[Senate Hearing 106-527] [From the U.S. Government Publishing Office] S. Hrg. 106-527 CYBERCRIME: CAN A SMALL BUSINESS PROTECT ITSELF? ======================================================================= FORUM BEFORE THE COMMITTEE ON SMALL BUSINESS UNITED STATES SENATE ONE HUNDRED SIXTH CONGRESS SECOND SESSION __________ MARCH 9, 2000 Printed for the Committee on Small Business ______ _______________________________________________________________________ For sale by the U.S. Government Printing Office Superintendent of Documents, Congressional Sales Office, Washington, DC 20402 U.S. GOVERNMENT PRINTING OFFICE 64-417CC WASHINGTON : 2000 COMMITTEE ON SMALL BUSINESS ---------- ONE HUNDRED SIXTH CONGRESS CHRISTOPHER S. BOND, Missouri, Chairman CONRAD BURNS, Montana JOHN F. KERRY, Massachusetts PAUL COVERDELL, Georgia CARL LEVIN, Michigan ROBERT F. BENNETT, Utah TOM HARKIN, Iowa OLYMPIA J. SNOWE, Maine JOSEPH I. LIEBERMAN, Connecticut MICHAEL ENZI, Wyoming PAUL D. WELLSTONE, Minnesota PETER G. FITZGERALD, Illinois MAX CLELAND, Georgia MIKE CRAPO, Idaho MARY LANDRIEU, Louisiana GEORGE V. VOINOVICH, Ohio JOHN EDWARDS, North Carolina SPENCER ABRAHAM, Michigan Emilia DiSanto, Staff Director Paul Cooksey, Chief Counsel Patricia R. Forbes, Democratic Staff Director and Chief Counsel C O N T E N T S ---------- Opening Statement Page Bond, The Honorable Christopher S., Chairman, Committee on Small Business, and a United States Senator from Missouri............ 1 Kerry, The Honorable John F., Ranking Member, Committee on Small Business, and a United States Senator from Massachusetts....... 18 Burns, The Honorable Conrad, a United States Senator from Montana 21 Committee Staff Conlon, Paul, Research Analyst, Majority Staff................... * Dozier, Damon, Legislative Assistant, Minority Staff............. * Panelist Testimony Neptune, Joan, General Manager, LC Communications, Davie, Florida 24 Riley, Mary, Special Agent, Assistant to the Special Agent in Charge, Financial Crimes Division/Electronic Crimes Branch, United States Secret Service, Washington, D.C.................. 30 Charney, Scott, Partner, PricewaterhouseCoopers LLP, Washington D.C............................................................ 40 Farnsworth, Roger, Manager of Product Marketing, Cisco Systems Inc., San Jose, California..................................... 46 Alphabetical Listing of Senators and Panelists Bond, The Honorable Christopher S. Opening statement............................................ 1 Attachments to statement..................................... 4 Burns, The Honorable Conrad Opening statement............................................ 21 Prepared statement........................................... 22 Charney, Scott Testimony.................................................... 40 Prepared statement........................................... 42 Farnsworth, Roger Testimony.................................................... 46 Prepared statement and attachment............................ 49 Kerry, The Honorable John F. Opening statement............................................ 18 Prepared statement........................................... 20 Neptune, Joan Testimony.................................................... 24 Prepared statement........................................... 27 Riley, Mary Testimony.................................................... 30 Prepared statement........................................... 32 Participants Bahret, Mary Ellen, Manager, Legislative Affairs (Senate), National Federation of Independent Business, Washington, D.C... * Barton, Richard, Senior Vice President, Congressional Relations, Direct Marketing Association, Washington, D.C., and Representative, Association for Interactive Media and the Internet Alliance, Washington, D.C................................................ * DeBow, Charles H., III, Director, Special Projects, National Black Chamber of Commerce, Washington, D.C..................... * Duggan, Marty, President and Chief Executive Officer, Small Business Exporters Association, McLean, Virginia........................ * Glover, The Honorable Jere W., Chief Counsel for Advocacy, Small Business Administration, Washington, D.C....................... * Jacques, Veronica, Manager, Government Relations, Direct Selling Association, Washington, D.C................................... * Keam, Mark, Assistant Chief Counsel, Office of Advocacy, Small Business Administration, Washington, D.C....................... * Lane, Rick, Director, eCommerce and Internet Technology, U.S. Chamber of Commerce, Washington, D.C........................... * Morrison, James, Senior Policy Advisor, National Association for the Self-Employed, Washington, D.C............................. * Page, Matthew, Director, Legislative Affairs, Small Business Legislative Council, Washington, D.C........................... * Rivera, Maritza, Vice President of Government Relations, U.S. Hispanic Chamber of Commerce, Washington, D.C.................. * Schneier, Abe, Representative, National Alliance of Sales Representatives Associations, Washington, D.C.................. * Comment for the Record Wilkinson, Anthony R., President and Chief Executive Officer, National Association of Government Guaranteed Lenders, Inc., Stillwater, Oklahoma, statement and attachment................. 91 *Comments (if any) between pages 56 and 88. CYBERCRIME: CAN A SMALL BUSINESS PROTECT ITSELF? ---------- THURSDAY, MARCH 9, 2000 United States Senate, Committee on Small Business, Washington, D.C. The Committee met, pursuant to notice, at 9:41 a.m., in Room SR-428A, Russell Senate Office Building, The Honorable Christopher S. Bond (Chairman of the Committee) presiding. Present: Senators Bond, Burns, and Kerry. OPENING STATEMENT OF THE HONORABLE CHRISTOPHER S. BOND, CHAIRMAN, SENATE COMMITTEE ON SMALL BUSINESS, AND A UNITED STATES SENATOR FROM MISSOURI Chairman Bond. Good morning. The Committee on Small Business welcomes you to its second forum of the 106th Congress. This forum is entitled ``CyberCrime: Can a Small Business Protect Itself?'' I have to apologize for the delay in starting. We have had so much interest on this, I stopped to do some media interviews on the way in because people are finally beginning to realize how important this subject is. Senator Burns tells me that in the Commerce Committee he has just held a hearing on this. We want to focus particularly on small businesses and the vulnerability of small businesses, and what we can do about it. We have some real experts here today, some people who have had experience with this issue. I remember from unsuccessful political ventures of mine, friends after a significant loss have slapped me on the back and told me that experience is what you get when you expect to get something else. We believe we can learn from some of the experiences we will be told about today. Nine months ago this Committee held a forum on e-Commerce and its potential to allow a small business to compete successfully against its giant competitors. At that forum we outlined some of the obstacles to success in this dynamic market. The goal of this forum is to raise awareness of CyberCrime and to generate a dialogue between law enforcement and the small business community. According to a study by the University of Texas, e-Commerce accounted for the creation of 1.2 million jobs and $300 billion in revenue in 1998 alone. We all recognize what an astonishing growth pattern that is and the pace of it is truly remarkable. What is even more impressive is a recent Forrester Research study concluded that in January 2000 alone there was $2.8 billion in online retail sales, greater than the total $2.4 billion of retail sales for the entire year of 1997. We expect growth in this area to continue with increasingly more business being conducted via the Internet, both through e- retail and through more conventional business-to-business e- Commerce. With such expanded business activity, however, come new threats that we must address. A prime example is computer crime. The extent of the threat is truly alarming. The most accurate data that we have available comes to us from the Computer Emergency Response Team, or CERT as its known, at Carnegie Mellon University. We plotted that data on the chart to my right. What we see is a 121 percent increase in intrusion incidents like ``hacking'' reported from 1998 to 1999. For some of you it is a little hard to see with the lights, but you see a slowly rising curve to 1997 and it goes up sharply in 1998 and almost straight up in 1999. Recent research by the Computer Security Institute indicates that 30 percent of businesses nationwide have been victimized by computer intrusions. It is important to note that many companies have been the victim of hacker attacks, yet fearing negative publicity and reduced consumer confidence, they have been reluctant in too many instances to report such incidents. Over time many of the Nation's largest businesses have been actively working to protect themselves from computer criminals and computer vandals whose actions can cause considerable harm. I am concerned that with greater efforts on the part of Government, and as big business does take steps to protect itself, small business will become a much more inviting target. This is even more timely given the recent case where a home-based business in Oregon was reported to have its computer hacked and used in the so-called ``denial of service'' attacks on the web sites of Yahoo, eBay, CNN, Amazon.com and others. These recent attacks should serve as a useful wake-up call to business, Government and academia. Nearly 2 years ago, CERT warned the industry of the potential of a such an attack. These warnings were repeated by the National Infrastructure Protection Center at the FBI. Unfortunately, it appears that the warnings have not had their necessary impact. We have today a panel of experts, Joan Neptune from LC Communications in Florida was a victim of computer crime and she will share her personal experience; Special Agent Mary Riley from the Secret Service, the head of the Electronic Crimes Branch; Scott Charney from PricewaterhouseCoopers, formerly chief of the computer crime section at the Department of Justice; and we will hear from Roger Farnsworth, manager of product marketing at Cisco Systems. Cisco is the world's largest manufacturer of equipment that connects people and businesses. But before turning to our panelists, let me encourage everyone here today to take an active part in the discussion portion. I hope that everyone will think about areas where this Committee can be of assistance, either encouraging dialogue, by providing a voice for small businesses, or if there are legislative fixes needed. We will be producing a formal transcript of the forum and we will hold the record open for 2 weeks to invite additional statements that any of you would like to submit. I would extend that to our audience both here and the people who are watching us via live transmission on the Committee's web site. Before turning to the panelists, obviously it is always a pleasure to turn to my partner in this operation, the distinguished Senator from Massachusetts, Senator Kerry. Welcome, Senator Kerry. [Attachments to the statement of Senator Bond follow:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] OPENING STATEMENT OF THE HONORABLE JOHN F. KERRY, RANKING MEMBER, COMMITTEE ON SMALL BUSINESS, AND A UNITED STATES SENATOR FROM MASSACHUSETTS Senator Kerry. Thank you, Mr. Chairman, very, very much. And thank you for this particular forum and for its structure. I congratulate you on that. I think it is a terrific way to combine the input from the panel, but also to have a dialogue. I think this Committee does an excellent job of being creative in how we do our information-gathering and digesting, so I think this is a good way to do it. Let me just say very quickly that this is a timely, fascinating topic, for reasons that everybody here understands very well. I have the pleasure of also sitting on the Commerce Committee and I sit on the subcommittee with Senator Burns, and on both the Technology and Communications Subcommittees of the Commerce Committee. So I am really having as good a time as I have had since I have been in the United States Senate learning about and watching the extraordinary entrepreneurial creativity that is taking place in this sector, which many people assure me is really only just beginning in many ways. The disintermediation that is going to take place in the context of our economy is, I am convinced, going to be just enormous. We are already witnessing it. It will remake not everything, because consumers will always want to touch and feel and try and have a certain kind of experience in the context of their consumerism. But nevertheless, it will shape every kind of retail establishment in one way or the other, affect distribution monumentally, and most people are sharing with us the ways in which it will particularly be mostly business-to-business oriented in its impact, certainly at the earliest stages. We are seeing that. So this particular issue in small business looms even larger in that context because most of America is small business. And the Internet offers, obviously, this remarkable democratization of sales. You can be small and new and offer up something that can compete with the old and large and big. That is really what is fascinating about it, is that it creates these new opportunities. But obviously, one of the great restraints has been, is today, and will continue to be people's perceptions of security, of their privacy, which is another great issue we are grappling with here in the Congress. As I talk to CEOs of these companies I am convinced that they understand better than anybody, because they are in the middle of it and they are doing it with a passion, that they want this thing accessible to everybody and as available as possible; free if possible, in most contexts. But at the same time, there is this confrontation with these other issues that we are here to talk about today. How do you keep it that accessible, and that open, and that free if people disrespect it in the way some have chosen to over the last years. This is not just this year this has happened. I began to learn about some banks that had some rather embarrassing experiences a number of years ago and their choice was obviously not to let the world know about it, they were so embarrassed by it. So we have only now seen this surface as a kind of legitimate issue in the context we have to deal with it. The Chairman has properly shown the number of increases of incidents. I think the White House yesterday, the White House Office of Science and Technology was quoted as saying in Roll Call that there may be $100 million of cost associated with this. And the professional associations say it may be as much as $250 billion worth of actual losses, which is different from cost. So we are glad to hear from people here today. I am pleased with everybody on the panel. I particularly want to say welcome to Cisco who has been just a huge mover, player in what is happening globally, and we are delighted to have them opening a campus in Massachusetts now and engaged there. This is something the industry will solve, in my judgment. It is something that technology itself will solve, and I think Government needs to be careful not to--we should air it. We should discuss it. But we ought to be wary of maybe rushing in with solutions. But I think that is the