[Senate Hearing 112-126]
[From the U.S. Government Publishing Office]



                                                        S. Hrg. 112-126
 
CYBER CRIME: UPDATING THE COMPUTER FRAUD AND ABUSE ACT TO PROTECT CYBER 
                   SPACE AND COMBAT EMERGING THREATS

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 7, 2011

                               __________

                          Serial No. J-112-38

                               __________

         Printed for the use of the Committee on the Judiciary




                  U.S. GOVERNMENT PRINTING OFFICE
70-751                    WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island     LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director


                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
    prepared statement

                               WITNESSES

Baker, James A., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC
Martinez, Pablo A., Deputy Special Agent in Charge, Criminal 
  Investigative Division, U.S. Secret Service, Washington, DC

                       SUBMISSIONS FOR THE RECORD

American Civil Liberties Union, Laura W. Murphy, Director, 
  Washington Legislative Office; Kelly William Cobb, Executive 
  Director, Americans for Tax Reform's Digital Liberty; Leslie 
  Harris, President and CEO, Center for Democracy & Technology; 
  Fred L. Smith, President, Competitive Enterprise Institute; 
  Marcia Hofman, Senior Staff Attorney, Electronic Frontier 
  Foundation; Charles H. Kennedy, partner, Wilkinson, Barker, 
  Knauer, LLP; Wayne T. Brough, Chief Economist and Vice 
  President, Research FreedomWorks Foundation; Orin S. Kerr, 
  Professor of Law, George Washington University; Paul 
  Rosenzweig, Visiting Fellow, The Heritage Foundation; Berin 
  Szoka, President, TechFreedom, August 3, 2011, joint letter
Baker, James A., Associate Deputy Attorney General, U.S. 
  Department of Justice, Washington, DC
Martinez, Pablo A., Deputy Special Agent in Charge, Criminal 
  Investigative Division, U.S. Secret Service, Washington, DC
Nojeim, Gregory T., Director, Project on Freedom, Security & 
  Technology, on Behalf of Center for Democracy & Technology, 
  Washington, DC, statement
Stewart, Julie, President, Families Against Mandatory Minimums 
  (FAMM), Washington, DC, statement
Wall Street Journal, September 7, 2011, article


CYBER CRIME: UPDATING THE COMPUTER FRAUD AND ABUSE ACT TO PROTECT CYBER 
                   SPACE AND COMBAT EMERGING THREATS

                              ----------                              


                      WEDNESDAY, SEPTEMBER 7, 2011

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10:09 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Patrick J. 
Leahy, Chairman of the Committee, presiding.
    Present: Senators Leahy, Whitehouse, Klobuchar, Franken, 
Coons, Blumenthal, and Grassley.

OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM 
                      THE STATE OF VERMONT

    Chairman Leahy. Good morning. Today the Committee is 
holding an important hearing on cyber crime. Protecting 
American consumers and businesses from cyber crime and other 
threats in cyber space has been a priority of this Committee 
for many years--I might say a bipartisan priority--and we 
continue that tradition today. Before we start, I want to thank 
Senator Grassley who has worked closely with me on this hearing 
in a bipartisan way. I think cyber crime impacts all of us, 
regardless of political party or ideology, so I look forward to 
our continued partnership, Chuck, in this Congress and as we 
continue.
    Developing a comprehensive strategy for cyber security is 
one of the most pressing challenges facing our Nation today. I 
think of the days not many years ago when you worried about 
somebody going into a bank and robbing a bank and maybe getting 
$20,000--they were usually caught--or looting a warehouse. Now 
it is a lot different. A study released today by Symantec 
Corporation estimates the cost of cyber crime globally is $114 
billion a year. In just the last few months, we have witnessed 
major data breaches at Sony, Epsilon, RSA, the International 
Monetary Fund, and Lockheed Martin--just to name a few. It is 
not the masked person with the gun walking into a bank. It is 
somebody maybe sitting thousands of miles, even another country 
away and committing the crime.
    Our Government computer networks have not been spared. We 
saw the hacking incidents involving the United States Senate, 
and also the Central Intelligence Agency websites. We cannot 
ignore these threats. We cannot ignore the impact on our 
privacy and security. That is why the Committee will carefully 
examine the Obama administration's proposals for new legal 
tools to help law enforcement investigate and prosecute cyber 
crime today.
    I do want to thank and commend the dedicated men and women 
at the Departments of Justice and Homeland Security, and 
elsewhere across our Government, who are on the frontlines of 
the battle against cyber crime. Every day they are successfully 
investigating and disrupting the growing threats to our cyber 
security.
    In July, the FBI announced that it had arrested more than a 
dozen individuals associated with a group of computer hackers 
called, obviously, ``Anonymous'' after the group launched a 
series of cyber attacks on Government and private networks, 
according to the charges made. The Secret Service recently 
announced a successful cyber crime investigation that led to 
the Federal indictment of an individual alleged to have hacked 
into the computer system at the Massachusetts Institute of 
Technology, MIT, resulting in the theft of more than 4 million 
scientific and academic articles. These are just two examples 
of the many accomplishments of our law enforcement community in 
this area.
    But with every new victory, we are challenged by even 
greater threats and even more cunning cyber thieves. A recent 
report by the computer security firm Symantec found that on any 
given day, an average of 6,797 websites harbor malware, or 
other unwanted programs. That is an increase of slightly over 
25 percent since June 2011. I am pleased that representatives 
from the Department of Justice and the Secret Service are here 
to share their views on this, and later this week the Committee 
will consider these proposals and other privacy measures in my 
comprehensive data privacy and security legislation. I hope 
that the Committee will promptly report this legislation on a 
bipartisan basis, as it has done three times before.
    We are talking about the security of our Nation and our 
people in cyber space, so we have to work together. Again, this 
is not a Democratic or Republican issue. This is something that 
should unite us all. It is a national issue that we have to 
address, so I am hoping that all Members of Congress will join 
in that.
    Again, I thank the distinguished Senator from Iowa for his 
help, and I yield to him.

STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM THE STATE 
                            OF IOWA

