[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
        INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                   SUBCOMMITTEE ON CRIME, TERRORISM,
                 HOMELAND SECURITY, AND INVESTIGATIONS

                                 OF THE

                       COMMITTEE ON THE JUDICIARY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 13, 2013

                               __________

                           Serial No. 113-14

                               __________

         Printed for the use of the Committee on the Judiciary


      Available via the World Wide Web: http://judiciary.house.gov


                  U.S. GOVERNMENT PRINTING OFFICE
79-878                    WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202ï¿½09512ï¿½091800, or 866ï¿½09512ï¿½091800 (toll-free). E-mail, [email protected].  


                       COMMITTEE ON THE JUDICIARY

                   BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr.,         JOHN CONYERS, Jr., Michigan
    Wisconsin                        JERROLD NADLER, New York
HOWARD COBLE, North Carolina         ROBERT C. ``BOBBY'' SCOTT, 
LAMAR SMITH, Texas                       Virginia
STEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina
SPENCER BACHUS, Alabama              ZOE LOFGREN, California
DARRELL E. ISSA, California          SHEILA JACKSON LEE, Texas
J. RANDY FORBES, Virginia            STEVE COHEN, Tennessee
STEVE KING, Iowa                     HENRY C. ``HANK'' JOHNSON, Jr.,
TRENT FRANKS, Arizona                  Georgia
LOUIE GOHMERT, Texas                 PEDRO R. PIERLUISI, Puerto Rico
JIM JORDAN, Ohio                     JUDY CHU, California
TED POE, Texas                       TED DEUTCH, Florida
JASON CHAFFETZ, Utah                 LUIS V. GUTIERREZ, Illinois
TOM MARINO, Pennsylvania             KAREN BASS, California
TREY GOWDY, South Carolina           CEDRIC RICHMOND, Louisiana
MARK AMODEI, Nevada                  SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho                 JOE GARCIA, Florida
BLAKE FARENTHOLD, Texas              HAKEEM JEFFRIES, New York
GEORGE HOLDING, North Carolina
DOUG COLLINS, Georgia
RON DeSANTIS, Florida
KEITH ROTHFUS, Pennsylvania

           Shelley Husband, Chief of Staff & General Counsel
        Perry Apelbaum, Minority Staff Director & Chief Counsel
                                 ------                                

Subcommittee on Crime, Terrorism, Homeland Security, and Investigations

            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman

                  LOUIE GOHMERT, Texas, Vice-Chairman

HOWARD COBLE, North Carolina         ROBERT C. ``BOBBY'' SCOTT, 
SPENCER BACHUS, Alabama              Virginia
J. RANDY FORBES, Virginia            PEDRO R. PIERLUISI, Puerto Rico
TRENT FRANKS, Arizona                JUDY CHU, California
JASON CHAFFETZ, Utah                 LUIS V. GUTIERREZ, Illinois
TREY GOWDY, South Carolina           KAREN BASS, California
RAUL LABRADOR, Idaho                 CEDRIC RICHMOND, Louisiana

                     Caroline Lynch, Chief Counsel

                     Bobby Vassar, Minority Counsel


                            C O N T E N T S

                              ----------                              

                             MARCH 13, 2013

                                                                   Page

                           OPENING STATEMENTS

The Honorable F. James Sensenbrenner, Jr., a Representative in 
  Congress from the State of Wisconsin, and Chairman, 
  Subcommittee on Crime, Terrorism, Homeland Security, and 
  Investigations.................................................     1
The Honorable Robert C. ``Bobby'' Scott, a Representative in 
  Congress from the State of Virginia, and Ranking Member, 
  Subcommittee on Crime, Terrorism, Homeland Security, and 
  Investigations.................................................     3
The Honorable Bob Goodlatte, a Representative in Congress from 
  the State of Virginia, and Chairman, Committee on the Judiciary     8
The Honorable John Conyers, Jr., a Representative in Congress 
  from the State of Michigan, and Ranking Member, Committee on 
  the Judiciary..................................................    12

                               WITNESSES

Jenny S. Durkan, United States Attorney, Western District of 
  Washington, U.S. Department of Justice
  Oral Testimony.................................................    15
  Prepared Statement.............................................    18
John Boles, Deputy Assistant Director, Cyber Division, Federal 
  Bureau of Investigation, U.S. Department of Justice
  Oral Testimony.................................................    29
  Prepared Statement.............................................    32
Robert Holleyman, President and CEO, BSA, The Software Alliance
  Oral Testimony.................................................    38
  Prepared Statement.............................................    40
Orin S. Kerr, Fred C. Stevenson Research Professor, George 
  Washington University Law School
  Oral Testimony.................................................    45
  Prepared Statement.............................................    47

          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING

Material submitted by the Honorable Robert C. ``Bobby'' Scott, a 
  Representative in Congress from the State of Virginia, and 
  Ranking Member, Subcommittee on Crime, Terrorism, Homeland 
  Security, and Investigations...................................     5
Material submitted by the Honorable Bob Goodlatte, a 
  Representative in Congress from the State of Virginia, and 
  Chairman, Committee on the Judiciary...........................     9
Prepared Statement of the Honorable Bob Goodlatte, a 
  Representative in Congress from the State of Virginia, and 
  Chairman, Committee on the Judiciary...........................    11
Prepared Statement of the Honorable John Conyers, Jr., a 
  Representative in Congress from the State of Michigan, and 
  Ranking Member, Committee on the Judiciary.....................    13


        INVESTIGATING AND PROSECUTING 21ST CENTURY CYBER THREATS

                              ----------                              


                       WEDNESDAY, MARCH 13, 2013

                        House of Representatives

                   Subcommittee on Crime, Terrorism, 
                 Homeland Security, and Investigations

                       Committee on the Judiciary

                            Washington, DC.

