[Senate Hearing 113-891]
[From the U.S. Government Publishing Office]
S. Hrg. 113-891
TAKING DOWN BOTNETS: PUBLIC AND
PRIVATE EFFORTS TO DISRUPT AND
DISMANTLE CYBERCRIMINAL NETWORKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CRIME AND TERRORISM
of the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
JULY 15, 2014
__________
Serial No. J-113-70
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PUBLISHING OFFICE
28-403 PDF WASHINGTON : 2018
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
DIANNE FEINSTEIN, California          CHUCK GRASSLEY, Iowa, Ranking Member
CHUCK SCHUMER, New York
DICK DURBIN, Illinois                 ORRIN G. HATCH, Utah
SHELDON WHITEHOUSE, Rhode Island      JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota              LINDSEY GRAHAM, South Carolina
AL FRANKEN, Minnesota                 JOHN CORNYN, Texas
CHRISTOPHER A. COONS, Delaware        MICHAEL S. LEE, Utah
RICHARD BLUMENTHAL, Connecticut       TED CRUZ, Texas
MAZIE HIRONO, Hawaii                  JEFF FLAKE, Arizona
Kristine Lucius, Chief Counsel and Staff Director
Kolan Davis, Republican Chief Counsel and Staff Director
------
Subcommittee on Crime and Terrorism
SHELDON WHITEHOUSE, Rhode Island, Chairman
DIANNE FEINSTEIN, California          LINDSEY GRAHAM, South Carolina, Ranking Member
CHUCK SCHUMER, New York
DICK DURBIN, Illinois                 TED CRUZ, Texas
AMY KLOBUCHAR, Minnesota              JEFF SESSIONS, Alabama
                                      MICHAEL S. LEE, Utah
Ayo Griffin, Democratic Chief Counsel
David Glaccum, Republican Chief Counsel
C O N T E N T S
----------
JULY 15, 2014, 2:31 P.M.
STATEMENTS OF COMMITTEE MEMBERS
Graham, Hon. Lindsey O., a U.S. Senator from the State of South
Carolina
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode
Island
prepared statement
WITNESSES
Witness List
Boscovich, Richard, Assistant General Counsel, Digital
Crimes Unit, Microsoft Corporation, Redmond, Washington
prepared statement
Caldwell, Hon. Leslie R., Assistant Attorney General,
Criminal Division, U.S. Department of Justice, Washington, DC
prepared statement
Demarest, Joseph, Jr., Assistant Director, Cyber Division,
Federal Bureau of Investigation, Washington, DC
prepared statement
McGuire, Cheri F., Vice President, Global Government Affairs and
Cybersecurity Policy, Symantec Corporation, Mountain View,
California
prepared statement
Spiezle, Craig D., Executive Director and Founder, Online Trust
Alliance, Bellevue, Washington
prepared statement
Vixie, Paul, Ph.D., Chief Executive Officer, Farsight Security,
San Mateo, California
prepared statement
QUESTIONS
Questions submitted to Richard Boscovich by Senator Whitehouse
Questions submitted to Cheri F. McGuire by Senator Whitehouse
Questions submitted to Craig D. Spiezle by Senator Whitehouse
Questions submitted to Paul Vixie, Ph.D., by Senator Whitehouse
ANSWERS
[Note: At the time of printing, after several attempts to obtain
responses to the written questions, the Committee had not
received responses from Richard Boscovich.]
Responses of Cheri F. McGuire to questions submitted by Senator
Whitehouse
Responses of Craig D. Spiezle to questions submitted by Senator
Whitehouse
Responses of Paul Vixie, Ph.D., to questions submitted by Senator
Whitehouse
TAKING DOWN BOTNETS:
PUBLIC AND PRIVATE EFFORTS
TO DISRUPT AND DISMANTLE
CYBERCRIMINAL NETWORKS
----------
TUESDAY, JULY 15, 2014
United States Senate,
Subcommittee on Crime and Terrorism,
Committee on the Judiciary,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:31 p.m., in
room SD-226, Dirksen Senate Office Building, Hon. Sheldon
Whitehouse, Chairman of the Subcommittee, presiding.
Present: Senators Whitehouse, Coons, and Graham.
OPENING STATEMENT OF HON. SHELDON WHITEHOUSE,
A U.S. SENATOR FROM THE STATE OF RHODE ISLAND
Chairman Whitehouse. I will call this hearing of the
Judiciary Committee's Subcommittee on Crime and Terrorism to
order, and I thank everyone for being here. I have the
permission of my Ranking Member to get underway. He will be
joining us shortly, but allowing for opening statements and so
forth, I think it is probably the best way to do this, to
simply proceed and get underway.
Today's hearing is entitled, ``Taking Down Botnets: Public
and Private Efforts to Disrupt and Dismantle Cybercriminal
Networks.'' We are going to be hearing testimony about these
botnets and about the threat that they pose to our economy, to
our personal privacy, and to our national security.
A botnet is a simple thing. It is a network of computers
connected over the Internet that can be instructed to carry out
specific tasks. The problem with botnets is that typically the
owners of those computers do not know that they are carrying
out those tasks.
Botnets have existed in various forms for well over a
decade, and they are now recognized as a weapon of choice for
cyber criminals, and it is easy to see why. A botnet can
increase the computing resources at a hacker's disposal
exponentially, all while helping conceal the hacker's identity.
A cyber criminal with access to a large botnet can command a
virtual army of millions, most of whom have no idea that they
have been conscripted.
Botnets enable criminals to steal individuals' personal and
financial information, to plunder bank accounts, to commit
identity theft on a massive scale. For years, botnets have sent
most of the spam that we all receive. The largest botnets are
capable of sending billions of spam messages every day.
Botnets are also used to launch distributed denial-of-service--or
DDOS--attacks, which can shut down websites by
simply overwhelming them with incoming traffic. This is a
constant danger for businesses in every sector of our economy,
but we have seen this strategy used against everything from
businesses to sovereign nations.
The only limit to the malicious purposes for which botnets
can be used is the imagination of the criminal who controls
them. And when a hacker runs out of uses for a botnet, he can
simply sell it to another criminal organization to use for an
entirely new purpose. It presents a virtual infrastructure of
crime.
Let us be clear. The threat from botnets is not just a
threat to our wallets. Botnets are effective weapons not merely
for those who want to steal from us, but also for those who
wish to do us far more serious harm. Experts have long feared
that the next 9/11 may be a cyber attack. If that is the case,
it is likely that a botnet will be involved.
Simply put, botnets threaten the integrity of our computer
networks, our personal privacy, and our national security.
In recent years, the Government and the private sector have
launched aggressive enforcement actions to disrupt and to
disable individual botnets. The techniques used to go after
these botnets have been as varied as the botnets themselves.
Many of these enforcement actions used the court system to
obtain injunctions and restraining orders, utilizing innovative
legal theories, combining modern statutory claims under
statutes such as the Computer Fraud and Abuse Act with such
ancient common law claims as trespass to chattels.
In 2011, the Government obtained for the first time a court
order that allowed it to seize control of a botnet using a
substitute command and control server. As a result, the FBI
launched a successful takedown of the Coreflood botnet, freeing
90 percent of the computers Coreflood had infected in the
United States.
Microsoft, working with law enforcement, has obtained
several civil restraining orders to disrupt and in some cases
take down individual botnets, including the Citadel botnet,
which was responsible for stealing hundreds of millions of
dollars. And earlier this year, the Justice Department and the
FBI, working with the private sector and law enforcement
agencies around the world, obtained a restraining order
allowing them to take over the Gameover Zeus botnet. This
action was particularly challenging because the botnet relied
on a decentralized command structure that was designed to
thwart efforts to stop it.
Each of our witnesses today has played a role in efforts to
stop botnets. I look forward to learning more about these and
other enforcement actions and the lessons that we should take
away from them. We must recognize that enforcement actions are
just one part of the answer, so I am interested in hearing also
about how we can better inform computer users of the dangers of
botnets and what other hygiene steps we can take to address
this threat.
My hope is that this hearing starts a conversation among
those dealing day to day with the botnet threat and those of us
in Congress who are deeply concerned about that threat.
Congress, of course, cannot and should not dictate tactics for
fighting botnets. That must be driven by the expertise of those
on the front lines of the fight.
But Congress does have an important role to make sure that
there is a solid legal foundation for enforcement actions
against botnets and clear standards governing when they can
occur.
We must also ensure that botnet takedowns and other actions
are carried out in a way that protects consumers' privacy, all
while recognizing that botnets themselves represent one of the
greatest privacy threats that computer users face today. They
can actually hack into your computer and look at you through
your webcam. And we must make sure that our laws respond to a
threat that is constantly evolving and encourage rather than
stifle innovation to disrupt cyber criminal networks.
I look forward to starting this conversation today and to
continuing it in the months ahead. I thank my distinguished
Ranking Member for being such a terrific colleague on these
cyber issues. We hope that a good piece of botnet legislation
can emerge from our work together.
I thank you all for participating in this hearing and for
your efforts to protect Americans from this dangerous threat,
and before we hear from our witnesses, I will yield to my
distinguished Ranking Member, Senator Lindsey Graham.
OPENING STATEMENT OF HON. LINDSEY GRAHAM,
A U.S. SENATOR FROM THE STATE OF SOUTH CAROLINA
Senator Graham. Thank you, Mr. Chairman. I just want to
acknowledge your work on this issue and everything related to
cyber threats. There is no stronger, clearer voice in the
Senate than Sheldon Whitehouse in terms of the threats we face
on the criminal front and the terrorist front that come from
cyber misdeeds, and Congress is having a difficult time
organizing ourselves to combat both threats.