    Senator Grassley. Before I go to my statement, there are a 
couple things I would say.
    I think the fact that Majority Leader Harry Reid had a 
meeting several months ago on various committees that were 
involved in this--and you and I were involved in that--plus the 
fact that in our party Senator McConnell has had hearings, I 
think that highlights the bipartisanship as well as the 
national security reasons for these pieces of legislation.
    Also, the second thing I would say is that I think you have 
correctly stated that you and I are very, very close on this 
legislation, and I can say from the standpoint of this 
Committee's work, very close with the administration's 
legislation. I may have some ideas that vary a little bit, and 
I will refer to a couple of those in my remarks.
    I thank you very much for today's hearing. Given the growth 
of the Internet and our society's increased dependence on 
computer systems, this is a very important topic. Cyber 
criminals are no longer confined by the borders of their 
community, their State, or even their country. Cyber space has 
allowed criminals to steal money, steal personal identities, 
and commit espionage without even leaving their home. Cyber 
criminals are now using the Internet to conspire with other 
cyber criminals. They collaborate to install malicious 
software, commit network intrusions, and effect account 
takeovers.
    Cyber criminals also target the point-of-sale computers at 
restaurants and retailers in order to steal millions of credit 
card numbers, as they did at companies such as TJX, BJ's 
Wholesale Club, Office Max, Boston Market, Sports Authority, 
and I suppose many others.
    Moreover, there are online criminal forums that traffic in 
stolen credit card numbers, such as the notorious CarderPlanet 
forum that traffic in stolen credit card numbers. Cyber 
criminals also continue to engage in phishing attacks, denial-
of-service attacks, and web application attacks.
    Cyber criminals are smart, and they learn from their 
mistakes. They learn from evaluating other cyber attacks, and 
they learn from successful prosecution of their peers. Cyber 
criminals design relentless new computer viruses and malware as 
they attempt to stay one step ahead of the anti-virus 
programs.
    All of these attacks are serious and dangerous to our 
Nation. However, I fear that the threats we have not heard 
about or even thought about are likely to be even more 
dangerous and devastating. So we must take these cyber attacks 
seriously and ensure that our critical system infrastructure is 
well protected from cyber criminals.
    Accordingly, the Federal Government must take every single 
breach of a computer system or potential vulnerability 
seriously. For example, I have asked the Department of Defense 
Inspector General to properly investigate serious allegations 
that Department of Defense employees purchased child 
pornography online and were never adequately investigated by 
the Defense Criminal Investigative Service. These allegations 
include DOD employees possibly purchasing child pornography 
from their own work computers. I remain deeply concerned that 
DOD employees who purchased child pornography continue to work 
in key positions and retain high-level security clearances, 
putting the Federal Government and our military computer 
systems at risk for intrusion. I want to know what the Defense 
Department is doing to stop this sort of behavior, whether 
these individuals will be brought to justice, and whether 
Government systems could be compromised because of criminal 
behavior.
    Aside from this example, I generally support the efforts 
that the administration is undertaking to work toward a 
bipartisan solution on cyber security. However, I have some 
concerns with part of the administration's proposal. I also 
have reservations about how these sweeping policies will be 
implemented and how much they add to an already large 
Government bureaucracy.
    On top of these concerns, I also question the wisdom of the 
administration in some of the personnel appointments that they 
have made to critical positions. Example: The administration 
recently hired an individual at U.S. Cyber Command, an agency 
charged with securing our military capability network. I am 
concerned that the Obama administration seemingly failed to 
conduct an adequate background investigation of the 
individual's qualifications. If they had, I am confident they 
would have easily seen that she played a role in the Clinton 
administration's alleged loss of subpoenaed e-mail during the 
investigation of the 1996 Presidential campaign or that she 
allegedly paid a diploma mill thousands of dollars for a 
bachelor's, master's, and doctorate degree in computer science. 
Ensuring that our Nation's most sensitive networks are safe 
from international cyber espionage should not be assigned to 
someone who obtained their degrees from a diploma mill.
    These types of personnel decisions weaken our ability to 
protect our Nation from cyber attack, essentially putting us at 
risk. Further, they raise questions about whether the 
administration is truly serious about protecting our Nation's 
critical infrastructure and military computer systems.
    External threats continue to target our infrastructure, 
whether that is the financial services industry or retail. 
According to a recent data breach study conducted by the U.S. 
Secret Service and Verizon, 92 percent of the breaches were 
from ``external agents.'' I appreciate that the Secret Service 
continues to aggressively combat worldwide financial and 
computer cyber crimes. In 2010, the Secret Service arrested 
more than 1,200 suspects for cyber crime violations involving 
over $500 million in actual fraud and prevented another $7 
billion in potential loss. I plan to ask the Secret Service and 
the Department of Justice witnesses how we can improve our 
protection of cyber space. I am eager to understand how they 
are proactively engaging in emerging threats of cyber 
criminals, and I also want to know more about why they feel 
they need new criminal laws, new bureaucracies, and thousands 
of pages of regulations that could hamper virtually all 
businesses, large and small, across the country.
    Thank you, Mr. Chairman.
    Chairman Leahy. Thank you very much.
    Our first witness is James Baker. He is an Associate Deputy 
Attorney General at the U.S. Department of Justice. I know he 
was planning to be here once before for this hearing, and we 
had to cancel, and everybody's schedule changed. I told him 
earlier this morning that I am glad he is here, and the same 
with you, Mr. Martinez. He has worked extensively on all 
aspects of national security policy and investigations. As an 
official at the U.S. Department of Justice for nearly two 
decades, he has provided the United States intelligence 
community with legal and policy advice for many years. In 2006, 
he received the George H.W. Bush Award for Excellence in 
Counterterrorism. I would note that that is the CIA's highest 
award for counterterrorism achievement. He also taught at 
Harvard Law School and served as a resident fellow at Harvard 
University's Institute of Politics.
    Mr. Baker, as always, it is good to have you here. Please 
go ahead, sir.

STATEMENT OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL, 
           U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC

    Mr. Baker. Thank you, Senator. Chairman Leahy, Ranking 
Member Grassley, and members of the Committee, thank you for 
the opportunity to testify today on behalf of the Department of 
Justice regarding the administration's cyber legislation 
proposal.
    This Committee knows well that the United States confronts 
serious and complex cyber security threats. The critical 
infrastructure of our Nation is vulnerable to cyber intrusions 
that could damage vital national resources and potentially put 
lives at risk. Intruders have also stolen confidential 
information and intellectual property. At the Department of 
Justice we see cyber crime on the rise with criminal syndicates 
operating with increasing sophistication to steal from innocent 
Americans. Even more alarming, these intrusions might be 
creating future access points through which criminal actors and 
others can compromise critical systems during times of crisis 
or for other nefarious purposes.
    That is why the administration has developed what we 
believe is a pragmatic and focused legislative proposal for 
Congress to consider as it moves forward on cyber security 
legislation. We think that the proposal will make important 
contributions toward improving cyber security in a number of 
respects. Today I would like to take a moment to highlight the 
parts of the administration's proposal aimed at improving the 
tools that we have to fight computer crimes.
    The administration's proposal includes a handful of changes 
to criminal laws aimed at better ensuring that computer crimes 
and cyber intrusions can be investigated and punished to the 
same extent as other similar criminal activity. Of particular 
note, the administration's proposal would clearly make it 
unlawful to damage or shut down a computer system that manages 
or controls a critical infrastructure, such as electricity 
distribution or the water supply.
    This narrow, focused approach is intended to provide 
deterrence to this class of very serious, potentially life-
threatening crimes. Moreover, because cyber crime has become 
big business for organized crime groups, the administration 
proposal would make it clear that the Racketeering Influenced 
and Corrupt Organizations Act, or RICO, applies to computer 
crimes. Also, the proposal would harmonize the sentences and 
penalties in the Computer Fraud and Abuse Act, or CFAA, with 
other similar laws.
    For example, acts of wire fraud in the United States carry 
a maximum penalty of 20 years in prison, but violations of the 
CFAA involving very similar conduct carry a maximum of only 5 
years. Such disparities make no sense.
    In addition, the administration proposal would expand the 
scope of the CFAA's offense for trafficking in passwords to 
cover not only passwords but other methods of confirming a 
user's identity, such as biometric data, single-use passcodes, 
or smart cards used to access an account. Such language should 
also cover log-in credentials used to access any protected 
computer, not just Government systems or computers at financial 
institutions. The means to access computers at hospitals, 
nuclear power plants, and air traffic control towers are no 
less worthy of protection. This proposal will help equip law 
enforcement to fight a key area of cyber crime: The theft of 
passwords and means of access for the purpose of committing 
additional crimes.
    The administration also proposes several amendments to the 
CFAA related to forfeiture, including adding a civil forfeiture 
provision. The lack of a civil forfeiture authority in the CFAA 
currently forces Federal prosecutors to use criminal forfeiture 
authorities in instances where civil forfeiture would be more 
appropriate or efficient. Our proposed civil forfeiture 
provision is consistent with similar provisions in Federal law 
that have existed for many decades.
    Finally, some have argued that the definition of ``exceeds 
authorized access'' in the CFAA should be restricted to 
disallow prosecutions based upon a violation of contractual 
agreements with an employer or a service provider. We 
appreciate this view, but we are concerned that restricting the 
statute in this way would make it difficult or impossible to 
deter and address serious insider threats through prosecution. 
My written statement goes into this issue in more depth.
    I would note that we have been working with Chairman Leahy, 
Ranking Member Grassley, and their staffs on a common solution 
to address this issue.
    Mr. Chairman and members of the Committee, this is an 
important topic, as you all know. The country is at risk, and 
there is much work to be done to better protect critical 
infrastructure and improve our ability to stop computer crime. 
I look forward to answering your questions today, and I would 
ask that my full written statement be made part of the record 
of the hearing.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Baker appears as a 
submission for the record.]
    Chairman Leahy. Thank you, and your full statement will be 
part of the record. I appreciate the statement.
    Next we will hear from Mr. Martinez. He serves as Deputy 
Special Agent in Charge of Cyber Operations for the Criminal 
Investigative Division of the United States Secret Service. In 
nearly two decades at the Secret Service, he oversaw the 
agency's first major cyber operation, Operation Firewall, in 
which over 30 online criminals from across the globe were 
apprehended. Incidentally, very impressive. He is currently 
responsible for the oversight of all cyber training and 
criminal intelligence operations conducted by the Criminal 
Investigative Division. Prior to that assignment, he supervised 
the New York Electronic Crimes Task Force, oversaw multiple 
transnational cyber fraud cases, again, pointing out that none 
of these things happen just in the locality where you are. He 
is a 1990 graduate of the Virginia Military Institute, where he 
received a Bachelor of Arts in economics, then a commission in 
the U.S. Army Reserves.
    Please go ahead.

