[Senate Hearing 106-838]
[From the U.S. Government Printing Office]




                                                        S. Hrg. 106-838

         ``CYBER ATTACK: IMPROVING PREVENTION AND PROSECUTION''

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON TECHNOLOGY, TERRORISM,
                       AND GOVERNMENT INFORMATION

                                 of the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                                   on

   EXAMINING HOW TO COMBAT CYBER ATTACKS BY IMPROVING PREVENTION AND 
                              PROSECUTION

                               __________

                             SCOTTSDALE, AZ

                               __________

                             APRIL 21, 2000

                               __________

                          Serial No. J-106-79

                               __________

         Printed for the use of the Committee on the Judiciary


                    U.S. GOVERNMENT PRINTING OFFICE
69-335                      WASHINGTON : 2001





                       COMMITTEE ON THE JUDICIARY

                     ORRIN G. HATCH, Utah, Chairman

STROM THURMOND, South Carolina       PATRICK J. LEAHY, Vermont
CHARLES E. GRASSLEY, Iowa            EDWARD M. KENNEDY, Massachusetts
ARLEN SPECTER, Pennsylvania          JOSEPH R. BIDEN, Jr., Delaware
JON KYL, Arizona                     HERBERT KOHL, Wisconsin
MIKE DeWINE, Ohio                    DIANNE FEINSTEIN, California
JOHN ASHCROFT, Missouri              RUSSELL D. FEINGOLD, Wisconsin
SPENCER ABRAHAM, Michigan            ROBERT G. TORRICELLI, New Jersey
JEFF SESSIONS, Alabama               CHARLES E. SCHUMER, New York
BOB SMITH, New Hampshire

             Manus Cooney, Chief Counsel and Staff Director

                 Bruce A. Cohen, Minority Chief Counsel

                                 ______

   Subcommittee on Technology, Terrorism, and Government Information

                       JON KYL, Arizona, Chairman

ORRIN G. HATCH, Utah                 DIANNE FEINSTEIN, California
CHARLES E. GRASSLEY, Iowa            JOSEPH R. BIDEN, Jr., Delaware
MIKE DeWINE, Ohio                    HERBERT KOHL, Wisconsin

           Stephen Higgins, Chief Counsel and Staff Director

        Neil Quinter, Minority Chief Counsel and Staff Director





                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Kyl, Hon. Jon, U.S. Senator From the State of Arizona............     1

                    CHRONOLOGICAL LIST OF WITNESSES

Panel consisting of Janet Napolitano, Attorney General, State of 
  Arizona; and Guadalupe Gonzalez, Special Agent In Charge, 
  Phoenix Field Investigation, Federal Bureau of Investigation...     3
Panel consisting of David W. Aucsmith, chief security architect, 
  Intel Corp.; and Jose Granado, senior manager, Ernst & Young 
  LLP, Houston, TX...............................................    89

                ALPHABETICAL LIST AND MATERIAL SUBMITTED

Aucsmith, David W.:
    Testimony....................................................    89
    Prepared statement...........................................    93
Gonzalez, Guadalupe:
    Testimony....................................................    66
    Prepared statement...........................................    71
Granado, Jose:
    Testimony....................................................   102
    Prepared statement...........................................   104
Napolitano, Janet:
    Testimony....................................................     3
    Prepared statement...........................................     5
        Letter from the Attorney General.........................    11
        Summary..................................................    13
        Computer Crimes Act of 2000..............................    15
        Attorney General's Website...............................    54
        News Articles............................................    57

 
         ``CYBER ATTACK: IMPROVING PREVENTION AND PROSECUTION''

                              ----------                              


                         FRIDAY, APRIL 21, 2000

                           U.S. Senate,    
         Subcommittee on Technology, Terrorism,    
                        and Government Information,
                                Committee on the Judiciary,
                                                    Scottsdale, AZ.
    The subcommittee met, pursuant to notice, at 9 a.m., in 
City Council Chambers, Scottsdale, AZ, Hon. Jon Kyl (chairman 
of the subcommittee) presiding.

  OPENING STATEMENT OF HON. JON KYL, A U.S. SENATOR FROM THE 
                        STATE OF ARIZONA

    Senator Kyl. This hearing will please come to order.
    Let me first welcome everyone to this field hearing of the 
Subcommittee on Technology, Terrorism, and Government 
Information of the U.S. Senate Judiciary Committee. It is 
encouraging to see so many people who are interested in this 
critical subject. Before we begin, I want to thank the Mayor of 
Scottsdale, Sam Campana, for hosting us here at the Scottsdale 
City Council chambers and for the assistance of Peggy Carpenter 
from the city of Scottsdale, who helped set up this hearing. I 
also want to thank Ed Denison from the Arizona Software 
Association for his assistance in spreading the word about the 
hearing, and, finally, to say hello to the people watching this 
hearing on the city of Scottsdale's Cable Television channel.
    The danger from cyber attack has recently received a lot of 
attention. The denial-of-service attacks against popular 
Internet sites like Yahoo, eBay, and CNN and the arrest earlier 
this week of a Canadian teenager in the case brought home to 
Americans just how vulnerable we are. This is the seventh 
hearing I have held on the subject in the past 3 years, and it 
won't be the last.
    In examining how to combat cyber attacks, it is important 
to reflect on how the Information Age is rapidly transforming 
our society. Today, virtually every key service is dependent 
upon computers--from electrical power grids, to phone systems, 
air traffic control, banking, military early-warning networks. 
The list goes on and on. Unfortunately, most of these critical 
computer networks were not designed with good security measures 
in mind.
    America's increased dependence on computer networks must 
also be viewed in context of our changing role in the post-cold 
war world. The United States is the world's only superpower, 
and our armed forces enjoy technological superiority on the 
battlefield. I sit on the Senate Intelligence Committee, and I 
receive a lot of briefings from the CIA and others about 
threats facing our country. The overriding trend in these 
briefings is that nations and terrorist groups that are hostile 
to our interests are increasingly choosing not to confront our 
military strengths directly--that is, by trying to field fleets 
of advanced fighter planes or aircraft carriers on a par with 
ours--but, rather, are seeking to exploit our vulnerabilities, 
looking hard for our Achilles heel. As the ancient 
Chinese military strategist Sun Tzu said, ``You can be sure of 
succeeding in your attacks if you only attack places which are 
undefended.''
    China's current military strategists appear to have taken 
this lesson to heart. A recent article in the official 
Liberation Army Daily stated that China is considering creating 
a fourth branch of the military for information warriors and 
said ``Internet warfare'' should be equated with air, land, and 
sea combat operations.
    Russia is another country of concern in this area. Last 
year, a series of widespread intrusions were detected on 
computer networks operated by the Defense Department, other 
Federal agencies, and the private sector. The FBI traced these 
intrusions to Russia in an operation dubbed Moonlight Maze. 
According to the FBI, the attacks resulted in the theft of vast 
quantities of unclassified, but still sensitive information 
about defense technological 
research matters. Although the details of the case are 
classified, according to Newsweek Magazine, the primary 
suspects in the intrusions, which have since terminated, are 
``crack cyber spooks from the Russian Academy of Sciences, a 
government-supported organization that interacts with Russia's 
top military labs.'' And Russia and China are not the only 
countries of concern. According to the National Security 
Agency, over a dozen countries are working on information 
warfare techniques.
    U.S. military planners have also begun to try to assess how 
cyber attacks could affect our military's performance and to 
take steps to close those vulnerabilities. In 1997, the Joint 
Chiefs of Staff conducted an exercise called Eligible Receiver 
to find out how easy it would be for an enemy to attack U.S. 
military communication systems and other critical 
infrastructures. During the exercise, a small team of 2 dozen 
people used readily available computer hacking tools to attack 
the military's critical infrastructures and within 4 days 
crippled our ability to respond to a simulated crisis in the 
Pacific theater. They also broke into networks that control the 
electric power grid for the entire United States.
    In addition to being conscious of the threat from foreign 
countries and the need to take steps to improve the security of 
the critical computer networks, we need to combat computer 
hacking by criminals here in the United States, which can also 
have very serious consequences. The number of computer crimes 
is rapidly increasing, and we need to be sure that Federal, 
State, and local law enforcement agencies have the tools they 
need to investigate and prosecute violators.
    Catching and punishing those who commit cyber crimes is 
essential for deterring future attacks. When a cyber attack 
occurs, it is not initially apparent whether the perpetrator is 
a mischievous teenager, a professional hacker, a terrorist 
group, or even a hostile nation. Law enforcement must be 
equipped with the resources and authorities necessary to 
swiftly trace a cyber attack back to its source and 
appropriately prosecute criminals.
    Finally, it is important to recognize that private 
companies own and operate the vast majority of the computer 
networks used to operate our critical infrastructure. We must 
raise awareness in industry about cyber threats, encourage 
companies to take responsible steps to protect themselves, and 
remove roadblocks to effective industry cooperation. For 
example, protection from attack necessitates that information 
about cyber vulnerabilities and threats be communicated among 
companies and with government agencies. Antitrust laws that 
were created to prevent collusion among competitors in an 
industry need to be updated to allow companies to cooperate in 
establishing good cyber security. Furthermore, the Freedom of 
Information Act may need to be updated to encourage companies 
to share information with the Federal Government. Communication 
is critical for protection, and these roadblocks need to be 
removed.
    Our witnesses are well suited to address these issues. On 
our second panel, David Aucsmith, the Intel Corporation's top 
security specialist, will discuss some of the trends and 
challenges in cyber security, and Jose Granado, a senior 
manager of Ernst & Young, will conduct a live computer hacking 
demonstration. Guadalupe Gonzalez, the special agent in charge 
of the FBI's Phoenix Office, will provide the Federal law 
enforcement perspective on cyber crime.
    Before we hear from these three experts, I would like to 
introduce our first witness, Arizona Attorney General Janet 
Napolitano. Ms. Napolitano has served as attorney general since 
January 1999, and prior to her election to this post, she 
served for over 4 years as the U.S. attorney for Arizona.
    Attorney General Napolitano, thank you very much for 
testifying at today's hearing. Your full statement and that of 
all of the witnesses will be included in the record, and I 
would invite you to make any summary remarks at this time.

 PANEL CONSISTING OF JANET NAPOLITANO, ATTORNEY GENERAL, STATE 
 OF ARIZONA; AND GUADALUPE GONZALEZ, SPECIAL AGENT IN CHARGE, 
  PHOENIX FIELD INVESTIGATION, FEDERAL BUREAU OF INVESTIGATION

                 STATEMENT OF JANET NAPOLITANO

    Ms. Napolitano. Thank you, Mr. Chairman, and thank you for 
inviting me to be here today and for your long-time interest in 
the cyber area. You have truly been a national leader in this 
regard, and we are grateful.
    Arizona is one of the leading States, I believe, in 
prosecuting computer crime. In the Attorney General's office, 
we have established a Technology Crimes Unit. The head of that 
unit is with me today, Gail Thackery, who is one of the 
Nation's leading prosecutors in this emerging area.
    We also now have one of the most comprehensive computer 
crime statutes in the country that was passed by the 
legislature this past session, was recently signed into law by 
Governor Jane Hull, and had broad bipartisan support.
    Let me, if I might, divide my summary remarks into three 
brief categories, and I understand my full statement will be 
admitted into the record. But the three categories are what 
kinds of things we're seeing at the State level in Arizona, 
what is in our cyber crime legislation that supports and 
augments what is in some of the proposed Federal legislation, 
and, finally, what we as State prosecutors would like to see 
from the Federal Government.
    But, very briefly, lest we think that all cyber crime takes 
place internationally or in cyberspace somewhere else, we have 
a great deal of it here in Arizona, and it really doesn't 
matter whether you are in urban Arizona or rural Arizona. 
Anywhere you have a PC you have the potential of a cyber crime.
    Currently, we have cases in our office pending involving 
the five following kinds of cyber crime: cyber stalking, online 
school threats, infrastructure attacks and hacker offenses, 
fraud--in fact, in our Consumer Fraud Division in the Attorney 
General's office, we have now created a separate way to track 
the Internet fraud cases so that we can follow the trend line 
more accurately as to what kinds of fraud we are seeing on the 
Internet--and child sexual exploitation cases. We currently 
have task forces involving child sexual exploitation in Tucson 
and Phoenix, and our office is helping Arizona POST, the 
training agency for law enforcement, train investigators and 
prosecutors in this area.
    So you can see we have quite a panoply of different types 
of computer crimes. Some are old kinds of crime committed in 
new ways, i.e., fraud. Some are new crimes that we could not 
have imagined 20 years ago.
    To deal with this, our office proposed the Computer Crime 
Act of 2000 in Arizona, and briefly, Senator, that statute, 
which is attached to part of my testimony, has six parts. One 
is cyber terrorism, and it raises the penalties for disrupting 
operations of things like utilities, emergency services, 
medical institutions, traffic control and the like.
    It contains cyber tools for law enforcement. For the first 
time, for example, our office has the ability to seek the 
source of e-mails through desk subpoenas rather than having to 
go continually to court, a concept I think that the FBI is 
supporting federally.
    It has sections on forgery, fraud, and theft, and 
acknowledges that people have online identities that themselves 
can be the subject of the theft of identity.
    It has a new felony for cyber stalking because the current 
laws were not adequate to deal with the prosecution of those 
offenses.
    It has a felony for computer use and disruption. The denial 
of service attacks you mentioned in your opening statement are 
now felonies in Arizona. I think we are one of the few 
jurisdictions in the country that actually has that.
    And, finally, it has provisions related to child 
pornography on the Internet, and it adds the offense of 
luring--l-u-r-i-n-g--meaning that the offense of sexual 
solicitation of a minor is committed with the solicitation 
itself. It doesn't require any further act in furtherance of 
the crime of meeting the minor in order to be able to charge 
the higher felony. We make the solicitation itself, the luring, 
a crime on the Internet. So that is the new Arizona bill.
    Now, we have a Technology Crimes Unit, as I mentioned, and 
I might like to say that this year the legislature, under the 
leadership of Representative Jim Wyers from the northwest part 
of the valley, passed a bill that provides some monetary 
resources both to the Attorney General's office and to the 
Department of Public Safety to help us meet the increasing 
need. And as good a bill as that is, it is only a first step in 
terms of the resources that State and local prosecutors are 
going to need. The chief thing we need from the Feds, if I can 
use the nickname, right now is training and resources.
    Attorneys, investigators, and prosecutors with computer 
skills are in incredible demand. We are unable to hire people 
with this expertise because State and local public salaries 
simply are not competitive in the current marketplace. That 
means what we need to do and what we are doing is training 
people who are already in public service on how to deal with 
these new kinds of crime. That means training is very, very 
key. It is expensive, and it also requires equipment that is 
continually updated to match what is out there in the field.
    As I have already indicated, the bulk of prosecuting these 
crimes, the bulk of these crimes, be it identity theft, be it a 
child pornography case, be it a luring case, are going to end 
up being prosecuted by State and local authorities because that 
is where the bulk of prosecutions in this country occurs in any 
area. And the same is holding true in cyber crime.
    So we would like to emphasize the need for training 
resources, and there are existing vehicles already in place to 
deliver that training, both through the National District 
Attorneys Association and the National Association of Attorneys 
General. NAAG, by the way, has made cyber crime one of its top 
priorities, and I would ask that the Senate and that you 
consider how we make those training resources available on a 
continual basis, not a one-time thing but continual, because 
the technology keeps changing.
    The other idea I would like to offer to you, Sir, is 
something that is reminiscent of what the Senate and the 
Congress did in the 1970's when they provided seed money to 
Attorneys General to open up or to start antitrust units or 
economic competition units within their offices to handle those 
kinds of cases. Seed money for every Attorney General to have a 
cyber crime unit such as we have in Arizona, or to build on one 
if they already have one, I think would provide a very big bang 
for the buck in the sense of expanding our reach, expanding our 
prosecutorial resources, and expanding what we can do working 
with these new technologies to make sure and to ensure that 
basic law enforcement is being carried out, be it in cyberspace 
or be it on the ground.
    Thank you very much.
    [The prepared statement of Ms. Napolitano follows:]

                 Prepared Statement of Janet Napolitano

    Mr. Chairman, thank you for the opportunity to address your 
subcommittee today. As the Attorney General of Arizona, I am here to 
report on our state's activities in combating and prosecuting 
cybercrime. Cybercrime is an emerging issue in law enforcement as an 
increasing number of crimes are committed using computers and other 
technologies. In fact, while we have seen a decline in violent crime, 
cybercrime has increased exponentially. As crime migrates to the 
Internet and other frontiers of technology, law enforcement must be 
adequately prepared to apprehend and prosecute the criminals.
    Instead, law enforcement has had a difficult time keeping up with 
cybercrime. Laws have been found to be inadequate in dealing with new 
technologies. The speed with which technology advances demands rapid 
and innovative solutions to complex problems. Lastly, there is a 
desperate lack of resources for cybercrime law enforcement. There are 
three issues I want to discuss today--legislation, emerging issues in 
cybercrime and current challenges facing law enforcement.