But to make sure that this is not an academic exercise, I
guess it was last year--or it might even have been a bit
longer, but the Department of Revenue in South Carolina was
hacked into by--we do not know all the details, but a criminal
enterprise that stole millions of Social Security numbers and
information regarding companies' charters, revenue, and that
has required the State of South Carolina to purchase
protection. I think it was a $35 million per year allocation to
protect those who had their Social Security numbers stolen, we
believe by a criminal enterprise. So it happened in South
Carolina. It can happen to any company, any business, any
organization in America, and our laws are not where they should
be, so the purpose of this hearing is to gather information and
hopefully come out and be a friend of law enforcement.
So, Senator Whitehouse, you deserve a lot of credit in my
view about leading the effort in the United States Senate, if
not the Congress as a whole, on this issue.
Thank you.
Chairman Whitehouse. I am delighted now to welcome our
administration witnesses. Before we do, his timing is perfect.
Senator Chris Coons has joined us and yields on making an
opening statement, so let us go ahead to the witnesses.
The first is Leslie Caldwell. She is the head of the
Criminal Division at the Department of Justice and was
confirmed on May 15, 2014. She oversees nearly 600 attorneys
who prosecute Federal criminal cases across the country. She
has dedicated most of her professional career to handling
Federal criminal cases, previously having served as the
Director of the Justice Department's Enron Task Force and as a
Federal AUSA in U.S. Attorneys' Offices in both New York and
California.
And after her testimony, we will hear from Joseph Demarest,
who is the Assistant Director for the FBI's Cyber Division. He
joined the FBI as a special agent in 1988 and has held several
leadership positions within the Bureau, serving as, for
instance, head and Assistant Director of the International
Operations Division and as the Assistant Director in charge of
the New York Division. He was appointed to his current position
in 2012, and I have to say that I have had the chance to work
very closely with Mr. Demarest, and I appreciate very much the
energy and determination that he has brought to this particular
arena of combat against the criminal networks of the world. And
I look forward to his testimony.
We begin with Assistant Attorney General Caldwell.
STATEMENT OF HON. LESLIE R. CALDWELL, ASSISTANT ATTORNEY
GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE,
WASHINGTON, DC
Ms. Caldwell. Thank you, Chairman Whitehouse, Ranking
Member Graham, and Senator Coons. Thank you for the opportunity
to discuss today the Justice Department's fight against
botnets, and I particularly want to thank the Chair for holding
this hearing and for his continued leadership on these
important issues.
The threat from botnets--defined in simple terms as
networks of hijacked computers surreptitiously infected with
malicious software, or malware, which are controlled by an
individual or an organized group for criminal purposes--has
increased dramatically over the past several years. Criminals
are using state-of-the-art techniques, seemingly drawn from
science fiction movies, to take control of thousands or even
hundreds of thousands of victim computers, or bots. They can
then command these bots to do various things, as Senator
Whitehouse indicated. They can flood an Internet site with junk
data. They can knock it offline by doing that. They can steal
banking credentials, credit card numbers, other personal
information, other financial information; send fraudulent spam
email; or even spy on unsuspecting computer users through their
webcams.
Botnet attacks are intended to undermine Americans' privacy
and security and to steal from unsuspecting victims. If left
unchecked, they will succeed in doing so. As cyber criminals
have become more sophisticated in recent years, the Department
of Justice, working through highly trained prosecutors at the
Computer Crime and Intellectual Property Section of the
Criminal Division, which I will call ``CCIPS,'' the National
Security Division of the Justice Department, U.S. Attorneys'
Offices across the country, and the FBI and other law
enforcement agencies, we have likewise adapted and advanced our
tactics to meet this threat.
As just one example, in May of this year, CCIPS, the U.S.
Attorney for the Western District of Pennsylvania, and the FBI,
in partnership with other Federal and private sector
organizations, disrupted the Gameover Zeus botnet and indicted
a key member of that group that operated that botnet. Until its
disruption, Gameover Zeus was widely regarded as the most
sophisticated criminal botnet in existence worldwide. From 2011
through 2014, Gameover Zeus infected between 500,000 and 1
million computers, and it caused more than $100 million in
financial loss.
Put simply, the botmaster stole personal information from
victim computers and with the click of a mouse, used that
stolen information to empty bank accounts and rob small
businesses, hospitals, and other victims by transferring funds
from the victims' accounts to the criminals' own accounts.
They also used Gameover Zeus to install CryptoLocker, which
is a type of malware known as ``ransomware.'' That was
installed on infected computers, and CryptoLocker enabled these
criminals to encrypt key files on the infected computers and to
charge victims a ransom for the release of their own files. In
the short period between its emergence and our action,
CryptoLocker infected more than 260,000 computers worldwide.
The Department's operation against Gameover Zeus began with
a complex international investigation conducted in close
partnership with the private sector. It continued through the
Department's use of a combination of a court-authorized
criminal and civil legal process to stop infected computers
from communicating with one another and with other servers
around the world. The investigation and operation ultimately
permitted the team not only to identify and charge one of the
leading perpetrators, but also to cripple the botnet and to
stop the ransomware from functioning.
Moreover, the FBI was able to identify victims and, working
with the Department of Homeland Security, foreign governments,
and private sector partners, was able to facilitate the removal
of malware from many victim computers. As we informed the court
last week, at present the Gameover Zeus botnet remains
inoperable and out of the criminals' hands. Gameover Zeus
infections are down 30 percent, and CryptoLocker remains
non-operational.
As the successful operation demonstrates, we are employing
investigative and remedial tools that Congress has given us to
protect our citizens and businesses. We have leveraged our
strengths by partnering with agencies all over the world and in
the private sector. If we want to remain effective in
protecting our citizens and businesses, however, our laws and
resources must keep pace with the increasingly sophisticated
tactics and growing numbers of our adversaries. Our adversaries
are always adapting. So must we.
In my written statement, I describe several legislative
proposals and resource increases that will assist the
Department in its efforts to counter this threat. These
proposals include an amendment to the Computer Fraud and Abuse
Act and several other proposals. We very much look forward to
working with the Committee to address these issues. We also
need additional resources at the Department to continue to
disrupt botnets, including hiring new attorneys, as indicated
in my statement.
Thank you again for the opportunity to discuss our work in
this area, and I look forward to answering any questions you
might have.
[The prepared statement of Ms. Caldwell appears as a
submission for the record.]
Chairman Whitehouse. Thank you, Assistant Attorney General
Caldwell.
And now, Mr. Demarest, Director Demarest.
STATEMENT OF JOSEPH DEMAREST, JR., ASSISTANT DIRECTOR, CYBER
DIVISION, FEDERAL BUREAU OF INVESTIGATION, WASHINGTON, DC
Mr. Demarest. Good afternoon, Chairman Whitehouse, Ranking
Member Senator Graham, and Senator Coons. Thank you for holding
this hearing, Chairman Whitehouse, and I look forward to
discussing the progress the FBI has made on campaigns to
disrupt and disable our significant botnets that you know that
we target.
Cyber criminal threats pose very real risks to the economic
security and private sector of the United States and its
citizens. The use of botnets is on the rise. Industry experts
estimate that botnet attacks have resulted in the overall loss
of millions of dollars from financial institutions and other
major businesses. They also affect universities, hospitals,
defense contractors, government, and even private citizens.
The ``weapons'' of a cyber criminal are tools, like
botnets, which are created with malicious software that is
readily available for purchase on the Internet. Criminals
distribute this malicious software, also known as ``malware,''
that can turn a computer into a bot. When this occurs, a
computer can perform automated tasks over the Internet, without
any direction from its rightful user. A network of these
infected computers is called a ``botnet,'' as you pointed out.
Botnets can be used for organized criminal activity, covert
intelligence collection, or even attacks on critical
infrastructure.
The impact of this global cyber threat has been
significant. According to industry estimates, botnets have
caused over $9 billion in losses to U.S. victims and over $110
billion in losses globally. Approximately 500 million computers
are infected each year, translating into 18 victims per second.
The FBI, with its law enforcement partners and private
sector partners, to include the panel of distinguished
presenters today from Microsoft, Symantec, and Farsight, has
had success in taking down a number of large botnets. But our
work is never done, and by combining the resources of
Government and the private sector, and with the support of the
public, we will continue to improve cybersecurity by
identifying and catching those who threaten it.
Due to the complicated nature of today's cyber threat, the
FBI has developed a strategy to systematically identify cyber
criminal enterprises and individuals involved in the
development, distribution, facilitation, and support of complex
criminal schemes impacting U.S. systems. The complete strategy
involves a holistic look at the entire cyber underground
ecosystem and all facilitators of a computer intrusion.
The FBI has initiated an aggressive approach to disrupt and
dismantle most significant botnets threatening the U.S. economy
and our national security. The initiative, coined ``Operation
Clean Slate,'' is spearheaded by the FBI, our National Cyber
Investigative Joint Task Force, along with a host of USG
partners to include DHS and the private sector. It is a
comprehensive, public-private effort engineered to eliminate
the most significant botnets jeopardizing U.S. interests by
targeting the bot infrastructure and at the same time the
coders or those who are responsible for creating them. This
initiative incorporates all facets of the USG, as I mentioned,
international partners, major ISPs, the U.S. financial sector,
and other private sector stakeholders like the many
cybersecurity services. Again, I would point out Dell Secure
Works being one of the main, and we talked about Gameover Zeus.
Operation Clean Slate has three objectives: to degrade or
disrupt the actor's ability to exfiltrate sensitive information
from victims; to increase the actor's cost of business; and to
seed uncertainty in the actor's cyber activity by causing
concern about potential or actual law enforcement action
against them.