STATEMENT OF PABLO A. MARTINEZ, DEPUTY SPECIAL AGENT IN CHARGE, 
     CRIMINAL INVESTIGATIVE DIVISION, U.S. SECRET SERVICE, 
                         WASHINGTON, DC

    Mr. Martinez. Good morning, Chairman Leahy, Ranking Member 
Grassley, and distinguished members of the Committee. Thank you 
for the opportunity to participate in this morning's hearing.
    One of the significant challenges in producing an analysis 
of the cyber criminal underground lies in the diversity of the 
online criminal community. For example, criminals may choose to 
cluster around a particular set of Internet relay chat 
channels, Internet-based chat rooms, or web-based forums. In 
some instances, a group of online criminals may come from a 
particular geographic area and may know each other in real 
life. In other instances, a group may be dispersed across the 
globe and know one another only through their online 
interaction.
    Many venues are populated by those whose capabilities are 
unsophisticated; however, other more exclusive groups are 
comprised of members who have a decade or more of experience 
and extensive contacts in diverse criminal worlds. This 
diversity is reflected in the group's interests and aims. One 
group may see the researching of vulnerabilities and 
development of new exploits as a technical challenge 
fundamentally related to the basics of computer security. 
Another group may have little or no interest in underlying 
technological issues but will happily use exploits developed by 
others in order to intrude into third-party computer systems 
and harvest data of commercial value. Still other online 
criminal communities show even less interest in coding and 
exploits but use the Internet as an operating base, taking 
advantage of the anonymity and instantaneous communication the 
Internet affords them.
    Two of the hallmarks that distinguish effective online 
criminal groups are organizational structure and access to a 
well-developed criminal infrastructure. One striking 
manifestation of these trends in online criminality is found in 
the web-based online forums that first began to emerge 
approximately a decade ago. In the early days, these online 
forums were established by hacking groups or by groups of 
carders, criminals who traffic in or exploit stolen financial 
data. Many of these forums have a strong representation of 
members from Eastern Europe. Although membership often spans 
the globe and includes members from multiple continents, by 
utilizing the built-in capabilities of the forum software, the 
people behind the organization are able to set up a system of 
foreign administrators and moderators who form the core of the 
organization and who maintain order at the site.
    Some of these online forums developed into marketplaces for 
criminal goods and services. By 2004, forums such as 
DumpsMarket, CarderPortal, Shadowcrew, and CarderPlanet were 
already well-developed criminal marketplaces overseen by an 
experienced group of administrators who were often established 
criminals. In reality, these sites serve as a business platform 
for a fusion of criminal communities, each of which provides 
its own contribution to the development of the organization's 
capabilities by making a greater variety of reliable criminal 
services available to all members.
    Some of the major classes of participants in these forums 
include the following broad categories: Carders, hackers, 
spammers, malware developers, and specialized hardware 
developers, to name just a few.
    As evident from the array of criminal service providers I 
have just listed, the development of diverse online criminal 
organizations has greatly enhanced the criminal infrastructure 
available to pursue large-scale criminal activity. The far-
reaching availability of a reliable criminal infrastructure in 
combination with other developments on the Internet presents a 
global challenge to law enforcement, which has found itself 
forced to adapt in order to apprehend and prosecute online 
criminals.
    The administration is aware that in order to fully protect 
American citizens from cyber threats, certain sections of our 
current cyber security laws must be updated. This past spring, 
the administration released its proposal to address the cyber 
security needs of our country. The legislative package proposed 
by the administration addresses key improvements for law 
enforcement. Secret Service investigations have shown that 
complex and sophisticated electronic crimes are perpetrated by 
online criminals who organize in networks, often with defined 
roles in order to manage and perpetuate ongoing criminal 
enterprises dedicated to stealing commercial data and selling 
it for profit. The administration's proposal will better equip 
law enforcement agencies with additional tools to combat 
transnational cyber crime by enhancing penalties against 
criminals that attack critical infrastructure and by adding 
computer fraud as a predicate offense under the Racketeering 
Influenced Corrupt Organizations Act.
    Chairman Leahy, Ranking Member Grassley, and distinguished 
members of the Committee, the Secret Service is committed to 
our mission of safeguarding the Nation's financial 
infrastructure and will continue to aggressively investigate 
cyber and computer-related crimes to protect American consumers 
and institutions from harm. This concludes my prepared 
statement. Thank you again for this opportunity to testify on 
behalf of the Secret Service.
    [The prepared statement of Mr. Martinez appears as a 
submission for the record.]
    Chairman Leahy. Well, thank you. And I assume you have no 
doubt in your mind these attacks are going to continue, no 
matter how many you have been able to stop in the past. Is that 
correct?
    Mr. Martinez. Yes.
    Chairman Leahy. Mr. Baker, like most Americans, I am 
concerned about the growing threat of cyber crime. If you have 
a business, you worry about that. If you are just an average 
citizen, you worry about somebody stealing your identity. I 
understand the FBI National White Collar Crime Center's 
Internet Crime Complaint Center received more than 300,000 
complaints about cyber crime last year. That is an astounding 
number.
    You discussed in your testimony the need to keep the 
Computer Fraud and Abuse Act up to date. How would the 
administration's proposals to update the Computer Fraud and 
Abuse Act ensure that the statute keeps up with the changes in 
technology?
    Mr. Baker. Well, in particular, on the question of keeping 
up with changes in technology, I would focus on the provision 
regarding trafficking in passwords and other identifying 
information. Right now we think the language is broad enough to 
enable us to do what we need to do, but we think that expanding 
it to include other means of access to computers will clarify 
in the future, as hopefully security systems advance and other 
new technologies are developed to protect access, that this 
would be an easy way to make sure that we can actually get at 
defendants who we are able to bring to court and not have them 
escape on some technicality because a court thinks that the 
definition is not precise enough with respect to this new type 
of technology. So that is one example, Senator.
    Chairman Leahy. Well, I can imagine decades ago any 
predecessor of mine being in here talking about `how do we get 
these bank robbers; how do we get these train robbers'. That is 
pretty simple. I have to assume that no matter how good a 
defense any one of the major companies have somebody is 
constantly trying to figure out a way to get around it. Is that 
not true?
    Mr. Baker. Yes, they are under constant assault. Yes, that 
is why I think you have the large number that you cited.
    Chairman Leahy. Now, one criticism of the Computer Fraud 
and Abuse Act is that the statute has been--this leads from 
your answer, it is interpreted so broadly that it could treat 
relatively innocuous behavior, violating terms of a service 
agreement, for example, as a Federal criminal offense.
    What kind of assurances do we have if we pass this statute 
that either this administration or a future administration 
might abuse the authorities under the law?
    Mr. Baker. Well, certainly one thing is that we are 
accountable to this Committee and to the Congress in terms of 
how we enforce the Act, and we have to come up here and explain 
what it is that we have been doing. I think that if you look at 
our whole record with respect to how we have enforced the Act 
over time, I think we have done it in a responsible way.
    I think we would be happy to work with the Committee under 
your leadership to try to find a way to address those concerns. 
There are perhaps a variety of different things, increased 
reporting requirements, for example, that might be effective, 
but we are certainly willing to work with you to make sure that 
this Committee believes that you have the right information to 
enable you to assess how it is that we are enforcing the Act.
    Chairman Leahy. You know what I am saying. In the normal 
criminal code, you could have some kid who takes a car 
joyriding and leaves it. You can charge him with some minor 
offense, or you can charge him with grand larceny. And most 
prosecutors would not charge him with grand larceny--we want 
you to concentrate on the real cyber crimes and not the minor 
things.
    Mr. Baker. Of course, we agree with that. We have limited 
resources. As you expressed, the threat is large, and we have 
resources but they are limited in terms of the number of people 
we are trying to----
    Chairman Leahy. Let us talk about that. How many 
investigators and prosecutors are there at the Department of 
Justice investigating and prosecuting cyber crime?
    Mr. Baker. In terms of prosecutors dedicated to cyber 
intrusions, if you will, there are approximately 230. Now, if 
you expand that to include other types of fraud, child 
exploitation-type crimes, it is going to be a larger number 
than that. I do not have that exact figure.
    Chairman Leahy. What about investigators?
    Mr. Baker. In terms of that, the difficulty is that the 
exact number of investigators that the FBI has in particular 
dedicated to this, because of the national security aspect of 
it, is classified. We would be happy to share that information 
with you in a different setting.
    Chairman Leahy. Perhaps in a different setting, if you 
could let both Senator Grassley and myself know.
    Mr. Baker. Absolutely.