          ARIZONA LEGISLATION--THE COMPUTER CRIMES ACT OF 2000
    The Office of the Attorney General drafted the Computer Crime Act 
of 2000, which was sponsored and passed by a bi-partisan coalition of 
legislators. HB 2428, recently signed into law by Governor Jane Dee 
Hull, is designed to better protect Arizona citizens from cybercrime, 
which is a threat to private citizens, public infrastructure, 
businesses, and government, as these incidents prove:

    • In 1998 a computer user in Arizona hacked his way onto a 
billing database of a public utility, looking to cancel someone's 
account. Once in the system, he gained high-level access to the canal 
controlling system, putting the system at serious risk.
    • Just this past year, a young man, angry at his ex-girlfriend, 
posted pictures of her and assumed her identity on the 
Internet. Through sexually explicit e-mail with other users, he put the 
young woman in great danger to potentially become a victim of sexual 
assault or worse by inviting people to her home and workplace.
    • A Phoenix man hacked into the computer of an Internet 
Service Provider in Canada and crashed the server, disabling the entire 
network, including all e-mail services, for a week. Numerous businesses 
and individuals lost valuable information, time and money.

    There are six parts to this legislation:
Cyberterrorism
    We must use every means available to crack down on attacks on our 
high-tech infrastructure. This section raises judicial penalties for 
disrupting operations of utilities, emergency services, medical 
institutions, traffic control, etc.
Cybertools for law enforcement
    Cybertools strengthen law enforcement's ability to preserve 
electronic evidence and to trace rapidly criminal activity on the 
Internet.
Forgery, fraud and theft
    Private individuals and businesses must be protected from 
electronic forgery, fraud and theft. New provisions such as these 
update our laws, demonstrating that individuals and companies have an 
``online'' identity that can be used by others in criminal or malicious 
activity. Fraud statutes must protect Internet consumers and businesses 
against crimes such as theft of trade secrets, credit card fraud, 
identity theft and forgery.
Cyberstalking
    Current statutes did not provide adequate protection from 
cyberstalking, where physical contact between the victim and stalker 
may never occur. The new legislation includes the unique and technical 
aspect of cyberstalking and provides an effective tool for prosecution 
and prevention.
Computer use and disruption
    When a company or an individual loses their access to the Internet, 
they can lose contact to their customers, business records, financial 
information, and other materials hindering their ability to work, 
retrieve data, and communicate. This section is designed to deter 
several forms of disruption which have not been covered by the current 
statute.
Child pornography
    The section protects computer repair technicians and others who 
report child pornography to the police. It also adds the offense of 
``luring,'' to attack effectively the online solicitation or offering 
of a child with an intent of sexual exploitation. Individuals would be 
held criminally liable for any sexually explicit material knowingly 
transmitted to a school or minor.
    The Computer Crimes Act of 2000 goes into effect July 18, 2000.

                            EMERGING ISSUES
    Law enforcement and the public at large have raised several issues 
that Congress and the states will have to come to terms with in the 
near future. Two of the ones my office is working on are Privacy and 
the Theft of Intellectual Property.
Privacy
    The public is becoming increasingly concerned over the collection 
and ownership of personal identifying information. The traditional 
American model is that organizations that gather information about 
individuals become the owners of that information, and can use it for 
their own purposes or even sell it to others. The phrase seen in hacker 
chat rooms currently is, ``You have no privacy now--get over it.''
    On the other hand, for 25 years or more, many countries have had 
strong privacy protections including transborder data flow statutes 
prohibiting the transfer of personal data across national boundaries, 
and other laws forbidding the ``secondary use'' of personal data 
without permission of the individual. In fact, American corporations 
have just agreed to honor European Union privacy rules which are much 
more stringent than any they observe in this country, in connection 
with our own citizens' data.
    We have made tremendous advances with the use of the Internet in 
numerous fields. But at the same time, the Internet poses a threat to 
individual privacy--and security--on a scale never imaginable in 
earlier times, when records pertaining to individuals were maintained 
by corporations and public agencies in separate files scattered across 
the business and government landscapes.
    The time has come for a comprehensive assessment of our nation's 
business practices with regard to the collection and use of personal 
data. The national epidemic of Identity Theft crimes is proof that we 
also need to establish industry standards for maintaining the security 
and accuracy of information that is collected about individuals. I 
intend to work with Arizona business, consumer and privacy groups in 
the next legislative session to craft legislation that will offer our 
citizens reasonable assurance that they know what information is being 
collected about them, have an opportunity to correct inaccuracies, and 
have some say in what is done with their personal data. I believe that, 
working together, Arizona citizens and businesses can establish a 
reasonable framework for protecting individual privacy in a world where 
all records are online, all the time.
Theft of intellectual property
    The Internet has also caused another revolution--the quick and 
rapid distribution of many perfect copies of the same original. 
Arizona's ``Silicon Desert'' is an important and fast-growing part of 
our economy, and the protection of our information resources is 
critical. Currently, the Federal copyright statute preempts the states 
from enforcing thefts of intellectual property such as software, video 
and music, yet the Federal agencies only have the resources to pursue a 
tiny fraction of the reported offenses. This situation robs our 
American businesses of billions of dollars a year, and allows the 
thieves to flourish.
    As a former United States Attorney, I understand the limitations of 
resources among the Federal agencies. However, every year a number of 
business victims come to our office for help, but the Federal 
preemption of copyright theft leaves us powerless to help them. I know 
that industry would support a change in the copyright law to permit 
enforcement at the state level, and I urge Congress to amend the 
copyright laws to permit enforcement by both Federal and State 
agencies. A strong information economy requires strong protection for 
our information assets.

                     CONCLUSION--CURRENT CHALLENGES
    The Arizona Attorney General's Office is charging ahead in 
partnership with various groups to address Arizona's state of emergency 
regarding cybercrime.

    • Law Enforcement--We have created a three-tiered training 
program:

    1. A two-day comprehensive evidence seizure and crime scene 
procedure class. This will be certified by AZ POST and taught by the 
Department of Public Safety, the Attorney General's Office and other 
agencies. The goal is to create regional expert teams, similar to the 
meth lab multi-agency teams, and certify 200 officers in the State.
    2. Police officers training to teach various tools and programs for 
extracting computer evidence and creating a case ready for prosecution.
    3. Detective training to teach the special skills necessary to 
perform investigations in cyberspace.

    • Communication Industry--We are working with on-line 
providers to develop standardized policies and forms for legal 
procedures necessary to obtain computer evidence.
    • Business--We are working with corporations to assist in 
raising awareness on computer security issues and using their expertise 
to help train law enforcement.
    • Schools--We are working closely with schools and school 
districts to deal with the increasing problem of school online threats.
    • Public--We are conducting town halls throughout Arizona to 
educate the public at large, particularly seniors and parents, about 
potential dangers on the Internet.

    In addition to the work being done in Arizona, other states have 
also been active: California has established regional task forces; the 
Attorney General of Illinois has established a state level unit to 
investigate and prosecute computer crimes; and the Attorney General of 
South Carolina has, with the assistance of the Office of Juvenile 
Justice and Delinquency Programs in the U.S. Department of Justice, 
created a task force to investigate and prosecute child pornographers 
and pedophiles. In fact, Attorneys General from around the country have 
made cybercrime a high priority for the National Association of 
Attorneys General.
    But like Arizona, states face two major obstacles in setting up 
units or task forces to address computer crimes: staff and equipment. 
Attorneys, investigators and prosecutors with computer skills are in 
high demand. Unable to hire and retain these skilled professionals at 
state salaries, states have turned to grooming these professionals 
within current ranks. Training, however, is expensive and not enough 
police and prosecutors are receiving it. Equipment to investigate these 
crimes is also expensive and must be constantly updated to keep pace 
with technology.
    Participation of the states in protecting the nation's 
infrastructure by investigating and prosecuting computer crimes is 
critical. As in other areas of criminal law, the states will 
undoubtedly carry the bulk of the computer crime investigations and 
prosecutions and, in the area of juvenile prosecutions, the states will 
have the full burden of those cases. This burden is likely to be 
considerable because computers have become ubiquitous in almost every 
type of crime.
    The efforts of Arizona and other states to address computer crimes 
must be nurtured by the Federal Government. The states need direct 
Federal funding to establish computer forensic laboratories.
    The development of a basic curriculum for prosecutors is underway. 
The means to execute the training and to provide ongoing technical 
assistance exists through the National Association of Attorneys General 
and the National District Attorneys Association. Unfortunately, we are 
missing the funding to implement the training and assistance. 
Approximately $1 million a year for 5 years would allow over 100 
prosecutors to be trained each year.
    To combat cybercrime, states need a program to provide seed money 
to assist with hiring knowledgeable staff and buying much needed 
equipment; such a program should be established on the Federal level. This program 
would need to provide a minimum of $500,000 per year per state for at 
least 3 years to allow the states to establish programs and begin 
funding them.
    Updates to the law, such as Arizona's Computer Crimes Act 2000, are 
a powerful first step in the battle against cybercriminals. But 
resources, applied intelligently, would revolutionize law enforcement's 
ability to respond swiftly and effectively to cybercrime.
    I look forward to working with this Subcommittee and other Federal 
entities to ensure that we have a coordinated Federal-State effort to 
combat cybercrime.
    Once again, thank you for inviting me to present the perspective of 
the Arizona Attorney General's Office and I would be pleased to answer 
any questions from Subcommittee members.

    Senator Kyl. Thank you very much. That is very helpful, and 
I have got several questions that I have noted.
    But let me first turn to our next witness, Mr. Guadalupe 
Gonzalez, the special agent in charge of the FBI's Phoenix 
Field Office. Mr. Gonzalez has served in his post since August 
1998. Prior to coming to Phoenix, he was the special agent in 
charge of organized crime, drugs, and violent crimes in the 
FBI's Los Angeles office.
    Mr. Gonzalez, thank you very much for testifying at today's 
hearing. As I noted before, your full written statement will be 
placed in the record. I would like to invite you to make any 
summary remarks at this time, and I would note to the people 
who are here, in the hearing that we held a couple of weeks ago 
in Washington, DC, on this same subject, the FBI Director Louis 
Freeh presented his testimony, and in asking him how best to 
relate that testimony to people in Arizona, he suggested that 
we ask Mr. Gonzalez to be his representative here. And we are 
delighted to do that, so thank you.

                STATEMENT OF GUADALUPE GONZALEZ

    Mr. Gonzalez. Good morning, Mr. Chairman. Thank you for 
inviting me to the field hearing to discuss the growing problem 
of cyber crime and our response to it. Our ability in the field 
to deal with this crime problem requires the support of 
Congress. The recent denial-of-service attacks against Yahoo, 
Amazon.com, eBay, CNN, Buy.com, and other e-commerce websites 
have thrust the security of our information infrastructure into 
the spotlight. But they are only one example of a large and 
growing problem of criminal activity in cyberspace. I would 
like to discuss with you the national challenge of battling 
computer intrusions.
    The cyber revolution has permeated virtually every facet of 
our lives, and we see its effects all around us in the way we 
communicate, do business, and even in the way Government 
operates. Unfortunately, that revolution has affected the 
nature of criminal activity as well. Criminals are increasingly 
seeing the utility of cyber tools to facilitate traditional 
crimes such as fraud, extortion, and dissemination of child 
pornography. And they are also inventing new forms of crime 
which make computers and the information stored on them the 
targets of the crime. Thus, we see criminals intruding into 
computers to steal credit card numbers, to abscond with 
proprietary information, and to shut down e-commerce sites. And 
this is not just a criminal problem. It is also a national 
security problem. This is because our Nation's critical 
infrastructures, by which I mean those services that are vital 
to our economy and national security, such as electrical 
energy, telecommunications, banking and finance, 
transportation, and government operations, are now dependent on 
computer technology for their very operations. And this very 
dependence makes them vulnerable to an attack which, if 
successful, could deny service on a broad scale.
    The same basic types of cyber attack tools, therefore, 
become attractive not only to criminals interested in illicit 
financial gain, but also to foreign intelligence services 
seeking new ways to obtain sensitive government or industry 
information and to terrorists of hostile foreign nations bent 
on attacking U.S. interests.
    The difficulty of dealing with this challenge stems from 
the nature of the cyber environment. The cyber environment is 
borderless, affords easy anonymity and methods of concealment to 
bad actors, and provides new tools to allow for remote access 
to targeted computers. A criminal sitting on the other side of 
the planet is now capable of stealthily infiltrating a computer 
network in Arizona to steal money, abscond with proprietary 
information, or shut down e-commerce sites.
    To deal with this problem, law enforcement has retooled its 
workforce, its equipment, and its own information 
infrastructure. It must also forge new partnerships with 
private industry, other agencies, and our international 
counterparts.
    We at the FBI have been doing all of these things for the 
last 2 years, but we must continue to build upon our progress 
to ensure that we can perform our responsibilities to protect 
public safety and national security in the information age.
    My written statement provides an overview of the broad 
spectrum of cyber threats which gives a flavor of the 
incredibly varied nature of the threats we face. The examples 
range from insiders bent on revenge against their employers, to 
hackers seeking bragging rights in the hacking community, to 
criminal groups stealing credit card numbers or money, to 
foreign intelligence agencies or foreign military services who 
target U.S. interests.
    The most common threats we face are from hackers and 
criminals stealing for profit. For example, in March, 
authorities in the United Kingdom, acting in coordination with 
the FBI, arrested two individuals for alleged intrusions into 
e-commerce sites in several countries and the theft of credit 
card information on over 26,000 accounts. One subject used the 
Internet alias ``CURADOR.'' Losses from this case could exceed 
$3 million. The FBI cooperated closely with the Dyfed-Powys 
Police Department in the United Kingdom and the Royal Canadian 
Mounted Police in Canada and private industry.
    Here in Arizona, we are investigating a computer intrusion 
case in which a private enterprise was defrauded of several 
hundred thousand dollars in fraudulent telephone calls that 
were placed to a foreign country.
    We are also concerned about the terrorist threat. Terrorist 
groups are increasingly using new information technology and 
the Internet to formulate plans, raise funds, spread 
propaganda, and to communicate securely. Director of Central 
Intelligence George Tenet has testified that terrorist groups, 
``including Hizbollah, Hamas, the Abu Nidal organization, and 
Bin Laden's al Qa'ida organization are using computerized 
files, e-mail, and encryption to support their operations.''
    While we have not yet seen these groups employ cyber tools 
as a weapon to use against critical infrastructures, their 
reliance on information technology and acquisition of computer 
expertise are clear warning signs.
    Finally, given the presence of military research facilities 
in Arizona, we must be concerned with national security 
threats. As you know, the FBI has observed a series of 
intrusions into numerous Department of Defense and other 
Federal Government computer networks and private sector 
entities. An investigation last year determined that the 
intrusions appear to have originated in Russia. The intruder 
successfully accessed U.S. Government networks and took large 
amounts of unclassified but sensitive information, including 
defense technical research information.
    Here in Arizona, we have seen scans of military computer 
systems by outside intruders. Some of the logs indicate that 
the source of some of these scans may be foreign.
    The recent distributed denial-of-service attacks have 
garnered a tremendous amount of interest in the public. Because 
the FBI is actively investigating these attacks, I cannot 
provide a detailed briefing on the status of our efforts. 
However, I can tell you that all FBI field offices, including 
the Phoenix Division, have been asked to assist on a case to 
the extent that entities in our jurisdiction are involved in 
the matter or to the extent that we can cover leads within our 
jurisdiction.
    In February 1998, the National Infrastructure Protection 
Center, NIPC, was established as a focal point for the Federal 
Government's efforts to protect the critical infrastructures. 
On October 2, 1998, the center was designated a branch of the 
FBI's National Security Division, and the National 
Infrastructure Protection and Computer Intrusion Program was 
approved as an investigative program. This program is a tier 
one priority under the FBI's strategic plan and serves as the 
FBI's vehicle for performing the infrastructure protection 
mission assigned to the NIPC under Presidential Decision 
Directive 63. In October 1999, the program was moved to a 
newly-formed Counterterrorism Division of the FBI, reflecting 
the FBI's high priority on protecting the infrastructures from 
terrorist threats.
    At headquarters, the NIPC has a budget of approximately $21 
million. This is not slated to increase in fiscal year 2001. 
There are currently 193 agents in the field devoted to NIPC 
matters as well as 101 personnel at FBI headquarters. The NIPC 
at headquarters also houses 19 interagency detailees, mainly 
from the law enforcement, defense, and intelligence 
communities. The NIPC works closely with foreign counterparts 
on case-related matters.
    Beyond the NIPC at FBI headquarters, a cyber crime 
investigative program has been created in all FBI field 
offices, including the Phoenix Division. We have special agents 
here who are responsible for investigating computer intrusions, 
viruses, or denial-of-service attacks, and for conducting 
critical liaison activities with private industry. Given the 
amount of work we have and the fact that Phoenix is the sixth 
largest city in the United States, we are seeking to establish 
a full computer intrusion squad in the Phoenix Division by the 
year 2002.
    One major difficulty that distinguishes cyber threats from 
physical threats is determining who is attacking your system, 
why, how, and from where. This difficulty stems from the ease 
with which individuals can hide or disguise their tracks by 
manipulating logs and directing their attacks through networks 
in many countries before hitting their ultimate target. This 
will continue to pose a problem as long as the Internet remains 
rife with vulnerabilities and allows easy anonymity and 
concealment.
    Another significant challenge we face is intrusions 
involving multiple jurisdictions. A typical investigation 
involves victim sites in multiple States and often many 
countries. This is the case even when the hacker and the victim 
are both located in the United States. In the United States, we 
can subpoena records, engage in judicially approved electronic 
surveillance, and execute search warrants on suspects' homes, 
seize evidence, and examine it. We can do none of these things 
ourselves overseas; rather, we depend on the local authorities 
to assist us.
    The most difficult situation will arise, however, when a 
foreign country with interests adverse to our own simply 
refuses to cooperate. In such a situation, we could find that 
an investigation is stymied unless we can find an alternative 
method of tracing the activity back to its source.
    Our challenge lies in continuing to expand our computer 
investigative, analytic, training, and outreach programs. Given 
the explosive and continued growth of computer intrusions, the 
Infrastructure Protection and Computer Intrusion Program needs 
to more than double the current number of field investigative 
personnel and headquarters analysts. In addition, we need to 
leverage our resources by expanding our training programs to 
reach more State, local, and international investigators. 
Finally, NIPC investigators need high-speed computer processing 
and large-capacity storage for investigations.
    I have tried to review with you some of the threats and 
challenges we face. Some of the challenges stem from the 
structure of the present laws governing computer crime. For 
example, we should ask whether the sentencing guidelines for 
computer crime are adequate and whether the $5,000 threshold 
for damage is a useful benchmark, because in many cases the 
true damage cannot be measured in monetary terms. Examples of 
damage difficult to measure monetarily are impairment of 
medical diagnosis, threat to public safety, or damage to 
national security, national defense, or administration-of-
justice computers.
    Another problem we face is having to obtain multiple trap 
and trace orders for different jurisdictions. The Kyl-Schumer 
bill addresses these concerns and other concerns. We support 
the goal of Senate bill 2092 to strengthen the general 
deterrence aspects of the Computer Fraud and Abuse Act and to 
provide some needed procedural enhancements to help us confront 
the expanding criminal threat in this dynamic and important 
part of our national economy, while continuing to protect 
individual privacy interests. The FBI looks forward to working 
with this committee on this important legislation.
    Addressing the threat of cyber crime requires teamwork--
teamwork among Government agencies, teamwork between Federal, 
State, and local law enforcement, and teamwork between the 
Government and the private sector. We have made much progress 
in establishing this sort of teamwork on all three fronts over 
the last 2 years. The FBI is also developing cyber crime task 
forces in partnership with State and local law enforcement 
entities within their jurisdiction to leverage the limited 
resources in this area. The first one was founded in Pittsburgh 
in March. We hope that one can be established in our 
jurisdiction in the next few years as the program expands.
    The partnerships we have established with the private 
sector are particularly important for several reasons. Most of 
the victims of cyber crimes are private companies; therefore, 
successful investigation and prosecution of cyber crimes 
depends on private victims reporting incidents to law 
enforcement and cooperating with investigators. Second, the 
network administrator, who alone knows the intricacies of his 
or her network, often must provide critical assistance to the 
investigation leading him to the evidence of the intruder's 
activity.
    Much has been said over the last few years about the 
importance of information sharing. Here in the Phoenix 
Division, we have an excellent working relationship with our 
private sector counterparts and the community in general. We 
share information on a number of areas, including 
infrastructure protection, and receive information from the 
private sector that greatly assists in protecting the 
community.
    As a result of our close working relationship with the 
private sector, we can detect criminal activity in its initial 
stages and in some cases prevent criminal incidents. The NIPC 
also provides the private sector with warning information which 
also lessens their vulnerability. These warnings assist field 
offices like Phoenix to be better prepared and better protect 
our community. They further allow us the opportunity to respond 
quickly and efficiently to cyber threats. I believe that as 
companies continue to gain experience in dealing with the NIPC 
and the FBI field offices, as we continue to provide them with 
important and useful threat information, and as companies 
recognize that cyber crime requires a joint effort by industry 
and Government together, we will continue to make real progress 
in the area.
    Our Key Asset Initiative facilitates response to threats 
and intrusion incidents by building liaison and communication 
links with the owners and operators of individual companies in 
the critical infrastructure sectors and enabling contingency 
planning. The Key Asset Initiative initially will involve 
determining which assets are key within the jurisdiction of 
each FBI field office and obtaining 24-hour points of contact 
at each asset in cases of emergency. Eventually, if future 
resources permit, the initiative will include the development 
of contingency plans to respond to attacks on each asset, 
exercises to test response plans, and modeling to determine the 
effects of an attack on particular assets.
    Here in the Phoenix Division, we have identified dozens of 
key assets around the State for inclusion in the national list. 
These assets include power generation facilities, water storage 
and distribution centers, transportation assets, military 
installations, research institutions, and key public emergency 
service entities.
    The second is the InfraGard initiative. This is an 
initiative that we have developed in concert with private 
companies and academia to encourage information sharing about 
cyber intrusions, exploited vulnerabilities, and physical 
infrastructure threats. A vital component of InfraGard is the 
ability of industry to provide information on intrusions to the 
local FBI field offices using secure e-mail communications in 
both a sanitized and detailed format. We can use the detailed 
version to initiate an investigation, while NIPC headquarters 
can analyze that information in conjunction with other 
information we obtain to determine if the intrusion is part of 
a broader attack on numerous sites. The NIPC can simultaneously 
use the sanitized version to inform other members of the 
intrusion without compromising the confidentiality of the 
reporting company.
    Here in Phoenix, we are planning to roll out our InfraGard 
Chapter on May 9. We expect to have representatives from in-
state universities, businesses, and some of the critical 
infrastructures on hand.
    We look forward to working with Congress to ensure that law 
enforcement can continue to address the cyber crime problem in 
the year ahead.
    Thank you.
    [The prepared statement of Mr. Gonzalez follows:]

