[Senate Hearing 106-1092]
[From the U.S. Government Publishing Office]



                                                       S. Hrg. 106-1092

                           INTERNET SECURITY

=======================================================================

                                HEARING

                               BEFORE THE

                     SUBCOMMITTEE ON COMMUNICATIONS

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 8, 2000

                               __________


    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation



78-382              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001



       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                     JOHN McCAIN, Arizona, Chairman
TED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina
CONRAD BURNS, Montana                DANIEL K. INOUYE, Hawaii
SLADE GORTON, Washington             JOHN D. ROCKEFELLER IV, West 
TRENT LOTT, Mississippi                  Virginia
KAY BAILEY HUTCHISON, Texas          JOHN F. KERRY, Massachusetts
OLYMPIA J. SNOWE, Maine              JOHN B. BREAUX, Louisiana
JOHN ASHCROFT, Missouri              RICHARD H. BRYAN, Nevada
BILL FRIST, Tennessee                BYRON L. DORGAN, North Dakota
SPENCER ABRAHAM, Michigan            RON WYDEN, Oregon
SAM BROWNBACK, Kansas                MAX CLELAND, Georgia
                       Mark Buse, Policy Director
                  Martha P. Allbright, General Counsel
               Kevin D. Kayes, Democratic Staff Director
                 Moses Boyd, Democratic General Counsel
                                 ------                                

                     Subcommittee on Communications

                    CONRAD BURNS, Montana, Chairman
TED STEVENS, Alaska                  ERNEST F. HOLLINGS, South Carolina
SLADE GORTON, Washington             DANIEL K. INOUYE, Hawaii
TRENT LOTT, Mississippi              JOHN F. KERRY, Massachusetts
JOHN ASHCROFT, Missouri              JOHN B. BREAUX, Louisiana
KAY BAILEY HUTCHISON, Texas          JOHN D. ROCKEFELLER IV, West 
SPENCER ABRAHAM, Michigan                Virginia
BILL FRIST, Tennessee                BYRON L. DORGAN, North Dakota
SAM BROWNBACK, Kansas                RON WYDEN, Oregon
                                     MAX CLELAND, Georgia


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held March 8, 2000.......................................     1
Statement of Senator Abraham.....................................    56
Statement of Senator Bryan.......................................     5
    Prepared statement...........................................     5
Statement of Senator Burns.......................................     1
    Prepared statement...........................................     2
Statement of Senator Hollings....................................     3
    Prepared statement...........................................     4
Statement of Senator Wyden.......................................    37

                               Witnesses

Fuhrman, Michael, Manager, Security Consulting, Cisco Systems....    45
    Prepared statement...........................................    48
Holder, Jr., Eric, Deputy Attorney General, U.S. Department of 
  Justice........................................................     5
    Prepared statement...........................................     7
Misener, Paul, Vice President, Global Public Policy, Amazon.com..    42
    Prepared statement...........................................    44
Reddy, Raj, Ph.D, Herbert A. Simon Professor of Computer Science 
  and Robotics, Carnegie Mellon University.......................    49
    Prepared statement...........................................    52
Reinsch, William, Under Secretary of Commerce, Bureau of Export 
  Administration, U.S. Department of Commerce....................    13
    Prepared statement...........................................    16
Vatis, Michael A., Deputy Assistant Director, Federal Bureau of 
  Investigation, National Infrastructure Protection Programs.....    19
    Prepared statement...........................................    23

                                Appendix

Cleland, Max, U.S. Senator from Georgia, prepared statement......    63

 
                           INTERNET SECURITY

                              ----------                              


                        WEDNESDAY, MARCH 8, 2000

                                       U.S. Senate,
                            Subcommittee on Communications,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 9:35 a.m. in 
room SR-253, Russell Senate Office Building, Hon. Conrad Burns, 
Chairman of the Subcommittee, presiding.

            OPENING STATEMENT OF HON. CONRAD BURNS, 
                   U.S. SENATOR FROM MONTANA

    Senator Burns. The Subcommittee on Communications of the 
Commerce, Science, and Transportation Committee will come to 
order. First, I would like to welcome everyone to today's 
hearing, which is the first of a series of hearings that this 
Subcommittee will hold on the critical issues of Internet 
security and privacy facing our Nation.
    Today's hearing will focus on the unprecedented and 
apparently coordinated recent series of hacker attacks which 
caused some of the most popular Web sites on the Internet to go 
dark. The list of sites that were brought down include such 
Internet mainstays as Amazon.com, eBay, my Auction Barn was 
shut down, no telling how much money it cost me----
    [Laughter.]
    Senator Burns. --cnn.com and e-Trade and Yahoo.
    These attacks are technically called ``distributed denial 
of service attacks,'' which in plain English is like a 
telephone system getting overwhelmed by more calls than it can 
handle. It appears the hackers planned their attacks months in 
advance, going so far as to set up software on many servers all 
over the Internet that was capable of automatically flooding 
targeted Web sites at a certain predetermined time.
    I suppose it is no surprise that these malicious programs 
are called ``daemons,'' spelled d-a-e-m-o-n-s. The hackers 
involved in these attacks have yet to be caught, despite the 
coordinated efforts of our Nation's top law enforcement 
agencies.
    While no consumer data was stolen, real damage was done, 
especially to Internet user's confidence about the security 
systems that they are using. The fear of future attacks was 
enough to cause a massive sell-off in technology stocks in 
early February, when the attacks took place, and the nature of 
these attacks is particularly alarming, as they were 
specifically designed to disrupt electronic commerce.
    The growth of electronic commerce and the Internet has been 
generally astounding. The number of small businesses on the Web 
is doubling every year, and currently over 2 million small 
businesses in the United States have Web sites. In my home 
State of Montana, companies such as Vanns.com and Streaming 
Solutions are showing that all their great work and great ideas 
are coming to fruition. E-commerce potential of the Internet 
still has tremendous up-side, while household spending online 
last year doubled. It is still only about 1 percent of the 
total retail dollars.
    The growth in the Internet is a double-edged sword, 
however. Unfortunately we now live in a world where there are 
malicious criminals who can bring large parts of our Nation's 
critical information infrastructure to a grinding halt. Given 
the seriousness of these attacks, we must act not only quickly 
but effectively. We must think it out and work in the best way. 
In other words, we cannot out-force our enemies. We must out-
think them and be smarter than they are.
    We need to do everything possible to foster better 
coordination between Government and industry in protecting 
Internet security, make sure that our national security and our 
law enforcement agencies have the resources to do their job, 
and to bring our Nation's criminal code up to date with the 
recent development of the Internet. Clearly, the current level 
of coordination between Government agencies and the private 
sector needs to be as seamless and effective as possible.
    A core component of achieving this cooperation is the 
continuing development of the FBI's National Infrastructure 
Protection Center, which was set up 2 years ago to deal with 
the range of potential attacks on the Internet. I strongly 
supported the creation of that center, and I will continue to 
support its full funding. In fact, I want to make it even 
stronger.
    I am concerned, however, that the center is authorized for 
133 employees. We are only up to about 100 now, 40 of whom are 
detailees from other agencies, but I also understand the FBI is 
still short of its goal of hiring 250 field agents to fight 
cybercrime. While I realize that hiring top-level technical 
experts to work in Government is difficult, given the lure of 
Silicon Valley, these positions need to be filled as quickly as 
possible, and that is what I have always argued in the past, 
and I want to make a comment on that this morning.
    Instead of putting a lid on technology we need to fully 
fund and fully support our law enforcement agencies so they are 
abreast of or half a step ahead and working with industry in 
the technology so they can get their job done, so we need a lot 
of work, and I am going to put the rest of my statement in 
here, because I do want to hear from witnesses this morning.
    [The prepared statement of Senator Burns follows:]

   Prepared Statement of Hon. Conrad Burns, U.S. Senator from Montana

    I would like to welcome everyone to today's hearing, which is the 
first in a series of hearings this Subcommittee will be holding on the 
critical issues of Internet security and privacy facing our nation. 
Today's hearing will focus on the unprecedented and apparently 
coordinated recent series of hacker attacks which caused some of the 
most popular websites on the Internet to go dark. The list of sites 
that were brought down included such Internet mainstays as Amazon.com, 
eBay, cnn.com, e-Trade and Yahoo.
    These attacks are technically called ``distributed denial of 
service attacks'' which in plain English is like a telephone system 
getting overwhelmed by more calls than it can handle. It appears the 
hackers planned their attacks months in advance, going so far as to set 
up software on many servers all over the Internet that was capable of 
automatically flooding targeted websites at certain predetermined 
times. I suppose it's no surprise that these malicious programs are 
called ``daemons.'' The hackers involved in theses attacks have yet to 
be caught, despite the coordinated efforts of our nation's top law 
enforcement agencies.
    While no consumer data was stolen, real damage was done-especially 
to Internet users' confidence about the security of the systems they 
are using. The fear of future attacks was great enough to cause a 
massive selloff in technology stocks in early February when the attacks 
took place. The nature of these attacks is particularly alarming, as 
they were specifically designed to disrupt electronic commerce.
    The growth of electronic commerce and the Internet in general has 
been astounding. The number of small businesses on the Web is doubling 
every year, and currently over 2 million small businesses in the United 
States have websites. In my home state of Montana, companies such as 
Vanns.com and Streaming Solutions are showing that all it takes is a 
great idea and hard work to reach global markets through the Internet. 
The e-commerce potential of the Internet still has tremendous upside--
while household spending online doubled last year, it still amounted to 
less than 1 percent of total retail dollars.
    The growth and reach of the Internet is a double-edged sword, 
however. Unfortunately, we now live in a world where malicious 
criminals can bring large parts of the nation's critical information 
infrastructure to a grinding halt.
    Given the seriousness of these attacks, we must act quickly and 
effectively. We need to do everything possible to foster better 
coordination between Government and industry in protecting Internet 
security, make sure our national security and law enforcement agencies 
have the resources to do their jobs and bring our nation's criminal 
code up-to-date with the recent development of the Internet.
    Clearly, the current level of coordination between Government 
agencies and the private sector needs to be as seamless and effective 
as possibe. A core component in achieving this cooperation is the 
continuing development of the FBI's National Infrastructure Protection 
Center, which was setup two years ago to deal with a range of potential 
attacks on the Internet. I strongly supported the creation of the 
Center and continue to support its full funding.
    However, I am concerned that while the Center is authorized for 133 
employees, its staff is still at only 100, 40 of whom are detailees 
from other agencies. I also understand the FBI is still short of its 
goal of hiring 250 field agents to fight cybercrime. While I realize 
that hiring top-level technical experts to work in the Government is 
difficult given the lure of Silicon Valley, these positions need to be 
filled as quickly as possible.
    I want to touch on the issue of criminal penalties on hackers. In 
the recent past, many if not most ``hacker'' attacks were the product 
of intellectual curiosity rather than malicious intent to cause damage. 
Now, however, the vast majority of hacker attacks are done through 
simply downloading pre-existing programs from hacker sites on the web 
and using them to accomplish destructive aims. Rather than stemming 
from misdirected teenage rebellion, current attacks are often engaged 
in by adults who want to inflict the most damage possible. We need to 
severely punish these criminals-and they are criminals. The destruction 
of data belonging to innocent individuals is no less a crime than 
property destruction of the more traditional type. In fact, it can in 
many cases be far worse.
    We are fortunate to have some of the foremost Government and 
industry experts in the field of Internet security with us today. I 
look forward to the testimony of the witnesses in addressing these 
matters of critical importance to the continued development of e-
commerce and the Internet. Thank you.

    Senator Burns. We are joined this morning by Senator 
Hollings. Thank you for coming.

             STATEMENT OF HON. ERNEST F. HOLLINGS, 
                U.S. SENATOR FROM SOUTH CAROLINA

    Senator Hollings. Thank you, Mr. Chairman. If I heard you 
correctly, you said we are going to have to be smarter than 
they are. If we wait on Government to be smarter, that is quite 
a charge.
    Senator Burns.We are not asking for the impossible.
    Senator Hollings. That is near it. We are back--history 
repeats itself. You have got to think of David Sarnoff on the 
Wannamaker Building and the sinking of the LUSITANIA. He picked 
it up. The country went wild over wireless, and by the mid-
twenties everybody was jamming. Everybody in the so-called free 
market of communications came crying to Government, please 
regulate us. Now history repeats itself. They come crying to 
Government, please give us security, please give us privacy, 
because they cannot do it themselves. They say it takes two to 
tango. You cannot have privacy without security.
    So the Justice Department has been working diligently and I 
might add, Mr. Chairman, the Justice Department has grown quite 
a bit in recent years. Slightly over 10 years ago the budget in 
the Justice Department was $4 billion. It is now $23 billion. 
Everybody says cut spending, cut spending, cut spending, but 
the Senators ought to know we have been increasing it like 
gangbusters, and giving the Justice Department everything they 
say they can possibly use, and they have been doing an 
outstanding job.
    In essence, the National Institute of Standards and 
Technology is really onto the technology, and I am delighted to 
hear from the witnesses, and I would ask the remainder of my 
statement be included.
    [The prepared statement of Senator Hollings follows:]

            Prepared Statement of Hon. Ernest F. Hollings, 
                    U.S. Senator from South Carolina

    Senator Burns, thank you for holding this hearing today. It is the 
first hearing in a series that the Committee intends to hold on the 
subject of electronic privacy.
    Internet security and hacking are not generally discussed in the 
context of privacy, but I think that this is an important first topic 
for consideration. No matter what we decide on the right policy to 
protect consumers on the Internet is, no policy can work without a 
secure infrastructure. A company can have the strongest privacy policy 
in the world, but that policy is irrelevant if the company has not 
adequately protected its systems from illegitimate users.
    A month ago at this time, Mr. Misener's company, among others, was 
under attack. That attack highlighted problems which have plagued the 
users of the Internet for some time. Having been brought under the 
media spotlight the question now is: How can we be sure that the 
companies we are doing business with on the Internet are secure? 
Additionally, what do businesses owe their consumers when they are 
victims of computer break in?
    In order to make consumer information safe from hackers, it will be 
necessary to raise the security standards of Internet-based businesses 
as a whole. As we try to craft public policy in this area, we need to 
examine three constructive roles for Government: (1) fostering 
constructive partnerships which enhance private sector security; (2) 
pushing the technological envelope on information infrastructure 
protection; and (3) being a role model through the implementation of 
best security practices.
    In other words, the Government must be prepared to form a 
partnership with industry to share information on new attacks and how 
to stop them. Our research agencies must invest in solving problems 
which will bolster the security of the whole Internet rather than its 
parts. Finally, the Government needs to do a better job of protecting 
its own information. Right now, our departments and agencies are far 
from a shining example of what Internet security can be. We need to 
have in place the right policies, hardware, software, and trained 
personnel to secure Government computer systems. I hope that our 
witnesses will address these areas in their testimony today.
    Already, various agencies of the U.S. Department of Commerce are 
doing important computer security work. Undersecretary Reinsch oversees 
the Critical Infrastructure Assurance Office (CIAO) which is 
coordinating partnerships with the private sector to examine attack 
prevention. The National Institute of Standards and Technology (NIST) 
is a leader in computer security research and, through the 1987 
Computer Security Act, sets standards for securing unclassified 
Government computer systems. The FY 2001 budget request for information 
security would enhance these capabilities at Department of Commerce and 
in other agencies of Government.
    Again, I look forward to hearing the testimony of today's witnesses 
on how we can improve Internet security in this nation and what the 
role of the Government should be in achieving that goal.

    Senator Burns. Thank you, Senator Hollings. Senator Bryan.

              STATEMENT OF HON. RICHARD H. BRYAN, 
                    U.S. SENATOR FROM NEVADA

    Senator Bryan. Mr. Chairman, thank you very much for 
convening this important and timely hearing this morning. As 
Vice Chairman of the Intelligence Committee, we are very much 
aware of the importance, in terms of our national security 
concerns, of computer hacking. All of us have been mindful of 
the recent successful attacks against some of the most 
significant Web sites in the country, and so I will be looking 
forward to hearing the testimony of our distinguished witnesses 
this morning. I would ask unanimous consent that the rest of my 
statement be made a part of the record.
    Senator Burns. Without objection, it sure will.
    [The prepared statement of Senator Bryan follows:]

             Prepared Statement of Hon. Richard H. Bryan, 
                        U.S. Senator from Neveda
    As our society continues to become more reliant on the Internet to 
conduct our daily affairs, the issue of Internet security becomes 
increasingly important for both the public and private sector. As Vice 
Chairman of the Intelligence Committee, I am very familiar with the 
national security concerns confronting our intelligence community on a 
daily basis that result from computer hacking. And as public agencies 
at all levels of Government continue to do more and more of their 
business online, Internet security becomes a paramount issue for 
Government officials. I look forward to hearing from our Government 
witnesses today, especially Deputy Attorney General Holder, on what 
additional law enforcement tools and other measures are needed to 
protect the integrity of the Federal Government's computer systems.
    The recent denial of service attacks against a handful of the top 
U.S. web sites was a good illustration of the vulnerabilities faced by 
the private sector. Perhaps even more alarming, however, are the 
privacy concerns associated with security breaches for companies that 
gather large amounts of personally identifiable information about 
consumers over the Internet. The issues related to online privacy and 
Internet security are clearly interrelated, and I look forward to 
hearing our witnesses comment on what role the Federal Government 
should play in these areas.

    Senator Burns. Our first panel this morning is Mr. Eric 
Holder, Deputy Attorney General, U.S. Department of Justice, 
Mr. William Reinsch, Under Secretary of Commerce for Bureau of 
Export Administration, Department of Commerce, and Michael 
Vatis, Deputy Assistant Director, Federal Bureau of 
Investigation here in Washington, D.C.
    Gentlemen, we welcome you to the table this morning. We 
look forward to your testimony, and the dialog that we may 
present this morning on this subject, and I will just start as 
they are listed.       Mr. Holder, thank you for coming this 
morning. We look forward to your testimony.

 STATEMENT OF ERIC HOLDER, JR., DEPUTY ATTORNEY GENERAL, U.S. 
                     DEPARTMENT OF JUSTICE

    Mr. Holder. Thank you, Mr. Chairman, Senator Hollings, 
Senator Bryan, other members of the Subcommittee. I want to 
thank you for the opportunity to testify on cybercrime, 
including the recent Internet denial of service attacks. The 
Department appreciates the support we have received from 
Congress in providing significant resources and tools we need 
to keep pace with the ever-changing kind of cybercrime. We look 
forward to continuing our cooperation with Congress to ensure 
that law enforcement, in cooperation with the private sector--
and that is very key, in cooperation with the private sector, 
play an appropriate role in protecting American citizens and 
businesses against cyber attacks while also safeguarding the 
privacy rights we hold dear in our country.
    I would be happy to address your questions on the recent 
attacks to the extent that I can without compromising our 
investigation. At this point, I would simply say we are taking 
the attacks very seriously, and that we will do everything in 
our power to identify those who are responsible and to bring 
them to justice.
    We are making, I think, progress in the investigation, and 
in addition to the malicious disruption of the legitimate 
commerce, so-called disruption attacks, they also involve the 
unlawful intrusion into a number of computers. Thus, the number 
of victims in these types of cases can be substantial, and the 
loss and cost to respond to those attacks can run into the tens 
of millions of dollars or more.
    Computer crime investigators in a number of FBI field 
offices and investigators from other agencies are investigating 
these attacks. The agents are also working closely with our 
network of specially trained computer crime prosecutors who are 
available 24 hours a day, 7 days a week to provide legal advice 
and to obtain whatever court orders are necessary. We are also 
obtaining information from victim companies and security 
experts who, like many in the Internet community, condemn these 
recent attacks.
    Now, while the Internet is providing wonderful benefits 
that are transforming our society and countless beneficial 
ways, from providing new high-wage jobs to our economy, to 
improving health care, and in countless other ways, these 
wonderful technologies also provide new opportunities for 
criminals.
    Online crime is rapidly increasing. We are seeing more pure 
computer crime, that is, crimes where the computer is used as a 
weapon to attack other computers, as we saw in the distributed 
denial of service attacks I just spoke about, and in the spread 
of malicious codes like viruses. These crimes not only affect 
our financial well-being and our privacy, they also threaten 
our Nation's critical infrastructure.
    We are also seeing a migration of traditional crimes, 
including threats, child pornography, fraud, gambling, and 
extortion from the physical to the online world. When these 
crimes are carried out online, perpetrators often find that 
they can reach more victims quickly and quite easily, turning 
what were once local scams into crimes that cross interstate 
and even international borders.
    Now, while the Internet has tremendous benefits to our 
society, including greater freedom of expression and economic 
growth, we must also recognize that investigators and 
prosecutors at all levels, international, Federal, State, and 
local, are encountering unique challenges, and these include 
technical challenges that hinder law enforcement's ability to 
find and to prosecute criminals operating online, legal 
challenges resulting from laws, and legal tools needed to 
investigate cybercrime lagging behind technological, 
structural, and social changes.
    And third, we face resource challenges that limit our 
ability to focus adequate investigative, prosecutorial, and 
technical resources on cybercrime. Now, in this regard, the 
Department is seeking an additional $37 million in fiscal year 
2001 to bolster our cybercrime program, including additional 
resources for the FBI, specially trained cyber prosecutors and 
assistants to State and local law enforcement agencies, but we 
recognize that Government will not be able to solve all of 
these problems.
    In fact, we believe that the private sector should take the 
lead in protecting private computer networks through more 
vigilant security efforts, information-sharing and, where 
appropriate, cooperation with Government agencies. The private 
sector can and should take the lead when improving security 
practices, and the development of a more secure Internet 
infrastructure.
    Now, despite the technical, legal, and resource challenges 
we face, the Department has made, we believe, strides in our 
fight against cybercrime. We have and we will continue to 
develop extensive investigatory and prosecutorial programs to 
counter cybercrime. We have established the FBI's National 
Infrastructure Protection Center, NIPC as we call it, and 
specialized squads located in 16 field offices. From the 
prosecutorial side, we have trained attorneys both at 
headquarters and in the field who are experts in legal 
technological and practical challenges involved in 
investigating and prosecuting cybercrime.
    As a result of these programs, the number of cases and 
prosecutions by the Department is growing at a tremendous rate. 
For example, in 1998, U.S. Attorneys Offices filed 85 computer 
crime cases against 116 defendants, and this represents a 29-
percent increase in the number of cases filed and a 51-percent 
increase in the number of defendants compared to the previous 
year. From the same period of time a total of 62 cases against 
72 defendants were terminated, with 78 percent of those 
defendants being convicted.
    On behalf of the Department, I again want to thank Congress 
for the support it has given to our efforts to combat 
cybercrime. Advancements in technology indicate that our 
efforts are really only just beginning. We look forward to 
working with Congress and the private sector to ensure that we 
have a robust and effective long-term plan for combatting 
cybercrime, protecting our Nation's infrastructure, 
safeguarding privacy, and ensuring the Internet reaches its 
full potential for expanding communications, facilitating 
commerce, and bringing countless other benefits to our society.
    I look forward to responding to your questions.
    [The prepared statement of Mr. Holder follows:]

   Prepared Statement of Eric Holder, Jr., Deputy Attorney General, 
                       U.S. Department of Justice

    Mr. Chairman, Senator Hollings, and other Members of the 
Subcommittee, I want to thank you for this opportunity to testify on 
the recent Internet ``denial of service'' attacks and the Federal 
response to these incidents, with a particular focus on the challenges 
facing the Department of Justice in its fight against cybercrime. At a 
time where new technologies abound and our society becomes increasingly 
reliant on computer networks and thus vulnerable to cybercrime, we look 
forward to working with Congress to ensure that law enforcement, in 
cooperation with the private sector, can play an appropriate and 
critical role in protecting the well-being of Americans while also 
respecting fundamental notions of individual privacy that we hold dear 
in this country.

Comments on the Recent Attacks

    I would be happy to address your questions on the recent attacks, 
to the extent I can do so without compromising our investigation. At 
this point, I would simply say that we are taking the attacks very 
seriously and that we will do everything in our power to identify those 
responsible and bring them to justice. In addition to the malicious 
disruption of legitimate commerce, so-called ``denial of service'' 
attacks involve the unlawful intrusion into an unknown number of 
computers, which are in turn used to launch attacks on the eventual 
target computer, in this case the computers of Yahoo, eBay, and others. 
Thus, the number of victims in these types of cases can be substantial, 
and the collective loss and cost to respond to these attacks can run 
into the tens of millions of dollars--or more.