    Chairman Leahy. Thank you. And do you have sufficient 
resources?
    Mr. Baker. I think we can always use more resources. We, 
the administration, put forward a proposal for fiscal year 2011 
that included a request for some, I think, 160, approximately, 
additional personnel and some $45 million to go along with it. 
And the key is, I think, we want to make sure that we have the 
right resources. This is not something you just throw bodies at 
and solve it. You need to have trained people. You need to 
develop them over a period of time. So what we need to do is 
have sort of a long-term goal and objective in terms of 
bringing people in, training them, and then having them be able 
to work on these issues.
    Chairman Leahy. Well, the same question to you, Mr. 
Martinez. How many people do you have dedicated to this? And do 
you have adequate resources?
    Mr. Martinez. Chairman Leahy, we have put over 1,400 of our 
special agents through some type of computer training. We take 
cyber crime as a serious offense. We have been doing this for a 
while, so much so that part of the training that we now provide 
all of our special agents when they become agents is a specific 
2- to 3-week block of cyber training. So it has now become part 
of our basic training for every special agent that goes through 
the academy.
    In addition to that, with the assistance of the Committee, 
we now have 31 Electronic Crime Task Forces throughout the 
country, 29 of them domestically and 2 overseas. And what we 
have done with that, in addition to the special agents that we 
have that have cyber training, we have also partnered with our 
State and local law enforcement officers throughout these task 
forces and provided them with this training. We do that 
training through the National Computer Forensic Institute down 
in Hoover, Alabama, where we only train State and local law 
enforcement on computer forensics, network intrusion, and in 
basic skills of computers.
    Those individuals, when they leave the NCFI, are then 
either members of our Electronic Crime Task Forces throughout 
the country or are providing assistance and support to State 
and local municipalities throughout the country. We are proud 
to say that we have had State and local law enforcement from 
all 50 States of the Union and 2 of its territories. And in 
addition to having the State and locals train there, we also 
train State judges and State prosecutors because we feel as 
important as it is to train our investigators, it is that 
important to also train prosecutors and judges so that these 
cases get prosecuted and so that judges know how to prosecute 
these cases.
    The other thing we have taken with the Electronic Crime 
Task Force model is that we have partnered with academic 
institutions, because a good amount of the research and 
development that goes on in this country is done by 
universities. So for the last 12 years, we have been at 
Carnegie Mellon University and have been a member of the 
Software Engineering Institute where we work with Carnegie 
Mellon NCI, which is a federally funded research and 
development center, to develop software and hardware that helps 
our investigators.
    In addition to that facility, we have also partnered with 
the University of Tulsa where we have a cell phone/PDA forensic 
facility to also boost the capabilities of our agents and our 
State and local partners.
    Chairman Leahy. Thank you very much. I know my little State 
of Vermont has had people down there, so I appreciate that.
    Senator Grassley.
    Senator Grassley. I want to zero in on cyber attacks on our 
infrastructure, like power grids, traffic control. These 
things, where they can be interfered with, control most of our 
important day-to-day operations. As such, our criminal laws 
should reflect the need to protect critical infrastructure by 
sending a signal to would-be criminals that these attacks, 
including even attempted attacks, will not be tolerated. That 
means not only criminalizing the conduct but including tough 
sentences that Federal judges cannot play games with. So, Mr. 
Baker, I would like to ask you questions along this line.
    The administration's cyber security proposal includes a new 
crime for aggravated damage to a critical infrastructure 
computer. This proposal includes a 3-year mandatory minimum 
prison sentence for those who knowingly cause or attempt to 
cause damage to a critical infrastructure computer. Why did the 
administration include this mandatory minimum for this crime 
but not other crimes?
    Mr. Baker. Because we understand the concerns that some 
Members of Congress have with respect to the use of mandatory 
minimums, we believe that it was appropriate in this 
circumstance, given, as you just recited, that it is involving 
damage to critical infrastructure systems that result in the 
substantial impairment of the system, so we thought that under 
those circumstances, given the gravity of the offense, that a 
mandatory minimum of 3 years was appropriate in this 
circumstance, and we thought it was a judicious use of the 
mandatory minimum concept, which is why we attached it to this 
particular offense.
    Senator Grassley. We are scheduled to mark up a Senate bill 
that does not currently include a crime for aggravated damages 
to a critical infrastructure computer. It is my understanding 
that may be added at markup. However, I understand it may not 
include a mandatory minimum. Would the Department support 
including a mandatory minimum, as the President's proposal 
does, as part of the Committee process?
    Mr. Baker. The administration's proposal is to include a 
mandatory minimum. Obviously, we want to work with Congress in 
this area. We understand the concerns, and so we are happy to 
work with the Committee. But we do think that this prohibition, 
this new criminal offense, is something that we do need to 
address and try to include.
    Senator Grassley. Okay. This would be for Mr. Martinez. As 
I stated in my opening remarks, I believe that we must take 
cyber attacks seriously and ensure that our critical systems' 
infrastructure is well protected from cyber criminals. However, 
I am concerned that we provide too broad of a definition for 
things like ``sensitive personal identifiable information,'' 
that we may desensitize that information and create complacency 
within the public. Individuals that constantly receive data 
breach notifications from their banks will begin to maybe 
ignore them. A broad definition of ``sensitive personal 
identifiable information'' could also overburden businesses by 
requiring them to make unnecessary notification for what 
amounts to public information that is easily obtainable through 
Internet searches.
    So how does the Secret Service define ``sensitive 
personally identifiable information''?
    Mr. Martinez. Senator Grassley, we identify it the same way 
that it is laid out in the administration's bill and also as it 
appears on the 1028(d)(7). I think what we also need to take 
into account is when we look at what constitutes a data breach, 
it includes the information you are referring to, but it also 
includes Section (b) which states, ``which present a 
significant risk of harm or fraud to any individual.'' So that 
is taken into account along with the definition of ``personally 
sensitive identifiable information'' in order to make 
notification.
    The other way I think we address it also is through 
triggers. I think there are triggers in the bill that define 
when notification needs to be made and when it does not.
    In reference to the broad definition of ``personally 
sensitive identifiable information,'' I will tell you that 
there are individuals in the online criminal community that can 
take that general information and put it together with 
additional information that they have already compromised to 
give you a better idea as to the information involving your 
victim target. So, for example, I could take the first initial 
and last name of an individual, his home address, and provide 
it to one of these online criminal data brokers and say, ``Can 
you run a credit report on an individual at this address with 
this first initial and last name''? So that combined 
information can then really cause harm to the victim.
    Senator Grassley. Well, if banks send their customers 
breach notification that involves nothing more than their name, 
address, or their mother's maiden name, do you agree that this 
broad definition of ``sensitive personally identifiable 
information'' could potentially desensitize the public 
perception and maybe create a ``boy who cried wolf'' situation?
    Mr. Martinez. There is a possibility that something like 
that could happen, and that is why, again, I go back to the 
administration's proposal that talks about significant risk of 
harm or fraud. I think the organization, the company, needs to 
take that into account, you know, before we start desensitizing 
these intrusions by sending too many of these notices.
    Senator Grassley. Well, if you would support narrowing the 
definition of that term to cover information that leads to a 
significant risk of identity theft, how would you narrow the 
definition?
    Mr. Martinez. I believe in the definition or in that area, 
as it is submitted as part of the administration's proposal, it 
talks about combining the PSII information with the second part 
of it, which is, ``which presents a significant risk of harm or 
fraud to that individual.'' I would add that section to the 
bill as it is laid out in the administration's proposal.
    Senator Grassley. And, last, if Congress were to give 
rulemaking authority to modify the definition in the future, 
what agency or combination of agencies would you suggest be 
given that authority?
    Mr. Martinez. I believe the FTC and I think also in 
consultation with the Department of Justice, because the 
Department of Justice is responsible for prosecuting these 
cases, so I definitely think that the FTC has the expertise in 
this area, and I think consultation with the Department of 
Justice would also be good.
    Senator Grassley. Thank you, Mr. Chairman.
    Chairman Leahy. Well, thank you. And, incidentally, Mr. 
Baker, I think the House of Representatives would find it very 
difficult to accept the mandatory minimum, and certainly I do 
not intend to include it in the bill that I will put forward. 
Just in passing, I want strong penalties, but the mandatory 
minimum is something that I worry can be abused.