    The Subcommittee met, pursuant to call, at 11:35 a.m., in 
room 2237, Rayburn Office Building, the Honorable F. James 
Sensenbrenner, Jr. (Chairman of the Subcommittee), presiding.
    Present: Representatives Sensenbrenner, Goodlatte, Gohmert, 
Coble, Forbes, Franks, Chaffetz, Gowdy, Scott, Conyers, Chu, 
and Richmond.
    Staff present: (Majority) Caroline Lynch, Chief Counsel; 
Sam Ramer, Counsel; Alicia Church, Clerk; (Minority) Bobby 
Vassar, Minority Counsel, and Joe Graupensperger, Counsel.
    Mr. Sensenbrenner. Because the President is coming to 
address the Republican Conference of the House, this hearing 
will end at 1:00 sharp. So would everybody please make note of 
that and judge their time accordingly?
    I would like to welcome everybody to the first hearing of 
the Subcommittee, acknowledge the Ranking Member, the gentleman 
from Virginia, Mr. Scott, and also welcome the full Committee 
Chair, Mr. Goodlatte.
    Today's hearing will investigate our focus on how America 
investigates and prosecutes 21st century cyber threats. The 
United States has been the subject of the most coordinated and 
sustained computer attacks the world has ever seen. Rival 
nations, particularly China, have been invading corporate 
computer systems and stealing intellectual property at an 
increasing rate.
    Spying between governments has always been a fact of life, 
but in the digital age the spying is more pervasive and harder 
to guard against. The systematic and strategic theft of 
intellectual property by foreign governments threatens one of 
America's most valuable commodities, our innovation and hard 
work.
    In 2011, the American Superconductor Corporation supplied 
sophisticated software for wind turbines to Sinovel, a giant 
Chinese wind turbine corporation. When American engineers went 
to China to repair a wind turbine, they discovered that Chinese 
wind turbines were already using a stolen version of the 
American software. Worse, the Chinese company had complete 
access to the American company's proprietary source code. 
Because they possessed this important code, the Chinese did not 
need the American Superconductor Corporation anymore.
    A few months later, Sinovel abruptly began turning away 
shipments. On April 5, 2011, the American Superconductor 
Corporation had no choice but to announce that Sinovel, its 
biggest customer, accounting for more than two-thirds of the 
company's $315 million in revenue in 2010, had stopped making 
purchases. The result for the American company: investors fled, 
erasing 40 percent of the company's value in a single day, and 
84 percent of its value by September 2011.
    This week, the Obama Administration has finally increased 
public pressure on Chinese cyber spying. On Monday, the 
President's national security advisor announced what the media 
has called the White House's most aggressive response to a 
series of military-style hacks of American corporations. 
Describing the problem as a key point of concern in discussion 
at all levels of government, Mr. Donilon said Beijing should 
take serious steps to investigate and put a stop to these 
activities. I agree.
    The fact that such mild comments have been termed the 
Administration's most aggressive ever may be part of the 
problem. When one country decides to advance its economy by 
stealing our intellectual property, we must do more than simply 
ask Beijing to investigate. Make no mistake. Sinovel stole 
hundreds of millions of dollars from the American 
Superconductor Corporation. This is a company that received 
over $20 million in stimulus money from U.S. taxpayers. But far 
from demanding our $20 million, the Administration's strongest 
rebuke has been to ask that Beijing take serious steps to 
investigate.
    We simply cannot outsource the fight against cybercrime to 
international diplomacy. The theft of valuable intellectual 
property is a serious strategic threat to the American economy, 
and it must be treated as such by U.S. law enforcement.
    Congress has repeatedly addressed the issue of cybercrime. 
In 2000 or in 1986, Congress implemented the Computer Fraud and 
Abuse Act as a tool for law enforcement to combat computer 
crimes. As computer crimes continue to evolve, so, too, has the 
CFAA, which Congress has amended eight times since its 
enactment. It may be time for Congress to augment and approve 
the CFAA and other criminal statutes to enable law enforcement 
to combat international criminal enterprises.
    The Administration has taken initial steps to address the 
growing cyber threat. We applaud the Administration for its 
efforts, but it remains to be seen whether these steps will 
actually work.
    Today the Committee will look at the criminal laws and 
investigative tools to combat cybercrime. We will determine 
what changes can be made to our criminal laws to more 
effectively combat and deter the cyberattacks we are enduring. 
We will discuss what protection can be provided for the privacy 
of Americans through data breach notification laws, and we will 
discuss what steps can be taken by this Committee to protect 
the intellectual property and sensitive government information 
that hackers in foreign governments seek to obtain.
    As we saw from China's cyberattack on Google and other 
companies, America's edge in innovation and technical 
superiority can be compromised by competing countries that make 
theft of intellectual property a national strategy. I look 
forward to hearing more about this issue and thank all of our 
witnesses for participating in today's hearing.
    It is now my pleasure to recognize for his opening 
statement the Ranking Member of the Subcommittee, the gentleman 
from Virginia, Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman.
    Mr. Chairman, because of our growing reliance on Internet 
and computer networks, I welcome today's hearing to examine the 
cyber threats we face and to discuss how we can better protect 
ourselves against them.
    This hearing comes at a time when there's a rise in the 
disparity of cyber threats, and so an update of our computer 
crime statutes may have to be considered. It is critical that 
we work together on this effort with the Members of Congress, 
Administration, with the business community, and with private 
advocates to find ways to enhance the security of our 
government information systems, business computer systems, and 
our personal use of the Internet.
    And while it is the job of Congress to evaluate and update 
our laws in response to changing circumstances, we have to be 
careful that any changes we make will actually improve the law, 
and not just ratchet up penalties in an exercise of sound bite 
politics. Often the problem is a lack of enforcement, 
investigation, and prosecution, and so penalties become 
irrelevant if a case is not even investigated in the first 
place.
    This is particularly important in the case of the Computer 
Fraud and Abuse Act, a law whose breadth of scope and sometimes 
questionable application has already generated concern by 
citizens and narrowing by the courts. In the last Congress, we 
met to discuss many of these same issues, and the cyber threats 
of course remain an urgent issue of national economic and 
personal security. At that time, I raised concerns about one 
provision in the proposed law, and that was the mandatory 
minimum sentencing for certain crimes of damaging political 
critical infrastructure computers.
    This Committee has heard a lot of testimony on mandatory 
minimums. They have been found to waste the taxpayers' money, 
do nothing about crime, and often result in sentences that are 
violative of common sense. This Committee has recently also 
focused on the issue of federalism, so we have to be concerned 
about whether the Computer Fraud and Abuse Act appropriately 
focuses on behavior that we all believe rises to the level of 
Federal criminal liability.
    That statute was originally enacted to deal with intrusions 
into computers, what we now call hacking, and since that time 
we have extended the scope of the law on several occasions, 
which has led to expansive use in recent years, which have 
generated concerns on both sides of the aisle. I hope we can 
work together to address those concerns.
    Mr. Chairman, we know that criminals target computers and 
cyber networks of individual companies and our government. That 
is why we have to enhance the protective measures that we take 
at every level to prevent cyber intrusions. I applaud the 
President's resolve to work with industry to better resolve our 
critical infrastructure. His executive order will improve the 
sharing of information with industry and establish a framework 
for best practices to help companies step up cyber protection.
    As in every area of crime policy, public safety demands 
that we engage in level-headed efforts to identify and 
implement comprehensive evidence-based solutions, and I hope we 
can do that in this case.
    Before I close, Mr. Chairman, I ask unanimous consent that 
a letter signed by 20 Internet companies expressing their 
concerns about the scope of the current Computer Fraud and 
Abuse Act be entered into the record.
    Mr. Sensenbrenner. Without objection.
    [The information referred to follows:]

    
    
    
    
    
    


                               __________
    Mr. Sensenbrenner. And it is now my pleasure to recognize 
for his opening statement the Chairman of the full Committee, 
the gentleman from Virginia, Mr. Goodlatte.
    Mr. Goodlatte. Thank you, Mr. Chairman. I very much 
appreciate your holding this hearing, and I will submit my full 
statement for the record in order to save a little time for our 
witnesses. But I do want to make a few points.
    First of all, yesterday, and I would submit these for the 
record, the Secret Service launched an investigation of the 
alleged hacking of private information of Vice President Joe 
Biden, First Lady Michelle Obama, FBI Director Robert Mueller, 
Attorney General Eric Holder, and many others. And the 
President yesterday also acknowledged that hacking of personal 
data is a big problem.
    Mr. Sensenbrenner. Without objection, the material will be 
entered.
    [The information referred to follows:]

    
    
    
    
                               __________

    Mr. Goodlatte. Thank you. But that is just the beginning of 
this problem. Cyber intrusions are just the tip of the iceberg. 
In November 2011, the National Counterintelligence Executive, 
the agency responsible for countering foreign spying on the 
U.S. government, issued a report that hackers and illicit 
programmers in China and Russia are pursuing American 
technology in industrial secrets jeopardizing an estimated $400 
billion dollars in U.S. research spending.
    According to the report, China and Russia view themselves 
as strategic competitors of the United States, and are the most 
aggressive collectors of U.S. economic information and 
technology.
    Further, in January of this year, the New York Times 
reported it is has been the victim of a sustained cyberattack 
by Chinese hackers. Shortly afterward, the Wall Street Journal 
and Washington Post also reported they, too, had been breached 
by similar sources. The Times commissioned a report from 
Mandiant, a private investigative agency which traced the 
cyberattacks to a unit of the Chinese People's Liberation Army. 
According to the report, the Chinese are engaged in massive 
cyber spying on the American industrial base and in areas the 
Chinese are trying to develop for their own national purposes.
    Earlier this year, the Administration issued a 
cybersecurity executive order and presidential directive aimed 
at helping secure America's cyber networks. The executive order 
is a first step toward protecting our public and private 
networks from attack, but Congress can and must do more. The 
Judiciary Committee is responsible for ensuring that our 
Federal criminal laws keep pace with the ever-evolving cyber 
landscape. Our challenge is to create a legal structure that 
protects the invaluable government and private information that 
hackers seek to exploit while allowing the freedom of thought 
and expression that made this country great.
    I would submit the rest of my statement for the record, and 
I thank the Chairman.
    [The prepared statement of Mr. Goodlatte follows:]

Prepared Statement of the Honorable Bob Goodlatte, a Representative in 
  Congress from the State of Virginia, and Chairman, Committee on the 
                               Judiciary

    Thank you, Chairman Sensenbrenner.
    The 21st century has brought us a more connected, inter-dependent 
world. The Internet and portable computer systems make it possible for 
people, businesses and governments to interact on a global level never 
seen before.
    The United States, with its bounty of personal freedom and free 
enterprise, is a leader in advancing the technology that enables us to 
stay in touch almost everywhere with almost everyone.
    However, our technological advancement also makes the United States 
increasingly vulnerable to cyber attacks--from routine cyber crimes to 
nation-state espionage. Earlier this week, we all heard about the high 
profile cyber breach that exposed sensitive personal and financial 
information about high-ranking government officials and celebrities 
from FBI Director Mueller and Attorney General Holder to Beyonce and 
Donald Trump. The truth is that all citizens are vulnerable to these 
kinds of cyber attacks.
    We are also currently experiencing a profound cyber-spying conflict 
on the nation-state level. Most Americans are familiar with the 
Wikileaks case, which resulted in the public disclosure of hundreds of 
thousands of secret State Department cables. And many of us are 
familiar with the cyber attack on the Chamber of Commerce, in which 
Chinese hackers gained access to the files on the Chamber's 3 million 
member companies.
    But these cyber intrusions are just the tip of the iceberg. In 
November, 2011, the National Counterintelligence Executive, the agency 
responsible for countering foreign spying on the U.S. government, 
issued a report that hackers and illicit programmers in China and 
Russia are pursuing American technology and industrial secrets, 
jeopardizing an estimated $398 billion in U.S. research spending. 
According to the report, ``China and Russia view themselves as 
strategic competitors of the United States and are the most aggressive 
collectors of U.S. economic information and technology.'' The report 
drew on 2009-2011 data from at least 13 agencies, including the Central 
Intelligence Agency and the Federal Bureau of Investigation.
    And in January of this year, the New York Times reported it has 
been the victim of a sustained cyber attack by Chinese hackers. Shortly 
afterward, the Wall Street Journal and the Washington Post also 
reported they too had been breached by similar sources. The Times 
commissioned a report from Mandiant, a private investigative agency, 
which traced the cyber attacks to a unit of the Chinese People's 
Liberation Army. According to the report, the Chinese are engaged in 
massive cyber spying on the American industrial base and in areas the 
Chinese are trying to develop for their own national purposes.
    Earlier this year, the Administration issued a cyber security 
Executive Order and Presidential Directive aimed at helping secure 
America's cyber networks. The Executive Order is a first step towards 
protecting our public and private networks from attack. But Congress 
can and must do more. The Judiciary Committee is responsible for 
ensuring that our federal criminal laws keep pace with the ever-
evolving cyber landscape.
    Our challenge is to create a legal structure that protects the 
invaluable government and private information that hackers seek to 
exploit, while allowing the freedom of thought and expression that made 
this country great. One thing is clear: cyber attacks can have 
devastating consequences for citizens, private industry and America's 
national security and should be treated just as seriously as more 
traditional crimes by our criminal justice system.
    The risks to our national infrastructure, our national wealth, and 
our citizens are profound, and we must protect them. We must not allow 
cyber crime to continue to grow and threaten our economy, safety and 
prosperity.
                               __________

