[Senate Hearing 106-527]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 106-527

                        CYBERCRIME: CAN A SMALL
                        BUSINESS PROTECT ITSELF?

=======================================================================

                                 FORUM

                               BEFORE THE

                      COMMITTEE ON SMALL BUSINESS
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 9, 2000
                                     

                                     

              Printed for the Committee on Small Business

                                 ______

_______________________________________________________________________
            For sale by the U.S. Government Printing Office
Superintendent of Documents, Congressional Sales Office, Washington, DC 
                                 20402

                     U.S. GOVERNMENT PRINTING OFFICE
64-417CC                     WASHINGTON : 2000



                      COMMITTEE ON SMALL BUSINESS

                              ----------                              

                       ONE HUNDRED SIXTH CONGRESS

                CHRISTOPHER S. BOND, Missouri, Chairman
CONRAD BURNS, Montana                JOHN F. KERRY, Massachusetts
PAUL COVERDELL, Georgia              CARL LEVIN, Michigan
ROBERT F. BENNETT, Utah              TOM HARKIN, Iowa
OLYMPIA J. SNOWE, Maine              JOSEPH I. LIEBERMAN, Connecticut
MICHAEL ENZI, Wyoming                PAUL D. WELLSTONE, Minnesota
PETER G. FITZGERALD, Illinois        MAX CLELAND, Georgia
MIKE CRAPO, Idaho                    MARY LANDRIEU, Louisiana
GEORGE V. VOINOVICH, Ohio            JOHN EDWARDS, North Carolina
SPENCER ABRAHAM, Michigan
                     Emilia DiSanto, Staff Director
                      Paul Cooksey, Chief Counsel
    Patricia R. Forbes, Democratic Staff Director and Chief Counsel
                            C O N T E N T S

                              ----------                              

                           Opening Statement

                                                                   Page

Bond, The Honorable Christopher S., Chairman, Committee on Small 
  Business, and a United States Senator from Missouri............     1
Kerry, The Honorable John F., Ranking Member, Committee on Small 
  Business, and a United States Senator from Massachusetts.......    18
Burns, The Honorable Conrad, a United States Senator from Montana    21

                            Committee Staff

Conlon, Paul, Research Analyst, Majority Staff...................     *
Dozier, Damon, Legislative Assistant, Minority Staff.............     *

                           Panelist Testimony

Neptune, Joan, General Manager, LC Communications, Davie, Florida    24
Riley, Mary, Special Agent, Assistant to the Special Agent in 
  Charge, Financial Crimes Division/Electronic Crimes Branch, 
  United States Secret Service, Washington, D.C..................    30
Charney, Scott, Partner, PricewaterhouseCoopers LLP, Washington 
  D.C............................................................    40
Farnsworth, Roger, Manager of Product Marketing, Cisco Systems 
  Inc., San Jose, California.....................................    46

             Alphabetical Listing of Senators and Panelists

Bond, The Honorable Christopher S.
    Opening statement............................................     1
    Attachments to statement.....................................     4
Burns, The Honorable Conrad
    Opening statement............................................    21
    Prepared statement...........................................    22
Charney, Scott
    Testimony....................................................    40
    Prepared statement...........................................    42
Farnsworth, Roger
    Testimony....................................................    46
    Prepared statement and attachment............................    49
Kerry, The Honorable John F.
    Opening statement............................................    18
    Prepared statement...........................................    20
Neptune, Joan
    Testimony....................................................    24
    Prepared statement...........................................    27
Riley, Mary
    Testimony....................................................    30
    Prepared statement...........................................    32

                              Participants

Bahret, Mary Ellen, Manager, Legislative Affairs (Senate), 
  National Federation of Independent Business, Washington, D.C...     *
Barton, Richard, Senior Vice President, Congressional Relations, 
  Direct 
  Marketing Association, Washington, D.C., and Representative, 
  Association for Interactive Media and the Internet Alliance, 
  Washington, D.C................................................     *
DeBow, Charles H., III, Director, Special Projects, National 
  Black Chamber of Commerce, Washington, D.C.....................     *
Duggan, Marty, President and Chief Executive Officer, Small 
  Business 
  Exporters Association, McLean, Virginia........................     *
Glover, The Honorable Jere W., Chief Counsel for Advocacy, Small 
  Business Administration, Washington, D.C.......................     *
Jacques, Veronica, Manager, Government Relations, Direct Selling 
  Association, Washington, D.C...................................     *
Keam, Mark, Assistant Chief Counsel, Office of Advocacy, Small 
  Business Administration, Washington, D.C.......................     *
Lane, Rick, Director, eCommerce and Internet Technology, U.S. 
  Chamber of Commerce, Washington, D.C...........................     *
Morrison, James, Senior Policy Advisor, National Association for 
  the Self-Employed, Washington, D.C.............................     *
Page, Matthew, Director, Legislative Affairs, Small Business 
  Legislative Council, Washington, D.C...........................     *
Rivera, Maritza, Vice President of Government Relations, U.S. 
  Hispanic Chamber of Commerce, Washington, D.C..................     *
Schneier, Abe, Representative, National Alliance of Sales 
  Representatives Associations, Washington, D.C..................     *

                         Comment for the Record

Wilkinson, Anthony R., President and Chief Executive Officer, 
  National Association of Government Guaranteed Lenders, Inc., 
  Stillwater, Oklahoma, statement and attachment.................    91

*Comments (if any) between pages 56 and 88.

 
            CYBERCRIME: CAN A SMALL BUSINESS PROTECT ITSELF?

                              ----------                              


                        THURSDAY, MARCH 9, 2000

                              United States Senate,
                               Committee on Small Business,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 9:41 a.m., in 
Room SR-428A, Russell Senate Office Building, The Honorable 
Christopher S. Bond (Chairman of the Committee) presiding.
    Present: Senators Bond, Burns, and Kerry.

    OPENING STATEMENT OF THE HONORABLE CHRISTOPHER S. BOND, 
  CHAIRMAN, SENATE COMMITTEE ON SMALL BUSINESS, AND A UNITED 
                  STATES SENATOR FROM MISSOURI

    Chairman Bond. Good morning. The Committee on Small 
Business welcomes you to its second forum of the 106th 
Congress. This forum is entitled ``CyberCrime: Can a Small 
Business Protect Itself?''
    I have to apologize for the delay in starting. We have had 
so much interest on this, I stopped to do some media interviews 
on the way in because people are finally beginning to realize 
how important this subject is. Senator Burns tells me that in 
the Commerce Committee he has just held a hearing on this. We 
want to focus particularly on small businesses and the 
vulnerability of small businesses, and what we can do about it.
    We have some real experts here today, some people who have 
had experience with this issue. I remember from unsuccessful 
political ventures of mine, friends after a significant loss 
have slapped me on the back and told me that experience is what 
you get when you expect to get something else. We believe we 
can learn from some of the experiences we will be told about 
today.
    Nine months ago this Committee held a forum on e-Commerce 
and its potential to allow a small business to compete 
successfully against its giant competitors. At that forum we 
outlined some of the obstacles to success in this dynamic 
market. The goal of this forum is to raise awareness of 
CyberCrime and to generate a dialogue between law enforcement 
and the small business community.
    According to a study by the University of Texas, e-Commerce 
accounted for the creation of 1.2 million jobs and $300 billion 
in revenue in 1998 alone. We all recognize what an astonishing 
growth pattern that is and the pace of it is truly remarkable. 
What is even more impressive is a recent Forrester Research 
study concluded that in January 2000 alone there was $2.8 
billion in online retail sales, greater than the total $2.4 
billion of retail sales for the entire year of 1997.
    We expect growth in this area to continue with increasingly 
more business being conducted via the Internet, both through e-
retail and through more conventional business-to-business e-
Commerce. With such expanded business activity, however, come 
new threats that we must address. A prime example is computer 
crime.
    The extent of the threat is truly alarming. The most 
accurate data that we have available comes to us from the 
Computer Emergency Response Team, or CERT as its known, at 
Carnegie Mellon University. We plotted that data on the chart 
to my right. What we see is a 121 percent increase in intrusion 
incidents like ``hacking'' reported from 1998 to 1999. For some 
of you it is a little hard to see with the lights, but you see 
a slowly rising curve to 1997 and it goes up sharply in 1998 
and almost straight up in 1999. Recent research by the Computer 
Security Institute indicates that 30 percent of businesses 
nationwide have been victimized by computer intrusions.
    It is important to note that many companies have been the 
victim of hacker attacks, yet fearing negative publicity and 
reduced consumer confidence, they have been reluctant in too 
many instances to report such incidents. Over time many of the 
Nation's largest businesses have been actively working to 
protect themselves from computer criminals and computer vandals 
whose actions can cause considerable harm. I am concerned that 
with greater efforts on the part of Government, and as big 
business does take steps to protect itself, small business will 
become a much more inviting target.
    This is even more timely given the recent case where a 
home-based business in Oregon was reported to have its computer 
hacked and used in the so-called ``denial of service'' attacks 
on the web sites of Yahoo, eBay, CNN, Amazon.com and others. 
These recent attacks should serve as a useful wake-up call to 
business, Government and academia. Nearly 2 years ago, CERT 
warned the industry of the potential of a such an attack. These 
warnings were repeated by the National Infrastructure 
Protection Center at the FBI. Unfortunately, it appears that 
the warnings have not had their necessary impact.
    We have today a panel of experts, Joan Neptune from LC 
Communications in Florida was a victim of computer crime and 
she will share her personal experience; Special Agent Mary 
Riley from the Secret Service, the head of the Electronic 
Crimes Branch; Scott Charney from PricewaterhouseCoopers, 
formerly chief of the computer crime section at the Department 
of Justice; and we will hear from Roger Farnsworth, manager of 
product marketing at Cisco Systems. Cisco is the world's 
largest manufacturer of equipment that connects people and 
businesses.
    But before turning to our panelists, let me encourage 
everyone here today to take an active part in the discussion 
portion. I hope that everyone will think about areas where this 
Committee can be of assistance, either encouraging dialogue, by 
providing a voice for small businesses, or if there are 
legislative fixes needed.
    We will be producing a formal transcript of the forum and 
we will hold the record open for 2 weeks to invite additional 
statements that any of you would like to submit. I would extend 
that to our audience both here and the people who are watching 
us via live transmission on the Committee's web site.
    Before turning to the panelists, obviously it is always a 
pleasure to turn to my partner in this operation, the 
distinguished Senator from Massachusetts, Senator Kerry.
    Welcome, Senator Kerry.
    [Attachments to the statement of Senator Bond follow:]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
   OPENING STATEMENT OF THE HONORABLE JOHN F. KERRY, RANKING 
   MEMBER, COMMITTEE ON SMALL BUSINESS, AND A UNITED STATES 
                   SENATOR FROM MASSACHUSETTS

    Senator Kerry. Thank you, Mr. Chairman, very, very much. 
And thank you for this particular forum and for its structure. 
I congratulate you on that. I think it is a terrific way to 
combine the input from the panel, but also to have a dialogue. 
I think this Committee does an excellent job of being creative 
in how we do our information-gathering and digesting, so I 
think this is a good way to do it.
    Let me just say very quickly that this is a timely, 
fascinating topic, for reasons that everybody here understands 
very well. I have the pleasure of also sitting on the Commerce 
Committee and I sit on the subcommittee with Senator Burns, and 
on both the Technology and Communications Subcommittees of the 
Commerce Committee. So I am really having as good a time as I 
have had since I have been in the United States Senate learning 
about and watching the extraordinary entrepreneurial creativity 
that is taking place in this sector, which many people assure 
me is really only just beginning in many ways.
    The disintermediation that is going to take place in the 
context of our economy is, I am convinced, going to be just 
enormous. We are already witnessing it. It will remake not 
everything, because consumers will always want to touch and 
feel and try and have a certain kind of experience in the 
context of their consumerism. But nevertheless, it will shape 
every kind of retail establishment in one way or the other, 
affect distribution monumentally, and most people are sharing 
with us the ways in which it will particularly be mostly 
business-to-business oriented in its impact, certainly at the 
earliest stages. We are seeing that.
    So this particular issue in small business looms even 
larger in that context because most of America is small 
business. And the Internet offers, obviously, this remarkable 
democratization of sales. You can be small and new and offer up 
something that can compete with the old and large and big. That 
is really what is fascinating about it, is that it creates 
these new opportunities.
    But obviously, one of the great restraints has been, is 
today, and will continue to be people's perceptions of 
security, of their privacy, which is another great issue we are 
grappling with here in the Congress. As I talk to CEOs of these 
companies I am convinced that they understand better than 
anybody, because they are in the middle of it and they are 
doing it with a passion, that they want this thing accessible 
to everybody and as available as possible; free if possible, in 
most contexts.
    But at the same time, there is this confrontation with 
these other issues that we are here to talk about today. How do 
you keep it that accessible, and that open, and that free if 
people disrespect it in the way some have chosen to over the 
last years.
    This is not just this year this has happened. I began to 
learn about some banks that had some rather embarrassing 
experiences a number of years ago and their choice was 
obviously not to let the world know about it, they were so 
embarrassed by it. So we have only now seen this surface as a 
kind of legitimate issue in the context we have to deal with 
it.
    The Chairman has properly shown the number of increases of 
incidents. I think the White House yesterday, the White House 
Office of Science and Technology was quoted as saying in Roll 
Call that there may be $100 million of cost associated with 
this. And the professional associations say it may be as much 
as $250 billion worth of actual losses, which is different from 
cost.
    So we are glad to hear from people here today. I am pleased 
with everybody on the panel. I particularly want to say welcome 
to Cisco who has been just a huge mover, player in what is 
happening globally, and we are delighted to have them opening a 
campus in Massachusetts now and engaged there.
    This is something the industry will solve, in my judgment. 
It is something that technology itself will solve, and I think 
Government needs to be careful not to--we should air it. We 
should discuss it. But we ought to be wary of maybe rushing in 
with solutions. But I think that is the purpose of today's 
discussion.
    Final comment is, I apologize that as usual around here I 
have about 17 different conflicts and several of them are 
hearings so I cannot be here for the whole thing. But my staff 
will be and I certainly look forward to reviewing the record 
and listening to the parts of the discussion I can.
    Thank you, Mr. Chairman.
    [The prepared statement of Senator Kerry follows:]
    [GRAPHIC OMITTED]
    
