b'<html>\n<title> - INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n        INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                   SUBCOMMITTEE ON CRIME, TERRORISM,\n                 HOMELAND SECURITY, AND INVESTIGATIONS\n\n                                 OF THE\n\n                       COMMITTEE ON THE JUDICIARY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 13, 2013\n\n                               __________\n\n                           Serial No. 113-14\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n      Available via the World Wide Web: http://judiciary.house.gov\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n79-878                    WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202\xef\xbf\xbd09512\xef\xbf\xbd091800, or 866\xef\xbf\xbd09512\xef\xbf\xbd091800 (toll-free). E-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="2f485f406f4c5a5c5b474a435f014c404201">[email&#160;protected]</a>  \n\n\n                       COMMITTEE ON THE JUDICIARY\n\n                   BOB GOODLATTE, Virginia, Chairman\nF. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan\n    Wisconsin                        JERROLD NADLER, New York\nHOWARD COBLE, North Carolina         ROBERT C. ``BOBBY\'\' SCOTT, \nLAMAR SMITH, Texas                       Virginia\nSTEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina\nSPENCER BACHUS, Alabama              ZOE LOFGREN, California\nDARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas\nJ. RANDY FORBES, Virginia            STEVE COHEN, Tennessee\nSTEVE KING, Iowa                     HENRY C. ``HANK\'\' JOHNSON, Jr.,\nTRENT FRANKS, Arizona                  Georgia\nLOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico\nJIM JORDAN, Ohio                     JUDY CHU, California\nTED POE, Texas                       TED DEUTCH, Florida\nJASON CHAFFETZ, Utah                 LUIS V. GUTIERREZ, Illinois\nTOM MARINO, Pennsylvania             KAREN BASS, California\nTREY GOWDY, South Carolina           CEDRIC RICHMOND, Louisiana\nMARK AMODEI, Nevada                  SUZAN DelBENE, Washington\nRAUL LABRADOR, Idaho                 JOE GARCIA, Florida\nBLAKE FARENTHOLD, Texas              HAKEEM JEFFRIES, New York\nGEORGE HOLDING, North Carolina\nDOUG COLLINS, Georgia\nRON DeSANTIS, Florida\nKEITH ROTHFUS, Pennsylvania\n\n           Shelley Husband, Chief of Staff & General Counsel\n        Perry Apelbaum, Minority Staff Director & Chief Counsel\n                                 ------                                \n\nSubcommittee on Crime, Terrorism, Homeland Security, and Investigations\n\n            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman\n\n                  LOUIE GOHMERT, Texas, Vice-Chairman\n\nHOWARD COBLE, North Carolina         ROBERT C. ``BOBBY\'\' SCOTT, \nSPENCER BACHUS, Alabama              Virginia\nJ. RANDY FORBES, Virginia            PEDRO R. PIERLUISI, Puerto Rico\nTRENT FRANKS, Arizona                JUDY CHU, California\nJASON CHAFFETZ, Utah                 LUIS V. GUTIERREZ, Illinois\nTREY GOWDY, South Carolina           KAREN BASS, California\nRAUL LABRADOR, Idaho                 CEDRIC RICHMOND, Louisiana\n\n                     Caroline Lynch, Chief Counsel\n\n                     Bobby Vassar, Minority Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                             MARCH 13, 2013\n\n                                                                   Page\n\n                           OPENING STATEMENTS\n\nThe Honorable F. James Sensenbrenner, Jr., a Representative in \n  Congress from the State of Wisconsin, and Chairman, \n  Subcommittee on Crime, Terrorism, Homeland Security, and \n  Investigations.................................................     1\nThe Honorable Robert C. ``Bobby\'\' Scott, a Representative in \n  Congress from the State of Virginia, and Ranking Member, \n  Subcommittee on Crime, Terrorism, Homeland Security, and \n  Investigations.................................................     3\nThe Honorable Bob Goodlatte, a Representative in Congress from \n  the State of Virginia, and Chairman, Committee on the Judiciary     8\nThe Honorable John Conyers, Jr., a Representative in Congress \n  from the State of Michigan, and Ranking Member, Committee on \n  the Judiciary..................................................    12\n\n                               WITNESSES\n\nJenny S. Durkan, United States Attorney, Western District of \n  Washington, U.S. Department of Justice\n  Oral Testimony.................................................    15\n  Prepared Statement.............................................    18\nJohn Boles, Deputy Assistant Director, Cyber Division, Federal \n  Bureau of Investigation, U.S. Department of Justice\n  Oral Testimony.................................................    29\n  Prepared Statement.............................................    32\nRobert Holleyman, President and CEO, BSA, The Software Alliance\n  Oral Testimony.................................................    38\n  Prepared Statement.............................................    40\nOrin S. Kerr, Fred C. Stevenson Research Professor, George \n  Washington University Law School\n  Oral Testimony.................................................    45\n  Prepared Statement.............................................    47\n\n          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING\n\nMaterial submitted by the Honorable Robert C. ``Bobby\'\' Scott, a \n  Representative in Congress from the State of Virginia, and \n  Ranking Member, Subcommittee on Crime, Terrorism, Homeland \n  Security, and Investigations...................................     5\nMaterial submitted by the Honorable Bob Goodlatte, a \n  Representative in Congress from the State of Virginia, and \n  Chairman, Committee on the Judiciary...........................     9\nPrepared Statement of the Honorable Bob Goodlatte, a \n  Representative in Congress from the State of Virginia, and \n  Chairman, Committee on the Judiciary...........................    11\nPrepared Statement of the Honorable John Conyers, Jr., a \n  Representative in Congress from the State of Michigan, and \n  Ranking Member, Committee on the Judiciary.....................    13\n\n\n        INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS\n\n                              ----------                              \n\n\n                       WEDNESDAY, MARCH 13, 2013\n\n                        House of Representatives\n\n                   Subcommittee on Crime, Terrorism, \n                 Homeland Security, and Investigations\n\n                       Committee on the Judiciary\n\n                            Washington, DC.\n\n    The Subcommittee met, pursuant to call, at 11:35 a.m., in \nroom 2237, Rayburn Office Building, the Honorable F. James \nSensenbrenner, Jr. (Chairman of the Subcommittee), presiding.\n    Present: Representatives Sensenbrenner, Goodlatte, Gohmert, \nCoble, Forbes, Franks, Chaffetz, Gowdy, Scott, Conyers, Chu, \nand Richmond.\n    Staff present: (Majority) Caroline Lynch, Chief Counsel; \nSam Ramer, Counsel; Alicia Church, Clerk; (Minority) Bobby \nVassar, Minority Counsel, and Joe Graupensperger, Counsel.\n    Mr. Sensenbrenner. Because the President is coming to \naddress the Republican Conference of the House, this hearing \nwill end at 1:00 sharp. So would everybody please make note of \nthat and judge their time accordingly?\n    I would like to welcome everybody to the first hearing of \nthe Subcommittee, acknowledge the Ranking Member, the gentleman \nfrom Virginia, Mr. Scott, and also welcome the full Committee \nChair, Mr. Goodlatte.\n    Today\'s hearing will investigate our focus on how America \ninvestigates and prosecutes 21st century cyber threats. The \nUnited States has been the subject of the most coordinated and \nsustained computer attacks the world has ever seen. Rival \nnations, particularly China, have been invading corporate \ncomputer systems and stealing intellectual property at an \nincreasing rate.\n    Spying between governments has always been a fact of life, \nbut in the digital age the spying is more pervasive and harder \nto guard against. The systematic and strategic theft of \nintellectual property by foreign governments threatens one of \nAmerica\'s most valuable commodities, our innovation and hard \nwork.\n    In 2011, the American Superconductor Corporation supplied \nsophisticated software for wind turbines to Sinovel, a giant \nChinese wind turbine corporation. When American engineers went \nto China to repair a wind turbine, they discovered that Chinese \nwind turbines were already using a stolen version of the \nAmerican software. Worse, the Chinese company had complete \naccess to the American company\'s proprietary source code. \nBecause they possessed this important code, the Chinese did not \nneed the American Superconductor Corporation anymore.\n    A few months later, Sinovel abruptly began turning away \nshipments. On April 5, 2011, the American Superconductor \nCorporation had no choice but to announce that Sinovel, its \nbiggest customer, accounting for more than two-thirds of the \ncompany\'s $315 million in revenue in 2010, had stopped making \npurchases. The result for the American company: investors fled, \nerasing 40 percent of the company\'s value in a single day, and \n84 percent of its value by September 2011.\n    This week, the Obama Administration has finally increased \npublic pressure on Chinese cyber spying. On Monday, the \nPresident\'s national security advisor announced what the media \nhas called the White House\'s most aggressive response to a \nseries of military-style hacks of American corporations. \nDescribing the problem as a key point of concern in discussion \nat all levels of government, Mr. Donilon said Beijing should \ntake serious steps to investigate and put a stop to these \nactivities. I agree.\n    The fact that such mild comments have been termed the \nAdministration\'s most aggressive ever may be part of the \nproblem. When one country decides to advance its economy by \nstealing our intellectual property, we must do more than simply \nask Beijing to investigate. Make no mistake. Sinovel stole \nhundreds of millions of dollars from the American \nSuperconductor Corporation. This is a company that received \nover $20 million in stimulus money from U.S. taxpayers. But far \nfrom demanding our $20 million, the Administration\'s strongest \nrebuke has been to ask that Beijing take serious steps to \ninvestigate.\n    We simply cannot outsource the fight against cybercrime to \ninternational diplomacy. The theft of valuable intellectual \nproperty is a serious strategic threat to the American economy, \nand it must be treated as such by U.S. law enforcement.\n    Congress has repeatedly addressed the issue of cybercrime. \nIn 2000 or in 1986, Congress implemented the Computer Fraud and \nAbuse Act as a tool for law enforcement to combat computer \ncrimes. As computer crimes continue to evolve, so, too, has the \nCFAA, which Congress has amended eight times since its \nenactment. It may be time for Congress to augment and approve \nthe CFAA and other criminal statutes to enable law enforcement \nto combat international criminal enterprises.\n    The Administration has taken initial steps to address the \ngrowing cyber threat. We applaud the Administration for its \nefforts, but it remains to be seen whether these steps will \nactually work.