    Mr. Sensenbrenner. Without objection, the Ranking Member 
and Chairman Emeritus of the Committee, the gentleman from 
Michigan, Mr. Conyers.
    Mr. Conyers. Thank you, Chairman Sensenbrenner.
    I would like to welcome the witnesses and note that I am 
reintroducing today a bill that I introduced in 2012, July or 
August, the Cyber Privacy Fortification Act, which will create 
a strong standard for data breach notification, which does not 
exist now, and is a great reason for us to be conducting this 
hearing. It requires a data breach activity to be made public, 
notified to us so that we can measure just what is going on.
    Cyberattacks have increased, according to the National 
Security Agency, by 44 percent. And many of these attacks are 
perpetrated by criminals operating beyond our national 
boundaries, intent on stealing our intellectual property, 
assessing financial accounts, and compromising our critical 
infrastructure.
    And so, we have got a problem here, and it is one that I 
think this Committee is perfectly suited to handle. And I would 
recommend, and I will be looking for discussion on this, the 
increasing collaboration necessary between the government and 
the private sector on cybersecurity, but not at the expense of 
the privacy of innocent citizens. We must not toss aside 
existing privacy restrictions to grant the government and law 
enforcement unwarranted access to private communications.
    The Administration and others have called for private 
sector companies to be allowed to share communications in their 
possession for the purpose of protecting against cyber threats. 
We must require that any additional sharing only be allowed to 
occur if information is removed that can be used to identify 
persons unrelated to the cybersecurity threat itself.
    And then in addressing a recent cybersecurity conference, 
FBI Director Mueller emphasized the law enforcement-focused 
need for this information is limited to threats and attacks, 
not other sensitive information about company secrets or 
customers. This must be the condition for enhancing 
collaboration between the government and the private sector to 
better secure our computer networks.
    And finally, the Internet has made the world a smaller 
place, and because cyberattacks are often launched outside of 
our borders, now more than ever, we need a diplomatic 
engagement to increase cooperation between nations and 
cybersecurity issues. In other words, diplomacy is going to 
have a larger role in this activity.
    I submit the rest of my statement, and I yield back to the 
Chairman.
    Mr. Sensenbrenner. Without objection, the rest of the 
statement will be included in the record.
    [The prepared statement of Mr. Conyers follows:]

Prepared Statement of the Honorable John Conyers, Jr., a Representative 
 in Congress from the State of Michigan, and Ranking Member, Committee 
                            on the Judiciary

    Good morning. This hearing focuses on a topic that is very 
important to the country and this Committee.
    Last year, the head of the National Security Agency warned that 
cyber attacks had increased by 44%. With the proliferation of these 
attacks, especially those perpetrated by criminals operating beyond our 
national boundaries intent on stealing our intellectual property, 
accessing financial accounts, and compromising our critical 
infrastructure, we must take additional steps to protect our cyber 
networks.
    To start with, we need a strong national requirement for reporting 
data breaches. When a company has suffered a cyber attack that has 
resulted in the compromise of sensitive information of consumers, they 
should report the attack to law enforcement and notify affected 
consumers.
    As it stands now, there are 47 different state laws with different 
data breach notice requirements. This often makes compliance more 
complex and difficult than it should be. A national standard should be 
strong enough to provide appropriate notice so that individuals may be 
on guard against any subsequent identity theft and law enforcement is 
able to investigate these intrusions.
    That is why I am reintroducing my Cyber Privacy Fortification Act, 
which will accomplish this.
    Next, we must increase collaboration between the government and the 
private sector on cyber security, but not at the expense of the privacy 
of innocent citizens. We must not toss aside existing privacy 
restrictions to grant the government and law enforcement unwarranted 
access to private communications. The Administration and others have 
called for private sector companies to be allowed to share 
communications in their possession for the purpose of protecting 
against cyber threats.
    We must require that any additional sharing only be allowed to 
occur if information is removed that can be used to identify persons 
unrelated to the cyber security threat.
    In addressing a recent cyber security conference, FBI Director 
Mueller emphasized that law enforcement's focused need for this 
information is limited to the threats and attacks, not other sensitive 
information about company secrets or customers. This must be the 
condition for enhancing collaboration between government and the 
private sector to better secure our computer networks.
    Finally, now more than ever, we need diplomatic engagement to 
strengthen cooperation between nations on cyber security because the 
Internet has made the world a smaller place, and because cyber attacks 
are often launched from outside our borders. The interconnected nature 
of the Internet allows for communication across all borders, but also 
allows some cyber criminals to hide from prosecution behind 
international boundaries.
    Even if we improve our domestic computer crime laws, those laws are 
only as effective against international criminals as our ability to 
find, investigate, and prosecute them.
    The State Department and our federal law enforcement agencies must 
take steps to reinforce international relationships so that their 
foreign colleagues enhance their capabilities to find and preserve 
evidence of cyber crime, extradite criminals to the United States, and 
prosecute these criminals in their own courts when extradition is not 
possible.
    I commend the Crime Subcommittee for discussing this issue, and 
with these thoughts in mind, we can better protect our cyber networks 
from intrusion while protecting our civil liberties and preserving the 
openness of the Internet.
                               __________

    Mr. Sensenbrenner. And without objection, all Members' 
opening statements will be included in the record.
    We have a very distinguished panel today, and I will begin 
by recognizing the gentlewoman from Washington, Ms. DelBene, 
who will introduce the first witness.
    Ms. DelBene. Thank you, Mr. Chair. It is my pleasure to 
introduce Jenny Durkan. Ms. Durkan currently serves as the 
United States attorney for the Western District of Washington, 
where my district is located. She is the top Federal law 
enforcement officer of 19 counties in western Washington. She 
was nominated by President Obama in May of 2009 and was 
confirmed by unanimous vote of the U.S. Senate on September 29 
of 2009.
    Ms. Durkan chairs the Attorney General's Advisory 
Subcommittee on Cybercrime and Intellectual Property 
Enforcement. She is also a member of three other subcommittees: 
Terrorism and National Security, Civil Rights, and Native 
American Issues.
    Ms. Durkan is a Seattle area native who grew up in 
Issaquah, Washington, graduated from the University of Notre 
Dame, and received her law degree from the University of 
Washington.
    Thank you, Mr. Chair.
    Mr. Sensenbrenner. Before recognizing you, Ms. Durkan, let 
me introduce the rest of the members of the panel.
    Mr. Boles currently serves as the deputy assistant director 
for the cyber division of the FBI, where he oversees FBI cyber 
operations and investigations.
    He entered on duty with the FBI in Sacramento in 1995, 
where he successfully investigated an Internet Ponzi scheme 
that defrauded 15,000 victims in 57 countries. In 2009, as 
assistant special agent in charge of the San Diego Division, he 
oversaw six investigative squads over cyber and white-collar 
crime matters, as well as directing the administrative program 
from the office.
    Mr. Boles was a legal attache? to Kiev, Ukraine in 2003, 
where he successfully facilitated the first extradition from 
Ukraine to the United States. He served as the special 
assistant director, national security branch, and in 2011 was 
selected as the special agent in charge of the Norfolk FBI 
office.
    He is a graduate of the University of Georgia.
    Mr. Robert Holleyman serves as president and CEO of BSA, 
the Software the Alliance. He was also appointed by President 
Barack Obama to serve on the Advisory Commission for Trade 
Policy and Negotiations, the principle advisory Commission for 
the U.S. government on trade matters. He oversaw an innovative 
study of cloud computing-related policies around the world, and 
is an advocate for breaking down barriers that cloud providers 
face when they do business internationally. He also was an 
early proponent for policies that promote the widespread 
deployment of security technologies and to build public trust 
and confidence in cyber space.
    He has testified before Congress, the European Commission, 
the World Intellectual Property Organization, and other 
governing bodies on technology, trade, and economic matters. He 
previously served as a counselor and legislative advisor in the 
Senate, an attorney in private practice, then a judicial clerk 
in the U.S. District Court.
    He holds a bachelor's degree from Trinity University in San 
Antonio, where he was named distinguished alumnus in 2012, and 
received his law degree from Louisiana State University. He 
completed the Stanford Executive Program at the Stanford 
Graduate School of Business.
    Professor Orrin Kerr is a professor law at George 
Washington University, where he teaches criminal law, criminal 
procedure, and computer crime law. Before joining the faculty 
in 2001, Professor Kerr was an honors program trial attorney in 
the Computer, Crime, and Intellectual Property section of the 
criminal division at the Department of Justice, as well as the 
special assistant U.S. attorney for the Eastern District of 
Virginia.
    He is a former law clerk for Justice Anthony Kennedy of the 
U.S. Supreme Court and Judge Leonard Garth of the U.S. Court of 
Appeals for the 3rd Circuit. In the summer of 2009 and '10, he 
served as special counsel for the Supreme Court nominations to 
Senator John Cornyn and the Senate Judiciary Committee. He has 
also been a visiting professor at the University of Chicago Law 
School and the University of Pennsylvania Law School.
    He received his bachelor of science degree in engineering 
from Princeton, master of science from Stanford, and earned his 
juris doctor from Harvard Law School.
    Now, each of the witnesses' written testimony will be 
entered into the record in its entirety, and I ask that each 
witness summarize his or her testimony in 5 minutes or less. 
And I am going to be kind of like the chief justice given the 
time constraints that we have with the President coming. So 
when the little red light appears before you, time is up.
    So we will start with you, Ms. Durkan.