                Prepared Statement of Guadalupe Gonzalez

                              INTRODUCTION
    Mr. Chairman, Members of the Subcommittee: Thank you for inviting 
me to discuss the threats to our Nation's critical infrastructures and 
the FBI's approach in the field to meeting those challenges. In 
February 1998 the National Infrastructure Protection Center (NIPC) was 
established as a focal point for the federal government's efforts to 
protect the critical infrastructures. Following the founding of the 
Center, the National Infrastructure Protection and Computer Intrusion 
Program (NIPCIP) was approved as an FBI investigative program. NIPCIP 
is a Tier One priority under the FBI Strategic Plan and serves as the 
FBI vehicle for performing the NIPC's missions under PDD-63. In October 
1999 the NIPCIP was moved to the newly-formed Counterterrorism Division 
of the FBI, reflecting the FBI's high priority on protecting the 
infrastructures from terrorist threats.
    With the support of Congress and in particular the leadership of 
this committee, the NIPCI program has rapidly developed in FBI field 
offices across the United States, including here in Arizona. Today I 
will focus on the nature of the national security and criminal threats 
we face in cyberspace, the progress we have made in meeting those 
threats in the field, and the continuing challenges we face.

                                THE NIPC
    The NIPC is an interagency Center located at the FBI. Created in 
1998, the NIPC serves as the focal point for the government's efforts 
to warn of and respond to cyber attacks, particularly those that are 
directed at our nation's ``critical infrastructures.'' These 
infrastructures include telecommunications and information, energy, 
banking and finance, transportation, government operations, and 
emergency services. Presidential Decision Directive (PDD) 63 directed 
that the NIPC serve as a ``national critical infrastructure threat 
assessment, warning, vulnerability, and law enforcement investigation 
and response entity.'' The PDD further states that the mission of the 
NIPC ``will include providing timely warnings of intentional threats, 
comprehensive analyses and law enforcement investigation and 
response.''
    In field offices such as Phoenix, we have created a cyber crime 
investigative program called the National Infrastructure Protection and 
Computer Intrusion (NIPCI) Program. This program, managed by the NIPC, 
consists of special agents in each FBI Field Office who are responsible 
for investigating computer intrusions, viruses, or denial of service 
attacks, for implementing our key asset initiative, and for conducting 
critical liaison activities with private industry. Cyber crime task 
forces are being developed in partnership with state and local law 
enforcement entities within their jurisdiction to leverage the limited 
resources in this area. The first one opened in Pittsburgh last month.