\n    Today the Committee will look at the criminal laws and \ninvestigative tools to combat cybercrime. We will determine \nwhat changes can be made to our criminal laws to more \neffectively combat and deter the cyberattacks we are enduring. \nWe will discuss what protection can be provided for the privacy \nof Americans through data breach notification laws, and we will \ndiscuss what steps can be taken by this Committee to protect \nthe intellectual property and sensitive government information \nthat hackers in foreign governments seek to obtain.\n    As we saw from China\'s cyberattack on Google and other \ncompanies, America\'s edge in innovation and technical \nsuperiority can be compromised by competing countries that make \ntheft of intellectual property a national strategy. I look \nforward to hearing more about this issue and thank all of our \nwitnesses for participating in today\'s hearing.\n    It is now my pleasure to recognize for his opening \nstatement the Ranking Member of the Subcommittee, the gentleman \nfrom Virginia, Mr. Scott.\n    Mr. Scott. Thank you, Mr. Chairman.\n    Mr. Chairman, because of our growing reliance on Internet \nand computer networks, I welcome today\'s hearing to examine the \ncyber threats we face and to discuss how we can better protect \nourselves against them.\n    This hearing comes at a time when there\'s a rise in the \ndisparity of cyber threats, and so an update of our computer \ncrime statutes may have to be considered. It is critical that \nwe work together on this effort with the Members of Congress, \nAdministration, with the business community, and with private \nadvocates to find ways to enhance the security of our \ngovernment information systems, business computer systems, and \nour personal use of the Internet.\n    And while it is the job of Congress to evaluate and update \nour laws in response to changing circumstances, we have to be \ncareful that any changes we make will actually improve the law, \nand not just ratchet up penalties in an exercise of sound bite \npolitics. Often the problem is a lack of enforcement, \ninvestigation, and prosecution, and so penalties become \nirrelevant if a case is not even investigated in the first \nplace.\n    This is particularly important in the case of the Computer \nFraud and Abuse Act, a law whose breadth of scope and sometimes \nquestionable application has already generated concern by \ncitizens and narrowing by the courts. In the last Congress, we \nmet to discuss many of these same issues, and the cyber threats \nof course remain an urgent issue of national economic and \npersonal security. At that time, I raised concerns about one \nprovision in the proposed law, and that was the mandatory \nminimum sentencing for certain crimes of damaging political \ncritical infrastructure computers.\n    This Committee has heard a lot of testimony on mandatory \nminimums. They have been found to waste the taxpayers\' money, \ndo nothing about crime, and often result in sentences that are \nviolative of common sense. This Committee has recently also \nfocused on the issue of federalism, so we have to be concerned \nabout whether the Computer Fraud and Abuse Act appropriately \nfocuses on behavior that we all believe rises to the level of \nFederal criminal liability.\n    That statute was originally enacted to deal with intrusions \ninto computers, what we now call hacking, and since that time \nwe have extended the scope of the law on several occasions, \nwhich has led to expansive use in recent years, which have \ngenerated concerns on both sides of the aisle. I hope we can \nwork together to address those concerns.\n    Mr. Chairman, we know that criminals target computers and \ncyber networks of individual companies and our government. That \nis why we have to enhance the protective measures that we take \nat every level to prevent cyber intrusions. I applaud the \nPresident\'s resolve to work with industry to better resolve our \ncritical infrastructure. His executive order will improve the \nsharing of information with industry and establish a framework \nfor best practices to help companies step up cyber protection.\n    As in every area of crime policy, public safety demands \nthat we engage in level-headed efforts to identify and \nimplement comprehensive evidence-based solutions, and I hope we \ncan do that in this case.\n    Before I close, Mr. Chairman, I ask unanimous consent that \na letter signed by 20 Internet companies expressing their \nconcerns about the scope of the current Computer Fraud and \nAbuse Act be entered into the record.\n    Mr. Sensenbrenner. Without objection.\n    [The information referred to follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n\n                               __________\n    Mr. Sensenbrenner. And it is now my pleasure to recognize \nfor his opening statement the Chairman of the full Committee, \nthe gentleman from Virginia, Mr. Goodlatte.\n    Mr. Goodlatte. Thank you, Mr. Chairman. I very much \nappreciate your holding this hearing, and I will submit my full \nstatement for the record in order to save a little time for our \nwitnesses. But I do want to make a few points.\n    First of all, yesterday, and I would submit these for the \nrecord, the Secret Service launched an investigation of the \nalleged hacking of private information of Vice President Joe \nBiden, First Lady Michelle Obama, FBI Director Robert Mueller, \nAttorney General Eric Holder, and many others. And the \nPresident yesterday also acknowledged that hacking of personal \ndata is a big problem.\n    Mr. Sensenbrenner. Without objection, the material will be \nentered.\n    [The information referred to follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n                               __________\n\n    Mr. Goodlatte. Thank you. But that is just the beginning of \nthis problem. Cyber intrusions are just the tip of the iceberg. \nIn November 2011, the National Counterintelligence Executive, \nthe agency responsible for countering foreign spying on the \nU.S. government, issued a report that hackers and illicit \nprogrammers in China and Russia are pursuing American \ntechnology in industrial secrets jeopardizing an estimated $400 \nbillion dollars in U.S. research spending.\n    According to the report, China and Russia view themselves \nas strategic competitors of the United States, and are the most \naggressive collectors of U.S. economic information and \ntechnology.\n    Further, in January of this year, the New York Times \nreported it is has been the victim of a sustained cyberattack \nby Chinese hackers. Shortly afterward, the Wall Street Journal \nand Washington Post also reported they, too, had been breached \nby similar sources. The Times commissioned a report from \nMandiant, a private investigative agency which traced the \ncyberattacks to a unit of the Chinese People\'s Liberation Army. \nAccording to the report, the Chinese are engaged in massive \ncyber spying on the American industrial base and in areas the \nChinese are trying to develop for their own national purposes.\n    Earlier this year, the Administration issued a \ncybersecurity executive order and presidential directive aimed \nat helping secure America\'s cyber networks. The executive order \nis a first step toward protecting our public and private \nnetworks from attack, but Congress can and must do more. The \nJudiciary Committee is responsible for ensuring that our \nFederal criminal laws keep pace with the ever-evolving cyber \nlandscape. Our challenge is to create a legal structure that \nprotects the invaluable government and private information that \nhackers seek to exploit while allowing the freedom of thought \nand expression that made this country great.\n    I would submit the rest of my statement for the record, and \nI thank the Chairman.\n    [The prepared statement of Mr. Goodlatte follows:]\n\nPrepared Statement of the Honorable Bob Goodlatte, a Representative in \n  Congress from the State of Virginia, and Chairman, Committee on the \n                               Judiciary\n\n    Thank you, Chairman Sensenbrenner.\n    The 21st century has brought us a more connected, inter-dependent \nworld. The Internet and portable computer systems make it possible for \npeople, businesses and governments to interact on a global level never \nseen before.\n    The United States, with its bounty of personal freedom and free \nenterprise, is a leader in advancing the technology that enables us to \nstay in touch almost everywhere with almost everyone.\n    However, our technological advancement also makes the United States \nincreasingly vulnerable to cyber attacks--from routine cyber crimes to \nnation-state espionage. Earlier this week, we all heard about the high \nprofile cyber breach that exposed sensitive personal and financial \ninformation about high-ranking government officials and celebrities \nfrom FBI Director Mueller and Attorney General Holder to Beyonce and \nDonald Trump. The truth is that all citizens are vulnerable to these \nkinds of cyber attacks.\n    We are also currently experiencing a profound cyber-spying conflict \non the nation-state level. Most Americans are familiar with the \nWikileaks case, which resulted in the public disclosure of hundreds of \nthousands of secret State Department cables. And many of us are \nfamiliar with the cyber attack on the Chamber of Commerce, in which \nChinese hackers gained access to the files on the Chamber\'s 3 million \nmember companies.\n    But these cyber intrusions are just the tip of the iceberg. In \nNovember, 2011, the National Counterintelligence Executive, the agency \nresponsible for countering foreign spying on the U.S. government, \nissued a report that hackers and illicit programmers in China and \nRussia are pursuing American technology and industrial secrets, \njeopardizing an estimated $398 billion in U.S. research spending. \nAccording to the report, ``China and Russia view themselves as \nstrategic competitors of the United States and are the most aggressive \ncollectors of U.S. economic information and technology.\'\' The report \ndrew on 2009-2011 data from at least 13 agencies, including the Central \nIntelligence Agency and the Federal Bureau of Investigation.\n    And in January of this year, the New York Times reported it has \nbeen the victim of a sustained cyber attack by Chinese hackers. Shortly \nafterward, the Wall Street Journal and the Washington Post also \nreported they too had been breached by similar sources. The Times \ncommissioned a report from Mandiant, a private investigative agency, \nwhich traced the cyber attacks to a unit of the Chinese People\'s \nLiberation Army. According to the report, the Chinese are engaged in \nmassive cyber spying on the American industrial base and in areas the \nChinese are trying to develop for their own national purposes.\n    Earlier this year, the Administration issued a cyber security \nExecutive Order and Presidential Directive aimed at helping secure \nAmerica\'s cyber networks. The Executive Order is a first step towards \nprotecting our public and private networks from attack. But Congress \ncan and must do more. The Judiciary Committee is responsible for \nensuring that our federal criminal laws keep pace with the ever-\nevolving cyber landscape.\n    Our challenge is to create a legal structure that protects the \ninvaluable government and private information that hackers seek to \nexploit, while allowing the freedom of thought and expression that made \nthis country great. One thing is clear: cyber attacks can have \ndevastating consequences for citizens, private industry and America\'s \nnational security and should be treated just as seriously as more \ntraditional crimes by our criminal justice system.