[Senate Hearing 112-126]
[From the U.S. Government Publishing Office]
S. Hrg. 112-126
CYBER CRIME: UPDATING THE COMPUTER FRAUD AND ABUSE ACT TO PROTECT CYBER
SPACE AND COMBAT EMERGING THREATS
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 7, 2011
__________
Serial No. J-112-38
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
70-751 WASHINGTON : 2011
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York JON KYL, Arizona
DICK DURBIN, Illinois JEFF SESSIONS, Alabama
SHELDON WHITEHOUSE, Rhode Island LINDSEY GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota JOHN CORNYN, Texas
AL FRANKEN, Minnesota MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware TOM COBURN, Oklahoma
RICHARD BLUMENTHAL, Connecticut
Bruce A. Cohen, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
    prepared statement
WITNESSES
Baker, James A., Associate Deputy Attorney General, U.S. Department of Justice, Washington, DC
Martinez, Pablo A., Deputy Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service, Washington, DC
SUBMISSIONS FOR THE RECORD
American Civil Liberties Union, Laura W. Murphy, Director, Washington Legislative Office; Kelly William Cobb, Executive Director, Americans for Tax Reform's Digital Liberty; Leslie Harris, President and CEO, Center for Democracy & Technology; Fred L. Smith, President, Competitive Enterprise Institute; Marcia Hofman, Senior Staff Attorney, Electronic Frontier Foundation; Charles H. Kennedy, partner, Wilkinson, Barker, Knauer, LLP; Wayne T. Brough, Chief Economist and Vice President, Research, FreedomWorks Foundation; Orin S. Kerr, Professor of Law, George Washington University; Paul Rosenzweig, Visiting Fellow, The Heritage Foundation; Berin Szoka, President, TechFreedom, August 3, 2011, joint letter
Baker, James A., Associate Deputy Attorney General, U.S. Department of Justice, Washington, DC
Martinez, Pablo A., Deputy Special Agent in Charge, Criminal Investigative Division, U.S. Secret Service, Washington, DC
Nojeim, Gregory T., Director, Project on Freedom, Security & Technology, on Behalf of Center for Democracy & Technology, Washington, DC, statement
Stewart, Julie, President, Families Against Mandatory Minimums (FAMM), Washington, DC, statement
Wall Street Journal, September 7, 2011, article
CYBER CRIME: UPDATING THE COMPUTER FRAUD AND ABUSE ACT TO PROTECT CYBER
SPACE AND COMBAT EMERGING THREATS
----------
WEDNESDAY, SEPTEMBER 7, 2011
U.S. Senate,
Committee on the Judiciary,
Washington, DC.
The Committee met, pursuant to notice, at 10:09 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Patrick J.
Leahy, Chairman of the Committee, presiding.
Present: Senators Leahy, Whitehouse, Klobuchar, Franken,
Coons, Blumenthal, and Grassley.
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM
THE STATE OF VERMONT
Chairman Leahy. Good morning. Today the Committee is
holding an important hearing on cyber crime. Protecting
American consumers and businesses from cyber crime and other
threats in cyber space has been a priority of this Committee
for many years--I might say a bipartisan priority--and we
continue that tradition today. Before we start, I want to thank
Senator Grassley who has worked closely with me on this hearing
in a bipartisan way. I think cyber crime impacts all of us,
regardless of political party or ideology, so I look forward to
our continued partnership, Chuck, in this Congress and as we
continue.
Developing a comprehensive strategy for cyber security is
one of the most pressing challenges facing our Nation today. I
think of the days not many years ago when you worried about
somebody going into a bank and robbing a bank and maybe getting
$20,000--they were usually caught--or looting a warehouse. Now
it is a lot different. A study released today by Symantec
Corporation estimates the cost of cyber crime globally is $114
billion a year. In just the last few months, we have witnessed
major data breaches at Sony, Epsilon, RSA, the International
Monetary Fund, and Lockheed Martin--just to name a few. It is
not the masked person with the gun walking into a bank. It is
somebody maybe sitting thousands of miles, even another country
away and committing the crime.
Our Government computer networks have not been spared. We
saw the hacking incidents involving the United States Senate,
and also the Central Intelligence Agency websites. We cannot
ignore these threats. We cannot ignore the impact on our
privacy and security. That is why the Committee will carefully
examine the Obama administration's proposals for new legal
tools to help law enforcement investigate and prosecute cyber
crime today.
I do want to thank and commend the dedicated men and women
at the Departments of Justice and Homeland Security, and
elsewhere across our Government, who are on the frontlines of
the battle against cyber crime. Every day they are successfully
investigating and disrupting the growing threats to our cyber
security.
In July, the FBI announced that it had arrested more than a
dozen individuals associated with a group of computer hackers
called, obviously, ``Anonymous'' after the group launched a
series of cyber attacks on Government and private networks,
according to the charges made. The Secret Service recently
announced a successful cyber crime investigation that led to
the Federal indictment of an individual alleged to have hacked
into the computer system at the Massachusetts Institute of
Technology, MIT, resulting in the theft of more than 4 million
scientific and academic articles. These are just two examples
of the many accomplishments of our law enforcement community in
this area.
But with every new victory, we are challenged by even
greater threats and even more cunning cyber thieves. A recent
report by the computer security firm Symantec found that on any
given day, an average of 6,797 websites harbor malware, or
other unwanted programs. That is an increase of slightly over
25 percent since June 2011. I am pleased that representatives
from the Department of Justice and the Secret Service are here
to share their views on this, and later this week the Committee
will consider these proposals and other privacy measures in my
comprehensive data privacy and security legislation. I hope
that the Committee will promptly report this legislation on a
bipartisan basis, as it has done three times before.
We are talking about the security of our Nation and our
people in cyber space, so we have to work together. Again, this
is not a Democratic or Republican issue. This is something that
should unite us all. It is a national issue that we have to
address, so I am hoping that all Members of Congress will join
in that.
Again, I thank the distinguished Senator from Iowa for his
help, and I yield to him.
STATEMENT OF HON. CHUCK GRASSLEY, A U.S. SENATOR FROM THE STATE
OF IOWA
Senator Grassley. Before I go to my statement, there are a
couple things I would say.
I think the fact that Majority Leader Harry Reid had a
meeting several months ago on various committees that were
involved in this--and you and I were involved in that--plus the
fact that in our party Senator McConnell has had hearings, I
think that highlights the bipartisanship as well as the
national security reasons for these pieces of legislation.
Also, the second thing I would say is that I think you have
correctly stated that you and I are very, very close on this
legislation, and I can say from the standpoint of this
Committee's work, very close with the administration's
legislation. I may have some ideas that vary a little bit, and
I will refer to a couple of those in my remarks.
I thank you very much for today's hearing. Given the growth
of the Internet and our society's increased dependence on
computer systems, this is a very important topic. Cyber
criminals are no longer confined by the borders of their
community, their State, or even their country. Cyber space has
allowed criminals to steal money, steal personal identities,
and commit espionage without even leaving their home. Cyber
criminals are now using the Internet to conspire with other
cyber criminals. They collaborate to install malicious
software, commit network intrusions, and effect account
takeovers.
Cyber criminals also target the point-of-sale computers at
restaurants and retailers in order to steal millions of credit
card numbers, as they did at companies such as TJX, BJ's
Wholesale Club, Office Max, Boston Market, Sports Authority,
and I suppose many others.
Moreover, there are online criminal forums that traffic in
stolen credit card numbers, such as the notorious CarderPlanet
forum that traffics in stolen credit card numbers. Cyber
criminals also continue to engage in phishing attacks, denial-
of-service attacks, and web application attacks.
Cyber criminals are smart, and they learn from their
mistakes. They learn from evaluating other cyber attacks, and
they learn from successful prosecution of their peers. Cyber
criminals design relentless new computer viruses and malware as
they attempt to stay one step ahead of the anti-virus
programs.
All of these attacks are serious and dangerous to our
Nation. However, I fear that the threats we have not heard
about or even thought about are likely to be even more
dangerous and devastating. So we must take these cyber attacks
seriously and ensure that our critical system infrastructure is
well protected from cyber criminals.