Overview of Investigative Efforts and Coordination

    Computer crime investigators in a number of FBI field offices and 
investigators from other agencies are investigating these attacks. They 
are coordinating information with the National Infrastructure 
Protection Center (NIPC) of the FBI. The agents are also working 
closely with our network of specially trained computer crime 
prosecutors who are available 24 hours a day/7 days a week to provide 
legal advice and obtain whatever court orders are necessary. Attorneys 
from the Criminal Division's Computer Crime and Intellectual Property 
Section (CCIPS) are coordinating with the Assistant United States 
Attorneys in the field. We are also obtaining information from victim 
companies and security experts, who, like many in the Internet 
community, condemn these recent attacks. We are also working closely 
with our counterparts in other nations. I am proud of the efforts being 
made in this case, including the assistance we are receiving from a 
number of Federal agencies.

The Emergence of Cybercrime

    It is worth remembering that just ten years ago, the Internet was 
largely unknown and unavailable to the average person. There was no e-
commerce, no eBay, no Amazon.com. At that time, the Internet was a 
collection of military, academic, and research networks serving a small 
community of trusted users. That world is history. The far-reaching, 
ever-expanding, and ever more rapid advances in computer and software 
technology over the last ten years have combined with the explosive 
growth of the Internet to change the world forever. For the most part, 
the Internet and other technologies are providing wonderful benefits to 
our society--from providing new, high-wage jobs to our economy, to 
expanding educational opportunities, improving health care, and 
allowing family and friends to keep in touch in ways that were simply 
impossible a decade ago.
    Unfortunately, these wonderful technologies also provide new 
opportunities for criminals. Online crime is rapidly increasing. We are 
seeing more ``pure'' computer crimes, that is, crimes where the 
computer is used as a weapon to attack other computers, as we saw in 
the distributed denial of service attacks I just spoke about, and in 
the spread of malicious code, like viruses. Our vulnerability to this 
type of crime is astonishingly high--it was only this past December 
that a defendant admitted, when he pled guilty in Federal and state 
court to creating and releasing the Melissa virus, that he caused over 
80 million dollars in damage. These crimes also include computer 
intrusions designed to obtain information of the most sensitive sort--
such as credit cards, companies' trade secrets, or individuals' private 
information.
    These crimes not only affect our financial well-being and our 
privacy; they also threaten our nation's critical infrastructure. Our 
banking system, the stock market, the electricity and water supply, 
telecommunications networks, and critical Government services, such as 
emergency and national defense services, all rely on computer networks. 
For a real-world terrorist to blow up a dam, he would need tons of 
explosives, a delivery system, and a surreptitious means of evading 
armed security guards. For a cyberterrorist, the same devastating 
result could be achieved by hacking into the control network and 
commanding the computer to open the floodgates.
    We are also seeing a migration of ``traditional'' crimes--including 
threats, child pornography, fraud, gambling, and extortion--from the 
physical to the online world. When these crimes are carried out online, 
perpetrators often find that the can reach more victims quickly and 
quite easily, turning what were once ``local'' scams into crimes that 
cross interstate and international borders. Computers and computer 
networks provide a cheap and powerful means of communications, and 
criminals take advantage of this just like everyone else. In addition, 
sophisticated criminals can readily use the easy anonymity that the 
Internet provides to hide their crimes.

Challenges of Cybercrime

    The Internet and computers have brought tremendous benefits to our 
society, including greater freedom of expression and economic growth. 
But we must also recognize that as a result of our society's increasing 
reliance on technology, investigators and prosecutors at all levels--
international, Federal, state, and local--are encountering unique 
challenges. These challenges generally can be divided into three 
categories:

        (1) Technical challenges that hinder law enforcement's ability 
        to find and prosecute criminals operating online;
        (2) Legal challenges resulting from laws and legal tools needed 
        to investigate cybercrime lagging behind technological, 
        structural, and social changes; and
        (3) Resource challenges to ensure we have satisfied critical 
        investigative and prosecutorial needs at all levels of 
        Government.

    Before I discuss each of these challenges, let me say that we 
recognize that we in Government will not be able to solve all of these 
problems. In fact, we believe strongly that the private sector should 
take the lead in protecting private computer networks, through more 
vigilant security efforts, information sharing, and, where appropriate, 
cooperation with Government agencies. The private sector has the 
resources, the technical ability, and the trained personnel to ensure 
that, as technology continues to develop and change rapidly, the 
Internet is a safer place for all of us. The private sector can and 
should take the lead on improving security practices and the 
development of a more secure Internet infrastructure.
    However, even assuming that private sector, and the broader 
Internet community as a whole, take steps to provide a safe, secure, 
and vibrant Internet, there will be instances where the practices and 
safeguards fail. Criminals rob banks even though banks use numerous 
security measures. In such cases, law enforcement must be prepared and 
equipped to investigate and prosecute cybercriminals in order to stop 
their criminal activity, to punish them, and to deter others who might 
follow the same path. This is the reason that it is so important that 
we work together to address the challenges I am about to discuss.

        Technical Challenges

    When a hacker disrupts air traffic control at a local airport, when 
a child pornographer sends computer files, when a cyberstalker sends a 
threatening e-mail to a public school or a local church, or when credit 
card numbers are stolen from a company engaged in e-commerce, 
investigators must locate the source of the communication. Everything 
on the Internet is communications, from an e-mail to an electronic 
heist. Finding an electronic criminal means that law enforcement must 
determine who is responsible for sending anelectronic threat or 
initiating an electronic robbery. To accomplish this, law enforcement 
must in nearly every case trace the ``electronic trail'' leading from 
the victim back to the perpetrator.
    Tracking a criminal online is not necessarily an impossible task, 
as demonstrated last year when Federal and state law enforcement 
agencies were able to track down the creator of the Melissa virus and 
the individual who created a false Bloomburg News Service website in 
order to drive up the stock price of PairGain, a telecommunications 
company in California. In both cases, technology enabled us to find the 
individuals who were engaging in criminal activity.
    Unfortunately, despite our successes in the Melissa and PairGain 
cases, we still face significant challenges as online criminals become 
more sophisticated, often wearing the equivalent of Internet electronic 
gloves to hide their fingerprints and their identity.
    It doesn't take a master hacker to disappear on a network. 
Ironically, while the public is justifiably worried about protecting 
the legitimate electronic privacy of individuals who use networks, a 
criminal using tools and other information easily available over the 
Internet can operate in almost perfect anonymity. By weaving his or her 
communications through a series of anonymous remailers; by creating a 
few forged e-mail headers with powerful, point-and-click tools readily 
downloadable from many hacker web sites; or by using a ``free-trial'' 
account or two, a hacker, online pornographer, or web-based fraud 
artist can often effectively hide the trail of his or her 
communications.
    As we consider the challenge created by anonymity, we must also 
recognize that there are legitimate reasons to allow anonymity in 
communications networks. A whistleblower, a resistance fighter in 
Kosovo, a battered woman's support group--all of these individuals may 
understandably wish to use the Internet and other new technologies to 
communicate with others without revealing their identities.
    In addition to problems related to the anonymous nature of the 
Internet, we are being challenged to investigate and prosecute 
criminals in an international arena. The Internet is a global medium 
that does not recognize physical and jurisdictional boundaries. A 
criminal no longer needs to be at the actual scene of the crime to prey 
on his or her victims. As a result, a computer server running a web 
page designed to defraud U.S. senior citizens might be located in 
Europe or Asia. A child pornographer may distribute photographs or 
videos via e-mail, sending the e-mails through the communications 
networks of several countries before they reach their intended 
recipients. With more than 190 Internet-connected countries in the 
world, the coordination challenges facing law enforcement are 
tremendous. And any delay in an investigation is critical, as a 
criminal's trail might, in certain circumstances, end as soon as he or 
she disconnects from the Internet.
    Likewise, evidence of a crime can be stored at a remote location, 
either for the purpose of concealing the crime from law enforcement and 
others, or simply because of the design of the network. In certain 
circumstances, the fact that the evidence is stored and held by a third 
party, such as an Internet service provider, might be helpful to law 
enforcement agencies who might be able to use lawful process to get 
that information. However, storing information remotely can also create 
a challenge to law enforcement, which cannot ignore the real-world 
limits of local, state, and national sovereignty and jurisdiction. 
Obtaining information from foreign countries, especially on an 
expedited basis, can be a daunting task, especially when a country may 
be in a different time zone, use a different language, have different 
legal rules, and may not have trained experts available. Consequently, 
even as the Internet and other new technologies have given us new 
abilities to find criminals remotely, our abilities can be hindered if 
we cannot obtain the necessary legal cooperation from our counterparts 
in other countries.
    The vast majority of Internet companies are good corporate citizens 
and are interested in the safety of our citizens. In fact, several 
companies have been engaged in discussions with law enforcement 
regarding our concerns. Despite these efforts, we have learned that we 
cannot take for granted the nature of any Internet service provider's 
services, its record-keeping practices, and its ability or willingness 
to cooperate with us. We have encountered a handful of companies 
involved in criminal activity. In addition, even those companies that 
are not involved in criminal activities might not be able to assist us 
because of business reasons or privacy concerns that have resulted in 
them not keeping the records that will assist in the investigation of a 
particular crime.
    Moreover, users connect to the Internet from anywhere in the world 
over old-fashioned telephone lines, wireless phones, cable modems, and 
satellite systems. Each of these telecommunications systems has its own 
protocols for addressing and routing traffic, which means that tracking 
all the way back to the criminal at his or her computer will require 
agents to be fluent in each technical language. Gathering this evidence 
from so many kinds of providers is a very different proposition from 
the days when we simply obtained an order for a telephone company to 
trace a threatening call.

        Legal Challenges

    Deterring and punishing computer criminals requires a legal 
structure that will support detection and successful prosecution of 
offenders. Yet the laws defining computer offenses, and the legal tools 
needed to investigate criminals using the Internet, can lag behind 
technological and social changes, creating legal challenges to law 
enforcement agencies.
    We may be able to correct some of the legal challenges we encounter 
through legislative action. For example, the Computer Fraud and Abuse 
Act, 18 U.S.C. Sec. 1030, arguably does not reach a computer hacker who 
causes a large amount of damage to a network of computers if no 
individual computer sustains over $5,000 worth of damage. The 
Department of Justice has encountered several instances in which 
intruders have gained unauthorized access to protected computers 
(whether publicly or privately owned) used in the provision of 
``critical infrastructure'' systems and services--such as those that 
hospitals use to store sensitive information and to treat patients, and 
those that the military uses to defend the nation--but where proof of 
damage in excess of $5000 has not been readily available.
    The laws under which we are able to identify the origin and 
destination of telephone calls and computer messages also need to be 
reviewed. For example, under current law we may have to obtain court 
orders in multiple jurisdictions to trace a single communication. 
Obtaining court orders in multiple jurisdictions does not advance any 
reasonable privacy safeguard, yet it can be a substantial impediment to 
a fast-paced investigation. As the Attorney General testified recently, 
it might be extremely helpful, for instance, to provide nationwide 
effect for trap and trace orders.
    Another concern focuses on the problem of online threats and 
serious harassment--that is, cyberstalking. Current Federal law does 
not address those situations where a cyberstalker uses unwitting third 
parties to bombard a victim with messages, transmits personal data 
about a person--such as the route by which the victim's children walk 
to school--in order to place such person or his family in fear of 
injury, or sends an e-mail or other communications under someone else's 
name with the intent to abuse, harass, or threaten that person. We 
believe Federal law may need to be amended to address this gap.
    These aren't hypothetical changes that we are proposing to address. 
Just ask the California woman who was awakened six times in the middle 
of the night to find men knocking on her door offering to rape her. She 
discovered that a man whom she had told she was not romantically 
interested in had posted personal advertisements on a variety of 
Internet services pretending to be her. Each posting, which contained 
her home address and telephone number, claimed that she fantasized 
about being raped. We need to ensure that laws against harassment 
clearly prohibit such horrific actions, particularly since access to 
the Internet means immediate access to a wide audience.
    While we believe changes in Federal law may be necessary to address 
these challenges, we also want to emphasize that any such legislation 
should be tailored to address the challenges we face and should avoid 
unnecessary infringement on personal privacy. We recognize the 
importance the public attaches to individual privacy, and any 
legislation must be carefully balanced to avoid unnecessary 
infringement on the privacy rights we hold dear in this country.

        Resource Challenges

    In addition to technical and legal challenges, we face significant 
resource challenges. Simply stated, we need an adequate number of 
prosecutors and agents--at the Federal, state and local level--trained 
with the necessary skills and properly equipped to effectively fight 
all types of cybercrime.
    While Congress has been very supportive of the Department's 
cybercrime efforts, we need additional resources to ensure we are 
adequately equipped to continue our battle against cybercriminals. The 
President has requested $37 million in new money in FY 2001 to expand 
our staffing, training and technological capabilities to continue the 
fight against computer crime. Together, these enhancements will 
increase the Department's 2001 funding base for computer crime to $138 
million, 28 percent more than in 2000.
    Last, the Department of Justice would like to work with Congress to 
develop a comprehensive, five-year plan--with FY 2001 as our baseline--
to prevent cybercrime and, when it does occur, to locate, identify, 
apprehend and bring to justice those responsible for these types of 
crimes. On February 16th, the Attorney General testified before 
Congress regarding a proposed a 10-point plan to identify the key areas 
we need to develop for our cybercrime capability. The key points of 
this plan she touched upon include:

          Developing a round-the-clock network of Federal, 
        state and local law enforcement officials with expertise in, 
        and responsibility for, investigating and prosecuting 
        cybercrime.
          Developing and sharing expertise--personnel and 
        equipment--among Federal, state and local law enforcement 
        agencies.
          Dramatically increasing our computer forensic 
        capabilities, which are so essential in computer crime 
        investigations--both hacking cases and cases where computers 
        are used to facilitate other crimes, including drug 
        trafficking, terrorism, and child pornography.
          Reviewing whether we have adequate legal tools to 
        locate, identify, and prosecute cybercriminals. In particular, 
        we may need new and more robust procedural tools to allow state 
        authorities to more easily gather evidence located outside 
        their jurisdictions. We also need to explore whether we have 
        adequate tools at the Federal level to effectively investigate 
        cybercrime.
          Because of the borderless nature of the Internet, we 
        need to develop effective partnerships with other nations to 
        encourage them to enact laws that adequately address cybercrime 
        and to provide assistance in cybercrime investigations. A 
        balanced international strategy for combating cybercrime should 
        be at the top of our national security agenda.
          We need to work in partnership with industry to 
        address cybercrime and security. This should not be a top-down 
        approach through excessive Government regulation or mandates. 
        Rather, we need a true partnership, where we can discuss 
        challenges and develop effective solutions that do not pose a 
        threat to individual privacy.
          And we need to teach our young people about the 
        responsible use of the Internet. The Department of Justice and 
        the Information Technology Association of America have already 
        taken steps to do so through the development of the 
        Cybercitizen Partnership, but more needs to be done.

Efforts Against Cybercrime

    Despite the technical, legal, and resource challenges, the 
Department has made strides in our fight against cybercrime. We have 
and will continue to develop extensive investigatory and prosecutorial 
programs to counter cybercrime. Let me take a few moments to details 
some of our efforts to date.
    On the investigatory side, we have the FBI's National 
Infrastructure Protection Center (NIPC) and specialized squads located 
in 16 field offices.
    On the prosecutorial side, we have trained attorneys, both in 
headquarters and in the field, who are experts in the legal, 
technological, and practical challenges involved in investigating and 
prosecuting cybercrime. The cornerstone of our prosecutor cybercrime 
program is the Computer Crime and Intellectual Property Section. CCIPS, 
which currently has 18 attorneys, was founded in 1991 as the Computer 
Crime Unit and was elevated to Section status in 1996. CCIPS works 
closely on computer crime cases with Assistant United States Attorneys 
known as ``Computer and Telecommunications Coordinators'' (CTC's) in 
U.S. Attorneys' Offices around the country. Each CTC is given special 
training and equipment, and serves as the district's expert in computer 
crime cases. As a result of these programs, the number of cases and 
prosecutions by the Department is growing at a tremendous rate. For 
example, in 1998, U.S. Attorneys' Offices filed 85 computer crime cases 
against 116 defendants. This represents a 29 percent increase in the 
number of cases filed and a 51 percent increase in the number of 
defendants, compared to the previous year. During that same period of 
time, a total of 62 cases against 72 defendants were terminated, with 
78 percent of those defendants being convicted.
    At the same time, our prosecutors are working with numerous other 
Federal, state, and local investigators and prosecutors, providing 
assistance in any case involving computers and other high technology, 
such as computer searches and seizure. In sum, the Department and, in 
particular, its investigators and prosecutors take seriously our 
responsibility to protect the nation's computers and the Internet from 
computer crime.
    In addition to the Department's efforts, other agencies including 
the Customs Service, the Secret Service, the Securities and Exchange 
Commission, and the U.S. Postal Service's Inspectors General, have 
played a role in the investigation and prosecution of computer crimes.

Infrastructure Protection

    The Department is also a full partner in ongoing efforts to assure 
our nation's critical infrastructures and to make them less vulnerable 
to the emerging risks of the information age.
    I mentioned before that we believe strongly that the private sector 
should take the lead in protecting private computer networks, through 
more vigilant security efforts, information sharing, and, where 
appropriate, cooperation with Government agencies. Within this 
framework, and apart from prosecuting those who launch criminal attacks 
on our infrastructure (which is our critical responsibility), the 
Department can make important contributions. In the information sharing 
arena, we have continued some of the groundwork started by the 
President's Commission on Critical Infrastructure Protection by more 
closely examining the issues that may impede robust sharing of risk-
related information between private sector entities, between 
Governmental entities, and between Government and the private sector.
    As the private sector protects its networks, so must the 
Government. Therefore, the Department of Justice is working to ensure 
that its own networks are secure. We are also involved in efforts, 
under the auspices of the Critical Infrastructure Coordinating Group of 
the National Security Council, to help Federal agencies expedite and 
simplify the process of performing ``vulnerability assessments,'' in 
order to uncover hidden vulnerabilities of critical Government systems 
before others try to do that for us.
    Finally, the Justice Department also is involved in efforts to 
ensure that all programs arising out of the Federal Government's 
``infrastructure assurance'' efforts are implemented in way entirely 
respects long-standing protections for the privacy rights of 
individuals.

Conclusion

    On behalf of the Department of Justice, I want to thank Congress 
for all the support it has given to our efforts to combat cybercrimes. 
Advancements in technology indicate that our efforts are only just 
beginning. We look forward to working with Congress and the private 
sector to ensure that we have a robust and effective long-term plan for 
combating cybercrime, protecting our nation's infrastructure, 
safeguarding privacy, and ensuring that the Internet reaches its full 
potential for expanding communications, facilitating commerce, and 
bringing countless other benefits to our society.

    Senator Burns. Thank you very much, Mr. Holder. I 
appreciate that. Now we have Mr. William Reinsch, and Bill, 
thank you for coming back today. We have been across the table 
many times on different issues, and I appreciate your openness 
and your willingness to come down and visit with us on issues 
such as this. We are looking forward to your statement.

  STATEMENT OF WILLIAM REINSCH, UNDER SECRETARY OF COMMERCE, 
               BUREAU OF EXPORT ADMINISTRATION, 
                  U.S. DEPARTMENT OF COMMERCE

    Mr. Reinsch. Thank you, Mr. Chairman. It is always a 
pleasure to be here, particularly a pleasure to be here and not 
talk about encryption, so I am delighted to have the 
opportunity to have a different subject at hand.
    My statement begins with some comments about the importance 
of computer networks and the Internet, and there is no 
committee that knows more about it than you all, so I think I 
will just get right into the meat of what I want to tell you 
this morning, Mr. Chairman.
    Senator Burns. Your complete statement will be made a part 
of the record, however, Mr. Secretary.
    Mr. Reinsch. I appreciate that. Protecting our critical 
infrastructure requires that we draw on various assets of the 
Government. When specific incidents or cyber events occur, the 
Government needs the capacity to issue warnings, investigate 
the incident, and develop a case to punish the offenders. The 
National Information Protection Center at the FBI is organized 
to deal with such events as they occur. Over the long term, the 
Government also has a duty to be proactive to ensure that our 
computer systems are protected from attack.
    Critical infrastructure protection involves assets of both 
the Government and the private sector. A number of agencies 
have responsibilities with respect to Government computer 
systems. The Department of Defense is well on its way to 
securing its critical systems, and OMB and NIST have 
responsibility for information resources management of computer 
systems in Federal agencies.
    I want to make clear, Mr. Chairman, the Federal 
Government's responsibility in this area. The commission of 
crimes is only part of the equation. The infrastructures at 
risk are owned and operated by the private sector. The use of 
information technology is so embedded in the core operations 
and customer service delivery systems of industry that 
inevitably it will be they who must work together to take the 
steps necessary to protect themselves. However, we can help.
    The first major step is the elevation of awareness across 
industry of the business case for action for leaders within 
industry. They have a commercial interest in maintaining a 
secure business environment that assures public confidence in 
their institutions. We can also help identify problems, 
identify good practices and management practices and 
strategies, publicize them, encourage planning, promote 
research and development, and convene meetings, which is not a 
small matter.
    In short, we can act as a catalyst for industry to 
mobilize. That is precisely the role the Commerce Department is 
playing in several ways. NTIA is a lead agency for the 
communications information sector. In February 1999, NTIA 
created a private sector coordinator consortium. The consortium 
is filled by representatives from the Information Technology 
Association of America, the Telecommunications Industry 
Association, and the U.S. Telecom Association, all groups I am 
sure you are familiar with.
    Among their initiatives, the consortium has been raising 
awareness among industry through the exchange of information on 
threats and vulnerabilities, conducting information security 
surveys across sectors, and developing and assessing critical 
infrastructure-related standards and best practices. Perhaps 
our most important area right now is the development of what we 
are calling the Partnership for Critical Infrastructure 
Security. The partnership is a collaborative effort between 
industry and Government. It brings representatives of the 
infrastructure sector together in a dialog with each other and 
with other stakeholders, including the risk management and 
investment communities, mainstream businesses, and also State 
and local Governments.
    Secretary Daley, Greg Rohde and I met with senior members 
of over 80 partnership companies in New York in December. We 
met again last month in Washington with over 220 senior members 
of more than 120 partnership companies to encourage business 
leaders to adopt information security as an integral business 
practice.
    The partnership agreed to address such important issues as 
cross-sector vulnerability assessments, information-sharing, 
and R&D requirements. It set up working groups in those areas 
which are continuing to meet throughout the spring, and the 
next meeting of the full partnership will be this summer. The 
Department's Critical Infrastructure Assurance Office, or CIAO, 
also is assisting Federal agencies in conducting analyses of 
their dependencies on critical infrastructures.
    CIAO has just finished an ambitious pilot program that 
identifies the critical assets of the Commerce Department and 
maps out dependencies on Governmental and private sector 
infrastructures. This program will provide important input to 
managers and security officials as they seek to assure their 
critical assets against cyber attacks. The Commerce Department 
through the CIAO also coordinated the development of the 
national plan for information systems protection. President 
Clinton announced the release of version 1.0 of the plan on 
January 7. This is it. If you do not have any, I would be 
pleased to provide you with thousands of them.
    It represents the first attempt by any national Government 
to design a way to protect those infrastructures essential to 
the delivery of electric power, oil and gas, communications, 
transportation services, banking and financial services, and 
vital human services. Increasingly, these infrastructures are 
being operated and controlled through the use of computers and 
computer networks. My full statement, Mr. Chairman, has 
substantial information about the details of the plan that I 
will pass over in the interest of time.
    Finally, let me make a comment about funding. President 
Clinton has proposed increases for critical infrastructure 
protection substantially over the past 3 years, including a 15 
percent increase in his fiscal year 2001 budget to $2.01 
billion. He has also developed and funded new initiatives to 
defend the Nation's systems from cyber attack. For example, 
establishing a permanent export review team at NIST that will 
help agencies conduct vulnerability analyses and develop 
critical infrastructure protection plans, working to recruit, 
train, and retrain Federal information technology experts.
    We have developed and provided fiscal year 2001 funding for 
a Federal cyber services training and education initiative led 
by OPM and the National Science Foundation, which calls for two 
programs. The first is an ROTC-like program, where we pay for 
information technology education in exchange for Federal 
service, and the second is a program to establish competencies 
and to certify our existing IT work force. As I think you, Mr. 
Chairman, or Senator Hollings commented that obtaining and 
retraining information technology workers in the Federal 
Government, whether it is in the law enforcement area or on the 
civilian side, is an extremely difficult thing to do.
    We think this program will be an important first step, in 
addition to funding seven public key infrastructure model pilot 
programs in fiscal year 2001 at different Federal agencies, 
designing a Federal intrusion detection network, or FIDNET, to 
protect vital systems in Federal civilian agencies, and 
ensuring the rapid implementation of system patches for known 
software defects. FIDNET will operate in full compliance with 
all existing privacy laws.
    Developing Federal R&D efforts. R&D investments in computer 
security will grow by 31 percent in the President's fiscal year 
2001 budget. Part of that includes establishing an Institute 
for Information Infrastructure Protection in NIST, as 
recommended by the President's Committee of Advisors on Science 
and Technology, or PiCAST.
    The institute would identify and address serious R&D gaps 
that neither the private sector nor the Government's national 
security community would otherwise address, but that are 
necessary to ensure the robust, reliable operation of the 
national information infrastructure. The President's 2001 
budget provides $150 million for the institute.
    Finally, the National Infrastructure Assurance Council, 
NIAC. The President signed an executive order creating this 
advisory council last year. Its members are now being recruited 
from the senior ranks of the critical infrastructure 
industries, including the information technology, State and 
local Governments, and we expect an announcement about that 
shortly.
    In addition, the President has announced a number of new 
initiatives designed to support efforts for enhancing computer 
security, including the $9 million fiscal year 2000 budget 
supplemental that jump starts several of the key elements of 
next year's budget that I just mentioned.
    In closing, Mr. Chairman, let me simply say that in early 
February Secretary Daley met with the President and 25 senior 
executives concerned about the recent disruptions to the 
Internet. This meeting reinforced the need for further 
cooperation between Government and industry to help the private 
sector to develop its action agenda for cyber security. The 
incidents of early February are not cause, in our judgment, for 
pushing the panic button, but they are a wake-up call for 
action.
    As the President said, I think there is a way that we can 
clearly promote security. The President submitted a budget 
proposal that funds a number of initiatives that address 
critical information systems protection. If we are to reap the 
benefits of the information age, we need to take action to 
maintain public confidence in a secure business environment 
that ensures both our national security and the growth of our 
economy.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Reinsch follows:]