\n    The risks to our national infrastructure, our national wealth, and \nour citizens are profound, and we must protect them. We must not allow \ncyber crime to continue to grow and threaten our economy, safety and \nprosperity.\n                               __________\n\n    Mr. Sensenbrenner. Without objection, the Ranking Member \nand Chairman Emeritus of the Committee, the gentleman from \nMichigan, Mr. Conyers.\n    Mr. Conyers. Thank you, Chairman Sensenbrenner.\n    I would like to welcome the witnesses and note that I am \nreintroducing today a bill that I introduced in 2012, July or \nAugust, the Cyber Privacy Fortification Act, which will create \na strong standard for data breach notification, which does not \nexist now, and is a great reason for us to be conducting this \nhearing. It requires a data breach activity to be made public, \nnotified to us so that we can measure just what is going on.\n    Cyberattacks have increased, according to the National \nSecurity Agency, by 44 percent. And many of these attacks are \nperpetrated by criminals operating beyond our national \nboundaries, intent on stealing our intellectual property, \nassessing financial accounts, and compromising our critical \ninfrastructure.\n    And so, we have got a problem here, and it is one that I \nthink this Committee is perfectly suited to handle. And I would \nrecommend, and I will be looking for discussion on this, the \nincreasing collaboration necessary between the government and \nthe private sector on cybersecurity, but not at the expense of \nthe privacy of innocent citizens. We must not toss aside \nexisting privacy restrictions to grant the government and law \nenforcement unwarranted access to private communications.\n    The Administration and others have called for private \nsector companies to be allowed to share communications in their \npossession for the purpose of protecting against cyber threats. \nWe must require that any additional sharing only be allowed to \noccur if information is removed that can be used to identify \npersons unrelated to the cybersecurity threat itself.\n    And then in addressing a recent cybersecurity conference, \nFBI Director Mueller emphasized the law enforcement-focused \nneed for this information is limited to threats and attacks, \nnot other sensitive information about company secrets or \ncustomers. This must be the condition for enhancing \ncollaboration between the government and the private sector to \nbetter secure our computer networks.\n    And finally, the Internet has made the world a smaller \nplace, and because cyberattacks are often launched outside of \nour borders, now more than ever, we need a diplomatic \nengagement to increase cooperation between nations and \ncybersecurity issues. In other words, diplomacy is going to \nhave a larger role in this activity.\n    I submit the rest of my statement, and I yield back to the \nChairman.\n    Mr. Sensenbrenner. Without objection, the rest of the \nstatement will be included in the record.\n    [The prepared statement of Mr. Conyers follows:]\n\nPrepared Statement of the Honorable John Conyers, Jr., a Representative \n in Congress from the State of Michigan, and Ranking Member, Committee \n                            on the Judiciary\n\n    Good morning. This hearing focuses on a topic that is very \nimportant to the country and this Committee.\n    Last year, the head of the National Security Agency warned that \ncyber attacks had increased by 44%. With the proliferation of these \nattacks, especially those perpetrated by criminals operating beyond our \nnational boundaries intent on stealing our intellectual property, \naccessing financial accounts, and compromising our critical \ninfrastructure, we must take additional steps to protect our cyber \nnetworks.\n    To start with, we need a strong national requirement for reporting \ndata breaches. When a company has suffered a cyber attack that has \nresulted in the compromise of sensitive information of consumers, they \nshould report the attack to law enforcement and notify affected \nconsumers.\n    As it stands now, there are 47 different state laws with different \ndata breach notice requirements. This often makes compliance more \ncomplex and difficult than it should be. A national standard should be \nstrong enough to provide appropriate notice so that individuals may be \non guard against any subsequent identity theft and law enforcement is \nable to investigate these intrusions.\n    That is why I am reintroducing my Cyber Privacy Fortification Act, \nwhich will accomplish this.\n    Next, we must increase collaboration between the government and the \nprivate sector on cyber security, but not at the expense of the privacy \nof innocent citizens. We must not toss aside existing privacy \nrestrictions to grant the government and law enforcement unwarranted \naccess to private communications. The Administration and others have \ncalled for private sector companies to be allowed to share \ncommunications in their possession for the purpose of protecting \nagainst cyber threats.\n    We must require that any additional sharing only be allowed to \noccur if information is removed that can be used to identify persons \nunrelated to the cyber security threat.\n    In addressing a recent cyber security conference, FBI Director \nMueller emphasized that law enforcement\'s focused need for this \ninformation is limited to the threats and attacks, not other sensitive \ninformation about company secrets or customers. This must be the \ncondition for enhancing collaboration between government and the \nprivate sector to better secure our computer networks.\n    Finally, now more than ever, we need diplomatic engagement to \nstrengthen cooperation between nations on cyber security because the \nInternet has made the world a smaller place, and because cyber attacks \nare often launched from outside our borders. The interconnected nature \nof the Internet allows for communication across all borders, but also \nallows some cyber criminals to hide from prosecution behind \ninternational boundaries.\n    Even if we improve our domestic computer crime laws, those laws are \nonly as effective against international criminals as our ability to \nfind, investigate, and prosecute them.\n    The State Department and our federal law enforcement agencies must \ntake steps to reinforce international relationships so that their \nforeign colleagues enhance their capabilities to find and preserve \nevidence of cyber crime, extradite criminals to the United States, and \nprosecute these criminals in their own courts when extradition is not \npossible.\n    I commend the Crime Subcommittee for discussing this issue, and \nwith these thoughts in mind, we can better protect our cyber networks \nfrom intrusion while protecting our civil liberties and preserving the \nopenness of the Internet.\n                               __________\n\n    Mr. Sensenbrenner. And without objection, all Members\' \nopening statements will be included in the record.\n    We have a very distinguished panel today, and I will begin \nby recognizing the gentlewoman from Washington, Ms. DelBene, \nwho will introduce the first witness.\n    Ms. DelBene. Thank you, Mr. Chair. It is my pleasure to \nintroduce Jenny Durkan. Ms. Durkan currently serves as the \nUnited States attorney for the Western District of Washington, \nwhere my district is located. She is the top Federal law \nenforcement officer of 19 counties in western Washington. She \nwas nominated by President Obama in May of 2009 and was \nconfirmed by unanimous vote of the U.S. Senate on September 29 \nof 2009.\n    Ms. Durkan chairs the Attorney General\'s Advisory \nSubcommittee on Cybercrime and Intellectual Property \nEnforcement. She is also a member of three other subcommittees: \nTerrorism and National Security, Civil Rights, and Native \nAmerican Issues.\n    Ms. Durkan is a Seattle area native who grew up in \nIssaquah, Washington, graduated from the University of Notre \nDame, and received her law degree from the University of \nWashington.\n    Thank you, Mr. Chair.\n    Mr. Sensenbrenner. Before recognizing you, Ms. Durkan, let \nme introduce the rest of the members of the panel.\n    Mr. Boles currently serves as the deputy assistant director \nfor the cyber division of the FBI, where he oversees FBI cyber \noperations and investigations.\n    He entered on duty with the FBI in Sacramento in 1995, \nwhere he successfully investigated an Internet Ponzi scheme \nthat defrauded 15,000 victims in 57 countries. In 2009, as \nassistant special agent in charge of the San Diego Division, he \noversaw six investigative squads over cyber and white-collar \ncrime matters, as well as directing the administrative program \nfrom the office.\n    Mr. Boles was a legal attache? to Kiev, Ukraine in 2003, \nwhere he successfully facilitated the first extradition from \nUkraine to the United States. He served as the special \nassistant director, national security branch, and in 2011 was \nselected as the special agent in charge of the Norfolk FBI \noffice.\n    He is a graduate of the University of Georgia.\n    Mr. Robert Holleyman serves as president and CEO of BSA, \nthe Software the Alliance. He was also appointed by President \nBarack Obama to serve on the Advisory Commission for Trade \nPolicy and Negotiations, the principle advisory Commission for \nthe U.S. government on trade matters. He oversaw an innovative \nstudy of cloud computing-related policies around the world, and \nis an advocate for breaking down barriers that cloud providers \nface when they do business internationally. He also was an \nearly proponent for policies that promote the widespread \ndeployment of security technologies and to build public trust \nand confidence in cyber space.\n    He has testified before Congress, the European Commission, \nthe World Intellectual Property Organization, and other \ngoverning bodies on technology, trade, and economic matters. He \npreviously served as a counselor and legislative advisor in the \nSenate, an attorney in private practice, then a judicial clerk \nin the U.S. District Court.\n    He holds a bachelor\'s degree from Trinity University in San \nAntonio, where he was named distinguished alumnus in 2012, and \nreceived his law degree from Louisiana State University. He \ncompleted the Stanford Executive Program at the Stanford \nGraduate School of Business.\n    Professor Orrin Kerr is a professor law at George \nWashington University, where he teaches criminal law, criminal \nprocedure, and computer crime law. Before joining the faculty \nin 2001, Professor Kerr was an honors program trial attorney in \nthe Computer, Crime, and Intellectual Property section of the \ncriminal division at the Department of Justice, as well as the \nspecial assistant U.S. attorney for the Eastern District of \nVirginia.\n    He is a former law clerk for Justice Anthony Kennedy of the \nU.S. Supreme Court and Judge Leonard Garth of the U.S. Court of \nAppeals for the 3rd Circuit. In the summer of 2009 and \'10, he \nserved as special counsel for the Supreme Court nominations to \nSenator John Cornyn and the Senate Judiciary Committee. He has \nalso been a visiting professor at the University of Chicago Law \nSchool and the University of Pennsylvania Law School.\n    He received his bachelor of science degree in engineering \nfrom Princeton, master of science from Stanford, and earned his \njuris doctor from Harvard Law School.