Just a brief description about some of the successes of
late. In December 2012, the FBI disrupted an international
organized cybercrime ring related to Butterfly Botnet, which
stole computer users' credit card, bank account, and other
personally identifiable information. The Butterfly Botnet
compromised more than 11 million computer systems and resulted
in over $850 million in losses. The FBI, along with
international law enforcement partners, executed numerous
search warrants, conducted interviews, and arrested 10
individuals from Bosnia and Herzegovina, Croatia, Macedonia,
New Zealand, Peru, the United Kingdom, and the United States--
all of this not possible without DOJ, CCIPS in particular, and
local U.S. Attorneys' Offices.
In June 2013, again, the formal debut of Operation Clean
Slate, the team, in coordination with Microsoft and financial
service industry leaders, disrupted the Citadel Botnet that you
pointed out, which had facilitated unauthorized access to
computers of individuals and financial institutions to steal
online banking credentials, credit card information, and other
PII. Citadel was responsible for the loss of over a half
billion dollars. Over 1,000 Citadel domains were seized,
accounting for more than 11 million victim computers worldwide.
Building on that success of the disruption of Citadel, in
December 2013, the FBI and Europol, together with Microsoft
and, again, the Operation Clean Slate team and other industry
partners, disrupted the ZeroAccess botnet. ZeroAccess was
responsible for infecting more than 2 million computers,
specifically targeting search results on Google, Bing, and
Yahoo search engines, and is estimated to have cost online
advertisers $2.7 million each month.
Again, in April 2014, the Operation Clean Slate team
investigative efforts resulted in the indictments of nine
alleged members of a wide-ranging racketeering enterprise and
conspiracy that infected thousands of business computers with
malicious software known as ``Zeus'' or ``Jabba Zeus,'' which
is malware that captured passwords, account numbers, and other
information necessary to log into online banking accounts. The
conspirators allegedly used the information captured by Zeus to
steal millions of dollars from account-holding victims' bank
accounts.
Later, in June 2014, yet another operation by the Clean
Slate team announced a multinational effort to disrupt the
Gameover Zeus botnet, the most sophisticated botnet that the
FBI and its allies had ever attempted to disrupt. Gameover Zeus
is believed to be responsible for the theft of millions of
dollars from businesses and consumers in the U.S. and around
the world. This effort to disrupt it involved impressive
cooperation with the private sector--namely, Dell Secure
Works--and international law enforcement. Gameover Zeus is an
extremely sophisticated type of malware designed specifically
to steal banking and other credentials from the computers it
infects. In the case of Gameover Zeus, its primary purpose is
to capture banking credentials from infected computers, then
use those credentials to initiate or redirect wire transfers to
accounts overseas that are controlled by the criminals. Losses
attributable to Gameover Zeus are estimated to be more than
$100 million.
Much like the FBI's other investigative priorities and
programs, our focus is impacting the leaders of the criminal
enterprises and terrorist organizations we pursue. We are
focusing the same effort on the major cyber actors behind the
botnets. We remain focused on defending the United States
against these threats, and we welcome the opportunity like the
one today to discuss our efforts.
We are grateful for the Committee's support, and yours in
particular, Senator Whitehouse, and we look forward to working
closely with you as we continue to forge aggressive campaigns
against botnets.
[The prepared statement of Mr. Demarest appears as a
submission for the record.]
Chairman Whitehouse. Thank you very much.
Assistant Director Demarest, there have to be, what,
hundreds of thousands, millions of botnets out there?
Mr. Demarest. Yes.
Chairman Whitehouse. One could say, ``So many botnets, so
little time.'' So given that, what are your factors for
prioritizing which ones to go after through the Clean Slate
program or just generally?
Mr. Demarest. So by Operation Clean Slate, it was to forge
an alliance with the private sector and Government and then
prioritize the most egregious botnets that are out there in the
wild that we know about. So working with not only Government,
DHS being principal, and friends in the intelligence community,
but also I will say in the private sector, Microsoft being
chief, and looking across, you know, the world, and those
botnets that are seemingly causing the most damage, economic
damage or other means or potentially physical damage, and
prioritizing those and then developing a campaign about going
after not only the infrastructure but the actors behind that
botnet or those botnets.
Chairman Whitehouse. Assistant Attorney General Caldwell,
one of the--this pre-dates you, but I have had some concerns
based on my time in the Department of Justice as a U.S.
Attorney about the way in which the Department has responded to
the botnet threat. I think you are doing a good job, but there
is a cultural divide sometimes between the criminal prosecutors
and the civil attorneys for the Government.
These cases that take down the botnet tend to be civil
cases in nature, so I have worried a bit about the extent to
which it is instinctive on the part of criminal prosecutors to
think that that is a lesser task and a lesser pursuit than what
they are doing and whether that gets in the way of adequately
pursuing the civil remedies that shut these botnets down.
The second is that when the Coreflood takedown took place,
it appeared to me that that was kind of an ad hoc group of very
talented people who were brought together to address themselves
to Coreflood and to succeed at taking it down; but once the
operation was complete, they went back to their individual AUSA
slots in offices around the country, and the effort was
dispersed.
I think that the botnet problem is a continuing one. I
think as soon as you strip out, as Mr. Demarest said, some of
the worst offenders, others pop up into the next most wanted
botnet slot. And I am interested first in how you are making
sure that this is prioritized, despite the civil nature of the
legal proceeding that cures the botnet problem, that strips it
out of the system, and what you have done to try to establish a
permanent, lasting institutional presence for taking down
botnets without having to reassemble teams each time a botnet
rears its head as a target.
Ms. Caldwell. Thank you, Senator. I think that the Gameover
Zeus operation is the perfect example of how we see this going
forward. Although I would not dispute that there are some
criminal Assistant U.S. Attorneys who may think that the civil
Assistant U.S. Attorneys have a less exciting job, we do not
see it that way. The civil component, as you indicated, is a
very critical part of this, but there are different ways to
approach botnets. They are all different, as you indicated
earlier.
In Gameover Zeus, we used a combination of civil and
criminal authorities, and I think that is--again, it is not one
size fits all, but I think that is likely what we will continue
to see in the future. As you know, the leading perpetrator of
that particular botnet was actually indicted criminally, and
the civil injunctions were obtained at the same time. It was
very carefully coordinated. There was a lot of communication
between the civil prosecutors who were handling the injunction
paperwork and the criminal prosecutors who were--it was really
all one team. So I think the civil tool is a very important
tool, and we expect to continue to use it.
There are some holes in that tool. Right now we are
permitted to get a civil injunction against fraud and a civil
injunction against wiretapping. But as you indicated in your
opening remarks, botnets are not always engaged in fraud and
wiretapping. They are engaged in other things, too. So one
thing that we would like to see happen is an amendment to the
statute to permit injunctions in other circumstances in which
we see botnets operating.
Then on the issue of the institutional knowledge, the
Computer Crime and Intellectual Property Section is really the
receptacle--that is a bad word, but where all that knowledge is
based. The Computer Crime and Intellectual Property Section has
a headquarters component. It has field components. It has a lot
of institutional knowledge about botnets, so that if one
prosecutor leaves, the knowledge is not going to leave. We
coordinate regularly with the FBI, and there is a lot of
coordination. There is a lot of coordination with the Computer
Hacking Intellectual Property Network in the U.S. Attorneys'
Offices. And there really is an institutional base of knowledge
about botnets. So even----
Chairman Whitehouse. In a nutshell, you feel right now that
that task has been adequately institutionalized in the
Department, that there will be continuity and persistence
rather than ad hoc efforts?
Ms. Caldwell. Yes, and I think that although they were not
as prominent, there were at least a half-dozen other botnet
takedowns in the last couple of years between Coreflood and
Gameover Zeus. So there is definitely--it is definitely a
priority, and there is definitely a focus, and there is a lot
of knowledge among the CCIPS prosecutors and their counterparts
at the FBI about these botnets. And they will keep coming, and
we will keep attacking them.
Chairman Whitehouse. I will yield to my Ranking Member, but
my impression was that some of those were sort of sporadic and
ad hoc takedowns that appeared in individual U.S. Attorneys'
Offices and not necessarily consistent with a continuing,
lasting, persistent presence stripping down one botnet after
another. And I am glad that you have gotten to where you have
gotten, so thank you.
Senator Graham.
Senator Graham. Are you the Eliot Ness of botnets?
[Laughter.]
Senator Graham. Do we have an Eliot Ness of botnets?
Ms. Caldwell. I think he is the Eliot Ness of botnets.
Senator Graham. Okay. Well, no matter what kind of behavior
you are dealing with, you try to deter it, make people think,
``If I do this, I am going to get caught, and if I get caught,
bad things are going to happen.'' What do you think the
deterrence is like right now, Mr. Demarest?
Mr. Demarest. Well, I think it is significant now, and in
years past, maybe not as much so, where they did travel and
they felt they could take some actions with impunity. And we
are finding today, based on some of the actions, enforcement
actions that were successful, we are causing impact because we
actually see that in other collections, them talking amongst
each other, and concern about traveling now, which is a way of
containing some of the threats that we see in individuals
today.
Senator Graham. What nation states do we need to worry
about in terms of being involved in this activity?
Mr. Demarest. I would say the nation states of Eurasia,
principally. We have seen a lot of the criminal actors coming
from that area of the world.
Senator Graham. Okay. Are they reliable partners, the
governments?
Mr. Demarest. We are opening dialogue, I will say on that
front. I think you will find some of our Russian counterparts
in law enforcement are a bit more agreeable, but, you know, as
in any new relationship, I think especially in this space, we
are working toward improving them.
Senator Graham. If it is possible, maybe by the end of the
year could you provide the Committee with a list of countries
that you think have been good partners and the list of
countries you think have been resistant.
Mr. Demarest. Yes, easily done, based on our activities or
working with the countries we do work with.
Senator Graham. Well, once we identify them, maybe we can
change their behavior. There are all kinds of ways of getting
people's attention.
Was this a problem 5 years ago? How long ago has this been
a problem?