  Prepared Statement of William Reinsch, Under Secretary of Commerce, 
      Bureau of Export Administration, U.S. Department of Commerce
    Mr. Chairman, I welcome this opportunity to appear before you to 
discuss the Federal Government's efforts to protect the nation's 
critical infrastructures.
    Interdependent computer networks are an integral part of doing 
business in the Information Age. America is increasingly dependent upon 
computer networks for essential services, such as banking and finance, 
emergency services, delivery of water, electricity and gas, 
transportation, and voice and data communications. New ways of doing 
business in the 21st century are rapidly evolving. Business is 
increasingly relying on E-commerce for its commercial transactions as 
well as for its critical operations. At the same time, recent hacking 
attempts at some of the most popular commercial Web sites underscore 
that America's information infrastructure is an attractive target for 
deliberate attack or sabotage. These attacks can originate from a host 
of sources, such as terrorists, criminals, hostile nations, or the 
equivalent of car thief ``joyriders.'' Regardless of the source, 
however, the potential for cyber damage to our national security and 
economy is evident.
    Protecting our critical infrastructures requires that we draw on 
various assets of the Government. When specific incidents or cyber 
events occur, the Government needs a capacity to issue warnings, 
investigate the incident, and develop a case to punish the offenders. 
The National Information Protection Center at the FBI is organized to 
deal with such events as they occur.
    Over the long term, the Government also has a duty to be proactive 
to ensure that our computer systems are protected from attack. Critical 
infrastructure protection involves assets of both the Government and 
the private sector. A number of agencies have responsibilities with 
respect to Government computer systems. The Department of Defense is 
well on its way to securing its critical systems, and the Office of 
Management and Budget (OMB) and the National Institute of Standards and 
Technology at the Department of Commerce (NIST) have responsibility for 
information resources management of computer systems in Federal 
agencies.
    I want to make clear that the Federal Government's responsibility 
in this area with respect to the commission of crimes is only part of 
the equation. The infrastructures at risk are owned and operated by the 
private sector. The use of information technology is so embedded in the 
core operations and customer service delivery systems of industry that 
inevitably, it will be they who must work together to take the steps 
necessary to protect themselves. We can help. The first major step is 
the elevation of awareness across industry of the ``business case for 
action'' for leaders within industry. They have a commercial interest 
in maintaining a secure business environment that assures public 
confidence in their institutions. We can also help identify problems, 
good practices in management policies and strategies, and publicize 
them, encourage planning, promote research and development, convene 
meetings. In short, we can act as a catalyst for industry to mobilize. 
That is precisely the role the Commerce Department is playing in 
several ways.
    First, the National Telecommunications and Information 
Administration (NTIA) is lead agency for the communications and 
information sector. In February, 1999, NTIA created a Private Sector 
Coordinator Consortium. This role is filled by representatives from the 
Information Technology Association of America (ITAA), the 
Telecommunications Industry Association (TIA), and the U.S. Telecom 
Association (USTA). Among their initiatives, the consortium has been 
raising awareness among industry through the exchange of information on 
threats and vulnerabilities, conducting information security surveys 
across sectors, and developing and asessing CIP-related standards and 
best practices.
    Another active area is the development of the Partnership for 
Critical Infrastructure Security. The Partnership is a collaborative 
effort between industry and Government. This undertaking brings 
representatives of the infrastructure sectors together in a dialogue 
with each other and with other stakeholders, including the risk 
management and investment communities, mainstream businesses, and state 
and local Governments.
    The Partnership complements the work of the Federal lead agencies 
responsible for working directly with the industry sectors in 
developing their critical infrastructure plans, including NTIA's work 
with the communications and information technology industries. It also 
complements the NIPC's focus on cyber-terrorism by encouraging industry 
to collaborate on information security issues.
    Secretary Daley, Assistant Secretary for Communications and 
Information Gregory Rohde, and I met with senior members of over 80 
Partnership companies in December in New York. We met again last month 
in Washington, D.C., with over 220 senior members of more than 120 
Partnership companies to encourage business leaders to adopt 
information security as an integral business practice. The Partnership 
agreed to address such important issues as, cross-sector vulnerability 
assessments, information sharing, and R&D requirements.
    The Commerce Department's Critical Infrastructure Assurance Office 
(CIAO) also is assisting Federal agencies in conducting analyses of 
their own dependencies on critical infrastructures. CIAO has just 
finished an ambitious pilot program that identifies the critical assets 
of the Commerce Department and maps out dependencies on Governmental 
and private sector infrastructures. This program will provide important 
input to managers and security officials as they seek to assure their 
critical assets against cyber attacks.
    The Commerce Department, through the CIAO, coordinated the 
development of the National Plan for Information Systems Protection. 
President Clinton announced the release of Version 1.0 of the Plan on 
January 7.
    It represents the first attempt by any national Government to 
design a way to protect those infrastructures essential to the delivery 
of electric power, oil and gas, communications, transportation 
services, banking and financial services, and vital human services. 
Increasingly, these infrastructures are being operated and controlled 
through the use of computers and computer networks.
    The current version of the Plan focuses mainly on the domestic 
efforts being undertaken by the Federal Government to protect the 
Nation's critical cyber-based infrastructures. Later versions will 
focus on the efforts of the infrastructure owners and operators, as 
well as the risk management and broader business community. Subsequent 
versions will also reflect to a greater degree the interests and 
concerns expressed by Congress and the general public based on their 
feedback. That is why the Plan is designated Version 1.0 and subtitled 
An Invitation to a Dialogue--to indicate that it is still a work in 
progress and that a broader range of perspectives must be taken into 
account if the Plan is truly to be ``national'' in scope and treatment.

II. The Plan: Overview and Highlights.

    President Clinton directed the development of this Plan to chart 
the way toward the attainment of a national capability to defend our 
critical infrastructures by the end of 2003. To meet this ambitious 
goal, the Plan establishes 10 programs for achieving three broad 
objectives. They are:

    Objective 1: Prepare and Prevent: Undertake those steps necessary 
to minimize the possibility of a significant and successful attack on 
our critical information networks, and build an infrastructure that 
remains effective in the face of such attacks.

Program 1 calls for the Government and the private sector to identify 
significant assets, interdependencies, and vulnerabilities of critical 
information networks from attack, and to develop and implement 
realistic programs to remedy the vulnerabilities, while continuously 
updating assessment and remediation efforts.

    Objective 2: Detect and Respond: Develop the means required to 
identify and assess attacks in a timely way, contain such attacks, 
recover quickly from them, and reconstitute those systems affected.

Program 2 will install multi-layered protection on sensitive computer 
systems, including advanced fire walls, intrusion detection monitors, 
anomalous behavior identifiers, enterprise-wide management systems, and 
malicious code scanners. To protect critical Federal systems, computer 
security operations centers will receive warnings from these detection 
devices, as well as Computer Emergency Response Teams (CERTs) and other 
means, in order to analyze the attacks, and assist sites in defeating 
attacks.

Program 3 will develop robust intelligence and law enforcement 
capabilities to protect critical information systems, consistent with 
the law. It will assist, transform, and strengthen U.S. law enforcement 
and intelligence agencies to be able to deal with a new kind of threat 
and a new kind of criminal--one that acts against computer networks.

Program 4 calls for a more effective nationwide system to share attack 
warnings and information in a timely manner. This includes improving 
information sharing within the Federal Government and encouraging 
private industry, as well as, state and local Governments, to create 
Information Sharing and Analysis Centers (ISACs), which would share 
information among corporations and state and local Governments, and 
could receive warning information from the Federal Government. Program 
4 additionally calls for removal of existing legal barriers to 
information sharing.

Program 5 will create capabilities for response, reconstitution, and 
recovery to limit an attack while it is underway and to build into 
corporate and agency continuity and recovery plans the ability to deal 
with information attacks. The goal for Government and the 
recommendation for industry is that every critical information system 
have a recovery plan in place that includes provisions for rapidly 
employing additional defensive measures (e.g., more stringent firewall 
instructions), cutting off or shutting down parts of the network under 
certain predetermined circumstances (through.enterprise-wide management 
systems), shifting minimal essential operations to ``clean'' systems, 
and to quickly reconstitute affected systems.

    Objective 3: Build Strong Foundations: Take all actions necessary 
to create and support the Nation's commitment to Prepare and Prevent 
and to Detect and Respond to attacks on our critical information 
networks.

Program 6 will systematically establish research requirements and 
priorities needed to implement the Plan, ensure funding, and create a 
system to ensure that our information security technology stays abreast 
with changes in the threat environment.

Program 7 will survey the numbers of people and the skills required for 
information security specialists within the Federal Government and the 
private sector, and takes action to train current Federal IT workers 
and recruit and educate additional personnel to meet shortfalls.

Program 8 will explain publicly the need to act now, before a 
catastrophic event, to improve our ability to defend against deliberate 
cyber-based attacks.

Program 9 will develop the legislative framework necessary to support 
initiatives proposed in other programs. This action requires intense 
cooperation within the Federal Government, including Congress, and 
between the Government and private industry.

Program 10 builds mechanisms to highlight and address privacy issues in 
the development of each and every program. Infrastructure assurance 
goals must be accomplished in a manner that maintains, and even 
strengthens, American's privacy and civil liberties. The Plan outlines 
nine specific solutions, which include consulting with various 
communities; focusing on and highlighting the impact of programs on 
personal information; committing to fair information practices and 
other solutions developed by various working groups in multiple 
industries; and working closely with Congress to ensure that each 
program meets standards established in existing Congressional 
protections.

    With respect to funding, President Clinton has proposed increases 
for critical infrastructure protection substantially over the past 
three years, including a 15 percent increase in his FY 2001 budget to 
$2.01 billion. He has also developed and funded new initiatives to 
defend the nation's systems from cyber attack:

  Establishing a permanent Expert Review Team (ERT) at NIST 
that will help agencies conduct vulnerability analyses and develop 
critical infrastructure protection plans. ($5 million).
  Working to recruit, train, and retrain Federal IT Experts. We 
have developed and provided FY2001 funding for a Federal Cyber Services 
Training and Education initiative led by OPM and NSF which calls for 
two programs: the first is an ROTC-like program where we pay for IT 
education (B.S. or M.S.) in exchange for Federal service; and the 
second is a program to establish competencies and certify our existing 
IT workforce. ($25 million).
  Funding seven Public Key Infrastructure model pilot programs 
in FY 2001 at different Federal agencies. ($7 million).
  Designing a Federal Intrusion Detection Network (FIDNET) to 
protect vital systems in Federal civilian agencies, and in ensuring the 
rapid implementation of system ``Apaches'' for known software defects. 
FIDNET will operate in full compliance with all existing privacy laws. 
($10 million).
  Developing Federal R&D Efforts. R&D investments in computer 
security will grow by 31 percent in the FY 2001 budget. ($606 million).
  Establishing an Institute for Information Infrastructure 
Protection. The Institute would identify and address serious R&D gaps 
that neither the private sector nor the Government's national security 
community would otherwise address, but that are necessary to ensure the 
robust, reliable operation of the national information infrastructure. 
The President's FY2001 budget provides funding of $50 million for the 
Institute. Funding would be provided through the Commerce Department's 
National Institute of Standards and Technology (NIST) to this 
organization. The Institute was first proposed by the scientists and 
corporate officials who served on the President's Committee of Advisors 
on Science and Technology, and supported by leading corporate Chief 
Technology officers. ($50 million).
  National Infrastructure Assurance Council (NIAC). The 
President signed an Executive order creating this Advisory Council last 
year. Its members are now being recruited from senior ranks of the 
critical infrastructure industries, including the information 
technology, and state and local Governments.

    In addition, the President announced a number of new initiatives 
designed to support efforts for enhancing computer security, including 
a $9 million FY 2000 budget supplemental to jump-start key elements of 
next year's budget.
    In early February, Secretary Daley met with the President and 25 
senior executives concerned about the recent disruptions to the 
Internet. This meeting reinforced the need for further cooperation 
between Government and industry to help the private sector develop its 
action agenda for cyber security. The incidents of early February are 
not cause for pushing the panic button, but they are a wake up call for 
action. As the President said, ``I think there is a way that we can 
clearly promote security.'' The President has submitted a budget 
proposal that funds a number of initiatives that address critical 
information systems protection. If we are to reap the benefits of the 
Information Age, we need to take action to maintain public confidence 
in a secure business environment that ensures both our national 
security and the growth of our economy.

    Senator Burns. Thank you, Mr. Secretary. Now we hear from 
Mr. Michael Vatis, Deputy Assistant Director of the FBI here in 
Washington, D.C. It is nice to have you with us this morning.

        STATEMENT OF MICHAEL A. VATIS, DEPUTY ASSISTANT 
          DIRECTOR, FEDERAL BUREAU OF INVESTIGATION, 
          NATIONAL INFRASTRUCTURE PROTECTION PROGRAMS

    Mr. Vatis. Thank you, Mr. Chairman, Senator Hollings and 
members of the Subcommittee. I want to thank you for inviting 
me here to discuss the growing problem of cybercrime and its 
impact on commerce. Our ability in law enforcement to deal with 
this growing crime problem will require the support of 
Congress, and I greatly appreciate your support, Mr. Chairman, 
and this Committee's support for the work that we have been 
about these last 2 years.
    The recent denial of service attacks have thrust the 
security of our information infrastructure into the spotlight, 
but they are really only the most recent example of a large and 
growing problem of criminal activity in cyberspace. The cyber 
revolution has permeated many aspects, if not all aspects, of 
our lives, and we see its effects all around us, in the way we 
do business, in the way we communicate, and even in the way 
that Government agencies operate.
    Unfortunately, that revolution has a downside, as you 
mentioned in your own statement, Mr. Chairman, and that 
downside is the effect that cyberspace and the new information 
technologies have on criminal activity, because criminals are 
increasingly seeing the utility of cyber tools both to 
facilitate traditional sorts of crimes like fraud schemes and 
extortion, and also to engage in new types of crimes, where 
computers and the information stored on them are seen as the 
targets of the criminal activity, rather than just facilitators 
of that activity.
    Thus, we have seen criminals intruding into computers to 
steal credit cards, to steal money, to abscond with proprietary 
information, and to shut down e-commerce sites. And this is not 
just a crime problem. It is also a national security problem. 
That is because our Nation's critical infrastructures--
including things such as telecommunications, electrical energy, 
and banking and finance, those things that are vital to our 
national security as well as our national economy--are all 
dependent on computer technology. But that very dependence 
makes them vulnerable to sorts of attacks that did not exist 10 
or 15 years ago.
    So the same basic types of cyber tools that are attractive 
now to criminals who are interested in illicit financial gain 
are also attractive to foreign intelligence services who might 
be seeking ways to obtain sensitive Government or private 
sector information, and also to terrorists or hostile foreign 
nations who are bent on attacking United States interests.
    The difficulty of dealing with this challenge stems from 
the nature of the cyber environment itself. That environment is 
borderless. It affords easy anonymity and methods of 
concealment to bad actors, and it provides new tools that allow 
remote access to targeted computers. A criminal sitting on the 
other side of the planet is just as capable of stealthily 
infiltrating a computer network, or shutting an e-commerce site 
down, as is somebody sitting across the street from his target.
    To deal with this problem in all its novel aspects, law 
enforcement must retool its work force, forge new partnerships 
with private industry and other agencies, and also work closely 
with our international counterparts, because so many of these 
events transcend national boundaries.
    We have been doing all of these things for the last two 
years at the NIPC, but we must ensure that we can continue to 
build on our progress to ensure that we can protect the 
Nation's public safety and national security in the information 
age.
    As you know, the NIPC is an interagency center located at 
the FBI, and we serve as a focal point for the Government's 
efforts, on the one hand, to warn of imminent or impending 
attacks, and also, on the other hand, to respond to any attacks 
that do occur. Regarding the number of our personnel, we have 
94 authorized FBI positions at the NIPC, and we have 82 of 
those 94 people on board, with the other dozen people in the 
pipeline and scheduled to come on board shortly.
    We have a target of 40 detailees from other Government 
agencies--which is simply a target, since we are left, really, 
to the beneficence of other agencies to send people over to us 
to work with us, and we have got about half of our target on 
board, with some candidates in the pipeline as well that will 
come from those other agencies. But one of our challenges is to 
work with other agencies to get some people who have the right 
skills. Unfortunately there is a limited supply of those people 
in the Government, but we are working effectively with other 
agencies to ensure that they are represented at the Center, so 
we can build a good operational partnership.
    We also have, in addition to the Center itself, an 
investigative program across the FBI field offices around the 
Nation, which consists of 193 special agents who are trained in 
conducting network investigations and who also engage in 
critical liaison with the private sector, and, very 
importantly, with State and local law enforcement, since they 
obviously must bear a large share of the load in dealing with 
this crime problem.
    My written statement has a lengthy summary of examples of 
the many different types of cybercrime that we have dealt with 
over the last two years. I will mention here just two recent 
examples which I think point out the challenge and also the 
effects of cybercrime on e-commerce. Last Fall, we had the 
Melissa virus, which was a very quickly disseminating virus 
that affected numerous, customers and businesses. Within 
several days, working with AOL and the New Jersey State police, 
we were able to track down the propagator of that virus, and he 
recently pled guilty to both Federal and State charges. In his 
guilty plea, he admitted to affecting over a million computers 
and causing $80 million in damage from that one virus.
    Then in February of this year, we had the distributed 
denial of service (DDOS) attacks on some of the most popular e-
commerce sites, as the Deputy Attorney General mentioned. I, 
too, am limited in what I can say here about this pending 
investigation, but I can make a couple of points. First, even 
before the investigation, at the end of last year, when we had 
information that some of the malicious DDOS software was being 
implanted in universities and other private sector networks 
that would allow a hacker to take over those systems and use 
them to attack another target, we issued warnings to Government 
agencies and to the private sector so that people could take 
steps to see whether their own networks had been taken over 
without their knowledge, and so that they could remove any 
malicious code.
    We also released a detection tool that we had created 
mainly for investigative uses, but which we also realized had 
possible utility for network protection. We made that tool 
available to private companies and Government agencies so that 
they could determine whether their networks had been taken over 
by a hacker.
    Unfortunately, those efforts did not totally eliminate the 
threat, and at the beginning of last month we did see numerous 
sites being taken offline for several hours. As a result, we 
have initiated several investigations across the country. We 
have numerous special agents following leads. We are also 
working very closely with several international counterparts to 
follow leads in their countries. Although I cannot go into 
detail, I can say we are making excellent progress. I am very 
satisfied with the progress we are making, and I am optimistic 
about the likelihood of having a successful resolution of at 
least some of these investigations.
    Addressing the threat of cybercrime requires teamwork. That 
is the bottom line. We have to have good teamwork among Federal 
agencies, good teamwork between Federal and State and local law 
enforcement, and good teamwork between the Government and 
private sector.
    We have developed partnerships with all of those other 
sectors over the last two years, and the one with the private 
sector is particularly important. Most of the victims of 
cybercrime are private companies, so successful investigation 
really depends on private companies letting us know when they 
have been victimized and working with us to provide us with 
incident information, and sometimes with technical assistance 
so that we can pursue investigations to the end.
    The network administrator in a private company is 
oftentimes in many ways the lead investigator, because he or 
she is the one who really knows how his or her network is set 
up, and can lead an agent through the thicket of the network 
and come up with the important information that is necessary to 
an investigation.
    I think the number of companies that have reported to us 
and have cooperated with us in the DDOS investigations is proof 
of the fact that private companies are realizing that they have 
to deal with law enforcement, and they are willing to engage in 
a good, cooperative venture with us. One of the keys to having 
a successful relationship with the private sector is for us to 
be able to demonstrate that we are capable of investigating 
these sorts of crimes. I think our track record over the last 
two years has shown that competence, and shown that we know how 
to investigate these cases, and our training efforts are 
enhancing our ability to do that.
    We also need to show that we are willing to give 
information back to the private sector. We do not just want 
them to report to us. We are capable and willing to give them 
warnings when we have relevant information, and also to give 
them information about the nature of the threat and some of the 
technical exploits that we are seeing bad guys use. We have a 
number of programs that are geared toward sharing that 
information back to the private sector, which in turn is 
helping us to generate the confidence on the private sector's 
part that they can work with us.
    I think it is a truism that commerce does not thrive in 
anarchy, and as Internet use soars, and e-commerce becomes a 
more significant part of our overall economy, it is in our 
national interest to ensure that the conditions exist that will 
foster the further growth of e-commerce. One of the conditions 
for that growth is enhancing the security of e-commerce sites 
so that customers can be confident that their privacy will be 
protected and that their credit cards will not be stolen, and 
so that businesses can be assured that they will not be knocked 
offline or robbed by cyber criminals.
    Law enforcement has a significant role to play in fostering 
that security and ensuring that that confidence exists in 
cyberspace just as in the physical world. It is important that 
we maintain and enhance our investigation capabilities to help 
establish that confidence and raise the level of security. We 
are only a part of the task, and the private sector bears the 
lion's share of the load in establishing better security on 
their own systems. But our role is a significant one, and we 
are very much tending to the business of ensuring that we can 
meet the challenge. I look forward to working with you, Mr. 
Chairman, and this Subcommittee to ensure that we continue to 
meet that threat.
    Thank you very much.
    [The prepared statement of Mr. Vatis follows:]

  Prepared Statement of Michael A. Vatis, Deputy Assistant Director, 
  Federal Bureau of Investigation, National Infrastructure Protection 
                                Programs
Introduction

    Mr. Chairman, Senator Hollings, and Members of the Subcommittee: 
Thank you for inviting me to discuss the threats to our Nation's 
critical infrastructures and the NIPC's approach to meeting those 
challenges. In 1998 the National Infrastructure Protection Center 
(NIPC) was established as a focal point for the Federal Government's 
efforts to protect the critical infrastructures. Much has happened 
since then to demonstrate both the wisdom of establishing such a Center 
and the seriousness of the problem it was designed to address. In the 
last two years we have seen the spread of destructive computer viruses 
affecting millions of users, a major international intrusion into 
Government computer networks, and denial-of-service attacks against 
some of the most popular e-commerce websites. Today I will focus on the 
nature of the national security and criminal threats we face in 
cyberspace, the progress we have made with our interagency partners in 
meeting those threats, and the continuing challenges we face.

The NIPC

    The NIPC is an interagency Center located at the FBI. Created in 
1998, the NIPC serves as the focal point for the Government's efforts 
to warn of and respond to cyber attacks, particularly those that are 
directed at our nation's ``critical infrastructures.'' These 
infrastructures include telecommunications and information, energy, 
banking and finance, transportation, Government operations, and 
emergency services. In Presidential Decision Directive (PDD) 63, the 
President directed that the NIPC serve as a ``national critical 
infrastructure threat assessment, warning, vulnerability, and law 
enforcement investigation and response entity.'' The PDD further states 
that the mission of the NIPC ``will include providing timely warnings 
of intentional threats, comprehensive analyses and law enforcement 
investigation and response.''