\n    Now, each of the witnesses\' written testimony will be \nentered into the record in its entirety, and I ask that each \nwitness summarize his or her testimony in 5 minutes or less. \nAnd I am going to be kind of like the chief justice given the \ntime constraints that we have with the President coming. So \nwhen the little red light appears before you, time is up.\n    So we will start with you, Ms. Durkan.\n\n TESTIMONY OF JENNY S. DURKAN, UNITED STATES ATTORNEY, WESTERN \n       DISTRICT OF WASHINGTON, U.S. DEPARTMENT OF JUSTICE\n\n    Ms. Durkan. Thank you. Good afternoon, Chairman \nSensenbrenner, Ranking Member Scott, and Members of the \nSubcommittee. Thank you for the opportunity to testify before \nyou this afternoon regarding the investigation and prosecution \nof cyber threats to our Nation. I want to thank Congresswoman \nDelBene for the introduction and for her service to our \ndistrict.\n    As United States attorney, I see the full range of threats \nto our communities and to our Nation. Few things are as \nsobering as the daily cyber threat briefing I receive.\n    Technology is changing our economy and our daily lives. We \nhave witnessed the rapid growth of wonderful companies, \nlifesaving technologies, and the way we connect with others. \nUnfortunately, the good guys are not the only innovators. We \nhave also seen growth in the number and the sophistication of \nbad actors exploiting the new technology. Financially motivated \ninternational rings have stolen large quantities of personal \ndata. Criminal groups develop tools and techniques to disrupt \nand damage computer systems. State actors and organized \ncriminals have demonstrated the desire and the capability to \nsteal sensitive data, trade secrets, and intellectual property.\n    One particular area of concern is computer crime that \ninvades the privacy of individual Americans. Every day, \ncriminals hunt for our personal and financial data, which they \nuse to commit fraud or to sell to other criminals. Hackers \nperpetrate large-scale data breaches that leave hundreds of \nthousands, if not millions, susceptible to identity theft.\n    The national security landscape has evolved dramatically in \nrecent years. Although we have not yet experienced a \ndevastating cyberattack against our critical infrastructure, we \nhave been victim to a range of malicious cyber activities that \nsiphon off valuable economic assets and threaten our Nation\'s \nsecurity. There can be doubt. Cyber threat actors pose \nsignificant risks to our national security and our economic \ninterests.\n    Addressing those complex threats requires a unified \napproach that incorporates criminal investigative and \nprosecutorial tools, civil and national security authorities, \ndiplomatic tools, public-private partnerships, and \ninternational cooperation. Criminal prosecution, whether here \nin the United States or by a partner country plays a central \nand critical role in this collaborative effort. We need to \nensure that throughout the country members of the Department of \nJustice who are actively working on these threats have the \ninvestigative resources and forensic capabilities to deal with \nthese challenges, and we appreciate the support this Committee \nhas given in this regard.\n    To meet these challenges, the Department has organized \nitself to ensure that we are in a position to aggressively \ninvestigate and prosecute cybercrime wherever it occurs. The \ncriminal division\'s Computer Crime and Intellectual Property \nSection works with a nationwide network of over 300 Assistant \nUnited States Attorneys designated as our computer hacking and \nintellectual property prosecutors. They lead our efforts in \nthis area.\n    Similarly, the Department\'s National Security Division is \norganized to ensure that we are aggressively investigating \nnational security cyber threats through a variety of means. \nThese include counterespionage and counterterrorism \ninvestigations and prosecutions.\n    Recognizing the diversity of the national security cyber \nthreats and the need for a coordinated approach, the Department \nestablished last year a National Security Cyber Specialist \nNetwork. It brings together the Department\'s full range of \nexpertise on national security-related cyber matters, drawing \non experts from the National Security Division, the Criminal \nDivision, U.S. attorney offices, and other department \ncomponents to make sure that we have a centralized resource for \nprosecutors and agents around the country.\n    Our efforts have led to a number of enforcement successes, \ntwo of which I will highlight later. But I will say that in our \ndistrict we have been able to bring these prosecutions very \nsuccessfully, and have made a difference for our citizens and \nfor our businesses.\n    Thank you.\n    [The prepared statement of Ms. Durkan follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n                               __________\n\n    Mr. Sensenbrenner. Thank you very much.\n    Mr. Boles.\n\n   TESTIMONY OF JOHN BOLES, DEPUTY ASSISTANT DIRECTOR, CYBER \n DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. DEPARTMENT OF \n                            JUSTICE\n\n    Mr. Boles. Good morning, Chairman Sensenbrenner and \ndistinguished Members of the Subcommittee. I appreciate the \nopportunity to be here today to talk to you about the cyber \nthreat and how we are going about it with our partners to \ncombat it.\n    As the Subcommittee is aware, the number and sophistication \nof cyberattacks against our Nation\'s private sector and the \ngovernment networks has increased dramatically over the recent \nyears, and it expected to continue.\n    We see four primary adversaries in the cyber world: spies \nwho seek to steal our secrets and our intellectual property, \norganized criminals who want to steal our identities and our \nmoney, terrorists who would like to attack our critical \ninfrastructure, and hacktivist groups who are trying to make a \npolitical or a social statement through the use of the \nInternet. The bottom line here is that we are losing data, \nmoney, ideas, and innovation to a wide range of cyber \nadversaries.\n    FBI Director Mueller has stated that he expects the cyber \nthreat to surpass the terrorism threat in our Nation in the \ncoming years. That is why we are strengthening our cyber \ncapabilities, much in the same way that we enhanced our \nintelligence and our national security capabilities in the wake \nof 9/11.\n    The FBI recognized the significance of the cyber threat \nmore than a decade ago, and in response the FBI developed a \nnumber of techniques to go after a strategy for responding to \nit. We created the Cyber Division. We elevated the cyber threat \nto our number three national priority behind only counter \nintelligence counterterrorism. We significantly increased our \nhiring of technically-trained agents, analysts, and forensic \nspecialists, and we have expanded our partnerships with law \nenforcement, private industry, and academia.\n    We have made progress since the cyber division was first \ncreated in 2002. Back then, we viewed it as a success when we \nwere able to recognize that networks were being attacked. Just \nthe fact that we saw it and recognized it was part of our \nsuccess. So the next 8 or 9 years, attribution, which is \nknowing who is responsible for the attack on our computers and \nour networks, was considered the level of success, and we got \nvery good tracking the Internet protocol address or the IP \naddresses back to their source to determine who was \nresponsible.\n    Now, we can often tell when the networks are being breached \nand are able to determine who is doing it. So the question now \nbecomes as we move forward in this, is what are we going to do \nabout it, or, how are we going to take action on this \ninformation that we have gathered.\n    The perpetrators of these attacks are often overseas, and \nin the past tracking an IP back to a source in a foreign \ncountry, it usually led to a dead end investigatively. Since \nthen we have imbedded cyber agents with law enforcement and \nseveral key countries, including Estonia, Ukraine, the \nNetherlands, and Romania. And we have worked with some of these \ncountries to extradite subjects from their countries to stand \ntrial in the United States.\n    As I described in my written statement, the prime example \nof international collaboration came in the 2011 take down of \nRove Digital, as company that was founded by a ring of Estonian \nand Russian criminals to commit a massive Internet fraud \nscheme. Seven of these have since been indicted in the Southern \nDistrict of New York, two of which have been extradited to the \nUnited States now and are in U.S. custody, and one pled guilty \nlast month.\n    While we are proud of this and our other successes, we are \ncontinuing to push ourselves so that we can respond more \nrapidly and prevent attacks before they occur. Over the past \nyear, under our current legal authorities and with our \ngovernment partners, we successfully warned potential victims \nbefore an attack has occurred. They were then able to use that \ninformation to shore up their network defenses and combat the \nattack.\n    As we go into now our next move here will be the next \ngeneration of cyber, and these have all come apart as our \ninitiative to drive forward in the next gen. Next gen cyber \nentails a wide range of measures, including focusing the cyber \ndivision specifically on computer intrusion networks as opposed \nto crimes committed with the computers being the modality, \nhiring additional computer scientists to assist with the \ntechnical investigations at FBI field offices, and expanding \nour partnerships in collaboration with the National Cyber \nInvestigative Joint Task Force, or the NCIJTF.\n    Briefly, the NCIJTF is a compendium of 19 agencies who work \ntogether in a collaborative and information sharing environment \nso that we can almost in real time share information back and \nforth across the cyber threat.\n    So the next step of that, of course, is our private sector \noutreach. We consider that as an important and as our next step \nfor our whole of government team approach in combatting \ncybercrime. Now, we have reached into the industry, developed \nexpertise with them, and are sharing as rapidly at unseen rates \nthan we have seen in the past. We now realize that the \ninformation flow must go both ways, where in the past we have \ntaken information and not necessarily given them back \nactionable intelligence. We have now actionable intelligence. \nWe have now rectified that, and in developing our partnership, \nwe are able to make that information flow go in both \ndirections.\n    So in conclusion, Mr. Chairman, to counter the threats that \nwe face, we are engaging in an unprecedented level of \ncollaboration within the U.S. government, with the private \nsector, and with international law enforcement. We look forward \nto continuing these partnerships and expanding them with the \nCommittee and with Congress.\n    And thank you very much. I look forward to your questions.\n    [The prepared statement of Mr. Boles follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n\n                               __________\n    Mr. Sensenbrenner. Thank you.\n    Mr. Holleyman.\n\n  TESTIMONY OF ROBERT HOLLEYMAN, PRESIDENT AND CEO, BSA, THE \n                       SOFTWARE ALLIANCE\n\n    Mr. Holleyman. Mr. Chairman, Ranking Member Scott, Members \nof the Subcommittee, there are more than 400 million strains of \nmalicious computer code in the world today, and their most \nfrequent targets are here in the United States. And this costs \nAmerican citizens and businesses well over $100 billion a year, \nand the losses are mounting.