purpose of today's discussion. Final comment is, I apologize that as usual around here I have about 17 different conflicts and several of them are hearings so I cannot be here for the whole thing. But my staff will be and I certainly look forward to reviewing the record and listening to the parts of the discussion I can. Thank you, Mr. Chairman. [The prepared statement of Senator Kerry follows:] [GRAPHIC OMITTED] Chairman Bond. Thank you very much, Senator Kerry. I too am being pulled in 11 different directions, and with Paul Conlon on my staff and Damon with your staff we are going to conduct the business and we hope that many of our colleagues will be able to join us. But one of our colleagues who has been a real leader in discussions of e-commerce and technology for a long time is here. We are very delighted to have Senator Kerry and Senator Burns' expertise in this area. With that, let me call on Senator Conrad Burns of Montana for his comments and insights into this. OPENING STATEMENT OF THE HONORABLE CONRAD BURNS, A UNITED STATES SENATOR FROM MONTANA Senator Burns. Thank you, Mr. Chairman, and thanks for calling this hearing. I too want to congratulate you on the structure of this hearing. I am going to submit my statement for the record. Chairman Bond. It will be accepted. Senator Burns. However, I want to make a couple of comments. As we look at this and what really brought us to this day of when Yahoo and eBay and e-Commerce and I think maybe a couple of trading houses were jammed, and it was not hacking as we understand it. In other words, hacking as we have always understood it is a person getting into a secure site illegally. Basically this one had to do with the enlistment of surrogate or many computers on the outside to jam the lines or to overload the system of any particular web site. That is the way I understand it. There was not actually an illegal entry into a secure site. It was they surrounded the site where nobody else could get into it, and that is a little more disconcerting to me because the situation of hijacking other computers and other systems in order to do your work for you is troubling to us, and as we look at this situation, what it would cost small business. The Chairman is exactly right, e-Commerce last year had a terrific year in growth. Although they only amounted to 1 percent of the retail sales totally in this country, they sent a strong message to the commerce sector of our country saying that we are a player now, and even the smallest web site can compete with the largest and the most well-established. That is an encouraging sign when we talk about commerce and the competition in the marketplace. So this morning I look forward to the comments of our panel and our experts here. I too am pulled 11 ways but I am OK until the twelfth one is added. Thank you, Mr. Chairman. [The prepared statement of Senator Burns follows:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] Chairman Bond. Thank you, Senator Burns. Now let us get down to business. First we welcome Ms. Joan Neptune, general manager, LC Communications of Davie, Florida; one who can speak to us with great personal experience in this area. Ms. Neptune, welcome. STATEMENT OF JOAN NEPTUNE, GENERAL MANAGER, LC COMMUNICATIONS, DAVIE, FLORIDA Ms. Neptune. Thank you very much for having me here today. In 1996, I was executive vice president of a small ISP located in south Florida. When I tell this story please remember that it was in the beginning days of the Internet and technology is not what it is today. But at that time we were the victim of a CyberCrime that eventually had a devastating financial impact on the company. We offered many services. We offer all different types of access, web hosting, web development. We were connected to the customers through the public telephone network and into the Internet through a backbone provider, and of course, we had a billing platform where the customer information was. Plus about 80 percent of our customers did use credit card billing, so all the credit card information and other secure information about their passwords and logins were located on the billing server. One day in the early morning hours, miraculously the login and password file that you use to actually get into the Internet every time you dial in, was missing. We immediately went to our backup tapes, installed the backup of the file and then looked into the log files to see what had happened. We had determined that an unauthorized user had come in through a computer terminal that was left on, used a terminal simulator program so that they were actually looking like they were the operator of the terminal at the time. We instituted new procedures. A couple of weeks later the same thing happened. When we put the backup in, a few days passed and we received an e-mail from them saying that they were very upset and the reason that they had done this was because we had shut down an unauthorized chat room. We had chat rooms as one of our services, but this was unauthorized. They were using a lot of bandwidth. They were blocking our customers from accessing the Net. We decided not to put the unauthorized chat room back on. We installed new procedures, ordered new firewalls. We did have other firewalls, but the system was increasing over time and new technologies were coming out daily. A couple of weeks passed and again the system crashed, but this time they also deleted all of our customer web sites, hosting sites, et cetera. Of course as luck would have it, the backup was corrupted, so it was not a good backup and about 10 percent of the web sites were lost which we did have to redevelop on-site. A few days passed and we got an e-mail saying that they were not kidding around, and they had copies of our customers credit cards, and they wanted $30,000 otherwise they would sell these credit cards, notify our customers, et cetera. At that point we began to take them very seriously and contacted our corporate attorneys who referred us to the Secret Service through contacts, because the Secret Service was the agency that handled credit card fraud. It was very fortunate at the time that hacking was just coming into the limelight and the Secret Service was looking for a test case and looking to develop procedures to track people on the Internet. The Secret Service did come in. They were very wonderful. They lived day and night at our office. While we were sending e-mails back and forth to the hackers, which were passed by the Secret Service psychologist to kind of peg them in and develop a rapport, we also had to shut down a lot of our services like telenetting, chat rooms, et cetera, to our customer base because we needed to limit the access of the hackers. We could not notify our customer base and we could not notify most of our employees because the Secret Service did not want anybody to get wind of the investigation that was going on. About a month passed and finally a set up, a plan was developed and they wanted us to send $30,000 hidden in a book, overnight special delivery. By that time we had tracked the hackers back to Germany through the telecommunications industry. We were able to find the login files to find the telephone number that they had originated their access into our system from, tracked it back to an MCI long distance switch in New England, and then MCI helped track it back to access numbers in Germany. So the Secret Service had also gotten the German local authorities involved in this. The Secret Service flew over to Germany, waited with the German police at the dropoff point and a young gentleman picked it up. Of course, he was not the culprit. He was only instructed to pick it up, drop it at another destination. This went on through four different dropoff points. Finally, they found the gentleman, who turned out to be a college student who had spent his college money that his parents had given him and he needed this $30,000 to replace the money. The Secret Service had no authority in Germany so the case was turned over to the local authorities, and he was charged with a minor crime, which I cannot really recall exactly what it was called. About 6, 7 months later he went to trial. His family was very influential. He got 14 months probation and a slap on the wrist. Back on the homefront though, this cost us very much more than a slap on the wrist. Obviously, after the third hacking incident our customers were not happy. There was a lot of competition in the Internet involvement, as there is today, and they simply went to other carriers. Then when our services were curtailed, they went to other carriers. The money that we had earmarked for expansion instead went to putting in firewalls. Eventually we had to, because they did find the credit card numbers on the hacker's hard drive, we had to notify all of our customers in the end that their credit cards could have been compromised. So the cancellation rates went crazy and we were never able to come back from this devastating experience. Our momentum in the marketplace was lost. Our reputation was ruined in the marketplace. We had to expend about $500,000 in expenses of which we only received about $135,000 back from insurance. So all around it was a death sentence. The only good thing, and I would like to underline here, was how wonderful the Secret Service was to us. They really worked day and night and saved the company at that point. I thank them and I thank you for having me here today. [The prepared statement of Ms. Neptune follows:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] Chairman Bond. Ms. Neptune, that is a very scary tale and that is also a wonderful introduction for our next panelist, Special Agent Mary Riley, assistant to the special agent in charge of the Financial Crimes Division of the United States Secret Service in Washington. Ms. Riley, welcome. STATEMENT OF MARY RILEY, SPECIAL AGENT, ASSISTANT TO THE SPECIAL AGENT IN CHARGE, FINANCIAL CRIMES DIVISION/ELECTRONIC CRIMES BRANCH, UNITED STATES SECRET SERVICE, WASHINGTON, D.C. Ms. Riley. Thank you very much, Mr. Chairman. Good morning. Within the Secret Service we have been working these network intrusion type investigations--Ms. Neptune outlined one of the perfect examples of that this morning--since about 1987. The focus of our efforts and in an effort to avoid duplication or unorganized activity between law enforcement agencies, we have tried very hard to focus our investigative efforts in the areas of financial institutions and telecommunications networks, such as that that Ms. Neptune described this morning. It has allowed us to really train our agents and give them an expertise in a smaller number of networks so that as they do respond to victim companies they have the ability to understand the types of questions to ask, the types of investigative techniques to bring forward, and keep that germane to a smaller segment of industry and allow the expertise to work through the investigations. One of the most important things that we have seen in working with victims in these types of cases is that we as law enforcement have got to take on a great deal of responsibility in protecting the victim throughout the investigation. We have to ensure that the activities that we have to deploy throughout the investigation do not cause greater harm to the victim than the original hacking activity or the criminal activity that brought them to our attention in the first place. For example, within the investigation that was outlined for you this morning, when 11,000 credit card numbers were identified as having been potentially compromised not only would there be harm in notifying a broad sector in some blanket notification that those numbers could have been potentially compromised. At that point we had a lot of threats but no confirmation initially that this information had actually been stolen. It was simply a threat to try to entice the victim in this case to provide the $30,000 or the open access into their network. They were using any type of threat that they could. What we did from our angle was, because of our experience within the credit card industry, for example, we have been working extensively with that industry for the last 15 years, we were able to take the information provided to us by the victim and take that information to the credit card issuers saying, these are potentially compromised numbers. Let us keep that in that realm initially. Let us not go out and notify every customer out there who may be somewhat skeptical about using credit cards on the Internet in the first place or dealing within the electronic commerce arena. Let us try to keep this in perspective. Let us make sure that we are only acting on known facts. Threats have got to be treated as such until we can provide confirmation there. The credit card industry responded admirably. They were able to take all 11,000 numbers, notify the issuers to flag those accounts in the event fraud activity did occur, but keep it within that realm until we could provide further confirmation through the activity in Germany that was later done in the search warrants at the suspect's residence. Another example of that same type of activity occurred when we had a network intrusion into a telecommunications company in Boston. The telecommunications company that provided services to the public was, of course, one of the primary victims. But a smaller business that was affected there was the company that actually manufactured the switch that was affected. Their reputation was on the line immediately once that switch was compromised. The first thing that we did in that investigation, once we identified the methods used by the suspects in that case, was contact the manufacturer of the switch and also give them the opportunity to notify their customers themselves of the compromised activity and the work that they were doing with law enforcement to provide a fix. The United States Attorneys Office was then incredibly responsive and agreed to give us the time--us meaning law enforcement and industry, to ensure that the company had the opportunity to work with their customers, develop patches that would allow the compromised activity to be discontinued completely, and ensure that at no time did we release any information about the case that could have caused that victim to suffer further harm as a result of our actions. All prosecution, for example, in that particular case was withheld until the fixes were put into place by the small company that manufactured the switches there. We find that it is incredibly important to ensure in all of our partnerships with industry and with other law enforcement agencies that we take the benefit of our experience, that every time we learn a new lesson in dealing with industry victims and in dealing with the types of vulnerabilities out there, that we are very candid with our industry partners so that we can learn from these past experiences. We would like to support entirely the prevention techniques that are being deployed by industry, such as those outlined in Mr. Farnsworth's written statement where he outlines some very effective prevention techniques that industry can use to keep these types of events from happening to other victims. We would like to continue to share the information that we have picked up from the industry, from the different types of suspect interviews that we have done, and the technical reviews of the actual hacking activity and just continue to get that out to industry and to any agencies and companies that are