    Chairman Bond. Thank you very much, Senator Kerry. I too am 
being pulled in 11 different directions, and with Paul Conlon 
on my staff and Damon with your staff we are going to conduct 
the business and we hope that many of our colleagues will be 
able to join us. But one of our colleagues who has been a real 
leader in discussions of e-commerce and technology for a long 
time is here. We are very delighted to have Senator Kerry and 
Senator Burns' expertise in this area.
    With that, let me call on Senator Conrad Burns of Montana 
for his comments and insights into this.

   OPENING STATEMENT OF THE HONORABLE CONRAD BURNS, A UNITED 
                  STATES SENATOR FROM MONTANA

    Senator Burns. Thank you, Mr. Chairman, and thanks for 
calling this hearing. I too want to congratulate you on the 
structure of this hearing. I am going to submit my statement 
for the record.
    Chairman Bond. It will be accepted.
    Senator Burns. However, I want to make a couple of 
comments. As we look at this and what really brought us to this 
day of when Yahoo and eBay and e-Commerce and I think maybe a 
couple of trading houses were jammed, and it was not hacking as 
we understand it. In other words, hacking as we have always 
understood it is a person getting into a secure site illegally. 
Basically this one had to do with the enlistment of surrogate 
or many computers on the outside to jam the lines or to 
overload the system of any particular web site. That is the way 
I understand it.
    There was not actually an illegal entry into a secure site. 
It was they surrounded the site where nobody else could get 
into it, and that is a little more disconcerting to me because 
the situation of hijacking other computers and other systems in 
order to do your work for you is troubling to us, and as we 
look at this situation, what it would cost small business.
    The Chairman is exactly right, e-Commerce last year had a 
terrific year in growth. Although they only amounted to 1 
percent of the retail sales totally in this country, they sent 
a strong message to the commerce sector of our country saying 
that we are a player now, and even the smallest web site can 
compete with the largest and the most well-established. That is 
an encouraging sign when we talk about commerce and the 
competition in the marketplace.
    So this morning I look forward to the comments of our panel 
and our experts here. I too am pulled 11 ways but I am OK until 
the twelfth one is added. Thank you, Mr. Chairman.
    [The prepared statement of Senator Burns follows:]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    Chairman Bond. Thank you, Senator Burns.
    Now let us get down to business. First we welcome Ms. Joan 
Neptune, general manager, LC Communications of Davie, Florida; 
one who can speak to us with great personal experience in this 
area. Ms. Neptune, welcome.

          STATEMENT OF JOAN NEPTUNE, GENERAL MANAGER, 
               LC COMMUNICATIONS, DAVIE, FLORIDA

    Ms. Neptune. Thank you very much for having me here today. 
In 1996, I was executive vice president of a small ISP located 
in south Florida. When I tell this story please remember that 
it was in the beginning days of the Internet and technology is 
not what it is today. But at that time we were the victim of a 
CyberCrime that eventually had a devastating financial impact 
on the company.
    We offered many services. We offer all different types of 
access, web hosting, web development. We were connected to the 
customers through the public telephone network and into the 
Internet through a backbone provider, and of course, we had a 
billing platform where the customer information was. Plus about 
80 percent of our customers did use credit card billing, so all 
the credit card information and other secure information about 
their passwords and logins were located on the billing server.
    One day in the early morning hours, miraculously the login 
and password file that you use to actually get into the 
Internet every time you dial in, was missing. We immediately 
went to our backup tapes, installed the backup of the file and 
then looked into the log files to see what had happened. We had 
determined that an unauthorized user had come in through a 
computer terminal that was left on, used a terminal simulator 
program so that they were actually looking like they were the 
operator of the terminal at the time.
    We instituted new procedures. A couple of weeks later the 
same thing happened. When we put the backup in, a few days 
passed and we received an e-mail from them saying that they 
were very upset and the reason that they had done this was 
because we had shut down an unauthorized chat room. We had chat 
rooms as one of our services, but this was unauthorized. They 
were using a lot of bandwidth. They were blocking our customers 
from accessing the Net.
    We decided not to put the unauthorized chat room back on. 
We installed new procedures, ordered new firewalls. We did have 
other firewalls, but the system was increasing over time and 
new technologies were coming out daily.
    A couple of weeks passed and again the system crashed, but 
this time they also deleted all of our customer web sites, 
hosting sites, et cetera. Of course as luck would have it, the 
backup was corrupted, so it was not a good backup and about 10 
percent of the web sites were lost which we did have to 
redevelop on-site.
    A few days passed and we got an e-mail saying that they 
were not kidding around, and they had copies of our customers 
credit cards, and they wanted $30,000 otherwise they would sell 
these credit cards, notify our customers, et cetera. At that 
point we began to take them very seriously and contacted our 
corporate attorneys who referred us to the Secret Service 
through contacts, because the Secret Service was the agency 
that handled credit card fraud.
    It was very fortunate at the time that hacking was just 
coming into the limelight and the Secret Service was looking 
for a test case and looking to develop procedures to track 
people on the Internet. The Secret Service did come in. They 
were very wonderful. They lived day and night at our office.
    While we were sending e-mails back and forth to the 
hackers, which were passed by the Secret Service psychologist 
to kind of peg them in and develop a rapport, we also had to 
shut down a lot of our services like telenetting, chat rooms, 
et cetera, to our customer base because we needed to limit the 
access of the hackers. We could not notify our customer base 
and we could not notify most of our employees because the 
Secret Service did not want anybody to get wind of the 
investigation that was going on.
    About a month passed and finally a set up, a plan was 
developed and they wanted us to send $30,000 hidden in a book, 
overnight special delivery. By that time we had tracked the 
hackers back to Germany through the telecommunications 
industry. We were able to find the login files to find the 
telephone number that they had originated their access into our 
system from, tracked it back to an MCI long distance switch in 
New England, and then MCI helped track it back to access 
numbers in Germany.
    So the Secret Service had also gotten the German local 
authorities involved in this. The Secret Service flew over to 
Germany, waited with the German police at the dropoff point and 
a young gentleman picked it up. Of course, he was not the 
culprit. He was only instructed to pick it up, drop it at 
another destination. This went on through four different 
dropoff points. Finally, they found the gentleman, who turned 
out to be a college student who had spent his college money 
that his parents had given him and he needed this $30,000 to 
replace the money.
    The Secret Service had no authority in Germany so the case 
was turned over to the local authorities, and he was charged 
with a minor crime, which I cannot really recall exactly what 
it was called. About 6, 7 months later he went to trial. His 
family was very influential. He got 14 months probation and a 
slap on the wrist.
    Back on the homefront though, this cost us very much more 
than a slap on the wrist. Obviously, after the third hacking 
incident our customers were not happy. There was a lot of 
competition in the Internet involvement, as there is today, and 
they simply went to other carriers. Then when our services were 
curtailed, they went to other carriers. The money that we had 
earmarked for expansion instead went to putting in firewalls. 
Eventually we had to, because they did find the credit card 
numbers on the hacker's hard drive, we had to notify all of our 
customers in the end that their credit cards could have been 
compromised.
    So the cancellation rates went crazy and we were never able 
to come back from this devastating experience. Our momentum in 
the marketplace was lost. Our reputation was ruined in the 
marketplace. We had to expend about $500,000 in expenses of 
which we only received about $135,000 back from insurance. So 
all around it was a death sentence.
    The only good thing, and I would like to underline here, 
was how wonderful the Secret Service was to us. They really 
worked day and night and saved the company at that point. I 
thank them and I thank you for having me here today.
    [The prepared statement of Ms. Neptune follows:]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    Chairman Bond. Ms. Neptune, that is a very scary tale and 
that is also a wonderful introduction for our next panelist, 
Special Agent Mary Riley, assistant to the special agent in 
charge of the Financial Crimes Division of the United States 
Secret Service in Washington.
    Ms. Riley, welcome.

   STATEMENT OF MARY RILEY, SPECIAL AGENT, ASSISTANT TO THE 
 SPECIAL AGENT IN CHARGE, FINANCIAL CRIMES DIVISION/ELECTRONIC 
                 CRIMES BRANCH, UNITED STATES 
                SECRET SERVICE, WASHINGTON, D.C.

    Ms. Riley. Thank you very much, Mr. Chairman. Good morning.
    Within the Secret Service we have been working these 
network intrusion type investigations--Ms. Neptune outlined one 
of the perfect examples of that this morning--since about 1987. 
The focus of our efforts and in an effort to avoid duplication 
or unorganized activity between law enforcement agencies, we 
have tried very hard to focus our investigative efforts in the 
areas of financial institutions and telecommunications 
networks, such as that that Ms. Neptune described this morning.
    It has allowed us to really train our agents and give them 
an 
expertise in a smaller number of networks so that as they do 
respond to victim companies they have the ability to understand 
the types of questions to ask, the types of investigative 
techniques to bring forward, and keep that germane to a smaller 
segment of industry and allow the expertise to work through the 
investigations.
    One of the most important things that we have seen in 
working with victims in these types of cases is that we as law 
enforcement have got to take on a great deal of responsibility 
in protecting the victim throughout the investigation. We have 
to ensure that the 
activities that we have to deploy throughout the investigation 
do not cause greater harm to the victim than the original 
hacking activity or the criminal activity that brought them to 
our attention in the first place.
    For example, within the investigation that was outlined for 
you this morning, when 11,000 credit card numbers were 
identified as having been potentially compromised not only 
would there be harm in notifying a broad sector in some blanket 
notification that those numbers could have been potentially 
compromised. At that point we had a lot of threats but no 
confirmation initially that this information had actually been 
stolen. It was simply a threat to try to entice the victim in 
this case to provide the $30,000 or the open access into their 
network. They were using any type of threat that they could.
    What we did from our angle was, because of our experience 
within the credit card industry, for example, we have been 
working 
extensively with that industry for the last 15 years, we were 
able to take the information provided to us by the victim and 
take that information to the credit card issuers saying, these 
are potentially compromised numbers. Let us keep that in that 
realm initially. Let us not go out and notify every customer 
out there who may be somewhat skeptical about using credit 
cards on the Internet in the first place or dealing within the 
electronic commerce arena. Let us try to keep this in 
perspective. Let us make sure that we are only acting on known 
facts.
    Threats have got to be treated as such until we can provide 
confirmation there. The credit card industry responded 
admirably. They were able to take all 11,000 numbers, notify 
the issuers to flag those accounts in the event fraud activity 
did occur, but keep it within that realm until we could provide 
further confirmation through the activity in Germany that was 
later done in the search warrants at the suspect's residence.
    Another example of that same type of activity occurred when 
we had a network intrusion into a telecommunications company in 
Boston. The telecommunications company that provided services 
to the public was, of course, one of the primary victims. But a 
smaller business that was affected there was the company that 
actually manufactured the switch that was affected. Their 
reputation was on the line immediately once that switch was 
compromised.
    The first thing that we did in that investigation, once we 
identified the methods used by the suspects in that case, was 
contact the manufacturer of the switch and also give them the 
opportunity to notify their customers themselves of the 
compromised activity and the work that they were doing with law 
enforcement to provide a fix.
    The United States Attorneys Office was then incredibly 
responsive and agreed to give us the time--us meaning law 
enforcement and industry, to ensure that the company had the 
opportunity to work with their customers, develop patches that 
would allow the compromised activity to be discontinued 
completely, and ensure that at no time did we release any 
information about the case that could have caused that victim 
to suffer further harm as a result of our actions. All 
prosecution, for example, in that particular case was withheld 
until the fixes were put into place by the small company that 
manufactured the switches there.
    We find that it is incredibly important to ensure in all of 
our partnerships with industry and with other law enforcement 
agencies that we take the benefit of our experience, that every 
time we learn a new lesson in dealing with industry victims and 
in dealing with the types of vulnerabilities out there, that we 
are very candid with our industry partners so that we can learn 
from these past experiences. We would like to support entirely 
the prevention techniques that are being deployed by industry, 
such as those outlined in Mr. Farnsworth's written statement 
where he outlines some very effective prevention techniques 
that industry can use to keep these types of events from 
happening to other victims.
    We would like to continue to share the information that we 
have picked up from the industry, from the different types of 
suspect interviews that we have done, and the technical reviews 
of the actual hacking activity and just continue to get that 
out to industry and to any agencies and companies that are 
affected by these types of cases so that we can learn from the 
past experience and hopefully deploy more prevention 
techniques, as you well mentioned, that technology can work to 
solve this problem by taking advantage of the information we 
have.
    Thank you for the opportunity.
    [The prepared statement of Ms. Riley follows:]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    Chairman Bond. Thank you very much, Ms. Riley.
    Mr. Scott Charney, partner of PricewaterhouseCoopers LLP in 
Washington, D.C.
    Welcome, Mr. Charney.