Mr. Demarest. This has existed for years, and probably we
are just now--you know, this is the tip of the iceberg. And I
think as we get more sophisticated internally in the U.S.
Government in seeing and being able to identify----
Senator Graham. What made us aware of it today more than,
say, 5 years ago? Just the consequences?
Mr. Demarest. I think the consequences, I think victim
reporting, I think major losses occurring to private industry.
Senator Graham. Is there any end to this? How far can these
people go?
Mr. Demarest. They will keep on going. As you can see, each
bot will evolve. We take actors off. Now they will change. We
see a complete evolution. But, again, we are actually placing--
at least there is a price to pay for actually engaging in this
activity now.
Senator Graham. Are terrorist organizations involved in
this?
Mr. Demarest. We track them very closely. I would say there
is an interest. But much further than that, Senator Graham,
probably in a different setting we could give you a further
briefing.
Senator Graham. Ms. Caldwell, on the civil-criminal aspect
of this, what are the couple things that you would like
Congress to do to enhance your ability to protect our Nation? I
am sure you have got this written down somewhere, but just for
the average person out there listening to this hearing, what
are the couple things you would like to see us do?
Ms. Caldwell. Well, one is the one that I already
mentioned, which is changing the civil injunction ability so
that we will have the capability to enjoin botnets other than
those that are engaged in fraud and wiretapping, because there
are, for example, distributed denial-of-service attacks. Right
now we cannot get an injunction against that. So we would like
to be able to do that.
Senator Graham. Do we need to increase penalties?
Ms. Caldwell. That is an interesting question, Senator, and
I think that we have been seeing increased penalties being
imposed by courts. So----
Senator Graham. I mean statutorily, Mr. Demarest, do we
need to change any statutes to make this bite more?
Mr. Demarest. I will defer to Ms. Caldwell, but--I will
defer to you.
Ms. Caldwell. Yes, I think that the maximum sentences under
most of the statutes are adequate. I do not think we need any
kind of mandatory minimums because we have been seeing judges
imposing sentences around the 7-, 8-, and 9-year range, which
is, I think, a very substantial sentence.
There are a couple other things that we would like to see.
Right now there is no law that explicitly covers the sale or
transfer of a botnet that is already in existence, and we have
seen evidence that a lot of folks sell botnets. They rent them
out, and we would like to see a law that addresses that.
One other thing which is a little bit off point but I think
is still relevant to botnets, is that right now there is no law
that prohibits the overseas sale of U.S. credit cards unless
there has been some action taken in the United States or unless
money is being transferred from overseas to the United States.
So we see credit card--situations where people have millions of
credit cards from U.S. financial institutions, but they never
set foot in the United States. That is currently not covered by
our existing law.
Senator Graham. So you could steal my credit card
information from overseas and basically be immune.
Ms. Caldwell. Correct, unless you transferred proceeds of
your scheme back to the United States.
Senator Graham. Okay. One last question here. When they
basically seize your computer, hijack your computer, the
information contained therein, they actually hold--I mean, they
make a ransom demand? How does that work?
Ms. Caldwell. Under CryptoLocker what happened--and I am
certainly not a technical expert, so jump in--you would be on
your computer, and you would see something flash up on your
screen that basically told you all your files were encrypted
and would remain encrypted until you paid a ransom. And you had
to pay the ransom within X hours, and if you did not pay, your
files would all be deleted.
Mr. Demarest. In a payment made through Bitcoin or
whatever. Whatever the established venue is, they expected
payment within a given amount of time, and if not, your box
would be encrypted.
Senator Graham. Do people pay?
Mr. Demarest. They do.
Senator Graham. What is the biggest payout you have seen?
Mr. Demarest. Well, of all CryptoLocker and then CryptoWall
now, and where there is a major concern, they have paid
probably in excess of $10,000. But they are focused more now on
major concerns, businesses, and entities as opposed to single
victims.
Senator Graham. Is that extortion under our law?
Ms. Caldwell. Yes.
Senator Graham. So you do not need to change that statute?
Ms. Caldwell. No. The problem is, though, as with a lot of
these cybercrimes, most of the people who are engaged in this
activity are overseas.
Senator Graham. Thank you.
Chairman Whitehouse. Let me recognize Senator Coons, who
has been very interested and dedicated to this topic and whose
home State is very energized on this topic because the Delaware
National Guard actually has a cyber wing that is very active,
and they are one of the best cyber National Guard detachments
in the country. I say ``one of the best'' because Rhode Island
has one, too.
Senator Coons.
Senator Coons. Thank you very much. Thank you, Chairman
Whitehouse, and thank you, Senator Graham. You have both been
great and engaged and effective leaders on this issue.
So to the point raised by the Chairman, given the
persistency of this threat, given its trajectory, its scope,
its scale, and the resources that you are having to deploy in
order to take down these botnets and in order to break up the
criminal gangs, is it acceptable, is it possible for us to deal
with this threat with a Federal law enforcement response alone?
Do we need a partnership from State and local law enforcement?
I assume the answer is yes. And how are we doing at delivering
an integrated capability, Federal, State, and local, first?
Second, what kind of capabilities do businesses and
individuals and the private sector and citizens have? And what
are we doing to help scale up that? Because the resiliency of
our country, our ability to respond to these threats, as we all
know, much as it is with natural disasters or with terrorism
threats, requires a sort of ``everybody engaged'' response that
engages our private sector, engages entrepreneurs, and engages
State and local as well as Federal law enforcement. So I would
be interested in your answer to that question.
Mr. Demarest. Sure. Thank you, Senator Coons. So on the
State and local question, we have cyber task forces throughout
each of our offices. There are 56 out there. Each office is
engaging at the local level to bring State and local
authorities aboard, whether investigator or net defenders from
the organizations they represent. It is very difficult because
of resources being somewhat constrained at the State and local
level and fully understanding and appreciating what the threat
is.
Operation Wellspring is an effort we kicked off, and what
that is, it is focused on Internet fraud, whether defrauding
the elderly, it is real estate fraud, and working with State
and local, having them either bring an officer or investigator
aboard, or an analyst. We work closely with them to foster
their skills or to develop their skill in this area working
cybercrime. It has worked well in some of the initial offices
in Salt Lake City, with the Utah Department of Public Safety,
and down in Dallas with some of the local departments, the
Dallas Police Department. We have got a long way to go in that
space and for them to fully appreciate what the threats are
today facing the public or the citizens they are responsible
for.
In the private sector, we have worked far and wide and
somewhat limited in force. We have now focused on those
priority sectors, if you will, that are most threatened. But we
have found time and time again the most threatened and the most
vulnerable are those small to medium-sized business owners
where they may have one single person that is responsible for
Internet security or cybersecurity, information assurance and
the like. So it is not--it is how do we target that band and
actually bring them aboard when we are still working through--
we actually had health care, representatives from the health
care industry in our headquarters working through what that
relationship would look like with health care, because we have
focused on, as you can imagine, finance, energy, the IT,
telecommunications and the like over the past 2 years, and now
how do we broaden that effort out?
Senator Coons. Implicitly, from your reference to health
care, I share your concern that as we have transitioned to
electronic medical records, we now have an online treasure
trove of data for cyber criminals to go after?
Ms. Caldwell.
Ms. Caldwell. Yes, I think any online database is
vulnerable. Some obviously have more security protections than
others. And as you indicated, Senator Coons, the health care
databases obviously have a lot of very sensitive personal
information. So we have seen, I know, in some of the botnets
that we have seen over the years, including, if I am not
mistaken, Gameover Zeus, some of the victims were hospitals. So
that is a very serious area of concern, which we are very
concerned about.
Senator Coons. Let me just ask one other question. As
Senator Whitehouse referenced, both of our States are blessed
to have network warfare squadrons of the National Guard. The
Air National Guard in Delaware has stood up and grown and
developed this National Guard capability which takes advantage
of the fact that we have a fairly sophisticated financial
services community. We have large data centers. We have a lot
of credit card processing, and as a result, there is a lot of
fairly capable and sophisticated online security and financial
services security professionals who can then also serve in a
law enforcement and national security, first responder context
through the National Guard.
What lessons do you think we could learn from that
partnership, that collaboration in our two home States? And how
could that lead us to a better scale-up of the needed Federal
work force to respond to and deal with these law enforcement
challenges?
Mr. Demarest. There is a treasure trove of skill in the
Guard and Reserve forces. We participated, actually hosted down
at the FBI Academy the Cyber Guard exercise in 2014. We brought
personnel in from around the field, at least 50 from our local
cyber task forces that corresponded with the local Guard units
that were in. Great capability there. Our Director, along with
the Deputy Director, had a meeting with the combatant command,
cyber command, OSD, and joint staff about how we better
correlate or collaborate in this space.
Tomorrow we actually have another meeting with the
combatant commanders at my level to actually put this in place
along with the Reserve and Guard units.
As you know, Admiral Rogers held a meeting at NSA recently
to talk through what that looks like in working with cyber
command, the Guard forces, and Reserve forces, and what skills
they bring, how that may assist the FBI in our operations, and
also training opportunities that we can leverage with one
another.
Senator Coons. Terrific. Thank you for your testimony. I
look forward to hearing more about the development of this
partnership.
I just want to thank you for your leadership in this area,
Senator Whitehouse.
Chairman Whitehouse. Well, I will let you two go. I am sure
we could ask you questions all afternoon. This is such a
fascinating and emerging area of criminal law enforcement. I
appreciate very, very much the work that you do, and I want you
to pass on to Attorney General Holder my congratulations for
the dedication that he has brought to this pursuit,
particularly as exemplified by the Gameover Zeus takedown and
by the indictment of the Chinese PLA officials. Those were both
very welcome steps, and I am looking forward to seeing more
criminal prosecution of foreign cyber hackers. I think the
opening gambit with the indictment of the Chinese PLA folks was
really terrific. So congratulations to you both. Thank you for
your good work, and we will release you and call the next panel
forward.