affected by these types of cases so that we can learn from the past experience and hopefully deploy more prevention techniques, as you well mentioned, that technology can work to solve this problem by taking advantage of the information we have. Thank you for the opportunity. [The prepared statement of Ms. Riley follows:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] Chairman Bond. Thank you very much, Ms. Riley. Mr. Scott Charney, partner of PricewaterhouseCoopers LLP in Washington, D.C. Welcome, Mr. Charney. STATEMENT OF SCOTT CHARNEY, PARTNER, PRICEWATERHOUSECOOPERS LLP, WASHINGTON, D.C. Mr. Charney. Thank you. Thank you for inviting me here. First I would like to say something about these statistics, which is that they probably under-report and under-represent the scope of the problem. The reason for that is that what you see from the CERT team and from the Computer Security Institute are reports of people who have detected and reported computer crime. It has been widely viewed by experts that most computer crimes are neither detected nor reported. Of course, it was always hard to prove that. How do you prove what someone does not know? Well, fortunately the Defense Department did a controlled study. They attacked their own machines. They attacked 38,000 of them and they got in 65 percent of the time, 24,700 successful penetrations. But here is the really interesting statistic. They then went to the system administrators and said, how many intrusions have you detected, and the answer was, 988 out of 24,700. Basically a detection rate of 4 percent. So then the next question was, how many of these system administrators reported the intrusions to DISA, the Defense Information Systems Agency, and the answer to that was 267; roughly 27 percent reporting rate. This is in an agency with mandatory reporting and a staff that if they know anything, it is follow orders. So one of the things that we learned from these statistics is, they probably do not fully represent the problem. It is interesting, if you come back to Senator Burns' comments about the denial of service attacks, one of the things about a denial of service attack is, you know it happened. Your system goes down. It is easy to detect. But other computer crimes attack the confidentiality and integrity of information. Those crimes are very hard to detect. It is somewhat interesting, as a person now in the private sector I will go to a company and say, you need to deploy computer security and they will say, ``Well, we have never been attacked.'' And I ask, ``How do you know?'' And they respond, ``Well, we have never seen anything go wrong.'' And I ask, ``Well, if I steal your car, how do you know?'' And they say, ``Well, my car is gone.'' And I ask, ``If I steal your customer list how do you know?'' They respond, ``My customer list is--oh, no, I would still have it, would I not?'' That is right. A copy has been taken, not the original. The original remains intact. So those kinds of crime are much harder to detect. There are, of course, increasingly, preventive steps that companies can take, and some of these involve intrusion detection systems, or computer anomaly detection systems using the power of the computer to look for behavior that we know is bad. But there are a couple of problems here. One is that the technology is not yet very mature, only it is getting better. The second thing is, how do you detect abuse in a computer network? You watch what people are doing. You monitor their activities. You see when they log on and log off. You watch their activities on the network to see what kinds of information they are accessing. In the context of computer security, these techniques equal surveillance. So now you run into some very serious privacy issues. How do you monitor what is going on on networks to figure out when people are abusing them without at the same time monitoring lots of innocuous activity, or activity that looks suspicious but later proves to be innocuous, and how do you protect the privacy of Americans using the Net? So needless to say, these are very complicated issues. I would add to that, a particular problem for small business, which is the technology is changing very, very rapidly. As a result of that, each time the technology changes it costs considerable money to upgrade to the newest and greatest technology. At the same time, with each new technology comes a new set of vulnerabilities. So when people migrate from one operating system to the next, they get the vulnerabilities of this new operating system. That means that businesses have to be ever vigilant, constantly testing their systems, mapping their networks, seeing who is connected, looking for vulnerabilities, educating their users, looking for fraud. The difficulty is, for large companies this can be very expensive. For smaller companies, where are they going to get the money to do it? To the extent they have some sort of IT budget, they are spending that budget to create opportunity; security is often viewed as a loss center as opposed to a business enabler. So it is very difficult for them to allocate their resources in a way that allows them to devote significant attention to computer security. I will leave you with one other problem along the same lines, which is where do small businesses get the talent to deploy their computer security? There are different statistics on this. One comes from Congressmen Wolf and Moran when they talked to the Partnership on Critical Infrastructure Security, an industry group looking at security. Their number was 12. Georgia State University tells me it is 9. But whether 12 or 9, that is the number of people in the United States who graduated with a Ph.D. in computer science last year. Six of them went to industry, three of them went to Government, some went back to their home country. None of them went into academia. So if you look at a model that we need greater computer security and we want this generation of experts to teach the next generation, that is not happening. And when a small business goes out and says, I need a system administrator who really understands technology and they are competing with the big companies of the world, it is going to be very hard for them. Thank you. [The prepared statement of Mr. Charney follows:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] Chairman Bond. Mr. Charney, that is rather depressing. We now turn to a man who may have some of the answers to begin the discussion. I have to apologize in advance, I have to be someplace at 10:15, but I will be back. The full statements of all of you will be submitted and included in the record. I will turn this over, when I leave, to Senator Burns. Senator Burns. I will turn it over to Paul Conlon. Chairman Bond. OK. Paul and Damon will continue the discussion. But now it is a real pleasure to introduce Roger Farnsworth, manager of product marketing of Cisco Systems in San Jose, California. Mr. Farnsworth, welcome. STATEMENT OF ROGER FARNSWORTH, MANAGER OF PRODUCT MARKETING, CISCO SYSTEMS INC., SAN JOSE, CALIFORNIA Mr. Farnsworth. Thank you, Chairman Bond, Senator Burns, distinguished Members of the Committee and their guests. I want to thank you for the opportunity to come here today and speak with you. As a professional nerd, it is exhilarating to be able to put on a suit and rub shoulders with-- Chairman Bond. I was going to say what a nice looking suit that is. Mr. Farnsworth. Thank you very much. My name is Roger Farnsworth. As you said, I am a manager of marketing for Cisco in the area of network security. As you may know, Cisco is the world's largest manufacturer of equipment that connects people and businesses to the Internet. We are also widely acknowledged as the leader, if not one of the leaders, in providing security solutions for the Internet economy. Cisco employs over 26,000 employees, headquartered in San Jose, California with major presences, as Senator Kerry said, in Massachusetts, North Carolina, and Texas. Questions of security and Internet security are particular timely right now, especially with the recent incidents of denial of service attacks against high-visibility web sites. These issues are important not only to large companies but to companies of every size. The No. 1 reason people cite for not buying online today is fear for their privacy or the security of their transactions. Today I am here to suggest that these concerns can be addressed, security fears should not deter America's small businessmen and women from going online, and encourage all members of the industry to participate in finding the technological and operational answers to these problems. A few years ago, Cisco Systems boldly predicted that the Internet would change the way we work, learn, live, and play. At that time these types of hacking incidents probably would not have raised the eyebrows and achieved the visibility that they are today. Today it is a different story. An attack against an online business or the digital domain has far- reaching ramifications and can be considered an attack against all of us because of the way the Internet has transformed our lives. Some interesting statistics. Today nearly 40 percent of small businesses in the United States are now online, up from just 19 percent in 1998. Last year the Internet economy generated more than $500 billion in revenues and 2.3 million jobs in the United States according to a University of Texas study. Interestingly, of 3,400 businesses surveyed to measure the size of the Internet economy, more than one-third did not exist before 1996. This expansion so far is astounding, yet the growth is likely to continue. Analysts estimate more than 3.5 million small businesses will be online next year and the Internet economy will be worth $2.8 trillion in 2003. Business leaders recognize the strategic role the Internet plays in their company's ability to survive and compete in the new millennium. If you are a retailer and you did not have a yellow pages ad a few years ago, you were severely handicapped in your ability to perform your business. If you were a bank in the 1980s and you failed to add an ATM machine to your branch, you risked losing deposits of business. Today businesses should be looking into online banking, bill payment, or lending or face severe restrictions in their ability to grow their business. Making money in the new millennium means facing up to the reality that you either go online or go home. This is particularly true for small and medium businesses, because frankly the competition from large operators has never been more fierce. The big dog is not just the chain operation across the street; in the Internet economy it can be a company you have never seen before because it is out of town, out of State, or out of country. For some, that is going to be pretty frightening. But there is also a great opportunity here for small and medium business because everybody is the same size in the box sitting on your desk. The Internet levels the playing field between large and small businesses. Amazon.com, for example, realized it could leverage the efficiencies of the Internet to take on the likes of Crown Books and Barnes & Noble. Online booksellers can charge just 5 percent gross margin while equaling the return on investment that brick-and-mortar booksellers can only achieve by charging 30 percent margins. Similar economies of scale can be applied to many small and medium business categories and we are starting to see companies taking advantage of that. Smaller companies will continue to seek online opportunity. The key to competing in the Internet economy is recognizing the efficiencies of online commerce and moving faster than the other guy to take advantage of them. In the Internet economy, the big no longer beat the small. The fast defeat the slow. To accommodate the new model, the industry has worked very hard to build wider digital highways to carry more online traffic more quickly. Everyone agrees that faster access to the Web is a good thing. But as the recent hacker attacks show, a few misguided or challenged individuals can cause havoc by blocking these highways. Unfortunately, you cannot always stop these people from doing their bad deeds. But you can work to more quickly recognize these incidents and deal with them. The Internet, by and large, is still a very safe place to be. It is an essential part of today's business. What we have seen in recent weeks was a pothole on the information superhighway. Internet commerce did not stop. It slowed at a few sites for a limited amount of time. Businesses do need to step up and improve their Internet security. Security is essential if a company is going to successfully compete in the Internet economy. If you have a business that is brick-and-mortar you generally have an alarm system and locks on your doors. If someone shakes the handle, hopefully your alarm contacts the police. You should use the same types of technologies to protect your online business. Our online consulting team has indicated that the types of incidents that have been reported here, tragically, very common. We recommend that small businesses take a risk-based approach to solving these problems. Use an array of products, including firewalls, authentication systems, intrusion detection systems, and vulnerability scanning tools to protect your business. I brought today with me 10 tips for Internet security for small and medium businesses. These are by no means a comprehensive list of tips. These are probably the most common. I would encourage you to go online and look for information on Internet security. Cisco has a web site, www.cisco.com/go/ security that can help you understand issues of information security and how you might use tools. I will further say that as we heard a minute ago, the expertise in this area is rather centralized. The good news is that many service providers and consulting houses are now offering their expertise to small and medium business. In addition, companies such as Cisco and others are making available lower cost and usable tools for small business to use. For example, in the past year Cisco has bundled firewall software as well as intrusion detection software in some of our low-end routers to allow small businesses to deploy connectivity to the Internet in a cost-effective and safe manner. Again, I want to thank you very, very much for the opportunity to speak with you today. Cisco is very interested in solving these problems and we feel that one of the most important ways to address these issues is through public forums such as this where we can come together and talk about methods that we can use to protect ourselves and each other. [The prepared statement and attachment of Mr. Farnsworth follow:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] Senator Burns. Thank you very much, Mr. Farnsworth. Sitting here listening to your testimony, and interested in business-- whenever the denial of service thing happened with those major businesses, business did not stop. But I think it sent a chilling warning through the community of people who use services on the Internet. I think what you brought along today points out that--they will probably be taken more serious now than they would have say just a month ago. Education and awareness is probably our biggest challenge right now as people try to protect themselves and try to protect their web sites. Yesterday I asked, is there a technology, in the area of denial of service that really jams it up, is there a technology that