Accordingly, the Federal Government must take every single
breach of a computer system or potential vulnerability
seriously. For example, I have asked the Department of Defense
Inspector General to properly investigate serious allegations
that Department of Defense employees purchased child
pornography online and were never adequately investigated by
the Defense Criminal Investigative Service. These allegations
include DOD employees possibly purchasing child pornography
from their own work computers. I remain deeply concerned that
DOD employees who purchased child pornography continue to work
in key positions and retain high-level security clearances,
putting the Federal Government and our military computer
systems at risk for intrusion. I want to know what the Defense
Department is doing to stop this sort of behavior, whether
these individuals will be brought to justice, and whether
Government systems could be compromised because of criminal
behavior.
Aside from this example, I generally support the efforts
that the administration is undertaking to work toward a
bipartisan solution on cyber security. However, I have some
concerns with part of the administration's proposal. I also
have reservations about how these sweeping policies will be
implemented and how much they add to an already large
Government bureaucracy.
On top of these concerns, I also question the wisdom of the
administration in some of the personnel appointments that they
have made to critical positions. Example: The administration
recently hired an individual at U.S. Cyber Command, an agency
charged with securing our military capability network. I am
concerned that the Obama administration seemingly failed to
conduct an adequate background investigation of the
individual's qualifications. If they had, I am confident they
would have easily seen that she played a role in the Clinton
administration's alleged loss of subpoenaed e-mail during the
investigation of the 1996 Presidential campaign or that she
allegedly paid a diploma mill thousands of dollars for a
bachelor's, master's, and doctorate degree in computer science.
Ensuring that our Nation's most sensitive networks are safe
from international cyber espionage should not be assigned to
someone who obtained their degrees from a diploma mill.
These types of personnel decisions weaken our ability to
protect our Nation from cyber attack, essentially putting us at
risk. Further, they raise questions about whether the
administration is truly serious about protecting our Nation's
critical infrastructure and military computer systems.
External threats continue to target our infrastructure,
whether that is the financial services industry or retail.
According to a recent data breach study conducted by the U.S.
Secret Service and Verizon, 92 percent of the breaches were
from ``external agents.'' I appreciate that the Secret Service
continues to aggressively combat worldwide financial and
computer cyber crimes. In 2010, the Secret Service arrested
more than 1,200 suspects for cyber crime violations involving
over $500 million in actual fraud and prevented another $7
billion in potential loss. I plan to ask the Secret Service and
the Department of Justice witnesses how we can improve our
protection of cyber space. I am eager to understand how they
are proactively engaging in emerging threats of cyber
criminals, and I also want to know more about why they feel
they need new criminal laws, new bureaucracies, and thousands
of pages of regulations that could hamper virtually all
businesses, large and small, across the country.
Thank you, Mr. Chairman.
Chairman Leahy. Thank you very much.
Our first witness is James Baker. He is an Associate Deputy
Attorney General at the U.S. Department of Justice. I know he
was planning to be here once before for this hearing, and we
had to cancel, and everybody's schedule changed. I told him
earlier this morning that I am glad he is here, and the same
with you, Mr. Martinez. He has worked extensively on all
aspects of national security policy and investigations. As an
official at the U.S. Department of Justice for nearly two
decades, he has provided the United States intelligence
community with legal and policy advice for many years. In 2006,
he received the George H.W. Bush Award for Excellence in
Counterterrorism. I would note that that is the CIA's highest
award for counterterrorism achievement. He also taught at
Harvard Law School and served as a resident fellow at Harvard
University's Institute of Politics.
Mr. Baker, as always, it is good to have you here. Please
go ahead, sir.
STATEMENT OF JAMES A. BAKER, ASSOCIATE DEPUTY ATTORNEY GENERAL,
U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC
Mr. Baker. Thank you, Senator. Chairman Leahy, Ranking
Member Grassley, and members of the Committee, thank you for
the opportunity to testify today on behalf of the Department of
Justice regarding the administration's cyber legislation
proposal.
This Committee knows well that the United States confronts
serious and complex cyber security threats. The critical
infrastructure of our Nation is vulnerable to cyber intrusions
that could damage vital national resources and potentially put
lives at risk. Intruders have also stolen confidential
information and intellectual property. At the Department of
Justice we see cyber crime on the rise with criminal syndicates
operating with increasing sophistication to steal from innocent
Americans. Even more alarming, these intrusions might be
creating future access points through which criminal actors and
others can compromise critical systems during times of crisis
or for other nefarious purposes.
That is why the administration has developed what we
believe is a pragmatic and focused legislative proposal for
Congress to consider as it moves forward on cyber security
legislation. We think that the proposal will make important
contributions toward improving cyber security in a number of
respects. Today I would like to take a moment to highlight the
parts of the administration's proposal aimed at improving the
tools that we have to fight computer crimes.
The administration's proposal includes a handful of changes
to criminal laws aimed at better ensuring that computer crimes
and cyber intrusions can be investigated and punished to the
same extent as other similar criminal activity. Of particular
note, the administration's proposal would clearly make it
unlawful to damage or shut down a computer system that manages
or controls a critical infrastructure, such as electricity
distribution or the water supply.
This narrow, focused approach is intended to provide
deterrence to this class of very serious, potentially
life-threatening crimes. Moreover, because cyber crime has become
big business for organized crime groups, the administration
proposal would make it clear that the Racketeering Influenced
and Corrupt Organizations Act, or RICO, applies to computer
crimes. Also, the proposal would harmonize the sentences and
penalties in the Computer Fraud and Abuse Act, or CFAA, with
other similar laws.
For example, acts of wire fraud in the United States carry
a maximum penalty of 20 years in prison, but violations of the
CFAA involving very similar conduct carry a maximum of only 5
years. Such disparities make no sense.
In addition, the administration proposal would expand the
scope of the CFAA's offense for trafficking in passwords to
cover not only passwords but other methods of confirming a
user's identity, such as biometric data, single-use passcodes,
or smart cards used to access an account. Such language should
also cover log-in credentials used to access any protected
computer, not just Government systems or computers at financial
institutions. The means to access computers at hospitals,
nuclear power plants, and air traffic control towers are no
less worthy of protection. This proposal will help equip law
enforcement to fight a key area of cyber crime: The theft of
passwords and means of access for the purpose of committing
additional crimes.
The administration also proposes several amendments to the
CFAA related to forfeiture, including adding a civil forfeiture
provision. The lack of a civil forfeiture authority in the CFAA
currently forces Federal prosecutors to use criminal forfeiture
authorities in instances where civil forfeiture would be more
appropriate or efficient. Our proposed civil forfeiture
provision is consistent with similar provisions in Federal law
that have existed for many decades.
Finally, some have argued that the definition of ``exceeds
authorized access'' in the CFAA should be restricted to
disallow prosecutions based upon a violation of contractual
agreements with an employer or a service provider. We
appreciate this view, but we are concerned that restricting the
statute in this way would make it difficult or impossible to
deter and address serious insider threats through prosecution.
My written statement goes into this issue in more depth.
I would note that we have been working with Chairman Leahy,
Ranking Member Grassley, and their staffs on a common solution
to address this issue.
Mr. Chairman and members of the Committee, this is an
important topic, as you all know. The country is at risk, and
there is much work to be done to better protect critical
infrastructure and improve our ability to stop computer crime.
I look forward to answering your questions today, and I would
ask that my full written statement be made part of the record
of the hearing.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Baker appears as a
submission for the record.]
Chairman Leahy. Thank you, and your full statement will be
part of the record. I appreciate the statement.
Next we will hear from Mr. Martinez. He serves as Deputy
Special Agent in Charge of Cyber Operations for the Criminal
Investigative Division of the United States Secret Service. In
nearly two decades at the Secret Service, he oversaw the
agency's first major cyber operation, Operation Firewall, in
which over 30 online criminals from across the globe were
apprehended. Incidentally, very impressive. He is currently
responsible for the oversight of all cyber training and
criminal intelligence operations conducted by the Criminal
Investigative Division. Prior to that assignment, he supervised
the New York Electronic Crimes Task Force, oversaw multiple
transnational cyber fraud cases, again, pointing out that none
of these things happen just in the locality where you are. He
is a 1990 graduate of the Virginia Military Institute, where he
received a Bachelor of Arts in economics, then a commission in
the U.S. Army Reserves.