    Senator Coons.
    Senator Coons. Thank you, Mr. Chairman.
    I want to start by thanking the Chairman and the Ranking 
Minority for convening this hearing. I think we have heard from 
the Chairman, from the President, and from many leaders in the 
private sector and public sector that this is one of the most 
grave threats facing our Nation, that the number and complexity 
of cyber crimes continues to grow year after year and the cost 
and the impact on victims large and small continues to grow. So 
I am glad we are continuing to press on this. I hope that the 
Senate will, indeed, take the opportunity to move in a 
bipartisan and responsible way to reconsider the CFAA, to amend 
it in ways that deal with overbreadth or lack of clarity but 
to, frankly, also strengthen the tools available to law 
enforcement.
    I want to focus on just a few simple points, if I could. 
One is about training and the skill set that is available, both 
in the Department of Justice and in the Secret Service. Mr. 
Martinez, Special Agent Martinez, I was struck in your written 
report about the scope of training available, the 1,400 agents 
having gone through ECSAP training, the 31 ECTFs you referred 
to, the institute in Alabama that I know Delaware law 
enforcement has benefited from as well as many other States, I 
think all States. But I am concerned about the depth of 
training and the breadth of it.
    There was an Inspector General report from the Department 
of Justice just in April of this year that suggested that the 
National Cyber Investigative Joint Task Force, actually a third 
of the agents engaged lacked the necessary expertise in 
networking and counterintelligence to be able to effectively 
participate in intrusion cases, and that many of the field 
offices also lacked the forensic and analytical capability. I 
am clear that training is expensive, that we have lots of other 
things on our needs list for the country, but this is not a 
want that strikes me as a critical need. I would be interested 
in comments from both of you, if I might, about what more we 
can and should be doing to strengthen the training, the depth 
and breadth of training by law enforcement.
    And then as a follow-on to that, if I might, Special Agent 
Martinez, you have, I think, a reserve commission. In Delaware 
we have a National Guard unit that takes advantage of a lot of 
the private sector strength and skills in our financial 
services community to also bring them into training and make 
them available as a resource. I wondered if both of you might 
comment on the possibilities or the risks of engaging the 
National Guard and the Reserve as a way to get some of the most 
skilled private sector folks also engaged in some of the 
national security-relevant pieces of ongoing forensic and 
network defense and investigations. If you might, please, 
first.
    Mr. Martinez. Thank you, Senator. Yes, it is an expensive 
undertaking to get these folks trained, and that is why we have 
tried to force multiply, working with our partners. Cyber crime 
is not something that can be solved by any one organization. We 
all have to work in a collaborative way to do that. And we 
think we are--that is what we have been trying to do with our 
task forces, and not only partnering with State and local law 
enforcement and other Federal partners, but also bringing the 
private sector in.
    There is a section of the administration's proposal which 
actually talks about having folks from the private sector come 
in to assist Government and so forth. So there is probably some 
mechanism that is already been used in other parts of the 
Government that can be used to help here.
    One of the other issues that we see from cyber crime is 
that we have a lot of involvement from Eurasian cyber criminal 
organizations or some of the most robust organizations. In 
speaking about the National Guard, there is potentially 
something we should probably look into that is similar to some 
of the activities that other Department of Justice 
organizations, law enforcement organizations have done in the 
past with the assistance of some National Guard entities in 
other parts of the country, and specifically in the area of 
linguistic capabilities. You know, that is one of our biggest 
challenges, is the fact that a lot of these criminals are 
Eastern European and speak Russian or a Russian dialect. There 
is probably a way to get that same model that we set up in 
narcotics enforcement for language translations and have that 
sort of supplement what we do in cyber crime because these 
individuals primarily communicate through some type of online 
method, whether it is instant message, e-mail, or peer-to-peer, 
and so there probably would be a good venue to get that type of 
linguistic capability up to speed and utilize it in furtherance 
of cyber crime investigations.
    Senator Coons. Thank you. I would be happy to work with 
you, if I can, in furthering that. And if you might, Associate 
Deputy Attorney General Baker, please.
    Mr. Baker. Sure, just a couple quick comments to amplify on 
that.
    I think with respect to the use of the National Guard, I 
agree. We need to use all of our available resources. The key 
there is to make sure we understand what hat they are wearing 
when they are engaged in that role and to make sure that what 
they are doing is consistent with the law and executive branch 
policy, and then to make sure that we have appropriate privacy 
protections in place and appropriate oversight to make sure 
when any element of DOD, assuming they are acting in that 
capacity and in that way, is engaged in these kinds of 
activities. But I agree with your general point that we need to 
make sure that we have the resources--that we use all the 
resources that are available, especially if these people are 
coming with particular skill sets that they have developed in 
the private sector. That is absolutely critical.
    Just real quickly on the IG report with respect to the FBI, 
I would just note that the FBI, it was my understanding, 
accepted all the recommendations from the IG, so they 
understand it. They place a huge amount of importance on this, 
and they get it as well.
    Senator Coons. Great. Thank you. As we try to move 
responsibly to strengthen law enforcement's toolkit, I also 
want to make sure that we are striking the right balance, as 
you mentioned, between privacy and continuing to be certain 
that there are robust divisions between DOD authority and 
domestic law enforcement, and that we are respecting the rights 
of Americans and protecting individual liberties.
    Thank you for your answers.
    Senator Whitehouse [presiding]. I will be chairing the 
remainder of the hearing, so that means I will be here until 
the end. So to expedite my colleagues, let me defer my 
questioning until the end, and so unless a Republican colleague 
arrives, we will have Senator Klobuchar, then Senator Franken, 
then Senator Blumenthal. Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Mr. Chair, and 
thank you to both of you for working on this very difficult and 
important area. I am glad that we are holding this hearing, 
obviously, but also that we are moving ahead on legislation, 
because I have heard time and time again, whether it is 
confidential briefings with our Defense Secretary and others 
about the concern of the cyber attack issue--and I certainly 
have seen in a much smaller way in my previous job as a prosecutor 
for 8 years just the growing, escalating number of cases that 
we had involving just individuals being hacked or data stolen. 
And I have introduced a number of bills in this area, and I 
wanted to talk through some of those and how they could work 
with the larger bill that we are working on.
    Senator Hatch and I introduced a bill aimed at child 
pornography that would require Internet service providers to 
retain information on the IP addresses they assign to customers 
for a minimum amount of time. This is information that the 
providers already have and already retain, but some providers, 
we have learned, keep it for longer periods than others, and 
the bill would simply set a minimum retention period. The 
providers would not be required to retain any content of a 
person's online activity. It simply means that if law 
enforcement sees illegal activity online, then they can tell 
that it is emanating from a certain computer or device. They 
would then be able to go to the Internet service provider and 
get information on who owned that computer or device, and, of 
course, they would need a subpoena to do that.
    It seems to me that this could be an important reform not 
just for child pornography cases but also for many of the types 
of crimes that we have been talking about today. I do not know 
if either of you would like to comment on that. Mr. Baker.
    Mr. Baker. Yes, thank you, Senator. Just briefly, we agree 
completely that this is a significant issue and it potentially 
impacts a whole range of cases, including child exploitation, 
gangs, other types of--you know, terrorism potentially, 
national security crime. So we think it is a significant 
problem.
    We do not, unfortunately, have a cleared administration 
position on how long and what types of data to retain and so 
on, but I agree with your characterization of the basic idea 
with respect to the proposals that we have seen. It is 
certainly something we would like to work with you on because 
it is a very, very important issue.
    Senator Klobuchar. Agent Martinez.
    Mr. Martinez. Yes, Senator. Digital crime scenes tend to 
evaporate more quickly than traditional crime scenes, so 
preserving data is an important part of any type of cyber 
investigation. So we concur with Mr. Baker's comments that, you 
know, some type of retention would be good to cyber 
investigations.
    Senator Klobuchar. Then another area is cloud computing, 
and I think we are seeing more and more of that, for good 
reasons: bringing down the cost of data storage, computing for 
businesses, consumers, and government alike. However, we need 
to also ensure that our laws are keeping up with the new 
technology. Cloud computing represents a unique challenge. The 
way the data is stored and accessed in the cloud makes it 
sometimes hard to prove the damages that are currently required 
by the Computer Fraud and Abuse Act. And so we are looking at 
how we can make sure that those damages can be proved when you 
are dealing with the cloud, and I do not know if you want to 