serves like a thermostat when you are nudging up to a point where your load is such that it allows you to take some actions that may prevent something like the denial of service? Mr. Farnsworth. Yes, Senator Burns, one of the things that we encourage-- Senator Burns. I realize this one happened all at once. I mean, just instant. Mr. Farnsworth. Let me point out two things. When the first incidents of these types of denial of service attacks occurred back in the fall of last year it took approximately 3\1/2\ days for the leading consultant teams to determine the source of the attacks and put them down. The most recent incidents are being detected and responded to and solved in a matter of hours, if not minutes. So our skill at detecting these types of attacks is improving. The other question you raised about a type of thermostat is a good question. Cisco has been encouraging our large service provider customers as well as our large enterprise customers to implement some tools. There is a particular tool called rate limiting, for example, that can be placed on certain interfaces of the Internet backbone routers which can, in fact, set thresholds for this type of traffic. And if those thresholds are approached or exceeded, this type of traffic can be throttled before it becomes a significant problem to an end system. The issue there is that this is an issue that everyone has to address because it has to be implemented at all areas of the network in order to become effective. That is why we are encouraging all members of business to take a look at their procedures and see if they are addressing this. Senator Burns. Now another question I did not get to yesterday--by the way, we had a terrific hearing yesterday. Now we know that what happened to eBay in this denial of services, and Yahoo, was the enlistment of, or the use of computers dropping--you know, in other words, very successfully entering somebody else's computer, setting a program in there that can be triggered by me, and those computers can be found all over the United States. I think they finally found some of them located in some learning institutions, were found that way. Tell me about how do I protect my computer, my system on my web site from being--from one of these--I guess you could not call it a cookie really--but a program to be imbedded in there and to be used by somebody else without my knowledge? Mr. Farnsworth. That is interesting. We would call that a malicious applet or malicious code being placed on your computer. Senator Burns. I tell you what, we got to learn a whole new vocabulary. Got to get out a new dictionary here. Mr. Farnsworth. Your point about educational facilities being a primary target is well taken. Historically, those were the most publicly available sites that were online 100 percent of the time. What is very frightening to us now is the emergence of a new type of online access for the private home user, digital subscriber line service, or DSL service, or cable modem access. These types of service mean that home computers that are turned on and connected to the Internet become accessible to the Internet 24 hours a day. So it is not just the Government and educational facilities that we have to worry about now. Using virus scanning programs that are able to detect these types of malicious applets is something that people should do religiously. Not just the educational and Government facilities, but every user of a home computer that connects to the Internet. Recognize that if traffic can go out from your computer to the Internet, it can come in. So make sure that you look at your PC or your computing work station and take advantage of the advances that virus scanning companies are making; companies like McAfee and others. They do a very good job of detecting and reacting to the most recent virus profiles and malicious code profiles. And you need to be aware of that and use these programs as a normal part of-- Senator Burns. Are you saying then, let us say my computer at home. When I leave I should turn it off? Mr. Farnsworth. Yes, sir. Senator Burns. When it is off, is it accessible to outside entry? Mr. Farnsworth. Generally speaking, no, sir. Generally speaking, once you turn your PC off and there is no longer power applied to it, it is not accessible. There are certain exceptions to that with systems that are what we would say, Energy Star compliant, that can---- Senator Burns. Can be turned on? Mr. Farnsworth [continuing]. Recognize stimulus and wake up. But generally speaking, home computers are not vulnerable to that type of attack. Senator Burns. In other words, when I am not home, turn the damn thing off? Mr. Farnsworth. That is a very good idea. Senator Burns. I will tell you, you know, our kids had to teach us how to use these computers. Now you got to remember-- because us old ducks, you know, they were strange and we were afraid when we first started fiddling around with them that if you hit wrong key, the thing would blow up. But we later found out that computers are kind of like mules. You cannot make them do what they do not want to do. And you have got to be smarter than the mule, and I am having a hard time with that, as you well know. [Laughter.] Senator Burns. I have got to leave and I understand you are going to form a dialogue here now with these folks here. But I want to--I appreciate you coming today. We did talk about--Ms. Riley, I am going to also ask you, if the Secret Service is into the enforcement of some laws and then we also have the center, we are building a center for the FBI so they can deal with these things, have we done an overlap of law enforcement agencies that are starting to deal with crimes regarding the Internet? Ms. Riley. That is an excellent question, Senator. I think one of the most important things to note there is that there is a concerted effort on the part of all law enforcement, whether it is State, local, or Federal, associated with CyberCrime to share information on a regular basis. To ensure that if we are working an investigation involving a target that has hacked into four businesses, that we are sharing that information and sharing investigative leads early on. So that if another agency is working an investigation into that particular target, that we are sharing the information very quickly. The issue is that CyberCrime is not defined only by hacking activity. The specialized skills that we have, for example, in the financial networks or in the telecommunications networks used to be some very traditional offenses involving things like credit card fraud and bank fraud. A lot of those traditional offenses have now migrated onto the Internet. That does not change the fact that the expertise we have in those financial investigations is not there with our investigators any more. We just have to add skill sets to those investigators to work them in the Internet environment and in the cyber-arena. I think every agency that has traditional offenses, whether it is child pornography with Customs, or weapons trafficking with ATF, all of those agencies have a very core expertise in working those types of cases, and it brings a lot of value into our enforcement efforts between all the very different agencies. But the key is that we are sharing information between agencies. Senator Burns. Do we have a central point where we are collecting the information, or one particular agency that is in charge of that information and building databases of cases? Ms. Riley. On all types of CyberCrime? Senator Burns. Yes. Ms. Riley. No, not one central database. We do-- Senator Burns. We got to talking yesterday about--you know, I am going to bring an old culture forward a little bit. Some way or other we have got to put a warning on these--some of these hackers and people who cause mischief on the Internet are young folks who are just kind of searching and just playing games. Some way or other we have got to warn those people that they are venturing into an area where they could be prosecuted under Federal law. I can remember as a child the first thing you learned, even though we had open mailboxes, we did not fiddle around with somebody else's mail. There was a warning there that said, Government property and if you touched somebody else's mail, why you could go to jail. I am wondering if we should not do that with some technology or something that says, you are wandering into an area where you could be prosecuted? Yes, Mr. Charney? Mr. Charney. Yes, I would like to address that point, because first of all many computer systems do have banners warning them. But more importantly, it is an ethics and education problem. The Justice Department with the Information Technology Association of America has announced a cybercitizen partnership which is funded by the Justice Department and industry and it is an ethical campaign for children, to teach children the ethical use of computers. Senator Burns. I think that is notable, because awareness on this type of thing is very, very important. Ms. Neptune. I would also like to make a point on that, because this all goes back to the parents. I think that one of the problems with the Internet is that it is not regulated, and it is not a per-minute service. It started out free. It is not regulated, but it is a telecommunication service just like regular long distance. If it was regulated by the FCC, although there are problems there with small business, but if it was regulated by the FCC and the telephone companies charged per-minute rates, the Internet service providers would have to pass that along to the consumer. And when the parents got their bills I think we would have a lot of control over the children just like we have had elsewhere. I know that is not a very happy thought. Senator Burns. I think she has thrown out quite a lot of fresh meat here and you guys will have quite a lot to talk about. Ms. Neptune. I know you Internet users do not like to think that way but I do believe that that time will come because the Internet service providers cannot make a profit anyway if somebody stays on-- Senator Burns. I have got another appointment here and I am going to go take care of that. I am going to throw that out and leave it for your discussion. I am going to leave it to these gentlemen here, and they will know how to handle all this. Thank you for coming and participating in this and for your time. We know that you have got other things to do. We happen to think that this is very, very important to small business, the Small Business Committee, and over on Commerce as far as science, technology and communications is concerned. Just like I say, with the Justice Department yesterday I asked the gentleman then, has he had any communications with Congress and how do they want Congress to react to these type things? Should we be looking at a different approach and how can we partner on trying to prevent what happened to Ms. Neptune and also this denial of service shutdown. We keep the lines of communication open. We have just got to do that because we know that we are dealing with an entirely different kind of situation that we have never dealt with before. And everyone of us are sort of dumb about this. So again I want to thank you for coming, and Paul and Damon thank you for inviting them. Mr. Conlon. Let me do a little bit of housekeeping first. Before we go around and introduce all our participants, if there are any participants in the audience that have not come up and taken their seats, it is an opportunity now to come up. Would you like to go ahead and introduce yourself, Mr. Keam? Mr. Keam. Sure. My name is Mark Keam. I am assistant chief counsel with the Office of Advocacy at the Small Business Administration. Mr. Glover. Jere Glover, chief counsel for Advocacy. Mr. Duggan. Marty Duggan, Small Business Exporters Association. Mr. DeBow. Charles DeBow, National Black Chamber of Commerce. Mr. Barton. Richard Barton with the Direct Marking Association and also the Association for Interactive Media and the Internet Alliance which is part of our group. Ms. Bahret. Mary Ellen Bahret with the National Federal of Independent Business. Mr. Dozier. Damon Dozier, Senate Small Business Committee minority staff. Mr. Conlon. Paul Conlon, Senate Small Business Committee. Abe Schneier. Abe Schneier representing the National Alliance of Sales Representatives Associations. Ms. Rivera. I am Maritza Rivera with the U.S. Hispanic Chamber of Commerce. Mr. Page. Matthew Page with the Small Business Legislative Council. Mr. Morrison. James Morrison with the National Association for the Self-Employed. Mr. Lane. Rick Lane with the U.S. Chamber of Commerce. Ms. Jacques. Veronica Jacques with the Direct Selling Association. Mr. Conlon. Before I open the discussion I just want to ask one quick question to Ms. Neptune. What advice would you give to another small business given the experience that you have had? Ms. Neptune. It is very difficult to say but Mr. Charney's remarks were right on key. I mean, every point that he made is a problem for small business. We were unique because we were an Internet service provider so our concerns would be different than a small business who is doing e-commerce over the net. I do believe that you have to get a very good systems administrator, and there are problems finding that. You have to invest in some firewall software, virus detection that automatically comes up on your computer every morning. It is not going to catch everything, but it does help. Changing your passwords and make sure your systems are behind firewalls and you turn those systems off. It is not going to protect you all of the time. He also made a very good point, technology changes every day and small business does not have the money to go out and do that. We can only do as much as we can. I would also say that small businesses should join trade associations where they can pool their resources and share the information. Mr. Dozier. I think it is probably appropriate at this point if a member of the forum here would like to be recognized, it is probably best if you turn your card up so that we can acknowledge you, and then we will try to get everyone's comments in turn. I think one of the comments that got the most head-shaking was the comment about regulation of the Internet which seems to be a very, very controversial issue. I think Mr. Lane wanted to say something about that, with Paul's permission. Mr. Conlon. Go ahead. Mr. Lane. Probably one of the most stifling aspects of the EU (European Union) is that they do charge a per minute charge for the Internet and it does stifle innovation and its use. We have seen it grow. So we would not support a permanent charge for the Internet, nor certain regulations of e-commerce. I am the co-chair for the policy committee for the Partnership for Critical Infrastructure Protection, and we are looking at a lot of the policy issues. Partnership for Critical Infrastructure Protection is a group of about over 120 corporations that are working together, trying to figure out a lot of the issues that we are discussing today. But some of the general consensus is that the Government should not mandate the level of security. Security changes too quickly. You just cannot keep up and say here is the standard, because as we know, security is a process and it is constantly changing and there is a cost associated with constantly trying to update to standards that are constantly changing. The marketplace does a pretty good job of doing that, such as web-hosting facilities where small