  STATEMENT OF SCOTT CHARNEY, PARTNER, PRICEWATERHOUSECOOPERS 
                     LLP, WASHINGTON, D.C.

    Mr. Charney. Thank you. Thank you for inviting me here.
    First I would like to say something about these statistics, 
which is that they probably under-report and under-represent 
the scope of the problem. The reason for that is that what you 
see from the CERT team and from the Computer Security Institute 
are reports of people who have detected and reported computer 
crime. It has been widely viewed by experts that most computer 
crimes are neither detected nor reported. Of course, it was 
always hard to prove that. How do you prove what someone does 
not know?
    Well, fortunately the Defense Department did a controlled 
study. They attacked their own machines. They attacked 38,000 
of them and they got in 65 percent of the time, 24,700 
successful penetrations. But here is the really interesting 
statistic. They then went to the system administrators and 
said, how many intrusions have you detected, and the answer 
was, 988 out of 24,700. Basically a detection rate of 4 
percent.
    So then the next question was, how many of these system 
administrators reported the intrusions to DISA, the Defense 
Information Systems Agency, and the answer to that was 267; 
roughly 27 percent reporting rate. This is in an agency with 
mandatory reporting and a staff that if they know anything, it 
is follow orders.
    So one of the things that we learned from these statistics 
is, they probably do not fully represent the problem. It is 
interesting, if you come back to Senator Burns' comments about 
the denial of service attacks, one of the things about a denial 
of service attack is, you know it happened. Your system goes 
down. It is easy to detect.
    But other computer crimes attack the confidentiality and 
integrity of information. Those crimes are very hard to detect. 
It is somewhat interesting, as a person now in the private 
sector I will go to a company and say, you need to deploy 
computer security and they will say, ``Well, we have never been 
attacked.'' And I ask, ``How do you know?'' And they respond, 
``Well, we have never seen anything go wrong.''
    And I ask, ``Well, if I steal your car, how do you know?'' 
And they say, ``Well, my car is gone.'' And I ask, ``If I steal 
your customer list how do you know?'' They respond, ``My 
customer list is--oh, no, I would still have it, would I not?'' 
That is right. A copy has been taken, not the original. The 
original remains intact. So those kinds of crime are much 
harder to detect.
    There are, of course, increasingly, preventive steps that 
companies can take, and some of these involve intrusion 
detection systems, or computer anomaly detection systems using 
the power of the computer to look for behavior that we know is 
bad.
    But there are a couple of problems here. One is that the 
technology is not yet very mature, only it is getting better. 
The second thing is, how do you detect abuse in a computer 
network? You watch what people are doing. You monitor their 
activities. You see when they log on and log off. You watch 
their activities on the network to see what kinds of 
information they are accessing.
    In the context of computer security, these techniques equal 
surveillance. So now you run into some very serious privacy 
issues. How do you monitor what is going on on networks to 
figure out when people are abusing them without at the same 
time monitoring lots of innocuous activity, or activity that 
looks suspicious but later proves to be innocuous, and how do 
you protect the privacy of Americans using the Net? So needless 
to say, these are very complicated issues.
    I would add to that, a particular problem for small 
business, which is the technology is changing very, very 
rapidly. As a result of that, each time the technology changes 
it costs considerable money to upgrade to the newest and 
greatest technology. At the same time, with each new technology 
comes a new set of vulnerabilities. So when people migrate from 
one operating system to the next, they get the vulnerabilities 
of this new operating system. That means that businesses have 
to be ever vigilant, constantly testing their systems, mapping 
their networks, seeing who is connected, looking for 
vulnerabilities, educating their users, looking for fraud.
    The difficulty is, for large companies this can be very 
expensive. For smaller companies, where are they going to get 
the money to do it? To the extent they have some sort of IT 
budget, they are spending that budget to create opportunity; 
security is often viewed as a loss center as opposed to a 
business enabler. So it is very difficult for them to allocate 
their resources in a way that allows them to devote significant 
attention to computer security.
    I will leave you with one other problem along the same 
lines, which is where do small businesses get the talent to 
deploy their computer security? There are different statistics 
on this. One comes from Congressmen Wolf and Moran when they 
talked to the Partnership on Critical Infrastructure Security, 
an industry group looking at security. Their number was 12. 
Georgia State University tells me it is 9. But whether 12 or 9, 
that is the number of people in the United States who graduated 
with a Ph.D. in computer science last year. Six of them went to 
industry, three of them went to Government, some went back to 
their home country. None of them went into academia.
    So if you look at a model that we need greater computer 
security and we want this generation of experts to teach the 
next generation, that is not happening. And when a small 
business goes out and says, I need a system administrator who 
really understands technology and they are competing with the 
big companies of the world, it is going to be very hard for 
them.
    Thank you.
    [The prepared statement of Mr. Charney follows:]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    Chairman Bond. Mr. Charney, that is rather depressing.
    We now turn to a man who may have some of the answers to 
begin the discussion. I have to apologize in advance, I have to 
be someplace at 10:15, but I will be back. The full statements 
of all of you will be submitted and included in the record. I 
will turn this over, when I leave, to Senator Burns.
    Senator Burns. I will turn it over to Paul Conlon.
    Chairman Bond. OK. Paul and Damon will continue the 
discussion.
    But now it is a real pleasure to introduce Roger 
Farnsworth, manager of product marketing of Cisco Systems in 
San Jose, California.
    Mr. Farnsworth, welcome.

           STATEMENT OF ROGER FARNSWORTH, MANAGER OF 
  PRODUCT MARKETING, CISCO SYSTEMS INC., SAN JOSE, CALIFORNIA

    Mr. Farnsworth. Thank you, Chairman Bond, Senator Burns, 
distinguished Members of the Committee and their guests. I want 
to thank you for the opportunity to come here today and speak 
with you. As a professional nerd, it is exhilarating to be able 
to put on a suit and rub shoulders with--
    Chairman Bond. I was going to say what a nice looking suit 
that is.
    Mr. Farnsworth. Thank you very much. My name is Roger 
Farnsworth. As you said, I am a manager of marketing for Cisco 
in the area of network security. As you may know, Cisco is the 
world's largest manufacturer of equipment that connects people 
and businesses to the Internet. We are also widely acknowledged 
as the leader, if not one of the leaders, in providing security 
solutions for the Internet economy. Cisco employs over 26,000 
employees, headquartered in San Jose, California with major 
presences, as Senator Kerry said, in Massachusetts, North 
Carolina, and Texas.
    Questions of security and Internet security are particular 
timely right now, especially with the recent incidents of 
denial of service attacks against high-visibility web sites. 
These issues are important not only to large companies but to 
companies of every size. The No. 1 reason people cite for not 
buying online today is fear for their privacy or the security 
of their transactions. Today I am here to suggest that these 
concerns can be addressed, security fears should not deter 
America's small businessmen and women from going online, and 
encourage all members of the industry to participate in finding 
the technological and operational answers to these problems.
    A few years ago, Cisco Systems boldly predicted that the 
Internet would change the way we work, learn, live, and play. 
At that time these types of hacking incidents probably would 
not have raised the eyebrows and achieved the visibility that 
they are today. Today it is a different story. An attack 
against an online business or the digital domain has far-
reaching ramifications and can be considered an attack against 
all of us because of the way the Internet has transformed our 
lives.
    Some interesting statistics. Today nearly 40 percent of 
small businesses in the United States are now online, up from 
just 19 percent in 1998. Last year the Internet economy 
generated more than $500 billion in revenues and 2.3 million 
jobs in the United States according to a University of Texas 
study. Interestingly, of 3,400 businesses surveyed to measure 
the size of the Internet economy, more than one-third did not 
exist before 1996.
    This expansion so far is astounding, yet the growth is 
likely to continue. Analysts estimate more than 3.5 million 
small businesses will be online next year and the Internet 
economy will be worth $2.8 trillion in 2003.
    Business leaders recognize the strategic role the Internet 
plays in their company's ability to survive and compete in the 
new millennium. If you are a retailer and you did not have a 
yellow pages ad a few years ago, you were severely handicapped 
in your ability to perform your business. If you were a bank in 
the 1980s and you failed to add an ATM machine to your branch, 
you risked losing deposits of business. Today businesses should 
be looking into online banking, bill payment, or lending or 
face severe restrictions in their ability to grow their 
business.
    Making money in the new millennium means facing up to the 
reality that you either go online or go home. This is 
particularly true for small and medium businesses, because 
frankly the competition from large operators has never been 
more fierce. The big dog is not just the chain operation across 
the street; in the Internet economy it can be a company you 
have never seen before because it is out of town, out of State, 
or out of country.
    For some, that is going to be pretty frightening. But there 
is also a great opportunity here for small and medium business 
because everybody is the same size in the box sitting on your 
desk. The Internet levels the playing field between large and 
small businesses.
    Amazon.com, for example, realized it could leverage the 
efficiencies of the Internet to take on the likes of Crown 
Books and Barnes & Noble. Online booksellers can charge just 5 
percent gross margin while equaling the return on investment 
that brick-and-mortar booksellers can only achieve by charging 
30 percent margins. Similar economies of scale can be applied 
to many small and medium business categories and we are 
starting to see companies taking advantage of that.
    Smaller companies will continue to seek online opportunity. 
The key to competing in the Internet economy is recognizing the 
efficiencies of online commerce and moving faster than the 
other guy to take advantage of them. In the Internet economy, 
the big no longer beat the small. The fast defeat the slow. To 
accommodate the new model, the industry has worked very hard to 
build wider digital highways to carry more online traffic more 
quickly. Everyone agrees that faster access to the Web is a 
good thing. But as the recent hacker attacks show, a few 
misguided or challenged 
individuals can cause havoc by blocking these highways.
    Unfortunately, you cannot always stop these people from 
doing their bad deeds. But you can work to more quickly 
recognize these incidents and deal with them. The Internet, by 
and large, is still a very safe place to be. It is an essential 
part of today's business. What we have seen in recent weeks was 
a pothole on the information superhighway. Internet commerce 
did not stop. It slowed at a few sites for a limited amount of 
time.
    Businesses do need to step up and improve their Internet 
security. Security is essential if a company is going to 
successfully compete in the Internet economy. If you have a 
business that is brick-and-mortar you generally have an alarm 
system and locks on your doors. If someone shakes the handle, 
hopefully your alarm contacts the police. You should use the 
same types of technologies to protect your online business.
    Our online consulting team has indicated that the types of 
incidents that have been reported here, tragically, very 
common. We recommend that small businesses take a risk-based 
approach to solving these problems. Use an array of products, 
including firewalls, authentication systems, intrusion 
detection systems, and vulnerability scanning tools to protect 
your business.
    I brought today with me 10 tips for Internet security for 
small and medium businesses. These are by no means a 
comprehensive list of tips. These are probably the most common. 
I would encourage you to go online and look for information on 
Internet security. Cisco has a web site, www.cisco.com/go/
security that can help you understand issues of information 
security and how you might use tools.
    I will further say that as we heard a minute ago, the 
expertise in this area is rather centralized. The good news is 
that many service providers and consulting houses are now 
offering their expertise to small and medium business. In 
addition, companies such as Cisco and others are making 
available lower cost and usable tools for small business to 
use. For example, in the past year Cisco has bundled firewall 
software as well as intrusion detection software in some of our 
low-end routers to allow small businesses to deploy 
connectivity to the Internet in a cost-effective and safe 
manner.
    Again, I want to thank you very, very much for the 
opportunity to speak with you today. Cisco is very interested 
in solving these problems and we feel that one of the most 
important ways to address these issues is through public forums 
such as this where we can come together and talk about methods 
that we can use to 
protect ourselves and each other.
    [The prepared statement and attachment of Mr. Farnsworth 
follow:]
[GRAPHIC OMITTED]