\n    So I would like to recommend and outline a policy approach \nthat BSA believes can help us address the nature of the threats \nthat we face. It has three principle elements: first, promoting \nreal time information sharing; second, strengthening law \nenforcement tools and resources; and third, supporting \ncybersecurity research and development.\n    On the issue of promoting real time information sharing, we \nknow that to prevent cyberattacks, we need to be able to \nidentify threats in real time, and the best way to do that is \nto let IT professionals share information. And when companies \nand government agencies detect threats, they need to tell each \nother.\n    Unfortunately there are legal barriers and commercial \ndisincentives that stand in the way when the private sector \ntries to information with the government. First, there are \nliability concerns whenever you share commercial data, and, \nsecond, there is a risk of exposing trade secrets. And BSA \nbelieves that we need legislation that promotes information \nsharing by addressing these issues, and we need to do that in a \nway that carefully balances privacy and civil liberties \nconcerns.\n    Secondly, we believe that we need to strengthen law \nenforcement tools and resources. Identifying emerging threats \nis important, but it is not nearly enough. We also need to \nenhance our ability to deter criminal behavior with effective \nlaw enforcement. We should not be over zealous in prosecuting \npeople for innocent mistakes or minor infractions, but we in \nthe government need tools and resources that send a strong \nmessage that there will be appropriate punishment for serious \ncybercrimes.\n    Third, the last element we need to do is to create \nsomething that is really fundamental that is elemental. We need \nto recognize that technology innovation is the best tool to \ncombat long-term cyber threats, and BSA believes that we need a \nrobust national R&D plan that involves technology companies, \ninvolve technologists within the governments, to develop the \nresources to take our technologies and our practices and \nimprove our country\'s overall cybersecurity policy.\n    Now, the issue of data breach notification has come up as \nwell, and we appreciate Mr. Conyers\' statement this morning. We \nknow that we will never be completely risk-free or eliminate \nall the risks of cyberattacks. But as a separate, but related, \nmatter to cybersecurity legislation, we also believe we should \nclarify how and when to notify people when a breach compromises \ntheir personal information.\n    Today there are 47 States that have their own laws, and BSA \nsupports replacing that patchwork with a well-crafted Federal \nlaw that simplifies compliance for businesses, but also ensures \nthe proper notices when there is a breach of sensitive personal \ninformation.\n    And lastly, when Congress is working on cybersecurity \nlegislation, we also do that knowing that the Administration is \nbeginning to implement the President\'s recent executive order. \nAnd we are encouraged by the emphasis that order places on \ninnovation, and we welcome the Administration\'s plan to improve \ncoordination of cybersecurity policy and increased information \nsharing from the government to industry. And these measures \nmust embody principles that everyone can embrace.\n    But it will take congressional oversight to ensure that the \norder is implemented effectively. And as the Administration \ndevelops the framework it envisions for protecting critical \ninfrastructure, it will be especially important to forge a \nclose partnership with industry. We believe that NIST should \nhave a lead role in that, and done well, there is an \nopportunity for the framework to serve as a model for best \npractices that can be extended beyond just critical \ninfrastructure.\n    So I appreciate the opportunity to testify today. BSA looks \nforward to working with this Committee and Congress to upgrade \nAmerica\'s cyber readiness. Thank you.\n    [The prepared statement of Mr. Holleyman follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n                               __________\n    Mr. Sensenbrenner. Thank you, Mr. Holleyman.\n    Professor Kerr.\n\n     TESTIMONY OF ORIN S. KERR, FRED C. STEVENSON RESEARCH \n       PROFESSOR, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL\n\n    Mr. Kerr. Mr. Chairman, Ranking Member Scott, and Members \nof the Subcommittee, thank you for the invitation to testify \nthis morning.\n    The Computer Fraud and Abuse Act is the primary Federal \ncomputer crimes statute, and its main prohibition is on \nunauthorized access to a computer. A year and a half ago, the \nSubcommittee had a relatively similar hearing to that today, \nand at that time I testified about some of the recent court \ndecisions which had adopted a very broad interpretation of the \nComputer Fraud and Abuse Act, not only punishing what we would \nthink of as hacking, breaking into a system, but also violating \nthe terms of use on a computer, doing something contrary to an \nemployer\'s interest while using a computer, and the like.\n    And I warned about the implications of that broad \ninterpretation of the Computer Fraud and Abuse Act. Everyone \nagrees that the law should punish serious computer crimes, but \nI hope we would also agree that the law should not punish \ncompletely innocent activity, the kind of innocent activity \nthat most Americans engage in every day might be violating \nterms of use on a Web site. That is that little language that \nnobody reads off to the corner that everybody blows by when \nthey go to use a Web site or an Internet service. It should not \nbe that violating those terms of service is a crime. Some \nFederal circuits have, in fact, indicated that that is the \ncase.\n    And a lot has changed, though, in the last 18 months since \nthe last hearing. In the 9th Circuit, the en banc 9th Circuit \nin United States v. Nozol, concluded that the Computer Fraud \nand Abuse Act does not apply to breach of employer restrictions \non access to a computer, and is relegated only to sort of \nclassic breaking into a machine, what we might call hacking or \nwe think of as hacking, what the court called circumventing a \ntechnological access barrier.\n    Also in 2012, the 4th Circuit decided a case, concluding \nthat an employee that acts in a way disloyal to an employer \nwhile using the employer\'s network is not violating the \nComputer Fraud and Abuse Act, creating a disagreement between \nthe decision of the 4th Circuit and another decision of the 7th \nCircuit, which it indicated that that would be a Federal crime.\n    So right now, the state of the law in the lower courts \ninterpreting this critical phrase of this critical statute, the \nComputer Fraud and Abuse Act, is essentially in disarray. There \nare circuits that are all over the map in terms of just \nfiguring out what this prohibition means, what is this statute \nthat has been on the books for 25 years.\n    So I think this Committee basically has two choices. One is \nto do nothing and let the Supreme Court figure it out. There is \na circuit split. That means usually the Supreme Court at some \npoint will step in and resolve the uncertainty and either pick \nthe narrow view of the statute, or the broad view of the \nstatute, or something in between, or Congress could act and \nactually clarify which interpretation of the statute is the \nright one.\n    I think this Congress should act. This is a question \nultimately of what Congress wants to prohibit, and I think the \nbest approach is for Congress to enact the narrow view of the \nComputer Fraud and Abuse Act, essentially codifying the rule of \nthe 9th Circuit, United States v. Nozol, that what this statute \ndoes is prohibit breaking into a computer.\n    We are not meeting here because we are worried about \nindividuals breaching terms of service. We are not worried \nabout employees of companies checking Facebook on company time. \nWe are worried about people hacking into critical \ninfrastructure, people accessing United States\' secrets that \nare stored on computers from abroad. Those are problems which \nwould be prosecuted and criminalized under any interpretation \nof the Computer Fraud and Abuse Act. But I think it is \nessential that Congress narrow the statute and expressly adopt \nthis narrow view rather than just wait for the Supreme Court to \ntry to figure it out.\n    We do not know what would happen if the Supreme Court took \nthis case, and in all likelihood, no matter what the Supreme \nCourt would do, we would probably be back here to try to figure \nout what the laws should look because there are hard cases to \nbe dealt with on either side.\n    In particular, imagine the Supreme Court adopts the narrow \nview of the statute and says that the Computer Fraud and Abuse \nAct only prohibits classic hacking into a network. In that \ncase, there is the problem of insiders. They are given access \nto the network, but they essentially steal secrets and then \nsend them to somebody else or use them in some nefarious way or \nmaybe give them to a foreign government. We of course need to \nmake sure that that is prohibited as well.\n    And there are statutory authorities that can do that, for \nexample, the Theft of Trade Secrets Statute is available in \nthose situations. But also we could amend the Interstate \nTransportation of Stolen Property Act, which is used to deal \nwith the transferring of stolen property in the case of \nphysical property. The Justice Department has tried \nunsuccessfully to use that statute to prosecute stolen \ninformation. The 2nd Circuit has said that is not a fair \ninterpretation of the statute, and that could be amended to \nmake sure the insider threat is dealt with.\n    Thank you. I look forward to your questions.\n    [The prepared statement of Mr. Kerr follows:]\n\n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n    <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n    \n\n\n                               __________\n    Mr. Sensenbrenner. Thank you very much. Because of the time \nconstraints, the Chair will withhold his questions until the \nend if there is time remaining.\n    And the Chair recognizes the gentleman from Arizona, Mr. \nFranks, to start the questions.\n    Mr. Franks. Well, thank you, Mr. Chairman. And thank all of \nyou for being here today. I do not envy your jobs. It is \ndifficult when you are trying to marry highly esoteric \ntechnological issues with very precise legal enforcement and \nprosecution issues. So it is a difficult challenge.\n    And it so happens that I am new on this Committee, so my \nprimary familiarity with cybersecurity issues is on the \nStrategic Forces Committee where there is a national security \ncomponent. And of course, it is an issue of the first \nmagnitude.\n    So my first question is to you, Mr. Boles. Given that some \ntype of commercial cyber intrusion carries with it one set of \nconcerns, and national security carries with it a whole \ndifferent set of concerns.\n    Are there different protocols or more latitude in existing \nlaw when you are doing what is necessary to protect our \ncritical systems from national security threats or threats that \nhave a national security nexus as opposed to the commercial \nintrusions?