businesses can sell or use a web-hosting facility to help protect their Internet. One of the things that small businesses and the Government should be working on is a sharing of information. We should look at FOIA (Freedom of Information Act), so businesses can share information with one another. We should also look at increasing punishments for those who are hacking. We should make sure that we are not putting liabilities on small businesses, because they already face liabilities. I think Ms. Neptune hit the nail right on the head. Her cost of her business, it was just decimated. So to add on top of that, additional liability to small businesses when they do get broken into would just be ridiculous, because they already pay a heavy, heavy price as we see things moving forward. Security is a process and we need to ensure that we are educating our employees. Most of the trouble does not come from the outside; most of the trouble comes from employees from within who are stealing that information. One of the other things that we need to look at that is being discussed a lot here in Washington, is access to personal information. The problem with that is if you allow easy access to my information on a web site, that means you make it easier for everybody else to access that information. So we need to be very careful when we are talking about access, and you hear about that a lot, that we think we are not, in fact, compromising security, when actually we are. Mr. Conlon. Would anyone else like to add something to that? Mr. Duggan? Mr. Duggan. I think that the things that you talked about were all preventive type things that corporations could do, and I think that that is each corporation's responsibility. They should have due diligence in everything that they are doing. I think that from the standpoint of the hackers, the people who are abusing the system and taking advantage of the system, is that I would think there needs to be, if there is not already, Federal legislation where you have got uniform or mandatory sentences where people know that there is a price to pay--that they cannot go in there and wreak havoc on somebody's business, and to the cost to a small company of a half a million dollars, and for others maybe in the billions by the time they get through, that there is going to be one hell of a price to pay. I think the deterrence has to be part of the education which was mentioned earlier. You let hackers know that there is going to be one big price that they are going to have to pay for doing what they do. Mr. Charney. Can I respond to that comment? The U.S. Sentencing Guidelines do, of course, have penalties for computer crime. And if you are convicted under 18 USC 1030(a)4, the fraud provisions, or (a)5, the damage provisions, there is a mandatory sentence. The difficulty is twofold. First, in the case that we heard about, the defendant was not in the United States. A country may not extradite their own nationals and you cannot impose U.S. law on foreign countries. So the international cases are tough. Second, the real deterrence is more the certainty of getting caught rather than the actual sentence you will receive. Because defendants do not sit back and say, ``I think I will do this because I will only get 3 months as opposed to 6.'' What they worry about is, ``Am I going to get caught in the first instance?'' If you look at the clearance rate for computer crimes, that is the number of computer crimes solved in the hacker environment, it is incredibly low. Homicides run from 70 to 90 percent. Hacker cases are very, very low. The reasons for that are many, but the bottom line is the Internet allows for a large degree of anonymity, global reach, and there is no traceability. When someone is victimized, you now need evidence to find the source? In the United States, due to market forces and privacy concerns, providers do not keep data. In Europe, you have the European data directives and telecom directives, and they are not allowed to keep data. Which means there is no way to do a historical investigation and there is no way to catch anybody. So if you really want to look at the fundamental problem, about why people are not deterred, you have to look at the clearance rates and ask, ``Why is the Government not finding more people?'' That is not a criticism of the Government, because I was there up until 4 months ago and did this for 9 years. The technology does not support finding people. For some reasons that is good, if you are exercising first amendment rights and shopping, that is fine. But bad guys are not held accountable. That is a problem and it is going to be here for a while because of the competing interests. You just cannot have traceability on the Internet. It raises too many technical concerns, Government mandate concerns, and privacy concerns. Mr. Lane. There is also the Digital Millennium Copyright Act that is out there, as well, which makes it both a civil and criminal crime to circumvent what is known as a copy control technology. So if you bypass somebody's password to get at copyrighted information--which you can argue most information is except for factual data--you can go after them both for civil and criminal penalties. We want to make sure that ``yes,'' there is no traceability, but we do not want to trample on civil liberties, because there is a fear factor out there. We need to make sure that we have a very balanced approach, so that way those individuals who do want to be anonymous, if you think about China, for example, where they are not anonymous and they can go after them, I do not think we want to have that type of oversight here in the United States. At the same time, I do not know what the answer is. I am not going to come up with a solution, but it is a very difficult balancing act and we just have to make sure we are not trampling on civil liberties here, as well. Mr. Duggan. I think what Mr. Charney said about the number of prosecutions, I think last year there were six. Certainly the abuse is a hell of a lot higher than that. Mr. Charney. Believe me, the Government has been throwing a lot of resources at this. I mean, Ms. Riley can talk about what the Secret Service has been doing, the growth at the FBI, the 10 National squads and NIPC agents in every office. It is a fundamental problem. Ms. Riley. I would like to point out too though, that the statistics may not exactly mirror the efforts on the part of law enforcement in prosecution. For example, in the investigation involving Ms. Neptune's company, that was centered around credit card fraud. So when you pull a hard statistic from the national criminal information databases, it is going to reflect a credit card fraud investigation rather than a hacking investigation. So a lot of times where the Internet was used and was certainly a tool of the criminal activity, the actual offense that is listed in all of these statistics that are commonly cited, may certainly be reflective of the actual hacking activity but another type of crime. We actually have gotten better sentencing, had this been in the United States for example, as was mentioned, this person was prosecuted in Germany. The good news is they did have computer crime laws that were applicable to the activity. That is not true in all countries. There are certain areas of the world where it is not a crime to do what they had done to Ms. Neptune's company. But the United States, many times in consultation with the prosecutors--we used to have these conversations with Mr. Charney on a regular basis--the question was how can we get the best sentencing? How can we most effectively prosecute this case? And which statute, whether it is hacking or another type of criminal activity or another criminal violation, best applies to the activity that is here. So I hate to hinge all of our prosecution investigative efforts in law enforcement based on statistics from only the computer crime statutes, because there are a lot of other violations that are charged that are really related to that activity. Mr. Lane. Remember, Al Capone was charged on tax evasion. Mr. Conlon. Mr. Glover. Mr. Glover. There are a couple of things that are fairly exciting about this. No. 1, it is an industry made almost entirely of small business alumni, 10 years ago everybody in this industry was small business. It is really interesting. We just did a study that 76 percent of all of the jobs created in the whole information industry area are still small business, so it is still a small business industry. But let me focus specifically on an area of fraud and crime that I think is going to become much more prevalent. We all know what is referred to as the toner cartridge scams that exist, where people call up and sell office supplies at multiple times what they were worth. There is going to be a whole other assault on truly the small business users, and that is going to be real interesting because they are huge problems that we are all dealing with. There is another level of crimes that are going to be out there, and that will shake the foundation of a lot of people who start getting burned by buying and finding out that the funds they send through the Internet get flipped four or five times and may well end up internationally somewhere they cannot follow them. So there is a much lower level of crime affecting individual purchasers one at a time. We spend a good bit of our time and resources in working with the SEC (Securities and Exchange Commission) and the FCC (Federal Communications Commission) and other agencies looking at making sure the general system works. But investor fraud, there are a whole bunch of areas where I think you are going to see a lot of things popping up very quickly. What I am afraid of is that the Government is going to be behind the learning curve and we are not going to react to these kinds of problems quickly enough, and we will see thousands of small businesses get burned on a one-on-one basis. Mr. Conlon. Ms. Riley, maybe you want to follow up a little bit on that, in relation to what law enforcement in the United States is doing to reach out to law enforcement in other countries? Ms. Riley. Sure. There are several initiatives underway involving United States law enforcement with our international counterparts to address the high-tech crime issues and the traceability options that we have, in working these investigations across borders. There are a great number of restrictions that we are faced with in trying to work internationally. And that works both ways. International law enforcement has those same restrictions in trying to trace criminal activity into the United States. What is happening in one form, for example, the G-8 countries have a high-tech subcommittee that has been dedicated to working through options for law enforcement to be able to follow investigative leads, investigative traffic across borders quickly. Our biggest problem in high-tech law enforcement is that the records that we need to successfully investigate a case are only there and available to us for a limited amount of time. So speed is definitely of the essence. Some of the work that is being done in this international forum is really geared toward expediting the political issues and the legislative judicial issues, in working through the international concerns that are there, and being able to work these cases through. Now I have to say one of the most effective things that we have had though, and was especially true in the case involving Ms. Neptune's company, was that we had agents already stationed in foreign countries. They already had a relationship established with the local law enforcement. So it was a case, in that particular instance, the German officials were able to open an investigation because of criminal activity that did occur in Germany and work through the case very, very quickly. The relationships that we had already established worked very much the same way if we were to go into another city within the United States and work with another law enforcement agency. So those partnerships were really key and we, as well as many other law enforcement agencies, intend to continue building those partnerships to be effective and quick at dealing with these types of investigations. From the time Ms. Neptune called us to the time the German student was identified was only about 9 days. That is how quick all of this worked through. And it had to work that fast, or we would not have had the records to trace. Ms. Neptune. It seemed a lot longer to me, Mary. But I would like to ask one question, now that I hear a lot of the concerns. Thinking back, I am very surprised, like what would I have done if it was not credit card and my corporate attorney--and I could afford a high-priced corporate attorney, some small businesses cannot--what would I have done? Because I would have had the threat, even if I sent the $30,000, I would have had the threat of this gentleman always coming back for more and more money. So what would another small business do in that instance? Even now, where do they go? Local law enforcement? Mr. Lane. That is one of the biggest problems. The Critical Partnership is looking at that, because when you get robbed in a small business you always go to your local police. And then if it is credit card fraud or something, you may go to the State level and then finally to the Federal level. It is a similar type of process that you do go through. But for you, you were in 1996, so the computer security bill that we were just talking about was not enacted until I think 1998. And so now you can go to the Federal FBI and others, to have them come and try to take a look at this. Ms. Neptune. But would small business know that? It is very intimidating to say I think I will call up the FBI. Mr. Lane. That is one of the things that the United States Chamber is doing. We are actually holding a network security conference on March 23 to talk about network security, where we will be web casting it, having our local chambers tying into that. There is a whole host of education. The Small Business Administration is having small business week during, what is the week of that? Mr. Glover. May 24. Mr. Lane. So part of their effort is to educate. So education of small businesses, as Senator Burns was talking about when we were talking about DSL and cable modems, most individuals--and my brother is one--did not realize the threat that he has a cable modem, and the impact. When I called him and said you realize all your financial information that is on that computer when you are doing taxes and Intuit and all the other fun stuff is compromised. And he did not know that. So it is part of a massive education that we could partner with the Government, with the Small Business Administration, and other groups around this table to be in a massive education effort, just as we are trying to do on the privacy issue, as well. Ms. Neptune. I do have one other question for the Small Business Administration. Is there a possibility that, just as you offered special loans for equipment that was necessary for Y2K, which nobody knew about when I called the SBA I might add, is there a possibility that you could offer some guidance and some loans for people, with some guidance on what they need to purchase for better security systems? Mr. Glover. One of the interesting things when we talk to bankers, and we do most of our lending through bankers, we find that financing businesses in the information technology area is new for bankers and it is certainly