforcement. Law \nenforcements were always to enforce the law and to investigate \nand prosecute criminal activity. Just as I would not feel \ncomfortable necessarily in having law enforcement come in and \ninstall my security system. There is a fundamental mistrust \nhere. And there is a difference between protecting cyberspace \nand developing secure architectures, which is a role for \nagencies like the Commerce Department, like NIST, and the \nfundamental research and enforcing and investigating criminal \nactivities which is the role of the FBI, the Secret Service, \nand the other law enforcement agencies. 
We should not allow the \nlaw enforcement agencies to take upon themselves the \nresponsibility for protecting critical infrastructure or \ndesigning architectures because they will not have necessarily \nthe confidence of the private sector.\n    If I am buying a product, a security product, with an FBI \nseal of approval, I am going to have a fundamental mistrust of \nthat or more importantly the NSA [National Security Agency]. \nThere is a fundamental mistrust there because there is a \nbelief, whether it is rational or not, that that product has \nbeen maximized to allow FBI or NSA to engage in its other \nfunctions. For example, surveillance.\n    Senator Gregg. That was an excellent point. You all talked, \ncertainly Mr. Richards and Mr. Chesnut talked, at length about \nthe need for more resources in this area. I will simply tell \nyou that as far as this committee is concerned--and we are in \ncharge of resources, by the way--we will be putting more \nresources in this area. Our concern is that it be coordinated, \nthat it be used effectively, and we do not end up going down \nthe wrong path--that we do not end up creating a three-headed \nhorse in response to the issue.\n    So industry's role here is critical, and I appreciate your \ntaking the time to come today. I appreciate your input, and I \nhope that you will, and I know you will, continue to \naggressively pursue the interaction between the functions of \nlaw enforcement and the functions of research within the \ngovernment and private sector. Do you folks have anything else \nyou wish to add? Well, thank you very much. I appreciate your \ntime.\n\n                         conclusion of hearing\n\n    I would note that the subcommittee will be holding a \nhearing on February 24 with Commerce Secretary Daley. We are \nalso going to continue the issue of the Internet, specifically \nat the request of Senator Hollings. 
I strongly support his \ninterest in this area, dealing with the SEC and the FTC and the \nissue of fraud on the Internet, which also happens to come \nunder the jurisdiction of this committee. So we may change our \ntitle to the ``Internet Appropriations Committee.'' But in any \nevent we are going to be pursuing this issue in other forums, \nin other areas. Thank you very much.\n    [Whereupon, at 12:25 p.m., Wednesday, February 16, the \nhearing was concluded, and the subcommittee was recessed, to \nreconvene subject to the call of the Chair.]\n\n</pre></body></html>\n"