Chairman Whitehouse. All right. Thank you all so much for
being here. This is a really terrific private sector panel on
this issue, and I am grateful that you have all joined. I will
make the formal introductions right now of everyone, and then
we can just go right across with your statements.
Our first witness is going to be Richard Boscovich, who is
the assistant general counsel on Microsoft's Digital Crimes
Unit, a position where he developed the legal strategies used
in the takedowns and disruptions of several botnets, including
the Citadel, Zeus, and ZeroAccess botnets. He previously
served for over 17 years at the Department of Justice as an
Assistant U.S. Attorney in Florida's Southern District, where
he directed the district's Computer Hacking and Intellectual
Property Unit.
We will next hear from Cheri McGuire, the vice president of
global government affairs & cybersecurity policy at Symantec
Corporation, which is one of our leading cybersecurity
providers in this country. She is responsible for Symantec's
global public policy agenda and government engagement strategy,
including cybersecurity, data integrity, critical
infrastructure protection, and privacy. Before she joined
Symantec in 2010, she was director for critical infrastructure
and cybersecurity in Microsoft's Trustworthy Computing Group,
and before that she served in numerous positions at the
Department of Homeland Security, including as Acting Director
and Deputy Director of the National Cyber Security Division and
the US-CERT.
We will then hear from Dr. Paul Vixie, who is the chief
executive officer of Farsight Security, which is a commercial
Internet security company. He previously served as the chief
technology officer for AboveNet, an Internet service provider,
and as the founder and CEO of MAPS, the first anti-spam
company, and as the operator of the ``F'' DNS root name server.
Dr. Vixie is the author of several Internet standards related
to DNS and was the maintainer of BIND, a popular open-source
DNS software system, for 11 years. And he was recently inducted
into the Internet Hall of Fame.
Finally, we will hear from Craig Spiezle, who is the
executive director, founder, and president of the Online Trust
Alliance. The Online Trust Alliance encourages best practices
to help protect consumer trust, and he works to protect the
vitality and innovation of the Internet. Prior to founding the
Online Trust Alliance, he worked at Microsoft, again--the
fraternity--where he drove development of anti-spam,
anti-phishing, anti-malware, and privacy-enabling technologies. He
is on the board of the Identity Theft Council and was appointed
to the FCC's Communications Security, Reliability, and
Interoperability Council. He is also a member of InfraGard,
which is the partnership between the FBI and the private
sector.
So these are immensely knowledgeable and experienced
witnesses, and let me begin with Richard Boscovich. We are so
glad you are here. Thank you.
STATEMENT OF RICHARD BOSCOVICH, ASSISTANT GENERAL COUNSEL,
DIGITAL CRIMES UNIT, MICROSOFT CORPORATION, REDMOND, WASHINGTON
Mr. Boscovich. Chairman Whitehouse, Ranking Member Graham,
and Members of the Subcommittee, my name is Richard Domingues
Boscovich, and I am an assistant general counsel in Microsoft's
Digital Crimes Unit. Thank you for the opportunity to discuss
Microsoft's approach to fighting and detecting botnets. We also
thank you for your leadership in focusing attention to this
complicated and important topic.
Botnets are groups of computers remotely controlled by
hackers without their owners' knowledge or consent, enabling
criminals to steal information and identities, to disrupt the
operation of computer networks, and to distribute malicious
software and spam. I will describe for you how Microsoft, one,
works with partners to fight botnets; two, raises costs for
cyber criminals by disrupting their tools; and, three,
carefully designs these operations to protect consumers.
To understand the devastating impact of botnets, we can
look at how they affected one victim. Consider Eunice Power, a
chef in the United Kingdom, who turned on her laptop one day to
find a warning that she could not access her files unless she
paid a ransom to cyber criminals within 72 hours. When she
failed to meet the deadline, all of her photos, financial
account information, and other data were permanently deleted.
All this was caused by a botnet. She later told a reporter,
``[i]f someone had robbed my house it would have been easier.''
Indeed, botnets conduct the digital equivalent of home
invasions, but on a massive scale. Botnet operators quietly
hijack webcams to spy on people in their own homes and later
sell explicit photographs of the unsuspecting victims on the
black market. They use malicious software to log every
keystroke that users enter on their computers--including credit
card numbers, Social Security numbers, work documents, and
personal emails. They send deceptive messages designed to
appear as though they were sent by banks that convince people
to disclose their financial account information.
Now, Microsoft has long partnered with other companies and
global law enforcement agencies to battle malicious cyber
criminals such as those who operate botnets. We do not and
cannot fight botnets alone. As the title of this hearing
suggests, fighting botnets requires efforts from both the
private and the public sector. We routinely work with other
companies and domestic and international law enforcement
agencies to dismantle botnets that have caused billions of
dollars in worldwide economic damage. I joined efforts to
demonstrate that public-private partnerships are highly
effective at combating cybercrime. In reality, problems as
complex as botnets cannot be addressed without partnerships.
Microsoft's philosophy to fighting botnets is simple: We
aim for their wallets. Cyber criminals operate botnets to make
money. We disrupt botnets by undermining cyber criminals'
ability to profit from their malicious attacks.
Microsoft draws on our deep technical and legal expertise
to develop carefully planned and executed operations that
disrupt botnets pursuant to court-approved procedures. In
general terms, Microsoft asks a court for permission to sever
the command-and-control structures of the most destructive
botnets. This breaks the connection between the botnets and the
infected computers they control. Traffic generated by infected
computers is either disabled or routed to domains controlled by
Microsoft where the IP addresses of the victims can be
identified.
Now, privacy is a fundamental value in Microsoft's
anti-botnet actions. When we execute an operation, we are required
to work within the bounds of the court order. We never have
access to email or other content of victim communications from
infected computers. Instead, Microsoft receives the IP address
used by the infected computers to identify the victims. We give
domestic IP addresses to Internet service providers in the
United States so they can alert their customers directly. We
give the rest to the Computer Emergency Response Teams,
commonly referred to as ``CERTs,'' in countries where those
victims are located. The owners are then notified of the
infections and offered assistance in cleaning their computers.
In summary, through the course of anti-botnet operations,
Microsoft has worked with partners to protect millions of
people and their computers against malicious cyber criminals.
This has led to the disruption and shutdown of some of the most
menacing threats to public trust and security on the Internet.
Cyber criminals continue to evolve their tactics. They keep
developing more sophisticated tools to profit from the online
chaos that they themselves create. We remain firmly committed
to working with other companies and law enforcement to disrupt
botnets and make the Internet a more trusted and secure
environment for everyone.
Thank you for your time, Senator, and I am happy to answer
any questions you may have.
[The prepared statement of Mr. Boscovich appears as a
submission for the record.]
Chairman Whitehouse. Ms. McGuire.
STATEMENT OF CHERI F. McGUIRE, VICE PRESIDENT, GLOBAL
GOVERNMENT AFFAIRS AND CYBERSECURITY POLICY, SYMANTEC
CORPORATION, MOUNTAIN VIEW, CALIFORNIA
Ms. McGuire. Chairman Whitehouse, thank you for the
opportunity to testify today. I am especially pleased to be
here with you again to focus attention on botnets and
cybercrime and how industry and Government are working together
to address these serious issues.
As the largest security software company in the world,
Symantec protects much of the world's information, but botnets
today are the foundation of the cyber criminal ecosystem. And
as was discussed earlier, the uses for malicious botnets are
only limited by the imagination of the criminal botmasters.
These can range, as you mentioned, from distributed
denial-of-service attacks to Bitcoin mining to distribution of malware
and spam. Botmasters also rent out their botnets as well as use
them for stealing passwords, credit card data, intellectual
property, or other confidential information, which is then sold
to other criminals.
Until now, virtually all botnets have been networks of
infected laptop and desktop computers. However, in the past few
years we have seen botnets made up of mobile devices, and we
fully expect that the coming ``Internet of Things'' will bring
with it a future of ``thingbots,'' ranging from appliances to
home routers to video recorders--and who knows what else.
Taking down a botnet is technically complex and requires a
high level of expertise. But despite these obstacles, law
enforcement and the private sector working together have made
significant progress in the past several years.
Symantec's work to bring down the ZeroAccess botnet, one of
the largest botnets in history at 1.9 million infected devices,
is a good example of how coordination can yield results.
ZeroAccess was designed for click fraud and Bitcoin mining,
with an estimated economic impact of tens of millions of
dollars lost per year. And the electricity alone to run that
botnet cost as much as $560,000 per day.
One year ago today, Symantec began to sinkhole ZeroAccess
infections, which quickly resulted in the detachment of more
than half a million bots. This meant that these bots could no
longer receive any commands and were effectively unavailable to
the botmaster for updating or installing new revenue generation
malware.
Another significant win came last month with the major
operation against the financial fraud botnet Gameover Zeus, as
several witnesses have testified to. As part of this effort,
Symantec worked in a broader coalition to provide technical
insights into the operation and impacts of this botnet. As a
result, authorities were able to seize a large portion of the
criminals' infrastructure.
In our view, the approach used in the Gameover Zeus
operation was the most successful to date and should serve as a
model for the future. A group of more than 30 international
organizations from law enforcement, the security industry,
academia, researchers, and ISPs all cooperated to collectively
disrupt this botnet. This successful model of public and
private cooperation should be repeated in the future.
While ZeroAccess and Gameover Zeus were successes for law
enforcement and industry, there are undoubtedly more criminal
rings operating today. Unfortunately, there are just not enough
resources. As you said, so many botnets, so little time. As
criminals migrate online, law enforcement needs more skilled
personnel dedicated to fighting cybercrime.