new for everybody in the Small Business Administration. Historically, our lending patterns were based on brick-and-mortar and we are trying very hard to change that. The Congress gave us special authority in Y2K to make those kinds of loans. I think it has done some good, to make sure that we learn a lot more about the people who need the money the most to grow in the new technology. But there still is a significant amount of resistance in banks about lending to information technology companies. They simply, all too often, are forced to go get venture capital or fail because nobody else understands the industry. Ms. Neptune. Because they want you to be in business 2 years and be profitable for a year. So it is very difficult to go to banking. Mr. Glover. The life cycle of an awful lot of technologies today is so short that by the time you meet traditional standards it is too late. Mr. Conlon. Can I just throw the previous issue back to Mr. Charney and Ms. Riley? Who does small business call? Mr. Charney. I want to go back to the issue of division of resources between Federal, State and local because it raises some very serious issues. Originally, the Federal Government got involved in CyberCrime in a big way because there were a couple of incidents, like getting hacked by the KGB, which required the Government to mobilize and become quickly knowledgeable. Because so many cases were interstate or international in nature, the Federal Government had a huge role to play. But as the technology has simply exploded and you have more and more of this criminal activity, there is an increasing burden because the Federal Government cannot do it all. So the State and locals have to pull up and do some of this stuff. There are programs underway, like the National CyberCrime Training Partnership which is a DOJ/State/local venture, to train State and local law enforcement. The difficulty is in large cities where they can dedicate some people to computer crime work, like New York and Los Angeles. In smaller towns it is much, much harder to do that because the resources are not there. The difficulty is not just the amount of expertise needed to do these cases, which requires a lot of training, but also the budget implications of developing a CyberCrime unit in practice. I was a local prosecutor in Bronx County for 7 years in New York City. And when police officers came out of the police academy, they were given a gun, a memo pad, and a flashlight. Twenty years later they turn those three things in, they still had them. They change bullets and paper and batteries, and that was it. Now you go to the CyberCrime area and you go into a town, because we do a lot of roving training, and we go out and say ``OK, you are going to need to buy all of this computer equipment and all of this training so you can do CyberCrimes''. And they look at that as a percentage of your law enforcement budget and they panic. Then you hit them with the best thing, which is 2 years from now you are going to have to buy it all again, because it is all obsolete and you have got to start over. The way the budgeting for this matter works has made it difficult for the Federal Government to keep up. The burden on State and locals is phenomenal in law enforcement, and the Congress is really going to have to rethink how to fund State and local initiatives on CyberCrime. If you do not do that, they are not going to have the resources, it is not going to happen. The burden is going to fall completely on the Feds, the Feds are not going to be able to do all the cases that come in the door, and the system is going to collapse. Mr. Conlon. Ms. Riley, if I am a small business and I have been the victim of some form of computer crime, I am not certain exactly what the details are, who do I call? What do I do? Ms. Riley. There are a couple of issues there. First of all, Mr. Charney is absolutely right. There is no way the Federal law enforcement can take every case that is out there. But in that vein, it is also incumbent upon us, with the experience that we have been able to build up over the last 15 years of working these cases, to train our local law enforcement counterparts to be able to respond to some of these investigations, as well. To answer your question quickly, though, if you were the victim of a crime like this, call your State, local or Federal law enforcement agency. Picking up the phone and calling cold is OK, too. We get calls like that on a routine basis. If it is not the right place to call, if you have not called the right agency, who has the right expertise for your type of investigation, we make common referrals. In fact, what is very common for us, if we know that a particular case does not meet a prosecutive threshold--and that happens and especially in some of the larger cities--if the case does not have a certain degree of loss associated with it or there is another prosecutive threshold that we are unable to meet on the Federal side, we do not want the case just to go away and the person to get away with it because of these thresholds. We will call our local counterparts and either work a joint investigation with them if they need our expertise or work with them through the investigation until they are comfortable taking that over. There are some phenomenal CyberCrime units within a lot of State and local police departments. They are intent on increasing their technology and increasing their ability in these CyberCrimes. One example of an initiative like this was conducted between our agency and the International Association of Chiefs of Police. They were concerned that State and local law enforcement at every level did not have the expertise to be able to appropriately seize computer evidence, whether they saw it in a traffic stop or they ran into it in connection with a homicide investigation or some other non-traditional CyberCrime, they did not want them ignoring that evidence, that was very important, just because of a lack of training. They requested that we work together in an initiative to put a quick guide together that could be distributed to all law enforcement; it was written at a level all law enforcement could understand. That is not to say that only State and local needed it. We needed it at the Federal level, as well. What they came up with was this guide that has been distributed now, we have distributed nearly 100,000 of these to State, local, and Federal law enforcement, that quickly identifies high-tech evidence and how to safely seize that evidence without losing any integrity of that evidence. That is only the first step, but this was done as a concerted effort between State and local law enforcement agencies ranging in size from the Lubbock, Texas police department all the way up to the New York City police department. Every size department was involved in the development of this, was given the opportunity to provide comment and ensure that it was applicable to everyone involved in the initiative. It was very effective. It is something that we have to continue to make sure that we are all dealing with these cases at the same level and sharing our experience and our training initiatives as much as we possibly can. [The guide follows:] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] Mr. Schneier. You can hardly go to a hotel, even a Holiday Inn, these days without having access for your computer. Many of the members that I represent here spend most of their time on the road, traveling, and they are increasingly using their computers from these remote locations. Do they face any greater level of risk because they are working from these remote locations and maybe dealing with a local network out of their personal residences or out of some other location? Mr. Farnsworth. Generally speaking, folks who move around like that and log in from remote locations are issued a new network address each time they log in, which makes them significantly less vulnerable, I would say. However, the fact that they are logging into a central location makes that central location more vulnerable because it has to be set up in order to accept communication calls. So there is a double-edged sword there. Certainly, take protections on the individual laptops to make sure that if they are compromised electronically, lost, or stolen, that the information that they contain is protected. Local cryptography programs can help you with that. Virtual private networking tools can assist with that. But more importantly, look at the site to which they are dialing and make sure that you have a strong authentication mechanism in place to make sure that the connections coming in are, in fact, from legitimate users. Mr. Lane. A lot of businesses for the sales reps that are out there are buying the high-speed modems because they are transferring a lot of information, which gets back to: Are they leaving them on all the time? So all of the sudden, that information becomes critical because what they do is they dial into your system and then they are able to get all that information and then dial back to the central server with all the information intact. You then totally compromise the site, no matter what you have done at the central site to begin with. So you need to, again, educate those individuals that if they have open lines all the time, they should close them down. The businesses that are supplying them with the technology should have the firewalls in place, both in the laptops and in the system. Mr. Charney. I would like to point out, your question reveals how difficult this is, particularly for small businesses. It is absolutely true, if you have got a lot of mobile people with laptops you want to protect their data. But you can educate your users so if one of your users said, ``I really want to protect my data in case my laptop is stolen from the hotel. So I am going to encrypt all my data.'' This is a good thing to do. Then he goes out, he follows 20 sales leads, gets lots of information, he encrypts all that data in case his laptop is stolen, and then he gets hit by a bus. The laptop is given back to the company, and they cannot get any of the data because he encrypted it. Therefore, if you are going to use encryption, now you have to think about key recovery. What kind of encryption are you going to use that if the employee either goes bad or just has some sort of accident and is unavailable, the company can gets its data back? That is part of the problem, none of this stuff is simple. And for small businesses, it is very hard to find people who would think: We need an encryption scheme with key recovery so the company can be protected, and then we have to implement it, educate users, and manage the keys. It is not easy. Mr. Schneier. I was feeling better there for a moment. Mr. Dozier. Mr. Charney, then in light of your comments, what do we do to protect consumer confidence? I do not necessarily mean just consumers purchasing from small businesses, but small businesses also purchasing from their suppliers. From what we have heard today, the rate of incidents are going up. From what we have heard today, there is an overlap of enforcement mechanisms. From what we have heard today there is not really a one-stop shop, in terms of going to one place to make a complaint or to say that your system has been compromised in some sort of way. The Internet is a lot like the dollar bill. There is nothing behind it, we just have confidence in it because people say it is worth something. So what do we do, and what do the representatives around the table do to protect that consumer confidence in the Internet? To say that this is a safe place to shop, this is a safe place to purchase, this is a safe place to transact? Mr. Charney. I think there are two things, there is reality and perception, and both are important. On the reality side, I think small businesses, through their associations, need to continue their dialogue with vendors about how to have security built into products that are easy to implement. So, when you look at browsers today that use secure socket layer, for example, if you build that stuff into the products and consumers can use their credit card on the Internet, it will be encrypted from their home machine to the merchant, and that works seamlessly. Because it is deployed in the product, it is very cheap and it is spread out over the whole group. So there are some real basic security things that can be done by the vendors. The perception is a separate problem. People will not use the Internet if they perceive it is not secure, even if it is secure. Mr. Dozier. The Committee has held a lot of forums and we have heard from small businesses that said they are terrified of the Internet. We have seen a lot of fraud schemes and I think we investigated that at one time. We also talked about barriers, in terms of people wanting to get on the Internet and transact, whether that be importing or exporting to other countries. So we are very concerned about basically how safe it is. Mr. Farnsworth. Let me just speak to that very quickly. The chart that shows the number of incidents spiking there is a very frightening chart. But if you overlay that with the chart that shows the overall growth of the Internet, your perception changes. Mr. Dozier. So the percentages are actually down? Mr. Charney. No, level. Mr. Farnsworth. And the thing is, despite personal occurrences and the traumatization that they cause, it is statistically very improbable that someone will be attacked on the Internet. I also want to point out, while we talk about law enforcement efforts and the efforts to get information to people about who to go to, many of our educational efforts in the past that dealt with traditional crime in brick-and-mortar institutions dealt with educational programs to say leave a light on, trim the bushes back away from the windows, get an alarm that is centrally monitored. These are all good ideas in cyberspace, as well. The idea here is not that if you are turning the light on and locking the door and trimming the bushes back and a burglar comes down the street, your intent is not to cause that person to look inside themselves and say. ``I do not want to be a burglar anymore.'' Your intent is for them to say, ``Oh, this guy has got a dog, the house is lit up, there is a sign from an alarm company. I am going to go around the block and see if there is an easier target.'' Small businesses, if they stay in the herd, implement best practices, and take a responsible approach to Internet security, can be safe as a herd. It is when you overlook these things that you become statistically more prone to these types of attacks. Mr. Charney. We have to remind consumers that the physical world is a dangerous place, too. They may get carjacked or have a car accident and they do not give up their car. When consumers say they do not want to use their credit card on the Internet, what we used to say to them is, ``Well, do you give it to the waiter in the restaurant?'' What does he do? He goes in the back with it. OK, so what is your concern? I mean part of it is really an educational problem. Ms. Neptune. Is it not also true that most of the credit card crime is not from them sending it to buy things, but where all of the credit cards are stored? So even if you called up and gave them your credit card, they would be under the same amount of risk. So it is really not sending it. Mr. Farnsworth. That is right. The actual transmission of the card data, whether it is encrypted or not, the odds of intercepting that