 TESTIMONY OF JENNY S. DURKAN, UNITED STATES ATTORNEY, WESTERN 
       DISTRICT OF WASHINGTON, U.S. DEPARTMENT OF JUSTICE

    Ms. Durkan. Thank you. Good afternoon, Chairman 
Sensenbrenner, Ranking Member Scott, and Members of the 
Subcommittee. Thank you for the opportunity to testify before 
you this afternoon regarding the investigation and prosecution 
of cyber threats to our Nation. I want to thank Congresswoman 
DelBene for the introduction and for her service to our 
district.
    As United States attorney, I see the full range of threats 
to our communities and to our Nation. Few things are as 
sobering as the daily cyber threat briefing I receive.
    Technology is changing our economy and our daily lives. We 
have witnessed the rapid growth of wonderful companies, 
lifesaving technologies, and the way we connect with others. 
Unfortunately, the good guys are not the only innovators. We 
have also seen growth in the number and the sophistication of 
bad actors exploiting the new technology. Financially motivated 
international rings have stolen large quantities of personal 
data. Criminal groups develop tools and techniques to disrupt 
and damage computer systems. State actors and organized 
criminals have demonstrated the desire and the capability to 
steal sensitive data, trade secrets, and intellectual property.
    One particular area of concern is computer crime that 
invades the privacy of individual Americans. Every day, 
criminals hunt for our personal and financial data, which they 
use to commit fraud or to sell to other criminals. Hackers 
perpetrate large-scale data breaches that leave hundreds of 
thousands, if not millions, susceptible to identity theft.
    The national security landscape has evolved dramatically in 
recent years. Although we have not yet experienced a 
devastating cyberattack against our critical infrastructure, we 
have been victim to a range of malicious cyber activities that 
siphon off valuable economic assets and threaten our Nation's 
security. There can be doubt. Cyber threat actors pose 
significant risks to our national security and our economic 
interests.
    Addressing those complex threats requires a unified 
approach that incorporates criminal investigative and 
prosecutorial tools, civil and national security authorities, 
diplomatic tools, public-private partnerships, and 
international cooperation. Criminal prosecution, whether here 
in the United States or by a partner country plays a central 
and critical role in this collaborative effort. We need to 
ensure that throughout the country members of the Department of 
Justice who are actively working on these threats have the 
investigative resources and forensic capabilities to deal with 
these challenges, and we appreciate the support this Committee 
has given in this regard.
    To meet these challenges, the Department has organized 
itself to ensure that we are in a position to aggressively 
investigate and prosecute cybercrime wherever it occurs. The 
criminal division's Computer Crime and Intellectual Property 
Section works with a nationwide network of over 300 Assistant 
United States Attorneys designated as our computer hacking and 
intellectual property prosecutors. They lead our efforts in 
this area.
    Similarly, the Department's National Security Division is 
organized to ensure that we are aggressively investigating 
national security cyber threats through a variety of means. 
These include counterespionage and counterterrorism 
investigations and prosecutions.
    Recognizing the diversity of the national security cyber 
threats and the need for a coordinated approach, the Department 
established last year a National Security Cyber Specialist 
Network. It brings together the Department's full range of 
expertise on national security-related cyber matters, drawing 
on experts from the National Security Division, the Criminal 
Division, U.S. attorney offices, and other department 
components to make sure that we have a centralized resource for 
prosecutors and agents around the country.
    Our efforts have led to a number of enforcement successes, 
two of which I will highlight later. But I will say that in our 
district we have been able to bring these prosecutions very 
successfully, and have made a difference for our citizens and 
for our businesses.
    Thank you.
    [The prepared statement of Ms. Durkan follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
                               __________

    Mr. Sensenbrenner. Thank you very much.
    Mr. Boles.

   TESTIMONY OF JOHN BOLES, DEPUTY ASSISTANT DIRECTOR, CYBER 
 DIVISION, FEDERAL BUREAU OF INVESTIGATION, U.S. DEPARTMENT OF 
                            JUSTICE

    Mr. Boles. Good morning, Chairman Sensenbrenner and 
distinguished Members of the Subcommittee. I appreciate the 
opportunity to be here today to talk to you about the cyber 
threat and how we are going about it with our partners to 
combat it.
    As the Subcommittee is aware, the number and sophistication 
of cyberattacks against our Nation's private sector and the 
government networks has increased dramatically over the recent 
years, and it expected to continue.
    We see four primary adversaries in the cyber world: spies 
who seek to steal our secrets and our intellectual property, 
organized criminals who want to steal our identities and our 
money, terrorists who would like to attack our critical 
infrastructure, and hacktivist groups who are trying to make a 
political or a social statement through the use of the 
Internet. The bottom line here is that we are losing data, 
money, ideas, and innovation to a wide range of cyber 
adversaries.
    FBI Director Mueller has stated that he expects the cyber 
threat to surpass the terrorism threat in our Nation in the 
coming years. That is why we are strengthening our cyber 
capabilities, much in the same way that we enhanced our 
intelligence and our national security capabilities in the wake 
of 9/11.
    The FBI recognized the significance of the cyber threat 
more than a decade ago, and in response the FBI developed a 
number of techniques to go after a strategy for responding to 
it. We created the Cyber Division. We elevated the cyber threat 
to our number three national priority behind only counter 
intelligence counterterrorism. We significantly increased our 
hiring of technically-trained agents, analysts, and forensic 
specialists, and we have expanded our partnerships with law 
enforcement, private industry, and academia.
    We have made progress since the cyber division was first 
created in 2002. Back then, we viewed it as a success when we 
were able to recognize that networks were being attacked. Just 
the fact that we saw it and recognized it was part of our 
success. So the next 8 or 9 years, attribution, which is 
knowing who is responsible for the attack on our computers and 
our networks, was considered the level of success, and we got 
very good tracking the Internet protocol address or the IP 
addresses back to their source to determine who was 
responsible.
    Now, we can often tell when the networks are being breached 
and are able to determine who is doing it. So the question now 
becomes as we move forward in this, is what are we going to do 
about it, or, how are we going to take action on this 
information that we have gathered.
    The perpetrators of these attacks are often overseas, and 
in the past tracking an IP back to a source in a foreign 
country, it usually led to a dead end investigatively. Since 
then we have imbedded cyber agents with law enforcement and 
several key countries, including Estonia, Ukraine, the 
Netherlands, and Romania. And we have worked with some of these 
countries to extradite subjects from their countries to stand 
trial in the United States.
    As I described in my written statement, the prime example 
of international collaboration came in the 2011 take down of 
Rove Digital, as company that was founded by a ring of Estonian 
and Russian criminals to commit a massive Internet fraud 
scheme. Seven of these have since been indicted in the Southern 
District of New York, two of which have been extradited to the 
United States now and are in U.S. custody, and one pled guilty 
last month.
    While we are proud of this and our other successes, we are 
continuing to push ourselves so that we can respond more 
rapidly and prevent attacks before they occur. Over the past 
year, under our current legal authorities and with our 
government partners, we successfully warned potential victims 
before an attack has occurred. They were then able to use that 
information to shore up their network defenses and combat the 
attack.
    As we go into now our next move here will be the next 
generation of cyber, and these have all come apart as our 
initiative to drive forward in the next gen. Next gen cyber 
entails a wide range of measures, including focusing the cyber 
division specifically on computer intrusion networks as opposed 
to crimes committed with the computers being the modality, 
hiring additional computer scientists to assist with the 
technical investigations at FBI field offices, and expanding 
our partnerships in collaboration with the National Cyber 
Investigative Joint Task Force, or the NCIJTF.
    Briefly, the NCIJTF is a compendium of 19 agencies who work 
together in a collaborative and information sharing environment 
so that we can almost in real time share information back and 
forth across the cyber threat.
    So the next step of that, of course, is our private sector 
outreach. We consider that as an important and as our next step 
for our whole of government team approach in combatting 
cybercrime. Now, we have reached into the industry, developed 
expertise with them, and are sharing as rapidly at unseen rates 
than we have seen in the past. We now realize that the 
information flow must go both ways, where in the past we have 
taken information and not necessarily given them back 
actionable intelligence. We have now actionable intelligence. 
We have now rectified that, and in developing our partnership, 
we are able to make that information flow go in both 
directions.
    So in conclusion, Mr. Chairman, to counter the threats that 
we face, we are engaging in an unprecedented level of 
collaboration within the U.S. government, with the private 
sector, and with international law enforcement. We look forward 
to continuing these partnerships and expanding them with the 
Committee and with Congress.
    And thank you very much. I look forward to your questions.
    [The prepared statement of Mr. Boles follows:]

    
    
    
    
    
    
    
    
    
    
    
    