Please go ahead.
STATEMENT OF PABLO A. MARTINEZ, DEPUTY SPECIAL AGENT IN CHARGE,
CRIMINAL INVESTIGATIVE DIVISION, U.S. SECRET SERVICE,
WASHINGTON, DC
Mr. Martinez. Good morning, Chairman Leahy, Ranking Member
Grassley, and distinguished members of the Committee. Thank you
for the opportunity to participate in this morning's hearing.
One of the significant challenges in producing an analysis
of the cyber criminal underground lies in the diversity of the
online criminal community. For example, criminals may choose to
cluster around a particular set of Internet relay chat
channels, Internet-based chat rooms, or web-based forums. In
some instances, a group of online criminals may come from a
particular geographic area and may know each other in real
life. In other instances, a group may be dispersed across the
globe and know one another only through their online
interaction.
Many venues are populated by those whose capabilities are
unsophisticated; however, other more exclusive groups are
comprised of members who have a decade or more of experience
and extensive contacts in diverse criminal worlds. This
diversity is reflected in the group's interests and aims. One
group may see the researching of vulnerabilities and
development of new exploits as a technical challenge
fundamentally related to the basics of computer security.
Another group may have little or no interest in underlying
technological issues but will happily use exploits developed by
others in order to intrude into third-party computer systems
and harvest data of commercial value. Still other online
criminal communities show even less interest in coding and
exploits but use the Internet as an operating base, taking
advantage of the anonymity and instantaneous communication the
Internet affords them.
Two of the hallmarks that distinguish effective online
criminal groups are organizational structure and access to a
well-developed criminal infrastructure. One striking
manifestation of these trends in online criminality is found in
the web-based online forums that first began to emerge
approximately a decade ago. In the early days, these online
forums were established by hacking groups or by groups of
carders, criminals who traffic in or exploit stolen financial
data. Many of these forums have a strong representation of
members from Eastern Europe. Although membership often spans
the globe and includes members from multiple continents, by
utilizing the built-in capabilities of the forum software, the
people behind the organization are able to set up a system of
foreign administrators and moderators who form the core of the
organization and who maintain order at the site.
Some of these online forums developed into marketplaces for
criminal goods and services. By 2004, forums such as
DumpsMarket, CarderPortal, Shadowcrew, and CarderPlanet were
already well-developed criminal marketplaces overseen by an
experienced group of administrators who were often established
criminals. In reality, these sites serve as a business platform
for a fusion of criminal communities, each of which provides
its own contribution to the development of the organization's
capabilities by making a greater variety of reliable criminal
services available to all members.
Some of the major classes of participants in these forums
include the following broad categories: Carders, hackers,
spammers, malware developers, and specialized hardware
developers, to name just a few.
As evident from the array of criminal service providers I
have just listed, the development of diverse online criminal
organizations has greatly enhanced the criminal infrastructure
available to pursue large-scale criminal activity. The far-
reaching availability of a reliable criminal infrastructure in
combination with other developments on the Internet presents a
global challenge to law enforcement, which has found itself
forced to adapt in order to apprehend and prosecute online
criminals.
The administration is aware that in order to fully protect
American citizens from cyber threats, certain sections of our
current cyber security laws must be updated. This past spring,
the administration released its proposal to address the cyber
security needs of our country. The legislative package proposed
by the administration addresses key improvements for law
enforcement. Secret Service investigations have shown that
complex and sophisticated electronic crimes are perpetrated by
online criminals who organize in networks, often with defined
roles in order to manage and perpetuate ongoing criminal
enterprises dedicated to stealing commercial data and selling
it for profit. The administration's proposal will better equip
law enforcement agencies with additional tools to combat
transnational cyber crime by enhancing penalties against
criminals that attack critical infrastructure and by adding
computer fraud as a predicate offense under the Racketeering
Influenced Corrupt Organizations Act.
Chairman Leahy, Ranking Member Grassley, and distinguished
members of the Committee, the Secret Service is committed to
our mission of safeguarding the Nation's financial
infrastructure and will continue to aggressively investigate
cyber and computer-related crimes to protect American consumers
and institutions from harm. This concludes my prepared
statement. Thank you again for this opportunity to testify on
behalf of the Secret Service.
[The prepared statement of Mr. Martinez appears as a
submission for the record.]
Chairman Leahy. Well, thank you. And I assume you have no
doubt in your mind these attacks are going to continue, no
matter how many you have been able to stop in the past. Is that
correct?
Mr. Martinez. Yes.
Chairman Leahy. Mr. Baker, like most Americans, I am
concerned about the growing threat of cyber crime. If you have
a business, you worry about that. If you are just an average
citizen, you worry about somebody stealing your identity. I
understand the FBI National White Collar Crime Center's
Internet Crime Complaint Center received more than 300,000
complaints about cyber crime last year. That is an astounding
number.
You discussed in your testimony the need to keep the
Computer Fraud and Abuse Act up to date. How would the
administration's proposals to update the Computer Fraud and
Abuse Act ensure that the statute keeps up with the changes in
technology?
Mr. Baker. Well, in particular, on the question of keeping
up with changes in technology, I would focus on the provision
regarding trafficking in passwords and other identifying
information. Right now we think the language is broad enough to
enable us to do what we need to do, but we think that expanding
it to include other means of access to computers will clarify
in the future, as hopefully security systems advance and other
new technologies are developed to protect access, that this
would be an easy way to make sure that we can actually get at
defendants who we are able to bring to court and not have them
escape on some technicality because a court thinks that the
definition is not precise enough with respect to this new type
of technology. So that is one example, Senator.
Chairman Leahy. Well, I can imagine decades ago any
predecessor of mine being in here talking about ``how do we get
these bank robbers; how do we get these train robbers.'' That is
pretty simple. I have to assume that no matter how good a
defense any one of the major companies have somebody is
constantly trying to figure out a way to get around it. Is that
not true?
Mr. Baker. Yes, they are under constant assault. Yes, that
is why I think you have the large number that you cited.
Chairman Leahy. Now, one criticism of the Computer Fraud
and Abuse Act is that the statute has been--this leads from
your answer, it is interpreted so broadly that it could treat
relatively innocuous behavior, violating terms of a service
agreement, for example, as a Federal criminal offense.
What kind of assurances do we have if we pass this statute
that either this administration or a future administration
might abuse the authorities under the law?
Mr. Baker. Well, certainly one thing is that we are
accountable to this Committee and to the Congress in terms of
how we enforce the Act, and we have to come up here and explain
what it is that we have been doing. I think that if you look at
our whole record with respect to how we have enforced the Act
over time, I think we have done it in a responsible way.
I think we would be happy to work with the Committee under
your leadership to try to find a way to address those concerns.
There are perhaps a variety of different things, increased
reporting requirements, for example, that might be effective,
but we are certainly willing to work with you to make sure that
this Committee believes that you have the right information to
enable you to assess how it is that we are enforcing the Act.
Chairman Leahy. You know what I am saying. In the normal
criminal code, you could have some kid who takes a car
joyriding and leaves it. You can charge him with some minor
offense, or you can charge him with grand larceny. And most
prosecutors would not charge him with grand larceny--we want
you to concentrate on the real cyber crimes and not the minor
things.
Mr. Baker. Of course, we agree with that. We have limited
resources. As you expressed, the threat is large, and we have
resources but they are limited in terms of the number of people
we are trying to----
Chairman Leahy. Let us talk about that. How many
investigators and prosecutors are there at the Department of
Justice investigating and prosecuting cyber crime?
Mr. Baker. In terms of prosecutors dedicated to cyber
intrusions, if you will, there are approximately 230. Now, if
you expand that to include other types of fraud, child
exploitation-type crimes, it is going to be a larger number
than that. I do not have that exact figure.
Chairman Leahy. What about investigators?