At Symantec, we take numerous steps to assist victims of
botnets and cybercrime and to aid law enforcement around the
world. In the interest of time, I will mention only
victimvoice.org, a new online assistance program that we
unveiled in April with the National White Collar Crime Center.
This site helps cybercrime victims file complaints and
understand the investigation process. And in particular, I
would like to thank you again, Senator Whitehouse, for your
support and participation in that launch. It has already helped
many victims of cybercrime.
To combat botnets and cybercrime, cooperation is key. In
the private sector, we need to know that we can work with
Government and industry partners to disrupt botnets without
undue legal barriers. To be clear, I am not talking about a
blank check. But consistent with privacy protections and legal
parameters, we need to be able to share cyber threat
information and coordinate our efforts quickly.
Information-sharing legislation will go a long way to do
this. But it also must address the considerable privacy
concerns and must include a civilian agency lead and data
minimization requirements for both the Government and industry.
Last, the laws governing cybercrime should be modernized.
In the U.S., we need to amend laws such as the Electronic
Communications Privacy Act, the CFAA, and others that were
written before our modern Internet and e-commerce was
envisioned.
In addition, Mutual Legal Assistance Treaties and their
process that allows governments to cooperate take far too long
to address the real-time nature of international cybercrime and
should be streamlined.
As this Subcommittee knows so well, we still face
significant challenges in our efforts to take down botnets and
dismantle cybercrime networks. But while there remains much
work to be done, we have made progress.
At Symantec, we are committed to improving online security
across the globe, and we will continue to work collaboratively
with our customers, industry, and governments on ways to do so.
Thank you again for the opportunity to testify today, and I
will be happy to answer any questions you may have.
[The prepared statement of Ms. McGuire appears as a
submission for the record.]
Chairman Whitehouse. Thank you, Ms. McGuire, and thank you
for Symantec's leadership in this area.
I am going to briefly recess the hearing and then return.
We have a vote on the Senate floor that started 15 minutes ago,
and I have 15 minutes to get there and vote, so I have zero
time. But with any luck, that means I can get over there, vote,
vote on the next vote, and then come right back. And then we
will be able to proceed in uninterrupted fashion. So please
just relax in place. It probably is going to be 5 to 10
minutes, and we will resume. Thank you.
[Whereupon, at 3:28 p.m., the Subcommittee was recessed.]
[Whereupon, at 3:45 p.m., the Subcommittee reconvened.]
Chairman Whitehouse. All right. The hearing will come back
to order. I appreciate everybody's courtesy while I got those
two votes done.
And now, Dr. Vixie, we welcome your testimony. We welcome
you here. Please proceed.
STATEMENT OF PAUL VIXIE, Ph.D., CHIEF EXECUTIVE OFFICER,
FARSIGHT SECURITY, SAN MATEO, CALIFORNIA
Mr. Vixie. Thank you, Mr. Chairman. Thank you for inviting
me to testify on the subject of botnets. I am speaking today in
my personal capacity based on a long history of building and
securing Internet infrastructure, including domain name system
infrastructure. I am also here at the behest of the Messaging,
Malware and Mobile Anti-Abuse Working Group (M3AAWG), a
nonprofit Internet security association whose international
membership is actively working to improve the Internet security
condition worldwide.
Let me start by reviewing some successful botnet takedowns
in recent years, since they may prove instructive. They are
successes, after all.
In 2008 the Conficker worm was discovered, and by mid-2009
there were over 10 million infected computers participating in
this botnet. That was the largest to that time. I had a
hands-on-keyboard role in operating the data collection and
measurement infrastructure for the takedown team, in which
competing commercial security companies and Internet service
providers--most of which were members of M3AAWG--cooperated
with each other and with the academic research and law
enforcement communities to mitigate this global threat.
Then in 2011, the U.S. Department of Justice led
``Operation Ghost Click'' in which a criminal gang
headquartered in Estonia was arrested and charged with wire
fraud, computer intrusion, and conspiracy. The DNS Changer
botnet included at that time at least 600,000 infected
computers, and the mitigation task was made complicated by the
need to keep all of these victims online while shutting off the
criminal infrastructure the victims depended on. My employer
was the court-appointed receiver for the criminal's Internet
connectivity and resources, and I personally prepared,
installed, and operated the replacement DNS servers necessary
for that takedown.
In each of these examples we see an ad hoc public-private
partnership in which trust was established and sensitive
information, including strategic planning, was shared without
any contractual framework. These takedowns were so-called
handshake deals where personal credibility, not corporate or
government heft, was the glue that held it together and made it
work. And in each case the trust relationships we had formed as
members of M3AAWG were key enablers for rapid and coherent
reaction.
Each of these takedowns is also an example of modern
multilateralism in which intent, competence, and merit were the
guiding lights. The importance of multilateralism cannot be
overemphasized. We have found that when a single company or a
single agency or nation goes it alone in a takedown action, the
result has usually been catastrophe, because the Internet is
richly interdependent and many of the rules governing its
operation are unwritten.
Now, the ad hoc nature of these public-private partnerships
may seem like cause for concern, but I hope you will consider
the following:
First, this is how the Internet was built and how the
Internet works.
Second, this is how criminals work with other criminals. We
would not get far by trying to solve these fast-evolving global
problems with top-down control or through Government directives
and rules.
Let me explain what makes botnets possible. As you yourself
pointed out in your opening remarks, a botnet is literally a
network of robots, where by ``robot'' we mean a computer that
has been captured and made to run software neither provided by
the computer's maker nor authorized or installed by its owner.
Every Internet-connected device has some very complex software
including an operating system, installed applications, and so
forth. The only hard and fast requirement for any of this
software is interoperability, meaning it merely has to work.
Now, the cost of the Internet's spectacular growth is that
much of the software we run was not adequately tested. The
challenge for the Internet is that today there is perhaps more
assurance that a UL-listed toaster oven will not burn down our
house than there is that some of our vastly more expensive and
powerful Internet-connected devices are insulated from becoming
a tool of online criminals. These are consumer devices in a
competitive and fast-moving market, so time to market is often
the difference between success and bankruptcy.
This is a very brief overview, and I would like to leave
you with the following thoughts:
Number one, the Internet is the greatest invention in
recorded history, in my opinion, in terms of its positive
impact on human health, education, freedom, and on every
national economy.
Number two, the Internet is also the greatest invention in
recorded history in terms of its negative impact on human
privacy and freedom, as evidenced by the massive and continuing
intrusions that have been described here today.
Number three, our democratic commitment to the rule of law
has very little traction on the Internet compared to how it
works in the real world. The Internet is borderless, and yet it
carries more of the world's commerce every year.
Number four, takedown of criminal infrastructure, including
botnets, must be approached not just as reactions after the
fact but also as prevention by attacking underlying causes.
Number five, the U.S. Department of Justice is the envy of
the world in its approach to takedown and its awareness of the
technical and social subtleties involved, and I want to give a
special nod to NCFTA, a public-private partnership with strong
FBI ties, located in Pittsburgh.
Number six, and finally, no legislative or regulatory
relief is sought in these remarks. The manner in which
Government and industry have coordinated and cooperated on
botnet takedown efforts has underscored the effectiveness of
public-private partnerships as currently practiced in this
field.
Mr. Chairman, this concludes my oral statement. Thank you
for this opportunity to speak before you, and I would be happy
to answer your questions.
[The prepared statement of Mr. Vixie appears as a
submission for the record.]
Chairman Whitehouse. Thank you very much.
Finally, Mr. Spiezle. But before I let you begin your
statement, my apologies for the mispronunciation earlier. And
let me also say that, without objection, everybody's complete
statements will be made a part of the record, and I appreciate
the abbreviated version that allows the testimony to proceed
expeditiously at the hearing.
STATEMENT OF CRAIG D. SPIEZLE, EXECUTIVE DIRECTOR AND FOUNDER,
ONLINE TRUST ALLIANCE, BELLEVUE, WASHINGTON
Mr. Spiezle. Thank you very much. Chairman Whitehouse,
Ranking Member Graham, and Members of the Committee, thank you
for the opportunity to testify before you today. I also would
like to thank you for your leadership in focusing attention to
this important topic which is impacting users and businesses
throughout this country.
My name is Craig Spiezle, and I am the executive director
and president of the Online Trust Alliance. OTA is a global
nonprofit, with the mission to enhance online trust and empower
users, while promoting innovation and the vitality of the
Internet.
Botnets pose a significant risk to businesses and
governments, and one of my specific concerns is the impact to
small and medium businesses that are often defenseless.
Increasingly bots are deploying loggers, malvertising, and
ransomware driving identity theft and bank account take-overs
and holding users and their data hostage.
It is important to recognize that fighting bots is not a
domestic issue. Criminals are leveraging the jurisdictional
limitations of law enforcement and often operate with impunity.
Left unabated, they are a significant threat to our Nation's
critical infrastructure and to our economy.
In my brief testimony, I will touch on five key areas:
status of industry efforts, a holistic anti-bot strategy, the
role and issues of takedowns, the role of data sharing, and the
importance of privacy safeguards.
I should note efforts to combat botnets have been embraced
by a range of public and private efforts. An example is the
FCC's Communications Security, Reliability and Interoperability
Council (CSRIC), which last year developed a voluntary
Anti-Botnet Code of Conduct for ISPs. This is a first step and
example of the industry's ability to self-regulate.
In parallel, the OTA has facilitated several
multi-stakeholder efforts, bringing in leaders throughout the world.
We have published specific remediation and notification best
practices and anti-bot guidelines for hosters and cloud service
providers. The initial adoption of these practices is now
paying dividends helping to protect users' data and their
privacy.
Fighting botnets requires a global strategy. As outlined
here in Exhibit A, OTA advocates a six-pronged (1) framework,
(2) prevention, (3) detection, (4) notification, (5)
remediation, and (6) recovery. Within each one of these, we
have outlined a partial list of tactics, which underscores the
increased need for collaboration, research, and data sharing
between both the public and private sectors.