\n    Mr. Boles. Thank you, sir. That leads right into why I \nspoke briefly about the next generation of cyber initiative. \nAnd one of the things that we have seen, that we have \nimplemented in the change of that initiative is putting all \ntools in the toolbox. We recognize that in the cyber world, \ncrimes are essentially without borders, as one of the gentlemen \nsaid, that the world has gotten smaller, crimes without \nborders. And it is often difficult to tell at the outset is it \ncriminal or is it national security oriented.\n    So one of the things that we, working with the DoJ partners \nand with our other law enforcement partners, is how do we bring \nall the tools to the toolbox to combat the threat? So, for \nexample, if it is a nation-state actor who is attempting \neconomic espionage and stealing trade secrets, that then may \nenhance their national economy and/or structure. Is that \ncriminal? Is it national security? I would say that it is both, \nand we have both sets of tools that we can bring to it.\n    So it gives us a wide latitude. It makes us a much more \nnimble law enforcement community to go after and combat these \nthreats by being able to put the appropriate tool against the \nappropriate threat.\n    Mr. Franks. But once you identify whether it is a national \nsecurity threat or it is simply a commercial threat, do you \nhave a different set of criteria in the law as it is now to \ncombat those, or are they treated essentially the same as far \nas your tools to respond?\n    Mr. Boles. Again, I will tell you it sounds a little bit \nlike I am going to hedge on you, but I am not. The fact of the \nmatter is that by having both sides in the toolbox, we have \nkind of melded the two protocols together.\n    So what that means is, let us say, for example, we \ndetermine that is, in fact, a straight national security, you \nknow, intrusion or theft, you know. How can we go about \ndisrupting that? Part of the next generation cyber initiative \nis to identify the hands on the keyboard, you know, the skin \nbehind the screen, and how do we go after them and disrupt \nthat? So that is through criminal prosecution? Is that through \nworking with our intelligence partners and our foreign partners \noverseas to disrupt in other manner or shutting off access?\n    It is a multitude of options that are open to us by doing \nthat. So I would tell you that the protocols, by going to the \nall tools approach, actually gives us access to both protocols \nthrough the entirety of the investigation.\n    Mr. Franks. What would you suggest to this Committee, if we \nwere to apportion our concern for each of those two things I \nmentioned, commercial intrusion as opposed to those threats \nthat have a national security nexus.\n    When you identify these threats, what would you suggest \nwould be the proportion, I mean, how much under attack from \nyour point of view, and we are familiar with it in some of the \nsecurity committees. But from your point of view in the FBI, \nwhat would you suggest is the state of the union here as far as \nour protection from national security cyber threats? Do you \nthink that we are facing pretty significant challenges?\n    Mr. Boles. We are absolutely facing significant challenges.\n    Mr. Franks. That was a leading question.\n    Mr. Boles. Yes, it was. [Laughter.]\n    Mr. Franks. I am very familiar with just how serious they \nare in some ways. And I guess I would like to put something on \nyour radar. It is not really in the form of a question, but I \nam concerned, and we are concerned on some of the security \ncommittees that intentional electromagnetic interference may \nsomeday be or EMP may be our ultimate cybersecurity threat in \nterms of a national security destructive to try to disrupt our \nsystems. And I would hope that we would have that on the radar. \nI realize that is a little ways down the road, but perhaps not \nas far as it should be.\n    And I appreciate all of you for what you are doing. You are \nkind of the front line of freedom, even though people do not \nsee you and appreciate it.\n    Thank you, Mr. Chairman.\n    Mr. Sensenbrenner. The time of the gentleman has expired.\n    The gentleman from Virginia, Mr. Scott.\n    Mr. Scott. Thank you, Mr. Chairman. And I would like to \nfollow through on that same line of questioning, but I would \nlike Ms. Durkan to respond with the various levels of \nseriousness. First, will the Administration have a \nrecommendation to address the concerns that Professor Kerr \npointed out that there is split in the circuits on \ninterpretation. Do we have a recommendation on how to deal with \nthat split in the circuits?\n    Ms. Durkan. Thank you, Ranking Member Scott. As we have \nsaid in other forums, we believe that there needs to be some \nclarification to the law in terms of particularly what exceeds \nauthorized access is. But we think that what we need to make \nsure is that there are a number of insiders who have access to \nvery valuable and confidential information, and we have to make \nsure that we still have the law enforcement necessary to \nprotect against that threat.\n    Mr. Scott. Well, do you have a legislative recommendation?\n    Ms. Durkan. We do not have a specific legislation \nrecommendation, but we are willing to work with your staff and \nprovide technical assistant to reach those goals.\n    Mr. Scott. Are there any other elements of the crime that \nneed clarification?\n    Mr. Scott. There are additional ones we need clarification. \nI think that in our last year\'s proposal, we had how the \ndifference between felonies, and misdemeanors, and previous \noffenses. And so, I think we can look at those issues.\n    But I think that you are right, and it has been said before \nis the nature of the threat is evolving rapidly, and it ranges \neverything from the consumers whose private data is threatened \nby hackers to the national security threats. We at the \nDepartment of Justice have to deal with that full range of \nthreats, and so the important thing for us right now is not to \ncreate greater gaps in the law, but to ensure we have the tools \nthat we need.\n    Mr. Scott. In your statement, you mentioned that judges \nwould still, of course, make sentencing decisions on a case by \ncase basis. Should we infer from that that the Administration \nwill not have any mandatory minimums in its recommendations?\n    Ms. Durkan. We are not recommending mandatory minimums in \nthese recommendations. The judicial discretion, as you know, is \nvery important for the judge to be able to determine what level \nof penalty is important.\n    I want to emphasize the Department does that at each stage \nof prosecutions as well, whether an investigation is merited in \nthe first place, whether charges should be brought, and then \nwhat plea or what sentence is appropriate.\n    Mr. Scott. Well, we do not have to scour the \nrecommendations for mandatory minimums, so we will assume that \nthey are not there. Is that a fair assumption?\n    Ms. Durkan. Yes, sir.\n    Mr. Scott. And a lot of these crimes, there are overseas \nconnections to some of these crimes. Does that create \njurisdictional problems that we need to address legislatively?\n    Ms. Durkan. There may be some legislative fix. We need to \ndo that. The Department has already taken some steps on the \ninternational front. It is more and more important, more of \nthese cyber cases. For example, in my district we recently \nprosecuted a case where a case where a small business in \nSeattle was hacked by someone who was in Maryland, who traded \nthe card information he got to a Dutch citizen living in \nRomania, who then sold them to someone in Los Angeles.\n    We were able to bring the person in Maryland, who has been \nprosecuted and convicted, as well as extradite the person from \nRomania charges pending against Los Angeles.\n    So international cooperation is key, and we are working on \nmany fronts to make sure we have the most robust system \npossible.\n    Mr. Scott. Are any legislative changes needed to help you \nin that regard?\n    Ms. Durkan. There may be some. There was one proposal that \nwe had that was approved in the previous budget that gave us \nadditional resources abroad, what we call our iChip Center, \nnational cyber prosecutors, who can assist our foreign partners \nto make sure that we gather the evidence we need to bring the \npeople an extradite them to America.\n    Mr. Scott. Well, that brings me to my next question. A lot \nof this is resources and investigation. You have got these \nthings in a statute. It is just a matter of priorities. This \nCommittee has looked at things like ID theft where consumer ID \ntheft cases are not brought because you just do not have the \nresources, organized retail theft for those cases are not \ninvestigated because of resources or funding. And somebody \nfails a background check on a gun purchase, nothing is done \nbecause you do not have the resources.\n    I guess, Mr. Boles, if you focus more on cybercrime, do you \nhave enough resources to do the other things you need to do? \nAnd as part of that, what effect will the sequester have on \nyour ability to continue doing your work?\n    Mr. Boles. I keep going back to the net gen cyber, and that \nwas one of our functions and one of our driving forces in that.\n    So the Cyber Division focuses entirely on intrusions and \npushing forward for the high tech solution, but part of that \nwas that we have also added impact and emphasis on the \ntraditional cyber--I am sorry.\n    Mr. Sensenbrenner. You can continue your sentence. \n[Laughter.]\n    Mr. Boles. Okay. Under traditional cybercrime, much like on \nthe ID theft, sir.\n    Mr. Sensenbrenner. The time of the gentleman has expired.\n    The gentleman from Michigan, Mr. Conyers.\n    Mr. Conyers. Thank you very much. Members of the panel, \nmost of our serious computer hacking threats come from other \ncountries. Can any of you discuss with me and make a point \nabout how we can better identify, stop, and prosecute these \nattacks?\n    Your recollection of what happened in another case is very \ncompelling because we want to improve the law protecting \nagainst cybercrime. And the whole idea of this hearing is to \nidentify where we should be going.\n    I think I have about the only general law on cyber privacy, \nwhich I introduced last year and will reintroduce today. And so \nI would appreciate, and the comments that have been made and \nany that may be added to this discussion.\n    Who would like to volunteer?\n    Ms. Durkan. I can address some of that, Congressman.\n    First, I want to be clear. While the international cyber \nthreat is growing and complex, we have a lot of homegrown cyber \nactors as well. In my district, we regularly prosecute people \nwho are located right in our district who are able to do a \nsignificant amount of damage to both individual consumers and \nto businesses.\n    With regards to your privacy legislation, obviously we have \nnot had the opportunity to review it yet. We look forward to \ndoing so and working with the staff of the Committee. I will \nsay that it has always been the position of the Department of \nJustice that all legislative proposals should carefully balance \nboth the need to deter and hold accountable the bad actors with \nconsumer privacy and civil rights, as well as making sure we \nhave the adequate public-private partnerships. And so we look \nforward to working with you on that bill.\n    Mr. Conyers. Well, you have the kind of a Subcommittee here \nthat is going to take this seriously. There have been so many \nthings going on, especially in the Judiciary Committee, that it \nis easy for this to slip through the cracks. And I think this \nhearing is extremely important for focusing in on that.