Mr. Baker. In terms of that, the difficulty is that the
exact number of investigators that the FBI has in particular
dedicated to this, because of the national security aspect of
it, is classified. We would be happy to share that information
with you in a different setting.
Chairman Leahy. Perhaps in a different setting, if you
could let both Senator Grassley and myself know.
Mr. Baker. Absolutely.
Chairman Leahy. Thank you. And do you have sufficient
resources?
Mr. Baker. I think we can always use more resources. We,
the administration, put forward a proposal for fiscal year 2011
that included a request for some, I think, 160, approximately,
additional personnel and some $45 million to go along with it.
And the key is, I think, we want to make sure that we have the
right resources. This is not something you just throw bodies at
and solve it. You need to have trained people. You need to
develop them over a period of time. So what we need to do is
have sort of a long-term goal and objective in terms of
bringing people in, training them, and then having them be able
to work on these issues.
Chairman Leahy. Well, the same question to you, Mr.
Martinez. How many people do you have dedicated to this? And do
you have adequate resources?
Mr. Martinez. Chairman Leahy, we have put over 1,400 of our
special agents through some type of computer training. We take
cyber crime as a serious offense. We have been doing this for a
while, so much so that part of the training that we now provide
all of our special agents when they become agents is a specific
2- to 3-week block of cyber training. So it has now become part
of our basic training for every special agent that goes through
the academy.
In addition to that, with the assistance of the Committee,
we now have 31 Electronic Crime Task Forces throughout the
country, 29 of them domestically and 2 overseas. And what we
have done with that, in addition to the special agents that we
have that have cyber training, we have also partnered with our
State and local law enforcement officers throughout these task
forces and provided them with this training. We do that
training through the National Computer Forensic Institute down
in Hoover, Alabama, where we only train State and local law
enforcement on computer forensics, network intrusion, and in
basic skills of computers.
Those individuals, when they leave the NCFI, are then
either members of our Electronic Crime Task Forces throughout
the country or are providing assistance and support to State
and local municipalities throughout the country. We are proud
to say that we have had State and local law enforcement from
all 50 States of the Union and 2 of its territories. And in
addition to having the State and locals train there, we also
train State judges and State prosecutors because we feel as
important as it is to train our investigators, it is that
important to also train prosecutors and judges so that these
cases get prosecuted and so that judges know how to prosecute
these cases.
The other thing we have taken with the Electronic Crime
Task Force model is that we have partnered with academic
institutions, because a good amount of the research and
development that goes on in this country is done by
universities. So for the last 12 years, we have been at
Carnegie Mellon University and have been a member of the
Software Engineering Institute where we work with Carnegie
Mellon NCI, which is a federally funded research and
development center, to develop software and hardware that helps
our investigators.
In addition to that facility, we have also partnered with
the University of Tulsa where we have a cell phone/PDA forensic
facility to also boost the capabilities of our agents and our
State and local partners.
Chairman Leahy. Thank you very much. I know my little State
of Vermont has had people down there, so I appreciate that.
Senator Grassley.
Senator Grassley. I want to zero in on cyber attacks on our
infrastructure, like power grids, traffic control. These
things, where they can be interfered with, control most of our
important day-to-day operations. As such, our criminal laws
should reflect the need to protect critical infrastructure by
sending a signal to would-be criminals that these attacks,
including even attempted attacks, will not be tolerated. That
means not only criminalizing the conduct but including tough
sentences that Federal judges cannot play games with. So, Mr.
Baker, I would like to ask you questions along this line.
The administration's cyber security proposal includes a new
crime for aggravated damage to a critical infrastructure
computer. This proposal includes a 3-year mandatory minimum
prison sentence for those who knowingly cause or attempt to
cause damage to a critical infrastructure computer. Why did the
administration include this mandatory minimum for this crime
but not other crimes?
Mr. Baker. Because we understand the concerns that some
Members of Congress have with respect to the use of mandatory
minimums, we believe that it was appropriate in this
circumstance, given, as you just recited, that it is involving
damage to critical infrastructure systems that result in the
substantial impairment of the system, so we thought that under
those circumstances, given the gravity of the offense, that a
mandatory minimum of 3 years was appropriate in this
circumstance, and we thought it was a judicious use of the
mandatory minimum concept, which is why we attached it to this
particular offense.
Senator Grassley. We are scheduled to mark up a Senate bill
that does not currently include a crime for aggravated damages
to a critical infrastructure computer. It is my understanding
that may be added at markup. However, I understand it may not
include a mandatory minimum. Would the Department support
including a mandatory minimum, as the President's proposal
does, as part of the Committee process?
Mr. Baker. The administration's proposal is to include a
mandatory minimum. Obviously, we want to work with Congress in
this area. We understand the concerns, and so we are happy to
work with the Committee. But we do think that this prohibition,
this new criminal offense, is something that we do need to
address and try to include.
Senator Grassley. Okay. This would be for Mr. Martinez. As
I stated in my opening remarks, I believe that we must take
cyber attacks seriously and ensure that our critical systems'
infrastructure is well protected from cyber criminals. However,
I am concerned that we provide too broad of a definition for
things like ``sensitive personal identifiable information,''
that we may desensitize that information and create complacency
within the public. Individuals that constantly receive data
breach notifications from their banks will begin to maybe
ignore them. A broad definition of ``sensitive personal
identifiable information'' could also overburden businesses by
requiring them to make unnecessary notification for what
amounts to public information that is easily obtainable through
Internet searches.
So how does the Secret Service define ``sensitive
personally identifiable information''?
Mr. Martinez. Senator Grassley, we identify it the same way
that it is laid out in the administration's bill and also as it
appears on the 1028(d)(7). I think what we also need to take
into account is when we look at what constitutes a data breach,
it includes the information you are referring to, but it also
includes Section (b) which states, ``which present a
significant risk of harm or fraud to any individual.'' So that
is taken into account along with the definition of ``personally
sensitive identifiable information'' in order to make
notification.
The other way I think we address it also is through
triggers. I think there are triggers in the bill that define
when notification needs to be made and when it does not.
In reference to the broad definition of ``personally
sensitive identifiable information,'' I will tell you that
there are individuals in the online criminal community that can
take that general information and put it together with
additional information that they have already compromised to
give you a better idea as to the information involving your
victim target. So, for example, I could take the first initial
and last name of an individual, his home address, and provide
it to one of these online criminal data brokers and say, ``Can
you run a credit report on an individual at this address with
this first initial and last name''? So that combined
information can then really cause harm to the victim.
Senator Grassley. Well, if banks send their customers a
breach notification that involves nothing more than their name,
address, or their mother's maiden name, do you agree that this
broad definition of ``sensitive personally identifiable
information'' could potentially desensitize the public
perception and maybe create a ``boy who cried wolf'' situation?
Mr. Martinez. There is a possibility that something like
that could happen, and that is why, again, I go back to the
administration's proposal that talks about significant risk of
harm or fraud. I think the organization, the company, needs to
take that into account, you know, before we start desensitizing
these intrusions by sending too many of these notices.
Senator Grassley. Well, if you would support narrowing the
definition of that term to cover information that leads to a
significant risk of identity theft, how would you narrow the
definition?
Mr. Martinez. I believe in the definition or in that area,
as it is submitted as part of the administration's proposal, it
talks about combining the PSII information with the second part
of it, which is, ``which presents a significant risk of harm or
fraud to that individual.'' I would add that section to the
bill as it is laid out in the administration's proposal.
Senator Grassley. And, last, if Congress were to give
rulemaking authority to modify the definition in the future,
what agency or combination of agencies would you suggest be
given that authority?
Mr. Martinez. I believe the FTC and I think also in
consultation with the Department of Justice, because the
Department of Justice is responsible for prosecuting these
cases, so I definitely think that the FTC has the expertise in
this area, and I think consultation with the Department of
Justice would also be good.
Senator Grassley. Thank you, Mr. Chairman.
Chairman Leahy. Well, thank you. And, incidentally, Mr.
Baker, I think the House of Representatives would find it very
difficult to accept the mandatory minimum, and certainly I do
not intend to include it in the bill that I will put forward.