                               __________
    Mr. Sensenbrenner. Thank you.
    Mr. Holleyman.

  TESTIMONY OF ROBERT HOLLEYMAN, PRESIDENT AND CEO, BSA, THE 
                       SOFTWARE ALLIANCE

    Mr. Holleyman. Mr. Chairman, Ranking Member Scott, Members 
of the Subcommittee, there are more than 400 million strains of 
malicious computer code in the world today, and their most 
frequent targets are here in the United States. And this costs 
American citizens and businesses well over $100 billion a year, 
and the losses are mounting.
    So I would like to recommend and outline a policy approach 
that BSA believes can help us address the nature of the threats 
that we face. It has three principle elements: first, promoting 
real time information sharing; second, strengthening law 
enforcement tools and resources; and third, supporting 
cybersecurity research and development.
    On the issue of promoting real time information sharing, we 
know that to prevent cyberattacks, we need to be able to 
identify threats in real time, and the best way to do that is 
to let IT professionals share information. And when companies 
and government agencies detect threats, they need to tell each 
other.
    Unfortunately there are legal barriers and commercial 
disincentives that stand in the way when the private sector 
tries to information with the government. First, there are 
liability concerns whenever you share commercial data, and, 
second, there is a risk of exposing trade secrets. And BSA 
believes that we need legislation that promotes information 
sharing by addressing these issues, and we need to do that in a 
way that carefully balances privacy and civil liberties 
concerns.
    Secondly, we believe that we need to strengthen law 
enforcement tools and resources. Identifying emerging threats 
is important, but it is not nearly enough. We also need to 
enhance our ability to deter criminal behavior with effective 
law enforcement. We should not be over zealous in prosecuting 
people for innocent mistakes or minor infractions, but we in 
the government need tools and resources that send a strong 
message that there will be appropriate punishment for serious 
cybercrimes.
    Third, the last element we need to do is to create 
something that is really fundamental that is elemental. We need 
to recognize that technology innovation is the best tool to 
combat long-term cyber threats, and BSA believes that we need a 
robust national R&D plan that involves technology companies, 
involve technologists within the governments, to develop the 
resources to take our technologies and our practices and 
improve our country's overall cybersecurity policy.
    Now, the issue of data breach notification has come up as 
well, and we appreciate Mr. Conyers' statement this morning. We 
know that we will never be completely risk-free or eliminate 
all the risks of cyberattacks. But as a separate, but related, 
matter to cybersecurity legislation, we also believe we should 
clarify how and when to notify people when a breach compromises 
their personal information.
    Today there are 47 States that have their own laws, and BSA 
supports replacing that patchwork with a well-crafted Federal 
law that simplifies compliance for businesses, but also ensures 
the proper notices when there is a breach of sensitive personal 
information.
    And lastly, when Congress is working on cybersecurity 
legislation, we also do that knowing that the Administration is 
beginning to implement the President's recent executive order. 
And we are encouraged by the emphasis that order places on 
innovation, and we welcome the Administration's plan to improve 
coordination of cybersecurity policy and increased information 
sharing from the government to industry. And these measures 
must embody principles that everyone can embrace.
    But it will take congressional oversight to ensure that the 
order is implemented effectively. And as the Administration 
develops the framework it envisions for protecting critical 
infrastructure, it will be especially important to forge a 
close partnership with industry. We believe that NIST should 
have a lead role in that, and done well, there is an 
opportunity for the framework to serve as a model for best 
practices that can be extended beyond just critical 
infrastructure.
    So I appreciate the opportunity to testify today. BSA looks 
forward to working with this Committee and Congress to upgrade 
America's cyber readiness. Thank you.
    [The prepared statement of Mr. Holleyman follows:]

    
    
    
    
    
    
    
    
    
    

                               __________
    Mr. Sensenbrenner. Thank you, Mr. Holleyman.
    Professor Kerr.

     TESTIMONY OF ORIN S. KERR, FRED C. STEVENSON RESEARCH 
       PROFESSOR, GEORGE WASHINGTON UNIVERSITY LAW SCHOOL

    Mr. Kerr. Mr. Chairman, Ranking Member Scott, and Members 
of the Subcommittee, thank you for the invitation to testify 
this morning.
    The Computer Fraud and Abuse Act is the primary Federal 
computer crimes statute, and its main prohibition is on 
unauthorized access to a computer. A year and a half ago, the 
Subcommittee had a relatively similar hearing to that today, 
and at that time I testified about some of the recent court 
decisions which had adopted a very broad interpretation of the 
Computer Fraud and Abuse Act, not only punishing what we would 
think of as hacking, breaking into a system, but also violating 
the terms of use on a computer, doing something contrary to an 
employer's interest while using a computer, and the like.
    And I warned about the implications of that broad 
interpretation of the Computer Fraud and Abuse Act. Everyone 
agrees that the law should punish serious computer crimes, but 
I hope we would also agree that the law should not punish 
completely innocent activity, the kind of innocent activity 
that most Americans engage in every day might be violating 
terms of use on a Web site. That is that little language that 
nobody reads off to the corner that everybody blows by when 
they go to use a Web site or an Internet service. It should not 
be that violating those terms of service is a crime. Some 
Federal circuits have, in fact, indicated that that is the 
case.
    And a lot has changed, though, in the last 18 months since 
the last hearing. In the 9th Circuit, the en banc 9th Circuit 
in United States v. Nozol, concluded that the Computer Fraud 
and Abuse Act does not apply to breach of employer restrictions 
on access to a computer, and is relegated only to sort of 
classic breaking into a machine, what we might call hacking or 
we think of as hacking, what the court called circumventing a 
technological access barrier.
    Also in 2012, the 4th Circuit decided a case, concluding 
that an employee that acts in a way disloyal to an employer 
while using the employer's network is not violating the 
Computer Fraud and Abuse Act, creating a disagreement between 
the decision of the 4th Circuit and another decision of the 7th 
Circuit, which it indicated that that would be a Federal crime.
    So right now, the state of the law in the lower courts 
interpreting this critical phrase of this critical statute, the 
Computer Fraud and Abuse Act, is essentially in disarray. There 
are circuits that are all over the map in terms of just 
figuring out what this prohibition means, what is this statute 
that has been on the books for 25 years.
    So I think this Committee basically has two choices. One is 
to do nothing and let the Supreme Court figure it out. There is 
a circuit split. That means usually the Supreme Court at some 
point will step in and resolve the uncertainty and either pick 
the narrow view of the statute, or the broad view of the 
statute, or something in between, or Congress could act and 
actually clarify which interpretation of the statute is the 
right one.
    I think this Congress should act. This is a question 
ultimately of what Congress wants to prohibit, and I think the 
best approach is for Congress to enact the narrow view of the 
Computer Fraud and Abuse Act, essentially codifying the rule of 
the 9th Circuit, United States v. Nozol, that what this statute 
does is prohibit breaking into a computer.
    We are not meeting here because we are worried about 
individuals breaching terms of service. We are not worried 
about employees of companies checking Facebook on company time. 
We are worried about people hacking into critical 
infrastructure, people accessing United States' secrets that 
are stored on computers from abroad. Those are problems which 
would be prosecuted and criminalized under any interpretation 
of the Computer Fraud and Abuse Act. But I think it is 
essential that Congress narrow the statute and expressly adopt 
this narrow view rather than just wait for the Supreme Court to 
try to figure it out.
    We do not know what would happen if the Supreme Court took 
this case, and in all likelihood, no matter what the Supreme 
Court would do, we would probably be back here to try to figure 
out what the laws should look because there are hard cases to 
be dealt with on either side.
    In particular, imagine the Supreme Court adopts the narrow 
view of the statute and says that the Computer Fraud and Abuse 
Act only prohibits classic hacking into a network. In that 
case, there is the problem of insiders. They are given access 
to the network, but they essentially steal secrets and then 
send them to somebody else or use them in some nefarious way or 
maybe give them to a foreign government. We of course need to 
make sure that that is prohibited as well.
    And there are statutory authorities that can do that, for 
example, the Theft of Trade Secrets Statute is available in 
those situations. But also we could amend the Interstate 
Transportation of Stolen Property Act, which is used to deal 
with the transferring of stolen property in the case of 
physical property. The Justice Department has tried 
unsuccessfully to use that statute to prosecute stolen 
information. The 2nd Circuit has said that is not a fair 
interpretation of the statute, and that could be amended to 
make sure the insider threat is dealt with.
    Thank you. I look forward to your questions.
    [The prepared statement of Mr. Kerr follows:]