comment at all about that and what is happening with hacking.
    Mr. Martinez. Again, I go back to the crime scene. A cloud 
crime scene is much more difficult to solve than to try to get 
evidence from a traditional crime scene. So it is going to be a 
challenge to make sure that when we respond to an organization 
that is storing information in the cloud, that that 
organization knows exactly where that information is at and, 
you know, make sure that law enforcement can access that 
information in a quick manner.
    I go back to, you know, the fact that digital evidence 
evaporates a lot quicker, so it is going to be incumbent on 
organizations that establish some type of cloud computing 
environment that they know the layout or the topography of 
their information. And the other challenge that we also face 
is, you know, if the information is stored in the cloud and 
that cloud is out of the jurisdiction of the United States, 
what challenges might that pose to us?
    Senator Klobuchar. And that is why we are trying to put in 
here some structure for other countries to work together on 
these things, because that is going to be key as we move 
forward.
    Shifting to another topic, do you think the jail terms and 
the fines in the current law are severe enough to have a 
substantial effect in deterring or reducing cyber attacks? And 
how about in the proposal before us?
    Mr. Martinez. I think the administration's proposal does a 
very good job of addressing that. And, in fact, I used some 
examples where we have charged cyber criminals with other 
offenses as identified by Mr. Baker, where these individuals 
were charged with either wire fraud or credit card fraud or 
bank fraud that received significant jail terms, in excess of 
10, 15, 20 years. That is definitely a deterrent to criminals 
that conduct this type of activity.
    If you look at our Verizon data breach investigative 
report, we see a larger number of intrusions occurring right 
now, but we do not see as many of the large-scale intrusions 
that we have seen in the past. We think part of the reason for 
that is the deterrent factor that these stiff sentences have 
had on these criminal organizations. So to get a statute like 
1030, the Computer Fraud and Abuse Act, up to par with some of 
these other ones we believe will make a deterrent against 
criminals that are undertaking these types of intrusions.
    Senator Klobuchar. Okay. Then just one last question, Mr. 
Chair, if I could. Economic espionage is clearly a drain on the 
American investment in our country, our talent, whether it is 
blueprints to the way a manufacturing facility is set up or a 
design of a dress. Does, do you believe, the Computer Fraud and 
Abuse Act adequately combat the problem of economic espionage? 
And do you think the administration's proposals help with this? 
Are there more things that we should be doing as we look even 
away from the cyber attacks on Government and look into what 
has been going on in the private sector?
    Mr. Martinez. I think Mr. Baker could better answer that 
than I.
    Senator Klobuchar. Mr. Baker.
    Mr. Baker. Absolutely. I mean, the focus of the Computer 
Fraud and Abuse Act is sort of on the means that are used to 
perpetrate the crime that I think you are talking about. We 
would fully support efforts to try to make sure that we can 
address the type of crime that you are concerned about because 
we are very concerned about it as well. I think that our 
proposals in the administration's legislation would be 
effective in addressing the type of crime. But if there were 
particular things that we should focus on, we would be happy to 
work with you on that because it is a huge problem, and the 
theft of our intellectual property is a very, very significant 
problem for the country.
    Senator Klobuchar. Have you seen instances of retaliatory 
hacking where groups actually go after people that are working 
on this, these issues?
    Mr. Baker. Groups go after a lot of different people 
working on a whole range of issues, and, you know, I guess I 
would defer to Special Agent Martinez on the cases because--
well.
    Mr. Martinez. Yes, I think no one is immune from these 
types of intrusions and attacks. I think we have seen a lot of 
these types of attacks have been reported in the media, and 
there is a lot that happen. So I do not think anybody is immune 
from this type of cyber attack.
    Senator Klobuchar. Thank you very much.
    Senator Whitehouse. Senator Franken.
    Senator Franken. Thank you, Mr. Chairman.
    Mr. Baker, I want to ask you a question to follow up on a 
question from Chairman Leahy. In recent cases the Department of 
Justice has actually argued that the violation of a website's 
terms of service or an employer's computer use policy can 
constitute a Federal crime under the Computer Fraud and Abuse 
Act. In other words, under this interpretation of the statute, 
people could conceivably be guilty of a Federal crime for 
checking their Gmail or the weather if their employer's 
computer policy prohibits them from using their computers for 
personal reasons. Two Federal judges have found this reading of 
the statute to be unconstitutional because people do not read 
those policies, and when they do, they can be, as you know, 
long and complex and full of fine print.
    Don't you think it would be worthwhile to somehow address 
the concerns of those Federal judges in updating this statute?
    Mr. Baker. Thank you for that question. As I said earlier, 
Senator, we would be happy to work with folks to address these 
kinds of concerns. I think that the challenge is to address 
those concerns and at the same time not create a significant 
loophole that would allow somebody, for example, who worked at 
the Social Security Administration, the IRS, the U.S. passport 
office, or a bank to take information in violation of their 
employer's policies and misuse it for some purpose, either to 
spy on somebody that they know or to take information and pass 
it to others to actually steal money. So I think this insider case 
where somebody violates the rules of their employer using a 
computer is a very challenging thing to address and at the same 
time address the types of concerns that you suggest.
    The difficulty is that, you know, we have to think about 
how and whether we should have a regime that is parallel to the 
actual physical world. So if an employer says, ``Well, you can 
use the petty cash for certain purposes but not for other 
purposes,'' and somebody takes the cash and spends it on 
something that they are not supposed to, we would prosecute 
them, potentially, depending upon the amount, for fraud. And so 
the question is or the issue is employers all the time set 
rules about what can be done with their resources. Do we want 
to make a difference--or how do we want to differentiate the 
cyber world from the physical world? So I think these are real 
challenges, but we understand what you are saying, and 
obviously we have read those opinions, and we have heard loud 
and clear what the judges were saying, and in the Drew case, in 
particular, we decided not to appeal in that case.
    Senator Franken. Okay. Thank you.
    Again, Mr. Baker, I know that this is not technically the 
subject of the hearing, but since you are here, I want to ask 
you about the administration's data breach proposal. The 
administration's proposal would require certain companies 
holding ``sensitive personally identifiable information'' to 
notify their customers if that information is breached. I was 
surprised to see that the administration's definition of 
``sensitive personally identifiable information'' did not 
include an individual's geolocation. Today many companies 
literally have minute-to-minute records of everywhere a 
smartphone user has been over a period of months. In my mind, 
that information can be just as sensitive, if not more 
sensitive, than one's home address, which is covered under the 
definition.
    Would you consider amending your proposal to include 
geolocation in the definition of ``sensitive personally 
identifiable information''?
    Mr. Baker. I think certainly, Senator, we would be open to 
looking at that issue. I would have to look at it again. There 
may be parts of this that would cover that type of information, 
depending on how it was stored in an account or something 
already. But in terms of focusing on it directly, I think we 
would be open to that.
    I would just note that, because we looked at the 
geolocation question in a variety of different contexts, 
defining geolocation information is tricky, and so we would 
have to make sure that we got that right in order to include 
the kinds of things that you are concerned about but not sweep 
in a bunch of other stuff. But I would be happy to work with 
you on that, or the Department would be happy to work with you 
on that.
    Senator Franken. Good. Thank you.
    I also noticed that this proposal gives companies up to 60 
days to notify their customers of a breach of their sensitive 
personally identifiable information. That period seems long to 
me. A criminal can do a lot of damage with someone's Social 
Security number in 2 months. Why can't we have a quicker 
deadline or shorter deadline for notification?
    Mr. Baker. I think on that as well, Senator, we would be 
happy to work with you on that, because the one thing to think 
about, though, is there is invariably some lag time, because 
there will be a breach and it might take a short period of time 
for the company to become aware of it. And then I think you 
want some period of time where the company is required to go to 
law enforcement and law enforcement can make some assessment 
about whether we want them to report. We may have an undercover 
operation ongoing, let us say, to try to target these people. 
They have been doing a variety of different breaches, and so we 
have an operation. We do not want them to know that we are on 
to them. So we may in a particular circumstance ask the company 
to hold off on the notification because it might harm----
    Senator Franken. Okay.
    Mr. Baker. So we want some period of lag time. The trick is 
to find out what that is, and so I think we would be happy to 
work with you on that. I do not think there is any magic with 
respect to the 60-day number.
    Senator Franken. Okay. It looks like we have got a lot of 
little things to work on.
    Mr. Baker. Sure.
    Senator Franken. Okay. Thank you, Mr. Baker.