[GRAPHIC OMITTED]

[GRAPHIC OMITTED]

[GRAPHIC OMITTED]

    Senator Burns. Thank you very much, Mr. Farnsworth. Sitting 
here listening to your testimony, and interested in business--
whenever the denial of service thing happened with those major 
businesses, business did not stop. But I think it sent a 
chilling warning through the community of people who use 
services on the Internet. I think what you brought along today 
points out that--they will probably be taken more serious now 
than they would have say just a month ago.
    Education and awareness is probably our biggest challenge 
right now as people try to protect themselves and try to 
protect their web sites.
    Yesterday I asked, is there a technology, in the area of 
denial of service that really jams it up, is there a technology 
that serves like a thermostat when you are nudging up to a 
point where your load is such that it allows you to take some 
actions that may prevent something like the denial of service?
    Mr. Farnsworth. Yes, Senator Burns, one of the things that 
we encourage--
    Senator Burns. I realize this one happened all at once. I 
mean, just instant.
    Mr. Farnsworth. Let me point out two things. When the first 
incidents of these types of denial of service attacks occurred 
back in the fall of last year it took approximately 3\1/2\ days 
for the leading consultant teams to determine the source of the 

attacks and put them down. The most recent incidents are being 
detected and responded to and solved in a matter of hours, if 
not minutes. So our skill at detecting these types of attacks 
is improving.
    The other question you raised about a type of thermostat is 
a good question. Cisco has been encouraging our large service 
provider customers as well as our large enterprise customers to 
implement some tools. There is a particular tool called rate 
limiting, for example, that can be placed on certain interfaces 
of the Internet backbone routers which can, in fact, set 
thresholds for this type of traffic. And if those thresholds 
are approached or exceeded, this type of traffic can be 
throttled before it becomes a significant problem to an end 
system.
    The issue there is that this is an issue that everyone has 
to address because it has to be implemented at all areas of the 
network in order to become effective. That is why we are 
encouraging all members of business to take a look at their 
procedures and see if they are addressing this.
    Senator Burns. Now another question I did not get to 
yesterday--by the way, we had a terrific hearing yesterday. Now 
we know that what happened to eBay in this denial of services, 
and Yahoo, was the enlistment of, or the use of computers 
dropping--you know, in other words, very successfully entering 
somebody else's computer, setting a program in there that can 
be triggered by me, and those computers can be found all over 
the United States. I think they finally found some of them 
located in some learning institutions, were found that way.
    Tell me about how do I protect my computer, my system on my 
web site from being--from one of these--I guess you could not 
call it a cookie really--but a program to be imbedded in there 
and to be used by somebody else without my knowledge?
    Mr. Farnsworth. That is interesting. We would call that a 
malicious applet or malicious code being placed on your 
computer.
    Senator Burns. I tell you what, we got to learn a whole new 
vocabulary. Got to get out a new dictionary here.
    Mr. Farnsworth. Your point about educational facilities 
being a primary target is well taken. Historically, those were 
the most publicly available sites that were online 100 percent 
of the time.
    What is very frightening to us now is the emergence of a 
new type of online access for the private home user, digital 
subscriber line service, or DSL service, or cable modem access. 
These types of service mean that home computers that are turned 
on and connected to the Internet become accessible to the 
Internet 24 hours a day. So it is not just the Government and 
educational facilities that we have to worry about now.
    Using virus scanning programs that are able to detect these 
types of malicious applets is something that people should do 
religiously. Not just the educational and Government 
facilities, but every user of a home computer that connects to 
the Internet. Recognize that if traffic can go out from your 
computer to the Internet, it can come in. So make sure that you 
look at your PC or your computing work station and take 
advantage of the advances that virus scanning companies are 
making; companies like McAfee and others. They do a very good 
job of detecting and reacting to the most recent virus profiles 
and malicious code profiles. And you need to be aware of that 
and use these programs as a normal part of--
    Senator Burns. Are you saying then, let us say my computer 
at home. When I leave I should turn it off?
    Mr. Farnsworth. Yes, sir.
    Senator Burns. When it is off, is it accessible to outside 
entry?
    Mr. Farnsworth. Generally speaking, no, sir. Generally 
speaking, once you turn your PC off and there is no longer 
power applied to it, it is not accessible. There are certain 
exceptions to that with systems that are what we would say, 
Energy Star compliant, that can----
    Senator Burns. Can be turned on?
    Mr. Farnsworth [continuing]. Recognize stimulus and wake 
up. But generally speaking, home computers are not vulnerable 
to that type of attack.
    Senator Burns. In other words, when I am not home, turn the 
damn thing off?
    Mr. Farnsworth. That is a very good idea.
    Senator Burns. I will tell you, you know, our kids had to 
teach us how to use these computers. Now you got to remember--
because us old ducks, you know, they were strange and we were 
afraid when we first started fiddling around with them that if 
you hit wrong key, the thing would blow up. But we later found 
out that computers are kind of like mules. You cannot make them 
do what they do not want to do. And you have got to be smarter 
than the mule, and I am having a hard time with that, as you 
well know.
    [Laughter.]
    Senator Burns. I have got to leave and I understand you are 
going to form a dialogue here now with these folks here. But I 
want to--I appreciate you coming today. We did talk about--Ms. 
Riley, I am going to also ask you, if the Secret Service is 
into the enforcement of some laws and then we also have the 
center, we are building a center for the FBI so they can deal 
with these things, have we done an overlap of law enforcement 
agencies that are starting to deal with crimes regarding the 
Internet?
    Ms. Riley. That is an excellent question, Senator. I think 
one of the most important things to note there is that there is 
a concerted effort on the part of all law enforcement, whether 
it is State, local, or Federal, associated with CyberCrime to 
share information on a regular basis. To ensure that if we are 
working an investigation involving a target that has hacked 
into four businesses, that we are sharing that information and 
sharing investigative leads early on. So that if another agency 
is working an investigation into that particular target, that 
we are sharing the information very quickly.
    The issue is that CyberCrime is not defined only by hacking 
activity. The specialized skills that we have, for example, in 
the financial networks or in the telecommunications networks 
used to be some very traditional offenses involving things like 
credit card fraud and bank fraud. A lot of those traditional 
offenses have now migrated onto the Internet. That does not 
change the fact that the expertise we have in those financial 
investigations is not there with our investigators any more. We 
just have to add skill sets to those investigators to work them 
in the Internet environment and in the cyber-arena.
    I think every agency that has traditional offenses, whether 
it is child pornography with Customs, or weapons trafficking 
with ATF, all of those agencies have a very core expertise in 
working those types of cases, and it brings a lot of value into 
our enforcement efforts between all the very different 
agencies. But the key is that we are sharing information 
between agencies.
    Senator Burns. Do we have a central point where we are 
collecting the information, or one particular agency that is in 
charge of that information and building databases of cases?
    Ms. Riley. On all types of CyberCrime?
    Senator Burns. Yes.
    Ms. Riley. No, not one central database. We do--
    Senator Burns. We got to talking yesterday about--you know, 
I am going to bring an old culture forward a little bit. Some 
way or other we have got to put a warning on these--some of 
these hackers and people who cause mischief on the Internet are 
young folks who are just kind of searching and just playing 
games. Some way or other we have got to warn those people that 
they are venturing into an area where they could be prosecuted 
under Federal law.
    I can remember as a child the first thing you learned, even 
though we had open mailboxes, we did not fiddle around with 
somebody else's mail. There was a warning there that said, 
Government property and if you touched somebody else's mail, 
why you could go to jail. I am wondering if we should not do 
that with some technology or something that says, you are 
wandering into an area where you could be prosecuted?
    Yes, Mr. Charney?
    Mr. Charney. Yes, I would like to address that point, 
because first of all many computer systems do have banners 
warning them. But more importantly, it is an ethics and 
education problem. The Justice Department with the Information 
Technology Association of America has announced a cybercitizen 
partnership which is funded by the Justice Department and 
industry and it is an ethical campaign for children, to teach 
children the ethical use of computers.
    Senator Burns. I think that is notable, because awareness 
on this type of thing is very, very important.
    Ms. Neptune. I would also like to make a point on that, 
because this all goes back to the parents. I think that one of 
the problems with the Internet is that it is not regulated, and 
it is not a per-minute service. It started out free. It is not 
regulated, but it is a telecommunication service just like 
regular long distance.
    If it was regulated by the FCC, although there are problems 
there with small business, but if it was regulated by the FCC 
and the telephone companies charged per-minute rates, the 
Internet service providers would have to pass that along to the 
consumer. And when the parents got their bills I think we would 
have a lot of control over the children just like we have had 
elsewhere. I know that is not a very happy thought.
    Senator Burns. I think she has thrown out quite a lot of 
fresh meat here and you guys will have quite a lot to talk 
about.
    Ms. Neptune. I know you Internet users do not like to think 
that way but I do believe that that time will come because the 
Internet service providers cannot make a profit anyway if 
somebody stays on--
    Senator Burns. I have got another appointment here and I am 
going to go take care of that. I am going to throw that out and 
leave it for your discussion. I am going to leave it to these 
gentlemen here, and they will know how to handle all this.
    Thank you for coming and participating in this and for your 
time. We know that you have got other things to do. We happen 
to think that this is very, very important to small business, 
the Small Business Committee, and over on Commerce as far as 
science, technology and communications is concerned. Just like 
I say, with the Justice Department yesterday I asked the 
gentleman then, has he had any communications with Congress and 
how do they want Congress to react to these type things? Should 
we be looking at a different approach and how can we partner on 
trying to prevent what happened to Ms. Neptune and also this 
denial of service shutdown.
    We keep the lines of communication open. We have just got 
to do that because we know that we are dealing with an entirely 
different kind of situation that we have never dealt with 
before. And everyone of us are sort of dumb about this.
    So again I want to thank you for coming, and Paul and Damon 
thank you for inviting them.
    Mr. Conlon. Let me do a little bit of housekeeping first. 
Before we go around and introduce all our participants, if 
there are any participants in the audience that have not come 
up and taken their seats, it is an opportunity now to come up. 
Would you like to go ahead and introduce yourself, Mr. Keam?
    Mr. Keam. Sure. My name is Mark Keam. I am assistant chief 
counsel with the Office of Advocacy at the Small Business 
Administration.
    Mr. Glover. Jere Glover, chief counsel for Advocacy.
    Mr. Duggan. Marty Duggan, Small Business Exporters 
Association.
    Mr. DeBow. Charles DeBow, National Black Chamber of 
Commerce.
    Mr. Barton. Richard Barton with the Direct Marking 
Association and also the Association for Interactive Media and 
the Internet Alliance which is part of our group.
    Ms. Bahret. Mary Ellen Bahret with the National Federal of 
Independent Business.
    Mr. Dozier. Damon Dozier, Senate Small Business Committee 
minority staff.
    Mr. Conlon. Paul Conlon, Senate Small Business Committee.
    Abe Schneier. Abe Schneier representing the National 
Alliance of Sales Representatives Associations.
    Ms. Rivera. I am Maritza Rivera with the U.S. Hispanic 
Chamber of Commerce.
    Mr. Page. Matthew Page with the Small Business Legislative 
Council.
    Mr. Morrison. James Morrison with the National Association 
for the Self-Employed.
    Mr. Lane. Rick Lane with the U.S. Chamber of Commerce.
    Ms. Jacques. Veronica Jacques with the Direct Selling 
Association.
    Mr. Conlon. Before I open the discussion I just want to ask 
one quick question to Ms. Neptune. What advice would you give 
to 
another small business given the experience that you have had?
    Ms. Neptune. It is very difficult to say but Mr. Charney's 
remarks were right on key. I mean, every point that he made is 
a problem for small business. We were unique because we were an 
Internet service provider so our concerns would be different 
than a small business who is doing e-commerce over the net.
    I do believe that you have to get a very good systems 
administrator, and there are problems finding that. You have to 
invest in some firewall software, virus detection that 
automatically comes up on your computer every morning. It is 
not going to catch everything, but it does help. Changing your 
passwords and make sure your systems are behind firewalls and 
you turn those systems off. It is not going to protect you all 
of the time.
    He also made a very good point, technology changes every 
day and small business does not have the money to go out and do 
that. We can only do as much as we can.
    I would also say that small businesses should join trade 
associations where they can pool their resources and share the 
information.
    Mr. Dozier. I think it is probably appropriate at this 
point if a member of the forum here would like to be 
recognized, it is probably best if you turn your card up so 
that we can acknowledge you, and then we will try to get 
everyone's comments in turn.
    I think one of the comments that got the most head-shaking 
was the comment about regulation of the Internet which seems to 
be a very, very controversial issue. I think Mr. Lane wanted to 
say something about that, with Paul's permission.
    Mr. Conlon. Go ahead.
    Mr. Lane. Probably one of the most stifling aspects of the 
EU (European Union) is that they do charge a per minute charge 
for the Internet and it does stifle innovation and its use. We 
have seen it grow. So we would not support a permanent charge 
for the Internet, nor certain regulations of e-commerce.
    I am the co-chair for the policy committee for the 
Partnership for Critical Infrastructure Protection, and we are 
looking at a lot of the policy issues. Partnership for Critical 
Infrastructure Protection is a group of about over 120 
corporations that are working together, trying to figure out a 
lot of the issues that we are discussing today.
    But some of the general consensus is that the Government 
should not mandate the level of security. Security changes too 
quickly. You just cannot keep up and say here is the standard, 
because as we know, security is a process and it is constantly 
changing and there is a cost associated with constantly trying 
to update to standards that are constantly changing.
    The marketplace does a pretty good job of doing that, such 
as web-hosting facilities where small businesses can sell or 
use a web-hosting facility to help protect their Internet.
    One of the things that small businesses and the Government 
should be working on is a sharing of information. We should 
look at FOIA (Freedom of Information Act), so businesses can 
share 
information with one another. We should also look at increasing 
punishments for those who are hacking.
    We should make sure that we are not putting liabilities on 
small businesses, because they already face liabilities. I 
think Ms. Neptune hit the nail right on the head. Her cost of 
her business, it was just decimated. So to add on top of that, 
additional liability to small businesses when they do get 
broken into would just be ridiculous, because they already pay 
a heavy, heavy price as we see things moving forward.
    Security is a process and we need to ensure that we are 
educating our employees. Most of the trouble does not come from 
the outside; most of the trouble comes from employees from 
within who are stealing that information.
    One of the other things that we need to look at that is 
being discussed a lot here in Washington, is access to personal 
information. The problem with that is if you allow easy access 
to my information on a web site, that means you make it easier 
for everybody else to access that information. So we need to be 
very careful when we are talking about access, and you hear 
about that a lot, that we think we are not, in fact, 
compromising security, when actually we are.
    Mr. Conlon. Would anyone else like to add something to 
that? Mr. Duggan?
    Mr. Duggan. I think that the things that you talked about 
were all preventive type things that corporations could do, and 
I think that that is each corporation's responsibility. They 
should have due diligence in everything that they are doing.
    I think that from the standpoint of the hackers, the people 
who are abusing the system and taking advantage of the system, 
is that I would think there needs to be, if there is not 
already, Federal legislation where you have got uniform or 
mandatory sentences where people know that there is a price to 
pay--that they cannot go in there and wreak havoc on somebody's 
business, and to the cost to a small company of a half a 
million dollars, and for others maybe in the billions by the 
time they get through, that there is going to be one hell of a 
price to pay.
    I think the deterrence has to be part of the education 