In the bottom of this slide, it points out the role of
consumers and education. We need to help them update their
device and look to how we can help educate them on the risks of
botnets.
As outlined, law enforcement is an important part here as
well, and it serves three major functions: disrupting cyber
criminals, gathering intelligence, and bringing criminals to
justice.
But law enforcement cannot act on this alone. A trusted
partnership is required, and progress has been made with
industry leaders, including Microsoft, Symantec, and others.
But takedowns need to be taken with respect to three major
considerations: one, the risk of collateral damage; two, the
errors in identifying targets for mitigation; and, three, the
importance of respecting users' privacy. For example, when
taking down a web hoster because they have a handful of bad
customers, there is a risk of collateral damage. At the same
time, service providers cannot hide behind bad actors, and they
must take steps to prevent the harboring of such criminals.
It is also important to note that all anti-abuse and
security tactics all run similar risks. The anti-spam community
often blocks legitimate senders. Web browsers can misidentify
phishing sites and AV solutions can mistakenly block downloads.
Recognizing these possibilities, risk assessment procedures
must be pre-established with processes in place to remediate
any unintended impact.
Data sharing has the promise of being one of the most
impactful tools in our arsenal, yet it must be reciprocal.
Collaboration is required in all sectors, including retail,
financial services, and advertising. In this void, criminals
move from one industry to another, sending malicious spam one
day and perpetrating click fraud and malvertising the next.
The privacy landscape is also rapidly evolving, creating
perceived obstacles to data sharing. Privacy needs to be at the
foundation of all fraud prevention and data-sharing practices.
I believe these can be easily addressed. When data is used and
collected for threat detection, entities should be afforded a
``safe harbor.'' Conversely, industry needs assurances that law
enforcement will not use any data for any other purposes.
As Exhibit A outlines, every stakeholder has a
responsibility. Progress has been made, but a renewed
commitment needs to be required by all stakeholders. As the
Internet of Things, mobile, the smart grid, and wearable
technologies become prevalent, we need to look beyond the
desktop.
In summary, it is important to recognize that there is no
absolute defense. Both the public and private sectors need to
increase investments in data sharing and adopt
privacy-enhancing practices while finding new approaches to work with
law enforcement and expand international cooperation. Working
together we can make the Internet more trustworthy, secure, and
resilient.
Thank you, and I look forward to your questions.
[The prepared statement of Mr. Spiezle appears as a
submission for the record.]
Chairman Whitehouse. Thank you very much, Mr. Spiezle, and
thank you all.
Let me start with a question that I will ask each of you
for the record, which means if you could provide a written
response, and that is that, as you have heard, Senator Graham
and I are working on legislation in this area. As you heard
from the first panel, the Department of Justice and the Federal
Bureau of Investigation have a number of suggestions. I would
like to ask you to provide your comments, if any, to the
suggestions that have been made so far and add any suggestions
that you may have of your own for this legislation so that we
can build a good legislative record to support our proposal
going forward.
[The information referred to appears as a submission for
the record.]
Chairman Whitehouse. I am also interested in your thoughts.
As a lay person, it strikes me that botnets are becoming more
dangerous, that their capabilities are growing. My first
exposure to botnets was when they were spam propagators, and
then they became distributed denial-of-service vectors to swamp
individual websites. But now they seem--so many additional
capabilities have been listed in this hearing, right up to and
including having people spy on you through your webcam on your
computer while you are going about your business and tracking
your keystrokes individually so that they can know your
passwords and have access to your accounts.
Is my lay reading that botnets are becoming more dangerous
or the criminals behind them are learning more dangerous
capabilities a correct one? And what do you think the rate is
of that change, if I am correct? Let me start with Mr.
Boscovich.
Mr. Boscovich. Yes, Senator, I think the observation is
correct. I think that we are seeing an ever-changing
sophistication on the part of cyber criminals.
I would like to point out one particular case which really
demonstrates how creative cyber criminals are, and in this
particular case, which was the Bamital case, if my memory
serves me correctly, one of our industry partners was Symantec
on that case. It was a case in which the botherders had actually
developed code which actually took a step backward. And one of
the reasons why they did that is because technical
countermeasures that had been put in place by Bing, Google, and
other companies to detect click fraud relied upon a certain
type of algorithm. The criminals understood that, and they had
to reintroduce a human element into their code. In essence,
what they did is that they have changed their code, and they
took one step back to take two steps forward in such a way that
now the user would actually be using his mouse or her mouse,
and while he or she thought he was actually clicking or looking
for something, the reality was that they were, in fact,
clicking on ads that the user was not even seeing, was
appearing behind the screen that they were looking at,
introducing a certain variation that was consistent with human
behavior.
So the observation that criminals are, in fact, always
learning, always changing, is an accurate one, and I think this
example really underscores how sophisticated these cyber
criminals are.
Chairman Whitehouse. And in both dimensions. I mean, in
terms of if you view a botnet as an infrastructure for criminal
activity, it is one that has to be maintained and groomed, and
they are getting more sophisticated at that. They are also
getting more sophisticated at the type of criminal payload, if
you will, that they deliver through that botnet as well. Is
that correct, Ms. McGuire?
Ms. McGuire. That is correct. I think your summary is quite
accurate, that these have begun to progress and become much
more sophisticated over the last 5 years. For example, the type
of technology or infrastructure that they are using now, moving
from central command and control, simple command and control
servers to peer-to-peer networks, which are much more difficult
to take down because of their complexity, is the type of
morphing that we are seeing by the cyber criminals to use all
avenues at their availability.
Chairman Whitehouse. Dr. Vixie, you mentioned that in the
face of this threat, prevention was something that we should be
looking at, and you used the phrase in your testimony
``underlying causes,'' that we should be prepared to address
the underlying causes that allow this to occur even before the
harm of a particular botnet is made manifest.
What did you mean by ``underlying causes''? And what would
you recommend, if anything, that we do to get ahead of this
more by going after those underlying causes, as you have
defined them?
Mr. Vixie. I think that the reason that botnets have gotten
stronger is because our computers have gotten stronger, better
CPUs, more memory, more storage, et cetera. Our network has
also gotten stronger, so it is possible to get a lot more work
done with each computer you steal now compared to 5 years ago
or 5 years before that.
If we wanted to start kicking the dependencies under
botnets, we would need to somehow address the lack of testing.
I mentioned in my written remarks that this last week there was
an Internet of Things, I think it was a wireless light bulb
that has a terrible security flaw in it, and I understand how
that can happen. I have tried to get things--software products
out the door myself, and it is difficult to say let us hold it
back for another couple of weeks while we try to attack it
every which way. Really what you want to do is get it out there
and put it in customers' hands and so forth.
That is not going to work. We have got to find a way to
test this software the way the bad guys do. We have to do the
so-called Red Team test where you try to break in, and if you
can, you get some sort of internal prize. We have got to find a
way to encourage that.
Chairman Whitehouse. So when electricity was the new
technology and people were trying to get stuff out the door
that caught fire if you left it on too long, as you pointed
out, with respect to the toaster, Underwriters Laboratories was
established to make sure that appliances met basic standards,
and as a result, toaster fires and things like that have not
been a very prominent concern for Americans for quite some
time.
Do you think that an equivalent to an Underwriters
Laboratories is possible on the Internet? And how would you see
it as being overseen?
Mr. Vixie. I do not think a direct equivalent is possible.
When you are doing this kind of testing, you are looking for
combinations and permutations of sort of how you set the knobs,
what you put in the toaster, other conditions. And, you know,
every one of those conditions is a state variable, and the
problem is that my laptop has more complexity of that kind than
all the computers on the planet had 30 years ago. And so coming
up with a direct analog of the way UL tests our electric
devices I think is misleading. I think standards in software
development, standards in testing, possibly getting away from
some of the older programming languages that almost encourage
the type of defects that we see in our monthly updates are
going to be better approaches. But I do want to say----
Chairman Whitehouse. How would those approaches be
administered?
Mr. Vixie. Excuse me?
Chairman Whitehouse. How would those proposals be best
administered? Through the Government? Through the Internet
governance system? Through a rating that you can advertise you
have on your product if you have been through it voluntarily?
Mr. Vixie. In that sense, the Underwriters Laboratories
system is perfect because it is voluntary. If you want to sell
a device that is not listed, then that is up to you. And if
people would not buy as many--if fewer people want to buy it
because it does not have that stamp, that is up to them. So I
think there is room for someone to step into that role, but it
is not a Government role.
Chairman Whitehouse. Got you. And, Mr. Spiezle, you said
that you felt that there were steps that consumers,
individuals, could take to better acquaint themselves with this
threat and to better protect themselves from this threat. What
would your recommendations be? This seems like such a giant and
complex and very high tech type of crime, and if you are an
innocent user of your own computer going about your own
business and doing what you are good at, which may not be
anything to do with computers, how can you--what sensible steps
should people be thinking about who are not computer whizzes to
defend themselves and their computers?
Mr. Spiezle. Let me clarify. My point is that we all have a
shared responsibility, not unlike driving a car. We have a
responsibility of driving safely. We need to make sure our car
is maintained and we have new tires on it. That was the point
there.
I think realistically, though, education has a limited
effect here. These attacks are--social engineering exploits are
very hard to identify. They are drive-by, so just by their very
nature of going to a trusted website that someone types in a
URL, there can be malicious ads served on them. So it is a
shared responsibility, but I do not put the faith that
education is going to be the solution, but it should be one
part.
I do want to address one point in your original question
about the sophistication. Clearly, in the technical aspect,
botmasters are more and more sophisticated. They are leveraging
big data, data mining capability and analytics. So that adds to
the profitability. Their ability to use that data, append data
from other sources, and then trade in the underground economy
makes it very profitable. They have become very nimble, become
good marketers in a sense, and they are learning from business.