    Mr. Baker. Okay.
    Senator Franken. Thank you, Mr. Chairman.
    Senator Whitehouse. Senator Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman, and thank you 
both for being here today. I want to second the concerns just 
raised by Senator Franken about the 60-day period, which I 
think is way too long in the majority of instances. I recognize 
there may be some law enforcement activity that requires some 
lag time, but it seems to me that an exception can be carved 
out for that kind of specific--and I do mean explicit and 
specific--law enforcement activity that justifies a delay 
rather than having a blanket 60-day period, which seems 
excessively long.
    I want to focus--and I was very interested and impressed by 
your comments on infrastructure vulnerability and potential 
assaults on that aspect of our economic and security activity. 
We hear a lot of talk about potential cyber assaults on our 
information, whether it is electric or gas. Should there be a 
stronger requirement for those facilities or companies 
themselves to take proactive and preventive measures? Right now 
it seems to me if there are any provisions, they are 
egregiously weak in light of the public responsibility of those 
private institutions. And so I wonder whether you would care to 
comment on that.
    Mr. Baker. Yes, Senator, thank you. I think that is 
addressed in other parts of the bill where the role of the 
Department of Homeland Security with respect to helping to set 
standards and then monitoring compliance with standards, I 
think that is more directed at the kind of concern, very 
legitimate and absolutely correct concern that you have with 
respect to that. I am not sure--I would have to think about it 
for a minute, but I am not sure that the specific proposal we 
are talking about with respect to the CFAA, for example, would 
address that. But I think that the larger concern about the 
critical infrastructure--and, you know, again, the whole point 
of all this is to prevent anything from happening. It is one 
thing to prosecute after the fact, but we want to prevent 
things from happening. We want to deter activity, and we want 
to make sure that entities have in place the appropriate means 
to protect themselves and the incentives to do that.
    I think we would be happy to work with you on any way that 
is reasonable that would further those goals.
    Senator Blumenthal. And I agree, deterrence is one way to 
prevent criminal activity, but not always an effective way in 
light of the interests and stakes. And you mentioned extortion. 
A potential penalty of 3 years, even if it is a minimum, may 
not be enough to deter someone from this kind of----
    Mr. Baker. That is right.
    Senator Blumenthal. Do other parts of your--meaning the 
Federal Government's--proposals include penalties, whether 
civil or criminal, for the failure of these infrastructure 
institutions to take preventive measures?
    Mr. Baker. They do not include criminal prohibitions or 
penalties for failing to take these types of measures. I think 
the idea was to have a lighter touch with respect to building 
incentives into the system to try to get entities to enhance 
their cyber security. So I do not think that that is part of 
the proposal.
    Senator Blumenthal. What about civil penalties?
    Mr. Baker. The same thing. I think the idea is not to incur 
civil penalties, but to provide appropriate information and 
disclosures with respect to the state of affairs with respect 
to particular entities.
    Senator Blumenthal. Because that really is the thrust of my 
question to you, whether there should be--taking a broader 
view, I recognize it is Homeland Security, not the Department 
of Justice, but if there is no effective remedy for the failure 
to take such measures, I wonder how effective the standards and 
advice and counseling will really be, given the economic 
pressures that these companies may have and given their 
relative lack of sophistication in this area. Financial 
institutions are much more likely to be deep into this subject 
because of the nature of what they do. Their entire business is 
conducted with computers, and so they are familiar with making 
those computers less--and more so the other infrastructure 
every day where smart energy use involves this kind of work. 
But I guess my point to you is that I think that we do need to 
consider some kind of stick as well as carrot in this area.
    Mr. Baker. I agree, Senator, and I think there are existing 
incentives that some folks have just not focused on, I think. 
For example, there is a loss of good will with your customers 
when you face a serious breach. That is one thing. You are 
losing money. You are losing your intellectual property. You 
have obligations to your shareholders to inform them about the 
state of affairs with respect to your company. That may be 
something that the SEC is looking at--or should look at, I 
guess. Others have suggested that. Senator Whitehouse, in fact, 
I think suggested that with perhaps Senator Rockefeller.
    And so there are a whole range of different incentives 
built into the system today that I guess you would have to say 
do not seem to be effective because we still have a very 
significant problem that we need to address, as you have 
suggested.
    Senator Blumenthal. And my time has expired, but again I 
want to thank you, and I would just suggest that if we are that 
concerned about the information vulnerability, maybe those 
incentives are not working as well as they should.
    Thank you.
    Senator Whitehouse. Mr. Baker, welcome back.
    Mr. Baker. Thank you, Senator.
    Senator Whitehouse. A quick question. Is it clear that the 
cloud is a computer within the meaning of the statute?
    Mr. Baker. The current statute? Well, I think that the 
elements of the cloud are. I would have to look at it. I can 
pull out the definition of a ``protected computer.'' But I 
would think that because it generally includes any computer 
connected to the Internet, the cloud itself at a particular 
cloud provider is going to be included within the definition of 
a ``protected computer.''
    Senator Whitehouse. When was the statute, 2008?
    Mr. Baker. Yes, I think that is right.
    Senator Whitehouse. So that is, believe it or not, in cyber 
time a generation or so, and it kind of dates back to when it 
was presumed that data was actually in a computer. And since 
that is no longer the way this works, I just wonder that you 
may find that you run into definitional problems, particularly 
if criminal statutes are intended to be narrowly construed. 
Anyway----
    Mr. Baker. I agree with that, and as I think I suggested, 
if we expand anything with respect to something called ``the 
cloud,'' we need to make sure that we define that 
appropriately.
    Senator Whitehouse. Where do you think your defendants are 
most likely to be under this provision of law?
    Mr. Baker. We face substantial threats--and I will defer to 
Special Agent Martinez on this as well, but we face substantial 
threats from domestic actors, domestic malicious actors, as 
well as international. So, as you know very well, there is a 
very substantial threat that we face from actors based 
overseas.
    Senator Whitehouse. Yes, and it worries me to go back to 
Chairman Leahy's question. You said that there are 230 
prosecutors who are working in this area. Where do you get the 
230 number? Does that include the people assigned to the United 
States Attorney's Offices who are the designated cyber 
prosecutors?
    Mr. Baker. Yes. That includes those people plus folks at 
Main Justice who are dedicated to this type of activity. Again, 
it does not include necessarily the fraud prosecutors, the 
child exploitation prosecutors, because they are dealing with 
criminal activity on the Net as well.
    Senator Whitehouse. So you and I both know that out in the 
United States Attorney's Offices the designated cyber 
prosecutors are doing other stuff.
    Mr. Baker. Absolutely.
    Senator Whitehouse. So the number in terms of FTE, or 
whatever you would want to call it, is actually considerably 
less than 230. Because these cases very often involve overseas 
activity, you have added a RICO predicate here, which I think 
is great. But RICO cases are complicated. I do not know to what 
extent the Department requires departmental oversight of this. 
If you do, for instance, a public corruption case and you are a 
U.S. Attorney, you have to check in with the Department all the 
time on that, and it adds a lot of work and effort and burden 
to the case, probably with good reason. How closely does the 
Department supervise and require engagement with a U.S. 
Attorney's Office that is prosecuting a cyber case? If you are 
doing a Hobbs Act case, you are kind of on your own. The 
Department really barely ever checks in if you are doing a--
where on the spectrum is this in terms of the Department 
requiring a lot of back-and-forth with the U.S. Attorney's 
Office?
    Mr. Baker. Just a quick comment on the RICO case. If 
adopted by the Congress, the RICO provision would be subject to 
the same type of oversight by the Department, so just to make 
sure that is clear.
    With respect to existing criminal activities with respect 
to cyber crimes, there is a range. Some U.S. Attorney's Offices 
have a significant number of trained prosecutors who know how 
to do this. You know, they are in large offices, and so they 
consult with Main Justice as needed. Other districts where they 
do not encounter this type of activity as much or do not 
prosecute the cases as much, they are going to rely more 
extensively on our computer fraud----
    Senator Whitehouse. So if a U.S. Attorney's Office has the 
internal capability to handle a significant cyber case, they 
can run with it on their own without a lot of supervision by 
Main Justice?
    Mr. Baker. That is essentially correct, I think, yes.
    Senator Whitehouse. Well, that lifts at least one burden 
off of this, but still, when you divide the 230 down for the 
extent to which those are people who are actually doing 
something different, and when you look at the complexity of 
RICO cases of chasing people down internationally, probably 
having to coordinate with our intelligence services to get 
information about the foreign bad actors, I just continue to 
worry that we are sorely, sorely understaffed for this.
    How would you evaluate, how does the Department evaluate 