Just in passing, I want strong penalties, but the mandatory
minimum is something that I worry can be abused.
Senator Coons.
Senator Coons. Thank you, Mr. Chairman.
I want to start by thanking the Chairman and the Ranking
Minority for convening this hearing. I think we have heard from
the Chairman, from the President, and from many leaders in the
private sector and public sector that this is one of the most
grave threats facing our Nation, that the number and complexity
of cyber crimes continues to grow year after year and the cost
and the impact on victims large and small continues to grow. So
I am glad we are continuing to press on this. I hope that the
Senate will, indeed, take the opportunity to move in a
bipartisan and responsible way to reconsider the CFAA, to amend
it in ways that deal with overbreadth or lack of clarity but
to, frankly, also strengthen the tools available to law
enforcement.
I want to focus on just a few simple points, if I could.
One is about training and the skill set that is available, both
in the Department of Justice and in the Secret Service. Mr.
Martinez, Special Agent Martinez, I was struck in your written
report about the scope of training available, the 1,400 agents
having gone through ECSAP training, the 31 ECTFs you referred
to, the institute in Alabama that I know Delaware law
enforcement has benefited from as well as many other States, I
think all States. But I am concerned about the depth of
training and the breadth of it.
There was an Inspector General report from the Department
of Justice just in April of this year that suggested that the
National Cyber Investigative Joint Task Force, actually a third
of the agents engaged lacked the necessary expertise in
networking and counterintelligence to be able to effectively
participate in intrusion cases, and that many of the field
offices also lacked the forensic and analytical capability. I
am clear that training is expensive, that we have lots of other
things on our needs list for the country, but this is not a
want that strikes me as a critical need. I would be interested
in comments from both of you, if I might, about what more we
can and should be doing to strengthen the training, the depth
and breadth of training by law enforcement.
And then as a follow-on to that, if I might, Special Agent
Martinez, you have, I think, a reserve commission. In Delaware
we have a National Guard unit that takes advantage of a lot of
the private sector strength and skills in our financial
services community to also bring them into training and make
them available as a resource. I wondered if both of you might
comment on the possibilities or the risks of engaging the
National Guard and the Reserve as a way to get some of the most
skilled private sector folks also engaged in some of the
national security-relevant pieces of ongoing forensic and
network defense and investigations. If you might, please,
first.
Mr. Martinez. Thank you, Senator. Yes, it is an expensive
undertaking to get these folks trained, and that is why we have
tried to force multiply, working with our partners. Cyber crime
is not something that can be solved by any one organization. We
all have to work in a collaborative way to do that. And we
think we are--that is what we have been trying to do with our
task forces, and not only partnering with State and local law
enforcement and other Federal partners, but also bringing the
private sector in.
There is a section of the administration's proposal which
actually talks about having folks from the private sector come
in to assist Government and so forth. So there is probably some
mechanism that has already been used in other parts of the
Government that can be used to help here.
One of the other issues that we see from cyber crime is
that we have a lot of involvement from Eurasian cyber criminal
organizations or some of the most robust organizations. In
speaking about the National Guard, there is potentially
something we should probably look into that is similar to some
of the activities that other Department of Justice
organizations, law enforcement organizations have done in the
past with the assistance of some National Guard entities in
other parts of the country, and specifically in the area of
linguistic capabilities. You know, that is one of our biggest
challenges, is the fact that a lot of these criminals are
Eastern European and speak Russian or a Russian dialect. There
is probably a way to get that same model that we set up in
narcotics enforcement for language translations and have that
sort of supplement what we do in cyber crime because these
individuals primarily communicate through some type of online
method, whether it is instant message, e-mail, or peer-to-peer,
and so there probably would be a good venue to get that type of
linguistic capability up to speed and utilize it in furtherance
of cyber crime investigations.
Senator Coons. Thank you. I would be happy to work with
you, if I can, in furthering that. And if you might, Associate
Deputy Attorney General Baker, please.
Mr. Baker. Sure, just a couple quick comments to amplify on
that.
I think with respect to the use of the National Guard, I
agree. We need to use all of our available resources. The key
there is to make sure we understand what hat they are wearing
when they are engaged in that role and to make sure that what
they are doing is consistent with the law and executive branch
policy, and then to make sure that we have appropriate privacy
protections in place and appropriate oversight to make sure
when any element of DOD, assuming they are acting in that
capacity and in that way, is engaged in these kinds of
activities. But I agree with your general point that we need to
make sure that we have the resources--that we use all the
resources that are available, especially if these people are
coming with particular skill sets that they have developed in
the private sector. That is absolutely critical.
Just real quickly on the IG report with respect to the FBI,
I would just note that the FBI, it was my understanding,
accepted all the recommendations from the IG, so they
understand it. They place a huge amount of importance on this,
and they get it as well.
Senator Coons. Great. Thank you. As we try to move
responsibly to strengthen law enforcement's toolkit, I also
want to make sure that we are striking the right balance, as
you mentioned, between privacy and continuing to be certain
that there are robust divisions between DOD authority and
domestic law enforcement, and that we are respecting the rights
of Americans and protecting individual liberties.
Thank you for your answers.
Senator Whitehouse [presiding]. I will be chairing the
remainder of the hearing, so that means I will be here until
the end. So to expedite my colleagues, let me defer my
questioning until the end, and so unless a Republican colleague
arrives, we will have Senator Klobuchar, then Senator Franken,
then Senator Blumenthal. Senator Klobuchar.
Senator Klobuchar. Thank you very much, Mr. Chair, and
thank you to both of you for working on this very difficult and
important area. I am glad that we are holding this hearing,
obviously, but also that we are moving ahead on legislation,
because I have heard time and time again, whether it is
confidential briefings with our Defense Secretary and others
about the concern of the cyber attack issue--and I certainly
have seen in a much smaller way in my previous job as a prosecutor
for 8 years just the growing, escalating number of cases that
we had involving just individuals being hacked or data stolen.
And I have introduced a number of bills in this area, and I
wanted to talk through some of those and how they could work
with the larger bill that we are working on.
Senator Hatch and I introduced a bill aimed at child
pornography that would require Internet service providers to
retain information on the IP addresses they assign to customers
for a minimum amount of time. This is information that the
providers already have and already retain, but some providers,
we have learned, keep it for longer periods than others, and
the bill would simply set a minimum retention period. The
providers would not be required to retain any content of a
person's online activity. It simply means that if law
enforcement sees illegal activity online, then they can tell
that it is emanating from a certain computer or device. They
would then be able to go to the Internet service provider and
get information on who owned that computer or device, and, of
course, they would need a subpoena to do that.
It seems to me that this could be an important reform not
just for child pornography cases but also for many of the types
of crimes that we have been talking about today. I do not know
if either of you would like to comment on that. Mr. Baker.
Mr. Baker. Yes, thank you, Senator. Just briefly, we agree
completely that this is a significant issue and it potentially
impacts a whole range of cases, including child exploitation,
gangs, other types of--you know, terrorism potentially,
national security crime. So we think it is a significant
problem.
We do not, unfortunately, have a cleared administration
position on how long and what types of data to retain and so
on, but I agree with your characterization of the basic idea
with respect to the proposals that we have seen. It is
certainly something we would like to work with you on because
it is a very, very important issue.
Senator Klobuchar. Agent Martinez.
Mr. Martinez. Yes, Senator. Digital crime scenes tend to
evaporate more quickly than traditional crime scenes, so
preserving data is an important part of any type of cyber
investigation. So we concur with Mr. Baker's comments that, you
know, some type of retention would be good to cyber
investigations.
Senator Klobuchar. Then another area is cloud computing,
and I think we are seeing more and more of that, for good
reasons: bringing down the cost of data storage, computing for
businesses, consumers, and government alike. However, we need
to also ensure that our laws are keeping up with the new
technology. Cloud computing represents a unique challenge. The
way the data is stored and accessed in the cloud makes it
sometimes hard to prove the damages that are currently required
by the Computer Fraud and Abuse Act. And so we are looking at
how we can make sure that those damages can be proved when you
are dealing with the cloud, and I do not know if you want to
comment at all about that and what is happening with hacking.