which was mentioned earlier. You let hackers know that there is 
going to be one big price that they are going to have to pay 
for doing what they do.
    Mr. Charney. Can I respond to that comment? The U.S. 
Sentencing Guidelines do, of course, have penalties for 
computer crime. And if you are convicted under 18 USC 1030(a)4, 
the fraud provisions, or (a)5, the damage provisions, there is 
a mandatory sentence.
    The difficulty is twofold. First, in the case that we heard 
about, the defendant was not in the United States. A country 
may not extradite their own nationals and you cannot impose 
U.S. law on foreign countries. So the international cases are 
tough.
    Second, the real deterrence is more the certainty of 
getting caught rather than the actual sentence you will 
receive. Because defendants do not sit back and say, ``I think 
I will do this because I will only get 3 months as opposed to 
6.'' What they worry about is, ``Am I going to get caught in 
the first instance?''
    If you look at the clearance rate for computer crimes, that 
is the number of computer crimes solved in the hacker 
environment, it is incredibly low. Homicides run from 70 to 90 
percent. Hacker cases are very, very low.
    The reasons for that are many, but the bottom line is the 
Internet allows for a large degree of anonymity, global reach, 
and there is no traceability. When someone is victimized, you 
now need evidence to find the source?
    In the United States, due to market forces and privacy 
concerns, providers do not keep data. In Europe, you have the 
European data directives and telecom directives, and they are 
not allowed to keep data. Which means there is no way to do a 
historical investigation and there is no way to catch anybody.
    So if you really want to look at the fundamental problem, 
about why people are not deterred, you have to look at the 
clearance rates and ask, ``Why is the Government not finding 
more people?'' That is not a criticism of the Government, 
because I was there up until 4 months ago and did this for 9 
years. The technology does not support finding people.
    For some reasons that is good, if you are exercising first 
amendment rights and shopping, that is fine. But bad guys are 
not held accountable. That is a problem and it is going to be 
here for a while because of the competing interests. You just 
cannot have traceability on the Internet. It raises too many 
technical concerns, Government mandate concerns, and privacy 
concerns.
    Mr. Lane. There is also the Digital Millennium Copyright 
Act that is out there, as well, which makes it both a civil and 
criminal crime to circumvent what is known as a copy control 
technology. So if you bypass somebody's password to get at 
copyrighted information--which you can argue most information 
is except for factual data--you can go after them both for 
civil and criminal penalties.
    We want to make sure that ``yes,'' there is no 
traceability, but we do not want to trample on civil liberties, 
because there is a fear factor out there. We need to make sure 
that we have a very balanced approach, so that way those 
individuals who do want to be anonymous, if you think about 
China, for example, where they are not anonymous and they can 
go after them, I do not think we want to have that type of 
oversight here in the United States.
    At the same time, I do not know what the answer is. I am 
not going to come up with a solution, but it is a very 
difficult balancing act and we just have to make sure we are 
not trampling on civil liberties here, as well.
    Mr. Duggan. I think what Mr. Charney said about the number 
of prosecutions, I think last year there were six. Certainly 
the abuse is a hell of a lot higher than that.
    Mr. Charney. Believe me, the Government has been throwing a 
lot of resources at this. I mean, Ms. Riley can talk about what 
the Secret Service has been doing, the growth at the FBI, the 
10 National squads and NIPC agents in every office. It is a 
fundamental problem.
    Ms. Riley. I would like to point out too though, that the 
statistics may not exactly mirror the efforts on the part of 
law enforcement in prosecution. For example, in the 
investigation involving Ms. Neptune's company, that was 
centered around credit card fraud. So when you pull a hard 
statistic from the national criminal information databases, it 
is going to reflect a credit card fraud investigation rather 
than a hacking investigation.
    So a lot of times where the Internet was used and was 
certainly a tool of the criminal activity, the actual offense 
that is listed in all of these statistics that are commonly 
cited, may certainly be reflective of the actual hacking 
activity but another type of crime.
    We actually have gotten better sentencing, had this been in 
the United States for example, as was mentioned, this person 
was prosecuted in Germany. The good news is they did have 
computer crime laws that were applicable to the activity. That 
is not true in all countries. There are certain areas of the 
world where it is not a crime to do what they had done to Ms. 
Neptune's company.
    But the United States, many times in consultation with the 
prosecutors--we used to have these conversations with Mr. 
Charney on a regular basis--the question was how can we get the 
best sentencing? How can we most effectively prosecute this 
case? And which statute, whether it is hacking or another type 
of criminal activity or another criminal violation, best 
applies to the activity that is here.
    So I hate to hinge all of our prosecution investigative 
efforts in law enforcement based on statistics from only the 
computer crime statutes, because there are a lot of other 
violations that are charged that are really related to that 
activity.
    Mr. Lane. Remember, Al Capone was charged on tax evasion.
    Mr. Conlon. Mr. Glover.
    Mr. Glover. There are a couple of things that are fairly 
exciting about this. No. 1, it is an industry made almost 
entirely of small business alumni, 10 years ago everybody in 
this industry was small business. It is really interesting. We 
just did a study that 76 percent of all of the jobs created in 
the whole information industry area are still small business, 
so it is still a small business industry.
    But let me focus specifically on an area of fraud and crime 
that I think is going to become much more prevalent. We all 
know what is referred to as the toner cartridge scams that 
exist, where people call up and sell office supplies at 
multiple times what they were worth.
    There is going to be a whole other assault on truly the 
small business users, and that is going to be real interesting 
because they are huge problems that we are all dealing with. 
There is another level of crimes that are going to be out 
there, and that will shake the foundation of a lot of people 
who start getting burned by buying and finding out that the 
funds they send through the Internet get flipped four or five 
times and may well end up internationally somewhere they cannot 
follow them. So there is a much lower level of crime affecting 
individual purchasers one at a time.
    We spend a good bit of our time and resources in working 
with the SEC (Securities and Exchange Commission) and the FCC 
(Federal Communications Commission) and other agencies looking 
at making sure the general system works. But investor fraud, 
there are a whole bunch of areas where I think you are going to 
see a lot of things popping up very quickly. What I am afraid 
of is that the Government is going to be behind the learning 
curve and we are not going to react to these kinds of problems 
quickly enough, and we will see thousands of small businesses 
get burned on a one-on-one basis.
    Mr. Conlon. Ms. Riley, maybe you want to follow up a little 
bit on that, in relation to what law enforcement in the United 
States is doing to reach out to law enforcement in other 
countries?
    Ms. Riley. Sure. There are several initiatives underway 
involving United States law enforcement with our international 
counterparts to address the high-tech crime issues and the 
traceability options that we have, in working these 
investigations across borders. There are a great number of 
restrictions that we are faced with in trying to work 
internationally. And that works both ways.
    International law enforcement has those same restrictions 
in trying to trace criminal activity into the United States.
    What is happening in one form, for example, the G-8 
countries have a high-tech subcommittee that has been dedicated 
to working through options for law enforcement to be able to 
follow investigative leads, investigative traffic across 
borders quickly. Our biggest problem in high-tech law 
enforcement is that the records that we need to successfully 
investigate a case are only there and available to us for a 
limited amount of time. So speed is definitely of the essence.
    Some of the work that is being done in this international 
forum is really geared toward expediting the political issues 
and the legislative judicial issues, in working through the 
international concerns that are there, and being able to work 
these cases through.
    Now I have to say one of the most effective things that we 
have had though, and was especially true in the case involving 
Ms. Neptune's company, was that we had agents already stationed 
in foreign countries. They already had a relationship 
established with the local law enforcement.
    So it was a case, in that particular instance, the German 
officials were able to open an investigation because of 
criminal activity that did occur in Germany and work through 
the case very, very quickly. The relationships that we had 
already established worked very much the same way if we were to 
go into another city within the United States and work with 
another law enforcement agency.
    So those partnerships were really key and we, as well as 
many other law enforcement agencies, intend to continue 
building those partnerships to be effective and quick at 
dealing with these types of investigations.
    From the time Ms. Neptune called us to the time the German 
student was identified was only about 9 days. That is how quick 
all of this worked through. And it had to work that fast, or we 
would not have had the records to trace.
    Ms. Neptune. It seemed a lot longer to me, Mary.
    But I would like to ask one question, now that I hear a lot 
of the concerns. Thinking back, I am very surprised, like what 
would I have done if it was not credit card and my corporate 
attorney--and I could afford a high-priced corporate attorney, 
some small businesses cannot--what would I have done? Because I 
would have had the threat, even if I sent the $30,000, I would 
have had the threat of this gentleman always coming back for 
more and more money.
    So what would another small business do in that instance? 
Even now, where do they go? Local law enforcement?
    Mr. Lane. That is one of the biggest problems. The Critical 
Partnership is looking at that, because when you get robbed in 
a small business you always go to your local police. And then 
if it is credit card fraud or something, you may go to the 
State level and then finally to the Federal level.
    It is a similar type of process that you do go through. But 
for you, you were in 1996, so the computer security bill that 
we were just talking about was not enacted until I think 1998. 
And so now you can go to the Federal FBI and others, to have 
them come and try to take a look at this.
    Ms. Neptune. But would small business know that? It is very 
intimidating to say I think I will call up the FBI.
    Mr. Lane. That is one of the things that the United States 
Chamber is doing. We are actually holding a network security 
conference on March 23 to talk about network security, where we 
will be web casting it, having our local chambers tying into 
that.
    There is a whole host of education. The Small Business 
Administration is having small business week during, what is 
the week of that?
    Mr. Glover. May 24.
    Mr. Lane. So part of their effort is to educate. So 
education of small businesses, as Senator Burns was talking 
about when we were talking about DSL and cable modems, most 
individuals--and my brother is one--did not realize the threat 
that he has a cable modem, and the impact.
    When I called him and said you realize all your financial 
information that is on that computer when you are doing taxes 
and Intuit and all the other fun stuff is compromised. And he 
did not know that.
    So it is part of a massive education that we could partner 
with the Government, with the Small Business Administration, 
and other groups around this table to be in a massive education 
effort, just as we are trying to do on the privacy issue, as 
well.
    Ms. Neptune. I do have one other question for the Small 
Business Administration. Is there a possibility that, just as 
you offered special loans for equipment that was necessary for 
Y2K, which nobody knew about when I called the SBA I might add, 
is there a possibility that you could offer some guidance and 
some loans for people, with some guidance on what they need to 
purchase for better security systems?
    Mr. Glover. One of the interesting things when we talk to 
bankers, and we do most of our lending through bankers, we find 
that financing businesses in the information technology area is 
new for bankers and it is certainly new for everybody in the 
Small Business Administration. Historically, our lending 
patterns were based on brick-and-mortar and we are trying very 
hard to change that.
    The Congress gave us special authority in Y2K to make those 
kinds of loans. I think it has done some good, to make sure 
that we learn a lot more about the people who need the money 
the most to grow in the new technology. But there still is a 
significant amount of resistance in banks about lending to 
information technology companies. They simply, all too often, 
are forced to go get venture capital or fail because nobody 
else understands the industry.
    Ms. Neptune. Because they want you to be in business 2 
years and be profitable for a year. So it is very difficult to 
go to banking.
    Mr. Glover. The life cycle of an awful lot of technologies 
today is so short that by the time you meet traditional 
standards it is too late.
    Mr. Conlon. Can I just throw the previous issue back to Mr. 
Charney and Ms. Riley? Who does small business call?
    Mr. Charney. I want to go back to the issue of division of 
resources between Federal, State and local because it raises 
some very serious issues. Originally, the Federal Government 
got involved in CyberCrime in a big way because there were a 
couple of incidents, like getting hacked by the KGB, which 
required the Government to mobilize and become quickly 
knowledgeable. Because so many cases were interstate or 
international in nature, the Federal Government had a huge role 
to play.
    But as the technology has simply exploded and you have more 
and more of this criminal activity, there is an increasing 
burden because the Federal Government cannot do it all. So the 
State and locals have to pull up and do some of this stuff.
    There are programs underway, like the National CyberCrime 
Training Partnership which is a DOJ/State/local venture, to 
train State and local law enforcement. The difficulty is in 
large cities where they can dedicate some people to computer 
crime work, like New York and Los Angeles. In smaller towns it 
is much, much harder to do that because the resources are not 
there.
    The difficulty is not just the amount of expertise needed 
to do these cases, which requires a lot of training, but also 
the budget implications of developing a CyberCrime unit in 
practice. I was a local prosecutor in Bronx County for 7 years 
in New York City. And when police officers came out of the 
police academy, they were given a gun, a memo pad, and a 
flashlight. Twenty years later they turn those three things in, 
they still had them. They change bullets and paper and 
batteries, and that was it.
    Now you go to the CyberCrime area and you go into a town, 
because we do a lot of roving training, and we go out and say 
``OK, you are going to need to buy all of this computer 
equipment and all of this training so you can do CyberCrimes''. 
And they look at that as a percentage of your law enforcement 
budget and they panic. Then you hit them with the best thing, 
which is 2 years from now you are going to have to buy it all 
again, because it is all obsolete and you have got to start 
over.
    The way the budgeting for this matter works has made it 
difficult for the Federal Government to keep up. The burden on 
State and locals is phenomenal in law enforcement, and the 
Congress is really going to have to rethink how to fund State 
and local initiatives on CyberCrime.
    If you do not do that, they are not going to have the 
resources, it is not going to happen. The burden is going to 
fall completely on the Feds, the Feds are not going to be able 
to do all the cases that come in the door, and the system is 
going to collapse.
    Mr. Conlon. Ms. Riley, if I am a small business and I have 
been the victim of some form of computer crime, I am not 
certain exactly what the details are, who do I call? What do I 
do?
    Ms. Riley. There are a couple of issues there. First of 
all, Mr. Charney is absolutely right. There is no way the 
Federal law enforcement can take every case that is out there. 
But in that vein, it is also incumbent upon us, with the 
experience that we have been able to build up over the last 15 
years of working these cases, to train our local law 
enforcement counterparts to be able to respond to some of these 
investigations, as well.
    To answer your question quickly, though, if you were the 
victim of a crime like this, call your State, local or Federal 
law enforcement agency. Picking up the phone and calling cold 
is OK, too. We get calls like that on a routine basis. If it is 
not the right place to call, if you have not called the right 
agency, who has the right expertise for your type of 
investigation, we make common referrals.
    In fact, what is very common for us, if we know that a 
particular case does not meet a prosecutive threshold--and that 
happens and especially in some of the larger cities--if the 
case does not have a certain degree of loss associated with it 
or there is another prosecutive threshold that we are unable to 
meet on the Federal side, we do not want the case just to go 
away and the person to get away with it because of these 
thresholds. We will call our local counterparts and either work 
a joint investigation with them if they need our expertise or 
work with them through the investigation until they are 
comfortable taking that over.
    There are some phenomenal CyberCrime units within a lot of 
State and local police departments. They are intent on 
increasing their technology and increasing their ability in 
these CyberCrimes. One example of an initiative like this was 
conducted between our agency and the International Association 
of Chiefs of Police.