the risk of a cyber attack on the country and the constant 
regular day-to-day onslaught of cyber attacks in the Nation's 
priorities?
    Mr. Baker. In the Nation's priorities, I mean, I think that 
the threat of a cyber attack or addressing the threat of a 
cyber attack is very high on the list of priorities for the 
Nation, not only for the Department of Justice but for the 
entire Defense Department, the intelligence community, and all 
elements of Government. We are very, very concerned about that 
kind of thing. So it is very high on the list of priorities.
    Senator Whitehouse. And just day to day, there are tens of 
thousands of attacks. We are having a hemorrhage of our 
intellectual property, mostly over to China, but to other 
places. There is an immense amount of crime and fraud that 
takes place, and that is kind of the baseline. If you put the 
baseline together with the risk of a really significant knock-
down cyber attack on the country, doesn't that equate in terms 
of risk to national security of, for instance, our exposure to 
drug crime or our exposure to the hazard of alcohol, tobacco, 
firearms, and explosives?
    Mr. Baker. As you know, there is a huge problem with many 
elements to it. We have to address all of them basically 
simultaneously because there is an onslaught of attacks, as you 
have described, every day. ``Attacks''? Let me back up. There 
is an onslaught and intrusions and computer activity, malicious 
activity all the time. Whether something is an attack or not, 
let us put that aside for a second.
    Senator Whitehouse. Yes, understood.
    Mr. Baker. Let me back up 1 second. It is important to make 
sure that we have adequate resources to deal with these crimes 
and these activities. It is also important that we make sure we 
have in place, when we catch someone, the appropriate 
penalties, the appropriate language in various statutes to make 
sure that somebody does not get out on a technicality and 
things like that. So what I think we are focused on today, at 
least in my comments, on the CFAA is to make sure that we have 
the statutory structure to address the crime. What we need to 
do then is go after the criminals, and we need to have all the 
kinds of resources that we have been talking about today, the 
Secret Service, the FBI, and that other elements of the 
Government have.
    Senator Whitehouse. I understand that. I am just worried 
that we are going to pass this bill as it ends up being 
amended, that it will go into effect, and we are going to pat 
ourselves on the back for having done something good about 
protecting America from cyber crime and from cyber attack, and, 
in fact, what we have done is overlooked the resource 
disadvantage that we have put ourselves at.
    Mr. Baker. Well, I agree completely. When you look at how 
the Nation has faced the threat from counterterrorism since 
9/11, we have not just done one piece. We have done a whole range 
of things since then, and we need to dedicate ourselves to that 
kind of effort for a prolonged period of time in terms of 
dealing with this cyber threat. It is going to evolve over 
time. The adversaries have significant resources themselves 
devoted to it, and we face substantial risks if they are 
successful.
    Senator Whitehouse. When DNI Clapper had his confirmation 
hearing in the Intelligence Committee, he listed the threats to 
America's national security. The No. 1 was cyber.
    I wanted to just follow up quickly on the question that I 
think Senator Franken asked, and I think Chairman Leahy did 
also, about violating the terms of a service agreement and 
criminalizing basically contracts with--violations of contracts 
with your provider. When you were asked that question, you 
responded with an example of somebody who was stealing large 
amounts of petty cash. I would just suggest to you that there 
is a difference between stealing petty cash, which I think 
every American understands that stealing cash is a bad thing to 
do, with violating the terms of fine print in contracts. I do 
not think there has ever been a society more bedeviled by fine 
print in contracts than America is right now. The average 
American has so much fine print in all of the computer programs 
they download, in all of their service agreements, in the cell 
phone contract. I mean, wherever you look, everything you do 
with the bank has pages, your credit card agreement is probably 
20 pages long of fine print. Americans are absolutely tormented 
with fine print. And I do think that it would be very salutary 
for the Department of Justice to put out a proper, solid 
prosecution policy that would reassure Americans that it is not 
the Department of Justice's intention in pursuing these 
criminal offenses to go after somebody who comes in under the 
wrong name on Facebook or who, you know, one way or another is 
out of compliance with a private contract that they have 
entered into that is probably a contract of adhesion more or 
less in the sense that they did not really negotiate it and it 
is multiple pages long and the average person does not even 
read it.
    I think you want to be out of that business, and I think 
the cases that raise that question really throw the 
Department's prosecution in this area, its activities in this 
area in a pretty bad light. They have had a lot of attention 
today. It is attention that I do not think you need, and I 
think there is a clear difference between going after somebody 
who goes into the petty cash drawer and takes money out, which 
everybody knows is wrong, and somebody who sends an 
unauthorized e-mail or accesses a program that they are not 
supposed to. I just think you need to be a lot more careful 
about that and make sure you are going after who you should be, 
and that I think will calm down a lot of the concern about 
this, because it really does lend itself to abuse if it becomes 
a Federal crime to violate the fine print of all the 
innumerable contracts that Americans are now subjected to.
    Mr. Baker. I do not think that we have actually done that. 
I think that our performance with respect to enforcing the CFAA 
has been better than that. And so I would submit that, you 
know, consistent and pursuant to oversight of this Committee in 
particular, we have not done that. I think the case that people 
are concerned about, the Drew case, did not involve--it was not 
just some random case of somebody who happened to violate some 
terms of a service agreement. It was a case involving 
individuals essentially goading a 13-year-old girl into 
committing suicide, and I think it is understandable that law 
enforcement would take a dim view of that and try to address 
that kind of situation to the fullest extent of the law. In 
that particular situation, as I noted, the judge disagreed 
strongly with our interpretation of the statute. We reviewed 
his decision, and we decided not to appeal. And I do not think 
it is accurate for those who--I mean, we understand why people 
are concerned about the kinds of issues that you have raised 
with respect to terms of service agreements and all these 
different contracts and so on. We get that. We understand that 
completely.
    What we are trying to do is find a way to address those 
concerns and at the same time not let people off the hook who 
are insiders in particular companies.
    Let me back up. The key thing is this term ``exceeds 
authorized access'' in the statute.
    Senator Whitehouse. Yes.
    Mr. Baker. As you well know. And so the key is: How do you 
avoid the kind of cases that you are very concerned about and 
yet at the same time not let off the hook somebody who works, 
again, at the IRS, the Social Security Administration, you name 
it, or some bank, to go in, take information, and misuse it for 
some particular purpose.
    So we are happy to work with people to address these kinds 
of concerns. I will definitely take back your suggestion about 
issuing some clear policy statement. Maybe that would be 
helpful in this area.
    Senator Whitehouse. I think you are better off doing it 
yourself than counting on Congress to try to draw that fine 
line and that moving line. So I would recommend that.
    Well, I have gone well beyond my time, which I was able to 
do since nobody else is here, so it was no prejudice to any 
colleague. And I want to express my appreciation, Special Agent 
Martinez, to you for the work that you and the Secret Service 
are doing in this area, and to you, Mr. Baker, for the work the 
Department of Justice is doing and for your long and very 
meritorious service to our country in these areas of national 
security.
    As you know, I continue to believe that we are sorely 
underresourced in this area and that if you put the 230 
prosecutors, many of whom are part-time--or no-time, depending 
on the nature of the district's caseload--up against, say, the 
Drug Enforcement Administration and ATF and major organizations 
like that that are working diligently and properly on threats 
to our National security and to our National well-being that 
are probably no greater than the threat we have from cyber 
crime and cyber attack, there is a huge disconnect. And I would 
urge that you and the administration ramp up a more energized 
proposal about how we can go after these folks, particularly 
bearing in mind how immensely complicated each one of these 
cases is going to be as you have to track down people in 
foreign countries and work through all of the complexities of 
engaging with foreign law enforcement authorities and dealing 
with the RICO statute. These are not easy cases, and they take 
an immense amount of work just to do the forensic preparation 
of the case.
    So as I said, my message is good job on the statute. 
Obviously, we are not going to agree with everything you have 
put in, but I think we do need to improve it. But the 
rhinoceros in the living room is the resource question, and it 
is fine to improve the statute, but we have really got, I 
think, to be much more aggressive about this in terms of--I 
know that individually everybody is doing a wonderful job. It 
is not your fault that there are not more of you to do this. 
But I think it is important for Congress to act in this area.
    Thank you very much. We will keep the record open for 1 
week, if anybody cares to add anything to it, and the hearing 
is adjourned. Thank you.
    [Whereupon, at 11:30 a.m., the Committee was adjourned.]
    [Submissions for the record follow.]

    [GRAPHICS] [TIFF OMITTED] T0751.001 through T0751.047