particular transmission, putting the numbers in order, and getting useful information from that is just infinitesimal, given the volume of traffic that is going over the electronic media every day. Mr. Morrison. It seems to me, from what I know of this, that some of this problem is rooted in the genesis of the Internet as a way mostly for universities to communicate to one another. The notion of commerce going over the Internet was not even really thought of as part of the picture, when the system was created. We are now hearing about a successor network and, maybe in 2003 or something, Internet II. Is it possible to engineer better security into a successor network? And what might we look forward to in that respect? Mr. Farnsworth. Absolutely. Actually, a lot of the work that is going into the next generation Internet protocol is being retrofitted into our existing infrastructure today, and concepts that include digital authentication or certification of users and encryption or authentication of traffic actually had been developed for deployment in the next generation infrastructure and is being employed in today's networks. Your comment about the size, when the Internet was designed we were talking about tens of hosts and communicating largely between military and educational facilities. Today we have, I believe, over 40 million hosts connected to the Internet. So the foundation which was built to facilitate open communication is being stressed severely in that space. What we have seen is a large amount of entrepreneurial spirit on the part of small businesses to come up with products like firewalls, which are extremely useful in this space. Those companies, there are several that I can think of right off the top of my head, who have been wildly successful at deploying that technology. I think that is going to continue. It will be innovators and small organizations that are very bright and can evolve these products who will fill the need until the next generation infrastructure can be deployed. I think it is also important to point out that whatever we deploy for the next generation infrastructure will probably have an equally long lifetime. So making sure that that infrastructure supports sophisticated security mechanisms as an integral part of its evolution is important. Ms. Riley. I think from the law enforcement perspective, and having chased some of the activity around, I have to emphasize, too, though the consistency and the completeness of that type of security. While the network and certain offerings can certainly add more security features and allow for more consistency between the users of the Internet, if the entire security package is not reviewed, the holes are still going to be there. I think, Mr. Lane, you made the point that it is a process. If you have all of the security and all the encryption built into your computer, but you forgot to lock the front door on your way out, the vulnerability remains. So the emphasis has to be placed on the issue that we need to be consistent in the types of security mechanisms that are being deployed, so if one place plugs the hole and the other one leaves it open, we are not gaining anything there. And that those that are deploying security are looking at it as a complete issue and not focused only on the network, but on all the components of security associated with their business. Mr. Page. Mr. Charney, you mentioned earlier in your testimony that there is what you called a lack of talent, or that there is a drain in talent? Do you have a proposal or suggestion to the panel here, to the Small Business Committee, or even the Small Business Administration that would help assist small businesses that are starting to wade into the Internet who are using the Internet commerce as a means of educating their staff or whoever is in that small business, and it may even be a part-time employee, who all of a sudden takes on the systems administration responsibilities. What can we be doing to better educate these employees who ultimately hold the keys to security to the business? Mr. Charney. There are a couple of things that both businesses can do and that the Governments have to do. On the business level the problem is one of cost. In the early years, when I started doing computer crime, you found that many system administrators were secretaries who were really good at word processing. When it came time for someone to manage the network they said, ``You are really good with your computer, you are now the systems administrator.'' And she would say, ``That is great. What is that?'' Then when you talked about doing it right it meant OK, you have to start taking training courses. You may have computer literacy and you are not computer phobic, but you need to go take courses. There are lots of them by lots of organizations. You can take courses from the CERT team at Carnegie Mellon on how to do emergency response and set up a computer emergency response team within a company. The difficulty is for a small company that is a large resource drain. You are going to take someone and give them 80 hours of training at the start. Then because the technology changes, like in my company, constant training is required. Every year people have to go back and back and back. Windows 2000 is out. OK, time to go get Windows 2000 training. So it is very, very difficult for a small business to say, ``Not only are we going to tell you that you are the systems administrator, but at the same time we are going to allow you all this funding to take training and the time to take the training,'' which means that employee is out-of-pocket. But companies do need to do that. The second thing is we have to increase the supply of technically literate people. There are some proposals to do that now. For example, the Government is looking at an ROTC- like program for systems administrators. The Government will pay for your education if you get your degree in computer security, and then devote 4 years to computer security. That is just one example. But the supply/demand ratio is way out of whack. That not only means you cannot find talent, but what talent is there is very, very highly priced talent. So it is very hard for smaller companies to grab that talent. Mr. Farnsworth. Along with that, what we have seen is a redeployment of that talent. It used to be that the folks who knew what they were doing with security would not only set the policy, but would be responsible for implementing and managing that policy, to the point where they would be behind the keyboard making rules changes to firewalls and access control on the infrastructure. What we are seeing now is a redeployment of talent and a new generation of products. For example, products that Cisco has brought to market that allow the network management people who are already doing things like the telecom and links management to actually take the steps to enforce policy. And the people who are aware of information security technologies become sort of the mentors and the policy setters who state what needs to be done and the dates by which it needs to be done. So what we are seeing is that the centralization of these resources, and the people who know what they are doing, moving to more strategic roles within organizations. Mr. Charney. And somewhat of an automation of the process, as well. I have a client, for example, who can have his servers reach out to a main server and give a little command. Then the main server will attack the servers and do attack and penetration and check settings and do all this stuff in an automated way. It is not foolproof by a long shot. The technology is a bit too complex to automate the whole process. There needs to be some intuitive human intervention. But you will see more automation, I think, of security to take it out of the hands of the people. Ms. Neptune. That would help, because even if you train people and you give them all that, you know in a year you are going to lose them because they are going to get a fantastic offer from somebody else. Mr. Lane. This ties in to a more controversial issue which is the whole H1-B visa issue. I mean, if you lift the caps of H1-Bs and you allow technically literate people to come into the United States, it helps fill some of the gaps that are out there. So it is very important for small businesses to support the lifting of the caps on the H1-B visas. In addition, technology does provide security. There is a new company out there that has developed, for lack of a better system, a credit card system that is the size of a credit card but fits on your CD-ROM. What it does is it sends encrypted information to the business with your account information, but the business does not collect that information. What the business does is it forwards it to the bank and the bank decrypts it and then wire transfers the money back to the small business or the large business, depending on the clientele. So that way, the issue of security of credit cards is not compromised because it is at the host which would be the bank, which supposedly would have the best encryption and the best security mechanisms and serve the small businesses, without having the liability of holding these credit card numbers on their site. So technology again is working to try to help small businesses. Mr. Dozier. What type of internal controls are available to a small business, or a large business for that matter? I mean in the context of let us say you have a disgruntled employee or something, who then could take the password and sell it at a profit, or just corrupt the system because they are having a bad day. In my thinking, that is a form of crime as well. So what can a business do to sort of protect its assets internally, as well as externally? Mr. Conlon. Can I just jump in and say something on that? In a prior life, before coming up here, I worked for a technology company where we used to see people attempting to get at the accounting servers in the company on a daily basis. It never ceased to amaze me. This is related to Damon's question, the insider angle. You know, threat from inside. Mr. Charney. Mr. Charney. Clearly, the insider threat is larger than the outsider threat. That is absolutely true. The reason for that is you have given insiders access to your systems, so they do not have to break in. There are reasons the outsider threat gets more attention, and we can talk about that later. But there are internal controls in businesses that have been used in the paper world that also work in the technical world. Basically what you need to do is a combination of personnel security, physical security, and IT security. And you need to monitor systems for anomalous transactions. You cannot necessarily stop a secretary or an employee from giving their password to a bad guy, but you can require that passwords be changed regularly and you can monitor the use of the password. So for example, if you see that someone is dialing in and using this password and the employee is also logged on internally with this password, you know instantly you have a problem. Mr. Dozier. But is that not sort of crossing the line, in terms of the privacy issue we raised before? I mean, I understand that there are certain keystroke programs that you have where you can watch every key stroke. But do you not get into a situation where you are having very, very aggressive oversight of your employees, if you are watching every step that they take? Mr. Charney. First of all, it depends on what you are watching. I think most employees expect that businesses will keep logs of who signs on and that their user names and passwords are valid. Those do not raise the same kind of privacy concerns as, for examples, reading employees' e-mails, especially when you have told employees that short personal messages are OK and you reserve the right to read them. Now under Federal law, the Electronic Communications Privacy Act, in fact, companies can read electronic mail. It does not violate the wiretape statute. Although some employees have sued for invasion of privacy in State courts, they have generally lost those suits and the courts have held that businesses do have a right to protect their business interests by monitoring the activities of employees on their own network. It is more complicated for businesses that are offering services to the public because monitoring of public activities, and particularly things like chat rooms where you have huge first amendment interests, obviously raise a different level of concern than it does when you tell employees--and I wrote the Justice Department monitoring policy for the criminal division--when you tell employees, ``Look, we have an obligation to make sure that Government equipment is used for Government purposes and we reserve the right to watch what is happening on our networks.'' Most employees are fine with that. The key is notification and education so they do not feel they are being surreptitiously monitored, which creates a ton of bad morale. Mr. Schneier. Ms. Neptune, you mentioned in your presentation that your insurance carrier was helpful to you. Was this coverage part of your normal liability package? Or was this something that you had to buy in addition? And is it something that most small business owners should be looking at? Ms. Neptune. We had a very extensive insurance policy. You know, with the Internet now, every year there was a new policy you had to do. Computer fraud, copyright, patent right, because I had a site service. It was very expensive, but I happened to purchase business-income loss, which as we all know is a very expensive policy. If I did not have that, I would not have gotten any reimbursement. Mr. Schneier. But was it an additional rider that you had to get? Ms. Neptune. Yes, it was because it is not covered under normal theft. It is specifically for loss of business income. It kicks in based on how much you want to pay. Do you want it to kick in in 10 hours, 24 hours, a certain level or whatever? And these are very expensive. I might also add, we were cancelled the next year, of course, from the insurance carrier. Now go find it from somebody else. So it has a rolling effect. Mr. Conlon. Mr. Farnsworth and Mr. Charney, I will direct this one to both of you. How much does all of this cost? There are a lot of incidents going on, some of them are reported, a lot of them are not. Is there any kind of ballpark figure of how much this costs the business world? Mr. Farnsworth. There is a wide range of solutions with a wide range of costs. What we have found is that it is very much, as we just heard about the insurance industry, folks are more likely to spend more money if they have been victimized than if they have not been. Small businesses can subscribe to services from service providers who take advantages of economies of scale to provide secure web hosting, secure content hosting services at a reasonably low cost. Businesses who are engaged in controversial business practices, if you make baby harp seal fur coats, for example, there is some segment of the population that might take exception to that, thus raising your visibility and your vulnerability. Those folks will necessarily have to spend more money in order to protect their resources. You can get something as simple as a personal firewall software package for $20 to $30 and download it over the Internet. You can go as high as hundreds of thousands of dollars to provide state-of-the-art high-capacity firewalling with intrusion detection and centralized-monitoring