So those are some of the challenges we must address.
Chairman Whitehouse. Two final questions. The first is that
many of the perpetrators in this area are foreigners, and we
are obviously going to work with the Department of Justice and
the Federal Bureau of Investigation to make sure that they have
the capabilities that they need to be as strong as they can be
in terms of pursuing foreign criminals. But none of you are
involved as law enforcement officials. You are involved
representing private companies and organizations, and in that
sense, when you bring a civil action to close down a botnet,
you may have civil remedies against individuals overseas that
are different than what a prosecutor would be looking at.
Are there recommendations that you would have as to how we
could strengthen overseas enforcement against the individuals
and organizations that are running the botnets that would
supplement just the technical capability to take down the
botnets? Let me start with you, Mr. Boscovich.
Mr. Boscovich. Well, Senator, I think that obviously as a
private company, as you mentioned, our main sphere of influence
is only using the civil process, and even in the civil process,
once we get default judgments, there actually is a procedure in
which we could seek to, for example, localize a U.S. judgment
overseas. But it is a complex and lengthy process.
In all of the actions that we take with our partners, we
then go ahead and always refer the cases and the evidence that
is the basis of the information that we arrive at through the
civil process to law enforcement. The process that law
enforcement uses, of course, has been around for quite some
time, and I believe some of the representatives of DOJ and the
FBI were here earlier today, and they made references to the
MLAT process and things of that sort. And these are procedures
that have been around for a very long time. And in terms of how
quickly these things could turn around, there has always been a
question. I could only talk about my experiences when I was at
Justice, that it does take time to turn this information
request around.
But from the civil perspective, I think----
Chairman Whitehouse. Particularly if the coordinating
country is of two minds as to how much they want to take down
this industry.
Mr. Boscovich. Well, that is why the partnership, the
private and public partnership is important, because what we
try to focus on, of course, is the immediate cessation of the
harm to people on the Internet. And to sever that
communication, to stop the harm, and then notify the victims
and then try to do something to remediate and clean their
computers, working through ISPs and country CERTs, that is the
job that we believe we can do, and do very well, with industry
partners and with the Government as well.
In terms of the criminal side, I would have to defer to,
you know, my former colleagues at the Justice Department.
Chairman Whitehouse. No, I was thinking more of the civil
side and pursuing personal liability and accountability of
foreigners who have done harm to your companies.
Ms. McGuire, any thoughts on that?
Ms. McGuire. Just this week we have seen reports, for
example, that Gameover Zeus, that modifications to that
particular malware are already being used by a new criminal
gang or perhaps the original perpetrator, who fled to Eastern
Europe, to launch new criminal activity. This is the kind of
thing where, if we had a faster, speedier MLAT process, we
could potentially address these kinds of issues at the speed of
the Internet as opposed to what I have been told by law
enforcement partners can take anywhere from 6 months to never.
And so those are the kinds of enhancements, modernizations
to these international treaties that we really need in order to
go after----
Chairman Whitehouse. Again, you are comfortable relying on
the law enforcement process for that and at this point do not
have any interest in pursuing civil liability on the part of
your private sector companies against foreign individuals to--
as a deterrent or to recover for the damages that they have
caused you?
Ms. McGuire. Most of our activity is on the sharing of
information and notification to both our international law
enforcement and CERT partners so that they can then take the
action that they need within their jurisdictions.
Chairman Whitehouse. And what have each of you seen in
terms of the coordination that has been your experience between
the private sector and between law enforcement? It has emerged,
and it seems to me from what I hear to be in a pretty good
place right now. There are a number of mechanisms through which
the FBI in particular but other Federal law enforcement
agencies cooperate with the private sector and exchange
information and deconflict activities. I think there has been a
lot of improvement there, but I would like to hear from each of
you how close you think we are to what we should be doing and
whether there are any specific recommendations you have. Let me
start from this side, Mr. Spiezle.
Mr. Spiezle. Thank you. I think we have had great success,
but I think there is a whole other layer of information sharing
that we are not getting today, and we need to bring other data
sources together. So more data sharing between the financial
services, and certainly we are seeing progress with the
FS-ISAC. We are seeing more breaches experienced in the retail
sector. We get data from them. And the reason this is important
is it is connecting the dots. And so it is not always just from
the ISPs and other sectors. So we need to get that. We need to
open the dialogue, but also to remove the burden of whether it
is antitrust, the concerns of privacy, or the concerns of
regulatory authorities coming after them. So how do we open up
that dialogue even domestically so we can get a higher level of
granularity and telemetry from other data sources?
Chairman Whitehouse. Dr. Vixie.
Mr. Vixie. So I mentioned in my remarks that the Internet
is borderless, and you mentioned in this question that the
criminals are borderless, and I think that firmly points to the
fact that our solutions have to be borderless. So I will say
again NCFTA in Pittsburgh has a huge international outreach
program. I go and do some training there of the international
law enforcement community every summer. But they do it
year-round, and it is a huge thing, because a lot of the other
countries where the cybercrime is originating right now do not
have the capability to train their people locally. They do not
necessarily have the budget for the tools that are needed and
so forth. So I think I really want to encourage more outreach
of that kind, possibly not just by NCFTA but by other U.S.
agencies who are leading in the world.
I do not have an answer for civil lawsuits. I know that it
can be used if you are trying to get at somebody and you do not
know who they are. You can often get a court order using a John
Doe. But it is messy, and it has not really produced consistent
results.
Chairman Whitehouse. Ms. McGuire.
Ms. McGuire. I would also echo that the NCFTA is a terrific
organization, particularly on the international front, as well
as working with industry and between law enforcement partners
and Government agencies. But in particular to your question on
information sharing and has it gotten better with the FBI and
the Department of Justice, we have seen significant
improvements, frankly, over the last 2 years in our ability to
work with them, their responsiveness to the information that we
are sharing with them about indicators of compromise, about
just the process that they are using. And as I think I
mentioned earlier, Gameover Zeus we think is the best example
so far where they reached out to more than 30 international
organizations, including industry, governments, researchers,
ISPs, brought all of them together so that collectively we
could be ready and work the takedown once the injunctions and
the appropriate actions were taken.
So that is, I think, the model----
Chairman Whitehouse. The borderless response, to Dr.
Vixie's point.
Ms. McGuire. Yes, borderless response, exactly. And I think
that is the model we need to work toward in the future, and we
have one now as a proof point for the future.
Chairman Whitehouse. Mr. Boscovich, last thoughts.
Mr. Boscovich. I think deconfliction is one of the key
components of a successful private-public partnership, and in
cases such as Citadel, Gameover Zeus, and more recently the
Shylock-Capshaw operation recently that went down in Europe is
a perfect example of public-private partnerships, civil process
complementing criminal process, all while stopping the harm
immediately, working to help the victims, yet at the same time
allowing the criminal side to do what they do best, the
deterrent effect, going out and arresting individuals. And I
think that we have come a long way in getting at that sweet
spot where we now have an appropriate mechanism by which we
share information, where we deconflict with law enforcement,
both domestically and internationally, to achieve the greatest
impact possible in these takedowns.
Chairman Whitehouse. Thank you very much.
A final good word to Microsoft, just lawyer to lawyer. You
were among the earliest companies--probably all three of you
were involved over the years; a lot of people were connected to
Microsoft here--in the first civil takedowns, and just as a
lawyer, to read those early complaints and see the statutory
grounds based on very modern, complicated electronic privacy
statutes, and at the same time doctrines of English common law
that were transplanted to America when we formed our country
and that are part of the common law history dating back to the
1400s side by side as a separate count, it was--it must have
been a lot of fun. It was terrific legal work, and it had a
wonderful effect. So I compliment you on it. And I assume that
you would want--you know, we are legislators, and so we think
about legislating. It is like the story about the hammer. Every
solution that a hammer sees requires a nail. And so we tend to
think in terms of new and amended statutes. But I gather you
would want to make sure that we left room for traditional
common law remedies to maintain themselves as a part of the
repertoire here and to allow the natural development that the
common law permits. Is that fair to say?
Mr. Boscovich. Absolutely, Senator. One of the beauties
behind the common law system is its ability to adapt constantly
to new facts. And what we are looking at here is a threat which
is constantly adapting, something that is always moving, always
morphing. And the beauty behind common law and trespass to
chattels, tortious interference with a contractual
relationship, these are theories that we could use over and
over again and are part of a system that at its core is
able to adapt quickly. So, yes, I think that I would love to
see the standard common law principles remain intact as we
tackle these.
Now, having said that, it does not mean that there is not
always room for improvement in both present statutes and
potentially even new statutes. And we would gladly take a look
at any type of amendment and/or proposed legislation that
Congress and yourself may have and give our comments so that
you could have the best insight possible, from us at least.
Chairman Whitehouse. Well, certainly when they first came
up with trespass upon chattels, it was well before anybody had
an inkling there could ever be an Internet, so that certainly
has been a lasting doctrine.
Let me thank all of the witnesses for this hearing. I
appreciate very much your input. I look forward to the
responses to the question for the record. I think that we have
a very strong, bipartisan group of Senators who are very
interested in this issue and are looking forward to coming up
with legislation that can pass and help you all in your
important pursuits to protect our economy and your clients and
your companies from the kind of attacks that we are seeing,
largely from overseas.
So Godspeed to you all in your work. Thank you very much
for what you have done and for your testimony today. We will
keep the record open for 1 week for anybody who cares to add
anything to the record and for those question-for-the-record
responses to come in.
And, with that, we are adjourned.
[Whereupon, at 4:24 p.m., the Subcommittee was adjourned.]
[Additional material submitted for the record follows.]
A P P E N D I X
Additional Material Submitted for the Record