Mr. Martinez. Again, I go back to the crime scene. A cloud
crime scene is much more difficult to solve than to try to get
evidence from a traditional crime scene. So it is going to be a
challenge to make sure that when we respond to an organization
that is storing information in the cloud, that that
organization knows exactly where that information is at and,
you know, make sure that law enforcement can access that
information in a quick manner.
I go back to, you know, the fact that digital evidence
evaporates a lot quicker, so it is going to be incumbent on
organizations that establish some type of cloud computing
environment that they know the layout or the topography of
their information. And the other challenge that we also face
is, you know, if the information is stored in the cloud and
that cloud is out of the jurisdiction of the United States,
what challenges might that pose to us?
Senator Klobuchar. And that is why we are trying to put in
here some structure for other countries to work together on
these things, because that is going to be key as we move
forward.
Shifting to another topic, do you think the jail terms and
the fines in the current law are severe enough to have a
substantial effect in deterring or reducing cyber attacks? And
how about in the proposal before us?
Mr. Martinez. I think the administration's proposal does a
very good job of addressing that. And, in fact, I used some
examples where we have charged cyber criminals with other
offenses as identified by Mr. Baker, where these individuals
were charged with either wire fraud or credit card fraud or
bank fraud that received significant jail terms, in excess of
10, 15, 20 years. That is definitely a deterrent to criminals
that conduct this type of activity.
If you look at our Verizon data breach investigative
report, we see a larger number of intrusions occurring right
now, but we do not see as many of the large-scale intrusions
that we have seen in the past. We think part of the reason for
that is the deterrent factor that these stiff sentences have
had on these criminal organizations. So to get a statute like
1030, the Computer Fraud and Abuse Act, up to par with some of
these other ones we believe will make a deterrent against
criminals that are undertaking these types of intrusions.
Senator Klobuchar. Okay. Then just one last question, Mr.
Chair, if I could. Economic espionage is clearly a drain on the
American investment in our country, our talent, whether it is
blueprints to the way a manufacturing facility is set up or a
design of a dress. Does, do you believe, the Computer Fraud and
Abuse Act adequately combat the problem of economic espionage?
And do you think the administration's proposals help with this?
Are there more things that we should be doing as we look even
away from the cyber attacks on Government and look into what
has been going on in the private sector?
Mr. Martinez. I think Mr. Baker could better answer that
than I.
Senator Klobuchar. Mr. Baker.
Mr. Baker. Absolutely. I mean, the focus of the Computer
Fraud and Abuse Act is sort of on the means that are used to
perpetrate the crime that I think you are talking about. We
would fully support efforts to try to make sure that we can
address the type of crime that you are concerned about because
we are very concerned about it as well. I think that our
proposals in the administration's legislation would be
effective in addressing the type of crime. But if there were
particular things that we should focus on, we would be happy to
work with you on that because it is a huge problem, and the
theft of our intellectual property is a very, very significant
problem for the country.
Senator Klobuchar. Have you seen instances of retaliatory
hacking where groups actually go after people that are working
on this, these issues?
Mr. Baker. Groups go after a lot of different people
working on a whole range of issues, and, you know, I guess I
would defer to Special Agent Martinez on the cases because--
well.
Mr. Martinez. Yes, I think no one is immune from these
types of intrusions and attacks. I think we have seen a lot of
these types of attacks have been reported in the media, and
there is a lot that happen. So I do not think anybody is immune
from this type of cyber attack.
Senator Klobuchar. Thank you very much.
Senator Whitehouse. Senator Franken.
Senator Franken. Thank you, Mr. Chairman.
Mr. Baker, I want to ask you a question to follow up on a
question from Chairman Leahy. In recent cases the Department of
Justice has actually argued that the violation of a website's
term of service or an employer's computer use policy can
constitute a Federal crime under the Computer Fraud and Abuse
Act. In other words, under this interpretation of the statute,
people could conceivably be guilty of a Federal crime for
checking their gmail or the weather if their employer's
computer policy prohibits them from using their computers for
personal reasons. Two Federal judges have found this reading of
the statute to be unconstitutional because people do not read
those policies, and when they do, they can be, as you know,
long and complex and full of fine print.
Don't you think it would be worthwhile to somehow address
the concerns of those Federal judges in updating this statute?
Mr. Baker. Thank you for that question. As I said earlier,
Senator, we would be happy to work with folks to address these
kinds of concerns. I think that the challenge is to address
those concerns and at the same time not create a significant
loophole that would allow somebody, for example, who worked at
the Social Security Administration, the IRS, the U.S. passport
office, or a bank to take information in violation of their
employer's policies and misuse it for some purpose, either to
spy on somebody that they know or to take information and pass
it to others to actually steal money. So I think this insider case
where somebody violates the rules of their employer using a
computer is a very challenging thing to address and at the same
time address the types of concerns that you suggest.
The difficulty is that, you know, we have to think about
how and whether we should have a regime that is parallel to the
actual physical world. So if an employer says, ``Well, you can
use the petty cash for certain purposes but not for other
purposes,'' and somebody takes the cash and spends it on
something that they are not supposed to, we would prosecute
them, potentially, depending upon the amount, for fraud. And so
the question is or the issue is employers all the time set
rules about what can be done with their resources. Do we want
to make a difference--or how do we want to differentiate the
cyber world from the physical world? So I think these are real
challenges, but we understand what you are saying, and
obviously we have read those opinions, and we have heard loud
and clear what the judges were saying, and in the Drew case, in
particular, we decided not to appeal in that case.
Senator Franken. Okay. Thank you.
Again, Mr. Baker, I know that this is not technically the
subject of the hearing, but since you are here, I want to ask
you about the administration's data breach proposal. The
administration's proposal would require certain companies
holding ``sensitive personally identifiable information'' to
notify their customers if that information is breached. I was
surprised to see that the administration's definition of
``sensitive personally identifiable information'' did not
include an individual's geolocation. Today many companies
literally have minute-to-minute records of everywhere a
smartphone user has been over a period of months. In my mind,
that information can be just as sensitive, if not more
sensitive, than one's home address, which is covered under the
definition.
Would you consider amending your proposal to include
geolocation in the definition of ``sensitive personally
identifiable information''?
Mr. Baker. I think certainly, Senator, we would be open to
looking at that issue. I would have to look at it again. There
may be parts of this that would cover that type of information,
depending on how it was stored in an account or something
already. But in terms of focusing on it directly, I think we
would be open to that.
I would just note that, because we looked at the
geolocation question in a variety of different contexts,
defining geolocation information is tricky, and so we would
have to make sure that we got that right in order to include
the kinds of things that you are concerned about but not sweep
in a bunch of other stuff. But I would be happy to work with
you on that, or the Department would be happy to work with you
on that.
Senator Franken. Good. Thank you.
I also noticed that this proposal gives companies up to 60
days to notify their customers of a breach of their sensitive
personally identifiable information. That period seems long to
me. A criminal can do a lot of damage with someone's Social
Security number in 2 months. Why can't we have a quicker
deadline or shorter deadline for notification?
Mr. Baker. I think on that as well, Senator, we would be
happy to work with you on that, because the one thing to think
about, though, is there is invariably some lag time, because
there will be a breach and it might take a short period of time
for the company to become aware of it. And then I think you
want some period of time where the company is required to go to
law enforcement and law enforcement can make some assessment
about whether we want them to report. We may have an undercover
operation ongoing, let us say, to try to target these people.
They have been doing a variety of different breaches, and so we
have an operation. We do not want them to know that we are on
to them. So we may in a particular circumstance ask the company
to hold off on the notification because it might harm----
Senator Franken. Okay.
Mr. Baker. So we want some period of lag time. The trick is
to find out what that is, and so I think we would be happy to
work with you on that. I do not think there is any magic with
respect to the 60-day number.
Senator Franken. Okay. It looks like we have got a lot of
little things to work on.
Mr. Baker. Sure.
Senator Franken. Okay. Thank you, Mr. Baker.
Mr. Baker. Okay.
Senator Franken. Thank you, Mr. Chairman.
Senator Whitehouse. Senator Blumenthal.