services. It is a risk assessment and risk vulnerability issue, though. Mr. Charney. If you are talking about the cost of computer crime generally, several years ago I started looking at the public literature. The public literature ranged from computer crime is costing businesses $50 million a year to $5 billion a year, which basically tells you that no one has a clue. I mean, you can discount the high-end one as lunacy. But if you look at the CSI surveys, they try and quantify the cost. But if you remember that most computer crime is not detected nor reported, it is really hard to get an accurate figure. Mr. Conlon. We included the computer security study in the packets we distributed. A question for Agent Riley. Mr. Charney, in his testimony, talked about the kind of impact on, I believe it was a bank, that had suffered a computer crime when you have to go public with this. And the same kind of issue with Ms. Neptune, with reduced consumer confidence. How much of a challenge is this to law enforcement? And what has law enforcement been doing to kind of get over the issue of consumer confidence and confidentiality. Ms. Riley. That is a good question. As I pointed out earlier, when we train agents to work CyberCrime, we train them not only in the technical aspects of how to follow the leads and how to work through to an investigation, but we also focus very heavily on the impact of any publicity and any actions by law enforcement, and how that will affect the victim after we come into the scene. I cannot emphasize enough that all of the work that was done on the investigation that was described for you this morning was done in partnership. I think Ms. Neptune will certainly agree that everything that was done associated with that case was discussed at great length with both the law enforcement representatives, the Secret Service agents from the local Miami field office, along with the company, so that we could explore any actions that we might take and the resulting impact that is there. I cannot emphasize those partnerships enough, before, during, and after the investigation. As far as publicity goes, within our own agency we have a very strict policy, which is that no press releases are put out about any investigations by our agency. Rather, that is done by the United States Attorney and the prosecutor's office. At times there is a careful balance that is weighed there. At certain times, the publicity associated with the case may more importantly come from the Government or the prosecutor and put the perspective on the case and the way that it was worked out rather than a defense attorney, for example. So publicity is not always bad. It also serves as a deterrent factor, to put the word out that you can be caught when you do these types of investigations. But again, as was done in the Boston case, where the telephone companies were heavily victimized, they actually participated in the press release. The message that they wanted to get across as a victim was that we are not going to tolerate this type of activity. So I think there is good and bad associated with the type of activity we have to do in releasing information about an investigation, but it is very important that we consider the partnerships with the victim and with the other affected industry members when trying to weigh how to release information about an investigation. Mr. Conlon. If there were a single message from law enforcement to the participants around the table here, what would that be? Something that they can take back to the members of their associations. Ms. Riley. I actually would have to support the comments made by several of my colleagues here on the panel, which is share information. The prevention is really a key. Preventing this type of activity by sharing information, we are happy to do that from the law enforcement perspective, especially with trade associations. Ms. Neptune made a great point, the trade associations give us a mechanism in law enforcement to share that hindsight with larger segments of industry and try to effectively help in the prevention techniques. The types of techniques or the tips that were provided by Mr. Farnsworth today, for example, we absolutely support the initiatives underway within industry to prevent these types of crimes. But when they do occur, we have got to learn from those. And we are committed, in law enforcement, to help industry do that. Mr. Conlon. I believe Senator Bond will be returning in a few minutes so I guess we will take the opportunity to wrap up. Mr. Lane has a comment? Mr. Lane. Consumer confidence is critical to small businesses when you are getting onto the web as a small business. I have started my own software company. It is four guys sitting around a table deciding to come up with a product. The best thing to do is try to get eyes to your sight or get consumer confidence in the product that you are developing. But what is really hurting us right now is, I hate to say it, but the press focusing on a small amount of cases. Even the title of this forum, ``CyberCrime: Can Small Business Protect Itself?'' sends out a message that my god, I better not go to the small businesses. I better go to the Amazon.coms of the world who are, in fact, being attacked. We have to make sure that we are not sending out a message of fear that inhibits the ability of the Internet to grow. Just like any business, consumers go into places where they feel comfortable. They go into the stores where they feel comfortable. Small businesses have to work to build up consumer confidence, but it does not help when we have a fear factor for either political reasons and we say, ``Oh my gosh, we need to do something and vote for me next November,'' or something else. We need to make sure that we are providing quality information out there, which gets back to the other issue of sharing information. On the Y2K example, the Y2K liability was a perfect example for businesses to share. There were a lot of antitrust issues that businesses could not talk to one another and share information about because of antitrust concerns. What do we do about that? How can we allow the sharing of information? Then on the association side, if we put out information and it is inaccurate, are we now liable? Again, the Y2K liability and the legislation on the Y2K sharing of information took care of that. But we need to look at this as a whole because right now we are not going to put anything up on our site that makes us liable. We cannot ask our businesses to talk to one another and say you are not going to be slammed by an antitrust suit. So we need to look at all this, plus the FOIA information that is out there, as well. Mr. Burton. I just want to take a minute just to completely underline what you said from the viewpoint of direct marketing, not only in terms of liability which is something of very great concern to us that we want to try to work around it, but probably more than almost any type of business, direct marketing depends on consumer confidence. We have, since the beginning of the Sears Roebuck catalog, had to depend on arms- length transactions where you do not know the people you are dealing with and you have to trust the process. So we have had a lot of experience before the Internet even came in trying to create a trust process. It is totally and absolutely critical that we have a process we can trust. I agree, though I do not like to attack the media in any way, I agree that I think that from a consumer perspective the problem has been overdramatized. In other words, I feel perfectly safe, much safer conducting business on the Net with companies that I know or at least can trust, than I do giving it to a restaurant. In fact, I have had my identity stolen twice. Once it went all the way to Paris. In both of those cases it was because of a waiter in a restaurant. I have never been to Paris, but my credit card has been there. So I just want to underline that I think that forums like this are very, very important. We, of course, commit ourselves, to working with law enforcement officials and people who provide security on the Net, so that we can be sure that we have this consumer confidence. Because the wave of the future is going to be buying on the Net. Mr. DeBow. I concur that there are a lot of positive things that we can compliment, particularly law enforcement and all the different organizations that are working hard to try and keep pace. But one of the things that I feel we would be remiss if we did not consider is that there is a tremendous marketing assault to get those people which may have been considered to be technologically phobic, or, for whatever reason not accessible to the Internet, to come to the Internet. I think when you look at these major corporations that are practically giving away computers to their employees, you have got products now that are designed in the $100 price range to be particularly directed towards the Internet. There are a lot of things which we can anticipate which would probably be somewhat of a repetition of things we have already identified. There are areas that need to be prepared for and anticipated including an exchange of information or some type of educational process. One of the things that, in our particular organization, which is the National Black Chamber of Commerce, which we are being questioned about and are confronting is a reverse side of the caveat emptor aspect of the card services providers--in that when there is a dispute or something that is questionable, where the consumer wants to challenge the charge on the credit card, those companies traditionally immediately either freeze those funds that are in that merchant's account, or they are immediately removed. There are basically, I think, two major companies that are providing that service. They go about the judicious process of determining whether it is a valid dispute, or perhaps maybe the consumer did use the product and just chose not to want to keep it or whatever. The education and information to other small businesses, which probably is going to be an ever increasing density of the existence of those businesses as well as these type of circumstances where they do, in fact, feel somewhat defenseless in their ability to protect the sale because they have, in fact, shipped the goods or provided the services. It is gone from their inventory. It is gone from their business. And now the funds and the reciprocal for that are in question. So with that in mind, is there a place: (1) where we can go and see some type of statistics on consumer satisfaction or dissatisfaction with these particular companies? And (2) what do you do if you feel you have been unjustly dealt in one of those circumstances? I would just throw that out to anybody. Mr. Lane. The problem with online transactions is that the company is responsible. It is not reimbursed by Visa or Mastercard or American Express, the $50 limit. The business itself, because it is unsigned, eats that cost. So there is a huge incentive to try to make sure that that is a valid transaction. That is the way it is for a phone call, anything where there is not an underlying signature of a transaction. So there is a huge concern for small businesses. We heard last year from a small business that sold lobsters from Maine. The problem with that is you cannot return the product. It is either eaten or it has been dead for too long and you cannot resell it. They were estimating almost 30 percent of their sales were in conflict, people saying we did not receive it or saying that we did not like it or trying to dispute it. The company had to eat those costs. So it is a huge risk to businesses. I do not know what the underlying answer is, but it is real. Chairman Bond. That is something we are going to work on. I know we have reached the hour we said that we were going to close. First, I want to express my sincere thanks to all of you for participating today. Obviously, this is a question of great import- ance, not just for small business but for everybody involved in e-Commerce. I want to offer a special thanks to the panelists for joining us, for providing what my staff tells me has been very interesting and informative testimony. We have had some great insights into what the real life problems are. There is no question that Government can provide a lot of information that will be of assistance to the small business community. I think that is something that we need to explore and we will continue to work on that. But there is one question, I guess, that has kind of floated around without an answer and I have a suggestion that I am going to propose. What does a small business do when they have been hit? Who do you call? What is the 911 if you find out there has been a problem? Obviously, Ms. Neptune was able to get in touch with the Secret Service. I propose to write to FBI Director Louis Freeh to ask him to ensure that the National Infrastructure Protection Center undertakes outreach initiatives to the small business associations around this table and to small business generally, to Government-funded business development programs, to Small Business Development Centers, the Business Information Centers, and the Service Corps of Retired Executives who were unable to join us today. I will be writing to Attorney General Janet Reno to request that a toll-free number be set up to provide a single point of contact for small business consumers and others to report computer crimes and computer security issues related to law enforcement. We have seen a similar system in the FTC with the toll-free number, 1-877-FTC-HELP, which I think has provided small businesses with good access to information, and given business owners a place to go. I think that given the overlapping jurisdictions of the various law enforcement organizations, it is important that some centralized entity provide a common point of contact for small businesses and others to reach law enforcement organizations. We will work with you and would like your comments and suggestions on that. Obviously, this is a subject which we have just begun to discuss. We intend to continue to work with it, Paul and Damon and our Committee Members' staffs here, along with you as we determine how best we can deal with the problem. As we can see, the problem is rising. As Mr. Charney said, it may be rising a whole lot faster than we even know. I think that the time has come, if not even past, for us to be serious about providing some comprehensive assistance. I know the private sector, Mr. Farnsworth and others, are working to assure that we have the technology and the equipment. We do not want to do anything that would interfere with the ability of the industry and all the related organizations to develop appropriate response mechanisms. That is where we need your guidance. How can you all handle it best through technology? To the extent that there is Government assistance needed, we would like your advice and counsel on that. You have given us a lot of good ideas to follow up. Again, my sincere thanks to all of you for joining us today, for discussing what is emerging as a very serious problem, particularly for a lot of small businesses who may not realize that they are at risk. As always, you have been very helpful and I appreciate the time and the information that you have presented us. Thank you very much and the hearing is adjourned. [Whereupon, at 11:42 a.m., the forum was adjourned.] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED] [GRAPHIC OMITTED]