                     THE BROAD SPECTRUM OF THREATS
Cybercrime threats faced by law enforcement
    Before discussing the FBI's programs and requirements with respect 
to cybercrime, let me take a few minutes to discuss the dimensions of 
the problem. The FBI's case load is increasing dramatically. In fiscal 
year 1998, it opened 547 computer intrusion cases; in fiscal year 1999, 
that had jumped to 1,154. At the same time, because of the opening of 
the National Infrastructure Protection Center (NIPC) in February 1998, and 
improving ability to fight cyber crime, more cases were closed. In 
fiscal year 1998, 399 intrusion cases were closed, and in fiscal year 
1999, 912 such cases were closed. However, given the exponential 
increase in the number of cases opened, cited above, the actual number 
of pending cases has increased by 39 percent, from 601 at the end of 
fiscal year 1998, to 834 at the end of fiscal year 1999. In short, even 
though the FBI has markedly improved its capabilities to fight cyber 
intrusions, the problem is growing even faster.
    A few days ago the Computer Security Institute released its fifth 
annual ``Computer Crime and Security Survey.'' The results only confirm 
what we had already suspected given our burgeoning case load, that more 
companies surveyed are reporting intrusions, that dollar losses are 
increasing, that insiders remain a serious threat, and that more 
companies are doing more business on the Internet than ever before.
    The statistics tell the story. Ninety percent of respondents 
detected security breaches over the last 12 months. At least 74 percent 
of respondents reported security breaches including theft of 
proprietary information, financial fraud, system penetration by 
outsiders, data or network sabotage, or denial of service attacks. 
Information theft and financial fraud caused the most severe financial 
losses, put at $68 million and $56 million respectively. The losses 
from 273 respondents totaled just over $265 million. Losses traced to 
denial of service attacks were only $77,000 in 1998, and by 1999 had 
risen to just $116,250. Further, the new survey reports on numbers 
taken before the high-profile February attacks against Yahoo, Amazon 
and eBay. Finally, many companies are experiencing multiple attacks; 19 
percent of respondents reported 10 or more incidents.
    Over the past several years the FBI has seen a range of computer 
crimes from defacement of websites by juveniles to sophisticated 
intrusions that we suspect may be sponsored by foreign powers, and 
everything in between. Some of these are obviously more significant 
than others. The theft of national security information from a 
government agency or the interruption of electrical power to a major 
metropolitan area have greater consequences for national security, 
public safety, and the economy than the defacement of a web-site. But 
even the less serious categories have real consequences and, 
ultimately, can undermine confidence in e-commerce and violate privacy 
or property rights. A website hack that shuts down an e-commerce site 
can have disastrous consequences for a business. An intrusion that 
results in the theft of credit card numbers from an online vendor can 
result in significant financial loss and, more broadly, reduce 
consumers' willingness to engage in e-commerce. Because of these 
implications, it is critical that we have in place the programs and 
resources to investigate and, ultimately, to deter these sorts of 
crimes.
    The following are some of the categories of cyber threats that we 
confront today.
    Insiders. The disgruntled insider (a current or former employee of 
a company) is a principal source of computer crimes for many companies. 
Insiders' knowledge of the target companies' network often allows them 
to gain unrestricted access to cause damage to the system or to steal 
proprietary data. The just-released 2000 survey by the Computer 
Security Institute and FBI reports that 71 percent of respondents 
detected unauthorized access to systems by insiders.
    In January and February 1999 the National Library of Medicine (NLM) 
computer system, relied on by hundreds of thousands of doctors and 
medical professionals from around the world for the latest information 
on diseases, treatments, drugs, and dosage units, suffered a series of 
intrusions where system administrator passwords were obtained, hundreds 
of files were downloaded which included sensitive medical ``alert'' 
files and programming files that kept the system running properly. The 
intrusions were a significant threat to public safety and resulted in a 
monetary loss in excess of $25,000. FBI investigation identified the 
intruder as Montgomery Johns Gray, III, a former computer programmer 
for NLM, whose access to the computer system had been revoked. Gray was 
able to access the system through a ``backdoor'' he had created in the 
programming code. Due to the threat to public safety, a search warrant 
was executed for Gray's computers and Gray was arrested by the FBI 
within a few days of the intrusions. Subsequent examination of the 
seized computers disclosed evidence of the intrusion as well as images 
of child pornography. Gray was convicted by a jury in December 1999 on 
three counts for violation of Title 18 U.S.C. Sec. 1030. Subsequently, 
Gray pleaded guilty to receiving obscene images through the Internet, 
in violation of 47 U.S.C. 223.
    Hackers. Hackers (or ``crackers'') are also a common threat. They 
sometimes crack into networks simply for the thrill of the challenge or 
for bragging rights in the hacker community. Recently, however, we have 
seen more cases of hacking for illicit financial gain or other 
malicious purposes.
    While remote cracking once required a fair amount of skill or 
computer knowledge, hackers can now download attack scripts and 
protocols from the World Wide Web and launch them against victim sites. 
Thus while attack tools have become more sophisticated, they have also 
become easier to use. The distributed denial-of-service (DDOS) attacks 
last month are only the most recent illustration of the economic 
disruption that can be caused by tools now readily available on the 
Internet.
    Another recent case illustrates the scope of the problem. In March, 
authorities in the United Kingdom, acting in coordination with the FBI, 
arrested two individuals for alleged intrusions into e-commerce sites 
in several countries and the theft of credit card information on over 
26,000 accounts. One subject used the Internet alias ``CURADOR.'' 
Losses from this case could exceed $3,000,000. The FBI cooperated 
closely with the Dyfed-Powys Police Service in the United Kingdom, the 
Royal Canadian Mounted Police in Canada, and private industry. This 
investigation involved the Philadelphia Division, seven other FBI field 
offices, our Legal Attache in London, and the NIPC. This case 
demonstrates the close partnerships that we have built with our foreign 
law enforcement counterparts and with private industry.
    We are making some progress in convicting hackers. For example, on 
March 8, 2000, FBI Boston Division and New Hampshire Police arrested 
Dennis M. Moran, aka COOLIO, in association with the unauthorized 
intrusion and changes made to the Drug Abuse Resistance Education's 
(DARE) Web site, violating New Hampshire State Laws 638: 17 and 638: 
18(I), unauthorized access into a computer system, unauthorized changes 
to a computer system and damage to a computer system exceeding 
$1,000.00. It is anticipated that the New Hampshire State Attorney's 
Office will prosecute Moran, who is 17, as an adult. The United States 
Attorney's Office for the District of New Hampshire has therefore 
deferred prosecution of Moran to the State.
    In April, Patrick Gregory, the co-founder of the hacker group known 
as ``Global Hell,'' was convicted of a single count of conspiracy to 
commit telecommunications wire fraud and computer hacking in Texas U.S. 
District Court. He currently awaits sentencing.
    Virus Writers. Virus writers are posing an increasingly serious 
threat to networks and systems worldwide. Last year saw the 
proliferation of several destructive computer viruses or ``worms,'' 
including the Melissa Macro Virus, the Explore.Zip worm, and the CIH 
(Chernobyl) Virus. The NIPC frequently sends out warnings or advisories 
regarding particularly dangerous viruses, which can allow potential 
victims to take protective steps and minimize the destructive 
consequences of a virus.
    The Melissa Macro Virus was a good example of the NIPC's two-fold 
response--encompassing both warning and investigation--to a virus 
spreading in the networks. The NIPC sent out warnings as soon as it had 
solid information on the virus and its effects; these warnings helped 
alert the public and reduce the potential destructive impact of the 
virus. On the investigative side, the NIPC acted as a central point of 
contact for the field offices who worked leads on the case. A tip 
received by the New Jersey State Police from America Online, and their 
follow-up investigation with the FBI's Newark Division, led to the 
April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one 
count of violating 18 U.S.C. Sec. 1030 in Federal Court, and to four 
state felony counts. As part of his guilty plea, Smith stipulated to 
affecting one million computer systems and causing $80 million in 
damage. Smith is awaiting sentencing.
    Criminal Groups. We are also seeing the increased use of cyber 
intrusions by criminal groups who attack systems for purposes of 
monetary gain. In September, 1999, two members of a group dubbed the 
``Phonemasters'' were sentenced after their conviction for theft and 
possession of unauthorized access devices (18 USC Sec. 1029) and 
unauthorized access to a federal interest computer (18 USC Sec. 1030). 
The ``Phonemasters'' were an international group of criminals who 
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even 
the National Crime Information Center. Under judicially approved 
electronic surveillance orders, the FBI's Dallas Division made use of 
new technology in the investigation. One suspect, Mr. Calvin Cantrell, 
downloaded thousands of Sprint calling card numbers, which he sold to a 
Canadian individual, who passed them on to someone in Ohio. These 
numbers made their way to an individual in Switzerland and eventually 
ended up in the hands of organized crime groups in Italy. Cantrell was 
sentenced to two years as a result of his guilty plea, while one of his 
associates, Cory Lindsay, was sentenced to 41 months.
    The Phonemasters' methods included ``dumpster diving'' to gather 
old phone books and technical manuals for systems. They used this 
information to trick employees into giving up their logon and password 
information. The group then used this information to break into victim 
systems. It is important to remember that often ``cyber crimes'' are 
facilitated by old fashioned guile, such as calling employees and 
tricking them into giving up passwords. Good cyber security practices 
must therefore address personnel security and ``social engineering'' in 
addition to instituting electronic security measures.
    Beyond criminal threats in cyber space, we also face a variety of 
significant national security threats.
    Terrorists. Terrorist groups are increasingly using new 
information technology and the Internet to formulate plans, raise 
funds, spread propaganda, and to communicate securely. In his statement 
on the worldwide threat in 2000, Director of Central Intelligence 
George Tenet testified that terrorist groups, ``including Hizbollah, 
HAMAS, the Abu Nidal organization, and Bin Laden's al Qa'ida 
organization are using computerized files, e-mail, and encryption to 
support their operations.'' In one example, convicted terrorist Ramzi 
Yousef, the mastermind of the World Trade Center bombing, stored 
detailed plans to destroy United States airliners on encrypted files on 
his laptop computer. While we have not yet seen these groups employ 
cyber tools as a weapon to use against critical infrastructures, their 
reliance on information technology and acquisition of computer 
expertise are clear warning signs. Moreover, we have seen other 
terrorist groups, such as the Internet Black Tigers (who are reportedly 
affiliated with the Tamil Tigers), engage in attacks on foreign 
government websites and e-mail servers. ``Cyber terrorism''--by which I 
mean the use of cyber tools to shut down critical national 
infrastructures (such as energy, transportation, or government 
operations) for the purpose of coercing or intimidating a government or 
civilian population--is thus a very real, though still largely 
potential, threat.
    Foreign intelligence services. Not surprisingly, foreign 
intelligence services have adapted to using cyber tools as part of 
their espionage tradecraft. Even as far back as 1986, before the 
worldwide surge in Internet use, the KGB employed West German hackers 
to access Department of Defense systems in the well-known ``Cuckoo's 
Egg'' case. Foreign intelligence services increasingly view computer 
intrusions as a useful tool for acquiring sensitive U.S. Government and 
private sector information.
    More recently, we observed a series of intrusions into numerous 
Department of Defense and other federal government computer networks 
and private sector entities. Investigation last year determined that 
the intrusions appear to have originated in Russia. The intruder 
successfully accessed U.S. Government networks and took large amounts 
of unclassified but sensitive information, including defense technical 
research information. The NIPC coordinated a multi-agency 
investigation, working closely with FBI field offices, the Department 
of Defense, and the Intelligence Community.
    Information Warfare. The prospect of ``information warfare'' by 
foreign militaries against our critical infrastructures is perhaps the 
greatest potential cyber threat to our national security. We know that 
several foreign nations are developing information warfare doctrine, 
programs, and capabilities for use against the United States or other 
nations. Knowing that they cannot match our military might with 
conventional or ``kinetic'' weapons, some nations see cyber attacks on 
our critical infrastructures or military operations as a way to hit 
what they perceive as America's Achilles' heel--our growing dependence 
on information technology in government and commercial operations. For 
example, two Chinese military officers recently published a book that 
called for the use of unconventional measures, including the 
propagation of computer viruses, to counterbalance the military power 
of the United States. And a Russian official has also commented that an 
attack on a national infrastructure could, ``by virtue of its 
catastrophic consequences, completely overlap with the use of [weapons] 
of mass destruction.''
Distributed denial of service tools
    The recent distributed denial of service (DDOS) attacks on e-
commerce sites have garnered a tremendous amount of interest in the 
public and in the Congress. While we do not yet have official damage 
estimates, the Yankee Group, a research firm, estimates the impact of 
the attacks at $1.2 billion due to capitalization losses, lost 
revenues, and security upgrades. Because we are actively investigating 
these attacks, I cannot provide a detailed briefing on the status of 
our efforts. However, I can provide an overview of our activities to 
deal with the DDOS threat beginning last year and of our investigative 
efforts. These attacks illustrate the growing availability of 
destructive, yet easy-to-use, exploits that are widely available on the 
Internet. They also demonstrate the NIPC's two-fold mission: sharing 
information with the private sector and warning of possible threats, 
and responding to actual attacks.
    In the fall of last year, the NIPC began receiving reports about a 
new set of ``exploits'' or attack tools collectively called distributed 
denial of service (or DDOS) tools. DDOS variants include tools known as 
``Trin00,'' ``Tribal Flood Net'' (TFN), ``TFN2K,'' and ``Stacheldraht'' 
(German for ``barbed wire''). These tools essentially work as follows: 
hackers gain unauthorized access to a computer system(s) and place 
software code on it that renders that system a ``master'' (or a 
``handler''). The hackers also intrude into other networks and place 
malicious code which makes those systems into agents (also known as 
``zombies'' or ``daemons'' or ``slaves''). Each Master is capable of 
controlling multiple agents. In both cases, the network owners normally 
are not aware that dangerous tools have been placed and reside on their 
systems, thus becoming third-party victims to the intended crime.
    The ``Masters'' are activated either remotely or by internal 
programming (such as a command to begin an attack at a prescribed time) 
and are used to send information to the agents, activating their DDOS 
ability. The agents then generate numerous requests to connect with the 
attack's ultimate target(s), typically using a fictitious or 
``spoofed'' IP (Internet Protocol) address, thus providing a falsified 
identity as to the source of the request. The agents act in unison to 
generate a high volume of traffic from several sources. This type of 
attack is referred to as a SYN flood, as the SYN is the initial effort 
by the sending computer to make a connection with the destination 
computer. Due to the volume of SYN requests the destination computer 
becomes overwhelmed in its efforts to acknowledge and complete a 
transaction with the sending computers, degrading or denying its 
ability to complete service with legitimate customers--hence the term 
``Denial of Service''. These attacks are especially damaging when they 
are coordinated from multiple sites--hence the term Distributed Denial 
of Service.
    An analogy would be if someone launched an automated program to 
have hundreds of phone calls placed to the Capitol switchboard at the 
same time. All of the good efforts of the staff would be overcome. Many 
callers would receive busy signals due to the high volume of telephone 
traffic.
    In November and December, the NIPC received reports that 
universities and others were detecting the presence of hundreds of 
agents on their networks. The number of agents detected clearly could 
have been only a small subset of the total number of agents actually 
deployed. In addition, we were concerned that some malicious actors 
might choose to launch a DDOS attack around New Year's Eve in order to 
cause disruption and gain notoriety due to the great deal of attention 
that was being paid to the Y2K rollover. Accordingly, we decided to 
issue a series of alerts in December to government agencies, industry, 
and the public about the DDOS threat.
    Moreover, in late December, it was determined that a detection tool 
that was developed by the NIPC for investigative purposes might also be 
used by network operators to detect the presence of DDOS agents or 
masters on their operating systems, and thus would enable them to 
remove an agent or master and prevent the network from being 
unwittingly utilized in a DDOS attack. Moreover, at that time there 
was, to our knowledge, no similar detection tool available 
commercially. The NIPC therefore decided to take the unusual step of 
releasing the tool to the Department of Defense, other government 
agencies, and to the public in an effort to reduce the level of the 
threat. The first variant of our software was made available on the 
NIPC web site on December 30, 1999. To maximize the public awareness of 
this tool, we announced its availability in an FBI press release that 
same date. Since the first posting of the tool, we have posted three 
updated versions that have perfected the software and made it 
applicable to different operating systems.
    The public has downloaded these tools tens of thousands of times 
from the web site, and has responded by reporting many installations of 
the DDOS software, thereby preventing their networks from being used in 
attacks and leading to the opening of criminal investigations both 
before and after the widely publicized attacks of the last few weeks. 
The work with private companies has been so well received that the 
trade group SANS awarded their yearly Security Technology Leadership 
Award to members of the NIPC's Special Technologies Applications Unit.
    In February, reports were received that a new variation of DDOS 
tools was being found on Windows operating systems. One victim entity 
provided us with the object code to the tool found on its network. On 
February 18 the binaries were made available to anti-virus companies 
(through an industry association) and the Computer Emergency Response 
Team (CERT) at Carnegie Mellon University for analysis and so that 
commercial vendors could create or adjust their products to detect the 
new DDOS variant. Given the attention that DDOS tools have received in 
recent weeks, there are now numerous detection and security products to 
address this threat, so it was determined that the NIPC could be most 
helpful by giving them the necessary code rather than deploying a 
detection tool ourselves.
    Unfortunately, the warnings that we and others in the security 
community had issued about DDOS tools last year, while alerting many 
potential victims and reducing the threat, did not eliminate the 
threat. Quite frequently, even when a threat is known and patches or 
detection tools are available, network operators either remain unaware 
of the problem or fail to take necessary protective steps. In addition, 
in the cyber equivalent of an arms race, exploits evolve as hackers 
design variations to evade or overcome detection software and filters. 
Even security-conscious companies that put in place all available 
security measures therefore are not invulnerable. And, particularly 
with DDOS tools, one organization might be the victim of a successful 
attack despite its best efforts, because another organization failed to 
take steps to keep itself from being made the unwitting participant in 
an attack.
    On February 7, 2000, the NIPC received reports that Yahoo had 
experienced a denial of service attack. In a display of the close 
cooperative relationship that we have developed with the private 
sector, in the days that followed, several other companies (including 
Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also 
reported denial of service outages to the NIPC or FBI field offices. 
These companies cooperated with us by providing critical logs and other 
information. Still, the challenges to apprehending the suspects are 
substantial. In many cases, the attackers used ``spoofed'' IP 
addresses, meaning that the address that appeared on the target's log 
was not the true address of the system that sent the messages. In 
addition, many victims do not keep complete network logs.
    The resources required in an investigation of this type are 
substantial. Companies have been victimized or used as ``hop sites'' in 
numerous places across the country, meaning that we must deploy special 
agents nationwide to work leads. We currently have seven FBI field 
offices with cases opened and all the remaining offices are supporting 
the offices that have opened cases. Agents from these offices are 
following up literally hundreds of leads. The NIPC is coordinating the 
nationwide investigative effort, performing technical analysis of logs 
from victim sites and Internet Service Providers (ISP's), and 
providing all-source analytical assistance to field offices. Moreover, 
parts of the evidentiary trail have led overseas, requiring us to work 
with our foreign counterparts in several countries through our Legal 
Attaches (Legats) in U.S. embassies. Here in Phoenix we followed up on 
leads resulting from the DDOS attacks.
    While the crime may be high tech, investigating it involves a 
substantial amount of traditional investigative work as well as highly 
technical work. Interviews of network operators and confidential 
sources can provide very useful information, which leads to still more 
interviews and leads to follow-up. And victim sites and ISP's provide 
an enormous amount of log information that needs to be processed and 
analyzed by human analysts.

                CHALLENGES IN COMBATING CYBER INTRUSIONS
    The burgeoning problem of cyber intrusions, viruses, and denial of 
service attacks poses unique challenges to the NIPC. These challenges 
require novel solutions, close teamwork among agencies and with the 
private sector, and adequate human and technical resources.
    Identifying the Intruder. One major difficulty that distinguishes 
cyber threats from physical threats is determining who is attacking 
your system, why, how, and from where. This difficulty stems from the 
ease with which individuals can hide or disguise their tracks by 
manipulating logs and directing their attacks through networks in many 
countries before hitting their ultimate target. The ``Solar Sunrise'' 
case illustrates this point. This will continue to pose a problem as 
long as the Internet remains rife with vulnerabilities and allows easy 
anonymity and concealment.
    Jurisdictional Issues. Another significant challenge we face is 
intrusions involving multiple jurisdictions. A typical investigation 
involves victim sites in multiple states and often many countries. This 
is the case even when the hacker and victim are both located in the 
United States. In the United States, we can subpoena records, engage in 
judicially approved electronic surveillance, and execute search 
warrants on suspects' homes, seize evidence, and examine it. We can do 
none of those things ourselves overseas; rather, we depend on the local 
authorities to assist us. However, some local police forces do not have 
the technical resources or expertise to provide assistance. In other 
cases, these nations may not have laws against computer intrusions and 
are therefore limited in their ability to help us. FBI Legal Attaches 
in 35 embassies abroad provide critical help in building bridges with 
local law enforcement to enhance cooperation on cyber crime and in 
working leads on investigations. As the Internet spreads to even more 
countries, we will see greater demands placed on the Legats to support 
computer crime investigations. The NIPC also has held international 
computer crime conferences and offered cyber crime training classes to 
foreign law enforcement officials to develop liaison contacts and bring 
these officials up to speed on cyber crime issues.
    The most difficult situation will arise, however, in which a 
foreign country with interests adverse to our own simply refuses to 
cooperate. In such a situation, we could find that an investigation is 
stymied unless we find an alternative method of tracing the activity 
back to its source.

                          THE LEGAL LANDSCAPE
    To deal with this crime problem, we must look at whether changes to 
the legal procedures governing investigation and prosecution of cyber 
crimes are warranted. The problem of Internet crime has grown at such a 
rapid pace that the laws have not kept up with the technology. The FBI 
is working with the Department of Justice to propose a legislative 
package for your review to help keep our laws in step with these 
advances.
    One example of some of the problems law enforcement is facing is 
the jurisdictional limitation of pen registers and trap-and-trace 
orders issued by federal district courts. These orders allow only the 
capturing of tracing information, not the content of communications. 
Currently, in order to track back a hacking episode in which a single 
communication is purposely routed through a number of Internet Service 
Providers that are located in different states, we generally have to 
get multiple court orders. This is because, under current law, a 
federal court can order communications carriers only within its 
district to provide tracing information to law enforcement. As a result 
of the fact that investigators typically have to apply for numerous 
court orders to trace a single communication, there is a needless waste 
of time and resources, and a number of important investigations are 
either hampered or derailed entirely in those instances where law 
enforcement gets to a communications carrier after that carrier has 
already discarded the necessary information. For example, Kevin Mitnick 
evaded attempts to trace his calls by moving around the country and by 
using cellular phones, which routed calls through multiple carriers on 
their way to the final destination. It was impossible to get orders 
quickly enough in all the jurisdictions to trace the calls.
    Finally, we should consider whether current sentencing provisions 
for computer crimes provide an adequate deterrence. Given the degree of 
harm that can be caused by a virus, intrusion, or a denial of service--
in terms of monetary loss to business and consumers, infringement of 
privacy, or threats to public safety when critical infrastructures are 
affected--it would be appropriate to consider, as S. 2092 does, whether 
penalties established years ago remain adequate.
    Evaluation of the effectiveness of 18 U.S.C. Sec. 1030 and the 
tools to enforce it under both current law and under S. 2092.--
Generally, 18 U.S.C. Sec. 1030 has enabled the FBI and other law 
enforcement agencies to investigate and prosecute persons who would use 
the power of the Internet and computers for criminal purposes. 
Nonetheless, just as computer crime has evolved over the years, so too 
must our laws and procedures evolve to meet the changing nature of 
these crimes.
    One persistent problem is the need under current law to demonstrate 
at least $5,000 in damage for certain hacking offenses enumerated by 18 
U.S.C. Sec. 1030(a)(5). In some of the cases investigated by the FBI, 
damages in excess of $5,000 on a particular system are difficult to 
prove. In other cases, the risk of harm to individuals or to the public 
safety posed by breaking into numerous systems and obtaining root 
access, with the ability to destroy the confidentiality or accuracy of 
crucial--perhaps lifesaving information--is very real and very serious 
even if provable monetary damages never approach the $5,000 mark. In 
investigations involving the dissemination or importation of a virus or 
other malicious code, the $5,000 threshold could potentially delay or 
hinder early intervention by Federal law enforcement.
    S. 2092 significantly adjusts the $5,000 threshold and other 
provisions in the current law by: (1) creating a misdemeanor offense 
for those cases where damages are below $5,000, while simultaneously 
adjusting the minimum mandatory sentences under the Sentencing 
Guidelines; and (2) moving the aggravating factors previously included 
in the definition of ``damage'' under 18 U.S.C. Sec. 1030(e)(8) (such as 
impairment of medical diagnosis, physical injury to any person, threat 
to public health or safety or damage to national security, national 
defense or administration of justice computers) to the general 
sentencing provisions of Sec. 1030(c) (where they will be on par in 
serious cases with the existing $5,000 threshold requirement and will 
expose offenders to an enhanced 10-year period of imprisonment up from 
the current maximum of 5 years). The critical element here is that the 
criminal intended to cause damage, not the specific amount of damage he 
intended to cause.
    Another issue involves the alarming number of computer hackers 
encountered in our investigations who are juveniles. Under current law, 
Federal authorities are not able to prosecute juveniles for any 
computer violations of 18 U.S.C. Sec. 1030. S. 2092 would authorize 
(but not require) the Attorney General to certify for juvenile 
prosecution in Federal court youthful offenders who commit the more 
serious felony violations of section 1030. Recognizing that this change 
will, over time, result in the prosecution of repeat offenders, S. 2092 
also defines the term ``conviction'' under Sec. 1030 to include prior 
adjudications of juvenile delinquency for violations of that section. 
This is intended to provide greater specific deterrence to juveniles 
who are adjudicated delinquent for computer hacking. Similarly, a 
majority of the States have enacted criminal statutes prohibiting 
unauthorized computer access analogous to the provisions of section 
1030. As State prosecutions for these offenses increase, the likelihood 
of encountering computer offenders in Federal investigations who have 
prior State convictions will similarly rise. The Department is studying 
whether prior state adult convictions for comparable computer crimes 
justify enhanced penalties for violations of section 1030, just as 
prior State convictions for drug offenses trigger enhanced penalties 
for comparable Federal drug violations.
    Law enforcement also needs updated tools to investigate, identify, 
apprehend and successfully prosecute computer offenders. Today's 
electronic crimes, which occur at the speed of light, cannot be 
effectively investigated with procedural devices forged in the last 
millennium during the infancy of the information technology age. 
Statutes need to be rendered technology neutral so that they can be 
applied regardless of whether a crime is committed with pen and paper, 
e-mail, telephone or geosynchronous orbit satellite personal 
communication devices.
    As discussed above, a critical factor in the investigation of 
computer hacking cases is law enforcement's ability to swiftly identify 
the source and the direction of a hacker's communications. Like all law 
enforcement agencies, the FBI relies upon the pen register and trap and 
trace provisions contained in 18 U.S.C. Sec. 3121 et seq. to seek court 
approval to acquire data identifying non-content information relating 
to a suspect's communications. Our ability to identify the perpetrators 
of crimes like computer hacking is directly proportional to our ability 
to quickly acquire the necessary court orders and quickly serve them 
upon one or more service providers in a communications chain. Under 
current law, however, valuable time is consumed in acquiring individual 
court orders in the name of each communications company for each newly 
discerned link in the communications chain even though the legal 
justification for the disclosure remains unchanged and undiminished. S. 
2092 would amend 18 U.S.C. Sec. 3123(a) to authorize Federal courts to 
issue one nation-wide order which may then be served upon one or more 
service providers thereby substantially reducing the time necessary to 
identify the complete pathway of a suspect's communication. Second, S. 
2092 makes the statute more technology neutral by, among other things, 
inserting the terms ``or other facility'' wherever ``telephone'' 
appears. This change codifies Federal court decisions that apply the 
statute's provisions not merely to traditional telephone, but to an 
ever expanding array of other communications facilities. Together, 
these are important changes that do not alter or lower the showing 
necessary for the issuance of the court order but which do enhance the 
order's usefulness to law enforcement.
    We support the goal of S. 2092 to strengthen the general deterrence 
aspects of the Computer Fraud and Abuse Act, and to provide some needed 
procedural enhancements to help us confront the expanding criminal 
threat in this dynamic and important part of our national economy while 
continuing to protect individual privacy interests. The FBI looks 
forward to working with the Committee on this important legislation.