Senator Blumenthal. Thank you, Mr. Chairman, and thank you
both for being here today. I want to second the concerns just
raised by Senator Franken about the 60-day period, which I
think is way too long in the majority of instances. I recognize
there may be some law enforcement activity that requires some
lag time, but it seems to me that an exception can be carved
out for that kind of specific--and I do mean explicit and
specific--law enforcement activity that justifies a delay
rather than having a blanket 60-day period, which seems
excessively long.
I want to focus--and I was very interested and impressed by
your comments on infrastructure vulnerability and potential
assaults on that aspect of our economic and security activity.
We hear a lot of talk about potential cyber assaults on our
information, whether it is electric or gas. Should there be a
stronger requirement for those facilities or companies
themselves to take proactive and preventive measures? Right now
it seems to me if there are any provisions, they are
egregiously weak in light of the public responsibility of those
private institutions. And so I wonder whether you would care to
comment on that.
Mr. Baker. Yes, Senator, thank you. I think that is
addressed in other parts of the bill where the role of the
Department of Homeland Security with respect to helping to set
standards and then monitoring compliance with standards, I
think that is more directed at the kind of concern, very
legitimate and absolutely correct concern that you have with
respect to that. I am not sure--I would have to think about it
for a minute, but I am not sure that the specific proposal we
are talking about with respect to the CFAA, for example, would
address that. But I think that the larger concern about the
critical infrastructure--and, you know, again, the whole point
of all this is to prevent anything from happening. It is one
thing to prosecute after the fact, but we want to prevent
things from happening. We want to deter activity, and we want
to make sure that entities have in place the appropriate means
to protect themselves and the incentives to do that.
I think we would be happy to work with you on any way that
is reasonable that would further those goals.
Senator Blumenthal. And I agree, deterrence is one way to
prevent criminal activity, but not always an effective way in
light of the interests and stakes. And you mentioned extortion.
A potential penalty of 3 years, even if it is a minimum, may
not be enough to deter someone from this kind of----
Mr. Baker. That is right.
Senator Blumenthal. Do other parts of your--meaning the
Federal Government's--proposals include penalties, whether
civil or criminal, for the failure of these infrastructure
institutions to take preventive measures?
Mr. Baker. They do not include criminal prohibitions or
penalties for failing to take these types of measures. I think
the idea was to have a lighter touch with respect to building
incentives into the system to try to get entities to enhance
their cyber security. So I do not think that that is part of
the proposal.
Senator Blumenthal. What about civil penalties?
Mr. Baker. The same thing. I think the idea is not to incur
civil penalties, but to provide appropriate information and
disclosures with respect to the state of affairs with respect
to particular entities.
Senator Blumenthal. Because that really is the thrust of my
question to you, whether there should be--taking a broader
view, I recognize it is Homeland Security, not the Department
of Justice, but if there is no effective remedy for the failure
to take such measures, I wonder how effective the standards and
advice and counseling will really be, given the economic
pressures that these companies may have and given their
relative lack of sophistication in this area. Financial
institutions are much more likely to be deep into this subject
because of the nature of what they do. Their entire business is
conducted with computers, and so they are familiar with making
those computers less--and more so the other infrastructure
every day where smart energy use involves this kind of work.
But I guess my point to you is that I think that we do need to
consider some kind of stick as well as carrot in this area.
Mr. Baker. I agree, Senator, and I think there are existing
incentives that some folks have just not focused on, I think.
For example, there is a loss of good will with your customers
when you face a serious breach. That is one thing. You are
losing money. You are losing your intellectual property. You
have obligations to your shareholders to inform them about the
state of affairs with respect to your company. That may be
something that the SEC is looking at--or should look at, I
guess. Others have suggested that. Senator Whitehouse, in fact,
I think suggested that with perhaps Senator Rockefeller.
And so there are a whole range of different incentives
built into the system today that I guess you would have to say
do not seem to be effective because we still have a very
significant problem that we need to address, as you have
suggested.
Senator Blumenthal. And my time has expired, but again I
want to thank you, and I would just suggest that if we are that
concerned about the information vulnerability, maybe those
incentives are not working as well as they should.
Thank you.
Senator Whitehouse. Mr. Baker, welcome back.
Mr. Baker. Thank you, Senator.
Senator Whitehouse. A quick question. Is it clear that the
cloud is a computer within the meaning of the statute?
Mr. Baker. The current statute? Well, I think that the
elements of the cloud are. I would have to look at it. I can
pull out the definition of a ``protected computer.'' But I
would think that because it generally includes any computer
connected to the Internet, the cloud itself at a particular
cloud provider is going to be included within the definition of
a ``protected computer.''
Senator Whitehouse. When was the statute, 2008?
Mr. Baker. Yes, I think that is right.
Senator Whitehouse. So that is, believe it or not, in cyber
time a generation or so, and it kind of dates back to when it
was presumed that data was actually in a computer. And since
that is no longer the way this works, I just wonder that you
may find that you run into definitional problems, particularly
if criminal statutes are intended to be narrowly construed.
Anyway----
Mr. Baker. I agree with that, and as I think I suggested,
if we expand anything with respect to something called ``the
cloud,'' we need to make sure that we define that
appropriately.
Senator Whitehouse. Where do you think your defendants are
most likely to be under this provision of law?
Mr. Baker. We face substantial threats--and I will defer to
Special Agent Martinez on this as well, but we face substantial
threats from domestic actors, domestic malicious actors, as
well as international. So, as you know very well, there is a
very substantial threat that we face from actors based
overseas.
Senator Whitehouse. Yes, and it worries me to go back to
Chairman Leahy's question. You said that there are 230
prosecutors who are working in this area. Where do you get the
230 number? Does that include the people assigned to the United
States Attorney's Offices who are the designated cyber
prosecutors?
Mr. Baker. Yes. That includes those people plus folks at
Main Justice who are dedicated to this type of activity. Again,
it does not include necessarily the fraud prosecutors, the
child exploitation prosecutors, because they are dealing with
criminal activity on the Net as well.
Senator Whitehouse. So you and I both know that out in the
United States Attorney's Offices the designated cyber
prosecutors are doing other stuff.
Mr. Baker. Absolutely.
Senator Whitehouse. So the number in terms of FTE, or
whatever you would want to call it, is actually considerably
less than 230. Because these cases very often involve overseas
activity, you have added a RICO predicate here, which I think
is great. But RICO cases are complicated. I do not know to what
extent the Department requires departmental oversight of this.
If you do, for instance, a public corruption case and you are a
U.S. Attorney, you have to check in with the Department all the
time on that, and it adds a lot of work and effort and burden
to the case, probably with good reason. How closely does the
Department supervise and require engagement with a U.S.
Attorney's Office that is prosecuting a cyber case? If you are
doing a Hobbs Act case, you are kind of on your own. The
Department really barely ever checks in if you are doing a--
where on the spectrum is this in terms of the Department
requiring a lot of back-and-forth with the U.S. Attorney's
Office?
Mr. Baker. Just a quick comment on the RICO case. If
adopted by the Congress, the RICO provision would be subject to
the same type of oversight by the Department, so just to make
sure that is clear.
With respect to existing criminal activities with respect
to cyber crimes, there is a range. Some U.S. Attorney's Offices
have a significant number of trained prosecutors who know how
to do this. You know, they are in large offices, and so they
consult with Main Justice as needed. Other districts where they
do not encounter this type of activity as much or do not
prosecute the cases as much, they are going to rely more
extensively on our computer fraud----
Senator Whitehouse. So if a U.S. Attorney's Office has the
internal capability to handle a significant cyber case, they
can run with it on their own without a lot of supervision by
Main Justice?
Mr. Baker. That is essentially correct, I think, yes.
Senator Whitehouse. Well, that lifts at least one burden
off of this, but still, when you divide the 230 down for the
extent to which those are people who are actually doing
something different, and when you look at the complexity of
RICO cases of chasing people down internationally, probably
having to coordinate with our intelligence services to get
information about the foreign bad actors, I just continue to
worry that we are sorely, sorely understaffed for this.