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    


                               __________
    Mr. Sensenbrenner. Thank you very much. Because of the time 
constraints, the Chair will withhold his questions until the 
end if there is time remaining.
    And the Chair recognizes the gentleman from Arizona, Mr. 
Franks, to start the questions.
    Mr. Franks. Well, thank you, Mr. Chairman. And thank all of 
you for being here today. I do not envy your jobs. It is 
difficult when you are trying to marry highly esoteric 
technological issues with very precise legal enforcement and 
prosecution issues. So it is a difficult challenge.
    And it so happens that I am new on this Committee, so my 
primary familiarity with cybersecurity issues is on the 
Strategic Forces Committee where there is a national security 
component. And of course, it is an issue of the first 
magnitude.
    So my first question is to you, Mr. Boles. Given that some 
type of commercial cyber intrusion carries with it one set of 
concerns, and national security carries with it a whole 
different set of concerns.
    Are there different protocols or more latitude in existing 
law when you are doing what is necessary to protect our 
critical systems from national security threats or threats that 
have a national security nexus as opposed to the commercial 
intrusions?
    Mr. Boles. Thank you, sir. That leads right into why I 
spoke briefly about the next generation of cyber initiative. 
And one of the things that we have seen, that we have 
implemented in the change of that initiative is putting all 
tools in the toolbox. We recognize that in the cyber world, 
crimes are essentially without borders, as one of the gentlemen 
said, that the world has gotten smaller, crimes without 
borders. And it is often difficult to tell at the outset is it 
criminal or is it national security oriented.
    So one of the things that we, working with the DoJ partners 
and with our other law enforcement partners, is how do we bring 
all the tools to the toolbox to combat the threat? So, for 
example, if it is a nation-state actor who is attempting 
economic espionage and stealing trade secrets, that then may 
enhance their national economy and/or structure. Is that 
criminal? Is it national security? I would say that it is both, 
and we have both sets of tools that we can bring to it.
    So it gives us a wide latitude. It makes us a much more 
nimble law enforcement community to go after and combat these 
threats by being able to put the appropriate tool against the 
appropriate threat.
    Mr. Franks. But once you identify whether it is a national 
security threat or it is simply a commercial threat, do you 
have a different set of criteria in the law as it is now to 
combat those, or are they treated essentially the same as far 
as your tools to respond?
    Mr. Boles. Again, I will tell you it sounds a little bit 
like I am going to hedge on you, but I am not. The fact of the 
matter is that by having both sides in the toolbox, we have 
kind of melded the two protocols together.
    So what that means is, let us say, for example, we 
determine that is, in fact, a straight national security, you 
know, intrusion or theft, you know. How can we go about 
disrupting that? Part of the next generation cyber initiative 
is to identify the hands on the keyboard, you know, the skin 
behind the screen, and how do we go after them and disrupt 
that? So that is through criminal prosecution? Is that through 
working with our intelligence partners and our foreign partners 
overseas to disrupt in other manner or shutting off access?
    It is a multitude of options that are open to us by doing 
that. So I would tell you that the protocols, by going to the 
all tools approach, actually gives us access to both protocols 
through the entirety of the investigation.
    Mr. Franks. What would you suggest to this Committee, if we 
were to apportion our concern for each of those two things I 
mentioned, commercial intrusion as opposed to those threats 
that have a national security nexus.
    When you identify these threats, what would you suggest 
would be the proportion, I mean, how much under attack from 
your point of view, and we are familiar with it in some of the 
security committees. But from your point of view in the FBI, 
what would you suggest is the state of the union here as far as 
our protection from national security cyber threats? Do you 
think that we are facing pretty significant challenges?
    Mr. Boles. We are absolutely facing significant challenges.
    Mr. Franks. That was a leading question.
    Mr. Boles. Yes, it was. [Laughter.]
    Mr. Franks. I am very familiar with just how serious they 
are in some ways. And I guess I would like to put something on 
your radar. It is not really in the form of a question, but I 
am concerned, and we are concerned on some of the security 
committees that intentional electromagnetic interference may 
someday be or EMP may be our ultimate cybersecurity threat in 
terms of a national security destructive to try to disrupt our 
systems. And I would hope that we would have that on the radar. 
I realize that is a little ways down the road, but perhaps not 
as far as it should be.
    And I appreciate all of you for what you are doing. You are 
kind of the front line of freedom, even though people do not 
see you and appreciate it.
    Thank you, Mr. Chairman.
    Mr. Sensenbrenner. The time of the gentleman has expired.
    The gentleman from Virginia, Mr. Scott.
    Mr. Scott. Thank you, Mr. Chairman. And I would like to 
follow through on that same line of questioning, but I would 
like Ms. Durkan to respond with the various levels of 
seriousness. First, will the Administration have a 
recommendation to address the concerns that Professor Kerr 
pointed out that there is split in the circuits on 
interpretation. Do we have a recommendation on how to deal with 
that split in the circuits?
    Ms. Durkan. Thank you, Ranking Member Scott. As we have 
said in other forums, we believe that there needs to be some 
clarification to the law in terms of particularly what exceeds 
authorized access is. But we think that what we need to make 
sure is that there are a number of insiders who have access to 
very valuable and confidential information, and we have to make 
sure that we still have the law enforcement necessary to 
protect against that threat.
    Mr. Scott. Well, do you have a legislative recommendation?
    Ms. Durkan. We do not have a specific legislation 
recommendation, but we are willing to work with your staff and 
provide technical assistant to reach those goals.
    Mr. Scott. Are there any other elements of the crime that 
need clarification?
    Mr. Scott. There are additional ones we need clarification. 
I think that in our last year's proposal, we had how the 
difference between felonies, and misdemeanors, and previous 
offenses. And so, I think we can look at those issues.
    But I think that you are right, and it has been said before 
is the nature of the threat is evolving rapidly, and it ranges 
everything from the consumers whose private data is threatened 
by hackers to the national security threats. We at the 
Department of Justice have to deal with that full range of 
threats, and so the important thing for us right now is not to 
create greater gaps in the law, but to ensure we have the tools 
that we need.
    Mr. Scott. In your statement, you mentioned that judges 
would still, of course, make sentencing decisions on a case by 
case basis. Should we infer from that that the Administration 
will not have any mandatory minimums in its recommendations?
    Ms. Durkan. We are not recommending mandatory minimums in 
these recommendations. The judicial discretion, as you know, is 
very important for the judge to be able to determine what level 
of penalty is important.
    I want to emphasize the Department does that at each stage 
of prosecutions as well, whether an investigation is merited in 
the first place, whether charges should be brought, and then 
what plea or what sentence is appropriate.
    Mr. Scott. Well, we do not have to scour the 
recommendations for mandatory minimums, so we will assume that 
they are not there. Is that a fair assumption?
    Ms. Durkan. Yes, sir.
    Mr. Scott. And a lot of these crimes, there are overseas 
connections to some of these crimes. Does that create 
jurisdictional problems that we need to address legislatively?
    Ms. Durkan. There may be some legislative fix. We need to 
do that. The Department has already taken some steps on the 
international front. It is more and more important, more of 
these cyber cases. For example, in my district we recently 
prosecuted a case where a case where a small business in 
Seattle was hacked by someone who was in Maryland, who traded 
the card information he got to a Dutch citizen living in 
Romania, who then sold them to someone in Los Angeles.
    We were able to bring the person in Maryland, who has been 
prosecuted and convicted, as well as extradite the person from 
Romania charges pending against Los Angeles.
    So international cooperation is key, and we are working on 
many fronts to make sure we have the most robust system 
possible.
    Mr. Scott. Are any legislative changes needed to help you 
in that regard?
    Ms. Durkan. There may be some. There was one proposal that 
we had that was approved in the previous budget that gave us 
additional resources abroad, what we call our iChip Center, 
national cyber prosecutors, who can assist our foreign partners 
to make sure that we gather the evidence we need to bring the 
people an extradite them to America.
    Mr. Scott. Well, that brings me to my next question. A lot 
of this is resources and investigation. You have got these 
things in a statute. It is just a matter of priorities. This 
Committee has looked at things like ID theft where consumer ID 
theft cases are not brought because you just do not have the 
resources, organized retail theft for those cases are not 
investigated because of resources or funding. And somebody 
fails a background check on a gun purchase, nothing is done 
because you do not have the resources.
    I guess, Mr. Boles, if you focus more on cybercrime, do you 
have enough resources to do the other things you need to do? 
And as part of that, what effect will the sequester have on 
your ability to continue doing your work?
    Mr. Boles. I keep going back to the net gen cyber, and that 
was one of our functions and one of our driving forces in that.
    So the Cyber Division focuses entirely on intrusions and 
pushing forward for the high tech solution, but part of that 
was that we have also added impact and emphasis on the 
traditional cyber--I am sorry.
    Mr. Sensenbrenner. You can continue your sentence. 
[Laughter.]
    Mr. Boles. Okay. Under traditional cybercrime, much like on 
the ID theft, sir.
    Mr. Sensenbrenner. The time of the gentleman has expired.
    The gentleman from Michigan, Mr. Conyers.
    Mr. Conyers. Thank you very much. Members of the panel, 
most of our serious computer hacking threats come from other 
countries. Can any of you discuss with me and make a point 
about how we can better identify, stop, and prosecute these 
attacks?
    Your recollection of what happened in another case is very 
compelling because we want to improve the law protecting 
against cybercrime. And the whole idea of this hearing is to 
identify where we should be going.
    I think I have about the only general law on cyber privacy, 
which I introduced last year and will reintroduce today. And so 
I would appreciate, and the comments that have been made and 
any that may be added to this discussion.
    Who would like to volunteer?
    Ms. Durkan. I can address some of that, Congressman.
    First, I want to be clear. While the international cyber 
threat is growing and complex, we have a lot of homegrown cyber 