\n    Mr. Holleyman. Mr. Conyers, let me say I think it is going \nto take a complement of laws and a mix like criminal statutes. \nI think the corollary around data breach notification can be \nvery important, particularly if it also encourages the kind of \nincentives for companies to build in security practices so that \nif there is a breach of consumer data, that that data will be \nessentially useless because it is has been protected in the \nfirst instance.\n    So I think as the Federal Government, we can do more to \nprotect our citizens. I think the private sector can do more. \nAnd it is going to take a mix of civil and criminal statutes to \neffectively deal with this.\n    Mr. Conyers. Professor Kerr?\n    Mr. Kerr. Yeah, just one brief comment. So the substantive \nlaw, the Computer Fraud and Abuse Act, already jurisdictionally \ncovers the world. It covers everything. In fact, the Computer \nFraud and Abuse Act covers every computer that the United \nStates government can regulate around the world under the \nConstitution, under the foreign commerce clause and under the \ninterstate commerce clause. So it will certainly apply to a \nforeign hacker who hacks into U.S. computers, the U.S. hacker \nthat hacks into foreign computers, or even a foreign person \nthat hacks into other foreign computers through the U.S.\n    So the substantive criminal law is very broad. The \ndifficulty is always if somebody is outside the U.S., if the \nforeign government is going to cooperate with the U.S., then \nthat is a way that the U.S. can have the person extradited and \nbrought to the United States for prosecution. But if they are \nnot a cooperative government, that is where the problem is \ngoing to be.\n    Mr. Conyers. Well, you know, I think that we are going to \nhave to put increased emphasis on our diplomacy aspect. I think \nthe sooner, Chairman Sensenbrenner, that we begin to look at \nthis part of this problem, the better off we are going to be in \nterms of getting as much cooperation as we can. Now, we know \nthat is going to vary from country to country, but it is still \nvery important.\n    Mr. Sensenbrenner. The time of the gentleman has expired, \nand I agree with the last point that the gentleman from \nMichigan has made since the Internet is completely \ninternationalized and knows no boundaries, either for doing \ngood or breaking the law.\n    The gentleman from Texas, Mr. Gohmert.\n    Mr. Gohmert. Thank you, Mr. Chairman, and thank you to all \nthe witnesses for your research, for your concerns, and for \nyour testimony here today.\n    It is my understanding that under 18 U.S.C. 1030, that it \nis a violation, a criminal violation, of our law to do anything \nthat helps take control of another computer even for a moment. \nIs that your understanding? Some general nods.\n    Mr. Kerr. It depends exactly what you mean by take control, \nbut certainly if taking control includes gaining access to the \ncomputer in order to take--assuming a network, you are not \nsupposed to take control of, then, yes, that would clearly be \nprohibited by the statute.\n    Mr. Gohmert. All right. For example, my understanding is \nthere was a recent example where someone had inserted malware \non their own computer such that when their computer was hacked \nand the data downloaded, it took the malware into the hacker\'s \ncomputer, such that when it was activated, it allowed the \nperson whose computer was hacked to get a picture of the person \nlooking at the screen. So they had the person that did the \nhacking and actually did damage to all the data that was in the \ncomputer.\n    Now some of us would think that is terrific. That helps you \nget at the bad guys. But my understanding is that since that \nallowed the hackee to momentarily take over the computer and \ndestroy information in that computer, and to see who was using \nthat computer, then actually that person would have been in \nviolation, in the United States would have been in violation of \n18 U.S.C. 1030.\n    So I am wondering if perhaps one of the potential helps or \nsolutions for us would be to amend 18 U.S.C. 1030 to make an \nexception such that if the malware or the software that allows \nsomeone to take over a computer, is taking over a hacker\'s \ncomputer, than it is not a violation. Perhaps it would be like \nwe do for, say, assaultive offenses, you have a self-defense. \nIf this is part of a self-defense protection system, then it \nwould be a defense that you violated 1030.\n    Anybody see any problem with helping people by amending our \ncriminal code to allow such exceptions or have any suggestions \nalong those lines?\n    Mr. Kerr. Mr. Gohmert, I think it is a great question and \none that is very much debated in computer security circles \nbecause from what I hear, there is a lot of this sort of \nhacking back, as they refer to it. But at least under current \nlaw, it is mostly illegal to do that.\n    There is a limited necessity defense that some courts have \nrecognized to say basically if you are a victim of a crime, you \nhave a certain amount of ability to act to try to stop that \ncrime. But it is not really clear how the necessity defense, as \nit is recognized in current Federal law, would apply in those \ncircumstances.\n    I think the idea of saying there is some ability to \ncounterhack back, however you want to describe it, is a sound \none. The real difficulty is in the details of how do you do it. \nWhat circumstances do you allow somebody to counterhack how \nbroadly, how broadly are they allowed to counterhack, how far \ncan they go?\n    The difficulty, I think, is once you open that door as a \nmatter of law, it can be something that is difficult to cabin. \nSo I think if there is such an exception, it should be a quite \nnarrow one to avoid it from sort of becoming the exception that \nswallows the rule.\n    Mr. Gohmert. Well, I am not sure that I would care if it \ndestroyed a hacker\'s computer completely, as long as it was \nconfined to that hacker. Are you saying we need to afford the \nhacker protection so that we do not hurt him too bad?\n    Mr. Kerr. No. The difficulty is that you do not know who \nthe hacker is, so it might be that you think the hacker is one \nperson. Let us say you think you are being hacked from a French \ncompany or even a company in the United States.\n    Mr. Gohmert. Oh, and it might be the United States \ngovernment, and we do not want to hurt them if they are \nsnooping on our people. I do not really understand why you are \nwanting to be protective of the hacker.\n    Mr. Kerr. The difficulty is first identifying who is the \nhacker. You do not know when somebody is intruding into your \nnetwork who is behind it. So all you will know is that there is \nan IP address that seems to back to a specific computer, but \nyou will not know who it is that is behind the attack. That is \nthe difficulty.\n    Mr. Sensenbrenner. The time of the gentleman has expired.\n    The gentleman from Louisiana, Mr. Richmond.\n    Mr. Richmond. Thank you, Mr. Chairman. I guess my first \nquestion, maybe first two questions, will go to Mr. Holleyman.\n    You talked about information sharing, you talked about \nsecurity, and you talked about oversight over critical \nnetworks. And we had that bill last year in Homeland Security, \nwhich was the PRECISE Act, which when it came up, the \ninteresting thing about it, it was a pretty decent bill at the \ntime that shared bipartisan support. But when it came up for \nmarkup, it was gutted by the author, which was a strange thing, \nbut that is because he could not get leadership to move on the \nissue and bring it up to a floor vote if that was that \ncomprehensive.\n    So I guess I am asking you your thoughts on the PRECISE \nAct, and was that going in the right direction.\n    Mr. Holleyman. Thank you for that question. I know that in \nthe last Congress there were a number of pieces of legislation \nthat were considered, several of which were approved. We \nbelieve it is important for Congress to supplement what the \nPresident did in his executive order with not only oversight, \nbut with additional legislation.\n    I think the executive order has tried to do--yeah, I would \nneed to look back at the elements of the PRECISE Act to be able \nto comment further. But I think the President\'s executive order \nhas tried to address many of the elements that would have been \noutlined in the PRECISE Act. So whether or not that act would \nbe needed at this point in time, I cannot comment on. I would \nbe happy to look at that for the record.\n    Mr. Richmond. If anyone else wanted to comment on it, that \nis fine.\n    My next question would be, you mentioned one of the \nelements and one of the things we should be doing is continuing \nor creating a robust R&D for cybersecurity. And I guess my \nquestion would be, would that be in the term of maybe an R&D \ntax credit, or are you thinking of something like NIH and \ngrants to people who want to do that type of research for \ncybersecurity?\n    Mr. Holleyman. Well, I think there are really three \nelements of it. One is that we do not have enough students who \nare being trained as professionals to be able to work in \ncybersecurity for the future, and that is a problem for the \nprivate sector and for the government. So we need to have the \nright education and the right training. Secondly, I think we \nneed the right cooperative agreements between private sector \nand government to allow that research to happen, including with \nuniversity research. And certainly, finally there is research \nthat goes on at the Federal Government about the level and the \nnature in evolving threats, and that research needs to be \nproperly funded, and there needs to be proper oversight. So I \nthink it takes all three of those.\n    Mr. Richmond. And I guess I have a third question for you \nor Mr. Kerr. I think that Ms. Durkan and Mr. Demers will \nprobably know the answer to it. But part of it is from your \norganization\'s standpoint and from your experience, the level \nof cooperation, and information sharing, and assistance that \nour security agencies provide now. And sometimes we get the \nbenefit of hearings that are not public. But I am interested in \nknowing from your perspective the interaction between FBI, CIA, \nDepartment of Justice, and those in terms of helping either \navert or on the back end, find the perpetrators. So how has \nthat been with you all?\n    Mr. Holleyman. Well, I will start by saying I think the \nnature of that is critical, and they are certainly very good \nrelationships. What we need is to be able to share more real \ntime threat information, not simply after the fact, but real \ntime threat information. That is part of what the President has \ntried to do in his executive order and part of what we think \nCongress can supplement that would make it even easier and \nbetter for industry to share information with the government, \ntoo.\n    Mr. Richmond. And I understand the barriers for industry. \nWhat is the biggest barrier, or if you want to do it \ncomprehensively, what are the biggest barriers to doing it? Is \nit just permission and law for real time information sharing?\n    Mr. Holleyman. Yeah, I think some of it is sort of the \nexisting laws that private sector companies feel like they \nmust, and appropriately, adhere to, which in some cases makes \nit difficult, if not impossible, to share real time threat \ninformation. So you can only do something about it after the \nfact. That is not in anyone\'s interest to do that, so we need \nthe appropriate way to be able to share that with the Federal \nGovernment.