How would you evaluate, how does the Department evaluate
the risk of a cyber attack on the country and the constant
regular day-to-day onslaught of cyber attacks in the Nation's
priorities?
Mr. Baker. In the Nation's priorities, I mean, I think that
the threat of a cyber attack or addressing the threat of a
cyber attack is very high on the list of priorities for the
Nation, not only for the Department of Justice but for the
entire Defense Department, the intelligence community, and all
elements of Government. We are very, very concerned about that
kind of thing. So it is very high on the list of priorities.
Senator Whitehouse. And just day to day, there are tens of
thousands of attacks. We are having a hemorrhage of our
intellectual property, mostly over to China, but to other
places. There is an immense amount of crime and fraud that
takes place, and that is kind of the baseline. If you put the
baseline together with the risk of a really significant
knock-down cyber attack on the country, doesn't that equate in terms
of risk to national security of, for instance, our exposure to
drug crime or our exposure to the hazard of alcohol, tobacco,
firearms, and explosives?
Mr. Baker. As you know, there is a huge problem with many
elements to it. We have to address all of them basically
simultaneously because there is an onslaught of attacks, as you
have described, every day. ``Attacks''? Let me back up. There
is an onslaught and intrusions and computer activity, malicious
activity all the time. Whether something is an attack or not,
let us put that aside for a second.
Senator Whitehouse. Yes, understood.
Mr. Baker. Let me back up 1 second. It is important to make
sure that we have adequate resources to deal with these crimes
and these activities. It is also important that we make sure we
have in place, when we catch someone, the appropriate
penalties, the appropriate language in various statutes to make
sure that somebody does not get out on a technicality and
things like that. So what I think we are focused on today, at
least in my comments, on the CFAA is to make sure that we have
the statutory structure to address the crime. What we need to
do then is go after the criminals, and we need to have all the
kinds of resources that we have been talking about today, the
Secret Service, the FBI, and that other elements of the
Government have.
Senator Whitehouse. I understand that. I am just worried
that we are going to pass this bill as it ends up being
amended, that it will go into effect, and we are going to pat
ourselves on the back for having done something good about
protecting America from cyber crime and from cyber attack, and,
in fact, what we have done is overlooked the resource
disadvantage that we have put ourselves at.
Mr. Baker. Well, I agree completely. When you look at how
the Nation has faced the threat from counterterrorism since
9/11, we have not just done one piece. We have done a whole range
of things since then, and we need to dedicate ourselves to that
kind of effort for a prolonged period of time in terms of
dealing with this cyber threat. It is going to evolve over
time. The adversaries have significant resources themselves
devoted to it, and we face substantial risks if they are
successful.
Senator Whitehouse. When DNI Clapper had his confirmation
hearing in the Intelligence Committee, he listed the threats to
America's national security. The No. 1 was cyber.
I wanted to just follow up quickly on the question that I
think Senator Franken asked, and I think Chairman Leahy did
also, about violating the terms of a service agreement and
criminalizing basically contracts with--violations of contracts
with your provider. When you were asked that question, you
responded with an example of somebody who was stealing large
amounts of petty cash. I would just suggest to you that there
is a difference between stealing petty cash, which I think
every American understands that stealing cash is a bad thing to
do, with violating the terms of fine print in contracts. I do
not think there has ever been a society more bedeviled by fine
print in contracts than America is right now. The average
American has so much fine print in all of the computer programs
they download, in all of their service agreements, in the cell
phone contract. I mean, wherever you look, everything you do
with the bank has pages, your credit card agreement is probably
20 pages long of fine print. Americans are absolutely tormented
with fine print. And I do think that it would be very salutary
for the Department of Justice to put out a proper, solid
prosecution policy that would reassure Americans that it is not
the Department of Justice's intention in pursuing these
criminal offenses to go after somebody who comes in under the
wrong name on Facebook or who, you know, one way or another is
out of compliance with a private contract that they have
entered into that is probably a contract of adhesion more or
less in the sense that they did not really negotiate it and it
is multiple pages long and the average person does not even
read it.
I think you want to be out of that business, and I think
the cases that raise that question really throw the
Department's prosecution in this area, its activities in this
area in a pretty bad light. They have had a lot of attention
today. It is attention that I do not think you need, and I
think there is a clear difference between going after somebody
who goes into the petty cash drawer and takes money out, which
everybody knows is wrong, and somebody who sends an
unauthorized e-mail or accesses a program that they are not
supposed to. I just think you need to be a lot more careful
about that and make sure you are going after who you should be,
and that I think will calm down a lot of the concern about
this, because it really does lend itself to abuse if it becomes
a Federal crime to violate the fine print of all the
innumerable contracts that Americans are now subjected to.
Mr. Baker. I do not think that we have actually done that.
I think that our performance with respect to enforcing the CFAA
has been better than that. And so I would submit that, you
know, consistent and pursuant to oversight of this Committee in
particular, we have not done that. I think the case that people
are concerned about, the Drew case, did not involve--it was not
just some random case of somebody who happened to violate some
terms of a service agreement. It was a case involving
individuals essentially goading a 13-year-old girl into
committing suicide, and I think it is understandable that law
enforcement would take a dim view of that and try to address
that kind of situation to the fullest extent of the law. In
that particular situation, as I noted, the judge disagreed
strongly with our interpretation of the statute. We reviewed
his decision, and we decided not to appeal. And I do not think
it is accurate for those who--I mean, we understand why people
are concerned about the kinds of issues that you have raised
with respect to terms of service agreements and all these
different contracts and so on. We get that. We understand that
completely.
What we are trying to do is find a way to address those
concerns and at the same time not let people off the hook who
are insiders in particular companies.
Let me back up. The key thing is this term ``exceeds
authorized access'' in the statute.
Senator Whitehouse. Yes.
Mr. Baker. As you well know. And so the key is: How do you
avoid the kind of cases that you are very concerned about and
yet at the same time not let off the hook somebody who works,
again, at the IRS, the Social Security Administration, you name
it, or some bank, to go in, take information, and misuse it for
some particular purpose.
So we are happy to work with people to address these kinds
of concerns. I will definitely take back your suggestion about
issuing some clear policy statement. Maybe that would be
helpful in this area.
Senator Whitehouse. I think you are better off doing it
yourself than counting on Congress to try to draw that fine
line and that moving line. So I would recommend that.
Well, I have gone well beyond my time, which I was able to
do since nobody else is here, so it was no prejudice to any
colleague. And I want to express my appreciation, Special Agent
Martinez, to you for the work that you and the Secret Service
are doing in this area, and to you, Mr. Baker, for the work the
Department of Justice is doing and for your long and very
meritorious service to our country in these areas of national
security.
As you know, I continue to believe that we are sorely
underresourced in this area and that if you put the 230
prosecutors, many of whom are part-time--or no-time, depending
on the nature of the district's caseload--up against, say, the
Drug Enforcement Administration and ATF and major organizations
like that that are working diligently and properly on threats
to our National security and to our National well-being that
are probably no greater than the threat we have from cyber
crime and cyber attack, there is a huge disconnect. And I would
urge that you and the administration ramp up a more energized
proposal about how we can go after these folks, particularly
bearing in mind how immensely complicated each one of these
cases is going to be as you have to track down people in
foreign countries and work through all of the complexities of
engaging with foreign law enforcement authorities and dealing
with the RICO statute. These are not easy cases, and they take
an immense amount of work just to do the forensic preparation
of the case.
So as I said, my message is good job on the statute.
Obviously, we are not going to agree with everything you have
put in, but I think we do need to improve it. But the
rhinoceros in the living room is the resource question, and it
is fine to improve the statute, but we have really got, I
think, to be much more aggressive about this in terms of--I
know that individually everybody is doing a wonderful job. It
is not your fault that there are not more of you to do this.
But I think it is important for Congress to act in this area.
Thank you very much. We will keep the record open for 1
week, if anybody cares to add anything to it, and the hearing
is adjourned. Thank you.
[Whereupon, at 11:30 a.m., the Committee was adjourned.]
[Submissions for the record follow.]
[GRAPHIC] [TIFF OMITTED] T0751.001 through T0751.047