To accomplish its goals, the NIPC is organized into three sections:

    The Computer Investigations and Operations Section (CIOS) is the 
operational response arm of the Center. It supports and, where 
necessary, coordinates computer investigations conducted by FBI field 
offices and other agencies throughout the country, provides expert 
technical assistance to network investigations, and provides a cyber 
emergency response capability to coordinate the response to a national-
level cyber incident.
    The Analysis and Warning Section (AWS) serves as the ``indications 
and warning'' arm of the NIPC. It provides tactical analytical support 
during a cyber incident, and also develops strategic analyses of 
threats for dissemination to both Government and private sector 
entities so that they can take appropriate steps to protect themselves. 
Through its 24/7 watch and warning operation, it maintains a real-time 
situational awareness by reviewing numerous Governmental and ``open'' 
sources of information and by maintaining communications with partner 
entities in the Government and private sector. Through its efforts, the 
AWS strives to acquire indications of a possible attack, assess the 
information, and issue appropriate warnings to Government and private 
sector partners as quickly as possible
    The Training, Outreach and Strategy Section (TOSS) coordinates the 
vital training of cyber investigators in the FBI field offices, other 
Federal agencies, and state and local law enforcement. It also 
coordinates outreach to private industry and Government agencies to 
build the partnerships that are key to both our investigative and our 
warning missions. In addition, this section manages our efforts to 
catalogue information about individual ``key assets'' across the 
country which, if successfully attacked, could have significant 
repercussions on our economy or national security. Finally, the TOSS 
handles the development of strategy and policy in conjunction with 
other agencies and the Congress.
    Beyond the NIPC at FBI Headquarters, we have also created a 
cybercrime investigative program in all FBI Field Offices called the 
National Infrastructure Protection and Computer Intrusion (NIPCI) 
Program. This program, managed by the NIPC, consists of special agents 
in each FBI Field Office who are responsible for investigating computer 
intrusions, viruses, or denial of service attacks, for implementing our 
key asset initiative, and for conducting critical liaison activities 
with private industry. They are also developing cybercrime task forces 
in partnership with state and local law enforcement entities within 
their jurisdiction to leverage the limited resources in this area.

The Broad Spectrum of Threats

    Over the past several years we have seen a wide range of cyber 
threats ranging from defacement of websites by juveniles to 
sophisticated intrusions that we suspect may be sponsored by foreign 
powers, and everything in between. Some of these are obviously more 
significant than others. The theft of national security information 
from a Government agency or the interruption of electrical power to a 
major metropolitan area would have greater consequences for national 
security, public safety, and the economy than the defacement of a web-
site.
    But even the less serious categories have real consequences and, 
ultimately, can undermine confidence in e-commerce and violate privacy 
or property rights. A web site hack that shuts down an e-commerce site 
can have disastrous consequences for a business. An intrusion that 
results in the theft of credit card numbers from an online vendor can 
result in significant financial loss and, more broadly, reduce 
consumers' willingness to engage in e-commerce. Recent surveys confirm 
this point. According to a poll of Internet users by PC Data Online, 90 
percent of those surveyed are concerned about the recent denial of 
service attacks. One in three surveyed said they were affected by the 
DDOS attacks. Further, over 40 percent of those surveyed said that they 
would be less likely to send credit card information over the Internet 
in the future.
    Such surveys demonstrate the simple fact that the Internet has 
become a major aspect of everyday life for many Americans and is fast 
becoming a major part of our economy. There were over 100 million 
Internet users in the United States in 1999. That number is projected 
to reach 177 million in the United States and 502 million worldwide by 
the end of 2003. Electronic commerce has emerged as a new sector of the 
American economy, accounting for over $100 billion in sales during 
1999, more than double the amount in 1998. By 2003, electronic commerce 
is projected to exceed $1 trillion. It should be no surprise, then, 
that as Internet use and e-commerce continue to grow at a rapid pace, 
the rate of cybercrime is also rising dramatically.
    A significant part of the problem is the lack of adequate security 
on the Internet. As Lou Gerstner, the CEO of IBM said in a speech at 
Boston College on Monday, ``No brick-and-mortar company would ever 
consider opening its doors without locks, video cameras and a security 
staff. Yet every day hundreds of Web enterprises do just that.'' A 
fundamental need, therefore, is to raise the level of security on the 
Internet. This is clearly the role of the private sector. The 
Government has neither the responsibility nor the expertise to act as 
the private sector's system administrator. We can help, however, by 
providing information to the private sector about concrete threats and 
the latest techniques being utilized by cyber criminals, so that 
private companies can take steps to secure their systems against those 
threats. We also need to ensure that law enforcement has the 
capabilities to investigate cybercrime that does occur.

    The following are some of the categories of cyber threats that we 
confront today.

    Insiders. The disgruntled insider (a current or former employee of 
a company) is a principal source of computer crimes for many companies. 
Insiders' knowledge of the target companies' network often allows them 
to gain unrestricted access to cause damage to the system or to steal 
proprietary data. The 1999 Computer Security Institute/FBI report notes 
that 55 percent of respondents reported malicious activity by insiders.
    One example of an insider was George Parente. In 1997, Parente was 
arrested for causing five network servers at the publishing company 
Forbes, Inc., to crash. Parente was a former Forbes computer technician 
who had been terminated from temporary employment. In what appears to 
have been a vengeful act against the company and his supervisors, 
Parente dialed into the Forbes computer system from his residence and 
gained access through a co-worker's log-in and password. Once online, 
he caused five of the eight Forbes computer network servers to crash, 
and erased all of the server volume on each of the affected servers. No 
data could be restored. Parente's sabotage resulted in a two day shut 
down in Forbes' New York operations with losses exceeding $100,000. 
Parente pleaded guilty to one count of violating of the Computer Fraud 
and Abuse Act, Title 18 U.S.C. 1030.
    Hackers. Hackers (or ``crackers'') are also a common threat. They 
sometimes crack into networks simply for the thrill of the challenge or 
for bragging rights in the hacker community. Recently, however, we have 
seen more cases of hacking for illicit financial gain or other 
malicious purposes. While remote cracking once required a fair amount 
of skill or computer knowledge, hackers can now download attack scripts 
and protocols from the World Wide Web and launch them against victim 
sites. Thus while attack tools have become more sophisticated, they 
have also become easier to use. The distributed denial-of-service 
(DDOS) attacks earlier this month are only the most recent illustration 
of the economic disruption that can be caused by tools now readily 
available on the Internet.
    We have also seen a rise recently in politically motivated attacks 
on web pages or email servers, which some have dubbed ``hacktivism.'' 
In these incidents, groups and individuals overload e-mail servers or 
deface web sites to send a political message. While these attacks 
generally have not altered operating systems or networks, they have 
disrupted services, caused monetary loss, and denied the public access 
to websites containing valuable information, thereby infringing on 
others' rights to disseminate and receive information.
    Virus Transmitters. Virus transmitters are posing an increasingly 
serious threat to networks and systems worldwide. Last year saw the 
proliferation of several destructive computer viruses or ``worms,'' 
including the Melissa Macro Virus, the Explore.Zip worm, and the CIH 
(Chernobyl) Virus. The NIPC frequently sends out warnings or advisories 
regarding particularly dangerous viruses, which can allow potential 
victims to take protective steps and minimize the destructive 
consequences of a virus.
    The Melissa Macro Virus was a good example of our two-fold 
response--encompassing both warning and investigation--to a virus 
spreading in the networks. The NIPC sent out warnings as soon as it had 
solid information on the virus and its effects; these warnings helped 
alert the public and reduce the potential destructive impact of the 
virus. On the investigative side, the NIPC acted as a central point of 
contact for the field offices who worked leads on the case. A tip 
received by the New Jersey State Police from America Online, and their 
follow-up investigation with the FBI's Newark Division, led to the 
April 1, 1999 arrest of David L. Smith. Mr. Smith pleaded guilty to one 
count of violating 18 U.S.C. Sec. 1030 in Federal Court, and to four 
state felony counts. As part of his guilty plea, Smith stipulated to 
affecting one million computer systems and causing $80 million in 
damage. Smith is awaiting sentencing.
    Criminal Groups. We are also seeing the increased use of cyber 
intrusions by criminal groups who attack systems for purposes of 
monetary gain. In September, 1999, two members of a group dubbed the 
``Phonemasters'' were sentenced after their conviction for theft and 
possession of unauthorized access devices (18 USC Sec. 1029) and 
unauthorized access to a Federal interest computer (18 USC Sec. 1030). 
The ``Phonemasters'' were an international group of criminals who 
penetrated the computer systems of MCI, Sprint, AT&T, Equifax, and even 
the National Crime Information Center. Under judicially approved 
electronic surveillance orders, the FBI's Dallas Division made use of 
new data intercept technology to monitor the calling activity and modem 
pulses of one of the suspects, Calvin Cantrell. Mr. Cantrell downloaded 
thousands of Sprint calling card numbers, which he sold to a Canadian 
individual, who passed them on to someone in Ohio. These numbers made 
their way to an individual in Switzerland and eventually ended up in 
the hands of organized crime groups in Italy. Cantrell was sentenced to 
two years as a result of his guilty plea, while one of his associates, 
Cory Lindsay, was sentenced to 41 months.
    The Phonemasters' methods included ``dumpster diving'' to gather 
old phone books and technical manuals for systems. They used this 
information to trick employees into giving up their logon and password 
information. The group then used this information to break into victim 
systems. It is important to remember that often ``cybercrimes'' are 
facilitated by old fashioned guile, such as calling employees and 
tricking them into giving up passwords. Good cyber security practices 
must therefore address personnel security and ``social engineering'' in 
addition to instituting electronic security measures.
    Another example of cyber intrusions used to implement a criminal 
conspiracy involved Vladimir L. Levin and numerous accomplices who 
illegally transferred more than $10 million in funds from three 
Citibank corporate customers to bank accounts in California, Finland, 
Germany, the Netherlands, Switzerland, and Israel between June and 
October 1994. Levin, a Russian computer expert, gained access over 40 
times to Citibank's cash management system using a personal computer 
and stolen passwords and identification numbers. Russian telephone 
company employees working with Citibank were able to trace the source 
of the transfers to Levin's employer in St. Petersburg, Russia. Levin 
was arrested in March 1995 in London and subsequently extradited to the 
U.S. On February 24, 1998, he was sentenced to three years in prison 
and ordered to pay Citibank $240,000 in restitution. Four of Levin's 
accomplices pleaded guilty and one was arrested but could not be 
extradited. Citibank was able to recover all but $400,000 of the $10 
million illegally transferred funds.
    Unfortunately, cyberspace provides new tools not only for 
criminals, but for national security threats as well. These include 
terrorists, foreign intelligence agencies, and foreign militaries. 
Director of Central Intelligence George Tenet testified in February 
2000, before the Senate Armed Services Committee, that many of the 
tools and weapons that can be used for information warfare purposes are 
``available on the open market at relatively little cost.'' The DCI 
went on to note that the critical threat of IW lies in its potential as 
a ``force multiplier'' for an adversary of the United States.

    Three major categories of threat actors pose a national security 
challenge to the United States in cyberspace.

    Terrorists. Terrorists groups are increasingly using new 
information technology and the Internet to formulate plans, raise 
funds, spread propaganda, and to communicate securely. In his statement 
on the worldwide threat in 2000, Director of Central Intelligence 
George Tenet testified that terrorists groups, ``including Hizbollah, 
HAMAS, the Abu Nidal organization, and Bin Laden's al Qaeda 
organization are using computerized files, e-mail, and encryption to 
support their operations.'' In one example, convicted terrorist Ramzi 
Yousef, the mastermind of the World Trade Center bombing, stored 
detailed plans to destroy United States airliners on encrypted files on 
his laptop computer. While we have not yet seen these groups employ 
cyber tools as a weapon to use against critical infrastructures, their 
reliance on information technology and acquisition of computer 
expertise are clear warning signs. Moreover, we have seen other 
terrorist groups, such as the Internet Black Tigers (who are reportedly 
affiliated with the Tamil Tigers), engage in attacks on foreign 
Government web-sites and email servers. ``Cyber terrorism''--by which I 
mean the use of cyber tools to shut down critical national 
infrastructures (such as energy, transportation, or Government 
operations) for the purpose of coercing or intimidating a Government or 
civilian population--is thus a very real, though still largely 
potential, threat.
    Foreign intelligence services. Not surprisingly, foreign 
intelligence services have adapted to using cyber tools as part of 
their espionage tradecraft. Even as far back as 1986, before the 
worldwide surge in Internet use, the KGB employed West German hackers 
to access Department of Defense systems in the well-known ``Cuckoo's 
Egg'' case. While I cannot go into specifics about more recent 
developments in an open hearing, it should not surprise anyone to hear 
that foreign intelligence services increasingly view computer 
intrusions as a useful tool for acquiring sensitive U.S. Government and 
private sector information.
    Information Warfare. The prospect of ``information warfare'' by 
foreign militaries against our critical infrastructures is perhaps the 
greatest potential cyber threat to our national security. We know that 
several foreign nations are developing information warfare doctrine, 
programs, and capabilities for use against the United States or other 
nations. Knowing that they cannot match our military might with 
conventional or ``kinetic'' weapons, nations see cyber attacks on our 
critical infrastructures or military operations as a way to hit what 
they perceive as America's Achilles heel--our growing dependence on 
information technology in Government and commercial operations. For 
example, two Chinese military officers recently published a book that 
called for the use of unconventional measures, including the 
propagation of computer viruses, to counterbalance the military power 
of the United States. And a Russian official has also commented that an 
attack on a critical infrastructure could, ``by virtue of its 
catastrophic consequences, completely overlap with the use of [weapons] 
of mass destruction.''
Distributed Denial of Service Tools

    The recent distributed denial of service (DDOS) attacks on e-
commerce sites have garnered a tremendous amount of interest in the 
public and in the Congress. While we do not yet have official damage 
estimates, the Yankee Group, a research firm, estimates the impact of 
the attacks at $1.2 billion due to lost capitalization losses, lost 
revenues, and security upgrades. Because we are actively investigating 
these attacks, I cannot provide a detailed briefing on the status of 
our efforts. However, I can provide an overview of our activities to 
deal with the DDOS threat beginning last year and of our investigative 
efforts over the last three weeks. These attacks illustrate the growing 
availability of destructive, yet easy-to-use, exploits that are widely 
available on the Internet. They also demonstrate the NIPC's two-fold 
mission: sharing information with the private sector and warning of 
possible threats, and responding to actual attacks.
    In the fall of last year, the NIPC began receiving reports about a 
new set of ``exploits'' or attack tools collectively called distributed 
denial of service (or DDOS) tools. DDOS variants include tools known as 
``Trin00,'' ``Tribal Flood Net'' (TFN), ``TFN2K,'' and ``Stacheldraht'' 
(German for ``barbed wire''). These tools essentially work as follows: 
hackers gain unauthorized access to a computer system(s) and place 
software code on it that renders that system a ``master'' (or a 
``handler''). The hackers also intrude into other networks and place 
malicious code which makes those systems into agents (also known as 
``zombies'' or ``daemons'' or ``slaves''). Each Master is capable of 
controlling multiple agents. In both cases, the network owners normally 
are not aware that dangerous tools have been placed and reside on their 
systems, thus becoming third-party victims to the intended crime.
    The ``Masters'' are activated either remotely or by internal 
programming (such as a command to begin an attack at a prescribed time) 
and are used to send information to the agents, activating their DDOS 
ability. The agents then generate numerous requests to connect with the 
attack's ultimate target(s), typically using a fictitious or 
``spoofed'' IP (Internet Protocol) address, thus providing a falsified 
identity as to the source of the request. The agents act in unison to 
generate a high volume of traffic from several sources. This type of 
attack is referred to as a SYN flood, as the SYN is the initial effort 
by the sending computer to make a connection with the destination 
computer. Due to the volume of SYN requests the destination computer 
becomes overwhelmed in its efforts to acknowledge and complete a 
transaction with the sending computers, degrading or denying its 
ability to complete service with legitimate customers--hence the term 
``Denial of Service''. These attacks are especially damaging when they 
are coordinated from multiple sites--hence the term Distributed Denial 
of Service.
    An analogy would be if someone launched an automated program to 
have hundreds of phone calls placed to the Capitol switchboard at the 
same time. All of the good efforts of the staff would be overcome. Many 
callers would receive busy signals due to the high volume of telephone 
traffic.
    In November and December, the NIPC received reports that 
universities and others were detecting the presence of hundreds of 
agents on their networks. The number of agents detected clearly could 
have been only a small subset of the total number of agents actually 
deployed. In addition, we were concerned that some malicious actors 
might choose to launch a DDOS attack around New Year's Eve in order to 
cause disruption and gain notoriety due to the great deal of attention 
that was being payed to the Y2K rollover. Accordingly, we decided to 
issue a series of alerts in December to Government agencies, industry, 
and the public about the DDOS threat.
    Moreover, in late December, we determined that a detection tool 
that we had developed for investigative purposes might also be used by 
network operators to detect the presence of DDOS agents or masters on 
their operating systems, and thus would enable them to remove an agent 
or master and prevent the network from being unwittingly utilized in a 
DDOS attack. Moreover, at that time there was, to our knowledge, no 
similar detection tool available commercially. We therefore decided to 
take the unusual step of releasing the tool to the Department of 
Defense, other Government agencies, and to the public in an effort to 
reduce the level of the threat. We made the first variant of our 
software available on the NIPC web site on December 30, 1999. To 
maximize the public awareness of this tool, we announced its 
availability in an FBI press release that same date. Since the first 
posting of the tool, we have posted three updated versions that have 
perfected the software and made it applicable to different operating 
systems.
    The public has downloaded these tools tens of thousands of times 
from the web site, and has responded by reporting many installations of 
the DDOS software, thereby preventing their networks from being used in 
attacks and leading to the opening of criminal investigations both 
before and after the widely publicized attacks of the last few weeks. 
Our work with private companies has been so well received that the 
trade group SANS awarded their yearly Security Technology Leadership 
Award to members of the NIPC's Special Technologies Applications Unit.
    Last month, we received reports that a new variation of DDOS tools 
was being found on Windows operating systems. One victim entity 
provided us with the object code to the tool found on its network. On 
February 18 we made the binaries available to anti-virus companies 
(through an industry association) and the Computer Emergency Response 
Team (CERT) at Carnegie Mellon University for analysis and so that 
commercial vendors could create or adjust their products to detect the 
new DDOS variant. Given the attention that DDOS tools have received in 
recent weeks, there are now numerous detection and security products to 
address this threat, so we determined that we could be most helpful by 
giving them the necessary code rather than deploying a detection tool 
ourselves.
    Unfortunately, the warnings that we and others in the security 
community had issued about DDOS tools last year, while alerting many 
potential victims and reducing the threat, did not eliminate the 
threat. Quite frequently, even when a threat is known and patches or 
detection tools are available, network operators either remain unaware 
of the problem or fail to take necessary protective steps. In addition, 
in the cyber equivalent of an arms race, exploits evolve as hackers 
design variations to evade or overcome detection software and filters. 
Even security-conscious companies that put in place all available 
security measures therefore are not invulnerable. And, particularly 
with DDOS tools, one organization might be the victim of a successful 
attack despite its best efforts, because another organization failed to 
take steps to keep itself from being made the unwitting participant in 
an attack.
    On February 7, 2000, the NIPC received reports that Yahoo had 
experienced a denial of service attack. In a display of the close 
cooperative relationship that we have developed with the private 
sector, in the days that followed, several other companies (including 
Cable News Network, eBay, Amazon.com, Buy.com, and ZDNET), also 
reported denial of service outages to the NIPC or FBI field offices. 
These companies cooperated with us by providing critical logs and other 
information. Still, the challenges to apprehending the suspects are 
substantial. In many cases, the attackers used ``spoofed'' IP 
addresses, meaning that the address that appeared on the target's log 
was not the true address of the system that sent the messages. In 
addition, many victims do not keep complete network logs.
    The resources required in an investigation of this type are 
substantial. Companies have been victimized or used as ``hop sites'' in 
numerous places across the country, meaning that we must deploy special 
agents nationwide to work leads. We currently have seven FBI field 
offices with cases opened and all the remaining offices are supporting 
the offices that have opened cases. Agents from these offices are 
following up literally hundreds of leads. The NIPC is coordinating the 
nationwide investigative effort, performing technical analysis of logs 
from victims sites and Internet Service Providers (ISPs), and providing 
all-source analytical assistance to field offices. Moreover, parts of 
the evidentiary trail have led overseas, requiring us to work with our 
foreign counterparts in several countries through our Legal Attaches 
(Legats) in U.S. embassies.
    While the crime may be high tech, investigating it involves a 
substantial amount of traditional investigative work as well as highly 
technical work. Interviews of network operators and confidential 
sources can provide very useful information, which leads to still more 
interviews and leads to follow-up. And victim sites and ISPs provide an 
enormous amount of log information that needs to be processed and 
analyzed by human analysts.
    Despite these challenges, I am optimistic that the hard work of our 
agents, analysts, and computer scientists; the excellent cooperation 
and collaboration we have with private industry and universities; and 
the teamwork we are engaged in with foreign partners will in the end 
prove successful.

Interagency Cooperation

    The broad spectrum of cyber threats described earlier, ranging from 
hacking to foreign espionage and information warfare, requires not just 
new technologies and skills on the part of investigators, but new 
organizational constructs as well. In most cyber attacks, the identity, 
location, and objective of the perpetrator are not immediately 
apparent. Nor is the scope of his attack--i.e., whether an intrusion is 
isolated or part of a broader pattern affecting numerous targets. This 
means it is often impossible to determine at the outset if an intrusion 
is an act of cyber vandalism, organized crime, domestic or foreign 
terrorism, economic or traditional espionage, or some form of strategic 
military attack. The only way to determine the source, nature, and 
scope of the incident is to gather information from the victim sites 
and intermediate sites such as ISPs and telecommunications carriers. 
Under our constitutional system, such information typically can be 
gathered only pursuant to criminal investigative authorities. This is 
why the NIPC is part of the FBI, allowing us to utilize the FBI's legal 
authorities to gather and retain information and to act on it, 
consistent with constitutional and statutory requirements.
    But the dimension and varied nature of the threats also means that 
this is an issue that concerns not just the FBI and law enforcement 
agencies, but also the Department of Defense, the Intelligence 
Community, and civilian agencies with infrastructure-focused 
responsibility such as the Departments of Energy and Transportation. It 
also is a matter that greatly affects state and local law enforcement. 
This is why the NIPC is an interagency center, with representatives 
detailed to the FBI from numerous Federal agencies and representation 
from state and local law enforcement as well. These representatives 
operate under the direction and authority of the FBI, but bring with 
them expertise and skills from their respective home agencies that 
enable better coordination and cooperation among all relevant agencies, 
consistent with applicable laws.
    We have had many instances in the last two years where this 
interagency cooperation has proven critical. As mentioned earlier, the 
case of the Melissa virus was successfully resolved with the first 
successful Federal prosecution of a virus propagator in over a decade 
because of close teamwork between the NIPCI squad in the FBI's Newark 
Division and other field offices, the New Jersey State Police, and the 
NIPC.
    The ``Solar Sunrise'' case is another example of close teamwork 
with other agencies. In 1998, computer intrusions into U.S. military 
computer systems occurred during the Iraq weapons inspection crisis. 
Hackers exploited known vulnerabilities in Sun Solaris operating 
systems. Some of the intrusions appeared to be coming from the Middle 
East. The timing, nature, and apparent source of some of the attacks 
raised concerns in the Pentagon that this could be a concerted effort 
by Iraq to interfere with U.S. troop deployments. NIPC coordinated a 
multi-agency investigation which included the FBI, the Air Force Office 
of Special Investigations, the National Aeronautics and Space 
Administration, the Department of Justice, the Defense Information 
Systems Agency, the National Security Agency, and the Central 
Intelligence Agency. Within several days, the investigation determined 
that the intrusions were not the work of Iraq, but of several teenagers 
in the U.S. and Israel. Two juveniles in California pleaded guilty to 
the intrusions, and several Israelis still await trial. The leader of 
the Israeli group, Ehud Tenenbaum, has been indicted and is currently 
scheduled for trial in Israel in April.
    More recently, we observed a series of intrusions into numerous 
Department of Defense and other Federal Government computer networks 
and private sector entities. Investigation last year determined that 
the intrusions appear to have originated in Russia. The intruder 
successfully accessed U.S. Government networks and took large amounts 
of unclassified but sensitive information, including defense technical 
research information. The NIPC coordinated a multi-agency 
investigation, working closely with FBI field offices, the Department 
of Defense, and the Intelligence Community. While I cannot go into more 
detail about this case here, it demonstrates the very real threat we 
face in the cyber realm, and the need for good teamwork and 
coordination among Government agencies responsible for responding to 
the threat.