\n    Mr. Richmond. Mr. Chairman, for the sake of time, I yield \nback.\n    Mr. Sensenbrenner. The time of the gentleman had expired. \n[Laughter.]\n    The gentlewoman from California, Ms. Chu.\n    Ms. Chu. Thank you, Mr. Chair.\n    I wanted to ask about economic espionage and the stealing \nof intellectual property, of trade secrets, customer lists, \nfuture plans and contracts. And, Mr. Holleyman, I wanted to ask \nyou, you said that Semantic estimated that it lost $110 billion \nthrough economic espionage and the stealing of IP through these \nmeans.\n    What do you think is the overall cost to the corporations \nthat you represent?\n    Mr. Holleyman. Well, the Semantic number came from their \nInternet security threat report, and it really related to the \ntotal amount of losses. It was not sort of referring to their \ncompany losses. And so the figure of $110 billion of damages on \nconsumers is what they cited.\n    I think that all of the data shows, and certainly the \ninformation that is being very public and that the Chairman \nspoke of in his opening remarks, shows that the nature of the \nthreat is increasing and it is increasing substantially. \nMcAfee, one of our members, estimated that it used to be that a \nnew piece of malware was identified and put into action about \n15 minutes, and now they estimate it is one per second.\n    So the pace at which this is occurring is huge. The \nconsequence of losses are growing. And this is exactly the kind \nof hearing this Committee and other Committees should be \nfocused on because we are all in this together.\n    Ms. Chu. And what is the private sector doing to minimize \nthese intrusions and to protect intellectual property \nthroughout all these layers?\n    Mr. Holleyman. Well, I think the Attorney General, the IP \nenforcement coordinator, the Homeland Security Secretary, about \nthree weeks ago had a major discussion about theft of trade \nsecrets. And I know Members of this Committee were a part of \nthat process.\n    One, I think it is sort of building awareness. Two, it is \nbuilding best practices. Three, is security companies. We are \nworking to create faster, more effective ways of preventing \nthese intrusions to share information about the threats when \nthey occur. And it is a race. I mean, it is a race, and we are \nin the business of trying to help prepare us. But a lot of it \nis going to take education on the part of businesses, and \nconsumers, and the Federal Government, who is the biggest \nsource of attacks, against the Federal Government. The Federal \nhas to be using the strongest security to try to limit those \nattacks.\n    So, I mean, we are all in this together. Our companies want \nto do more things, particularly in small or medium enterprises \nand others, build in security procedures, so that if there are \nbreaches of their information, and there will be from time to \ntime, that that information is rendered useless so that the \nhacker or the perpetrator cannot do anything with it because it \nis has been secured through encryption or other means. And \nthose additional incentives will be helpful to a long-term \nsolution.\n    Ms. Chu. I wanted to make sure law enforcement has the \ntools that it needs to prosecute these cases and investigate \nthem. And Ms. Durkan and Mr. Boles, I want to know, Ms. Durkan, \nI note that the DoJ leads vigorous prosecutions in cyber theft \nand economic espionage. I am curious to know how frequently a \ncase regarding intellectual property appears in your case load \nand if you feel like you have the appropriate tools, like \ntraining and funding, to effectively prosecute these cases.\n    Ms. Durkan. Thank you. It is a very significant part of our \ndistrict\'s work. We have some small mom and pop corporations, \nlike Boeing, Amazon, Microsoft, and the like, where the \nproprietary information, as the Chairman said, is their most \nvaluable commodity. So we consistently work with those \ncorporations to make sure that we are getting the appropriate \nreferrals.\n    We have specially trained prosecutors. We will say we \nalways take more resources because the threat is evolving, but \nwe appreciate the resources this Committee has given to us.\n    Ms. Chu. And, Mr. Boles, do you have the adequate training \nand funding to carry on your investigations?\n    Mr. Boles. Like my partner, Ms. Durkan, said, we will \nalways take more. It is important. It is a high tech and \nevolving thing.\n    And just to give you a feel for it, we currently have about \n1,100 cases ongoing in the FBI that involve intellectual \nproperty theft, and it cuts across all of our programs whether \nit be cyber, counter intelligence, and in the traditional \ncriminal. So it is a wide-ranging need that we have. And part \nof our drive is to make sure that all the investigators, and \nthe analysts, and the support folks have the training that they \nneed as we push that out and go forward in the computer world.\n    But, you know, that is a need that we constantly reassess \nand try to address.\n    Mr. Sensenbrenner. The gentlewoman\'s time has expired.\n    The Chair will recognize himself for a couple of questions.\n    Ms. Durkan, in response to Mr. Scott\'s question, you said \nin the Administration\'s proposal, there are no mandatory \nminimum sentences. My understanding is the bill the \nAdministration sent us up in the last Congress had mandatory \nminimums. What made them change their mind?\n    Ms. Durkan. We assess a variety of factors, and at this \ntime we are not supporting that. But we would be happy to work \nwith your staff to answer any further questions that the \nChairman may have.\n    Mr. Sensenbrenner. Well, what factors were those?\n    Ms. Durkan. We will look at the number of factors we have \nto as to what our priorities are in addressing the statute. And \nright now we see that as the threat is evolving, what we really \nneed are tools that can address some of the gaps we see in the \nlaw to make sure that we disrupt, deter crimes in the first \ninstance and hold people accountable.\n    Mr. Sensenbrenner. Well, you know, there are two separate \nthings, you know. When we are talking about mandatory minimums, \nwe are talking about after a conviction when the judge \npronounces a sentence. There certainly is not a lot of effort \nand a lot of money that is required to go into that, \nparticularly with a mandatory minimum giving the judge little \nor no discretion. I think you are trying to confuse apples with \noranges and not get into the fact.\n    Does the Administration oppose mandatory mininums as a \nmatter of principle, or do they not think that the crimes that \nwe are talking about here deserve a mandatory minimum?\n    Ms. Durkan. I think what you are getting at, Chairman, is \nwhat is the appropriate sanction for these activities, and we \nagree that we must assess and make sure that these bad actors \nare held accountable under the law. It is one reason why we \nsupport increasing the statutory maximum in the fraud scenario \nto bring that on par because there are some cases where that is \nthe only statute available, but yet a judge would not be able \nto assess the nature of the crime that occurred and assess the \nappropriate penalty.\n    And so the Department of Justice is always going to look at \nthe factors present in a case and make sure that we are \nrecommending to a judge what the appropriate sanction is. And \nthen, of course, the judge needs to have the discretion and the \nability to make sure that that sanction can be imposed so that \nwe both deter the crime in the first instance and hold the \npeople when it occurs.\n    Mr. Sensenbrenner. I think we are going to be talking about \nthis issue a lot more as legislation is developed. I disagree \nwith that conclusion.\n    I do want to spend some time asking two questions of \nProfessor Kerr.\n    I am a little bit concerned, Professor Kerr, about your \nidea that there should be certain things that are currently \ncriminal that should not be criminal anymore. And let me pose a \nhypothetical view. Say that there is a foreign agent that is \nemployed by a U.S. tech company, and he was ordered to check to \nsee that the company was not working on a certain project, \nusing process of elimination to see who is working on that \nproject. The spy exceeds the authorized access and determines \nthat the company really is not working on the project.\n    Now, in this example, nothing was taken or damaged, but \nshould the Justice Department not have a tool to be able to do \nsomething about that, even though another crime was not \ncommitted?\n    Mr. Kerr. In that situation, I would imagine there would be \nanother crime committed. I am thinking in terms of attempt \nliability for attempted--I gather the goal was to ultimately \ndetermine confidential information relating to the company as \nto what the company was or was not doing. So it would be either \nan attempted theft of that information. I am not sure of the \ncriminal statutes governing spying, for example.\n    I think the key idea is that it is not a computer-related \noffense. It just so happens that that offense involves \ncomputer-related conduct. But it should be treated under the \nlaw just as it would be if the spy were going were going into a \nlocked closet instead of locked computer. It does not make any \ndifference as to whether it is a physical or a computer crime.\n    So my approach would be just to resolve the circuit split \nby adopting the 9th Circuit standard, which is treating hacking \nlike hacking and treating computer crime offenses like the \nphysical world analysis.\n    Mr. Sensenbrenner. Okay. Well, let me go into the trespass \nissue that you talked about. Now, it is obvious if somebody got \ninto the mechanical room at Space Mountain at Disneyworld and \nthen pulled the pin on that, and all of a sudden the cars, you \nknow, stopped abruptly and nobody was injured. Maybe it was \nlucky. But, you know, how about cyber trespass that would have \njust as much damage, and that would be a violation of a term of \nservice. And should that not be criminalized as well?\n    Mr. Kerr. It should be criminalized, but not because of the \nterms of service violation. It could be criminalized under a \nnumber of different theories.\n    First, it would be access without authorization because I \nam assuming that breaking into the computer that is controlling \nthis machine would itself be password protected. It is not like \nanyone can walk up and pull something on the machine.\n    Also it would be a Section 1030(a)(5) violation, which is \nintentionally causing damage to a protected computer without \nauthorization, and that is a separate criminal statute that \ndoes not involve unauthorized access. It is sort of \nintentionally causing damage without authorization.\n    So these are all situations that would already be \ncriminalized without the need to go to the unauthorized access \nprohibition.\n    Mr. Sensenbrenner. Okay. Well, my time is up.\n    So I would like to thank all of the witnesses for appearing \ntoday, for being brief in the answers to your questions so that \nwe Republicans can go listen to what the President has to say. \nAnd I understand you Democrats will have that pleasure sometime \nin the future, very soon.\n    So without objection, this hearing is adjourned.\n    [Whereupon, at 12:54 p.m., the Subcommittee was adjourned.]\n\n                                 <all>\n\x1a\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'