                        INTERAGENCY COOPERATION
    The broad spectrum of cyber threats described earlier, ranging from 
hacking to foreign espionage and information warfare, requires not just 
new technologies and skills on the part of investigators, but new 
organizational constructs as well. In most cyber attacks, the identity, 
location, and objective of the perpetrator are not immediately 
apparent. Nor is the scope of his attack--i.e., whether an intrusion is 
isolated or part of a broader pattern affecting numerous targets. This 
means it is often impossible to determine at the outset if an intrusion 
is an act of cyber vandalism, organized crime, domestic or foreign 
terrorism, economic or traditional espionage, or some form of strategic 
military attack. The only way to determine the source, nature, and 
scope of the incident is to gather information from the victim sites 
and intermediate sites such as ISP's and telecommunications carriers. 
Under our constitutional system, such information typically can be 
gathered only pursuant to criminal investigative authorities. This is 
why the NIPC is part of the FBI, allowing us to utilize the FBI's legal 
authorities to gather and retain information and to act on it, 
consistent with constitutional and statutory requirements.
    But the dimension and varied nature of the threats also means that 
this is an issue that concerns not just the FBI and law enforcement 
agencies, but also the Department of Defense, the Intelligence 
Community, and civilian agencies with infrastructure-focused 
responsibility such as the Departments of Energy and Transportation. It 
also is a matter that greatly affects state and local law enforcement. 
This is why the NIPC is an interagency center, with representatives 
detailed to the FBI from numerous federal agencies and representation 
from state and local law enforcement as well. These representatives 
operate under the direction and authority of the FBI, but bring with 
them expertise and skills from their respective home agencies that 
enable better coordination and cooperation among all relevant agencies, 
consistent with applicable laws.
    In Phoenix, we work closely with the U.S. military as well as other 
government agencies. For example, we have worked with U.S. military 
installations located in Arizona on attempted intrusions into their 
systems. The expansion of cyber task forces, such as the one just 
started in Pittsburgh, to other field divisions such as Phoenix, should 
assist us with interagency cooperation.

                       PRIVATE SECTOR COOPERATION
    Our success in battling cyber crime also depends on close 
cooperation with private industry. This is the case for several 
reasons. First, most of the victims of cyber crimes are private 
companies. Therefore, successful investigation and prosecution of cyber 
crimes depends on private victims reporting incidents to law 
enforcement and cooperating with the investigators. Contrary to press 
statements by cyber security companies that private companies won't 
share information with law enforcement, many private companies have 
reported incidents and threats to the NIPC or FBI field offices. While 
there are undoubtedly companies that would prefer not to report a crime 
because of the subsequent loss of consumer confidence, the situation 
has improved markedly. Companies increasingly realize that deterrence 
of crime depends on effective law enforcement, and that the long-term 
interests of industry depend on establishing a good working 
relationship with government to prevent and investigate crime.
    Second, the network administrator at a victim company or ISP is 
critical to the success of an investigation. Only that administrator 
knows the unique configuration of their system, and the administrator 
typically must work with an investigator to find critical transactional 
data that will yield evidence of a criminal's activity.
    Third, the private sector has the technical expertise that is often 
critical to resolving an investigation. It would be impossible for us 
to retain experts in every possible operating system or network 
configuration, so private sector assistance is critical. In addition, 
many investigations require the development of unique technical tools 
to deal with novel problems. Private sector assistance has been 
critical there as well.
    We have several other initiatives devoted to private sector 
outreach that bear mentioning here. The first is called ``InfraGard.'' 
This is an initiative that we have developed in concert with private 
companies and academia to encourage information-sharing about cyber 
intrusions, exploited vulnerabilities, and physical infrastructure 
threats. A vital component of InfraGard is the ability of industry to 
provide information on intrusions to the local FBI field office using 
secure e-mail communications in both a ``sanitized'' and detailed 
format. The local FBI field offices can, if appropriate, use the 
detailed version to initiate an investigation; while NIPC Headquarters 
can analyze that information in conjunction with other information we 
obtain to determine if the intrusion is part of a broader attack on 
numerous sites. The NIPC can simultaneously use the sanitized version 
to inform other members of the intrusion without compromising the 
confidentiality of the reporting company. The key to this system is 
that whether, and what, to report is entirely up to the reporting 
company. A secure web site also contains a variety of analytic and 
warning products that we make available to the InfraGard community. The 
success of InfraGard is premised on the notion that sharing is a two-
way street: the NIPC will provide threat information that companies can 
use to protect their systems, while companies will provide incident 
information that can be used to initiate an investigation and to warn 
other companies.
    Here in Phoenix, we are planning to roll out our InfraGard Chapter 
on May 9. We expect to have representatives from in-state universities, 
businesses, and some of the critical infrastructures on hand.
    Our Key Asset Initiative (KAI) is focused more specifically on the 
owners and operators of critical components of each of the 
infrastructure sectors. It facilitates response to threats and 
incidents by building liaison and communication links with the owners 
and operators of individual companies and enabling contingency 
planning. The KAI began in the 1980's and focused on physical 
vulnerabilities to terrorism. Under the NIPC, the KAI has been 
reinvigorated and expanded to focus on cyber vulnerabilities as well. 
The KAI currently involves determining which assets are key within the 
jurisdiction of each FBI Field Office and obtaining 24-hour points of 
contact at each asset in cases of emergency. Eventually, if future 
resources permit, the initiative will include the development of 
contingency plans to respond to attacks on each asset, exercises to 
test response plans, and modeling to determine the effects of an attack 
on particular assets. FBI field offices are responsible for developing 
a list of the assets within their respective jurisdictions, while the 
NIPC maintains the national database. The KAI is being developed in 
coordination with DOD and other agencies. Currently the database has 
about 2,600 entries. This represents 2,600 contacts with key private 
sector nodes made by the NIPC and FBI field offices.
    Here in the Phoenix Division, we have identified dozens of key 
assets around the state for inclusion in the national list. These 
assets include power generation facilities, water storage and 
distribution centers, transportation assets, military installations, 
research institutions, and key public emergency service entities.
    Much has been said over the last few years about the importance of 
information sharing. Here in the Phoenix Division, we have an excellent 
working relationship with our private sector counterparts and the 
community in general. We share information on a number of areas, 
including infrastructure protection, and receive information from the 
private sector that greatly assists us in protecting the community. As a 
result of our close working relationship with the private sector we can 
detect criminal activity in its initial stages and in some cases 
prevent criminal incidents. The NIPC also provides the private sector 
with warning information which also lessens their vulnerability. These 
warnings assist field offices like Phoenix to be better prepared and 
better protect our community. They further allow us the opportunity to 
respond quickly and efficiently to cyber threats. I believe that as 
companies continue to gain experience in dealing with the NIPC and FBI 
field offices, as we continue to provide them with important and useful 
threat information, and as companies recognize that cyber crime 
requires a joint effort by industry and government together, we will 
continue to make real progress in this area.

                    MEETING THE GROWING CYBER THREAT
    As Internet use continues to soar, the number of cyber attacks is 
also increasing exponentially. Nationally there are over 1000 open 
computer intrusion cases. Further, this figure does not count computer 
facilitated crimes such as Internet fraud, child pornography, or e-mail 
extortion efforts. In these cases, the NIPC and NIPCI squads often 
provide technical assistance to traditional investigative programs 
responsible for these categories of crime.
    We can clearly expect these upward trends to continue, and for the 
threats to become more serious. While insiders, hackers, and criminal 
groups make up much of our case load at the moment, we can anticipate a 
growing number of national security cases in the near future. To meet 
this challenge, we must ensure that we have adequate resources, 
including both personnel and equipment, both at the NIPC and in FBI 
field offices. We currently have 193 agents nationwide dedicated to 
investigating computer intrusion and virus cases. In order to maximize 
investigative resources the FBI has taken the approach of creating 
regional squads in 16 field offices that have sufficient size to work 
complex intrusion cases and to assist those field offices without a 
NIPCI squad. In those field offices without squads, the FBI is building 
a baseline capability by having one or two agents work NIPC matters, 
i.e. computer intrusions (criminal and national security), viruses, 
InfraGard, state and local liaison, etc.
    The Phoenix office has a three agent team working on infrastructure 
protection and computer intrusion matters. Three agents are assigned to 
investigate cyber child pornography, and an additional four agents are 
assigned to the Computer Assisted Response Team (CART), which is 
responsible for providing cyber forensics in support of all the cyber 
investigations in the Phoenix office. Since January 1, 2000 the Phoenix 
office has opened 9 new computer intrusion cases. This represents an 
almost 100 percent increase over the computer intrusion cases opened in 1999.
    Currently, at NIPC Headquarters, there are 101 personnel on board, 
including 82 FBI employees and 19 detailees from other government 
agencies. This cadre of investigators, computer scientists, and 
analysts performs the numerous and complex tasks outlined above, and 
provides critical coordination and support to field office 
investigations. As the crime problem grows, we need to make sure that 
we keep pace by bringing on board additional personnel, including from 
other agencies and the private sector.
    In addition to putting in place the requisite number of agents, 
analysts, and computer scientists in the NIPC and in FBI field offices, 
we must fill those positions by recruiting and retaining personnel who 
have the appropriate technical, analytical, and investigative skills. 
This includes personnel who can read and analyze complex log files, 
perform all-source analysis to look for correlations between events or 
attack signatures and glean indications of a threat, develop technical 
tools to address the constantly changing technological environment, and 
conduct complex network investigations. There is a very tight market 
for information technology professionals. The Federal Government needs 
to be able to recruit the very best people into its programs. 
Fortunately, we can offer exciting, cutting-edge work in this area and 
can offer agents, analysts, and computer scientists the opportunities 
to work on issues that no one else addresses, and to make a difference 
to our national security and public safety. In addition, Congress 
provided the FBI with a pilot program that exempts certain technical 
personnel from the Title V civil service rules, which allows us to pay 
more competitive salaries and recruit and retain top notch personnel. 
Unfortunately, this pilot is scheduled to expire in November unless 
extended.
    Training and continuing education are also critical, and we have 
made this a top priority at the NIPC. In fiscal year 1999, we trained 
383 FBI and other-government-agency students in NIPC sponsored training 
classes on network investigations and infrastructure protection. The 
emphasis for 2000 is on continuing to train federal personnel while 
expanding training opportunities for state and local law enforcement 
personnel. During fiscal year 2000, we plan to train approximately 740 
personnel from the FBI, other federal agencies, and state and local law 
enforcement.
    Developing and deploying the best equipment in support of the 
mission is also very important. Not only do investigators and analysts 
need the best equipment to conduct investigations in the rapidly 
evolving cyber system, but the NIPC must be on the cutting edge of cyber 
research and development. Conducting a network intrusion or denial-of-
service investigation often requires analysis of voluminous amounts of 
data. For example, one network intrusion case involving an espionage 
matter currently being investigated has required the analysis of 17.5 
Terabytes of data. To place this into perspective, the entire 
collection of the Library of Congress, if digitized, would comprise 
only 10 Terabytes. The Yahoo DDOS attack involved approximately 630 
Gigabytes of data, which is equivalent to enough printed pages to fill 
630 pickup trucks with paper. Technical analysis requires high capacity 
equipment to store, process, analyze, and display data. Again, as the 
crime problem grows, we must ensure that our technical capacity keeps 
pace. We are also working closely with other agencies to ensure that we 
leverage existing resources to the fullest extent possible.

                      THE ROLE OF LAW ENFORCEMENT
    Finally, I would like to conclude by emphasizing two key points. 
The first is that our role in combating cyber crime is essentially two-
fold: (1) preventing cyber attacks before they occur or limiting their 
scope by disseminating warnings and advisories about threats so that 
potential victims can protect themselves; and (2) responding to attacks 
that do occur by investigating and identifying the perpetrator. This is 
very much an operational role. Our role is not to determine what 
security measures private industry should take, or to ensure that 
companies or individuals take them. It is the responsibility of 
industry to ensure that appropriate security tools are made available 
and are implemented. We certainly can assist industry by alerting them 
to the actual threats that they need to be concerned about, and by 
providing information about the exploits that we are seeing criminals 
use. But network administrators, whether in the private sector or in 
government, are the first line of defense.
    Second, in gathering information as part of our warning and 
response missions, we rigorously adhere to constitutional and statutory 
requirements. Our conduct is strictly limited by the Fourth Amendment, 
statutes such as Title III and ECPA, and the Attorney General 
Guidelines. These rules are founded first and foremost on the 
protection of privacy inherent in our constitutional system. Respect 
for privacy is thus a fundamental tenet in all of our activities.

                               CONCLUSION
    I want to thank the subcommittee again for giving me the 
opportunity to testify here today. The cyber threat is real, 
multifarious, and growing. The FBI is moving aggressively to meet this 
challenge by training investigators and analysts to investigate 
computer intrusion cases, equipping them with the latest technology, 
developing our analytic capabilities and warning mechanisms to head off 
or mitigate attacks, and closely cooperating with the private sector. 
We have already made considerable progress in developing our 
capabilities to protect public safety and national security in the 
Information Age. I look forward to working with Congress to ensure that 
we continue to be able to meet the threat as it evolves and grows. 
Thank you.