Private Sector Cooperation

    Our success in battling cybercrime also depends on close 
cooperation with private industry. This is the case for several 
reasons. First, most of the victims of cybercrimes are private 
companies. Therefore, successful investigation and prosecution of 
cybercrimes depends on private victims reporting incidents to law 
enforcement and cooperating with the investigators. Contrary to press 
statements by cyber security companies that private companies won't 
share information with law enforcement, many private companies have 
reported incidents and threats to the NIPC or FBI field offices. The 
number of victims who have voluntarily reported DDOS attacks to us over 
the last few weeks is ample proof of this. While there are undoubtedly 
companies that would prefer not to report a crime because of fear of 
public embarrassment over a security lapse, the situation has improved 
markedly. Companies increasingly realize that deterrence of crime 
depends on effective law enforcement, and that the long-term interests 
of industry depend on establishing a good working relationship with 
Government to prevent and investigate crime.

    Testimony two weeks ago before the Senate Appropriations 
Subcommittee for Commerce, State, and Justice by Robert Chesnut, 
Associate General Counsel for eBay, illustrates this point:

        Prior to last week's attacks, eBay had established a close 
        working relationship with the computer crimes squad within the 
        Northern California office of the Federal Bureau of 
        Investigation (``FBI''). eBay has long recognized that the best 
        way to combat cybercrime, whether it's fraud or hacking, is by 
        working cooperatively with law enforcement. Therefore, last 
        year we established procedures for notifying the FBI in the 
        event of such an attack on our web site. As result of this 
        preparation, we were able to contact the FBI computer intrusion 
        squad during the attack and provide them with information that 
        we expect will assist in their investigation. In the aftermath 
        of the attack, eBay has also been able to provide the FBI with 
        additional leads that have come to our attention.

    Second, the network administrator at a victim company or ISP is 
critical to the success of an investigation. Only that administrator 
knows the unique configuration of her system, and she typically must 
work with an investigator to find critical transactional data that will 
yield evidence of a criminal's activity.
    Third, the private sector has the technical expertise that is often 
critical to resolving an investigation. It would be impossible for us 
to retain experts in every possible operating system or network 
configuration, so private sector assistance is critical. In addition, 
many investigations require the development of unique technical tools 
to deal with novel problems. Private sector assistance has been 
critical there as well.
    We have several other initiatives devoted to private sector 
outreach that bear mentioning here. The first is called ``InfraGard.'' 
This is an initiative that we have developed in concert with private 
companies and academia to encourage information-sharing about cyber 
intrusions, exploited vulnerabilities, and physical infrastructure 
threats. A vital component of InfraGard is the ability of industry to 
provide information on intrusions to the local FBI field office using 
secure e-mail communications in both a ``sanitized'' and detailed 
format. The local FBI field offices can, if appropriate, use the 
detailed version to initiate an investigation; while NIPC Headquarters 
can analyze that information in conjunction with other information we 
obtain to determine if the intrusion is part of a broader attack on 
numerous sites. The NIPC can simultaneously use the sanitized version 
to inform other members of the intrusion without compromising the 
confidentiality of the reporting company. The key to this system is 
that whether, and what, to report is entirely up to the reporting 
company. A secure web site also contains a variety of analytic and 
warning products that we make available to the InfraGard community. The 
success of InfraGard is premised on the notion that sharing is a two-
way street: the NIPC will provide threat information that companies can 
use to protect their systems, while companies will provide incident 
information that can be used to initiate an investigation and to warn 
other companies.
    Our Key Asset Initiative (KAI) is focused more specifically on the 
owners and operators of critical components of each of the 
infrastructure sectors. It facilitates response to threats and 
incidents by building liaison and communication links with the owners 
and operators of individual companies and enabling contingency 
planning. The KAI began in the 1980s and focused on physical 
vulnerabilities to terrorism. Under the NIPC, the KAI has been 
reinvigorated and expanded to focus on cyber vulnerabilities as well. 
The KAI currently involves determining which assets are key within the 
jurisdiction of each FBI Field Office and obtaining 24-hour points of 
contact at each asset in cases of emergency. Eventually, if future 
resources permit, the initiative will include the development of 
contingency plans to respond to attacks on each asset, exercises to 
test response plans, and modeling to determine the effects of an attack 
on particular assets. FBI field offices are responsible for developing 
a list of the assets within their respective jurisdictions, while the 
NIPC maintains the national database. The KAI is being developed in 
coordination with DOD and other agencies. Currently the database has 
about 2600 entries. This represents 2600 contacts with key private 
sector nodes made by the NIPC and FBI field offices.
    A third initiative is a pilot program we have begun with the North 
American Electrical Reliability Council (NERC). Under the pilot 
program, electric utility companies and other power entities transmit 
cyber incident reports in near real time to the NIPC. These reports are 
analyzed and assessed to determine whether an NIPC warning, alert, or 
advisory is warranted. Electric power participants in the pilot program 
have stated that the information and analysis provided by the NIPC back 
to the power companies fully justify their participation in the 
program. It is our expectation that the Electrical Power Indications 
and Warning System will provide a full-fledged model for the other 
critical infrastructures.
    Much has been said over the last few years about the importance of 
information sharing. Since our founding, the NIPC has been actively 
engaged in building concrete mechanisms and initiatives to make this 
sharing a reality, and we have built up a track record of actually 
sharing useful information. These efforts belie the notions that 
private industry won't share with law enforcement in this area, or that 
the Government won't provide meaningful threat data to industry. As 
companies continue to gain experience in dealing with the NIPC and FBI 
field offices, as we continue to provide them with important and useful 
threat information, and as companies recognize that cybercrime requires 
a joint effort by industry and Government together, we will continue to 
make real progress in this area.

Meeting the Growing Cyber Threat

    As Internet use continues to soar, the number of cyber attacks is 
also increasing exponentially. Our case load reflects this growth. In 
FY 1998, we opened 547 computer intrusion cases; in FY 1999, that 
number jumped to 1154. Similarly, the number of pending cases increased 
from 206 at the end of FY 1997, to 601 at the end of FY 1998, to 834 at 
the end of FY 99, and to over 900 currently. These statistics include 
only computer intrusion cases, and do not account for computer 
facilitated crimes such as Internet fraud, child pornography, or e-mail 
extortion efforts. In these cases, the NIPC and NIPCI squads often 
provide technical assistance to traditional investigative programs 
responsible for these categories of crime.
    We can clearly expect these upward trends to continue, and for the 
threats to become more serious. While insiders, hackers, and criminal 
groups make up much of our case load at the moment, we can anticipate a 
growing number of national security cases in the near future. To meet 
this challenge, we must ensure that we have adequate resources, 
including both personnel and equipment, both at the NIPC and in FBI 
field offices. We currently have 193 agents nationwide dedicated to 
investigating computer intrusion and virus cases. In order to maximize 
investigative resources the FBI has taken the approach of creating 
regional squads in 16 field offices that have sufficient size to work 
complex intrusion cases and to assist those field offices without a 
NIPCI squad. In those field offices without squads, the FBI is building 
a baseline capability by having one or two agents to work NIPC matters, 
i.e. computer intrusions (criminal and national security), viruses, 
InfraGard, state and local liaison, etc.
    At the NIPC, we currently have 101 personnel on board, including 82 
FBI employees and 19 detailees from other Government agencies. This 
cadre of investigators, computer scientists, and analysts perform the 
numerous and complex tasks outlined above, and provide critical 
coordination and support to field office investigations. As the crime 
problem grows, we need to make sure that we keep pace by bringing on 
board additional personnel, including from other agencies and the 
private sector.
    In addition to putting in place the requisite number of agents, 
analysts, and computer scientists in the NIPC and in FBI field offices, 
we must fill those positions by recruiting and retaining personnel who 
have the appropriate technical, analytical, and investigative skills. 
This includes personnel who can read and analyze complex log files, 
perform all-source analysis to look for correlations between events or 
attack signatures and glean indications of a threat, develop technical 
tools to address the constantly changing technological environment, and 
conduct complex network investigations. There is a very tight market 
for information technology professionals. The Federal Government needs 
to be able to recruit the very best people into its programs. 
Fortunately, we can offer exciting, cutting-edge work in this area and 
can offer agents, analysts, and computer scientists the opportunities 
to work on issues that no one else addresses, and to make a difference 
to our national security and public safety. In addition, Congress 
provided the FBI with a pilot program that exempts certain technical 
personnel from the Title V civil service rules, which allows us to pay 
more competitive salaries and recruit and retain top notch personnel. 
Unfortunately, this pilot is scheduled to expire in November unless 
extended.
    Training and continuing education are also critical, and we have 
made this a top priority at the NIPC. In FY 1999, we trained 383 FBI 
and other-Government-agency students in NIPC sponsored training classes 
on network investigations and infrastructure protection. The emphasis 
for 2000 is on continuing to train Federal personnel while expanding 
training opportunities for state and local law enforcement personnel. 
During FY 2000, we plan to train approximately 740 personnel from the 
FBI, other Federal agencies, and state and local law enforcement.
    Developing and deploying the best equipment in support of the 
mission is also very important. Not only do investigators and analysts 
need the best equipment to conduct investigations in the rapidly 
evolving cyber system but the NIPC must be on the cutting edge of cyber 
research and development. Conducting a network intrusion or denial-of-
service investigation often requires analysis of voluminous amounts of 
data. For example, one network intrusion case involving an espionage 
matter currently being investigated has required the analysis of 17.5 
Terabytes of data. To place this into perspective, the entire 
collection of the Library of Congress, if digitized, would comprise 
only 10 Terabytes. The Yahoo DDOS attack involved approximately 630 
Gigabytes of data, which is equivalent to enough printed pages to fill 
630 pickup trucks with paper. Technical analysis requires high capacity 
equipment to store, process, analyze, and display data. Again, as the 
crime problem grows, we must ensure that our technical capacity keeps 
pace. We are also working closely with other agencies to ensure that we 
leverage existing resources to the fullest extent possible.

Challenges in Combating Cyber Intrusions

    The burgeoning problem of cyber intrusions, viruses, and denial of 
service attacks poses unique challenges to the NIPC. These challenges 
require novel solutions, close teamwork among agencies and with the 
private sector, and adequate human and technical resources.
    Identifying the Intruder. One major difficulty that distinguishes 
cyber threats from physical threats is determining who is attacking 
your system, why, how, and from where. This difficulty stems from the 
ease with which individuals can hide or disguise their tracks by 
manipulating logs and directing their attacks through networks in many 
countries before hitting their ultimate target. The ``Solar Sunrise'' 
case illustrates this point. This will continue to pose a problem as 
long as the Internet remains rife with vulnerabilities and allows easy 
anonymity and concealment.
    Jurisdictional Issues. Another significant challenge we face is 
intrusions involving multiple jurisdictions. A typical investigation 
involves victim sites in multiple states and often many countries. This 
is the case even when the hacker and victim are both located in the 
United States. In the United States, we can subpoena records, engage in 
judicially approved electronic surveillance, and execute search 
warrants on suspects' homes, seize evidence, and examine it. We can do 
none of those things ourselves overseas; rather, we depend on the local 
authorities to assist us. In some cases the local police forces simply 
do not understand or cannot cope with the technology. In other cases, 
these nations simply do not have laws against computer intrusions and 
are therefore limited in their ability to help us. FBI Legal Attaches 
in 35 embassies abroad provide critical help in building bridges with 
local law enforcement to enhance cooperation on cybercrime and in 
working leads on investigations. As the Internet spreads to even more 
countries, we will see greater demands placed on the Legats to support 
computer crime investigations. The NIPC also has held international 
computer crime conferences and offered cybercrime training classes to 
foreign law enforcement officials to develop liaison contacts and bring 
these officials up to speed on cybercrime issues.
    The most difficult situation will arise, however, in which a 
foreign country with interests adverse to our own simply refuses to 
cooperate. In such a situation, we could find that an investigation is 
stymied unless we find an alternative method of tracing the activity 
back to its source.

The Role of Law Enforcement

    Finally, I would like to conclude by emphasizing two key points. 
The first is that our role in combating cybercrime is essentially two-
fold: (1) preventing cyber attacks before they occur or limiting their 
scope by disseminating warnings and advisories about threats so that 
potential victims can protect themselves; and (2) responding to attacks 
that do occur by investigating and identifying the perpetrator. This is 
very much an operational role. Our role is not to determine what 
security measures private industry should take, or to ensure that 
companies or individuals take them. It is the responsibility of 
industry to ensure that appropriate security tools are made available 
and are implemented. We certainly can assist industry by alerting them 
to the actual threats that they need to be concerned about, and by 
providing information about the exploits that we are seeing criminals 
use. But network administrators, whether in the private sector or in 
Government, are the first line of defense.
    Second, in gathering information as part of our warning and 
response missions, we rigorously adhere to constitutional and statutory 
requirements. Our conduct is strictly limited by the Fourth Amendment, 
statutes such as Title III and ECPA, and the Attorney General 
Guidelines. These rules are founded first and foremost on the 
protection of privacy inherent in our constitutional system. Respect 
for privacy is thus a fundamental guidepost in all of our activities.
Conclusion

    I want to thank the Subcommittee again for giving me the 
opportunity to testify here today. The cyber threat is real, 
multifarious, and growing. The NIPC is moving aggressively to meet this 
challenge by training investigators and analysts to investigate 
computer intrusion cases, equipping them with the latest technology, 
developing our analytic capabilities and warning mechanisms to head off 
or mitigate attacks, and closely cooperating with the private sector. 
We have already made considerable progress in developing our 
capabilities to protect public safety and national security in the 
Information Age. I look forward to working with Congress to ensure that 
we continue to be able to meet the threat as it evolves and grows. 
Thank you.

    Senator Burns. Thank you very much, Mr. Vatis.
    We have been joined by Senator Wyden. Do you have a 
statement, Senator?
    Senator Wyden. Thank you, Senator. I will just wait for 
questions.
    Senator Burns. Thank you.
    I want to preface my line of thinking here just a little 
bit. We have an economic thing that is happening right now in 
the American business world, and in fact our whole economics, 
and we have this terrific increase in energy prices, which is 
going to create a little more pressure, I think, on the 
Internet, the way we move information, the way we do business, 
because of the cost of transportation to be right honest with 
you.
    I think before the summer is out you are going to see we 
are going to be in a crisis situation. I cannot imagine right 
now my farmers, and this is a long way from what we are talking 
about, but I cannot imagine doubling the cost of fuel and 
trying to sell a product off the farm now that is not making 
any money under the conditions of last year, and now we are 
going to double our input cost and expect the same price this 
year.
    I cannot imagine me even cranking the first flywheel on a 
tractor, to be right honest with you, but we have that moving, 
and I have a feeling this is going not only in the way we move 
information but also our e-commerce is going to have new 
pressures, as far as volume is concerned, in the upcoming year 
as we face this energy situation for the rest of the year, so I 
want to preface that, and that is what I am kind of concerned 
about.
    Then we talk about security. Mr. Holder, with the exception 
to formal hearings, have you been in any communications with 
any of the Members of Congress regarding this situation to 
describe to them what your concerns are and the needs we are 
going to have?
    Now, the representative from the Federal Bureau of 
Investigation says it is going to take a lot of teamwork 
between industry, Government, between Government agencies 
within the Government, and I am saying that I do not think I 
have had one call from one agency saying we have got a 
phenomenon out here that is working and some way or another we 
are going to have to deal with this.
    And Congress I think will play a role and has to play a 
role in the future, but have you had any kind of meetings with 
Congress to bring us, Senator Hollings or whoever, up to date 
on the role that we should be playing, and especially your 
concerns about security and these kinds of situations?
    Mr. Holder. To my knowledge there has been work, I think, 
at the staff level. I have not convened any meetings with any 
Members of Congress, but I think we have had meetings at the 
staff level to talk about the needs we have identified both 
with regard to legislation and resources.
    The Attorney General has talked about the creation of a 5-
year plan starting in the next fiscal year to figure out 
exactly what challenges we think we are going to face, what 
resources we think we are going to need to face those 
challenges, and we think in that regard, in the formulation of 
that plan in particular, that interaction with Congress on the 
Senate side and the House side would be particularly important.
    Senator Burns. I say that because sometimes in these 
situations we are kind of behind the curve, even though you may 
have some facts that maybe we can prevent--and I am not saying 
that we have got the answers, but I am saying, though, that 
Congress finally has to play a role somewhere along the line in 
consultation between the agencies and Congress.
    It would certainly help us, some of us--and even on the 
security side, can you give me, any of you can give me a 
profile of what kind of personalities engage in these 
destructive and senseless attacks like we have experienced?
    Mr. Vatis. I am actually reluctant to state any one profile 
because there is a tremendous range of different types of 
actors that we see, ranging from the insider, an employee or a 
former employee at a company who wants to take revenge against 
his employer and so steals information to give to a competitor, 
or shuts down the system just to spite his employer. Teenage 
hackers who are breaking into systems just for bragging rights 
in the hacker community, or for the challenge of doing it.
    More and more, organized groups of often young people but 
not necessarily juveniles who are breaking into systems to 
steal things for financial gain, and then all the way on the 
other end of the spectrum, foreign intelligence services that 
we are seeing looking at these new tools as a new mechanism for 
gathering information, so it really runs the gamut across that 
broad range.
    Senator Burns. Senator Hollings.
    Senator Hollings. I am encouraged by the appearance of each 
of you, and particularly Mr. Vatis, that the FBI is on top of 
it. We have had the Appropriations Committee hearings on this, 
and topic currently, under Senator Gregg's leadership we have 
been getting into child pornography and other internet-related 
issues.
    The grasp of these subjects is necessary, but I would 
dissent from the idea expressed, and the timidity, about how 
the private sector should do this. Look here, if the private 
sector could do it they would find money in it and do it.
    We got into the Internet to secure our communications. We 
said back in the late sixties, suppose they drop a bomb on the 
Pentagon and we have got all the troops out there--divisions 
and tanks and planes--but nobody can communicate. So then we 
started tying together research endeavors on the various 
university campuses, and ergo, the Internet. Now it is our 
responsibility of the infrastructure to get the security.
    I have got to go, Mr. Chairman, right down to the 
conference on the FAA authorization bill. Before I go, let me 
note that we have to make sure that our transportation systems 
line air transportation are secure. You would not want somebody 
to muck up the radar and everything else at Reagan National and 
suddenly have the planes start crashing all around. None of us 
wants to go to an interview and say, ``well, you know, we just 
had a hearing on it, and we all agreed it is the private 
sector's responsibility. Let the planes crash.'' I mean, come 
on.
    Let's get away from this argument that security is a 
private sector responsibility. After all this industry is 
developing pell-mell into oligopolies where two or three more 
or less control the market and whereby no one else can get in.
    We find Microsoft, for example, buying up some 200 
different individual little endeavors, anytime anybody comes in 
with a new idea, the oligopoly comes in and says, whoopee, we 
will pay you so much or we will extinguish it. So you take the 
money, and that ends that.
    The Government has a fundamental role in the Internet. 
Let's stop waiting on the partnerships and let's face our 
responsibility to secure our own infrastructure. We need to 
protect our own departments, communications, power, 
transportation, and otherwise. Can we do it? Is it possible? 
Who can answer that? Can we really make it secure, do you 
think?
    Mr. Vatis. I will just briefly address that. I think we 
absolutely can. I think the technology exists, and is being 
developed, to secure our systems. I think there has been a rush 
to market with new features for competitive reasons, and 
security has lagged behind as a concern of the manufacturers.
    Senator Hollings. What you are telling me, and you can 
interrupt me, is if I can make it secure, then I can certainly 
guarantee the privacy, because I can make certain that that 
security is not invaded, is that right, and logical?
    Mr. Vatis. I think the means exist to protect privacy, to 
protect the operability of systems, and I think we are seeing 
some significant strides in that direction.
    I think I agree with you that the Federal Government does 
have primary responsibility, certainly for securing its own 
systems, and certainly for carrying out law enforcement 
responsibilities. which is a fundamental task of Government, 
and for issuing warnings about attacks.
    But the one place I think that the private sector does have 
the primary responsibility is for ensuring its own security. If 
a business goes into e-commerce and puts out a Web site through 
which it transacts business with customers, it cannot be our 
responsibility in the Government to tell them how to secure 
that system, or to regulate how they do that. That is what I 
mean by security being primarily the private sector's 
responsibility.
    Senator Hollings. At DARPA, we gave all our research 
technology over to Boeing and Lockheed, and they are going like 
gangbusters. There is a similar situation at the National 
Institute of Standards and Technology. We farm out all of that 
technology. We are not trying to hold it, but we are trying to 
find it.
    It is very interesting, Mr. Chairman, because your bill got 
this gentleman, Mr. Reinsch--it is interesting that he is from 
the Export Administration. He is not from any security--he is 
not from any technology. He is from exports, and here he 
appears from the Export Administration. Now, correct me, and 
tell me about your technology.
    Mr. Reinsch. What my bureau does, Senator Hollings, is 
control the export of critical technology products for national 
security reasons.
    Senator Hollings. That is how you got in it, and that is 
the only reason that we woke up here, at the congressional 
level, because of the export of the technology. It was not 
because of the import, the use, the development, the securing, 
or the infrastructure of the U.S. Government.
    Mr. Reinsch. Well, if I could comment on several of your 
points, that part I think has proven to be an area of much 
broader agreement, and typically in a debate environment, there 
is less attention paid to it. If you will look at the plan, you 
will find most of it and most of the Government's resources 
right now, in fact, are devoted to precisely what you are 
talking about, which is the protection of Federal Government 
critical systems and assets.
    Senator Hollings. Is there any need otherwise in what you 
have outlined? I like the President's plan, but you know from 
experience you have got all the resources. You are heading it 
up. Do you need any help, and do we need to pass any law or 
fund any policy that you can think of?
    Mr. Reinsch. Let me say tactfully, Senator Hollings, that 
the Appropriations Committees have been very generous to law 
enforcement and national security, and less generous to the 
Commerce Department and civilian agencies that have some of 
these same responsibilities.
    Senator Hollings. How much more do you need at the Commerce 
Department?
    Mr. Reinsch. Well, we support the President's request, for 
2001.
    Senator Hollings. How about your request? What else would 
you like to have?
    Mr. Reinsch. For my particular bureau? You do not want me 
to start on that.
    [Laughter.]
    Senator Hollings. In all fairness, tell us what you need to 
do the job.
    Mr. Reinsch. For this function, we have requested and could 
use actually sooner than next year an additional $3\1/2\ 
million, which is peanuts compared to the whole thing.
    Senator Hollings. I worry about it, because you three have 
got a grasp on exactly what my concern is, that the Government 
gets in here and gets on top of infrastructure security that 
these functions are properly funded and properly coordinated. 
From your presentations here this morning, the coordination 
seems to be there, but it is a mammoth task. If industry could 
do it, they would have already done it and sold it, you know 
what I mean?
    Thank you very much, Mr. Chairman.
    Mr. Reinsch. There are areas, Mr. Chairman, if I could 
comment, where we think industry is not going to do it, 
frankly, because there is not any money in it.
    Senator Hollings. Thank you. We have had a hearing.
    [Laughter.]
    Mr. Reinsch. That is the genesis in part of the NIST 
request for its institute.
    Senator Hollings.
    Senator Burns. Is the hearing over?
    [Laughter.]
    Senator Hollings. No. We finally got what we wanted.
    Senator Burns. Senator Wyden.