actors as well. In my district, we regularly prosecute people 
who are located right in our district who are able to do a 
significant amount of damage to both individual consumers and 
to businesses.
    With regards to your privacy legislation, obviously we have 
not had the opportunity to review it yet. We look forward to 
doing so and working with the staff of the Committee. I will 
say that it has always been the position of the Department of 
Justice that all legislative proposals should carefully balance 
both the need to deter and hold accountable the bad actors with 
consumer privacy and civil rights, as well as making sure we 
have the adequate public-private partnerships. And so we look 
forward to working with you on that bill.
    Mr. Conyers. Well, you have the kind of a Subcommittee here 
that is going to take this seriously. There have been so many 
things going on, especially in the Judiciary Committee, that it 
is easy for this to slip through the cracks. And I think this 
hearing is extremely important for focusing in on that.
    Mr. Holleyman. Mr. Conyers, let me say I think it is going 
to take a complement of laws and a mix like criminal statutes. 
I think the corollary around data breach notification can be 
very important, particularly if it also encourages the kind of 
incentives for companies to build in security practices so that 
if there is a breach of consumer data, that that data will be 
essentially useless because it is has been protected in the 
first instance.
    So I think as the Federal Government, we can do more to 
protect our citizens. I think the private sector can do more. 
And it is going to take a mix of civil and criminal statutes to 
effectively deal with this.
    Mr. Conyers. Professor Kerr?
    Mr. Kerr. Yeah, just one brief comment. So the substantive 
law, the Computer Fraud and Abuse Act, already jurisdictionally 
covers the world. It covers everything. In fact, the Computer 
Fraud and Abuse Act covers every computer that the United 
States government can regulate around the world under the 
Constitution, under the foreign commerce clause and under the 
interstate commerce clause. So it will certainly apply to a 
foreign hacker who hacks into U.S. computers, the U.S. hacker 
that hacks into foreign computers, or even a foreign person 
that hacks into other foreign computers through the U.S.
    So the substantive criminal law is very broad. The 
difficulty is always if somebody is outside the U.S., if the 
foreign government is going to cooperate with the U.S., then 
that is a way that the U.S. can have the person extradited and 
brought to the United States for prosecution. But if they are 
not a cooperative government, that is where the problem is 
going to be.
    Mr. Conyers. Well, you know, I think that we are going to 
have to put increased emphasis on our diplomacy aspect. I think 
the sooner, Chairman Sensenbrenner, that we begin to look at 
this part of this problem, the better off we are going to be in 
terms of getting as much cooperation as we can. Now, we know 
that is going to vary from country to country, but it is still 
very important.
    Mr. Sensenbrenner. The time of the gentleman has expired, 
and I agree with the last point that the gentleman from 
Michigan has made since the Internet is completely 
internationalized and knows no boundaries, either for doing 
good or breaking the law.
    The gentleman from Texas, Mr. Gohmert.
    Mr. Gohmert. Thank you, Mr. Chairman, and thank you to all 
the witnesses for your research, for your concerns, and for 
your testimony here today.
    It is my understanding that under 18 U.S.C. 1030, that it 
is a violation, a criminal violation, of our law to do anything 
that helps take control of another computer even for a moment. 
Is that your understanding? Some general nods.
    Mr. Kerr. It depends exactly what you mean by take control, 
but certainly if taking control includes gaining access to the 
computer in order to take--assuming a network, you are not 
supposed to take control of, then, yes, that would clearly be 
prohibited by the statute.
    Mr. Gohmert. All right. For example, my understanding is 
there was a recent example where someone had inserted malware 
on their own computer such that when their computer was hacked 
and the data downloaded, it took the malware into the hacker's 
computer, such that when it was activated, it allowed the 
person whose computer was hacked to get a picture of the person 
looking at the screen. So they had the person that did the 
hacking and actually did damage to all the data that was in the 
computer.
    Now some of us would think that is terrific. That helps you 
get at the bad guys. But my understanding is that since that 
allowed the hackee to momentarily take over the computer and 
destroy information in that computer, and to see who was using 
that computer, then actually that person would have been in 
violation, in the United States would have been in violation of 
18 U.S.C. 1030.
    So I am wondering if perhaps one of the potential helps or 
solutions for us would be to amend 18 U.S.C. 1030 to make an 
exception such that if the malware or the software that allows 
someone to take over a computer, is taking over a hacker's 
computer, than it is not a violation. Perhaps it would be like 
we do for, say, assaultive offenses, you have a self-defense. 
If this is part of a self-defense protection system, then it 
would be a defense that you violated 1030.
    Anybody see any problem with helping people by amending our 
criminal code to allow such exceptions or have any suggestions 
along those lines?
    Mr. Kerr. Mr. Gohmert, I think it is a great question and 
one that is very much debated in computer security circles 
because from what I hear, there is a lot of this sort of 
hacking back, as they refer to it. But at least under current 
law, it is mostly illegal to do that.
    There is a limited necessity defense that some courts have 
recognized to say basically if you are a victim of a crime, you 
have a certain amount of ability to act to try to stop that 
crime. But it is not really clear how the necessity defense, as 
it is recognized in current Federal law, would apply in those 
circumstances.
    I think the idea of saying there is some ability to 
counterhack back, however you want to describe it, is a sound 
one. The real difficulty is in the details of how do you do it. 
What circumstances do you allow somebody to counterhack how 
broadly, how broadly are they allowed to counterhack, how far 
can they go?
    The difficulty, I think, is once you open that door as a 
matter of law, it can be something that is difficult to cabin. 
So I think if there is such an exception, it should be a quite 
narrow one to avoid it from sort of becoming the exception that 
swallows the rule.
    Mr. Gohmert. Well, I am not sure that I would care if it 
destroyed a hacker's computer completely, as long as it was 
confined to that hacker. Are you saying we need to afford the 
hacker protection so that we do not hurt him too bad?
    Mr. Kerr. No. The difficulty is that you do not know who 
the hacker is, so it might be that you think the hacker is one 
person. Let us say you think you are being hacked from a French 
company or even a company in the United States.
    Mr. Gohmert. Oh, and it might be the United States 
government, and we do not want to hurt them if they are 
snooping on our people. I do not really understand why you are 
wanting to be protective of the hacker.
    Mr. Kerr. The difficulty is first identifying who is the 
hacker. You do not know when somebody is intruding into your 
network who is behind it. So all you will know is that there is 
an IP address that seems to back to a specific computer, but 
you will not know who it is that is behind the attack. That is 
the difficulty.
    Mr. Sensenbrenner. The time of the gentleman has expired.
    The gentleman from Louisiana, Mr. Richmond.
    Mr. Richmond. Thank you, Mr. Chairman. I guess my first 
question, maybe first two questions, will go to Mr. Holleyman.
    You talked about information sharing, you talked about 
security, and you talked about oversight over critical 
networks. And we had that bill last year in Homeland Security, 
which was the PRECISE Act, which when it came up, the 
interesting thing about it, it was a pretty decent bill at the 
time that shared bipartisan support. But when it came up for 
markup, it was gutted by the author, which was a strange thing, 
but that is because he could not get leadership to move on the 
issue and bring it up to a floor vote if that was that 
comprehensive.
    So I guess I am asking you your thoughts on the PRECISE 
Act, and was that going in the right direction.
    Mr. Holleyman. Thank you for that question. I know that in 
the last Congress there were a number of pieces of legislation 
that were considered, several of which were approved. We 
believe it is important for Congress to supplement what the 
President did in his executive order with not only oversight, 
but with additional legislation.
    I think the executive order has tried to do--yeah, I would 
need to look back at the elements of the PRECISE Act to be able 
to comment further. But I think the President's executive order 
has tried to address many of the elements that would have been 
outlined in the PRECISE Act. So whether or not that act would 
be needed at this point in time, I cannot comment on. I would 
be happy to look at that for the record.
    Mr. Richmond. If anyone else wanted to comment on it, that 
is fine.
    My next question would be, you mentioned one of the 
elements and one of the things we should be doing is continuing 
or creating a robust R&D for cybersecurity. And I guess my 
question would be, would that be in the term of maybe an R&D 
tax credit, or are you thinking of something like NIH and 
grants to people who want to do that type of research for 
cybersecurity?
    Mr. Holleyman. Well, I think there are really three 
elements of it. One is that we do not have enough students who 
are being trained as professionals to be able to work in 
cybersecurity for the future, and that is a problem for the 
private sector and for the government. So we need to have the 
right education and the right training. Secondly, I think we 
need the right cooperative agreements between private sector 
and government to allow that research to happen, including with 
university research. And certainly, finally there is research 
that goes on at the Federal Government about the level and the 
nature in evolving threats, and that research needs to be 
properly funded, and there needs to be proper oversight. So I 
think it takes all three of those.
    Mr. Richmond. And I guess I have a third question for you 
or Mr. Kerr. I think that Ms. Durkan and Mr. Demers will 
probably know the answer to it. But part of it is from your 
organization's standpoint and from your experience, the level 
of cooperation, and information sharing, and assistance that 
our security agencies provide now. And sometimes we get the 
benefit of hearings that are not public. But I am interested in 
knowing from your perspective the interaction between FBI, CIA, 
Department of Justice, and those in terms of helping either 
avert or on the back end, find the perpetrators. So how has 
that been with you all?
    Mr. Holleyman. Well, I will start by saying I think the 
nature of that is critical, and they are certainly very good 
relationships. What we need is to be able to share more real 
time threat information, not simply after the fact, but real 
time threat information. That is part of what the President has 
tried to do in his executive order and part of what we think 
Congress can supplement that would make it even easier and 
better for industry to share information with the government, 
too.
    Mr. Richmond. And I understand the barriers for industry. 