    They were concerned that State and local law enforcement at 
every level did not have the expertise to be able to 
appropriately seize computer evidence, whether they saw it in a 
traffic stop or they ran into it in connection with a homicide 
investigation or some other non-traditional CyberCrime, they 
did not want them ignoring that evidence, that was very 
important, just because of a lack of training.
    They requested that we work together in an initiative to 
put a quick guide together that could be distributed to all law 
enforcement; it was written at a level all law enforcement 
could understand. That is not to say that only State and local 
needed it. We needed it at the Federal level, as well.
    What they came up with was this guide that has been 
distributed now, we have distributed nearly 100,000 of these to 
State, local, and Federal law enforcement, that quickly 
identifies high-tech evidence and how to safely seize that 
evidence without losing any integrity of that evidence. That is 
only the first step, but this was done as a concerted effort 
between State and local law enforcement agencies ranging in 
size from the Lubbock, Texas police department all the way up 
to the New York City police department. Every size department 
was involved in the development of this, was given the 
opportunity to provide comment and ensure that it was 
applicable to everyone involved in the initiative.
    It was very effective. It is something that we have to 
continue to make sure that we are all dealing with these cases 
at the same level and sharing our experience and our training 
initiatives as much as we possibly can.
    [The guide follows:]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    Mr. Schneier. You can hardly go to a hotel, even a Holiday 
Inn, these days without having access for your computer. Many 
of the members that I represent here spend most of their time 
on the road, traveling, and they are increasingly using their 
computers from these remote locations.
    Do they face any greater level of risk because they are 
working from these remote locations and maybe dealing with a 
local network out of their personal residences or out of some 
other location?
    Mr. Farnsworth. Generally speaking, folks who move around 
like that and log in from remote locations are issued a new 
network address each time they log in, which makes them 
significantly less vulnerable, I would say. However, the fact 
that they are logging into a central location makes that 
central location more vulnerable because it has to be set up in 
order to accept communication calls.
    So there is a double-edged sword there. Certainly, take 
protections on the individual laptops to make sure that if they 
are compromised electronically, lost, or stolen, that the 
information that they contain is protected. Local cryptography 
programs can help you with that. Virtual private networking 
tools can assist with that.
    But more importantly, look at the site to which they are 
dialing and make sure that you have a strong authentication 
mechanism in place to make sure that the connections coming in 
are, in fact, from legitimate users.
    Mr. Lane. A lot of businesses for the sales reps that are 
out there are buying the high-speed modems because they are 
transferring a lot of information, which gets back to: Are they 
leaving them on all the time? So all of the sudden, that 
information becomes critical because what they do is they dial 
into your system and then they are able to get all that 
information and then dial back to the central server with all 
the information intact. You then totally compromise the site, 
no matter what you have done at the central site to begin with.
    So you need to, again, educate those individuals that if 
they have open lines all the time, they should close them down. 
The businesses that are supplying them with the technology 
should have the firewalls in place, both in the laptops and in 
the system.
    Mr. Charney. I would like to point out, your question 
reveals how difficult this is, particularly for small 
businesses. It is absolutely true, if you have got a lot of 
mobile people with laptops you want to protect their data. But 
you can educate your users so if one of your users said, ``I 
really want to protect my data in case my laptop is stolen from 
the hotel. So I am going to encrypt all my data.'' This is a 
good thing to do.
    Then he goes out, he follows 20 sales leads, gets lots of 
information, he encrypts all that data in case his laptop is 
stolen, and then he gets hit by a bus. The laptop is given back 
to the company, and they cannot get any of the data because he 
encrypted it.
    Therefore, if you are going to use encryption, now you have 
to think about key recovery. What kind of encryption are you 
going to use that if the employee either goes bad or just has 
some sort of accident and is unavailable, the company can gets 
its data back? That is part of the problem, none of this stuff 
is simple. And for small businesses, it is very hard to find 
people who would think: We need an encryption scheme with key 
recovery so the company can be protected, and then we have to 
implement it, educate users, and manage the keys. It is not 
easy.
    Mr. Schneier. I was feeling better there for a moment.
    Mr. Dozier. Mr. Charney, then in light of your comments, 
what do we do to protect consumer confidence? I do not 
necessarily mean just consumers purchasing from small 
businesses, but small businesses also purchasing from their 
suppliers. From what we have heard today, the rate of incidents 
are going up. From what we have heard today, there is an 
overlap of enforcement mechanisms. From what we have heard 
today there is not really a one-stop shop, in terms of going to 
one place to make a complaint or to say that your system has 
been compromised in some sort of way.
    The Internet is a lot like the dollar bill. There is 
nothing behind it, we just have confidence in it because people 
say it is worth something.
    So what do we do, and what do the representatives around 
the table do to protect that consumer confidence in the 
Internet? To say that this is a safe place to shop, this is a 
safe place to purchase, this is a safe place to transact?
    Mr. Charney. I think there are two things, there is reality 
and perception, and both are important. On the reality side, I 
think small businesses, through their associations, need to 
continue their dialogue with vendors about how to have security 
built into products that are easy to implement. So, when you 
look at browsers today that use secure socket layer, for 
example, if you build that stuff into the products and 
consumers can use their credit card on the Internet, it will be 
encrypted from their home machine to the merchant, and that 
works seamlessly. Because it is deployed in the product, it is 
very cheap and it is spread out over the whole group. So there 
are some real basic security things that can be done by the 
vendors.
    The perception is a separate problem. People will not use 
the Internet if they perceive it is not secure, even if it is 
secure.
    Mr. Dozier. The Committee has held a lot of forums and we 
have heard from small businesses that said they are terrified 
of the Internet. We have seen a lot of fraud schemes and I 
think we investigated that at one time. We also talked about 
barriers, in terms of people wanting to get on the Internet and 
transact, whether that be importing or exporting to other 
countries.
    So we are very concerned about basically how safe it is.
    Mr. Farnsworth. Let me just speak to that very quickly. The 
chart that shows the number of incidents spiking there is a 
very frightening chart. But if you overlay that with the chart 
that shows the overall growth of the Internet, your perception 
changes.
    Mr. Dozier. So the percentages are actually down?
    Mr. Charney. No, level.
    Mr. Farnsworth. And the thing is, despite personal 
occurrences and the traumatization that they cause, it is 
statistically very improbable that someone will be attacked on 
the Internet.
    I also want to point out, while we talk about law 
enforcement efforts and the efforts to get information to 
people about who to go to, many of our educational efforts in 
the past that dealt with traditional crime in brick-and-mortar 
institutions dealt with educational programs to say leave a 
light on, trim the bushes back away from the windows, get an 
alarm that is centrally monitored.
    These are all good ideas in cyberspace, as well. The idea 
here is not that if you are turning the light on and locking 
the door and trimming the bushes back and a burglar comes down 
the street, your intent is not to cause that person to look 
inside themselves and say. ``I do not want to be a burglar 
anymore.'' Your intent is for them to say, ``Oh, this guy has 
got a dog, the house is lit up, there is a sign from an alarm 
company. I am going to go around the block and see if there is 
an easier target.''
    Small businesses, if they stay in the herd, implement best 
practices, and take a responsible approach to Internet 
security, can be safe as a herd. It is when you overlook these 
things that you become statistically more prone to these types 
of attacks.
    Mr. Charney. We have to remind consumers that the physical 
world is a dangerous place, too. They may get carjacked or have 
a car accident and they do not give up their car. When 
consumers say they do not want to use their credit card on the 
Internet, what we used to say to them is, ``Well, do you give 
it to the waiter in the restaurant?'' What does he do? He goes 
in the back with it. OK, so what is your concern?
    I mean part of it is really an educational problem.
    Ms. Neptune. Is it not also true that most of the credit 
card crime is not from them sending it to buy things, but where 
all of the credit cards are stored? So even if you called up 
and gave them your credit card, they would be under the same 
amount of risk. So it is really not sending it.
    Mr. Farnsworth. That is right. The actual transmission of 
the card data, whether it is encrypted or not, the odds of 
intercepting that particular transmission, putting the numbers 
in order, and getting useful information from that is just 
infinitesimal, given the volume of traffic that is going over 
the electronic media every day.
    Mr. Morrison. It seems to me, from what I know of this, 
that some of this problem is rooted in the genesis of the 
Internet as a way mostly for universities to communicate to one 
another. The notion of commerce going over the Internet was not 
even really thought of as part of the picture, when the system 
was created.
    We are now hearing about a successor network and, maybe in 
2003 or something, Internet II. Is it possible to engineer 
better security into a successor network? And what might we 
look forward to in that respect?
    Mr. Farnsworth. Absolutely. Actually, a lot of the work 
that is going into the next generation Internet protocol is 
being retrofitted into our existing infrastructure today, and 
concepts that include digital authentication or certification 
of users and encryption or authentication of traffic actually 
had been developed for deployment in the next generation 
infrastructure and is being employed in today's networks.
    Your comment about the size, when the Internet was designed 
we were talking about tens of hosts and communicating largely 
between military and educational facilities. Today we have, I 
believe, over 40 million hosts connected to the Internet.
    So the foundation which was built to facilitate open 
communication is being stressed severely in that space. What we 
have seen is a large amount of entrepreneurial spirit on the 
part of small businesses to come up with products like 
firewalls, which are extremely useful in this space. Those 
companies, there are several that I can think of right off the 
top of my head, who have been wildly successful at deploying 
that technology. I think that is going to continue. It will be 
innovators and small organizations that are very bright and can 
evolve these products who will fill the need until the next 
generation infrastructure can be deployed.
    I think it is also important to point out that whatever we 
deploy for the next generation infrastructure will probably 
have an equally long lifetime. So making sure that that 
infrastructure supports sophisticated security mechanisms as an 
integral part of its evolution is important.
    Ms. Riley. I think from the law enforcement perspective, 
and having chased some of the activity around, I have to 
emphasize, too, though the consistency and the completeness of 
that type of security. While the network and certain offerings 
can certainly add more security features and allow for more 
consistency between the users of the Internet, if the entire 
security package is not reviewed, the holes are still going to 
be there.
    I think, Mr. Lane, you made the point that it is a process. 
If you have all of the security and all the encryption built 
into your computer, but you forgot to lock the front door on 
your way out, the vulnerability remains. So the emphasis has to 
be placed on the issue that we need to be consistent in the 
types of security mechanisms that are being deployed, so if one 
place plugs the hole and the other one leaves it open, we are 
not gaining anything there.
    And that those that are deploying security are looking at 
it as a complete issue and not focused only on the network, but 
on all the components of security associated with their 
business.
    Mr. Page. Mr. Charney, you mentioned earlier in your 
testimony that there is what you called a lack of talent, or 
that there is a drain in talent? Do you have a proposal or 
suggestion to the panel here, to the Small Business Committee, 
or even the Small Business Administration that would help 
assist small businesses that are starting to wade into the 
Internet who are using the Internet commerce as a means of 
educating their staff or whoever is in that small business, and 
it may even be a part-time employee, who all of a sudden takes 
on the systems administration responsibilities. What can we be 
doing to better educate these employees who ultimately hold the 
keys to security to the business?
    Mr. Charney. There are a couple of things that both 
businesses can do and that the Governments have to do. On the 
business level the problem is one of cost. In the early years, 
when I started doing computer crime, you found that many system 
administrators were secretaries who were really good at word 
processing. When it came time for someone to manage the network 
they said, ``You are really good with your computer, you are 
now the systems administrator.'' And she would say, ``That is 
great. What is that?''
    Then when you talked about doing it right it meant OK, you 
have to start taking training courses. You may have computer 
literacy and you are not computer phobic, but you need to go 
take courses. There are lots of them by lots of organizations. 
You can take courses from the CERT team at Carnegie Mellon on 
how to do emergency response and set up a computer emergency 
response team within a company.
    The difficulty is for a small company that is a large 
resource drain. You are going to take someone and give them 80 
hours of training at the start. Then because the technology 
changes, like in my company, constant training is required. 
Every year people have to go back and back and back. Windows 
2000 is out. OK, time to go get Windows 2000 training.
    So it is very, very difficult for a small business to say, 
``Not only are we going to tell you that you are the systems 
administrator, but at the same time we are going to allow you 
all this funding to take training and the time to take the 
training,'' which means that employee is out-of-pocket. But 
companies do need to do that.
    The second thing is we have to increase the supply of 
technically literate people. There are some proposals to do 
that now. For example, the Government is looking at an ROTC-
like program for systems administrators. The Government will 
pay for your education if you get your degree in computer 
security, and then devote 4 years to computer security. That is 
just one example.
    But the supply/demand ratio is way out of whack. That not 
only means you cannot find talent, but what talent is there is 
very, very highly priced talent. So it is very hard for smaller 
companies to grab that talent.
    Mr. Farnsworth. Along with that, what we have seen is a 
redeployment of that talent. It used to be that the folks who 
knew what they were doing with security would not only set the 
policy, but would be responsible for implementing and managing 
that policy, to the point where they would be behind the 
keyboard making rules changes to firewalls and access control 
on the infrastructure.
    What we are seeing now is a redeployment of talent and a 
new generation of products. For example, products that Cisco 
has brought to market that allow the network management people 
who are already doing things like the telecom and links 
management to actually take the steps to enforce policy. And 
the people who are aware of information security technologies 
become sort of the mentors and the policy setters who state 
what needs to be done and the dates by which it needs to be 
done.
    So what we are seeing is that the centralization of these 
resources, and the people who know what they are doing, moving 
to more strategic roles within organizations.
    Mr. Charney. And somewhat of an automation of the process, 
as well. I have a client, for example, who can have his servers 
reach out to a main server and give a little command. Then the 
main server will attack the servers and do attack and 
penetration and check settings and do all this stuff in an 
automated way. It is not foolproof by a long shot. The 
technology is a bit too complex to automate the whole process. 
There needs to be some intuitive human intervention. But you 
will see more automation, I think, of security to take it out 
of the hands of the people.
    Ms. Neptune. That would help, because even if you train 
people and you give them all that, you know in a year you are 
going to lose them because they are going to get a fantastic 
offer from somebody else.
    Mr. Lane. This ties in to a more controversial issue which 
is the whole H1-B visa issue. I mean, if you lift the caps of 
H1-Bs and you allow technically literate people to come into 
the United States, it helps fill some of the gaps that are out 
there. So it is very important for small businesses to support 
the lifting of the caps on the H1-B visas.
    In addition, technology does provide security. There is a 
new company out there that has developed, for lack of a better 
system, a credit card system that is the size of a credit card 
but fits on your CD-ROM. What it does is it sends encrypted 
information to the business with your account information, but 
the business does not collect that information. What the 
business does is it forwards it to the bank and the bank 