                 STATEMENT OF HON. RON WYDEN, 
                    U.S. SENATOR FROM OREGON

    Senator Wyden. Thank you, Mr. Chairman. A couple of 
questions for you if I could, Mr. Holder. My judgment is that 
the challenge here is more one of enforcement of existing law, 
rather than trying to develop a whole lot of new laws to deal 
with that threat. Would you agree with that?
    Mr. Holder. I think there are some changes we might want to 
consider with regard to existing law. There are problems, for 
instance, with the current jurisdictional limit, where Federal 
jurisdiction, criminal jurisdiction begins there is a $5,000 
limit we have to meet. We think that is an artificially high 
limit.
    The question of how we are able to use our technology to 
detect who is actually perpetrating these crimes, we have to, 
for instance, go from court to court to court as we are trying 
to trace back who engages in these kinds of attacks, and every 
time we go to a different State or a different jurisdiction we 
have to come up with a new court order, and the thought about 
maybe having a national court order that would allow us to get 
access to that information, I mean, there are a number of 
things that we are thinking about.
    In terms of legislation we might propose, any legislation 
we propose would have to be balanced between the investigative 
needs that we have and the privacy interests that are really 
paramount in this area.
    Senator Wyden. I can tell you, I think the American people 
are going to be real concerned about the discussion about 
national court orders, legislation in that area. As you know, 
there is enormous concern right now about privacy, and it has 
now emerged as one of the two or three most important concerns 
to people.
    And the reason I asked you the question about whether you 
think this is more of an enforcement issue rather than a 
question of needing new laws is that the whole history of these 
kinds of debates is that we have these threats, and 
particularly now, where we are clearly dealing with people who 
are not technologically simpletons--these are very, very 
sophisticated people--is that we have these attacks, and the 
call goes out for a variety of new laws, and very often I think 
there is the potential to have the cure worse than the ailment.
    I guess I would ask next, what would you say to those who 
are troubled by the prospects that there could be further 
encroachments on privacy as a result of some of these ideas 
that you are advancing, and I was not familiar in detail with 
this national court order, and I follow this area pretty 
closely. What would you say to those who are concerned about 
the prospect that this could further erode privacy rights, and 
what assurance would you want to provide to them this morning?
    Mr. Holder. Well, I would say first off the requests that 
we are considering are really ones that are, I think, very 
modest in scope. The notion, for instance, about the court 
order that would have Nation-wide effect, as we try to track 
these things down--somebody in New Jersey does something that 
attacks a network, a computer Web site in Oregon and runs it 
through Wisconsin and Texas.
    As we go to try to trace this thing back, and time is 
important in trying to find out who is the perpetrator of this, 
we get to Wisconsin, we get to Texas, and each time we want to 
go back we have to get yet another court order.
    Our proposal, one we are thinking about, is that we would 
have the ability to go to a judge and ask for an order that 
would allow us, as we get to these different States, not to 
have to go to get another judge to get essentially what the 
first judge has already given us.
    I do not think that really encroaches on privacy, and I 
think that to assure people, I think everyone should understand 
that the proposals we are making are, as I said, very modest in 
scope, and are made by people who are very sensitive to the 
concerns that people have raised about privacy. The reality is, 
the Internet really can only be successful if those privacy 
interests are considered and, in fact, if they are protected.
    Senator Wyden. But understand as well that you are asking 
for powers that the Federal Government would have that largely 
expand the privacy threats to people already who are concerned 
about it in the private sector. Now, your obligation is 
obviously different than the obligations in the private sector, 
and I recognize that, but at the same time I think you are 
going to have to be very vigilant in terms of addressing these 
privacy issues.
    And let me suggest a model that I talked about when we had 
the encryption debate, and one of the things that concerns me 
is that I do not want to see this discussion go the same route 
as that debate, where essentially we were gridlocked for years 
in terms of how to address both national security and the 
desire for companies to be able to export these products.
    If the focus is primarily on enforcement, rather than the 
passage of new laws, I think having ongoing discussion with 
people in the private sector so that they can try to tell you 
how to get out in front of the innovation curve, so to speak, 
where the criminals are always more inventive and always more 
innovative, is the best way to deal with this, rather than to 
go out and try to advance new laws, which any way I look at it 
seem to give the Federal Government more power in areas that 
will raise privacy questions.
    Mr. Holder. Well, I agree with you, we have to have that 
interaction with private industry and, as I have indicated, I 
think in terms of protecting the Internet, at least with regard 
to the initial parts of it, I think the responsibility should 
lie with private industry, but in terms of legislation, we have 
also thought about the proposal that what we would like to do 
is have electronic communications subject to the same 
consideration, the same kinds of privacy safeguards as oral and 
wire communications, so we would actually enhance the privacy 
considerations.
    Senator Wyden. I think those kinds of things will be well-
received. Senator Burns and I have a privacy bill, and if that 
is the kind of thing you are interested in, I think we would be 
very open to looking at something like that.
    Even in the context of the privacy discussion it may not be 
solely within the province of our committee, but we are very 
hopeful. We have spent well over a year trying to develop a 
bipartisan privacy bill. We are very hopeful that we are going 
to be able to see progress on this and get it out on the floor 
of the Senate, given the public concern, and that is the kind 
of idea that I think makes a lot of sense, because in effect 
you do advance privacy rights.
    You are addressing what is a concern of law enforcement, 
but I can tell you that if you stand up at a town hall meeting 
in my home State and start talking about national court orders 
and some of the other things that I have seen discussed, I 
think we may well end up with the same sort of gridlock we had 
on the encryption issue, and I do not want to see us go that 
route. There is too much goodwill, I think, in both the law 
enforcement community and in the private sector for us to just 
go back to that sort of encryption model, where everybody is 
gridlocked for years and years.
    I felt for a long time that we were pursuing in the 
encryption area an approach that instead of a win-win was a 
lose-lose. It was not getting you what you needed in terms of 
law enforcement, and we were losing out in terms of 
international markets because we had this outdated standard in 
terms of the bit measure and the like for exports.
    So let's pursue a different model. You give us ideas about 
the oral and written communication that make it easier for you 
to do your job and for us to be able to say in Montana and 
Oregon we are advancing people's privacy, and I think we are on 
our way to a winner, but some of these other suggestions I 
would urge you to be pretty cautious about.
    Mr. Holder. I really think there is an ability, if we 
really talk with one another--there are I think sometimes 
instinctive reactions, negative reactions to the notion that we 
want to have additional legislation, and yet when we have 
interacted with industry and specifically told them these are 
the kinds of things we are thinking about, the reaction we have 
had has actually been pretty favorable, and people seem 
somewhat surprised when we say we also want to do things on the 
privacy side and have requirements that apply to wire and oral 
communications also apply to electronic communications.
    I think that shows the necessary sensitivity that I think 
we have in the Government as we formulate these proposals.
    Senator Wyden. Clearly, a prospect that we can start 
bringing to the online world some of these approaches that we 
have used offline is a very, very promising orientation, and I 
like that.
    What I think is going to raise the decibel level and 
generate much more controversy are some of these issues 
relating to court orders, the evidentiary standards that have 
been talked about concering how to gather some of this 
information, and the techniques for gathering it.
    That is what I want us to be cautious about, because in 
that area I think we might harm privacy rights and, set back 
the legitimate businesses that you are understandably concerned 
about, as I am. The unintended consequences prospect is very 
much alive when you talk about things involving evidence, 
techniques for gathering information, the court orders and the 
like. I appreciate your sensitivity and look forward to talking 
with you.
    Thank you, Mr. Chairman.
    Senator Burns. Thank you.
    You know, going along this same line, this may be the wrong 
question to the wrong panel, but instead of asking for new laws 
and new ways of pursuit of people who would hack, I go back 
to--we were raised--I bet every one of us sitting in here 
today, we were raised in a culture that even though we had open 
mail boxes out on the farm, you just did not touch another 
man's mail box because there was a Government warning there 
that you are violating the mails.
    Do we have any way of posting warnings--FBI warnings on 
dubbing old VCR's, you know. Do we have any way of putting up 
there, it is a violation, a Federal violation to wander even 
into cyberspace in areas where you are unauthorized? I do not 
know, I am just thinking about it as he was talking about it. 
You know, the direction we are going, how do we know these 
people think that they are in violation of doing something and 
there are severe penalties for doing so?
    Mr. Holder. I suppose there are technical ways to do that. 
I would really defer to industry as to how effective they think 
those kinds of things might be and whether, frankly, there 
might be some chilling effect in having those kinds of 
warnings, but again, it is not something I have really thought 
about.
    Mr. Vatis. We do have banners on Federal computers that 
warn people who are coming into a system that if they are 
intruding without authorization, that constitutes a Federal 
crime, and that their activities that are subject to being 
monitored and investigated.
    There are not, as far as I know, similar banners on all 
private sector systems, but it would certainly be technically 
feasible and fully legal for someone to put such a banner on a 
private sector system and say, ``If you intrude into my system 
I will report the incident to law enforcement and I will seek 
to have you prosecuted if you violate Federal law.''
    Senator Burns. Well, I am just saying, you know, even 
though we walked by our neighbor's mail boxes every day, you 
just did not fiddle around with another man's mail, and there 
was a post--every mail box we ever bought there was a 
Government message there, even though it was never locked or 
anything like that, and we were raised in that culture. You 
were taught that when you were a little child in your 
neighborhoods.
    Mr. Holder. I think that is an important point, and a very 
good one, in that we need to do something with our young people 
in particular, but I think people more generally--people tend 
not to take the kinds of lessons that we learn with other 
things and apply them to the Internet.
    There are privacy concerns that people have. There are 
certain things that you would not do in the material, the real 
world that people seem to do when it gets to the cyber world, 
or to the Internet, and we need to train people to make them 
more sensitive, make them aware that the kinds of don'ts, 
things you would not do in the real world you should also not 
do when it comes to the cyber world, so it is a question, I 
think, of educating people and training them.
    Senator Burns. I was just thinking, in the conversation, 
the culture you were raised in, and that if you did monkey with 
somebody else's mailbox, they would usually beat you home and 
they called your mom and dad up and you got quite a beating 
when you got home.
    But I just wonder if there is some way, even when signing 
on, if the operating bed or the operating system that you have 
got, there is not a warning that you have a certain 
responsibility, you are licensed to use this, but you have a 
certain responsibility that goes along with it. And I am 
wondering if something like that can be done and would scare 
off maybe some of the folks who would tend to wander into areas 
where they are not supposed to be.
    We want to thank you for your testimony this morning. The 
industry comes up next. I want to beg of you to let us know, 
Members of Congress. It does not hurt, even in the security 
area, where we cannot discuss things maybe in an open forum, 
but we can in a private forum, either in your office or, it 
does not make any difference. But keep us abreast, if you 
would, of what is going on out here.
    I am going to ask a question. How serious is this business? 
Extortion is a terrible, terrible thing that happens in any 
society. Is it a big problem in the Internet world?
    Mr. Vatis. There have been numerous instances of extortion 
plots carried out via e-mail, and threats delivered by e-mail. 
There have also been specifically computer-related extortion 
efforts, where criminals have said, ``Unless you pay me a 
certain amount of money, I am going to shut down your system or 
I am going to do something else to harm you.''
    Before these denial of service attacks took place, the last 
highly publicized example of a cybercrime was exactly that sort 
of extortion attempt, where somebody broke into a company 
called CD Universe (which sells CD's online), stole numerous 
credit card numbers from that company, and then threatened the 
company by saying that, unless CD Universe paid a certain 
amount of money, the hacker would post those credit card 
numbers on a Web site--which he subsequently did. That is 
another case that we have under investigation, but it is only 
one example of a rising trend in that sort of extortion scheme.
    Senator Burns. Well, that does not scare me much, because 
my wife keeps our credit cards right up to the limit, so they 
are not going to be OKed anyway. [Laughter.]
    No, not really. She is coming back to town. We have got to 
clear that from the record. [Laughter.]
    But I just wondered how bad that situation was, because I 
know that is a terrible, terrible, terrible crime. And thank 
you again this morning for your time and your testimony. We 
appreciate that very much. And if other Senators do have 
questions, I will direct them to you. And if you could respond 
to them and the committee, it would certainly help. And your 
full statements will be made part of the record. And we thank 
you for coming this morning.
    We move now to the second panel, made up of Mr. Michael 
Fuhrman, who is Manager, Security Consulting, Cisco Systems, 
out of San Jose, California; Paul Misener, who is Vice 
President of Amazon, out of Seattle; and Raj Reddy, from 
Herbert A. Simon Professor of Computer Science and Robotics, 
Carnegie Mellon University, out of Pittsburgh, Pennsylvania.
    Gentlemen, we appreciate you coming this morning and 
sharing your information with us. Again, you can summarize your 
statements, and rest assured that your full statements will be 
made a part of the record. Again, I thank you for coming this 
morning.
    Mr. Misener, we will start off with you this morning.

          STATEMENT OF PAUL MISENER, VICE PRESIDENT, 
                GLOBAL PUBLIC POLICY, AMAZON.COM

    Mr. Misener. Good morning, Chairman Burns. It is very good 
to see you again, in particular. I thank you very much for 
inviting me.
    My name is Paul Misener, and I am Amazon.com's Vice 
President for Global Public Policy. Amazon.com opened its 
virtual doors in July 1995, with a mission to use the Internet 
to transform book buying into the fastest, easiest, and most 
enjoyable shopping experience possible. Today, Amazon.com also 
offers consumer electronics, toys, CD's, videos, DVD's, home 
improvement tools, and much more. Seventeen million people in 
more than 160 countries have made us the leading online 
shopping site. And we also have a thriving auctionsite, Mr. 
Chairman.
    Amazon.com greatly appreciates the opportunity to testify 
before your Subcommittee.
    Senator Burns. You are starving us old auctioneers to 
death.
    [Laughter.]
    Mr. Misener. Please join us there.
    Amazon.com greatly appreciates this opportunity to testify 
before your Subcommittee on the recent distributed denial of 
service attacks. We look forward to working with Congress to 
address these incidents and other important Internet policy 
issues.
    Because the Internet and electronic commerce is the driving 
factor in the current booming economy, our Nation's economic 
well-being depends in part on stopping illegal activity that 
impedes e-commerce. We particularly support the Federal 
Government's involvement in fighting criminal behavior on the 
Internet. And we recognize and appreciate, however, your 
Subcommittee's important role in overseeing communications 
commerce.
    Mr. Chairman, although the distributed denial of service 
incidents that occurred last month have been described many 
times in the press and elsewhere, a short description of what 
specifically happened to Amazon.com bears repeating. In 
essence, for about an hour on February 8, 2000, a large amount 
of so-called junk traffic was directed to our Internet site. 
This junk traffic degraded the technical quality of service at 
the site. To be clear, this was not a break-in at our online 
premises, but rather a deliberate and illegitimate crowding of 
virtual driveways and sidewalks around our online store. This 
crowding somewhat hinders our customers' ability to visit and 
shop.
    At all times during this crowding, however, our customers' 
information was safe and secure, and many customers were able 
to enter our store and shop. Nonetheless, for about an hour, 
our customers experienced congestion-related delays when 
visiting the site. For Amazon.com customers', who have come to 
expect the world's best online shopping experience, even such a 
relatively minor inconvenience was frustrating.
    This is a key point for these hearings, Mr. Chairman. 
Consumers are the ones inconvenienced by distributed denial of 
service attacks. Indeed, millions of consumers have come to 
rely on the Internet to communicate, shop, invest, obtain news, 
and learn online. The denial of service attacks last month 
interrupted these important consumer activities and, thus, it 
is on behalf of consumers that all of us must work to prevent 
these attacks in the future.
    So what can the Federal Government do about denial of 
service attacks? Amazon.com believes the Government's key role 
should be to prosecute the perpetrators of these and other 
online criminal activities. Currently laws have been used 
successfully in recent cases. In addition, some have suggested 
extending existing laws or enacting new laws, and others have 
suggested establishing stiffer penalties under existing 
statutes.
    On behalf of our current and future customers, Amazon.com 
would be happy to work with Congress on any new legislation to 
address Internet crime issues.
    Successful prosecutions, of course, also rely on adequate 
resources with which to conduct investigations. Amazon.com 
believes that additional resources should be applied in at 
least four areas: law enforcement training, personnel 
retention, public education, and agency coordination.
    Let me say a few things about each area. First, continuous 
training of law enforcement personnel in the latest digital 
forensic techniques, as well as current Internet technologies, 
should be at the top of any list for additional funding. In 
particular, additional training in electronic evidence handling 
is necessary, for preservation of digital evidence is as 
important for cybercrime prosecutions as preservation of 
fingerprints is for physical crimes.
    Second, given the strong demand for information technology 
experts, both within and outside of Government, law enforcement 
agencies need additional resources to retain senior IT 
professionals and attract new ones.
    Third, Federal law enforcement agencies should have 
sufficient resources to help educate private industry and 
consumers on preventing Internet-related crime.
    Finally, better coordination and communication among 
Federal, State, local, and international law enforcement 
agencies is needed. The recent incidents were not 
geographically localized, and there is no reason to expect 
future Internet crime to be.
    In all of these areas, increased Government interaction 
with private industry would help. Amazon.com already is engaged 
in this sort of informal partnership. In addition to existing 
ongoing investigations, our technologists are working with 
various law enforcement personnel on the latest developments in 
Internet technology and techniques. We believe it would be 
premature, however, to formalize this partnership.
    Absent from our suggested Federal response is a role for 
the Federal Communications Commission. The reason is 
straightforward: The distributed denial of service attacks 
involved coordinated and criminal transmission of content over 
the Internet. It is hard to see how the FCC has statutory 
authority over such matters. And even if it had or were given 
such authority, the agency currently lacks the resources and 
expertise to do what is necessary at this point; namely, to 
fight the criminal activity.
    Simply put, useful FCC involvement would require statutory 
changes, additional resources and additional expertise to 
succeed. This is work better left to law enforcement agencies.
    In conclusion, Mr. Chairman, we applaud your effort to 
address these denial of service attacks and to formulate an 
appropriate Federal response. As indicated, we believe the 
situation currently is best handled using law enforcement 
mechanisms. But we would appreciate your Subcommittee's 
continued interest in the matter.
    On behalf of our current and future customers, Amazon.com 
stands ready to help. Thank you very much for the opportunity 
to testify before your Subcommittee. I would be pleased to 
answer your questions and I look forward to working with you.
    [The prepared statement of Mr. Misener follows:]

          Prepared Statement of Paul Misener, Vice President, 
                    Global Public Policy, Amazon.com
    My name is Paul Misener, and I am Amazon.com's Vice President for 
Global Public Policy. Amazon.com opened its virtual doors in July 1995 
with a mission to use the Internet to transform book buying into the 
fastest, easiest, and most enjoyable shopping experience possible. 
Today, Amazon.com also offers consumer electronics, toys, CDs, videos, 
DVDs, home improvement tools, and much more. Seventeen million people 
in more than 160 countries have made us the leading online shopping 
site.
    Amazon.com greatly appreciates the opportunity to testify before 
your Subcommittee on the recent distributed denial of service attacks. 
We look forward to working with Congress to address these incidents and 
other important Internet policy issues. Because electronic commerce is 
the driving factor in the current booming economy, our nation's 
economic well-being depends in part on stopping illegal activity that 
impedes e-commerce.
    We particularly support the Federal Government's involvement in 
fighting criminal behavior on the Internet. We recognize and 
appreciate, however, your Subcommittee's important role in overseeing 
communications commerce.
    Mr. Chairman, although the distributed denial of service incidents 
that occurred last month have been described many times in the press 
and elsewhere, a short description of what specifically happened to 
Amazon.com bears repeating.
    In essence, for about an hour on February 8, 2000, a large amount 
of so-called ``junk traffic'' was directed to our Internet site. This 
junk traffic degraded the technical quality of service at the site.
    To be clear: this was not a break-in at our online premises but, 
rather, a deliberate and illegitimate crowding of the virtual 
``driveways and sidewalks'' around our online store. This crowding 
somewhat hindered our customers' ability to visit and shop.
    At all times during this crowding, however, our customers' 
information was safe and secure, and many customers were able to enter 
and shop at our store. Nonetheless, for about an hour, our customers 
experienced congestion-related delays when visiting the site. For 
Amazon.com's customers, who have come to expect the world's best online 
shopping experience, even such a relatively minor inconvenience was 
frustrating.
    This is a key point for these hearings: consumers are the ones 
inconvenienced by distributed denial of service attacks. Indeed, 
millions of consumers have come to rely on the Internet to communicate, 
shop, invest, obtain news, and learn online. The denial of service 
attacks last month interrupted these important consumer activities and, 
thus, it is on behalf of consumers that all of us must work to prevent 
these attacks in the future.
    So what can the Federal Government do about denial of service 
attacks? Amazon.com believes the Government's key role should be to 
prosecute the perpetrators of these and other online criminal 
activities. Current laws have been used successfully in recent cases. 
In addition, some have suggested extending existing law or enacting new 
laws, and others have suggested establishing stiffer penalties under 
existing statutes.
    On behalf of our current and future customers, Amazon.com would be 
happy to work with Congress on any new legislation to address Internet 
crime issues.
    Successful prosecutions, of course, also rely on adequate resources 
with which to conduct investigations. Amazon.com believes that 
additional resources should be applied in at least four areas: law 
enforcement training, personnel retention, public education, and agency 
coordination. Let me say a few things about each area.
    First, continuous training of law enforcement personnel in the 
latest digital forensic techniques, as well as current Internet 
technologies, should be at the top of any list for additional funding. 
In particular, additional training in electronic evidence handling is 
necessary, for preservation of digital evidence is as important for 
cybercrime prosecutions as preservation of fingerprints is for physical 
crimes.
    Second, given the strong demand for information technology experts, 
both within and outside of Government, law enforcement agencies need 
additional resources to retain senior IT professionals and attract new 
ones.
    Third, Federal law enforcement agencies should have sufficient 
resources to help educate private industry and consumers on preventing 
Internet-related crime.
    Finally, better coordination and communication among Federal, 
state, local, and international law enforcement agencies is needed. The 
recent incidents were not geographically localized, and there is no 
reason to expect future Internet crime to be.
    In all of these areas, increased Government interaction with 
private industry would help. Amazon.com already is engaged in this sort 
of informal partnership: in addition to assisting the ongoing 
investigations, our technologists are working with various law 
enforcement personnel on the latest developments in Internet technology 
and techniques. We believe it would be premature, however, to formalize 
this partnership.
    Absent from our suggested Federal response is a role for the 
Federal Communications Commission. The reason is straightforward: the 
distributed denials of service attacks involve coordinated and criminal 
transmission of content over the Internet. It is hard to see how the 
FCC has statutory authority over such matters. Yet even if it had, or 
were given, such authority, the agency currently lacks the resources 
and expertise to do what is necessary at this point, namely, to fight 
the criminal activity. Simply put, useful FCC involvement would require 
statutory changes, additional resources, and additional expertise to 
succeed. This is work better left to law enforcement agencies.
    In conclusion, Mr. Chairman, we applaud your effort to address 
these denials of service attacks and to formulate an appropriate 
Federal response. As indicated, we believe the situation currently is 
best handled using law enforcement mechanisms, but we would appreciate 
your Subcommittee's continued interest in the matter. On behalf of our 
current and future customers, Amazon.com stands ready to help.
    Thank you very much for the opportunity to testify before your 
Subcommittees. I would be pleased to answer your questions and I look 
forward to working with you.

    Senator Burns. Thank you very much, Mr. Misener.
    Now we have Michael Fuhrman, who is Manager, Security 
Consulting, Cisco Systems. Welcome before the Subcommittee. We 
look forward to your testimony.