    Senator Kyl. Thank you very much, Mr. Gonzalez.
    Let me begin by asking both of you a question. Mr. 
Gonzalez, you mentioned the multiple trap and trace issue, and 
I would like to ask both of you a question about that. For the 
benefit of those who aren't familiar with it, currently Federal 
law requires that law enforcement obtain a separate court order 
for trap and trace authority in each jurisdiction through which 
a cyber attack travels. Obviously, it is important for law 
enforcement to be able to quickly trace a source of an attack, 
as both witnesses have mentioned.
    Could either of you give some examples of how 
investigations have been bogged down by the need to get this 
trap and trace authority in each jurisdiction and how the 
legislation that Senator Schumer and I have introduced, which 
would provide for national trap and trace authority, would 
resolve that issue? Mr. Gonzalez.
    Mr. Gonzalez. Yes, Sir. Well, in terms of the ability to 
obtain the national trap and trace orders, as you mentioned, 
timeliness is of the essence. And because of the different 
nature of how companies involved in information technology deal 
with their records and their record systems, some records are 
destroyed faster than others, it is imperative that we be able 
to get those orders in a timely fashion and be able to get out 
to the place where we need to deliver the orders to recoup the 
information.
    If in the cases we mentioned--we talked about a case, for 
example, where the hacker's victims are in three different 
States and to get there we go through, say, multiple providers 
of either communications services or Internet technology 
services in different jurisdictions, we have to individually go 
to each one of those areas, provide the necessary information 
to get the court order. If we were able to do it at one time, 
it would save us a tremendous amount of time, and we could 
almost simultaneously be at all those different locations at 
one time and obtaining the information we need.
    Senator Kyl. Attorney General Napolitano.
    Ms. Napolitano. Yes, Senator, in response to your question, 
there is a very big need for a Federal hot pursuit statute in 
cyberspace, and the bill that you and Senator Schumer have put 
forward I think is going to be very, very valuable in that 
respect for many of the problems that Special Agent Gonzalez 
has mentioned.
    Let me give you two examples of cases where we have gotten 
bogged down and have had to do an inordinate amount of work to 
get a result.
    One is the very recent case in Scottsdale where a juvenile 
sent a threat via e-mail and basically shut down one of the 
middle schools in Scottsdale while the police department and 
the bomb dogs came out and looked to see whether there was 
anything to the threat. While that was going on, our office was 
tracking down and working with law enforcement to track down 
the source of the e-mail, and we were trying to do it very, very 
quickly both 
because of the school disruptions and because we didn't know 
whether it was a serious threat or not a serious threat.
    To do that, we ultimately in the course of that 
investigation had to obtain separate court orders in both 
California and Virginia to identify the source of the e-mail. 
It would have been much better as a State if we had access to a 
Federal hot pursuit law that would have allowed us to get 
basically nationwide service of an order to track that source.
    A second example is one you may be familiar with, and it 
involved hacking into a local utility company. That ultimately 
required the prosecutors to get orders in very many States all 
over the country to identify the source of the hacking into a 
utility company here.
    So two concrete examples where we have been slowed down, 
have had to do a lot of extra work, and it illustrates the need 
for us to be able to speed up the process.
    Senator Kyl. And just to ensure that there is no invasion 
of privacy or inhibition of exercise of constitutional rights, 
would this nationwide trap and trace authority in any way 
diminish the constitutional rights of any of the entities from 
whom you are trying to obtain information?
    Ms. Napolitano. No, it would not. You would still have to 
comply with the fourth amendment.
    Senator Kyl. And the fourth amendment requirements would 
require that the law enforcement officials do what with respect 
to obtaining an order?
    Ms. Napolitano. In terms of getting a trap and trace order?
    Senator Kyl. Yes.
    Ms. Napolitano. You would still have to get an order issued 
by a court. The difference would be it would have nationwide 
application.
    Senator Kyl. So you would still have to prove the same kind 
of probable cause to a judge for the issuance of the warrant 
that would exist in any other situation?
    Ms. Napolitano. Yes. I assume the basic statutory and 
constitutional requirements for obtaining orders for traps and 
traces would apply. The difference would be that we wouldn't 
have to do it over and over again for basically the same 
search.
    Senator Kyl. Right. This is a good example, it seems to me, 
of the law needing to evolve with technology, or technology is 
going to get way ahead of law enforcement's ability to protect 
the citizens of the country.
    Ms. Napolitano. That is right, because even a delay of a 
few hours while you go to another courthouse in Virginia or 
California can be very critical in these kinds of cases.
    Senator Kyl. Now, I gather it would be safe to say, from 
what both of you have testified, that in Arizona you have seen 
a significant increase in the amount of cyber crime. Would that 
be fair, Mr. Gonzalez?
    Mr. Gonzalez. Yes, Sir. We have had a significant increase, 
in fact, specifically since the beginning of this year. Our 
caseload has increased probably 5 times, and we suspect it will 
continue to increase.
    Senator Kyl. One of the cases that I believe you alluded to 
in your prepared testimony but you didn't mention in your 
summary was a situation involving a very potentially dangerous 
situation with the dams in the State of Arizona. Could you 
describe that in just a little bit of detail?
    Ms. Napolitano. Yes. This is a case--I believe it happened 
in 1995. There is a typo in the testimony. But what happened in 
this instance was a computer user hacked his way into the 
billing database of the Salt River Project. He was looking to 
cancel someone's account. He then thereafter gained access, 
high-level access to the canal controlling system.
    Now, when that crime occurred, we didn't have the bill I 
was describing to you, Senator. He was actually, I think, 
charged with a class III computer fraud felony. He subsequently 
provided a great deal of cooperation in some other cases, and 
so he pled down to a probation-eligible offense. And I believe, 
ironically, he is working in computer security in the private 
sector now, be that as it may.
    Under the new law in Arizona, such hacking into a vital 
infrastructure, which is a defined term in the law, would be a 
class II felony. Under our statutory scheme, that is the next 
most serious offense to a first-degree murder.
    Senator Kyl. And when will this new law take effect?
    Ms. Napolitano. July 18.
    Senator Kyl. OK. Great.
    Just a few more questions here. Are there any--I alluded to 
this in my opening statement, the possibility that there are 
legal impediments to the sharing of information, particularly 
by the private sector, with law enforcement. How would you 
characterize the cooperation between industry and law 
enforcement during the investigation of cyber crimes? And are 
there any disincentives that you are aware of that need to be 
removed for companies to come forward once they have 
experienced an attack? I will address that to both of you.
    Mr. Gonzalez. Well, Sir, I think the cooperation is good. 
It is getting better. There is a tendency sometimes on the part 
of the private sector to be a little hesitant, maybe, in say 
reporting either attempted intrusions or intrusions because of 
the fear of the impact that it may have on their status in the 
community where they are working. However, I think as part of 
the InfraGard program that we talked about where we are 
basically being able to--we are starting to form partnerships 
with the private sector to where they have an ability to 
anonymously join that program and provide us information that 
we can either use specifically with detail to initiate a case or 
sanitize for NIPC to use to disseminate to other members of the 
program in terms of potential either attempted intrusions or 
intrusions. I think as we work more through that system and 
basically show and convince the industry that it is a viable 
system and it can only help in terms of deterring attempted 
intrusions and in the case of where the intrusions are 
successful prosecuting the offenders, I think as we develop 
more of a track record in that area the industry will be much 
more willing to continue and move forward with that cooperative 
effort.
    Senator Kyl. Now, some people in industry have expressed a 
concern that their computers could be confiscated or critical 
components of their operations could be brought down during the 
course of an investigation, which would essentially paralyze 
their ability to do business. What kind of assurance can you 
give them that this would not occur?
    Mr. Gonzalez. Actually, it would be almost the opposite. 
What we need from the industry is, first of all, if they have 
either an attempted intrusion or an intrusion, we need a timely 
notification almost immediately so that we can respond. And the 
other thing is we need their assistance in terms of whether it 
be their systems administrators or people from their companies 
or businesses that have the expertise in their systems to help 
us go through their system and identify the information and the 
evidence that can either provide leads for us, investigative 
leads, or determine how the intrusion occurred.
    We do not seize their computers. We will not seize their 
computers, and we do our best to be as unobtrusive in terms of 
affecting their business operations. But we need their help and 
assistance in doing that, one, in the timeliness of the 
reporting of the intrusions and, two, in the use of their technical 
expertise 
for their systems to get us through the investigative process.
    Senator Kyl. Now, another related concern is going public 
with information, and, General Napolitano, let me ask you as 
well as Mr. Gonzalez this. Let's say a classic bank fraud 
intrusion occurs, or, as you say, somebody hacks into the 
utility to cancel out their bill, but let's say it is a bank 
and there is a suggestion here that the bank is potentially 
exposed to lose hundreds of millions of dollars as a result of 
this intrusion. They discover that internally. They obviously 
don't want the evening news to carry the story: ABC Bank losing 
hundreds of millions of dollars to a hacker. That would suggest 
to their customers that it is not a safe place to keep their 
money and so on.
    How can the law enforcement and prosecution authorities 
ensure that that won't happen and, therefore, provide a good 
incentive for people to cooperate with law enforcement as soon 
as possible to get the critical information to law enforcement 
so that the perpetrators can be brought to justice?
    Ms. Napolitano. Senator, that is a difficult question 
because we find it in a lot of different areas where entities 
that are actually the victims of crime are reluctant to report 
it because of likely media attention. And certainly you 
sometimes cannot control the media. I know this will come as a 
shock, but sometimes they find their own things of interest.
    But a couple of very concrete things can be done to 
increase, I think, the security that a business can have in 
working with law enforcement. One is to make greater use of and 
have the ability to make greater use of sealing orders in court 
to protect things like trade secret information, proprietary, 
computer security information, and the like. After all, the 
long-term damage to an institution or a business is not the 
one-day news story. It is having the actual data put into the 
public domain that would enable someone else to commit a 
similar crime. The new bill in Arizona that I described 
actually has some express statutory provisions in that regard. 
I believe in terms of sealing trade secret information, Federal 
law already had a provision. Most States don't have something 
similar.
    Senator Kyl. Mr. Gonzalez, anything to add?
    Mr. Gonzalez. I would offer a couple of comments, Sir. In 
terms of publicity and public awareness, generally speaking, 
with the FBI and with the numerous Attorney General guidelines 
we have regarding the contacts with the media, information that 
is relayed to us or is reported to us as a potential crime does 
not necessarily intimate that it is going to be made public any 
time soon or any time in the near future.
    Senator Kyl. Well, they would need a lot better assurance 
than that, though.
    Mr. Gonzalez. That is generally--that is our process.
    The other thing that I would intimate is there is a 
particular case that I am pretty sure has been resolved where a 
bank, in fact, was defrauded of about 10 or so million dollars, 
and we were able to recover all that money based on the 
company's willingness to report. I think we recovered all but 
$800,000 of the $10 million or so that were taken.
    So I think the upside or the benefits to private industry 
and to these companies that have the potential of being 
defrauded is much better in joining forces with law enforcement 
to try to resolve the issue as opposed to not reporting.
    Senator Kyl. I believe that, you believe that, and it makes 
intuitively good sense. Obviously, it is going to be necessary 
to continue to operate in a way that assures the public that 
this kind of protection of their sensitive information will 
occur with law enforcement so that they will have an incentive 
to fully cooperate.
    Let me ask you about the arrest earlier this year. Maybe 
you are not totally familiar with the inside details of it, but 
perhaps you could share some information with us here about the 
Canadian law enforcement officials' arrest of the young man in 
Canada, a 15-year-old teenager, as I understand it, who is 
suspected of being at least one of the people responsible for 
the recent denial-of-service attacks on the Internet sites in 
the United States. Can you tell us a little bit more about how 
the investigation of that case was conducted by the FBI and 
what the status of it is?
    Mr. Gonzalez. I can tell you in general terms the processes 
that we went through that I think resulted in some of the 
successes.
    First of all, there was an almost immediate reporting of 
the intrusions or the denial-of-service attacks by the 
companies affected, which obviously triggered a response from 
the FBI. With the FBI's structure as it is nationwide, where we 
have nationwide offices, in each of those offices we may not 
have fully fledged computer intrusion squads, but we have 
agents that are assigned to those matters across the country. 
We were able to almost simultaneously develop information that 
had leads, as we call them, all over the country and able to 
address those simultaneously with the use of the National 
Infrastructure Protection Center, which one of their roles is 
the coordination of these types of investigations because of 
their national scope and international scope.
    So all those things occurred almost, again, I will use the 
term simultaneously, because once it was reported, it put 
several processes into action, including the coordination 
efforts by NIPC, the individual field divisions getting out and 
addressing the particular leads they had, which we had some in 
Phoenix, and at the same time, once it was determined that 
there was a nexus to Canada, our legal attache office in Canada 
was able to have liaison with the RCMP and able to make the 
information either available or pass it and allow for the 
successful processing of the information to the Canadian 
authorities so they could make the arrest.
    But as you can see, it is a multifaceted process that we 
went through. It would be extremely difficult to do that if we 
didn't have the national resources available and on hand to 
conduct the adequate investigation.
    Senator Kyl. It sounds like another good example for the 
need for a multiple or nationwide trap and trace authority as 
well.
    Mike Vatis in Washington, DC, in our hearing there, the 
Director of the FBI's National Information Protection Center, 
the NIPC----
    Mr. Gonzalez. Infrastructure.
    Senator Kyl. Yes, I misstated that. He discussed two 
programs called InfraGard and Key Asset Initiative. Can you 
describe those two programs and how they are being carried out 
here?
    Mr. Gonzalez. Yes, Sir. The Key Asset Initiative involves 
each field division of the FBI within their jurisdiction in 
identifying key assets that are involved, whether it be 
providing infrastructure services, whether it be 
communications, transportation, academia, identifying these 
assets and making contact with them and obtaining--and setting 
up with them a system whereby we have 24-hour points of contact 
with those different assets so that in the event there is 
either an intrusion or an attempted intrusion, that we can be--
we will have access to those different entities.
    The InfraGard program involves an information-sharing 
initiative that is coming out--that is actually in place in a 
lot of areas. We are getting ready to implement it in Arizona. 
But what we do is, we offer anonymity to any company that wants 
to join us, and it will do things. It will give them the 
ability to provide the FBI and NIPC with information regarding 
either intrusions or potential--or attempted intrusions into 
their system through an encrypted e-mail capability, and also 
as being part of that program, it will allow them to receive 
warnings or threat warnings or intrusion warnings from NIPC as 
they are doing their national review of these particular 
incidents.
    So the Key Asset Initiative identifies areas in industry 
and in business that have potential for being either attacked 
or have potential of affecting our infrastructure and our 
commerce, and then the InfraGard initiative includes those 
entities and other entities in private business, private 
enterprise, that have a need to be advised of either threats or 
potential threats through the encrypted e-mail system.
    Senator Kyl. So are you actually going out to industry and 
visiting with them about their potential participation?
    Mr. Gonzalez. Yes, Sir. We are currently in the process of 
doing that.
    Senator Kyl. Let me ask each of you a last question just to 
indicate to the audience here we have to conclude the hearing 
by 11 o'clock. We have two more witnesses. So even though I 
can--I love getting information from these folks, and I could 
sit here all day. But we will have to close it off and move on 
to our next witnesses here.
    But let me ask both of you, Attorney General Napolitano, 
you mentioned desk subpoenas in your testimony, and Director 
Louis Freeh testified about administrative subpoenas necessary 
to effectively track cyber crime. Could you describe what those 
are and how that relates to our need for modifying law or 
procedures?
    Mr. Gonzalez. In terms of the FBI, they are referred to as 
administrative subpoenas. The FBI currently has that and some 
other Federal law enforcement agencies have that ability in 
drug investigations, in health care fraud investigations, and 
in crimes against children investigations. It basically allows 
the head of an office or one of his designees to issue a 
subpoena for information when it regards one of those types of 
investigations.
    What that does, it is actually two-fold: Again, it goes to 
the timeliness. We have an ability to do that almost at a 
moment's notice if needed in a particular investigation; and, 
No. 2, the information we gain from those subpoenas, there are 
no restraints in terms of us sharing it with other State and 
local law enforcement agencies or anyone else that would have a 
need to know in terms of getting that information as opposed to 
comparing it to a Federal grand jury.
    Senator Kyl. Is there a difference between an 
administrative subpoena and a desk subpoena?
    Ms. Napolitano. Well, we use the term desk subpoena as 
shorthand for a subpoena that a prosecutor signs as opposed to 
continually going back to the grand jury to get another 
subpoena duces tecum. So what Arizona law will provide when 
this provision takes effect is that on the certification of the 
prosecutor that this is relevant to an ongoing criminal 
investigation, we can issue based on that signature on a 
subpoena duces tecum to a service provider without having to 
continually go back to the grand jury and get a subpoena. It is 
very important because in a lot of these cases, as you see, we 
are following, say, for example, an e-mail to its source, and 
we can literally go around the country and end up in Glendale. 
But this way we can do it very quickly. We can do it at night. 
We can do it on weekends when the grand jury is not in session, 
and oftentimes we need to be able to do that.
    Senator Kyl. And the legal protection is that the evidence 
is obviously not usable if it has exceeded the probable cause 
requirements that you would ordinarily have to seek from a 
judge.
    Ms. Napolitano. Right. And the purpose is not to get the 
content of the e-mail. This is simply to be able to track where 
it--the chain of where it is coming from. So that is the 
primary purpose of this, not to get the actual content but to 
be able to find out the source of the e-mail. And as I 
mentioned earlier, Senator, many times we have to do that at 
night and over the weekends where continually going back to get 
a subpoena is impossible.
    Senator Kyl. I hope if our viewers have picked up anything 
from this hearing, they will appreciate the challenge that law 
enforcement is faced with in investigating these kinds of 
crimes because of the huge technological challenges that are 
presented and the very limited resources that you alluded to, 
Ms. Napolitano, and some of the legal--the very strict legal 
requirements that we impose in this country to make sure that 
people's constitutional rights are not in any way invaded, and 
that sets up some very high barriers for law enforcement but 
that obviously we intend to continue to abide by those 
requirements. It makes it tough for law enforcement, but you 
can still get your job done if you have adequate cooperation 
with the people who are reporting the crimes, and from the 
Congress perhaps and the State legislature, as you have noted, 
in providing the kind of legal authority and resources 
necessary to do the job.
    It is a very difficult challenge. It will evolve as time 
goes on, and I commend both of you and your offices for the way 
that you have jumped on this very quickly. And certainly as you 
have pointed out, General Napolitano, Arizona being the leader 
in developing both the legal authority and within your office 
the ability to quickly deal with these kinds of cyber attacks.
    I commend you both, and I appreciate you testifying here. 
We will have the record open for a period of time for any other 
comments you would like to make, and naturally I am always 
appreciative of your advice on the subject. So thank you very, 
very much.
    Mr. Gonzalez. Thank you.
    Ms. Napolitano. Thank you, Senator.
    Senator Kyl. Our next witness is David Aucsmith, the chief 
security architect for the Intel Corporation. Mr. Aucsmith is a 
recognized expert in the computer security field and will be 
making the U.S. industry presentation at the upcoming G-8 
summit on cyber crime in May in Paris, France.
    Mr. Aucsmith, your full statement will be placed in the 
record, and I would invite you to make summary remarks at this 
time. And, again, I very much appreciate your presence here.