decrypts it and then wire transfers the money back to the small 
business or the large business, depending on the clientele.
    So that way, the issue of security of credit cards is not 
compromised because it is at the host which would be the bank, 
which supposedly would have the best encryption and the best 
security mechanisms and serve the small businesses, without 
having the 
liability of holding these credit card numbers on their site.
    So technology again is working to try to help small 
businesses.
    Mr. Dozier. What type of internal controls are available to 
a small business, or a large business for that matter? I mean 
in the context of let us say you have a disgruntled employee or 
something, who then could take the password and sell it at a 
profit, or just corrupt the system because they are having a 
bad day. In my thinking, that is a form of crime as well.
    So what can a business do to sort of protect its assets 
internally, as well as externally?
    Mr. Conlon. Can I just jump in and say something on that? 
In a prior life, before coming up here, I worked for a 
technology company where we used to see people attempting to 
get at the accounting servers in the company on a daily basis. 
It never ceased to amaze me.
    This is related to Damon's question, the insider angle. You 
know, threat from inside.
    Mr. Charney.
    Mr. Charney. Clearly, the insider threat is larger than the 
outsider threat. That is absolutely true. The reason for that 
is you have given insiders access to your systems, so they do 
not have to break in.
    There are reasons the outsider threat gets more attention, 
and we can talk about that later. But there are internal 
controls in businesses that have been used in the paper world 
that also work in the technical world. Basically what you need 
to do is a combination of personnel security, physical 
security, and IT security. And you need to monitor systems for 
anomalous transactions.
    You cannot necessarily stop a secretary or an employee from 
giving their password to a bad guy, but you can require that 
passwords be changed regularly and you can monitor the use of 
the password. So for example, if you see that someone is 
dialing in and using this password and the employee is also 
logged on internally with this password, you know instantly you 
have a problem.
    Mr. Dozier. But is that not sort of crossing the line, in 
terms of the privacy issue we raised before? I mean, I 
understand that there are certain keystroke programs that you 
have where you can watch every key stroke. But do you not get 
into a situation where you are having very, very aggressive 
oversight of your employees, if you are watching every step 
that they take?
    Mr. Charney. First of all, it depends on what you are 
watching. I think most employees expect that businesses will 
keep logs of who signs on and that their user names and 
passwords are valid. Those do not raise the same kind of 
privacy concerns as, for examples, reading employees' e-mails, 
especially when you have told 
employees that short personal messages are OK and you reserve 
the right to read them.
    Now under Federal law, the Electronic Communications 
Privacy Act, in fact, companies can read electronic mail. It 
does not violate the wiretape statute. Although some employees 
have sued for invasion of privacy in State courts, they have 
generally lost those suits and the courts have held that 
businesses do have a right to protect their business interests 
by monitoring the activities of employees on their own network.
    It is more complicated for businesses that are offering 
services to the public because monitoring of public activities, 
and particularly things like chat rooms where you have huge 
first amendment interests, obviously raise a different level of 
concern than it does when you tell employees--and I wrote the 
Justice Department monitoring policy for the criminal 
division--when you tell employees, ``Look, we have an 
obligation to make sure that Government equipment is used for 
Government purposes and we reserve the right to watch what is 
happening on our networks.'' Most employees are fine with that.
    The key is notification and education so they do not feel 
they are being surreptitiously monitored, which creates a ton 
of bad morale.
    Mr. Schneier. Ms. Neptune, you mentioned in your 
presentation that your insurance carrier was helpful to you. 
Was this coverage part of your normal liability package? Or was 
this something that you had to buy in addition? And is it 
something that most small business owners should be looking at?
    Ms. Neptune. We had a very extensive insurance policy. You 
know, with the Internet now, every year there was a new policy 
you had to do. Computer fraud, copyright, patent right, because 
I had a site service. It was very expensive, but I happened to 
purchase business-income loss, which as we all know is a very 
expensive policy. If I did not have that, I would not have 
gotten any reimbursement.
    Mr. Schneier. But was it an additional rider that you had 
to get?
    Ms. Neptune. Yes, it was because it is not covered under 
normal theft. It is specifically for loss of business income. 
It kicks in based on how much you want to pay. Do you want it 
to kick in in 10 hours, 24 hours, a certain level or whatever? 
And these are very expensive.
    I might also add, we were cancelled the next year, of 
course, from the insurance carrier. Now go find it from 
somebody else. So it has a rolling effect.
    Mr. Conlon. Mr. Farnsworth and Mr. Charney, I will direct 
this one to both of you. How much does all of this cost? There 
are a lot of incidents going on, some of them are reported, a 
lot of them are not. Is there any kind of ballpark figure of 
how much this costs the business world?
    Mr. Farnsworth. There is a wide range of solutions with a 
wide range of costs. What we have found is that it is very 
much, as we just heard about the insurance industry, folks are 
more likely to spend more money if they have been victimized 
than if they have not been. Small businesses can subscribe to 
services from service providers who take advantages of 
economies of scale to provide secure web hosting, secure 
content hosting services at a reasonably low cost.
    Businesses who are engaged in controversial business 
practices, if you make baby harp seal fur coats, for example, 
there is some segment of the population that might take 
exception to that, thus raising your visibility and your 
vulnerability. Those folks will necessarily have to spend more 
money in order to protect their resources.
    You can get something as simple as a personal firewall 
software package for $20 to $30 and download it over the 
Internet. You can go as high as hundreds of thousands of 
dollars to provide state-of-the-art high-capacity firewalling 
with intrusion detection and centralized-monitoring services. 
It is a risk assessment and risk vulnerability issue, though.
    Mr. Charney. If you are talking about the cost of computer 
crime generally, several years ago I started looking at the 
public literature. The public literature ranged from computer 
crime is costing businesses $50 million a year to $5 billion a 
year, which basically tells you that no one has a clue. I mean, 
you can discount the high-end one as lunacy. But if you look at 
the CSI surveys, they try and quantify the cost. But if you 
remember that most computer crime is not detected nor reported, 
it is really hard to get an accurate figure.
    Mr. Conlon. We included the computer security study in the 
packets we distributed.
    A question for Agent Riley. Mr. Charney, in his testimony, 
talked about the kind of impact on, I believe it was a bank, 
that had suffered a computer crime when you have to go public 
with this. And the same kind of issue with Ms. Neptune, with 
reduced consumer confidence.
    How much of a challenge is this to law enforcement? And 
what has law enforcement been doing to kind of get over the 
issue of consumer confidence and confidentiality.
    Ms. Riley. That is a good question. As I pointed out 
earlier, when we train agents to work CyberCrime, we train them 
not only in the technical aspects of how to follow the leads 
and how to work through to an investigation, but we also focus 
very heavily on the impact of any publicity and any actions by 
law enforcement, and how that will affect the victim after we 
come into the scene.
    I cannot emphasize enough that all of the work that was 
done on the investigation that was described for you this 
morning was done in partnership. I think Ms. Neptune will 
certainly agree that everything that was done associated with 
that case was discussed at great length with both the law 
enforcement representatives, the Secret Service agents from the 
local Miami field office, along with the company, so that we 
could explore any actions that we might take and the resulting 
impact that is there. I cannot emphasize those partnerships 
enough, before, during, and after the investigation.
    As far as publicity goes, within our own agency we have a 
very strict policy, which is that no press releases are put out 
about any investigations by our agency. Rather, that is done by 
the United States Attorney and the prosecutor's office. At 
times there is a careful balance that is weighed there.
    At certain times, the publicity associated with the case 
may more importantly come from the Government or the prosecutor 
and put the perspective on the case and the way that it was 
worked out rather than a defense attorney, for example. So 
publicity is not 
always bad. It also serves as a deterrent factor, to put the 
word out that you can be caught when you do these types of 
investigations.
    But again, as was done in the Boston case, where the 
telephone companies were heavily victimized, they actually 
participated in the press release. The message that they wanted 
to get across as a victim was that we are not going to tolerate 
this type of activity.
    So I think there is good and bad associated with the type 
of 
activity we have to do in releasing information about an 
investigation, but it is very important that we consider the 
partnerships with the victim and with the other affected 
industry members when trying to weigh how to release 
information about an investigation.
    Mr. Conlon. If there were a single message from law 
enforcement to the participants around the table here, what 
would that be? Something that they can take back to the members 
of their 
associations.
    Ms. Riley. I actually would have to support the comments 
made by several of my colleagues here on the panel, which is 
share information. The prevention is really a key. Preventing 
this type of 
activity by sharing information, we are happy to do that from 
the law enforcement perspective, especially with trade 
associations. Ms. Neptune made a great point, the trade 
associations give us a mechanism in law enforcement to share 
that hindsight with larger segments of industry and try to 
effectively help in the prevention techniques.
    The types of techniques or the tips that were provided by 
Mr. Farnsworth today, for example, we absolutely support the 
initiatives underway within industry to prevent these types of 
crimes. But when they do occur, we have got to learn from 
those. And we are committed, in law enforcement, to help 
industry do that.
    Mr. Conlon. I believe Senator Bond will be returning in a 
few minutes so I guess we will take the opportunity to wrap up. 
Mr. Lane has a comment?
    Mr. Lane. Consumer confidence is critical to small 
businesses when you are getting onto the web as a small 
business. I have started my own software company. It is four 
guys sitting around a table deciding to come up with a product. 
The best thing to do is try to get eyes to your sight or get 
consumer confidence in the product that you are developing.
    But what is really hurting us right now is, I hate to say 
it, but the press focusing on a small amount of cases. Even the 
title of this forum, ``CyberCrime: Can Small Business Protect 
Itself?'' sends out a message that my god, I better not go to 
the small businesses. I better go to the Amazon.coms of the 
world who are, in fact, being attacked.
    We have to make sure that we are not sending out a message 
of fear that inhibits the ability of the Internet to grow. Just 
like any business, consumers go into places where they feel 
comfortable. They go into the stores where they feel 
comfortable. Small businesses have to work to build up consumer 
confidence, but it does not help when we have a fear factor for 
either political reasons and we say, ``Oh my gosh, we need to 
do something and vote for me next November,'' or something 
else.
    We need to make sure that we are providing quality 
information out there, which gets back to the other issue of 
sharing information. On the Y2K example, the Y2K liability was 
a perfect example for businesses to share. There were a lot of 
antitrust issues that businesses could not talk to one another 
and share information about because of antitrust concerns. What 
do we do about that? How can we allow the sharing of 
information?
    Then on the association side, if we put out information and 
it is inaccurate, are we now liable? Again, the Y2K liability 
and the legislation on the Y2K sharing of information took care 
of that. But we need to look at this as a whole because right 
now we are not going to put anything up on our site that makes 
us liable. We cannot ask our businesses to talk to one another 
and say you are not going to be slammed by an antitrust suit.
    So we need to look at all this, plus the FOIA information 
that is out there, as well.
    Mr. Burton. I just want to take a minute just to completely 
underline what you said from the viewpoint of direct marketing, 
not only in terms of liability which is something of very great 
concern to us that we want to try to work around it, but 
probably more than almost any type of business, direct 
marketing depends on consumer confidence. We have, since the 
beginning of the Sears Roebuck catalog, had to depend on arms-
length transactions where you do not know the people you are 
dealing with and you have to trust the process.
    So we have had a lot of experience before the Internet even 
came in trying to create a trust process. It is totally and 
absolutely critical that we have a process we can trust.
    I agree, though I do not like to attack the media in any 
way, I agree that I think that from a consumer perspective the 
problem has been overdramatized. In other words, I feel 
perfectly safe, much safer conducting business on the Net with 
companies that I know or at least can trust, than I do giving 
it to a restaurant.
    In fact, I have had my identity stolen twice. Once it went 
all the way to Paris. In both of those cases it was because of 
a waiter in a restaurant. I have never been to Paris, but my 
credit card has been there.
    So I just want to underline that I think that forums like 
this are very, very important. We, of course, commit ourselves, 
to working with law enforcement officials and people who 
provide security on the Net, so that we can be sure that we 
have this consumer confidence. Because the wave of the future 
is going to be buying on the Net.
    Mr. DeBow. I concur that there are a lot of positive things 
that we can compliment, particularly law enforcement and all 
the different organizations that are working hard to try and 
keep pace. But one of the things that I feel we would be remiss 
if we did not consider is that there is a tremendous marketing 
assault to get those people which may have been considered to 
be technologically phobic, or, for whatever reason not 
accessible to the Internet, to come to the Internet.
    I think when you look at these major corporations that are 
practically giving away computers to their employees, you have 
got products now that are designed in the $100 price range to 
be particularly directed towards the Internet. There are a lot 
of things which we can anticipate which would probably be 
somewhat of a repetition of things we have already identified. 
There are areas that need to be prepared for and anticipated 
including an exchange of information or some type of 
educational process.
    One of the things that, in our particular organization, 
which is the National Black Chamber of Commerce, which we are 
being questioned about and are confronting is a reverse side of 
the caveat emptor aspect of the card services providers--in 
that when there is a dispute or something that is questionable, 
where the consumer wants to challenge the charge on the credit 
card, those companies traditionally immediately either freeze 
those funds that are in that merchant's account, or they are 
immediately removed. There are basically, I think, two major 
companies that are providing that service. They go about the 
judicious process of determining whether it is a valid dispute, 
or perhaps maybe the consumer did use the product and just 
chose not to want to keep it or whatever.
    The education and information to other small businesses, 
which probably is going to be an ever increasing density of the 
existence of those businesses as well as these type of 
circumstances where they do, in fact, feel somewhat defenseless 
in their ability to protect the sale because they have, in 
fact, shipped the goods or provided the services. It is gone 
from their inventory. It is gone from their business. And now 
the funds and the reciprocal for that are in question.
    So with that in mind, is there a place: (1) where we can go 
and see some type of statistics on consumer satisfaction or 
dissatisfaction with these particular companies? And (2) what 
do you do if you feel you have been unjustly dealt in one of 
those circumstances? I would just throw that out to anybody.
    Mr. Lane. The problem with online transactions is that the 
company is responsible. It is not reimbursed by Visa or 
Mastercard or American Express, the $50 limit. The business 
itself, because it is unsigned, eats that cost. So there is a 
huge incentive to try to make sure that that is a valid 
transaction.
    That is the way it is for a phone call, anything where 
there is not an underlying signature of a transaction. So there 
is a huge concern for small businesses.
    We heard last year from a small business that sold lobsters 
from Maine. The problem with that is you cannot return the 
product. It is either eaten or it has been dead for too long 
and you cannot resell it. They were estimating almost 30 
percent of their sales were in conflict, people saying we did 
not receive it or saying that we did not like it or trying to 
dispute it. The company had to eat those costs. So it is a huge 
risk to businesses. I do not know what the underlying answer 
is, but it is real.
    Chairman Bond. That is something we are going to work on. I 
know we have reached the hour we said that we were going to 
close.
    First, I want to express my sincere thanks to all of you 
for participating today. Obviously, this is a question of great 
import-
ance, not just for small business but for everybody involved in 