            STATEMENT OF MICHAEL FUHRMAN, MANAGER, 
               SECURITY CONSULTING, CISCO SYSTEMS

    Mr. Fuhrman. Thank you, Chairman Burns.
    I am Michael Fuhrman of Cisco Systems. As you know, 
Chairman, we are the largest manufacturer of equipment that 
connects people and businesses to the Internet. We are based in 
San Jose, California, and we have large operations in 
Massachusetts, North Carolina and Texas.
    Senator Burns.  Did you ever consider Montana?
    [Laughter.]
    Mr. Fuhrman. We do have sales offices in Montana, yes.
    In particular, I manage our company's Security Consulting 
Services Group, which helps to ensure the security of some of 
the best known sites on the Internet. My team of engineers and 
specialists evaluate the protective measures being employed by 
our customers. We help them respond to anyone or anything that 
threatens the integrity of their systems. And as last month's 
hacker attacks on some of the world's busiest Web sites 
graphically demonstrated, this is a task that requires constant 
vigilance.
    Cisco security specialists were among those who responded 
to the denial of service attacks that temporarily blocked 
access to several sites, beginning on February 7th. I am happy 
to tell you that we were able to help some of our customers 
quickly identify the technology being used in the attacks, 
employ effective countermeasures, and beat back repeat efforts 
by hackers to obstruct access.
    Now, in a nutshell, the hackers initially were able to 
briefly shut customers out of some targeted Web sites, as Mr. 
Misener said, by bombarding these sites with more information 
than they could process at the time. In a way, we liken it to 
the Internet equivalent of trying to go shopping the day after 
Thanksgiving. The crowds are overwhelming and the parking lots 
are full. The difference in this case is, however, that people 
were not prepared for this activity.
    Now, after these assaults, there was some heated 
speculation about whether the public can depend on the Internet 
as a reliable means of doing business and sharing information. 
Now, the lesson to be learned from the attacks is not that the 
hackers have some sort of technological edge. On the contrary, 
the technology that is employed in these attacks is well-known 
to those of us in the systems security field. Proper defenses 
for a majority of these, the technology does exist.
    The lesson is that events like this can be anticipated and 
managed with the proper diligence and planning. The technology 
community showed that it can respond swiftly and effectively, 
taking steps to quickly mitigate the attacks and to make it 
harder for future attacks in the future.
    Now, it is important to note, in all of these assaults, 
targeted Web sites were interrupted only for relatively brief 
periods. It is also important to note, again, as Mr. Misener 
stated, these attacks blocked access to some systems, but did 
not penetrate into the internal systems of these companies.
    The technology community has already joined with the 
Federal Government to respond more effectively should attacks 
like these be repeated in the future. The community and the 
Government are forming an organization that will disseminate 
critical information quickly and widely if the Internet is 
threatened.
    We at Cisco keenly understand the importance of this task. 
We will conduct $12 billion of business over our Web site this 
year. Our employees perform 95 percent of their tasks on our 
Web site. My consulting group in particular recently conducted 
a 6-month survey of 33 businesses connected to the Internet, 
where we measured their state of security. We found that, on 
average, one out of every three of the companies' devices 
connected to the Internet were vulnerable to some form of 
attack or another.
    We also found, however, that 90 percent of the 
vulnerabilities could be solved with technology that was 
readily available today, if the technology is properly employed 
and consistently updated. Now, this, of course, is easy to say 
and extraordinarily difficult to do.
    We have to remember that a decade ago the Internet was 
little more than a clunky mechanism that a few educational 
research institutions used to trade messages we now all know as 
E-mail. The blazing speed at which the Internet has developed 
and the equally rapid pace at which threats to the Internet's 
security have evolved make it hard even for those who build and 
maintain Web sites to keep pace.
    But businesses and others who operate Web sites are 
learning that security must become an ever more important 
concern. The number of companies who come to Cisco, for 
instance, in assistance in securing their networks has grown by 
over 50 percent over the last 12 months alone--a very 
encouraging statistic. And we have all learned that one thing 
the technology can do collectively is to increase the sharing 
of information about up-to-the-minute developments in security.
    We believe that this public/private partnership is the most 
effective response to the recent attacks. In the private 
sector, incentives must be put into place to encourage all Web 
sites to deploy security technologies, to protect themselves 
and their customers from hacker attacks. In the public sector, 
we are grateful that the Federal Bureau of Investigation has 
devoted significant resources to investigating these attacks. 
And we hope that the perpetrators will be prosecuted to the 
fullest extent of the law.
    We encourage the Federal Government to serve as a role 
model for private industry, by equipping its own computer 
systems with the best security measures possible. This, too, of 
course, will not be easy. Both the Government and private 
enterprise are having difficulty attracting and retaining 
enough skilled professionals in the field of systems security. 
I am happy to tell you that the private sector has joined with 
the Office of Personnel Management to help the Government in 
the area by developing training and mentoring programs. Again, 
we regard this as an excellent example of public/private 
partnership.
    At this time, however, we do not ask Congress for new laws 
in the area of Internet security. Cooperation, not regulation, 
not legislation, will ensure that the Internet remains secure 
and, at the same time, open to the broadest public access. The 
Internet is and always should remain an open medium. No one can 
insulate the Internet and everything connected to it from all 
threats, or guarantee that no attack on any particular Internet 
site will succeed.
    Even our oldest, most established public infrastructures 
pause on occasion. Power and telephone lines come down, water 
mains break, highways become clogged. And like them, the 
Internet will occasionally have localized difficulties. These 
are but potholes on the information superhighway, which we will 
fill in as fast as they appear, learning how to prevent similar 
potholes in the future.
    The recent attacks actually demonstrated that the 
technology community can quickly identify threats to the 
Internet, quickly act to eliminate them, and quickly take 
measures that will reduce the impact of similar threats in the 
future. This spirit of innovation and rapid development propels 
the Internet's exponential growth and ensures that the Internet 
will remain secure as it continues to grow.
    Thank you. I look forward to your questions.
    [The prepared statement of Mr. Fuhrman follows:]

            Prepared Statement of Michael Fuhrman, Manager, 
                   Security Consulting, Cisco Systems
    Chairman Burns and distinguished senators, I am Mike Fuhrman of 
Cisco Systems. As you may know, Cisco is the world's largest 
manufacturer of equipment that connects people and businesses to the 
Internet. We are based in San Jose, California and have substantial 
operations in Massachusetts, North Carolina and Texas.
    I manage our company's Secure Consulting Services Group, which 
helps ensure the security of some of the best-known sites on the 
Internet. My team of engineers and specialists evaluates the protective 
measures being employed by our customers and helps them respond to 
anyone or anything that threatens the integrity of their systems. As 
last month's hacker attacks on some of the world's busiest web sites 
graphically demonstrated, this is a task that requires constant 
vigilance.
    Cisco's security specialists were among those who responded to the 
so-called ``denial of service attacks'' that temporarily blocked access 
to several web sites beginning Feb. 7. I'm happy to tell you that we 
were able to help some of our customers quickly identify the technology 
being used in these attacks, employ effective countermeasures and beat 
back repeat efforts by hackers to obstruct access.
    In a nutshell, hackers initially were able to briefly shut 
customers out of some targeted web sites by bombarding those sites with 
more information, some of it more false or misleading, than they were 
able to process. In a way, it was the Internet equivalent of trying to 
shop on the day after Thanksgiving, when the crowds are overwhelming. 
But in this case, the problem was nobody knew the rush was coming and 
therefore we weren't quite prepared to handle it.
    After these assaults, there was some overheated speculation about 
whether the public can depend on the Internet as a reliable means of 
doing business and sharing information. The lesson to be learned from 
these attacks is not that hackers have some kind of technological edge 
that enabled them to do what they did. On the contrary, the technology 
employed in these attacks is well known to those of us in the systems 
security field and proper defenses against that technology are widely 
available.
    The lesson is that events like these can be anticipated and managed 
with diligence and proper planning. The technology community showed 
that it can respond swiftly and effectively, taking steps to quickly 
mitigate the attacks and to make it harder for similar assaults to 
succeed in the future.
    It's important to note that, in all of these assaults, service to 
targeted web sites was interrupted only for relatively brief periods. 
It's also important to note that while these attacks blocked access to 
some targeted computer systems, they do not appear to have penetrated 
the outer defenses of these systems. We know of no case in which 
hackers obtained access to confidential customer information, such as 
credit card numbers, or did lasting damage to any of the targeted 
sites.
    And it's important to note that the technology community has 
already joined with the Federal Government to respond more effectively 
should attacks like these be repeated in the future. The community and 
the Government are forming an organization that will disseminate 
critical information quickly and widely if the Internet is threatened.
    We at Cisco Systems keenly understand the importance of this task. 
We will conduct $12 billion worth of business over our own web site 
this year, and our employees are able to perform about 95 percent of 
their work on the site.
    Cisco Secure Consulting Services recently conducted a six-month 
survey of 33 businesses connected to the Internet and measured their 
``state of security.'' We found that, on average, one out of every 
three devices connected to the Internet was vulnerable to some form of 
attack. But we also found that over 90 percent of the vulnerabilities 
could be solved with technology that is readily available, if the 
technology is properly employed and constantly updated.
    This is easy to say and extraordinarily difficult to do. A decade 
ago, the Internet was little more than a clunky mechanism that a few 
educational and research institutions used to trade messages we now 
know as email. The blazing speed at which the Internet has developed--
and the equally rapid pace at which threats to Internet security have 
evolved--make it hard even for those who build and operate web sites to 
keep pace.
    But businesses and others who operate web sites are learning that 
security must become an ever-more-important concern. The number of 
companies who have come to Cisco for assistance in securing their 
networks has grown by over 50 percent during the last 12 months alone--
a very encouraging statistic. And we have all learned that one thing 
the technology community can do collectively to increase is to share 
information about up-to-the-minute developments in systems security.
    The community has joined with the Federal Government to do just 
this. Even before last month's attacks, industry leaders had joined to 
form the Partnership for Critical Infrastructure Security. The PCIS is 
a voluntary organization that is working to share information about 
threats to the Internet and other crucial networks, and determine how 
best to respond to those threats. About 120 companies are cooperating 
in this effort.
    And last month at the White House information technology summit, 
Cisco was one of about 40 Internet companies that agreed to develop a 
structured mechanism to react to events like the recent hacker attacks. 
As with the PCIS, industry is coordinating its activities with the 
Federal Government.
    We believe that this public-private partnership is the most 
effective response to these recent attacks. In the private sector, 
incentives must be put into place to encourage all web sites to deploy 
security technologies to protect themselves and their customers from 
hacker attacks.
    In the public sector, we are grateful that the Federal Bureau of 
Investigation has devoted significant resources to investigating these 
attacks and we hope the perpetrators will be prosecuted to the fullest 
extent of the law. We encourage the Federal Government to serve as a 
model for private industry by equipping its own computer systems with 
the best security measures possible.
    This, too, will not be easy. Both the Government and private 
enterprise are having difficulty attracting and retaining enough 
skilled professionals in the field of systems security. I'm happy to 
tell you that the private sector has joined with the Office of 
Personnel Management to help the Government in this area by developing 
training and mentoring programs. Again, we regard this as an excellent 
example of public-private partnership.
    At this time, however, we do not ask Congress for new laws in the 
area of Internet security. Cooperation, not regulation or legislation, 
will insure that the Internet remains secure and at the same time open 
to the broadest possible public access.
    The Internet is, and should always remain, an open medium. No one 
can insulate the Internet and everything connected to it from all 
threats or guarantees that no attack on any particular Internet site 
will succeed. Even our oldest, most established public infrastructures 
pause on occasion--power and telephone lines come down, water mains 
break, highways become clogged--and, like them, the Internet will 
occasionally have localized difficulties. These are but potholes on the 
information superhighway, which we will fill in as fast as they 
appear--learning how to prevent similar potholes in the future.
    These recent attacks actually demonstrated that the technology 
community can quickly identify threats to the Internet, quickly act to 
eliminate them and quickly take measures that will reduce the impact of 
similar threats in the future. This spirit of innovation and rapid 
development propels the Internet's exponential growth and ensures that 
the Internet will remain secure as it continues to grow.
    Thank you. I look forward to your questions.

    Senator Burns. Thank you, Mr. Fuhrman.
    Dr. Reddy, welcome to our Subcommittee.
    And can I get your statement right after this?
    Senator Abraham. Why do we not let him go.
    Senator Burns. I think that is wise. Thank you.
    Dr. Reddy, thank you very much for coming this morning. We 
look forward to your testimony.

        STATEMENT OF RAJ REDDY, PH.D., HERBERT A. SIMON 
          PROFESSOR OF COMPUTER SCIENCE AND ROBOTICS, 
                   CARNEGIE MELLON UNIVERSITY

    Dr. Reddy. Thank you, Mr. Chairman. This is a great 
opportunity for us to testify before the Subcommittee.
    My name is Raj Reddy. I am the Herbert A. Simon Professor 
of Computer Science and Robotics at Carnegie Mellon University. 
I also serve as the Co-Chair of the President's Information and 
Technology Advisory Committee, commonly known as PITAC.
    In the PITAC February 1999 report to the President, labeled 
``Information Technology: Investing in our Future,'' we 
highlighted the need for increased investments in national 
security--about 15 months ago--as well as a number of other 
research areas.
    Today, on behalf of PITAC, I will provide you with insights 
into the state of the Internet security in our country and 
outline some of the PITAC recommendations that will help our 
Nation to build and support a more reliable, available, secure, 
and scalable Internet. I will also provide some personal 
observations on, besides legal and administrative remedies, 
what research and technology remedies might exist to solve this 
problem of denial of service.
    While advances in information technology have created 
unprecedented economic growth and transformed our lives in 
thousands of positive ways, weaknesses still remain that enable 
malicious hackers to disrupt Internet service and overload 
popular Web sites. An analysis of these highly visible 
disruptions to the Internet reveals a wide range of causes, 
including denial of service from hackers.
    The PITAC shares Congress' concern about these recent 
hacker attacks. In our February 1999 report, we observed that 
the Internet has grown well beyond the intent of its original 
designers 25 years ago, and that our ability to extend its use 
has created enormous challenges. In our report, we recommended 
a research agenda to help ensure the survivability of our 
information infrastructure in the face of malicious attacks, 
equipment and software failures, and legal overload, where a 
large number of people call in a Schwab account site on a busy 
stock market day.
    We concluded that the support for critical, long-term 
fundamental research in IT is diminishing, and that the current 
research is too focused on near-term problems related to agency 
missions. To help maintain the U.S. leadership in IT, 
information technology, and restore a commitment to high-risk, 
high-return research, we recommended that the Federal 
Government create a strategic initiative in long-term R&D 
funding, and increase the funding for R&D over the next 5 years 
by $1.4 billion.
    Our report recommended a balanced research agenda in 
software, scalable information infrastructure, high-end 
computing, and work force implications. Specifically, we 
recommended research to support scalable information 
infrastructure, authentication and security mechanisms, 
mechanisms for detecting system intrusion, mechanisms for 
detecting mitigating and responding and recovering from human 
error in the creation and the use of the infrastructure, 
mechanisms for assuring information quality, and a number of 
others.
    PITAC is encouraged by the strong bipartisan support for 
the information technology research and development and by the 
$235 million increased appropriation this year for the Federal 
IT R&D programs. Based largely on our recommendations, the 
administration proposal for the fiscal year 2001 budget 
includes a $600 million increase in investments for a balanced 
information technology R&D program, which includes funding for 
networking and software research to enable more secure, 
reliable, dependable networks.
    We applaud the Senate's past leadership in supporting this 
information technology R&D, and we hope you will support the 
full set of research priorities we recommended in our report.
    Now I would like to make some personal observations on the 
specific problem of Internet security. Remedies to the problems 
of denial of service attacks and security loopholes and insider 
risks, there are a number of different ways of skinning this 
cat. One is legal; the other is administrative; and, finally, 
there is also an opportunity to use research and technology to 
stop many of these problems. And I would like to share with you 
some ideas on that topic.
    I propose that we establish a national network test bed 
that can be used to develop and demonstrate what I will refer 
to as an ultra-dependable, self-healing Internet. The purpose 
of this test bed is to try out new approaches without 
disrupting the crucial production infrastructure. It is an R&D 
vehicle. The proposed test bed will be similar to the ultra 
high-speed network test bed, NGI, Next Generation Internet, 
that has been funded in the last few years.
    It will include attributes such as reliability, 
availability, scalability, in addition to security. The 
operative issue is not security alone, as interpreted narrowly, 
but how to create a dependable Internet that we can all trust, 
like we trust the telephone system today. The ultra-dependable 
Internet would be used to develop technologies to enable self-
healing networks.
    A self-healing network would work similar to the human 
immune system. It would continuously monitor the system--in 
this case, the network--analyze what is happening in the 
system, what packets are going through, and it would detect 
abnormal patterns automatically and immediately begin actions 
to remedy this problem. It would use software agents, capable 
of self-monitoring, self-diagnosing, and self-repair, much as 
the human immune system uses distributed antibodies to disable 
antigens and restore balance in the human body.
    Just as in the human system, where a few people may 
occasionally get sick but the society as a whole continues to 
function, we may accept an occasional denial of Internet 
service in a particular location, as long as most of the users 
are able to access most of the Web sites most of the time 
without any degradation of service. The proposed self-healing 
network will increase the packet handling overhead and perhaps 
make the system slower. We believe, with the exponential growth 
in technology, this will not be a serious problem in the 
future.
    In addition to the research needed to develop the faster 
networks, we will also need research in data warehousing of 
meta-data contained in the packet headers, data mining of the 
statistical parameters that would classify normal and abnormal 
traffic, and repair strategies for generating signals that 
would make abnormal requests detectable.
    In conclusion, I believe the creation of a dependable 
Internet infrastructure, as dependable as the telephone 
service, is essential to the future of the economic growth and 
security of this Nation. To accomplish this, we need bold new 
research initiatives and uniform application of ideas across 
the international Internet infrastructure. Support for the 
increased Federal investments in IT R&D is a positive first 
step. But continued dialog among Federal researchers, industry 
and academia is essential to create bold new ideas like a self-
healing, dependable information infrastructure.
    In summary, Mr. Chairman, it is estimated that the market 
capitalization of the Internet-based industries created since 
1990 exceeds $1 trillion, resulting in capital gains taxed paid 
to the Nation of over $200 billion. Investing a small fraction 
of this national income in research toward creating an ultra-
dependable, self-healing Internet will help ensure the 
continuation of this engine of growth.
    Thank you.
    [The prepared statement of Dr. Reddy follows:]

 Prepared Statement of Raj Reddy, Ph.D., Herbert A. Simon Professor of 
       Computer Science and Robotics, Carnegie Mellon University
Introduction

    Mr. Chairman and Members of the Subcommittee, thank you for this 
opportunity to testify about important research and development efforts 
aimed at increasing Internet security and protecting our Nation's 
Information Infrastructure.
    My name is Raj Reddy, and I am the Herbert A. Simon University 
Professor of Computer Science and Robotics at Carnegie Mellon 
University. I also serve as Co-Chair of the President's Information 
Technology Advisory Committee, commonly known as PITAC. In the PITAC's 
February 1999 report to the President, ``Information Technology 
Research: Investing in Our Future,'' we highlighted the need for 
increased investment in network security, as well as other important 
research areas. Today, on behalf of PITAC, I will provide you with 
insight into the state of Internet security in our country and outline 
some of the PITAC recommendations that will help our Nation build and 
support a more reliable, available, secure, and scalable Internet. I 
will also present my personal views on an R&D strategy for developing 
and demonstrating highly dependable networks.

Background

    While advances in information technology have created unprecedented 
economic growth and transformed our lives in thousands of positive 
ways, weaknesses still exist that enable malicious hackers to disrupt 
Internet service and overload popular Web sites. An analysis of the 
highly visible disruptions to Internet access reveals a wide range of 
causes, including denial of service attacks from malicious hackers 
using insecure hosts infected with ``zombie'' diseases (Yahoo!), 
software bugs (Ameritrade), insecure configurations (Schwab), change 
management (E-trade), and security loopholes (Hotmail, Melissa).
    PITAC shares Congress' concern about these recent hacker attacks. 
In our report to the President, we observed that ``the Internet is 
growing well beyond the intent of its original designers and our 
ability to extend its use has created enormous challenges. As the size, 
capability, and complexity of the Internet grows, it is imperative that 
we do the necessary research to learn how to build and use large, 
complex, highly-reliable, and secure systems . . . It is therefore 
important that the Federal Government undertake research on topics 
ranging from network reliability and bandwidth, to robust, reliable, 
secure ways to deliver and to protect critical information.'' In our 
report, we recommended a research agenda to help ensure the 
survivability of our information infrastructure in the face of 
malicious attacks or viruses, equipment or software failures, and 
overload. Before I discuss the specifics of the R&D agenda for Internet 
security, I would first like to briefly summarize the findings and 
recommendations of our report.

The PITAC Report Findings and Recommendations

    The PITAC was established pursuant to the High Performance 
Computing Act of 1991 and was tasked to look at a number of issues in 
high performance computing and communications. After a detailed review 
of the Federal IT R&D programs, we concluded that U.S. leadership in IT 
provides an essential foundation for promoting economic growth, 
education and research, environmental stewardship, public health, and 
national security. We also concluded that there has been an erosion of 
support for long-term fundamental research in IT and that current 
research is too focused on near-term problems linked to agency 
missions. Our Committee recommended that the Federal Government create 
a strategic initiative for long-term R&D and increase funding for IT 
R&D by $1.4 billion by fiscal year 2004 over the fiscal year 1999 base 
programs funding level. Our report recommended a balanced research 
agenda, with priority for the following areas:

          Software: Methods for efficiently creating and 
        maintaining high-quality software of all kinds and for ensuring 
        the reliability of the complex software systems that now 
        provide the infrastructure for much of our Government and our 
        economy.
          Scalable Information Infrastructure: Techniques for 
        ensuring that the National Information Infrastructure 
        consisting of communications systems, the Internet, large data 
        repositories, and other emerging systems is reliable and 
        secure, and can grow gracefully to accommodate the massive 
        numbers of new users (perhaps billions) and applications 
        expected over the coming two decades.
          High End Computing : Continued invention and 
        innovation in the development of fast, powerful computing 
        systems and the accompanying communication systems are needed 
        to implement critical science, engineering, and business 
        applications ranging from aircraft design to weather and 
        climate modeling.
          Social, Economic, and Workforce Implications of IT: 
        Research directed towards better understanding the sociological 
        and economic impacts of innovations in information technology 
        and toward growing the workforce to meet the national need for 
        information technology professionals.

    Our recommendation for research to support a scalable information 
infrastructure included topics to enable the survivability of our 
networks and information. Survivability means that services will be 
available when needed and information will be delivered in a timely 
fashion. The recommended research agenda includes:

          Authentication and security mechanisms for a large, 
        heterogeneous, and evolving infrastructure
          Mechanisms for detecting system intrusion and 
        information software corruption
          Mechanisms for detecting, mitigating, responding to, 
        and recovering from, or for preventing, human error in the 
        creation and use of the infrastructure
          Mechanisms for assuring information quality
          Scalable information and service replication 
        strategies
          Mechanisms for monitoring services to ensure correct 
        operation within given quality-of-service bounds
          Repositories for guaranteed long-term preservation of 
        information

    Our report recommendations have received strong bi-partisan support 
and we were encouraged by the $235 million increase for IT R&D 
appropriated in this year's budget. The President's fiscal year 2001 
budget proposes an increase of nearly $600 million in IT R&D in a 
balanced research program that addresses the recommendations in the 
PITAC report. Proposed funding includes networking and software 
research directed towards technologies to enable more secure, reliable, 
and dependable networks. The PITAC applauds the Senate's past support 
and leadership for IT R&D and hopes the Senate will support the full 
set of research priority areas recommended in our report.
    The PITAC report provides broad concepts for a balanced IT R&D 
program. While we recognized the importance of network security, 
reliability, and dependability, we did not develop a detailed R&D 
agenda for Internet security. Our recommendations cover a range of 
important topics to be addressed, rather than proposals for specific 
research projects.

The Impact of Internet Downtime on Businesses and Society

    Denial of service happens when the network fabric is overloaded 
through intentional and unintentional (``legal'') overloading of the 
system with too many requests. This is analogous to a large number of 
people calling California in the event of an earthquake report, or a 
computer calling a phone continuously thereby blocking anyone else 
getting through in case of an emergency. The cost of denial of service 
and overloading can be substantial. The Yankee Group estimates that the 
online industry may have lost $1.2 billion in revenue from the Web site 
attacks earlier this month. (WSJ, Feb 24, 2000). A Gartner Group study 
showed that the average cost of downtime in brokerage operations is 
about $6.5 million per hour! According to the Boston-based market 
research firm, $29 million in refunds were paid out by MCI to customers 
affected by the 10 day outage of its frame relay network in August 
1999. Three thousand companies were affected. (Online News, 10/28/99). 
eBay paid $3.9 million in credits to its customers for the service 
outage that halted bidding completely at its popular service for an 
unprecedented 22 hours in June 1999. Distributed network sites can lose 
$20,000 to $80,000 per hour. (Computer Reseller News, 1998). At a cost 
of $80,000 per hour, the average company will lose $7.1 million per 
year in centralized network downtime.
    These costs are expected to increase as companies incur indirect 
costs in the form of lawsuits, regulatory scrutiny, impact on brand 
name and public image, loss of customer base, lower employee morale and 
productivity, and higher employee stress.
    The impact on businesses of system outage can be even more 
devastating. In an April 1999 survey of consumers, research firm 
Jupiter Communications found that 46 percent leave a preferred site if 
they experience technical or performance problems. Statistics from 
McGladrey and Pullen show that for every five organizations affected by 
a disaster, two will be unable to maintain their critical business 
functions and make a recovery. Of the remaining three, one will not 
survive the next two years. In fact, a company that experiences a 
computer outage lasting more than 10 days will never fully recover 
financially (``Disaster Recovery Planning: Managing Risk and 
Catastrophe in Information Systems'' by Jon Toigo).
    According to Cahners in-stat group, Internet downtime hits 
businesses financially, (http://www.instat.com/abstracts/ia/1999/
is9906sp--abs.htm), affecting direct revenue/customer base, 
compensatory payments, inventory cost, and depreciation of capital. It 
also affects business in ways not seen on the balance sheet, such as 
market capitalization loss, employee downtime, and delays to market 
items that may prove more financially damaging than the explicit losses 
associated with an outage. The report ``Data Failure: The Financial 
Impact on Internet Business'' quantifies the real-cost damages for site 
outages based on SEC filings and publicly released information. The 
report compares two e-commerce business models and illustrates how much 
is at stake in the event of data failure.