     PANEL CONSISTING OF DAVID W. AUCSMITH, CHIEF SECURITY 
ARCHITECT, INTEL CORP.; AND JOSE GRANADO, SENIOR MANAGER, ERNST 
                    & YOUNG LLP, HOUSTON, TX

                 STATEMENT OF DAVID W. AUCSMITH

    Mr. Aucsmith. Thank you very much, Senator.
    The purpose, I think, of my presentation is to talk about 
the technological trends and challenges facing the protection 
of critical infrastructures as we move forward.
    Intel's former CEO, Andy Grove, was very fond of starting a 
lot of his presentations with the statement that we are rapidly 
approaching a time of a billion connected computers. That is 
actually a fairly fantastic statement. He said there are 
roughly a billion connected computers simultaneously exchanging 
data. And the computers that we are talking about are not just 
PC's. As was mentioned earlier, we are talking about the 
controls to an irrigation system. We are talking about national 
power grids, airline reservations, financial information from 
Wall Street, accessible by a billion connected computers.
    Why is this done? The obvious reason is to improve cost and 
efficiency. It lowers the cost if there are common 
infrastructures allowing communications and information to 
take place, and it 
significantly raises the efficiency. In fact, a year or so ago, 
the Department of Commerce credited that efficiency with 
keeping the level of inflation a whole percentage point lower 
than it would have been otherwise.
    However, this same efficiency also created quite a number 
of vulnerabilities, which is what this hearing is basically 
about. Those efficiencies mean that we have just-in-time 
inventory management, we have just-in-time commission and 
movement. That leaves very, very little room for error when 
that system is disrupted. That just-in-time inventory also 
applies to critical components of the national power grid and 
transportation sectors.
    Basically what we have seen so far is vandals on the 
Internet, as another way of putting it. That is the majority of 
the cases. If you have a billion connected computers, one way 
to look at that is you have a billion minus one potential 
attackers to your particular computer system.
    Another way from my end that we look at this is that we 
basically have a billion connected computers each of which has 
a billion different security policies. We actually can't seem 
to agree on precisely what is the right way to defend or to 
state even how we should defend each of the individual sites.
    The statistics are rather frightening. It includes major 
companies such as Intel and others attacked somewhere around 
the neighborhood of 6,000 a day. You have cable modem users who 
would reflect around 250 attacks or so a week. And it is a 
fairly phenomenal amount.
    Now, most of these attacks are the equivalent of vandalism. 
I like to point out it is somewhat like spray painting in 
cyberspace. It is about the same equivalent. The problem, of 
course, is that you really can't tell which of those are 
potential spray painters and which of those are potentially 
serious fraud or an intelligence-gathering operation.
    One way to look at it is if you were a business you 
wouldn't tolerate a few thousand people a day walking up and 
rattling your front doors or trying to see if there is an open 
window where they could come into your business, yet in 
cyberspace, we have sort of grown up and accept these just as a 
matter of fact. We can't live with this as a basic problem. In 
fact, when vandalism gets out of hand, you end up with the 
distributed denial-of-service attacks that we have just had. 
That's what happens if several thousand people show up at your 
front door at once.
    There are other problems, which are just essentially the 
cascading destruction that occurs when one part of the system 
fails due to a vandalism or a malicious attack or a terrorist 
incident or whatever. The interconnectivity causes a great deal 
of things to happen all through.
    But I don't want to dwell on vandalism. There is a great 
statement from the bank robber of the 1950's, Willie Sutton. 
When he was asked why did he rob banks, he said, ``Because 
that's where the money is.'' Well, right now e-commerce is 
where the money is. In fact, it is very likely that we will see 
serious criminals--and we are beginning to see them--move into 
cyberspace because that is where the money is.
    We have seen this in the case of credit card theft and a 
number of others. Basically cyberspace offers precisely the two 
things that criminals need: anonymity and mobility. Those 
happen to be the things that generally e-commerce also needs, 
but they do facilitate the bad guys.
    Most security domains as they are set up now approach what 
we call the nougat method of security, which is they have a 
very hard shell on the outside and they are soft and chewy on 
the inside. So all you have to do is break through that outer 
barrier and people do not practice defense in depth in general.
    That is not to say that people aren't trying. There is a 
great deal of standards development going on within the 
industry. International standards are essentially the glue 
that binds cyberspace together, and there is a lot of work, 
including IP security standards for telecommunications, use of 
better identification methods like smart cards and biometrics. 
All of those things are happening, but it is important to 
stress that standards development is extremely slow. Because it 
is an international endeavor, it does not move at cyber speed.
    Also, security is traditionally a form of insurance. We 
didn't put up metal detectors in airports until after airlines 
were hijacked. We are unlikely to put in strong security in 
cyberspace until after major incidents. It is just very hard to 
get people motivated otherwise.
    One of the perhaps best things that we can do is to provide 
some assistance for law enforcement and others in dealing with 
the current problems. The technology that we deal with is 
extremely complex. Its very efficiencies frequently frustrate 
the ability to catch criminals in cyberspace. It is complex and 
esoteric. Experts typically are hard to find and have to be 
paid a great deal. It is very difficult for law enforcement to 
deal with that.
    Intel might be regarded as being at the forefront of this 
technological revolution, certainly one of the companies, and 
it is very difficult for us to keep up with the technology, and 
we dedicate a great number of people to doing that.
    The best thing that we can do is to have good cooperation 
amongst industry components and with governments to help make 
the Internet a safer place and to protect the critical 
infrastructures. There are several good examples of that 
cooperative effort. Some of them have already been alluded to. 
There are others such as the information technology study 
group, which is a joint industry and FBI initiative to look at 
strategic directions in solving these problems.
    However, there are problems with that cooperation. Some of 
them have been alluded to. We are now having a collection of 
industry competitors coming together to share information. That 
brings up antitrust issues. Certainly from the strategic 
standpoint, we have companies disclosing vulnerabilities and 
other intellectual property about their products that is 
subject to discovery and may end up in a court of law. That is 
not something generally wanted by industry.
    There are problems with funding of those cooperative 
efforts. Industry is pretty much consenting to do this on a pro 
bono basis, gratis, if you will, but the government sectors of 
those require funding in order to do the administration and 
make the best use of that.
    Congress also will have to address other problems. The 
biggest problem looming on the horizon is that having to do 
with jurisdictional issues. Cyber crime occurs all over the 
world. It is very difficult to figure out who exactly has 
jurisdiction and in what cases. Some of that is being 
addressed.
    So, basically, in closing, though I don't want to leave you 
with too bleak a view here, the technology is basically amoral. 
It is just moving at a very rapid pace. It is being used for 
good and, of course, bad guys will move in, too. Traditionally, 
law enforcement and national security interests have been able 
to adapt to changes in technology from the automobile, the 
telephone, and others over time. I am sure that in time we will 
be able to adapt to create effective order in the new 
technologies. It is perhaps fitting, if you will, that this is 
being held in Arizona. It somewhat resembles the Wild West at 
this point of view, and it is merely a need to slowly but 
surely civilize it. That is one way to look at it.
    Thank you very much, Senator.
    [The prepared statement of Mr. Aucsmith follows:]
    [GRAPHIC] [TIFF OMITTED] T9335.058 through T9335.066
    
    Senator Kyl. Well, thank you very much, Mr. Aucsmith. Of 
course, we wanted to put one of our premier corporations on 
display as well, and since you are a leading technology expert 
in the area, we thought this would be a good forum in which to 
discuss this. I am not sure whether we should have had you 
before or after our next witness, though, because our next 
witness is going to demonstrate to us how this hacking is done.
    Now, I have some assurances that with the law enforcement 
officials here, this will all be done in a quasi-legal way, but 
I take no--I give no assurances in that regard. Let me properly 
introduce to you Jose Granado. He is a senior manager at Ernst 
& Young, a highly qualified accounting firm in the country, no 
fly-by-night hacking outfit, I would hasten to point out. And 
recently it was named as the outstanding information security 
organization, as I understand it, by the Information Systems 
Security Association. So Jose also comes by his expertise 
rightly.
    He has been involved with information security for the last 
12 years. He is a frequent speaker on the topic. We thank you 
for testifying today, and as I have mentioned to the others, 
your full statement will be placed in the record, and we would 
appreciate a summary of your remarks at this time.

                   STATEMENT OF JOSE GRANADO

    Mr. Granado. Good morning, Mr. Chairman. Thank you for the 
opportunity to testify today regarding improving prevention and 
prosecution against cyber attacks. As you mentioned, I am a 
senior manager with Ernst & Young's eSecurity Services group. I 
direct a team of ``white hat hackers'' who perform network 
assessments on client networks. Their objective is to identify 
existing weaknesses in computer systems that will lead to 
unauthorized access. My perspective comes from having led over 
100 network security assessments over the past several years. 
Assisting me today is Ron Nguyen, a manager with our eSecurity 
Services group. Today we will describe and demonstrate the 
process we utilize to perform these assessments.
    When performing these assessments, we obtain a snapshot in 
time of an organization's network security posture. This 
snapshot allows us to identify potential points of entry to 
gain unauthorized access to a network. The demand for these 
assessments has been generated by several factors: increased 
e-commerce initiatives, increased Internet dependency, which has 
generated a need for independent security reviews, increased 
discovery of operating system and application level 
vulnerabilities, and increased publicity, as we have seen 
recently with the denial-of-service attacks on eBay, Yahoo, and 
others.
    Although our team is extremely skilled, over 75 percent of 
our initial access into client networks is gained via 
relatively simple methods and techniques. Our success is 
facilitated by three factors: poor selection of user ID's and 
passwords, poor system configuration from a security 
perspective, and the inability for organizations to implement 
solutions on a real-time basis to existing vulnerabilities.
    Hundreds of websites exist that contain system security 
information. The network used to exchange this type of 
information transcends physical, geographical, and cultural 
boundaries. Internet chat sites, informal gatherings, and 
conferences also help to facilitate the flow of information.
    During today's online demonstration, we will identify a 
live computer system, scan the computer system for potential 
entry points, gain access to the system, eavesdrop and control 
the system remotely, crack the password file, and, finally, 
execute a denial-of-service attack.
    Our demonstration network is comprised of two Windows NT 
laptop computers. The computer labeled ``attack,'' the one on 
the larger screen, will be performing the hacking activity. The 
computer labeled ``victim,'' the one on the smaller screen, 
will be the recipient of the attacks. Although these computers 
comprise their own mini network, the techniques demonstrated 
today can be performed against any live computer on the 
Internet that is in a similar security state as our victim 
system.
    An attacker can run a ping utility to randomly identify a 
range of targets on the Internet. The attacker can also target 
a specific victim to attack. For our demonstration, we will 
ping www.victim.com.
    The ping utility has identified one live system on our 
network designated by the IP address 192.168.10.10. An IP 
address is a numerical designation that identifies a computer 
on a network. Once we identify a live target, there are a 
number of freely available vulnerability scanning tools that 
can be used to identify potential entry points. For our 
demonstration, we will use the freeware tool called 
``Superscan'' on our attack system to scan our victim.
    The scanner has identified potential entry points on our 
target system--specifically, ports 21, 80, 135, and 139. A port 
is a numerical designation for a specific network function. 
Part of the system access process is mapping vulnerabilities 
associated with these open ports to exploit tools. Our scan 
identified port 80, which is associated with Web browsing, as 
open. For our demonstration, we will launch the iishack tool on 
our attack system to gain access to our victim.
    We now have gained access to our victim system. The attack 
was successful. The iishack tool the attacker used exploited a 
buffer overflow vulnerability on the target system. A buffer 
overflow condition is caused by the transmission of unexpected 
data to a target system, causing it to accept commands from an 
attack system. The hack tool launched a listening service that 
the attacker can now use to remotely control the system. This 
listening service allows the attacker to eavesdrop on the 
victim system by using a standard Web browser. For our 
demonstration, the attack system will monitor a letter being 
typed by the victim system.
    As you can see, the attack system now actually has the 
screen of the victim system displayed on it. The victim 
computer is typing a letter with the notepad function, and what 
he is typing keystroke by keystroke is now appearing on the 
bigger screen, which is the attack system.
    With remote control access, the attacker can leverage the 
target system as a launchpad to attack other systems, start 
programs, access and view files. For our demonstration, we will 
access and view files on the victim system from our attack 
system.
    As you can see, the attack system here is going through the 
contents of the C drive on the victim system and actually 
bringing up documents that are on the victim system and 
actually appearing on the screen of the attack system. The 
documents, as you can see, appear in their complete entirety.
    Now that the attacker has full control of the target 
system, one of the most popular activities is password 
cracking. The attacker can download the password file from the 
remote system and run a password cracker to discover user 
passwords. For our demonstration, we will download the password 
file to our attack system and using the lopht crack program 
demonstrate how quickly passwords can be cracked.
    We have located the password file on the victim system. We 
have dragged it to the desktop of our attack system. We are now 
bringing up the lopht crack tool and feeding that password file 
to the cracking tool. And as you can see, in a matter of 
seconds 18 of 21 passwords were cracked, and that took probably 
2 or 3 seconds.
    If the attacker is simply looking for targets to crash, 
they can easily launch a denial-of-service attack directed 
specifically at the target system. For our demonstration today, 
we will launch a denial-of-service attack on our attack system 
to disable our victim.
    The IP address of the victim system is being inputted into 
the denial-of-service tool, and after pressing the nuke button, 
we see that our victim system has been disabled as evidenced by 
the blue screen with all the error messages that are on it. And 
now that that system is disabled, it needs to be restarted to 
get back to its original state.
    Thank you for the opportunity to testify today at this 
hearing, and subject to your questions, this concludes our 
quick demonstration.
    [The prepared statement of Mr. Granado follows:]

                   Prepared Statement of Jose Granado

                         POWERPOINT TITLE SLIDE
Introduction
    Mr. Chairman and distinguished members of the Subcommittee, thank 
you for the opportunity to testify today regarding improving prevention 
and prosecution against Cyber Attacks.
    My name is Jose Granado. I am a Senior Manager with Ernst & Young's 
eSecurity Services group. I direct a team of ``white hat hackers'' who 
perform network assessments on client networks. Their objective is to 
identify existing weaknesses in computer systems that will lead to 
unauthorized access. My perspective comes from having led over 100 
network security assessments over the past several years. Assisting me 
today is Ron Nguyen, a manager with our eSecurity Services group. Today 
we will describe and demonstrate the process we utilize to perform 
these assessments.
                          POWERPOINT SLIDE ONE
Introduction to White Hat Hacking
    When performing these assessments we obtain a ``snapshot'' in time 
of an organization's network security posture. This snapshot allows us 
to identify potential points of entry to gain unauthorized access to a 
network. The demand for these assessments has been generated by several 
factors:

     Increased eCommerce initiatives.
     Increased Internet dependency--which has generated a need 
for independent security reviews.
     Increased discovery of operating system and application 
level vulnerabilities.
     Increased publicity--as we have seen recently with the 
Denial of Service Attacks on eBay, Yahoo and others.

    Although our team is extremely skilled, over 75 percent of our 
initial access into client networks is gained via relatively simple 
methods and techniques. Our success is facilitated by three factors:

     Poor selection of userids and passwords.
     Poor system configuration from a security perspective.
     Challenges organizations face in keeping up the large 
volume of vulnerabilities discovered on a daily basis.
                          POWERPOINT SLIDE TWO
    Hundreds of web sites exist that contain system security 
information. The network used to exchange this type of information 
transcends physical, geographical, and cultural boundaries. Internet 
Chat sites, informal gatherings and conferences also help to facilitate 
the flow of information.
                         POWERPOINT SLIDE THREE
    During today's online demonstration we will:

     Identify a ``live'' computer system.
     Scan the computer system for potential entry points.
     Gain access to the system.
     Eavesdrop and control the system remotely.
     Crack the password file.
     Execute a denial of service attack.
                               START DEMO
Demonstration
    Our demonstration network is comprised of 2 Windows NT laptop 
computers. The computer labeled ``attack'' will be performing the 
hacking activity. The computer labeled ``victim'' will be the recipient 
of the attacks. Although these computers comprise their own mini 
network, the techniques demonstrated today can be performed against any 
``live'' computer on the Internet that is in a similar security state 
as our victim system.
Identifying a ``live system''
    An attacker can run a ping utility to randomly identify a range of 
targets on the Internet. The attacker can also target a specific victim 
to attack. For our demonstration we will ping www.victim.com.
Scanning a system for potential vulnerabilities
    The ping utility has identified one live system on our network 
designated by the IP address 192.168.10.10. An IP address is the 
numerical designation that identifies a computer on a network. Once we 
identify a live target, there are a number of freely available 
vulnerability scanning tools that can be used to identify potential 
entry points. For our demonstration, we will use the freeware tool 
``Superscan'' on our attack system to scan our victim.
Gaining access to a system
    The scanner has identified potential entry points on our target 
system. Specifically, ports 21, 80, 135 and 139. A port is a numerical 
designation for a specific network function. Part of the system 
access process is mapping 
vulnerabilities associated with these open ports to exploit tools. Our 
scan identified port 80 which is associated with web browsing as open. 
For our demonstration we will launch the iishack tool on our attack 
system to gain access to our victim.
Eavesdropping on a system remotely
    The iishack tool the attacker used exploited a buffer overflow 
vulnerability on the target system. A buffer overflow condition is 
caused by the transmission of unexpected data to a target system, 
causing it to accept commands from an attack system. The hack tool 
launched a listening service that the attacker can now use to remotely 
control the system. This listening service allows the attacker to 
eavesdrop on the victim system by using a standard web browser. For our 
demonstration the attack system will monitor a letter typed by the 
victim system.
Controlling a system remotely
    With remote control access, the attacker can leverage the target 
system as a launchpad to attack other systems, start programs, access 
and view files. For our demonstration we will access and view files on 
the victim system from our attack system.
Cracking passwords
    Now that the attacker has full control of the target system, one of 
the most popular activities is password cracking. The attacker can 
download the password file from the remote system, and run a password 
cracker to discover user passwords. For our demonstration we will 
download the password file to our attack system and using the lopht 
crack program demonstrate how quickly the passwords are cracked.
Executing a Denial of Service Attack
    If the attacker is simply looking for targets to crash, they can 
easily launch a denial of service attack directed specifically at the 
target system. For our demonstration, we will launch a denial of 
service attack on our attack system to disable our victim.
    Subject to any questions this concludes the presentation.