e-Commerce. I want to offer a special thanks to the panelists 
for joining us, for providing what my staff tells me has been 
very interesting and informative testimony. We have had some 
great insights into what the real life problems are.
    There is no question that Government can provide a lot of 
information that will be of assistance to the small business 
community. I think that is something that we need to explore 
and we will continue to work on that.
    But there is one question, I guess, that has kind of 
floated around without an answer and I have a suggestion that I 
am going to propose. What does a small business do when they 
have been hit? Who do you call? What is the 911 if you find out 
there has been a problem? Obviously, Ms. Neptune was able to 
get in touch with the Secret Service.
    I propose to write to FBI Director Louis Freeh to ask him 
to 
ensure that the National Infrastructure Protection Center 
undertakes outreach initiatives to the small business 
associations around this table and to small business generally, 
to Government-funded business development programs, to Small 
Business Development Centers, the Business Information Centers, 
and the Service Corps of Retired Executives who were unable to 
join us today.
    I will be writing to Attorney General Janet Reno to request 
that a toll-free number be set up to provide a single point of 
contact for small business consumers and others to report 
computer crimes and computer security issues related to law 
enforcement. We have seen a similar system in the FTC with the 
toll-free number, 1-877-FTC-HELP, which I think has provided 
small businesses with good access to information, and given 
business owners a place to go.
    I think that given the overlapping jurisdictions of the 
various law enforcement organizations, it is important that 
some centralized entity provide a common point of contact for 
small businesses and others to reach law enforcement 
organizations. We will work with you and would like your 
comments and suggestions on that.
    Obviously, this is a subject which we have just begun to 
discuss. We intend to continue to work with it, Paul and Damon 
and our Committee Members' staffs here, along with you as we 
determine how best we can deal with the problem. As we can see, 
the problem is rising. As Mr. Charney said, it may be rising a 
whole lot faster than we even know.
    I think that the time has come, if not even past, for us to 
be serious about providing some comprehensive assistance. I 
know the private sector, Mr. Farnsworth and others, are working 
to assure that we have the technology and the equipment. We do 
not want to do anything that would interfere with the ability 
of the industry and all the related organizations to develop 
appropriate response mechanisms. That is where we need your 
guidance.
    How can you all handle it best through technology? To the 
extent that there is Government assistance needed, we would 
like your advice and counsel on that. You have given us a lot 
of good ideas to follow up.
    Again, my sincere thanks to all of you for joining us 
today, for discussing what is emerging as a very serious 
problem, particularly for a lot of small businesses who may not 
realize that they are at risk. As always, you have been very 
helpful and I appreciate the time and the information that you 
have presented us.
    Thank you very much and the hearing is adjourned.
    [Whereupon, at 11:42 a.m., the forum was adjourned.]
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
    [GRAPHIC OMITTED]
    