Steps Towards a Secure and Dependable Internet

    Many of the problems of Internet access can be avoided by taking 
some simple common sense precautions. For example:

    Online businesses can:

          Educate users on cyber hygiene, security tools, and 
        procedures such as use of the firewalls, intrusion detection 
        systems, anti-virus software, automatic daily disinfecting 
        tools, etc.
          Discourage masquerading and spoofing attacks by 
        ensuring that network traffic exiting from the local area 
        network of an organization carries the address consistent with 
        the valid set of addresses for that organization.
          Protect against inside hacker risk by providing 
        backup and retrieval from an off-site storage service provider. 
        Disaster tolerance backup facilities are offered by many 
        suppliers. Such services guarantee constant availability of 
        data in the face of technical or natural catastrophe, including 
        surge capabilities for unplanned swells in site traffic.
          Provide 24 hour-per-day, 7 day-a-week physical 
        security to central facilities and server farms. Alternatively, 
        use the backup and retrieval from an off-site storage service 
        as described in the previous bullet.

    Industry can:

          Release hardware and software that prevents insecure 
        configurations, and provide tools for intrusion detection.
          Re-engineer operating systems and applications to 
        make them immune to the effects of viruses and other forms of 
        malicious code.
          Identify and close the security loopholes and 
        backdoors by working with major vendors to provide access to 
        the source code and encourage open source movement.
          Develop and deploy a secure communications 
        infrastructure that can be used by network operators and 
        Internet service providers to enable real-time collaboration 
        when dealing with attacks.

    Many of the common sense measures listed above depend on the 
voluntary compliance of more than a 100 million Internet users and 
organizations that provide Internet service. However, history has shown 
us that compliance failures will occur, either unintentionally or 
maliciously. Rather than leaving the Internet vulnerable because a few 
persons or organizations are careless or reckless, we should develop an 
information infrastructure that is not dependent on voluntary 
compliance of security practices and policies.
Personal Views on a Strategy for a National Self Healing Network 
Testbed

    I would now like to make some personal observations and make a 
specific recommendation for creating a national self healing network 
testbed. The PITAC recommended an aggressive new program in networking 
research, including network security. We also recommended expanded 
research to explore ways that laws protecting privacy, intellectual 
property, and other rights are extended effectively into this new 
media. We continue to support increased funding in these critical 
areas.
    The PITAC is currently reviewing Federal research plans and will be 
issuing new recommendations later this year. Since these new 
recommendations are not available, I would like to present my personal 
views on logical next steps.
    By now we understand the sources of highly publicized Internet 
crashes: malicious hacker attacks and ``legal'' users overloading 
popular web sites. Many of the remedies require straightforward 
implementation of known solutions, either administrative or legal. 
However, herein lies the problem--we simply cannot depend on every 
system to be properly administered or every person to behave as 
desired. Instead, we should strive to develop an Internet 
infrastructure in which it does not matter if someone is careless or 
reckless. In my view, one of the key goals of networking research over 
the next few years should be development of a ``self healing'' network. 
A self healing network would work similar to the human immune system. 
It would constantly monitor the system (in this case, the network), 
analyze what is in the system, and if it finds something wrong within 
the system, immediately begin actions to remedy the problem. A self 
healing network would be capable of self-monitoring, self-diagnosing 
and self-repairing. To accomplish this, we should establish a national 
network testbed that can be used to develop and demonstrate what I will 
refer to as an ``ultra-dependable Internet.'' This is similar to an 
ultra-high speed network, but with the focus on dependability rather 
than speed.
    I will use the phrase ``dependable Internet'' to specifically 
include attributes such as reliability, availability, and scalability 
in addition to security. The operative issue is not ``security'' as 
interpreted narrowly in the research circles but rather ``how to create 
a dependable Internet Infrastructure'' that is as reliable as the 
current telephone system. By dependable, I mean a system (``as if my 
life depended on it'') that is:

          reliable, i.e., always up, accessible, accurate, and 
        consistent,
          available, i.e., a system with no world-wide-wait and 
        a response time of under 200 milliseconds most of the time,
          scalable, i.e. an infrastructure capable of scaling 
        to a billion simultaneous users and a trillion inter-connected 
        devices, and
          secure, i.e. no fear of loss of privacy and immunity 
        to sniffing and spoofing.

    The goal of a self healing network is to provide mechanisms for 
detecting unauthorized use of networking equipment, tracking 
inappropriate uses, and identifying the individuals using networks for 
malicious intent, without compromising individual rights to privacy and 
security on the network. Over the years we have found ways to balance 
privacy and security in traditional commerce. Applying these precedents 
to the new networked world will require combining the skills of 
technologists and people knowledgeable of the legal, economic, and 
social issues. Clearly this is an enormous challenge, but I believe it 
is a critical national research challenge and deserves an appropriate 
response.

A Self Healing Network

    A self healing network is one which continuously monitors all the 
traffic within the system (every packet entering the system is 
validated before it can proceed) with a view to detect and disable 
abnormal traffic patterns. It is predicated on using ``software 
agents'' capable of self-monitoring, self-diagnosis, and self-repair 
much as the human immune system uses (distributed) anti-bodies to 
disable antigens and restore balance in the human body. Just as in 
human systems where a few people may get sick some of the time, but 
society as a whole continues to function, we may accept an occasional 
denial of service as long as most users are able to access most of the 
web sites without any degradation of service.
    Self monitoring within the Internet core fabric requires agents 
capable of continuous and autonomous monitoring of ``packet'' traffic 
using ``software sensors.'' ``Self repair agents'' undertake a set of 
autonomous corrective actions against the offending source that is 
generating the unusual traffic by dropping the packets or limiting it 
to a ``fair share'' the number of packets entering the fabric. The work 
of these agents and the humans tracking network security could be 
helped if the new generation of routers add information packets that 
make it easier to detect malicious patterns of use and to track the 
attacks to their source.
    The proposed self healing network will add to the packet handling 
overhead at each router in the fabric and has the potential to make the 
system slower, waste bandwidth, and compromise privacy. At first blush, 
this requirement appears to be impractical, as the Internet is expected 
to handle trillions of packets every day and would require expensive 
retrofitting of the existing commercial Internet Service Providers 
(ISPs). However, such a transition is not only essential to the future 
economic growth and security of the nation, but also practical given 
the expected exponential advances in processor, memory, and optical 
networking technologies. The expected additional overhead in packet 
handling will be ameliorated by better algorithms, exponential 
improvements in processor (predicted by Moore's law), memory, and 
bandwidth technologies and increasing locality of Internet traffic 
patterns (``Internet is global and the traffic is local'').
    In addition to the research needed to develop terabit networks, 
faster routers, efficient algorithms, and distributed computation 
techniques, research will also be needed for data warehousing of meta-
data contained in packet headers, data mining of this data to establish 
statistical parameters that can be used to classify normal and abnormal 
traffic requests, and repair strategies for generating a signal 
(analogous to the busy signal used in voice telephony) to sites making 
abnormal requests without prior arrangement for surge capacity.

Conclusion

    In conclusion, creating a dependable Internet infrastructure that 
is as dependable as telephone service is essential to the future 
economic growth and security of the nation. It is possible to create a 
system capable of achieving these goals while ensuring absolute 
protection of personal privacy and without major reductions in 
networking speed. Indeed, rapid advances in computing power and 
networking speed should make the new security systems nearly invisible 
to users. The main challenge is to find the right balance between 
having a dependable Internet infrastructure without compromising the 
ease of use by non-experts and protecting the privacy of the 
individuals connected to the infrastructure. To accomplish this will 
require both new research ideas and the uniform application of known 
and new ideas across the Internet infrastructure. It makes sense to 
apply the creative energies of academe to these social problems.
    Development of networks capable of meeting our goals for security 
and privacy will only happen with a concerted research investment 
supported by both Government and industry. One strategy would be to 
support a network testbed designed with the specific goal of evaluating 
innovative strategies for network protection--including commercial 
concepts. Such a testbed would provide useful networking services and 
at the same time let commercial operators and Government research 
organizations evaluate advanced networking security concepts.
    It is estimated that market capitalization of Internet based 
industries created since 1990 is more than a trillion dollars resulting 
in capital gains taxes of more than $200 billion to the nation. 
Investing a small fraction of this national income in research towards 
creating a self healing Internet will ensure the continuation of this 
engine of growth!

Acknowledgements

    This paper has benefited from the comments and suggestions from 
several PITAC members: Jim Gray, Irving Wladawsky-Berger, Vint Cerf and 
Bob Kahn and from other colleagues: Anish Arora, V.S. Arunachalam, Ed 
Lazowska, and Rich Pethia. Please send comments to [email protected].

    Senator Burns. Thank you, Doctor. Those are interesting 
comments.
    I am going to move to Senator Abraham, who has joined us 
now. If you would like to either make your statement or 
summarize or present it for the record, and if you have 
questions for this panel, we would entertain those at this 
time. And then I will followup.

              STATEMENT OF HON. SPENCER ABRAHAM, 
                   U.S. SENATOR FROM MICHIGAN

    Senator Abraham. Thank you very much, Senator Burns. And 
thank you for your leadership on the Subcommittee level and on 
the full committee level on these issues. We appreciate what 
you do on a variety of these key topics.
    I just will make a brief statement. I have got two or three 
conflicting hearings this morning and other events, but I 
wanted to come by because I think this is a really important 
topic for us to focus on.
    I drew from this panel conclusions similar to ones I 
reached based on some meetings I had immediately in the wake of 
the recent spate of hacker activity. I was out in the Bay Area, 
Silicon Valley, and met with representatives from about 20 
companies at that time, which was just in the week afterward, 
and with a group of businesses in my own State. Although 
Michigan is not as well-known as a high-tech center perhaps as 
other parts of the country, we actually do have a real growing 
industry there. And I came away with conclusions very similar 
to the ones expressed by the panelists.
    I do not think there is any question that we need to 
proceed in a careful way here. We have to recognize the extent 
to which Government regulations are going to be effective are 
limited. I do think that we need to continue to focus on some 
of the things we can do with respect to penalties that can be 
invoked against people who commit computer-related crimes. I am 
not sure the current penalty structure really is adequate based 
on what I studied.
    I think the panels at the current time are kind of low. I 
think we need to establish Federal and civil criminal penalties 
against electronic identify theft, attacking one of the tools 
which is often used by cyber-terrorists and techno-thieves. I 
think we also need to examine Federal, civil and criminal 
penalties with respect to unauthorized access to information 
systems. I think these are areas where we can do some things 
that do not put such impediments in place that we constrict the 
development of the Internet and the development of e-commerce 
activities that are going to be going on.
    I also think that we need to encourage Governmentwide 
policies to improve the security of Federal information 
systems. That is not so much under our domain in this 
particular committee, but I think it is an area that we need 
to, based on these recent developments, that we need to perhaps 
as a Congress focus more attention on. And I know that Senator 
Thompson, in his committee, has focused on this and begun to 
introduce legislation along that line.
    And then I also serve on the Judiciary Committee, and we 
have looked at ways that we could create Federal grant programs 
to assist State and local law enforcement agencies in 
deterring, investigating and prosecuting computer crimes. 
Because obviously some of the resources available at the local 
level tend to maybe not be adequate to meet some of the 
challenges that the high-tech criminals pose. And I think that 
that is a reasonable area for us to both be part of and to look 
into.
    So these are some of the things I am going to be working 
on. But I think we also have to appreciate that there is sort 
of, obviously, a need to recognize the proprietary nature of 
information that is accumulated by industries, of technologies 
that are developed. And this is where I think some of the 
comments made in your earlier statements are particularly 
relevant. We have to appreciate that and understand that we can 
always come up with, I think, anti-crime legislation that can 
potentially be effective, but sometimes it is so effective that 
it completely inhibits normal human discourse and activity.
    I was saying in my meetings in Michigan, we could 
presumably stop most, if not all, bank robberies if we strip 
searched everybody who went into a bank. But that probably 
would mean that very few people went into banks. Similarly, we 
can probably come up with a variety of processes that would 
minimize the potential for Internet crime or cyber-terrorism, 
but at such a level that there would be no more activity of an 
e-commerce nature or anything else.
    We can always overreach. I think we have to be very careful 
not to. And so I appreciate what you are trying to accomplish 
today. I look forward to working with you. And I thank the 
panel. I appreciate very much their participation.
    Senator Burns. Thank you, Senator.
    I have just a couple of questions, and then we will just 
start the dialog. I am concerned. I think Senator Hollings kind 
of hit on it a while ago, and even the panel on law enforcement 
or those people who are in charge of monitoring these kind of 
activities. While I realize that you have got to watch the 
bottom line--I mean, we are all in business, we have to make a 
living and we have an obligation to our board of directors and 
our obligations to our own industry--and given the 
competitiveness of this industry so far, and we have tried to 
maintain this to be very open, very competitive, let 
entrepreneurialship and imagination and ingenuity flow, it 
seems like we have not really given an extra measure to 
security until we had this incident happened with this 
information.
    Business and security should be complementary, not mutually 
exclusive. And I am wondering if you could comment on this. 
They say you have run out of interest after a while in 
discussions about security. How can we increase this dialog? 
And how can we heighten the interest in security and the 
working between Government and law enforcement?
    I want you all to take a shot at this. So, Mr. Misener, if 
you want to lead it off.
    Mr. Misener. Certainly, Mr. Chairman. There is a need for 
both locks and police. We spent a lot of time talking about the 
police today and a little bit recently on the lock side. We at 
Amazon.com take security very seriously, and it is very 
important to us as a business and to our customers. As 
indicated before, we did not experience a break-in at our 
premises. Rather, it was this surrounding of the premises by 
this junk traffic that was directed toward our site.
    And so, to that extent, to the extent that there was this 
criminal behavior, we do believe that in addition to the locks 
that we put on our house, that we also need the police to help 
enforce against the criminal activity or prosecute the 
perpetrators of that criminal activity around the outside of 
the house.
    Senator Burns. Dr. Reddy.
    Dr. Reddy. Mr. Chairman, besides the locks and the police, 
there is a third option. Normally, when we build any 
infrastructure, whether it is the interstate highway system or 
anything else, the Government takes responsibility at certain 
levels. Unfortunately, the Internet fabric, everybody has their 
own sites and they can secure those, but no one person is 
responsible for the Internet fabric. And that is by design. 
That is the way it was designed in 1969, because we wanted it 
to be scalable.
    However, that particular design has run its course. I think 
we need new research and new test beds to demonstrate an ultra-
dependable network which has all the same features, and it can 
be shown and it can be used and demonstrated. And that is the 
responsibility of the Government, in the sense of what Senator 
Hollings was talking about and what you are also saying. It is 
not a question of increasing police, or it is not a question of 
telling private industry to put on more locks. There is another 
piece in between, the Internet fabric, that no person is 
responsible for. And therefore, the Government has to take 
responsibility for it.
    Senator Burns. Mr. Fuhrman.
    Mr. Fuhrman. Thank you, Chairman. If I could add, if we 
step back a second, everybody looks through their glasses on 
life and their perspectives are built upon their experiences 
that they have gone through or others that they have observed. 
And so I think an unfortunate step that we have taken here at 
this point is that we have had to wait, in essence, for some of 
these attacks to occur for folks to wake up and go through the 
experience and realize that this is now something that they 
before had either discounted or just had not gotten to yet that 
is now something to be added up to my priority list.
    And I think, as we continue to step closer and we make 
great progress as we go forward, we are going to see businesses 
and customers start taking security even more seriously than 
they have in the past.
    Senator Burns. It is very interesting, the field called 
biometrics, where users verify their identity through a pad 
that scans either fingerprints or a monitor that scans retinas, 
among other devices. Does biometrics have a role to play in 
increasing security on the Internet in coming years? What is 
the potential? Anybody can take a shot at that.
    Dr. Reddy. Mr. Chairman, biometrics has the same privacy 
problems. There is even a simpler solution than biometrics. 
Intel has designed into every chip an I.D. So when a packet is 
transmitted from a computer, you can add that I.D. But there 
was a big hue and cry about the privacy issues, and the whole 
thing stopped dead. Anybody that tries to put biometrics or 
anything else which involves identification of the individual, 
as opposed to just the machine that perpetrated the thing, will 
probably cause the same kinds of issues. So I do not know what 
the right answer is.
    Senator Burns. Mr. Misener.
    Mr. Misener. Mr. Chairman, I share the assessment that this 
would cause perhaps a hue and cry if discussed as a viable 
option, although I would recognize that biometrics and other 
forms of personal identification are important to protecting 
actual true security issues as opposed to sort of online e-
commerce issues.
    Senator Burns. Mr. Fuhrman, you can comment on this. But I 
was struck by the fact of what you said a while ago. I really 
had not thought of it in the context that they did not actually 
get into your shop, but they surrounded your shop, and 
prevented anybody else from your normal daily activities. And 
therein lies the problem, more than the security of gaining 
entry into your shop.
    Is that a correct assessment?
    Mr. Misener. That is correct. But recognize also, sir, that 
there were security breaches at other sites that allowed the 
hack attacks to occur. For example, at some universities there 
were security breaches, true intrusions of their systems, that 
allowed these distributed denial of service attacks to take 
place against other systems. And those systems were less well 
protected than others on the in terms of.
    Senator Burns. It was my understanding that it took several 
computers to do all this. And if this person that perpetrated 
this thing, if he had to buy all the computers, he probably 
would not do it. But he could enter other computers and tell 
them what to do.
    Dr. Reddy. Mr. Chairman, there is a problem here. There is 
also legal traffic that can demonstrate the same properties as 
a hacker attack. For example, when Victoria's Secret announced 
that they were going to have a Web site where they were showing 
their new fashions, everybody and his brother wanted to see it. 
And the same denial of service happened there. There is nothing 
illegal there. It just happened.
    It is like what happens when there is an earthquake in 
California: everybody calls in to make sure that their loved 
ones are safe. You cannot get through. So it is not just 
illegal, malicious attacks. Legal things can also cause this 
problem. That is why you need a self-monitoring, self-healing 
network, which says, sorry, there is a lot of traffic going, 
you cannot use it. There is a busy signal.
    So some people at least get through, as much as the traffic 
would permit, at Amazon.com. The rest of the people are not 
able to get through. Rather than everybody being stopped.
    Senator Burns. The other day I visited a facility that 
monitors telephone traffic. It tells them where they have a 
problem, they have a line outage. And it tells them that they 
are rerouting. And also during particular times of day their 
traffic is such that there is a potential that they have to add 
another line or to reroute the traffic or then protect what 911 
does and all of this. Are we saying that?
    Dr. Reddy. The same thing.
    Senator Burns. The same thing. We are going down the same 
line.
    Dr. Reddy. It is what is called a network management 
system. We need an Internet network management system. And what 
happens now is, as we heard from the previous panel, the 
Government is somehow going to protect each of their sites. But 
I can still disable people from getting through to your site. 
And what we need is to stop it at the source, not at the 
destination. And that requires a complete concept of knowing 
exactly the overall well-being of the entire network all the 
time. That is the kind of thing you saw in the telephone 
systems. We do not have that.
    Senator Burns. Do you envision an automatic thermostat, so 
to speak?
    Dr. Reddy. Yes, that is exactly it. The whole idea is to 
build a dependable network in which there is a continuous 
monitoring of the entire traffic from everybody, and knowing 
where the abnormal behavior is happening, and then shut them 
down at the source rather than letting them come all the way to 
the Government site and there trying to block them from getting 
in.
    Senator Burns. It offers interesting challenges. It really 
does. Any closing statements by any of you?
    [No response.]
    Senator Burns [continuing]. None at all. Well, we 
appreciate your coming here today and sharing this information. 
We will probably investigate this further.
    Dr. Reddy, I am very interested in what your testimony is 
here today, and I would hope that the rest of the Senators on 
this Committee read it. And I think that they will, because you 
offer several suggestions in there that I think we should take 
note of. And all of you who have offered suggestions, I 
appreciate that.
    Again, industry, the teamwork thing has to happen. Because 
I am not convinced right now that there has to be new laws or 
anything like that. I am saying that we as an industry have to 
come together. And it is like I said a while ago, in security, 
we were all raised that you do not fool around with somebody 
else's mailbox, but I do not see any warning out there like I 
saw on a mailbox or our folks got on us about that. I know 
those things have to be taken into account.
    Thank you very much. These hearings are closed.
    [Whereupon, at 11:20 a.m., the hearing was adjourned.]
                                APPENDIX

      Prepared Statement of Max Cleland, U.S. Senator from Georgia
    Good morning Mr. Chairman and distinguished guests. The tremendous 
advances being made in the computer and telecommunications industries 
are forever changing the way we do business in this country and abroad. 
This new digital age in which we are living has ushered in the ability 
to trade stock, shop for a car, buy air line tickets and to buy, sell 
and trade just about anything else using the Internet. Many of the 
firms that are engaging in this new way of doing business didn't exist 
a few years or even months ago. The growth of e-commerce has been so 
rapid that projections made about how much business will be conducted 
over the Internet were often outdated as soon as they are published. On 
March second of this year the Commerce Department released the first 
ever estimate of retail e-commerce sales or e-tail sales. Reported e-
tail sales over the Internet and other electronic networks have reached 
a historic $5.3 billion in the fourth quarter of 1999.
    While there are now new opportunities for the good people of our 
nation to gain greater productivity and have access to a wider 
selection of goods and services, there is an attendant menace to on-
line businesses which threatens to disrupt the way commerce is 
conducted over the Internet. This menace is HACKERs who are seeking to 
gain unauthorized access to systems for the purpose of destroying, 
corrupting, stealing or monitoring information vital to the operation 
of computer systems owned by others.
    These hackers have distinguishing screen names, or aliases, and are 
apparently very bright, intelligent people with deviant, malicious 
minds and a hankering for chaos. One suspected hacker is a 17 year-old 
New England boy who told investigators that he has been using computers 
since he was three and spends 16 hours a day on the Internet.
    All businesses must be protected from the hackers, but no where is 
it more important than the businesses and industries that are vital to 
the nation's health, wealth and security and make up our nation's 
critical infrastructure. These critical infrastructure businesses and 
industries are engaged in information and communications, banking and 
finance, basic utilities, aviation, mass transit, public health 
services, and oil and gas production and storage. On the Government 
side, the critical infrastructure consists of internal security, 
Federal law enforcement, foreign intelligence, foreign affairs and 
national defense. All of these activities must be protected from the 
destructive, corruptive, stealing or monitoring of information by 
unauthorized persons. Anyone attempting to hack into these systems must 
be stopped because their actions threaten our country's security.
    A GAO report released March second of this year provides commentary 
on the proposed Government Information Security Act and cites some very 
disturbing facts about the state of the Government's computer security:

        The Environmental Protection Agency has had invasions of its 
        systems that resulted in damage and disruption to that agency's 
        operations.
        The Department of Veterans Administration has been cited for 
        weaknesses in its computer systems that could compromise 
        sensitive medical and benefit payment information of our 
        nation's veterans.
        A test on the National Aeronautics and Space Administration's 
        systems reveled that their systems could have been penetrated 
        posing serious threats to orbiting spacecraft and the 
        scientific data received from these spacecrafts.
        The State Department's computers are also vulnerable to attack 
        and unauthorized access by hackers, terrorists or other 
        unauthorized individuals.

    It appears that from this listing that there is a pressing need to 
improve computer security planning and management and to make the cases 
like these just cited the exception, not the rule in the Government's 
systems.
    Fear, mistrust and the uncertainties created by hackers can slow 
the economic growth and prosperity that many public and private sector 
experts envision for the Internet. As the Government sets out to 
continue to protect our nation's critical infrastructure from domestic 
and foreign intruders and e-businesses set out to reduce the costs of 
theft and destruction of data and hardware by hackers, we must ensure 
that people seeking to do business over the Internet are safe from 
hackers, and that sufficient cooperation and coordination between the 
Government and private industry is encouraged. Most recently this 
cooperation resulted in a smooth transition to the year 2000. We can 
and must replicate these results in the area of computer security.
    I am very interested in hearing from the panel about your thoughts 
with regard to the scope and magnitude of the hacker problem and what 
your recommendations are for putting hackers out of business.