    Senator Kyl. Thank you very much.
    Did the FBI get all of that down? [Laughter.]
    You were taking good notes.
    Obviously, this simulation attack is designed to illustrate 
how people with a little bit of expertise--and I know that our 
witness here has a lot of expertise, but I am going to ask him 
as kind of a first question how much expertise you need to do 
this--can quickly get into, can disable, can secure information 
from or deface a system, whether it be a business or commercial 
system, a government computer, a research or university 
computer, or certainly a private computer.
    Let me begin by asking, Mr. Granado, just how experienced 
do you have to be to be able to do the kind of thing that you 
just now did?
    Mr. Granado. The experience is not what one would think. We 
often find that individuals involved in this kind of activity 
have a love for technology. These are folks that stay up until 
2, 3 or 4 a.m. reading everything they can get their hands on 
on systems and vulnerabilities and things of that nature. These 
kind of folks aren't individuals that have to go to Harvard to 
get this kind of experience. So the love for technology, a 
basic understanding of computer systems and networks is really 
at the foundation level all that is required.
    Now, as I mentioned during my testimony, the voluminous 
amount of information that is out there on the Internet on how 
to go at these systems actually helps to facilitate the 
knowledge process for folks that want to get involved in this 
kind of activity. But the experience needed to do this is not 
great. It is just a general understanding of computers and 
networks, and then all the information that is available out 
there kind of helps snowball your experience level so that you 
can perform these kind of activities.
    Senator Kyl. I think illustrative of that is the fact that 
the first person arrested in connection with the denial of 
service of the various sites in the United States, the young 
Canadian, was 15 years old. And I will mention another 
operation. During the time the United States was preparing an 
attack on Iraq, there was an intrusion into some U.S. 
Government computers that was serious enough that it got the 
highest levels of our Government. We dubbed the exercise 
``Solar Sunrise.'' We eventually found that there were three 
people under the age of 20 in I think two different countries 
that were involved in that attack. They were fortunately 
brought to justice.
    But the point is that this seems to be coming a lot from 
young people who obviously don't have the college degree you 
are speaking of but have acquired the capability to cause great 
mischief.
    Mr. Granado. Absolutely.
    Senator Kyl. Let me ask Mr. Aucsmith, at our hearing in 
Washington, DC, Harris Miller, who I am sure you know--he is 
president of the Information Technology Association of 
America--testified and he said one of the inhibitions of 
sharing information between the private sector and the 
Government regarding these vulnerabilities and threats is that 
companies naturally don't want their vulnerabilities and the 
attacks that have actually occurred against them to be publicly 
known since this could easily impact on consumer confidence in 
their particular sites and people then might not want to use 
their website. He said that unless companies are given an 
exemption from the Freedom of Information Act so that 
information they disclose to the Government can't be obtained 
by any other person that files the paperwork, that they would 
not want to voluntarily submit information to the Government in 
the name of cyber security.
    Do you share this view? Do you think we need that kind of 
protection of private information from being acquired under the 
Freedom of Information Act?
    Mr. Aucsmith. Yes, Sir, I actually do, very much so. There 
are two issues at stake here, and it depends on for what the 
information is being used. If it is tactical information, the 
FBI may be needed to solve the problem.
    Senator Kyl. Meaning on how to--sort of to understand the 
kind of thing that Mr. Granado just now did, how does this 
system work so that we can track back the perpetrator.
    Mr. Aucsmith. Right. And for that, our concern is if we 
share that information, we may end up as a witness in a 
discovery process. No company wants to end up in a criminal 
proceeding with their product. The second, somewhat longer 
range, has to do with we are aware--as much as we may try, we 
can't produce perfectly secure systems. It is just not 
economically feasible. In many cases, it is not even 
technically feasible. So we are made aware of vulnerabilities, 
but we are sort of constantly trying to fix those 
vulnerabilities in each new product revolution. So what you 
basically have is a sliding window of vulnerabilities that go 
along, and industry is very reluctant to make that public 
because, clearly, that is only helping the bad guy. It 
certainly could be used by your competition to weaken your 
product. So there is some need--there is a need to come up with 
some solution for allowing--sharing the strategic 
vulnerabilities, helping your practical situation with 
knowledge that we have in a way that doesn't adversely affect 
the security of a company or the infrastructure that are built 
off of those products. Something needs to be done.
    Senator Kyl. Well, Congress is looking--I was involved in 
the Y2K legislation which gave some temporary time-outs for 
liability on sharing of information in order to ensure that in 
that run-up to the Y2K turnover that we wouldn't have an excess 
of problems. And that seemed to work pretty well.
    So you would be supportive of Congress looking into the 
Freedom of Information Act, the potential for class action 
liability, antitrust liability, in a way to try to balance the 
need to share this information with the protections needed if 
the information is shared.
    Mr. Aucsmith. That is correct. Clearly, we are not 
advocating removal of FOIA. But what we are advocating is 
giving some level of protection where such vulnerabilities are 
so terribly sensitive.
    Senator Kyl. Now, Mr. Granado, one of the issues here is 
insider threat. In addition to hacking in from the outside, 
clearly there are some problems of the insiders. Could you 
comment a little bit about your concern there?
    Mr. Granado. Yes, Sir, absolutely. I mentioned during my 
testimony that our access into computer networks 75 percent of 
the time is through simple methods and techniques, and that 
specific statistic was for attacks from the outside in. When we 
are invited into an organization to perform our assessments, 
our success rate is 100 percent. The reasoning there is 
obviously there is a certain level of trust that is assumed 
when an individual or a group of individuals are inside an 
organization, the security problem I think becomes twice as 
difficult because of that assumed level of trust, and the 
security controls that an organization implements, they need to 
be perimeter-based for external threat, but there also needs to 
be auditing and monitoring tools on the inside so that the 
activities of users on the inside could be monitored so that if 
any weird activities are occurring they can be flagged and 
acted upon.
    Senator Kyl. This is the so-called defense in depth concept 
that Mr. Aucsmith mentioned.
    Mr. Granado. So there is no question that the insider 
threat is greater from my perspective than the outside threat. 
Again, that assumed level of trust of someone that you let 
inside your facility, they have already beaten one hurdle. They 
now just have to get to your network and access systems.
    Senator Kyl. I want to ask both of you a question here, and 
this goes right to the point Mr. Aucsmith made a minute ago. 
Maybe neither one of you want to reveal this nasty little 
secret to the public here, but I think it is important to do so 
in order to help do the job that both of you do.
    I would like for you to describe just how vulnerable anyone 
on the Internet is, and let me put it in this context. Suppose 
I buy one of the new encryption products and let's call it 
pretty good security, and I buy that and I think, great, I am 
encrypted now, and unless some organization like the CIA tried 
to crack it, it is not going to be crackable. So I am home free 
here.
    How foolish is that attitude? Just how vulnerable is anyone 
on the Internet? How easy is it and how many different ways are 
there to break into these kind of systems?
    Mr. Aucsmith. You have actually gone a reasonable step 
towards achieving security from a particular type of threat. 
That particular type of threat is collecting tactics at some 
intermediate point. What you have done nothing for is to 
protect the endpoint systems where that information originates 
or the destination of where it goes. In fact, given most 
encryption systems, the vulnerability is actually to break into 
the system and record the information before it is ever 
encrypted, which basically could be done in the attack you just 
saw here, or to go hunting around in the computer itself for 
the keystrokes that were used to invoke the unknown--or the 
key, the encryption key. You would solve one of the problems, 
but probably not the hardest one, quite frankly. And how 
vulnerable are they? If you were to take this scenario that I 
just went through here, and instead of launching the particular 
attack I did, but start downloading the swap file, which is 
where the operating system puts intermediate material as it is 
being processed for efficiency, and then scan that for the 
invocation of your particular encryption program and the 
keystrokes that were used to invoke it, you will most likely 
recover the key.
    Senator Kyl. Can you describe this in terms of an analogy? 
I know you used the analogy of leaving the window open in the 
home. But can you think of a good analogy to bring home to 
people how you may have provided security at points D through 
F, but that is not all the way from A to Z.
    Mr. Aucsmith. The analogy that we frequently talk about is 
putting an armory on a screen door. I think basically you have 
armored the front door and left all the windows open.
    Senator Kyl. Mr. Granado, do you want to add anything to 
that?
    Mr. Granado. Sure. The way I would like to comment on that, 
Senator, Ernst & Young is very active in providing this kind of 
information to the IT community. We have a website, 
www.esecurityonline.com, which provides vulnerability information 
for IT folks who are interested on what the latest threats are. 
And we also provide a separate section for clients. We give 
them customized vulnerability information based on the types of 
computers they have.
    Anyway, my point is, for anyone to think that if they have 
a security product that they just purchased today and that 
makes them secure for the rest of time, it is extremely 
foolish. From a statistical perspective, we discover about 7 to 
10 vulnerabilities a day that we either discover through our 
research labs or that we just gain information from other 
folks.
    So as you can see, you think you are secure today, 
tomorrow, and the next day, but next week you may not be. You 
know, this issue is something that organizations need to 
consider a more proactive approach versus a reactive approach 
to security. And security is a process. It is not a matter of 
plugging a hole and then you are done. It is a process where 
you need to test, you need to implement solutions, and then you 
need to monitor those solutions. And that needs to be 
recurring. And that is the only way that we are going to be 
able to get ahead of the game with respect to these kinds of 
attacks.
    Mr. Aucsmith. Senator, one more follow-up to that. What the 
people from Ernst & Young are talking about is exactly correct. 
But I think we need to emphasize that the scenario they just 
painted is that for an IT organization or business. The same 
scenario is very difficult to work when you are talking about a 
home user. And one of our problems is my industry has been 
pushing very much to get everybody online all the time, always 
connected. We have been a little bit behind on sharing with 
them the vulnerabilities of being online and always connected. 
And the same set of methodologies that work for businesses are 
unlikely to work in the home users. I can't imagine my mother 
being able to discern the information required to make a system 
secure.
    So what we have to do as an industry is make security 
somewhat more seamless and automatic and easier to deal with. 
We have a ways to go on that. We are working very hard, but it 
is a very hard problem.
    Senator Kyl. I think that is a very candid and excellent 
statement of the state of play right now in the industry coming 
from one of the leading industry drivers here, acknowledging 
that in making this wonderful new tool so available to so many 
people so fast, we have got to catch up in terms of security 
and that that is going to require a significant degree of 
effort.
    I think that our hearing today, if it will do nothing else, 
will be to demonstrate to people that there is a significant 
lack of security, but that shouldn't deter people from using 
the Internet, but that they should be very, very careful to the 
extent that what they have on there is private and they want to 
keep it private, and that industry generally and individuals 
are going to have to make good recommendations to the 
Government about what kind of protections they need in order to 
provide the fullest possible cooperation with law enforcement 
for law enforcement to do its job.
    This is something that we want to do our best to cooperate 
on, and I just would reiterate to the audience here, my 
subcommittee deals with three subjects, and in this one area 
they all tie together: technology, terrorism, and Government 
information. And so we are right on the cusp of this. I have 
introduced several pieces of legislation, some of which have 
already been signed into law, some of which are pending, as you 
heard before, and designed to try to begin to resolve these 
issues. But perhaps the biggest point that I would make--and I 
would like to have the witnesses comment on this, and then we 
will--again, I could talk to these guys all day long. I 
wouldn't understand a lot of what they say, but I can at least 
appreciate the point they are trying to make. But we will need 
to cut our hearing off here in a moment.
    We need to create an atmosphere of understanding and mutual 
commitment and trust that will enable private users, the 
private commercial sector, and the Government policymakers and 
Government law enforcement people to work together in order to 
ensure that there is the maximum protection so that there can 
be the maximum use. And if we do that, I think we will continue 
to lead the world and improve the quality of life in this 
country dramatically.
    But to the extent that there continues to be a residue of 
mistrust and an unwillingness to work together, it inhibits 
this wonderful opportunity that we have.
    Actually, there is one last question I would like to ask 
both of you because I think it is important for particularly 
our viewers and people who came to this hearing to appreciate. 
If you want to know more about how to make your own systems 
secure, let's say you are a small business here in Arizona, 
what is the best advice you have to individuals or small 
businesses? I am sure big businesses have found their way to 
your doorstep, but how does a small business do the best it can 
in an economic way to provide the security that it needs?
    Mr. Granado. There are a lot of organizations that folks 
and small businesses can join--Information Systems Security 
Organization is just one--where members of small businesses can 
join these organizations, and they have monthly meetings of 
security professionals within that specific community to 
discuss vulnerability issues, strategic issues, tactical issues 
with respect to systems security. So that would be one good 
economic avenue to gain knowledge on this issue.
    Then the other point, again, what I alluded to earlier, the 
Internet is just full of information that is free and easily 
accessible. You know, I described today the hacking-related 
information. There is just as much information out there on how 
to secure your system, and step by step how to secure it, that 
people can just do searches on the Internet, pull that 
information, pull out what is specific to their machines, and 
work on securing their systems, again, free and all that is 
required is Internet access.
    Mr. Aucsmith. And that is the nice thing about the 
Internet, its opportunities. There are bad guys out there, but 
there are also good guys. You can find lists of places to go 
for the good guys. There is a variety of sources for finding 
that, just a general search will probably help, but you can 
start with CERT, which is an organization at Carnegie Mellon. 
The Computer Emergency Response Team has a wide range of links 
that you can go to where the good guys are. The problem with 
all of that is it is necessary to have the technical competence 
to make that a reality in small business, and many small 
businesses lack that resource, in which case, much as you might 
call a locksmith or a burglar alarm company to help protect 
your physical security, you may very well need to make the 
investment of contacting a security professional to help you 
with your cyber security.
    Senator Kyl. And probably one of the most important points 
is, even though you develop what you think is a secure system, 
always understand that there are numerous vulnerabilities, and 
you have got to constantly be alert to the little things, you 
know, leaving your password taped to the top of your computer, 
as I saw one time, by the way--I mean, it sounds silly, but 
there are a lot of vulnerabilities that people just don't stop 
to think, basically, about what they need to do to make their 
systems secure.
    Mr. Aucsmith. We put them underneath the keyboards.
    Senator Kyl. Yes, right. [Laughter.]
    That is a good metaphor for the need to always be alert 
that there could be a problem, even though you have secured 
what you think is a pretty good system. But the first step is 
to try to take advantage of this.
    I am informed and we learned at our hearing in Washington 
that this Carnegie Mellon entity which Mr. Aucsmith alluded to 
had developed good counter-software to the kind of denial-of-
service attack that occurred against some of the sites that we 
have been referring to today. Some entities took advantage of 
that software. Some did not. Those that did didn't experience 
that denial of service.
    So take advantage of that which is available to you as has 
been described and remain alert to the possibility that even 
that won't necessarily deter a determined hacker. I guess those 
would be the two watchwords.
    I really appreciate your demonstration, Mr. Granado, and, 
Mr. Aucsmith, your expertise in this. I will hope to continue 
to plumb the depths of that expertise as we try to fashion the 
kind of national policy and legislative solution to develop 
this cooperation that is going to be so essential to the 
future, and I look forward to continuing to cooperate with you.
    I thank all of you who have joined us at this hearing 
today. As I said at the beginning, this is an official hearing 
of the U.S. Senate Judiciary Committee's subcommittee which I 
chair, and anyone who wishes to communicate with us, we can put 
your comments in the record if they are appropriate. If you 
have questions, obviously submit them through me, and perhaps 
we will have an opportunity to share those with our witnesses 
here today.
    If there is nothing further, then I will declare this 
meeting adjourned.
    [Whereupon, at 10:30 a.m., the subcommittee was adjourned.]