What is the biggest barrier, or if you want to do it 
comprehensively, what are the biggest barriers to doing it? Is 
it just permission and law for real time information sharing?
    Mr. Holleyman. Yeah, I think some of it is sort of the 
existing laws that private sector companies feel like they 
must, and appropriately, adhere to, which in some cases makes 
it difficult, if not impossible, to share real time threat 
information. So you can only do something about it after the 
fact. That is not in anyone's interest to do that, so we need 
the appropriate way to be able to share that with the Federal 
Government.
    Mr. Richmond. Mr. Chairman, for the sake of time, I yield 
back.
    Mr. Sensenbrenner. The time of the gentleman had expired. 
[Laughter.]
    The gentlewoman from California, Ms. Chu.
    Ms. Chu. Thank you, Mr. Chair.
    I wanted to ask about economic espionage and the stealing 
of intellectual property, of trade secrets, customer lists, 
future plans and contracts. And, Mr. Holleyman, I wanted to ask 
you, you said that Semantic estimated that it lost $110 billion 
through economic espionage and the stealing of IP through these 
means.
    What do you think is the overall cost to the corporations 
that you represent?
    Mr. Holleyman. Well, the Semantic number came from their 
Internet security threat report, and it really related to the 
total amount of losses. It was not sort of referring to their 
company losses. And so the figure of $110 billion of damages on 
consumers is what they cited.
    I think that all of the data shows, and certainly the 
information that is being very public and that the Chairman 
spoke of in his opening remarks, shows that the nature of the 
threat is increasing and it is increasing substantially. 
McAfee, one of our members, estimated that it used to be that a 
new piece of malware was identified and put into action about 
15 minutes, and now they estimate it is one per second.
    So the pace at which this is occurring is huge. The 
consequence of losses are growing. And this is exactly the kind 
of hearing this Committee and other Committees should be 
focused on because we are all in this together.
    Ms. Chu. And what is the private sector doing to minimize 
these intrusions and to protect intellectual property 
throughout all these layers?
    Mr. Holleyman. Well, I think the Attorney General, the IP 
enforcement coordinator, the Homeland Security Secretary, about 
three weeks ago had a major discussion about theft of trade 
secrets. And I know Members of this Committee were a part of 
that process.
    One, I think it is sort of building awareness. Two, it is 
building best practices. Three, is security companies. We are 
working to create faster, more effective ways of preventing 
these intrusions to share information about the threats when 
they occur. And it is a race. I mean, it is a race, and we are 
in the business of trying to help prepare us. But a lot of it 
is going to take education on the part of businesses, and 
consumers, and the Federal Government, who is the biggest 
source of attacks, against the Federal Government. The Federal 
has to be using the strongest security to try to limit those 
attacks.
    So, I mean, we are all in this together. Our companies want 
to do more things, particularly in small or medium enterprises 
and others, build in security procedures, so that if there are 
breaches of their information, and there will be from time to 
time, that that information is rendered useless so that the 
hacker or the perpetrator cannot do anything with it because it 
is has been secured through encryption or other means. And 
those additional incentives will be helpful to a long-term 
solution.
    Ms. Chu. I wanted to make sure law enforcement has the 
tools that it needs to prosecute these cases and investigate 
them. And Ms. Durkan and Mr. Boles, I want to know, Ms. Durkan, 
I note that the DoJ leads vigorous prosecutions in cyber theft 
and economic espionage. I am curious to know how frequently a 
case regarding intellectual property appears in your case load 
and if you feel like you have the appropriate tools, like 
training and funding, to effectively prosecute these cases.
    Ms. Durkan. Thank you. It is a very significant part of our 
district's work. We have some small mom and pop corporations, 
like Boeing, Amazon, Microsoft, and the like, where the 
proprietary information, as the Chairman said, is their most 
valuable commodity. So we consistently work with those 
corporations to make sure that we are getting the appropriate 
referrals.
    We have specially trained prosecutors. We will say we 
always take more resources because the threat is evolving, but 
we appreciate the resources this Committee has given to us.
    Ms. Chu. And, Mr. Boles, do you have the adequate training 
and funding to carry on your investigations?
    Mr. Boles. Like my partner, Ms. Durkan, said, we will 
always take more. It is important. It is a high tech and 
evolving thing.
    And just to give you a feel for it, we currently have about 
1,100 cases ongoing in the FBI that involve intellectual 
property theft, and it cuts across all of our programs whether 
it be cyber, counter intelligence, and in the traditional 
criminal. So it is a wide-ranging need that we have. And part 
of our drive is to make sure that all the investigators, and 
the analysts, and the support folks have the training that they 
need as we push that out and go forward in the computer world.
    But, you know, that is a need that we constantly reassess 
and try to address.
    Mr. Sensenbrenner. The gentlewoman's time has expired.
    The Chair will recognize himself for a couple of questions.
    Ms. Durkan, in response to Mr. Scott's question, you said 
in the Administration's proposal, there are no mandatory 
minimum sentences. My understanding is the bill the 
Administration sent us up in the last Congress had mandatory 
minimums. What made them change their mind?
    Ms. Durkan. We assess a variety of factors, and at this 
time we are not supporting that. But we would be happy to work 
with your staff to answer any further questions that the 
Chairman may have.
    Mr. Sensenbrenner. Well, what factors were those?
    Ms. Durkan. We will look at the number of factors we have 
to as to what our priorities are in addressing the statute. And 
right now we see that as the threat is evolving, what we really 
need are tools that can address some of the gaps we see in the 
law to make sure that we disrupt, deter crimes in the first 
instance and hold people accountable.
    Mr. Sensenbrenner. Well, you know, there are two separate 
things, you know. When we are talking about mandatory minimums, 
we are talking about after a conviction when the judge 
pronounces a sentence. There certainly is not a lot of effort 
and a lot of money that is required to go into that, 
particularly with a mandatory minimum giving the judge little 
or no discretion. I think you are trying to confuse apples with 
oranges and not get into the fact.
    Does the Administration oppose mandatory mininums as a 
matter of principle, or do they not think that the crimes that 
we are talking about here deserve a mandatory minimum?
    Ms. Durkan. I think what you are getting at, Chairman, is 
what is the appropriate sanction for these activities, and we 
agree that we must assess and make sure that these bad actors 
are held accountable under the law. It is one reason why we 
support increasing the statutory maximum in the fraud scenario 
to bring that on par because there are some cases where that is 
the only statute available, but yet a judge would not be able 
to assess the nature of the crime that occurred and assess the 
appropriate penalty.
    And so the Department of Justice is always going to look at 
the factors present in a case and make sure that we are 
recommending to a judge what the appropriate sanction is. And 
then, of course, the judge needs to have the discretion and the 
ability to make sure that that sanction can be imposed so that 
we both deter the crime in the first instance and hold the 
people when it occurs.
    Mr. Sensenbrenner. I think we are going to be talking about 
this issue a lot more as legislation is developed. I disagree 
with that conclusion.
    I do want to spend some time asking two questions of 
Professor Kerr.
    I am a little bit concerned, Professor Kerr, about your 
idea that there should be certain things that are currently 
criminal that should not be criminal anymore. And let me pose a 
hypothetical view. Say that there is a foreign agent that is 
employed by a U.S. tech company, and he was ordered to check to 
see that the company was not working on a certain project, 
using process of elimination to see who is working on that 
project. The spy exceeds the authorized access and determines 
that the company really is not working on the project.
    Now, in this example, nothing was taken or damaged, but 
should the Justice Department not have a tool to be able to do 
something about that, even though another crime was not 
committed?
    Mr. Kerr. In that situation, I would imagine there would be 
another crime committed. I am thinking in terms of attempt 
liability for attempted--I gather the goal was to ultimately 
determine confidential information relating to the company as 
to what the company was or was not doing. So it would be either 
an attempted theft of that information. I am not sure of the 
criminal statutes governing spying, for example.
    I think the key idea is that it is not a computer-related 
offense. It just so happens that that offense involves 
computer-related conduct. But it should be treated under the 
law just as it would be if the spy were going were going into a 
locked closet instead of locked computer. It does not make any 
difference as to whether it is a physical or a computer crime.
    So my approach would be just to resolve the circuit split 
by adopting the 9th Circuit standard, which is treating hacking 
like hacking and treating computer crime offenses like the 
physical world analysis.
    Mr. Sensenbrenner. Okay. Well, let me go into the trespass 
issue that you talked about. Now, it is obvious if somebody got 
into the mechanical room at Space Mountain at Disneyworld and 
then pulled the pin on that, and all of a sudden the cars, you 
know, stopped abruptly and nobody was injured. Maybe it was 
lucky. But, you know, how about cyber trespass that would have 
just as much damage, and that would be a violation of a term of 
service. And should that not be criminalized as well?
    Mr. Kerr. It should be criminalized, but not because of the 
terms of service violation. It could be criminalized under a 
number of different theories.
    First, it would be access without authorization because I 
am assuming that breaking into the computer that is controlling 
this machine would itself be password protected. It is not like 
anyone can walk up and pull something on the machine.
    Also it would be a Section 1030(a)(5) violation, which is 
intentionally causing damage to a protected computer without 
authorization, and that is a separate criminal statute that 
does not involve unauthorized access. It is sort of 
intentionally causing damage without authorization.
    So these are all situations that would already be 
criminalized without the need to go to the unauthorized access 
prohibition.
    Mr. Sensenbrenner. Okay. Well, my time is up.
    So I would like to thank all of the witnesses for appearing 
today, for being brief in the answers to your questions so that 
we Republicans can go listen to what the President has to say. 
And I understand you Democrats will have that pleasure sometime 
in the future, very soon.
    So without objection, this hearing is adjourned.
    [Whereupon, at 12:54 p.m., the Subcommittee was adjourned.]

                                 
